Malwarebytes sounds alarm over anti-virus imposter website

31 Jan, 2013

Malwarebiter promises to protect users, but infects them with a Zeus Trojan instead, it is claimed.

Anti-virus vendor Malwarebytes has alerted consumers to a website it claims is delivering malware to computers.

The website, named Malwarebiter, was discovered earlier this week by Malwarebytes analyst Adam Kujawa.

Malwarebytes has accused Malwarebiter of copying its own website's styling to give it a veneer of credibility.

The company also accuses the alleged imposter of using spam or other underhand means to boost its Facebook following to increase its apparent legitimacy.

However, what has concerned the organisation most is that the website is apparently carrying out ‘drive-by’ attacks on users who do not even download the product.

“Traffic analysis from our visit revealed ‘roe.js’, a file containing JavaScript,” Joshua Cannell, malware intelligence analyst at Malwarebytes, said in a blog post.

“Upon further inspection the file revealed an embedded iFrame object that links to a rogue IP hosting the Blackhole Exploit Kit.

“iFrames allow web developers to embed the contents of one webpage within another [and] using iFrames for drive-by malware attacks is common since they can be crafted invisible to the naked eye,” Cannell explained.

The roe.js file then executes either a Java or a PDF exploit, resulting in the infamous Zeus Trojan being downloaded onto the visitor’s PC, roping it in to one of the internet’s most notorious botnets.

Anyone who installs Malwarebiter’s anti-malware programme will find it does not detect the newly installed Zeus malware. Instead, they may be directed to a second website, Ad-purge, which is a known fake spyware reporter.

In turn, both websites are linked to a third, Rebrand Software, which creates software products for private buyers who then sell it on as their own.

Furthermore, Malwarebytes claims numerous other pieces of malware have been discovered contacting the Rebrand Software domain.

Cannell said it is “vital” for PC users to protect themselves from software exploitation.

“The Java and PDF exploits found on Malwarebiter’s website could be prevented by keeping your software patched and up to date.

“However, this does not always solve the problem as both Java and PDF viewers are highly targeted for exploitation, with new vulnerabilities discovered every day.

“In light of this, users might want to stop using Java altogether. As for protection from malicious PDFs ... users might be better off viewing [them] in secure browsers, like Google Chrome,” advised Cannell.