This is a summary of a popular posting to Mark's Sysinternals Blog (http://www.sysinternals.com/blog). You can read the entire blog post at http://www.sysinternals.com/blog/2006/01/antispyware-conspiracy.html.
Since the release of the first antivirus products, many people have believed in a conspiracy theory that has antivirus companies generating their own market by paying virus writers to develop and release viruses. I don't subscribe to that theory, and I trust the major security vendors, but recent trends show that a fuzzy line exists between second-tier antispyware vendors and the malware their products clean.
The most innocuous of malware-like anti-malware behaviors is to advertise with Web site banners and pop-ups that mislead users into thinking that they have a malware problem. Most of the ads look like Windows error messages, complete with Yes and No buttons, and clicking anywhere on the image, even the No button, results in the browser following the underlying link to the target page. I recently ran across an example of this behavior when a click on an ad image took me to a page at http://www.myspwarecleaner.com. The page looks like a Microsoft Internet Explorer (IE) error message and guides visitors to download and install an antispyware utility called Spyware Cleaner.
When I ran Spyware Cleaner on a freshly installed copy of Windows XP, the software reported nearly a dozen extreme risk and high risk infections that include innocuous items such as cookies left by MSN.com and several built-in Windows COM components. Of course, to remove the infections, a user must pay to register the software. Who makes Spyware Cleaner? You won't find out on the Myspywarecleaner Web site. A Whois lookup of the domain name shows that it belongs to Gary Preston of Secure Computer LLC.
A few days later, I ran into the same banner ad on another site and clicked again. This time, I was taken to http://www.spywarestormer.com. I downloaded the spyware cleaner, ran it on the same clean XP installation, and it reported seven infections. Once again, the reported infections were false positives. The Whois report for spywarestormer.com lists it as being registered to Domains by Proxy, through GoDaddy.com, so whoever is behind Spyware Stormer apparently wants to remain anonymous.
Unfortunately, sleazy antispyware vendors don't stop with misleading banners and false infection reports. Either they, or partners that have a vested interest in sales of their products, are actually infecting machines so that users are essentially blackmailed into purchasing their products. For example, the most trafficked threads on the Sysinternals forums are ones related to a malware infection dubbed "Spyaxe." The malware continuously pops up tray balloons informing users that their systems are infected; clicking on a balloon opens the Spyaxe Web site (http://www.spyaxe.com). Spyaxe denies any connection with the underhanded advertising, but it's hard to believe someone would promote Spyaxe this way without some financial incentive.
SpySheriff (http://www.spysheriff.com) is another antispyware vendor-promoted in the same way as Spyaxe. Recently, someone sent me a link to a Web page that, if visited using an IE version that hasn't been patched with December's security updates, slams the system with a deluge of malware: eight viruses, eight spyware packages, and seven adware products. After the infection, Internet browsing is made virtually impossible by the constant pop-ups, and processes are continually connecting to remote SMTP servers and Web pages. You can view a written chronology of the initial infection, as well as a movie I created depicting the process, in my blog post at http://www.sysinternals.com/blog/2006/01/antispyware-conspiracy.html.
Not surprisingly, the SpySheriff Web site reveals little about the company behind it. A Whois lookup of the domain points to Popandopulos Ltd. in Greece as the owner, but the associated email address is [email protected], which is a Russia-based domain. List.ru appears to be an ISP, so it's doubtful that the Spysheriff domain registration is accurate.
Is the connection between the infestation and SpySheriff one simply created by a SpySheriff fan or is this evidence of an antispyware conspiracy? It's hard to believe the former, and if it's the latter, then companies such as Secure Computer, which registered the myspywarecleaner.com domain in 2004, and Popandopulus, which registered spysheriff.com in May 2005, have been in business long enough to show that their business model is working—and that's far too long. I know that at least one state attorney general's office is investigating the Spyaxe case, and I hope that this article and blog post spurs more action. Misleading and malicious advertising for antispyware casts a shadow on the entire industry.
