Skip to main content

Legitimate security companies advertised through malware

e’ve seen a number of examples lately of legitimate security companies being advertised through malware.

It is important to note that this advertising is not from the companies themselves. It’s coming through affiliates (opens in new tab)(meaning,people who make commissions sale they refer).

1. Advertising through Trojan DNSChanger
We have observed both StopZilla and PC Tools being marketed in search redirects from Trojan DNSChanger (opens in new tab)infections. A video through Vimeo is available below; unedited raw video is available here (opens in new tab) (video taken on 1/22/2008).

Trojan DNS Changer video (opens in new tab) from alex eckelberry on Vimeo. Click here for a higher quality version (opens in new tab)

(Apologies for the poor voice recording quality.)

2. Advertising in LOP

Symantec and Zone Labs products have recently been observed being advertised through popups in CiD (opens in new tab) (Circle Development, aka C2 Media or Lop.com).

Symantec_cid_sb

(opens in new tab)

Zone_cid_sb

(opens in new tab)

(Observed on 2/6/2008)

3. Advertising in SurfSidekick

Ben Edelman (opens in new tab)also recently observed a full-screen popup of the Symantecstore.com site while running SurfSidekick (opens in new tab).

Traffic flowed as follows: From SurfSideKick (aka Deluxe Communications) to Traffic-Director to Digital River to Symantecstore. Ben was kind enough to provide a screen-capture and a full packet log (opens in new tab).

Ssk-trafficdirector-digitalriver-symantec-020308

(opens in new tab)

(Observed on 2/3/08)

Affiliate programs are a great way to spread the word on your product, but they need to be monitored carefully for abuse.

Alex is a technology CEO, with leadership, operating partner, investor, and board member roles at security firms including AutoLoop, Borland, Quarterdeck (now Symantec and Cisco WebEx), GFI/TeamViewer, Sunbelt Software (now ThreatTrack Security), BlueStripe Software, StopBadware, Knowbe4, Malwarebytes, and Runaware Holding AB. When CEO of Sunbelt he ran a security blog, and he still writes on security.