What does a young Chinese hacker do once he’s achieved legendary status for developing Microsoft Office zero-day exploits and using them to hoover up piles of sensitive data from U.S. Defense Department contractors? Would you believe: Start an antivirus firm?
That appears to be what’s happened at Anvisoft, a Chinese antivirus startup that is being somewhat cagey about its origins and leadership. I stumbled across a discussion on the informative Malwarebytes user forum, in which forum regulars were scratching their heads over whether this was a legitimate antivirus vendor. Anvisoft had already been whitelisted by several other antivirus and security products (including Comodo), but the discussion thread on Malwarebytes about who was running this company was inconclusive, prompting me to dig deeper.
I turned to Anvisoft’s own user forum, and found that I wasn’t the only one hungry for answers. This guy asked a similar question back in April 2012, and was answered by an Anvisoft staff member named “Ivy,” who said Anvisoft was “a new company with no past records, and we located in Canada.” Follow-up questions to the Anvisoft forum admins about the names of company executives produced this response, again from Ivy:
“The person who runs anvisoft company is not worth mentioning because he is unknown to you. Yes, the company is located at Canada. 5334 Yonge Street, Suite 141, Toronto, Ontario M2N 6V1, Canada.”
A quick review of the Web site registration records for anvisoft.com indicated the company was located in Freemont, Calif. And a search on the company’s brand name turned up trademark registration records that put Anvisoft in the high-tech zone of Chengdu, a city in the Sichuan Province of China.
Urged on by these apparent inconsistencies, I decided to take a look back at the site’s original WHOIS records, using the historical WHOIS database maintained by domaintools.com. For many months, the domain’s registration records were hidden behind paid WHOIS record privacy protection services. But in late November 2011 — just prior to Anvisoft’s official launch — that WHOIS privacy veil was briefly lowered, revealing this record:
Registrant: wth rose Moor Building ST Fremont. U.S.A Fremont, California 94538 United States
Administrative Contact: rose, wth firstname.lastname@example.org Moor Building ST Fremont. U.S.A Fremont, California 94538 United States (510) 783-9288
A few days later, the “wth rose” registrant name was replaced with “Anvisoft Technology,” and the email@example.com address usurped by “firstname.lastname@example.org” (emails to both addresses went unanswered). But this only made me more curious, so I had a look at the Web server where anvisoft.com is hosted.
The current Internet address of anvisoft.com is 22.214.171.124, and a reverse DNS lookup on this IP address tells me that there are at least three other domain names hosted at this address: nxee.com, oyeah.com, and coversite.com. The latter forwards to a domain parking service and its WHOIS information is shielded.
But both oyeah.com and nxee.com also were originally registered to wth rose and email@example.com. And their WHOIS records history went back even further, revealing a more fascinating detail: Prior to being updated with Anvisoft’s corporate information, they also were registered to a user named “tandailin” in Gaoxingu, China, with the email address firstname.lastname@example.org.