Rogue antivirus dissected - part 2 _ secureworks money laundering red flags

Rogue antivirus dissected – part 2 _ secureworks money laundering red flags

There is no other language translation available on the website – therefore it can be safely assumed that the entirety of forced installs of antivirus XP 2008 are being performed by russian-speaking individuals against non-russian-speaking victims.

How do we know that the targeted victims of this software are mainly non-russian users? On startup, the AV XP 08 installer first checks the locales installed on the victim system using the windows API getkeyboardlayout. It will exit immediately if it finds the user has one of the following locales, all of which are countries with large russian-speaking populations:

• russia

• czech republic

• ukraine

• belarus

• estonia

• latvia

• lithuania

Additionally, the installer checks the URL cache for internet explorer to see if the user has recently visited one of the following sites:

• vkontakte.Ru

• google.Ru

• tibsystems.*

money laundering red flags

• statsbank.Com

• boards.Cexx.Org

• adultwebmasterinfo.Com

• spywareinfo.*

• dialerschutz.De

• webmasterworld.Com

• crutop.Nu

• go[removed]yourself.Com

Between the locale and cache checks, this is enough to pretty much guarantee that russian-speaking users will not ever see an antivirus XP 2008 install show mysteriously up on their machine like it does on so many others worldwide. However, in the most recent installer version the locale/cache checks are performed but the results are not evaluated (probably due to a coding error) so the newest version (to be called antimalware 2009) might actually make it onto russian machines. We hate to see anyone have to deal with this pest, but perhaps this might help raise awareness of the problem in those countries. Affiliate system

Bakasoftware is a closed system – only invited users may sign up with the program. Invitations can be handed out only by existing users.Money laundering red flags once a new member joins, he/she is given access to a control panel which provides information about the program and number of different distributions (activex controls, codec installs and standalone executables) of the rogue antivirus to install on victim machines. Or the affiliate can simply use links/popup ads to push traffic to an online scanner that convinces unsuspecting users that they are infected and need to buy the full version of the program.

The image below shows all the different installer options that an affiliate can choose for AV XP 08:

If these stats are to be believed, one affiliate was able to install 154,825 copies of AV XP 08 in ten days’ time, and 2,772 of those copies were actually purchased by the victims. This only represents a one to two percent conversion rate, but with the generous commission structure, was enough to earn the affiliate $146,525.25 for that time period.Money laundering red flags at that rate, the affiliate could be expected to earn over 5 million U.S. Dollars a year, simply by maintaining a large botnet and forcing AV XP 08 installs on 10,000 to 20,000 computers a day.

Bakasoftware hacked at the same time we were investigating the bakasoftware program, a russian hacker going by the handle neon posted a great deal of inside information about bakasoftware to the internet. Apparently an acquaintance of neon was able to hack into the bakasoftware website through a SQL injection exploit and obtain the administrative password. Using this information, neon was able to learn about and reveal several interesting details about the bakasoftware operation, including a list of the top earners in the affiliate program:

Affiliate ID

Affiliate username

Account balance (USD)












money laundering red flags




















NeoN did not indicate what time ranges these balances represent, but we believe these are totals for a single week. Even putting aside the tremendous amounts of money involved here, there are several interesting points of data in this list. The top earner, nenastniy is in all likelihood the same person we wrote about last year who sent political spam using the srizbi botnet. With access to a major spam botnet, earnings from delivering antivirus XP 2008 as a payload can be quite handsome it seems. Credit-card fraud and money laundering

Also interesting in the top earners list is the fact that krab, although the number two earner and supposedly administrator of the site, has a user ID in the 50s, where the next top earner, rstwm, has a user ID of 2.Money laundering red flags neon had a theory about rstwm’s earnings which he/she developed from looking into the stats page for rstwm:

It seems that rstwm maintains a conversion rate some days of over 75% – as opposed to the one or two percent of normal users. Also, rstwm has a very high refund rate – in this context, refund probably means chargeback, suggesting rstwm is likely using stolen credit card numbers to purchase the software and having the money credited to his affiliate ID. The bakasoftware system would provide the adminstrator(s) an excellent way to launder money from stolen credit cards. As long as the administrator didn’t get too greedy, there would always be enough legitimate (meaning not-charged-back) purchases of the software to avoid making the merchant account provider suspicious that the operation was entirely fraudulent and closing the account. Conclusion

money laundering red flags

Bakasoftware is just one of many rogue anti-malware affiliate programs. It should now be clear just why this particular scheme is so prevalent in today’s internet – the sheer amounts of money involved in installing just one rogue program are mind-boggling even to veteran security researchers. Even macintosh users are no longer immune to the threat of rogue AV attempting to worm its way onto systems, looking for that gullible one to two percent of users. In this case, user education might be the root of the problem: users are constantly bombarded with helpful warnings and alerts by every conceivable security application. The rogue AV developers are growing rich off of this fact.