AntivirusBest (Rogue) uses BHO Module & Popular Affiliate Networks to Infect Users

By GoldSparrow in Computer Security

AntivirusBest is doing its “best” to catch unsuspecting computer users off guard with fake IE warning messages and the use of popular third-party affiliate networks to distribute its program.

This week, we’ve seen a new rogue anti-spyware program called AntivirusBest that installs an Internet Explorer BHO (Browser Helper Object). The BHO module QWProtect.dll hijacks the IE browser and shows a fake warning message, meant to look like an IE message a user would normally see in their IE browser, under the IE toolbar, as seen in Figure 1.
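A BHO is just a COM in-process server registered under a well-known registry key, so the hijack described above leaves a footprint an administrator can inventory. The following PowerShell script is an added example, not code from the article or from Enigma Software: it lists every registered BHO, resolves each CLSID to its DLL, checks the Authenticode signature, and flags the module named in this article (QWProtect.dll) or any unsigned BHO. The registry paths are the standard BHO and CLSID locations; the flagged-name list is an assumption beyond that one entry.

```powershell
# Added example (not from the article): inventory registered IE Browser Helper Objects
# and flag the module this article names (QWProtect.dll) plus any BHO without a valid signature.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
# QWProtect.dll comes from the article; extend this list as needed (assumption).
$knownBad = @('QWProtect.dll')

function Get-RegisteredBho {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($clsidKey in Get-ChildItem $key) {
            $clsid = $clsidKey.PSChildName   # subkey name is the BHO's {GUID}
            # The DLL path is the default value of HKCR\CLSID\{GUID}\InprocServer32
            $serverKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $dll = $null
            if (Test-Path $serverKey) {
                $dll = (Get-ItemProperty -Path $serverKey).'(default)'
                if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll).Trim('"') }
            }
            # Treat a missing file or an invalid/absent signature as unsigned
            $signed = $false
            if ($dll -and (Test-Path $dll)) {
                $signed = (Get-AuthenticodeSignature -FilePath $dll).Status -eq 'Valid'
            }
            $name = if ($dll) { Split-Path $dll -Leaf } else { '' }
            [pscustomobject]@{
                CLSID      = $clsid
                Dll        = $dll
                Signed     = $signed
                Suspicious = ($knownBad -contains $name) -or (-not $signed)
            }
        }
    }
}

# Suspicious entries first; the CLSID and DLL path are what you would remove or quarantine
Get-RegisteredBho | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt so the 32-bit (Wow6432Node) key and the DLL files themselves are readable.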

Figure 1. Fake IE warning message

The fake IE warning message reads:

“Internet Explorer has found an unregistered version of AntivirusBest. To protect your computer, please register your AntivirusBest.”

Once the fake IE warning message is clicked, the computer user is led to an AntivirusBest download link. AntivirusBest runs a bogus scan and reports non-existent infections on the computer user’s system; it is designed to display the same scan results regardless of the machine it is run on. The computer user is then badgered with fake system alerts, in the form of pop-up windows or balloon messages in the system tray, that repeatedly remind the user to purchase the AntivirusBest program, as seen in Figures 2, 3, and 4.

The trojan used to distribute AntivirusBest also blocks users from accessing legitimate security software and websites as mentioned in a previous article entitled “Trojan Rootkit.Gen Variants Block Security Applications (Norton, Window Defender, others) from Running”. At this point, the computer user is forced to either give up and purchase AntivirusBest or spend time figuring out how to remove the rogue antivirus program.

Figure 2. AntivirusBest system scan and “Internal conflict alert” message

The fake “AntivirusBEST Internal conflict alert” message reads:

AntivirusBEST
Internal conflict alert.
AntivirusBEST detected internal software conflict. Some application tries to get access to system kernel (such behavior is typical to Spyware/Malware). It may cause crash of your computer.

Figure 3. AntivirusBest “Privacy Violation Alert!” message

The fake “AntivirusBEST Privacy Violation alert!” message reads:

AntivirusBEST
Privacy Violation alert!
AntivirusBEST detected a Privacy Violation. A program is
secretly sending your private data to an untrusted internet
host. click here to block this activity by removing the threat
(Recommended).

Figure 4. AntivirusBest “Your PC is not protected” message

The fake “Your PC is not protected” message reads:

Your PC is not protected
Security center reports that ‘AntiviruBEST’ is inactive. Antivirus software helps to protect your computer against viruses and other security threats. Click here for the suggested actions. You system might be at risk now.

We’ve seen other rogue security software in the past use BHOs or trojans to hijack web browsers and disable key functions on a computer. But what happens when trusted affiliate networks have rogue security software in their list of products to promote online? It’s not the first time that malware makers have either hijacked well-known, trusted websites or tricked leading advertising providers into promoting rogue applications.

Thanks to an interesting article from the Washington Post (“Massive Profits Fueling Rogue Antivirus Market”), we had a glimpse into the rogue antivirus market and how much malware campaigners are paid to “malvertise”. According to the Washington Post article, the data collected by security researchers on TrafficConverter.biz, one of the most infamous affiliate networks in peddling rogue security software, shows that a few of the top affiliate earners made more than $100,000 a month in commissions.

What makes AntivirusBest stand out to us is that the program directs users to affiliate links from well-known, legitimate affiliate networks rather than the typical dirty affiliate networks. The affiliate links point to AntivirusBest purchase pages from RegNow, eSellerate, Plimus, and SWREG. Apparently, malware makers have decided to go on a much larger scale and trick legitimate networks into promoting rogue applications.

It’s no surprise that malware makers are going after legitimate affiliate networks; fending them off is what affiliate networks have to deal with on a daily basis. The troubling part is that a rogue program was approved and allowed to run purchase orders.

Here’s what happened when our research team infected a computer testbed with AntivirusBEST and clicked the “Remove all threats now” button on the “Warning! 41 infections found!!!” message, as seen in Figure 5:

Figure 5. “Warning! 41 infections found!!!” message

  • The first time the “Remove all threats now” button was clicked, it redirected to a malicious domain called your-security-center.com, one of many domains used to promote rogue applications, to purchase the AntivirusBEST application for $59.95, as seen in Figure 6 below. At any given moment, the “Remove all threats now” button can redirect to a different malicious domain to avoid detection and filtering.

    Figure 6. Your-security-center.com web page

  • The second, third, fourth, and fifth time the “Remove all threats now” button was clicked, it redirected to purchase pages from four different networks, as shown in Figures 7, 8, 9, and 10 below. These purchase pages are on legitimate websites; they have not been hacked to host malware or to redirect to fraudulent domains made to look legitimate. AntivirusBEST has simply been added to the affiliate networks as another product to sell.

    Figure 7. eSellerate’s AntivirusBest product page

    Figure 8. Plimus’ AntivirusBest product page

    Figure 9. RegNow’s AntivirusBest product page

    Figure 10. SWREG’s AntivirusBest product page

Notice that these affiliate networks are not dirty affiliate networks. So the question is how did AntivirusBEST manage to slip through the pre-screening process of so many affiliate networks? Stay tuned for more information.

This entry was posted on 07/2/09 and is filed under Computer Security.
