We’ve seen a number of examples lately of legitimate security companies being advertised through malware.
It is important to note that this advertising is not from the companies themselves. It’s coming through affiliates (meaning, people who make commissions on the sales they refer).
1. Advertising through Trojan DNSChanger
We have observed both StopZilla and PC Tools being marketed in search redirects from Trojan DNSChanger infections. A video through Vimeo is available below; unedited raw video is available here (video taken on 1/22/2008).
Trojan DNS Changer video from alex eckelberry on Vimeo. Click here for a higher quality version.
(Apologies for the poor voice recording quality.)
2. Advertising in LOP
Symantec and Zone Labs products have recently been observed being advertised through popups in CiD (Circle Development, aka C2 Media or Lop.com).
(Observed on 2/6/2008)
3. Advertising in SurfSidekick
Traffic flowed as follows: From SurfSideKick (aka Deluxe Communications) to Traffic-Director to Digital River to Symantecstore. Ben was kind enough to provide a screen-capture and a full packet log.
(Observed on 2/3/08)
Affiliate programs are a great way to spread the word on your product, but they need to be monitored carefully for abuse.