Security Response

Rogue Anti-spyware in Action

Created: 14 Jun 2006 07:00:00 GMT • Updated: 23 Jan 2014 18:59:16 GMT

I would never associate the phrase "good ethics" with rogue anti-spyware. Maybe "questionable ethics" or, indeed, "no ethics" are phrases that would be more appropriate! We encounter questionable ethics every day in the lab, especially when dealing with rogue applications. I will provide some information below on one of the best examples of rogue anti-spyware we have seen in the lab, called "Punisher".

Symantec detects this rogue application as Punisher, but it is also known as Remedy AntiSpy, SystemStable, HitVirus, and Adware Bazooka in the industry. Rogue applications often employ a technique of using various guises, where the application will be advertised and distributed using seemingly different software applications that all turn out to be exactly the same (except, perhaps, a different skin).

We made observations on this rogue application during an installation onto a clean system. We noted that it drops a file onto the host system at a particular location (C:\Documents and Settings\Administrator\Cookies\cookie.txt). Upon inspection we see that the cookie.txt file contains the following text:

badsrfi
V099e17dbf50e7c2d74384524ac28a
atwola.com/
1024
1951777024
29822706
4131383120
29749280
*
badsrfi
V099e17dbf50e7c2d74384524ac28a
adblock.com/
1024
1951777024
29822706
4131383120
29749280
*
badsrfi
V099e17dbf50e7c2d74384524ac28a
cashtoolbar.com/
1024
1951777024
29822706
4131383120
29749280
*
badsrfi
V099e17dbf50e7c2d74384524ac28a
hitexchange.net/
1024
1951777024
29822706
4131383120
29749280
*

Please note the presence of the phrases "hitexchange.net", "cashtoolbar.com", and "adblock.com" in the above breakdown of the cookie file. Now it's time to scan the clean system and see what Punisher finds (no prizes for guessing) and yes—that’s right—Punisher retrieves cookies from hitexchange.net, cashtoolbar.com, and adblock.com. In order to remove these cookies (which, of course, Punisher placed there in the first instance) you will be charged the "special offer" price of only $49.95! In fact, even the special discount offered on their sales page has been calculated incorrectly, offering a mere 37% discount instead of the 60% discount stated! But hey, what else would you expect from a rogue application?
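The four records above share one cookie name, one value, one expiry and one creation timestamp; only the domain changes. Four unrelated sites setting cookies independently would not produce that pattern, and it is exactly what an analyst can key on when deciding whether "detected" tracking cookies were really written by the scanner itself. The following script is an added example, not code from the post or from Symantec: it parses the listing shown above (the field order, name, value, host/path, flags, expiry low/high, creation low/high, is assumed from the legacy Internet Explorer cookie index layout, and the 32-bit halves are assumed to be a Windows FILETIME), converts the timestamps, and flags any name/value/creation-time triple that appears on several distinct domains. A second, constructed listing with per-site values shows that ordinary cookies are not flagged.

```python
"""Parse a legacy IE cookie.txt index and flag cookie sets that look planted
by a single writer rather than set independently by separate sites."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# One record from the post's cookie.txt listing, with the domain templated;
# the listing repeats it verbatim for atwola.com, adblock.com, cashtoolbar.com
# and hitexchange.net, so the same four records are rebuilt here.
_PAGE_RECORD = (
    "badsrfi\nV099e17dbf50e7c2d74384524ac28a\n{domain}/\n1024\n"
    "1951777024\n29822706\n4131383120\n29749280\n*\n"
)
SAMPLE_COOKIE_TXT = "".join(
    _PAGE_RECORD.format(domain=d)
    for d in ("atwola.com", "adblock.com", "cashtoolbar.com", "hitexchange.net")
)

# Constructed control listing (not from the post): two sites, site-specific
# values and different creation times, i.e. what genuine cookies look like.
BENIGN_COOKIE_TXT = (
    "sid\nabc123\nexample.org/\n1024\n1951777024\n29822706\n4131383120\n29749280\n*\n"
    "sid\nzzz999\nexample.net/\n1024\n1951777024\n29822706\n1000000000\n29749281\n*\n"
)


def filetime_to_datetime(low, high):
    """Join the two 32-bit halves of a FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    ticks = (high << 32) | low
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


def parse_cookie_txt(text):
    """Split a cookie.txt index into dict records.

    Assumed field layout per record (legacy IE cookie index): name, value,
    host/path, flags, expiry low, expiry high, creation low, creation high,
    then a lone '*' line terminating the record.
    """
    records, current = [], []
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        if line != "*":
            current.append(line)
            continue
        if len(current) != 8:
            raise ValueError(f"malformed record (expected 8 fields): {current}")
        name, value, hostpath, flags, exp_lo, exp_hi, cre_lo, cre_hi = current
        records.append({
            "name": name,
            "value": value,
            "domain": hostpath.split("/", 1)[0],
            "flags": int(flags),
            "expires": filetime_to_datetime(int(exp_lo), int(exp_hi)),
            "created": filetime_to_datetime(int(cre_lo), int(cre_hi)),
        })
        current = []
    if current:
        raise ValueError("trailing record without '*' terminator")
    return records


def find_planted_sets(records, min_domains=3):
    """Return (name, value, domains) for cookies that share name, value and
    creation time across at least `min_domains` distinct domains.

    Independent sites set their own values at their own times; an identical
    triple across unrelated domains points to one process writing them all,
    which is the fingerprint of a scanner seeding its own 'findings'.
    """
    groups = defaultdict(set)
    for r in records:
        groups[(r["name"], r["value"], r["created"])].add(r["domain"])
    return [
        (name, value, sorted(domains))
        for (name, value, _created), domains in groups.items()
        if len(domains) >= min_domains
    ]


if __name__ == "__main__":
    recs = parse_cookie_txt(SAMPLE_COOKIE_TXT)
    for r in recs:
        print(f"{r['domain']:<18} created={r['created']:%Y-%m-%d} "
              f"expires={r['expires']:%Y-%m-%d} value={r['value']}")
    for name, value, domains in find_planted_sets(recs):
        print(f"planted set: {name}={value} on {', '.join(domains)}")
    print("benign listing flagged:", find_planted_sets(parse_cookie_txt(BENIGN_COOKIE_TXT)))
```

Decoding the timestamps is the useful part: all four records decode to the same creation instant in November 2005 with an expiry exactly 365 days later, which is consistent with one writer stamping a fixed one-year lifetime rather than four servers each issuing a Set-Cookie. The threshold of three domains is a judgement call; a single tracking network legitimately setting the same cookie on two of its own hosts should not trip it.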