March 24, 2010

The presence of rogue anti-virus products, also known as scareware, on a Microsoft Windows computer is often just the most visible symptom of a more serious and insidious system-wide infection. To understand why, it helps to take a peek inside some of the more popular rogue anti-virus distribution networks that are paying people to peddle scareware alongside far more invasive threats.

Distributors or “affiliates” who sign up with, for example, are given access to an installer program that downloads not only rogue anti-virus but also ZeuS, a stealthy piece of malware that specializes in mining online banking credentials from infected PCs. ZeuS is the very piece of malware directly responsible for helping thieves steal tens of millions of dollars from small to mid-sized businesses over the past year.

Avprofit says it will pay affiliates roughly $1,000 for every 1,000 times they distribute this installer program, or about $1 per install. Typically, affiliates will embed these installers at porn sites or bundle them with programs seeded on peer-to-peer file-sharing services. The nightmare for the victim starts when he or she responds to the fake anti-virus pop-up warning of supposed threats resident on the victim’s PC, by agreeing to download and run a scanning tool.

What’s remarkable about this entire ecosystem is that in many cases, victims who have this installer run on their systems often end up paying for the rogue anti-virus, in addition to unknowingly giving up their passwords and handing complete control of their computer to the bad guys running this distribution network.

Stats from Avprofit’s internal pages suggest that on average, about 4 percent of victims fall for the rogue anti-virus ruse and fork over their credit card information to purchase the worthless software. For example, on Feb. 28, one affiliate generated some 1,482 installs resulting in 66 sales and $1,650 in commissions. The day prior, the affiliate drummed up 1,323 installs, resulting in 57 sales for a daily income of $1,425.

A relatively recent copy of the installer that made available to affiliates was sent to two places:, which conducts extremely detailed, automated and free malware analysis, and, to see how well the installer was detected by various anti-virus tools on the market today.

According to, the installer dropped a file with this unique file signature, which also was flagged by another free and automated malware scanner — ThreatExpert — as ZeuS, a.k.a. “Zbot”.

Virustotal found that just 16 out of 42 anti-virus products it used to scan the installer file detected it as malicious.

The e-mail address listed in the Web site registration records for is “,” the same e-mail address used to register, the site that AVprofit’s installer reached out to in order to grab the ZeuS Trojan. That e-mail address also is affiliated with a number of Web sites responsible for helping criminals recruit money mules here in the United States and abroad.

Further reading:

Web Fraud 2.0: Franchising Cyber Crime

Massive Profits Fueling Rogue Antivirus Market

Rogue Antivirus Distribution Network Dismantled

10 thoughts on “AVprofit: Rogue AV + Zeus = $”

  1. Tom

    Interesting – I just ran a md5/sha1 analysis at of the hashes provided in the ThreatExpert report and each one errored out every time.

    “Please check you had introduced a correct hash and copied every character from the control key.”

      1. Tom

        Thanks! That did the trick.

        I really just wanted to see whether or not my AV program detected it. It does, but the overall results have also improved quite a bit since Brian’s post: 33/41 (80.49%)

  2. padman68

    So what were the “16 out of 42 anti-virus products it used to scan the installer file detected it as malicious”?

  3. DrZaiusApeLord

    I never even heard of the ones that couldn’t detect it. AhnLab-V3? Authentium?

    The top 10 or so AV products are pretty good at detection and SBE is free for home users. The whole ‘x out of y couldn’t detect this’ is a lame scare tactic.
