
Rogue Antivirus Distribution Network Dismantled

A major distribution network for rogue anti-virus products has been shut down following reports by Security Fix about massive profits that the network's affiliates were making for disseminating the worthless software.

On Monday, Security Fix profiled, a program that pays affiliates handsome commissions for spreading "scareware" products like Antivirus2009 and Antivirus360. Scareware tries to frighten consumers into purchasing fake security software by pestering them with misleading and incessant warnings about threats resident on their systems.

According to a message posted at and its sister sites, the program's credit card payment processor pulled the plug on them shortly after our story ran. is currently unreachable, but a message posted to the home page earlier this morning reads:

On March 18th, in the evening, with no warnings, the German Merchant Processing was cut off. Merchant was at the bank personally (without intermediaries), proved and with the arrangements on the highest level. Up until now the bank was not replying to our inquiries, but finally we received answers from them: your Merchant was blocked and the account frozen until the determination of the facts. According to unofficial channels, we have been able to ascertain the following:

"I am sorry to inform you that both VISA and MC have done a surprise on site visit at the [...] offices in Frankfurt. They are actually there as we speak.

They have instructed WC to freeze your account until further notice and both of these companies have different reasons for doing so:

VISA; they want to investigate where all the volume comes from.
MC; High [chargebacks] the past few days."

This is an absolutely unprecedented case, when two of the largest payment systems called for the Merchant to be blocked. We also have reason to believe that the situation was caused by the recent publication about us and our products in the Washington Post:

There are, as you can see, some very serious accusations, including the relation to Conficker, which we actually are not implicated with (and can prove it if necessary).

As a result of this situation:
- No money to pay;
- No capacity to process products (not because we're not working, but because no processor can endure this volume);
- There is a chance to get ourselves under prosecution and let down Webmasters.
So, the decision was made to default and shut down the Traffic Converter. In case we resolve this issue and manage to refund the money from the bank, we will pay you off all debts as quickly as possible.
If we manage to get the stable traffic conversions we have demonstrated during the year and a half, we will contact you on an individual basis.
Thanks to everyone for succesful [sic] business cooperation.

By Brian Krebs  |  March 20, 2009; 1:08 PM ET
Categories: Cyber Justice, Fraud | Tags: antivirus360, takedown


I'm sure it's all a misunderstanding. LOL

Thanks, Brian, for your work and for the blog.

Posted by: JkR- | March 20, 2009 2:58 PM

Virtual high five, BK.

Posted by: lostinthemiddle | March 20, 2009 5:58 PM

It's stunning to me that it took a newspaper story to get any action on this sort of criminal enterprise. The security community and law enforcement should be ashamed that the way is being led by media outlets like the Washington Post and the BBC. Thanks for stepping up to the plate. Perhaps the security community will catch up shortly.

Posted by: ejevo8 | March 20, 2009 10:06 PM

I love the language syntax errors. Boris and his Eastern European thieves are so easy to spot.

Posted by: swatkins1 | March 21, 2009 5:26 AM

Thank you for the article. It certainly reaffirms I made the right decisions. I had the fake antivirus popup occur last night and first thing this morning while at a UK newspaper website. To shut it down, however, I had to invoke the Task Manager \ end program. Repeated clicking on "cancel" within the popup did nothing.

Posted by: PAH9356 | March 21, 2009 6:04 AM

SEE !!!

Sometimes publishing quality research in a timely fashion has its rewards.

If only it was 'all the time.' LOL

Posted by: | March 21, 2009 7:13 AM

Nice one Brian :o)

Those of us working on the sec com actually are working extremely hard on shutting folks like this down. I myself spend money out of my own pocket tracking the sources and trying to get them shut down (I don't work for a company, so have to pay for everything myself).

Sadly, the only effective method we've seen in the last few years of getting those with authority to do anything is publication. Private reports such as those I send myself usually result in a "thanks, we'll look into it" and rarely get taken any further (just do a search on RapidSwitch (documented on my blog), and you'll see what I mean).

Posted by: MysteryFCM | March 21, 2009 7:34 AM

You don't know how pleased I am.
This time last year I and my sister were battling for days on end trying to get rid of that virus.
I don't recall how we did.
But we use ENOD anti virus and it has never come back.

Terrific reporting....atta way to go.!!!! We strongly recommend that you get a BONUS....on us!!!

continue your wonderful efforts....

Posted by: rahard | March 21, 2009 10:01 AM

Congratulations, Brian !!!

Applause !

Posted by: observer31 | March 21, 2009 10:02 AM

Brian: Of all of the people getting a bonus these days (i.e. AIG), you are the only one who deserves one.

Posted by: dingdong789 | March 21, 2009 10:30 AM

Good work sir..keep up the good fight!!

Posted by: rbaldwin2 | March 21, 2009 11:17 AM

ejevo8, you're exactly right--why does it take publicity from a newspaper article to force action? It's the same from people registering obviously fake domains, like It's pathetic that these companies just shrug their shoulders and ignore any problems.

Posted by: smmd2007 | March 21, 2009 1:47 PM

I hope the next Tech Czar is given $millions and a baseball bat with a free license to go after any and every Internet threat... the last administration tied the Tech Czar's hands (via NSA).

The next 9/11 might actually be bodies if they can hack traffic control, railroad switching, etc.

Posted by: geomguy | March 21, 2009 5:39 PM

swatkins1 wrote: "I love the language syntax errors. Boris and his Eastern European thieves are so easy to spot."

That nice former President of Nigeria who's sending me a big piece of his secret Zimbabwe bank account just for letting him use my name, SS number, and credit card number writes in much better English.

The money should be here any day now.

Posted by: Garak | March 21, 2009 8:09 PM

BK, I am being thanking you for excellent story.

Posted by: oldiesfan1 | March 21, 2009 10:17 PM

The virus appeared on my machine, but considering that I had active anti-virus software I couldn't understand how I was getting this warning. With its local I thought it might have been a Microsoft product, but when I ran it, it asked for money. As a result I made sure my software was all current and scanned my computer again. It took half the day because it's an old computer and very slow. I could easily see how someone could be fooled, and considering I'm not that much of a computer expert it's a wonder that I wasn't. Keep up the good work and keep us all current. Thanks.

Posted by: cjride | March 22, 2009 5:05 AM

Thank you for the article. Up until now, no publication really considered this to be a threat until your article revealed its intentions.

My XP workstation was infected with antivirus2009 last December and I immediately disconnected my Ethernet cable connection (I'm old fashioned). It took over two hours, IF one has the time and is familiar with regedit. I set the recycle bin to delete upon removal, disabled server services and set the clear memory pagefile upon shutdown, rebooted into safe mode & ran Spybot just to view the registry entry paths and keys associated with antivirus2009, copied and pasted them into a text file, rebooted again, removed about 40+ entries manually using regedit, and removed the folder antivirus2009, but there were about 3 DLLs from which I had to remove all attributes using the attrib command and move them onto a flash drive; I didn't trust the recycle bin to remove them. Rebooted again in safe mode: all registry entries from the Spybot scan of antivirus2009 were gone.

I then rebooted again with networking enabled and used Firefox to find articles and fixes, and saw a few registry entries which should be removed as well.

I removed it the hard way but was curious, especially when it disabled McAfee anti virus and I would receive the "you have no anti virus program" warning from XP itself.

What did I do with the flash drive? I connected it to my iBook and reformatted & re-connected it to the XP Desktop and recognized the flash drive but had to be repaired and reformatted.

This may sound a lot since Symantec and other anti-virus programs are able to remove it but being in the IT field I was curious.

Posted by: yakuratt | March 22, 2009 9:10 AM
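The manual clean-up yakuratt describes (enumerate the registry entries tied to the program, write them down, remove them, then deal with the hidden DLLs) is the kind of work worth scripting so that the record-keeping happens before anything is deleted. The PowerShell below is an added example written for this page; it is not the commenter's procedure, the article's, or any vendor's tool. The autostart keys it checks, the report and quarantine directories, the `-Remove` switch and the `antivirus2009` default pattern are assumptions chosen for the example, and it assumes PowerShell 3 or later and `reg.exe` on the path.

```powershell
<#
 Added example, not code from the article or from the comment above.
 Report-first triage of Windows autostart registry entries whose name or command
 line references a given pattern. Without -Remove it only writes a report and
 .reg backups; with -Remove it deletes the entries and quarantines the files.
 Assumptions (not from the page): key list, directories, switch names, PS 3+.
#>
param(
    [string]$Pattern   = 'antivirus2009',                            # name fragment from the comment
    [string]$ReportDir = (Join-Path $env:USERPROFILE 'Desktop\av-triage'),
    [switch]$Remove                                                  # default: report only
)

# Autostart locations checked by this example (assumption; extend as needed)
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

$quarantine = Join-Path $ReportDir 'quarantine'
New-Item -ItemType Directory -Path $ReportDir  -Force | Out-Null
New-Item -ItemType Directory -Path $quarantine -Force | Out-Null
$findings = @()

foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }                    # skip PowerShell's own metadata fields
        $text = "$($prop.Name) $($prop.Value)"
        if ($text -notmatch [regex]::Escape($Pattern)) { continue }

        # Pull the .exe/.dll path out of the command line, if there is one
        $filePath = $null
        if ("$($prop.Value)" -match '^\s*"?([^"]+?\.(?:exe|dll))"?') { $filePath = $Matches[1] }

        # -Force shows hidden/system files, the ones the commenter had to clear with attrib
        $attrs = 'missing'; $size = $null
        if ($filePath -and (Test-Path -LiteralPath $filePath)) {
            $fi = Get-Item -LiteralPath $filePath -Force
            $attrs = $fi.Attributes.ToString(); $size = $fi.Length
        }

        $findings += [pscustomobject]@{
            Key = $key; Name = $prop.Name; Value = $prop.Value
            File = $filePath; Attributes = $attrs; SizeBytes = $size
        }
    }
}

# Always write the report and export each affected key before any removal
$findings | Format-List | Out-String | Set-Content -Path (Join-Path $ReportDir 'findings.txt')
foreach ($key in ($findings | Select-Object -ExpandProperty Key -Unique)) {
    $regPath = $key.Replace(':', '')                                # HKLM:\... -> HKLM\... for reg.exe
    $backup  = Join-Path $ReportDir (($regPath -replace '[\\:]', '_') + '.reg')
    & reg.exe export $regPath $backup /y | Out-Null
}

if (-not $Remove) {
    "{0} matching autostart entries found; report and .reg backups are in {1}. Re-run with -Remove to delete them." -f $findings.Count, $ReportDir
    return
}

foreach ($f in $findings) {
    Remove-ItemProperty -Path $f.Key -Name $f.Name -ErrorAction Continue
    if ($f.File -and (Test-Path -LiteralPath $f.File)) {
        # Clear ReadOnly/Hidden/System (the attrib -r -s -h step), then quarantine rather than delete
        (Get-Item -LiteralPath $f.File -Force).Attributes = 'Normal'
        Move-Item -LiteralPath $f.File -Destination $quarantine -Force
    }
}
```

Run it once without `-Remove` from an elevated prompt to get `findings.txt` and the `.reg` backups, review them, then run with `-Remove`. Files go to a quarantine folder instead of the recycle bin so they can be hashed, inspected, or submitted to an anti-virus vendor later, and the `.reg` exports let the autostart keys be restored if a legitimate entry was caught by the pattern.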

In the title of the article, shouldn't the second word be quoted? They didn't sell antivirus software, they sold "antivirus" software.

Posted by: MoonDJ | March 22, 2009 9:49 AM

@moondj -- hence, the "rogue" qualifier, which is pretty standard across the security industry.

Posted by: BTKrebs | March 22, 2009 9:56 AM


Does Jean Phillipe Schoeffel have anything to do with it?

Posted by: dlafky1 | March 22, 2009 10:49 AM

Quotes or no quotes, in his article the phrase "scareware" with a price tag to go correctly describes this scam.

The intention of antivirus2009 was to scare users into actually believing they were paying for a legitimate product when instead they were paying for vaporware.

It reminded me of the AOL scam last decade where AOL users would receive an e-mail indicating something akin to "our processor or CPU or system has lost your AOL account info, please reply with your name, credit card, SSN# etc."

This is a very good article for the fact that I saw very few references other than tech blogs on how to remove it last December.

I'm glad Brian Krebs wrote this article; it has a "PLEASE READ" appeal to it.

Posted by: yakuratt | March 22, 2009 11:16 AM

Hats off to you BK. I can't tell you how many PCs I had to reformat over the last 3 months, all due to AV 360. Amazing what this blog has done for the security community. .....(golf clap).....

Posted by: SWiM | March 22, 2009 12:34 PM

Love your columns. Great job getting the bad guys. Are you changing your name to Elliot Ness?

Posted by: duanelaw1 | March 22, 2009 1:52 PM

I had to deal with one of these "Antiviruses" a couple of days ago.
Great job Brian!

Posted by: ABHFGTY | March 22, 2009 2:10 PM


If you've already covered this issue, please ignore or simply delete this comment.

In 2005 and later in 2006, we were entrapped by WLI (Web Loyalty Inc) "Reservation Rewards" scam, probably through one of our frequent travel sites. Once I detected the small charges on our credit card statements, I had the "membership" terminated.

I searched for information and found out that a law firm had a class action against WLI and followed the case from then on. Many otherwise legitimate travel booking and e-commerce sites apparently were happy to put WLI's misleading "Rewards" link on their sites for a fee. (The attorneys published a list of these which I'll be happy to provide.)

The issue I'm most unhappy about is the willingness of otherwise reputable vendors to provide my charge card info to scammers like WLI without my specific authorization. My "implied consent" is probably buried in some legalese on the site, but vendors who perpetuate a scam like this will ultimately lose my business.

Finally, I received an email announcing that WLI has entered into settlement to resolve the issue while still maintaining that they did nothing illegal. The link for more info is:

I thought your readers might like to know about this.


Posted by: Carmanjw | March 23, 2009 10:08 AM

It's about time! My roommate infected my computer with AntiVirus 2009 while I was on vacation in October 2008. I followed removal instructions I found on websites - multiple times - and couldn't get rid of it. The amount of time spent on fixing it was maddening. Also had McAfee. Not only does McAfee employ the same annoying and aggressive popups, sales tactics, etc., to get you to renew, but it didn't even work to get rid of this very serious threat. Never again. Expensive, annoying, and didn't even work. Also couldn't believe how under-reported this threat was.

Posted by: margherita555 | March 23, 2009 1:35 PM


© 2010 The Washington Post Company