Monday, August 21, 2006

DollarRevenue uses "Osama has been Captured Lure" to Download Malware

Over the weekend Chris Gunn (owner of BIZynet) and the newsgroup Biz.Stolen sent me an interesting e-mail with the title "Osam (SP) Bin Laden Captured." Here is a copy of the e-mail:

From: david.jones@gmail.com
Subject: Osam Bin Laden Captured
Date: Sun, 20 Aug 2006 09:07:48 -0500
To: biz-stolen@moderators.isc.org

Hey, Just got this from CNN, Osama Bin Laden has been captured! A video and some pictures have been released. Go to the link below for pictures, I will update the page with the video as soon as I can.

*Link removed because it was still active when checked earlier today. The "stuff" on here will ruin a good home PC.

Thinking this was too good to be true, I went to the CNN site and found a lot about Bin Laden -- who is being featured as part of a special this week -- but nothing about him being captured.

Not sure of what was going on, I sent a quick e-mail to Alex Eckelberry (CEO, Sunbelt Software) and Paul Laudanski (CastleCops, PIRT) to see if they would help me get to the bottom of this. Paul and Alex are both very active in helping protect the public against "Internet Sleazebags."

Alex was kind enough to have Patrick Jordan (Sunbelt) take a look at it and they told me it was from DollarRevenue. According to a post, I read on another blog - Patrick's own site was under DDOS attack in June.

DollarRevenue sounds like they aren't very nice people.

Here is what Patrick discovered (I shortened the report to only show results versus no virus found):

Antivirus Version Update Result

AntiVir 6.35.1.3 08.21.2006 TR/Dldr.DollarRev.A
Avast 4.7.844.0 08.21.2006 Win32:Adloader-CG
AVG 386 08.21.2006 Downloader.Generic2.LEV
BitDefender 7.2 08.21.2006 Trojan.Downloader.DollarRevenue.Z
DrWeb 4.33 08.21.2006 Adware.DollarRevenue
Ewido 4.0 08.21.2006 Downloader.Adload.ee
Kaspersky 4.0.2.24 08.21.2006 Trojan-Downloader.Win32.Adload.ds
McAfee 4833 08.21.2006 DollarRevenue
NOD32v2 1.1717 08.21.2006 Win32/TrojanDownloader.Adload.NAY
Sophos 4.08.0 08.21.2006 Troj/Adload-IK

Spyware Warrior did an interesting post about DollarRevenue in May. Here was their conclusion about DollarRevenue and another outfit called Gimmycash:

Are the GimmyCash affiliates cheating by bundling the gimmy files with DollarRevenue and others? Are they getting paid that 40 cents for each download of a gimmygames.exe and gimmysmileys.exe file even though the application are never actually installed? If any other spyware researchers have any observations or thoughts on this, I'm most interested.

At any rate, some affiliates are apparently making a lot of 40 cents and 30 cents based on all the complaints, HijackThis logs and reports seen on the web. It's no wonder affiliates of these kinds of programs bundle as many pay-per-install adware applications into one infestation and push them through exploits. It's all about the money folks, the cash, the moola, the dollar revenue and gimmy cash, nothing else.

Link, here.

Hopefully some legal action is being considered against DollarRevenue. Downloading programs like this have ruined many home systems. And telling us Bin Laden has been caught (something that would make me jump for joy) as a lure is pretty sick.

Sunbelt and CastleCops run a group called PIRT, Phishing Incident Reporting and Termination Squad, which goes after Internet phishermen by reporting them to the "right people." They are looking for people to pass on their "phishy" e-mails to them, or even become a "handler."

Alex also does the Sunbelt blog, which I have found to be a great resource on computer security.

Chris Gunn provides and designs websites. He also does a few free websites and moderates newsgroups to serve what he considers "public interests." Chris and I are considering doing a new website on fraud and will be working on promoting the Biz.Stolen newsgroup.

Very much in the "planning stages," but we'll see what happens.

No comments: