Saturday, February 25, 2006

How spyware gets installed (2)


Misspell "pot roast" as "poy roast" when searching for pot roast recipes. Notice that the web sites returned were designed to match misspelled words.

If you are unfortunate enough to select pot-roast-recipes.ioust.behavest.net, you find yourself trapped in a loop that tries to install software from WinSoftware Corporation, Inc.

WHOIS behavest.net



Andreas Tores andreas@winouxis.com
Direccion General de Areas Protegidas
Km 12.5 Carretera Norte Moduna 3102
Managua, Nicaragua



behavest.net insists you install WinAntiSpyware.
WinAntiSpyware will report that you have serious system errors and insist you buy and install WinFixer.
Instead, use Task Manager to close the browser window. Do not install this particular WinAntiSpyware.

There could be a legitimate WinAntiSpyware.com. The WinAntiSpyware web site agrees (in its terms and conditions) to settle disputes according to the laws of Nevada. The General section of its license agreement indicates that the laws of the state of Nevada govern the agreement. There are two different "license agreement" web pages and two different "terms and conditions" web pages. The home page has links to "Terms and Conditions", "License Information" and "Buy Now". "Buy Now" has different "Terms and Conditions" and "License Agreement" links. Other than the references to Nevada, there is no indication of where WinAntiSpyware might be located.

The domain name WinAntiSpyware.com is registered using an address in Kiev.

winantivirus.com = [ 66.244.254.64 ]
winantispyware.com = [ 66.244.254.64 ]
winantiviruspro.com = [ 66.244.254.63 ]


Note: The next day pot-roast-recipes.ioust.behavest.net was not available. Instead, pot-roast-gravy.toms.frcollect.org had an equivalent effect.

WHOIS frcollect.org

Shuratani Laskari
1859/14 Salcedo Street
Legaspi Village Makati City
Manila
Phillipines


The registration information was created a few days earlier and updated that day.

On March 3 the equivalent URL was cooking-pot-roast.buseon.seenfussy.com.

WHOIS seenfussy.com


Andreas Tores (andreas@winouxis.com)
Direccion General de Areas Protegidas
Km 12.5 Carretera Norte, Moduna # 3102
Managua
,3289
NI
Tel. +505.2331279


Registration was created 27-Feb-2006.
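The three sightings above share a pattern a filter can check: a keyword-stuffed leftmost label, a filler label, a recently registered domain, and a recurring registrant. The sketch below is an added example, not part of the original post; the function names, thresholds and the two-label domain split are assumptions, and the sighting dates are read from the post.

```python
from collections import defaultdict
from datetime import date

# Sightings transcribed from the post. "created" is None where the post gives
# no exact registration date; nothing here is looked up live.
SIGHTINGS = [
    {"host": "pot-roast-recipes.ioust.behavest.net", "seen": date(2006, 2, 25),
     "registrant": "Andreas Tores", "created": None},
    {"host": "pot-roast-gravy.toms.frcollect.org", "seen": date(2006, 2, 26),
     "registrant": "Shuratani Laskari", "created": None},
    {"host": "cooking-pot-roast.buseon.seenfussy.com", "seen": date(2006, 3, 3),
     "registrant": "Andreas Tores", "created": date(2006, 2, 27)},
]

def registered_domain(host):
    """Last two labels. Assumption: fine for .com/.net/.org; use the Public
    Suffix List for names such as example.co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def reasons(sighting, max_age_days=14):
    """Return the heuristics a sighting trips (thresholds are assumptions)."""
    labels = sighting["host"].lower().rstrip(".").split(".")
    hits = []
    # Search-bait label: several hyphen-joined words in the leftmost label.
    if len([w for w in labels[0].split("-") if w.isalpha()]) >= 2:
        hits.append("keyword-stuffed label")
    # An extra filler label between the bait and the registered domain.
    if len(labels) >= 4:
        hits.append("deep subdomain")
    if sighting["created"] is not None:
        age = (sighting["seen"] - sighting["created"]).days
        if 0 <= age <= max_age_days:
            hits.append(f"domain {age} days old")
    return hits

def cluster_by_registrant(sightings):
    """Group registered domains by WHOIS registrant to link rotated hosts."""
    groups = defaultdict(set)
    for s in sightings:
        groups[s["registrant"]].add(registered_domain(s["host"]))
    return {name: sorted(domains) for name, domains in groups.items()}

if __name__ == "__main__":
    for s in SIGHTINGS:
        print(s["host"], "->", reasons(s))
    print(cluster_by_registrant(SIGHTINGS))
```

Clustering on the registrant is what ties behavest.net and seenfussy.com together even though the hostnames rotate; the age check only fires where a creation date is known.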

See also: Symantec description of WinAntiSpyware
