Monday, June 02, 2008

More on rogue antivirus software, apparently rogue PC networking software


There’s more being written these days about rogue fake “anti-virus” software such as what I encountered a few months ago. Recall, I found comments on my blogs trying to prompt the visitor to install “XPAntivirus” with a word of “Here.” I put on comment monitoring on the remaining blogs, and deleted a few of these comments that I found before I put on the monitoring. I’ve gotten a few variations of these, but they tend to go away after a few days of repeated comment rejection. By the way, I realize I could install a CAPTCHA on the comment moderation to keep these out (as I think they are robots), but I don’t want to hinder legitimate comments.

Needless to say, on another WordPress tech blog that I run on a domain (billboushka.com), I get lots of rogue comments submitted to moderation that are mostly obvious word salad with inappropriate links, perhaps ten a day. It’s easy for a human being to spot them, much harder for an automated script.

Bill Mullins published an article yesterday on XPAntivirus, on WordPress, here, which appeared today on the “Mixx” news service under the tag “internet security”. There are some unsubstantiated allegations about its trying to capture personal information, and about generating false warnings even to people who did not try to install the full product. Kurt Baumgartner has a more general report on fake antivirus software on his “ThreatFire Research” blog here. (Somehow the blog's name reminds me of “Project Wildfire” from “The Andromeda Strain.”)

I’ve noticed another theme happening. Spammers or con artists will misspell names of legitimate products and direct you not just to a parked domain of links, but to a different site trying to sell a rogue version. For example, “Gotomypc.com” is legitimate (it was discussed in major media sources discussing telecommuting), but there is a clone on Motorshowguide.com as a subdirectory (with a slight misspelling equated [probably with an address record] to another domain name) that the host may not know about. Always check the URL that comes up when you go to a site to find something to install, and make sure that the spelling matches. McAfee SiteAdvisor had not caught this problem.
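The spelling check described above can be automated before a download link is followed. The sketch below is an added example, not code from this blog or from any product mentioned; the function names, the two-typo threshold, and the sample URLs (including the misspelling and the `.example` hosts) are assumptions made for illustration.

```python
from urllib.parse import urlsplit

TRUSTED = {"gotomypc.com"}  # legitimate site named in the post
MAX_EDITS = 2               # assumption: up to two typos counts as a lookalike

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def site_of(host):
    """Last two labels of the host name. Simplification: no public-suffix
    list, so suffixes such as co.uk are not handled."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_download_url(url):
    parts = urlsplit(url)
    site = site_of(parts.hostname or "")
    if site in TRUSTED:
        return "trusted"
    for good in TRUSTED:
        brand = good.split(".")[0]
        # Misspelled (or same-named, different suffix) host.
        if edit_distance(site.split(".")[0], brand) <= MAX_EDITS:
            return "lookalike-host"
        # Product name, or a near miss, used as a directory on another site.
        for seg in parts.path.lower().split("/"):
            if seg and edit_distance(seg.split(".")[0], brand) <= MAX_EDITS:
                return "brand-in-path"
    return "unrelated"

# Constructed sample URLs; the misspellings and the .example hosts are made up.
SAMPLES = [
    "https://www.gotomypc.com/download",
    "http://gotomypcc.example/setup.exe",
    "http://unrelated-host.example/gotomypcc/",
    "http://unrelated-host.example/index.html",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{check_download_url(u):15} {u}")
```

The "brand-in-path" result covers the subdirectory case, where the host name itself looks nothing like the product and only the path carries the near-miss spelling.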
