May 18, 2009 at 10:52Fake antiviruses undercover Comodo CA
Rogue Antivirus (fake antivirus) is a program that simulates the actions of an antivirus product, detects pseudoviruses in the system and requires either to pay money for their treatment, or to download updates that are already real spyware. Despite the obviousness of such a “divorce,” many users are not aware that they have become the target of fraud. Especially those who believe in secure certificates issued by trusted certifiers.
One of the blog userswrites about how he is on one of the offsets of the next Rogue antivirus (guardlab2009.com), he was faced with the fact that the certificate was issued by none other than Comodo CA, which produces the same product of the Internet Security class, formerly known as a good free firewall. After checking the sites on the same IP, the author noticed that Comodo CA issued certificates to other similar "fakes", some of which are really spyware. For example, secure.a5bill.com distributes Win32 / Adware.CoreguardAntivirus under this brand.
The most interesting thing is that certificates whose expiration date also receive renewal from Comodo. So, rapid-antivir-2009.com, rapid-antivir2009.com, rapid-antivirus2009.com, redirected to secure.xsoftstore.com had a certificate issued before April 28, 2009. However, now an updated certificate is being used there until the end of July.
There has still not been a formal reaction from Comodo CA to the blogger’s appeal.
Addition: a list of the most famous sites with fake antiviruses
One of the blog userswrites about how he is on one of the offsets of the next Rogue antivirus (guardlab2009.com), he was faced with the fact that the certificate was issued by none other than Comodo CA, which produces the same product of the Internet Security class, formerly known as a good free firewall. After checking the sites on the same IP, the author noticed that Comodo CA issued certificates to other similar "fakes", some of which are really spyware. For example, secure.a5bill.com distributes Win32 / Adware.CoreguardAntivirus under this brand.
The most interesting thing is that certificates whose expiration date also receive renewal from Comodo. So, rapid-antivir-2009.com, rapid-antivir2009.com, rapid-antivirus2009.com, redirected to secure.xsoftstore.com had a certificate issued before April 28, 2009. However, now an updated certificate is being used there until the end of July.
There has still not been a formal reaction from Comodo CA to the blogger’s appeal.
Addition: a list of the most famous sites with fake antiviruses