
TOKYO (MacHouse) – Some 12 days ago, we spotted the first group of websites used as redirection points for sending Internet users to fake anti-virus scan websites hosted at antivirus-scanner.com. It’s still around. Then another fake anti-virus scan website surfaced yesterday. It’s hosted through the domain antivirus-scanonline.com. So what do we know about these fake anti-virus scan websites? Honestly, not much… But let’s go over some interesting points.
Thanks to the computer security company Sophos, we found out 12 days ago that the file we were forced to download after visiting the website of antivirus-scan.com contains a computer virus known as Troj/Dwnldr-HDG. We also sent the file we were forced to download after visiting the other fake anti-virus scan website to Sophos some 15 hours ago. So far, we haven’t heard back from them, so we don’t know whether the file from antivirus-scanonline contains the same computer virus.
Whichever of antivirus-scanner.com or antivirus-scanonline.com you access, you will get a file labeled AtnvrsInstall.exe. But the files from these two fake anti-virus scan websites aren’t exactly the same. As shown in Screenshot 01, the size of the file from antivirus-scanner.com is 56,080 bytes, while the file from antivirus-scanonline.com is 1.17 times bigger. It is possible that the latter contains multiple computer viruses.
[Screenshot 01 – Source: MacHouse]
[Screenshot 02 – Source: completewhois.com]
[Screenshot 03 – Source: completewhois.com]
In the meantime, we have no trouble believing that the two fake anti-virus websites are run by the same criminal organization. Looking at the domain registration records for antivirus-scanner.com and antivirus-scanonline.com, they have the same registrar, which is ESTDOMAINS, INC. (See Screenshots 02 and 03.) They also point to the exact same set of nameservers. Moreover, these domains share the same registrant, except that the room and phone numbers are slightly different. Strange, huh!? Both registration records show that the registrants are from Gibraltar, a small British overseas territory located at the southern tip of the Iberian Peninsula (southern Spain).
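As an added example (not code from the original post), the following Python script automates the registration-record comparison described above: it parses two WHOIS records and reports which fields match and which differ. The records are constructed samples with placeholder registrant details and nameservers, not the real registrations.

```python
"""Compare two WHOIS records for shared-infrastructure indicators."""
from __future__ import annotations

# Constructed sample records. Registrant details, phone numbers and
# nameservers are placeholders, not the real registration data.
WHOIS_A = """\
Domain Name: antivirus-scanner.com
Registrar: ESTDOMAINS, INC.
Name Server: NS1.EXAMPLE-NS.NET
Name Server: ns2.example-ns.net
Registrant Name: [REGISTRANT PLACEHOLDER]
Registrant Street: Room 12, [STREET PLACEHOLDER]
Registrant Country: GI
Registrant Phone: +350.0000001
"""
WHOIS_B = """\
Domain Name: antivirus-scanonline.com
Registrar: ESTDOMAINS, INC.
Name Server: ns2.example-ns.net
Name Server: ns1.example-ns.net
Registrant Name: [REGISTRANT PLACEHOLDER]
Registrant Street: Room 14, [STREET PLACEHOLDER]
Registrant Country: GI
Registrant Phone: +350.0000002
"""

# Keys that may repeat; they are collected into a case-insensitive set
# so that nameserver order and capitalisation do not matter.
MULTI_VALUE = {"name server"}


def parse_whois(text: str) -> dict[str, object]:
    """Parse 'Key: value' lines into a dict; repeatable keys become sets."""
    record: dict[str, object] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key in MULTI_VALUE:
            record.setdefault(key, set()).add(value.lower())
        else:
            record[key] = value
    return record


def shared_indicators(a: dict, b: dict) -> dict[str, list[str]]:
    """Return the fields present in both records that match or differ."""
    result: dict[str, list[str]] = {"same": [], "different": []}
    for key in sorted((set(a) & set(b)) - {"domain name"}):
        result["same" if a[key] == b[key] else "different"].append(key)
    return result
```

Running `shared_indicators(parse_whois(WHOIS_A), parse_whois(WHOIS_B))` on the samples shows registrar, nameservers, registrant name and country matching while only the street (room) and phone differ, which is the pattern the post describes.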
[Screenshot 04 – Source: MacHouse]
[Screenshot 05 – Source: ezzi.net]
[Screenshot 06 – Source: MacHouse]
So far, we don’t know exactly where these fake anti-virus scan websites are hosted. Some ten days ago, the website of antivirus-scanner.com appeared to be hosted by Euro Access. Now, it appears to be hosted by a New York-based web hosting company called EZZI.net. (See Screenshots 04 and 05.) In the meantime, using Visual Route, it appears that the website of antivirus-scanonline.com can be traced to Euro Access. Nonetheless, cyber criminals use various DNS services to disguise the locations of their web servers, so you never know exactly where these fake anti-virus scan websites are hosted.
References:
- Lehigh University’s Multiple Department Websites Exploited for Redirection to ANTIVIRUS-SCANONLINE.COM
- ANTIVIRUS-SCANONLINE.COM: 15 Websites Victimized in the Latest ‘?prj’ Exploitation Scheme
- Warning: A New Fake Anti-Virus Scan Website Discovered
- The Official Website of British Band Camera Obscura Exploited for Fake Anti-Virus Scan
- Sitemap Hack, ANTIVIRUS-SCANNER.COM Invading At Least 10 Websites Including Arizona State University’s Site
- ANTIVIRUS-SCANNER.COM and Troj/Dwnldr-HDG
- Warning: A New Hack Scheme Discovered Involving Anti-Virus Scan Website