System Defend Antivirus 2010 - new rogue AV ?!

Can someone from the Avast folks check this out? Not detected by anyone on VT. (They bundle 200 megs of .NET installer crap with it; the thing itself is just ~7 MiB.)

http://www.wilderssecurity.com/showthread.php?t=272624
http://www.thaivisa.com/forum/Real-Rogue-Antivirus-System-Defen-t326024.html
http://www.softpedia.com/get/Antivirus/System-Defend-Antivirus-2010.shtml
http://download.cnet.com/System-Defend-Antivirus-2010/3000-2239_4-75182270.html
http://www.brothersoft.com/system-defend-antivirus-2010-361369.html

Needs to be run in a VM to see what it does after a couple of hours or days. My guess is obviously yes, that’s rogue. Again, it remains to find out what it does. I wouldn’t risk an install ;D We need Polonus here :wink: and also Pondus is after rogue AVs…they’ll probably see that thread. Thanks for posting, that’s interesting.

That’s all I got so far, not about the “AV”, but about the main site offering the download:
http://www.mywot.com/en/scorecard/www.brothersoft.com

I can’t believe that CNet and Softpedia are offering it too :slight_smile:

edit: publisher >>>> hxxp://www.preedasoftware.com/ ( 61.19.247.206 based in Thailand)
hxxp://www.preedasoftware.com/index2.php
hxxp://www.systemdefendantivirus.com
nothing here: http://wepawet.iseclab.org/view.php?hash=7e47ba314c38630907a94fad07c54f03&t=1273860244&type=js
http://wepawet.iseclab.org/view.php?hash=ac1e2e1b636034021b3e5bfd8547c462&t=1273861319&type=js

As you said, need some VM to install, don’t have one handy ATM. Well, could try to install to a sandbox but don’t feel like that ;D

Yeah, that’s really a WTH…

I’ve edited my first post in the meantime, trying to find out more about the publisher…

http://www.wmtips.com/tools/info/?url=http://www.preedasoftware.com/
http://validator.w3.org/check?uri=http://www.preedasoftware.com/
Again, Polonus could interpret that…maybe there’s nothing there either, I haven’t got a clue. I’m not familiar at all with those web tools.

Errors found while checking this document as XHTML 1.0 Transitional!

Other errors on the download page:
http://jigsaw.w3.org/css-validator/validator?uri=http://www.preedasoftware.com/index2.php
http://validator.w3.org/check?uri=http://www.preedasoftware.com/index2.php

Hi Logos,

You miss the malcode if you do not also check the links from that site.
Suspicious at some time are/were:
http://www.google.com/safebrowsing/diagnostic?site=www.geardownload.com
At the crux of this may be regnow*com, a site full of adware and trojans…

http://safeweb.norton.com/report/show?url=regnow.com&x=0&y=0 alerted by Community Rating:
website - unsafe, risky downloads reported by some users; here’s a few: keylogger!!!
spy agent, adware, downloader-xz trojan, lots of spyware and others??

Well, to sum it up: malicious software includes 74 trojans, 5 backdoors, 2 viruses.
Successful infection resulted in an average of 2 new processes on the target machine.

Another link not completely beyond suspicion: http://www.google.com/safebrowsing/diagnostic?site=www.softwarelode.com

And finally then this link: http://www.google.com/safebrowsing/diagnostic?site=download.cnet.com
Malicious software includes 1 trojan.
Successful infection resulted in an average of 1 new process on the target machine,
last found to be there 2010-03-07.

polonus

Yeah… ;D >>> I checked only two pages, the main one with the ads about the sites providing the download, and the main download page. Okay, this said, all you found is that the sites providing the download are infected (including CNet), but you didn’t find anything related to this particular download and its publisher >>> hxxp://www.preedasoftware.com and System Defend Antivirus 2010 ??? Doesn’t seem easy :smiley: but I’m sure that’s a rogue, no possible doubt (intuitively yes…).

So this is what Softpedia calls ad-supported?! Shame on the guys. :slight_smile: >:( :-X

With a behaviour like that, it’s beyond doubt that it’s not only useless, but definitely rogue as well. Those forced-to-be-clicked ads will point you to a malware-infested site sooner rather than later.

It’s worthless crap and surely may lead to drive-by downloads. I had collected a few screenshots but they are all deleted because I have now deleted the VM. Testing this crap has spoiled my evening. >:(

Why did you delete the screenshots? That’s exactly what we need ??? You could have taken them from the host system :slight_smile: Anyway, can you describe the behavior of that crap, assuming you tested it in a VM? Some say it prompts for a first system check before installing…(mentioned either on Wilders or another site…)

FWIW, there are a couple of screenshots on the Wilders thread. Basically, it’s a Kaspersky GUI rip-off flooded with ads; even the logo is stolen from Kaspersky. :slight_smile:

This I knew, I saw them >>> what I meant were screenshots showing the “software” and system behavior, i.e. dialog boxes, prompts etc…anything suspicious or very obviously rogueware-like.

It’s also on ZDNet France >>> hxxp://www.zdnet.fr/telecharger/logiciel/system-defend-antivirus-2010-39830683s.htm :slight_smile:

Give me some time, I will post them. I am installing it again in VM.

Okay :wink: >>> please post screenshots not just of the interface of the program, but first of all of suspicious behavior if any, like prompts to remove malware, system behavior changes etc…

Okay, but please don’t ask me to test with any viruses…Lol.
Okay, before that let me inform you of a few things that I remember:

  1. After installation I saw my Security Centre service had been disabled. I manually turned it on, and the program is not registered there.
  2. No right-click scan support.
  3. When I clicked on a Brontok worm, it warned with the old Avast v4 sound “caution, a virus has been detected” and showed a default Windows alert box saying it had blocked something.exe from copying to the system32 folder. :smiley:

Rest I will tell after this testing. :wink:

Okay, I really didn’t mean that you had to do all that all over again in my first answer, so I won’t ask you to test any virus either ;D Thanks for testing anyway :wink: I cannot do it myself since the VM software I use sometimes for Linux doesn’t support 64-bit systems, although it says it does :slight_smile:

Hi
I have tested it again and collected 34 screenshots. So please pardon me because it will be hard for me to attach them all one by one. I uploaded all in a zip to mediafire.
The link is

http://www.mediafire.com/?jmmwvmm2jyn

File name: crap.zip :stuck_out_tongue:
I tested it on WinXP Pro 32-bit in VMware, 512 MB RAM.
A few things I noticed:

  1. It disabled the Security Centre service. Maybe because it doesn’t register itself with Security Centre.
  2. It changed my IE homepage to blank and also changed some security settings. Maybe to ease the pop-ups. :stuck_out_tongue:
  3. Lots of spelling mistakes and bad grammar. Bad Thai translation.
  4. The installation guide tells you to disable UAC in Win7.

Installation is smooth and so is uninstallation.
After installation it pops up a window to register, with a serial auto-inserted. Without registration you are entitled to use the program 92 times; after registration (no email address required) up to 31st Dec 2014.
The program frequently hangs and can be turned off easily with or without Task Manager. Memory usage ~64 MB.
Lots of tools are there in the interface.

In my opinion it is not rogue but the crappiest AV I have ever seen. The only problem may be the pop-ups, which may lead to drive-by downloads.
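The post above reports three things that changed under the tester's feet: the Security Centre service was disabled, the IE home page was blanked, and some IE security settings were altered. The following PowerShell script is an added example (not code from the thread or from any poster) that records exactly those settings before and after installing a suspect program in a throwaway VM and diffs the two snapshots, so the changes are captured as data rather than remembered after the VM is gone. It assumes PowerShell 2.0 or later on the guest, the standard Security Center service name `wscsvc`, and the standard registry locations for IE's `Start Page` and Internet zone (zone 3) settings under HKCU; the file paths in the usage comment are placeholders.

```powershell
# Added example: snapshot and diff the host-side indicators a poster reported
# (Security Center service state, IE home page, IE Internet-zone settings).
# Assumptions: Windows guest with PowerShell 2.0+, service name wscsvc,
# IE settings in their default HKCU locations.

function Get-SecurityBaseline {
    # Security Center service: current status and configured start mode.
    $svc    = Get-Service -Name wscsvc -ErrorAction SilentlyContinue
    $svcCfg = Get-WmiObject -Class Win32_Service -Filter "Name='wscsvc'"

    # IE home page and Internet-zone (zone 3) security settings.
    $ieMain = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
    $zone   = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3' -ErrorAction SilentlyContinue

    $rows = @()
    $rows += New-Object PSObject -Property @{ Key = 'wscsvc.Status';    Value = "$($svc.Status)" }
    $rows += New-Object PSObject -Property @{ Key = 'wscsvc.StartMode'; Value = "$($svcCfg.StartMode)" }
    $rows += New-Object PSObject -Property @{ Key = 'IE.StartPage';     Value = "$($ieMain.'Start Page')" }

    # Zone settings are stored as numeric value names (e.g. 1001, 1004, 1200, 1400);
    # record every numeric one so any change shows up in the diff.
    if ($zone) {
        foreach ($p in $zone.PSObject.Properties) {
            if ($p.Name -match '^\d+$') {
                $rows += New-Object PSObject -Property @{ Key = "Zone3.$($p.Name)"; Value = "$($p.Value)" }
            }
        }
    }
    $rows
}

function Compare-SecurityBaseline {
    param([string]$BeforeFile, [string]$AfterFile)
    $before = Import-Clixml $BeforeFile
    $after  = Import-Clixml $AfterFile
    # Rows present only in one snapshot are the settings that changed.
    Compare-Object -ReferenceObject $before -DifferenceObject $after -Property Key, Value |
        Sort-Object Key, SideIndicator |
        Select-Object Key, Value, @{ n = 'Side'; e = { if ($_.SideIndicator -eq '<=') { 'before' } else { 'after' } } }
}

# Usage (inside the throwaway VM, not on the host; paths are placeholders):
#   Get-SecurityBaseline | Export-Clixml C:\snap\before.xml
#   ... install and run the suspect program, let it sit for a while ...
#   Get-SecurityBaseline | Export-Clixml C:\snap\after.xml
#   Compare-SecurityBaseline C:\snap\before.xml C:\snap\after.xml
```

Each changed setting appears twice in the output, once with its `before` value and once with its `after` value, so a blanked home page or a service switched from `Running` to `Stopped` is visible at a glance and the XML snapshots can be copied out of the VM alongside the screenshots before the VM is discarded.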

ROTFLMAO. Well, this is my favourite… University Teacher, System Security Analyze, Antivirus Software Developer… my hero ;D

thanks a lot :wink: will have a look at your screen shots now…

edit: yeah, seems extremely adware