We’ve seen a number of examples lately of legitimate security companies being advertised through malware.
It is important to note that this advertising is not from the companies themselves. It’s coming through affiliates (meaning,people who make commissions sale they refer).
1. Advertising through Trojan DNSChanger
We have observed both StopZilla and PC Tools being marketed in search redirects from Trojan DNSChanger infections. A video through Vimeo is available below; unedited raw video is available here (video taken on 1/22/2008).
Trojan DNS Changer video from alex eckelberry on Vimeo. Click here for a higher quality version
(Apologies for the poor voice recording quality.)
2. Advertising in LOP
Symantec and Zone Labs products have recently been observed being advertised through popups in CiD (Circle Development, aka C2 Media or Lop.com).
(Observed on 2/6/2008)
3. Advertising in SurfSidekick
Ben Edelman also recently observed a full-screen popup of the Symantecstore.com site while running SurfSidekick.
Traffic flowed as follows: From SurfSideKick (aka Deluxe Communications) to Traffic-Director to Digital River to Symantecstore. Ben was kind enough to provide a screen-capture and a full packet log.
(Observed on 2/3/08)
Affiliate programs are a great way to spread the word on your product, but they need to be monitored carefully for abuse.
Alex Eckelberry
(Additional credit to Adam Thomas at Sunbelt for creating the video)