We’ve blogged a few times about rogue AV, explaining how search engines have been abused using Black Hat Search Engine Optimization techniques to redirect web surfers to rogue AV websites.
Recently, we’ve noticed that the rogue AVs being spread are all equipped with an “Online Support” button. See the top right corner:
Pressing Support takes you into a live chat with the rogue AV Tech Support. We wondered whether it was a bot answering questions based on keywords or real people – and yes, they turned out to be real!
We learned that they offer Technical Support by chat, but also by phone and email. The email is especially useful if you don’t speak English. The live chat tells you (in English) to send an email in your native language to a given email address to receive support in your native language:
If you are infected with a rogue AV program which you picked up while using a search engine (Black Hat SEO again), and connect to their support, they will ask you which AV you want support for.
Once you tell them, they’ll provide you with a ‘Free Trial’ version of the program that will remove the infections found by the first one (the two have very similar names).
The trial version looks like this:
This program has the same user interface, but a slightly different name – with the same “Online support” button.
The rogue AV will use the language of your OS. So if you are using a French Windows XP for instance, the rogue AV user interface will be in French, which makes it even more convincing.
While talking to the so-called support, we found out that the first rogue AV is a ‘Free Scanner’ only, whereas the ‘trial version’ is a fully functional product – the catch is that the trial period is only one day. Additionally, the trial version won’t remove the first product, so they also have special cleaners:
This is the Uninstaller. They have one for every product they “sell”. It does indeed remove the rogue AV from your computer, at least partially. Depending on the cleaner, you might end up with some files left on your computer, giving someone the ability to run the rogue AV again…who knows? The machine isn’t returned to its original state after cleaning; some of the registry changes are still present.
Once you have cleaned your computer, you are taken to an online survey:
It seems these guys take their customers’ opinion very seriously and do everything possible to provide the best possible products and services ☺
While talking to their technical support, I tried a few things to make sure I wasn’t talking to a smart bot. One thing I did was to ask a very simple maths question:
We wanted to locate the people behind the support and we found out they were most likely based in Ukraine.
While challenging the support people to make sure they weren’t bots, we came up with a funny hint.
This isn’t rocket science, but I thought I would share it with you, as it confirms our thoughts.
So I started asking for a smiley to see if the person was a real one, or a bot:
I knew they were going to use a normal smiley, so I asked for a long one and I will tell you why.
While talking to my colleagues at Kaspersky Lab, I found out that in Russia (and after some searches on social networks, in Ukraine too), a lot of chatters do their smiley without the eyes “:”.
This is a behavior that I haven’t seen anywhere else. Basically, for a long smiley, you would expect something like “:))))” but in those countries, they will remove the eyes and you will get something like “))))”. This would confirm our hypothesis about their location:
Those “))))” are the long smiley I requested. Funnily enough, their smiley has no eyes, exactly as I expected. This just confirms what we thought about their location.
I tried their support at 4am and they were indeed answering questions, proving that their support is indeed 24/7. They are offering support by email, chat, and phone and are very well organized. You can get uninstallers for older variants of their product, and also trial versions for their newer products.
The newer products “clean” the machine, unlike the previous ones. I decided to record a couple of sessions, so why don’t you take a look?