The .co.cc domains, littered with malicious sub domains hosting exploit pages and malicious java applets for the past several months, are now hosting FakeAv pages and “BestAntivirus2011.exe”.
While the FakeAv rotation through .co.cc is not a shocker to security researchers at this point, one interesting domain popped out from the tens of thousands of .co.cc sub domain fakeav hits over the past day…”antispyware-macbook(dot)co(dot)cc”. This marketing quirk is odd, even for these guys. Does this domain suggest that another Apple based malware is in the works? Possibly. For now, I doubt it, because the Windows platform continues to be the dominant player, and this malware distributor seems to be very persistent at targeting the Windows platform. But it is very odd that this group is marketing “Fast Windows Antivirus 2011” from “macbook” domains.
Whatever group is using these domains, they have been very successful at conning large advertising networks into hosting their banner ads that redirect to these .co.cc sites. What they develop next is anyone’s guess. Here is a non-exhaustive list of the terms used in sub domains currently peddling the “Bestantivirus2011.exe” from these free and incredibly cheap .co.cc hosting domains over the past day or so. When users visit pages at these sites, they are presented with the usual “Your computer is infected!” scareware and “Windows Security has found on your system and will perform fast scan of system files” scam:
The pages are currently detected as “Hoax.HTML.Fakeantivirus.y”, but the variants have been changing frequently over the past few months. It does not seem that these pages are related to “Lizamoon” (although they could be some cross-over), as there are rumors that the affiliate program is already shut down. The FakeAv referenced here is actively distributed at the moment. Researchers may notice the dropped component passed the Harry Potter reference “BOMBARDAMAXIMUM” as a cmd line argument.