Utilizing the power of the Umbrella Security Graph, our Labs Team is constantly on the lookout for any anomalies that could indicate potential threats. Recently, we’ve noticed several domains that appear to be search engines triggering a number of predictive models in the Security Graph.

These high-volume domains seemed to be stable, but a number of red flags quickly became apparent: demonstrated fast flux behavior, residence at low reputation IP subnets, and an alarmingly low secure rank. Although the software appeared legitimate, and the domain registered at .IN had been around for a long time, a quick investigation indicated that the sites were involved in a PC optimizing scam:





Screen Shot 2013-07-16 at 1.39.01 PM

We began by loading the websearch[.]helpmefindyour[.]info site, and saw the usual search window with an advertisement. Nothing suspicious here – until we used a outdated user agent when browsing the same site. The advertisement about fixing your ‘slow’ PC appeared. 

Screen Shot 2013-07-12 at 1.27.50 PMScreen Shot 2013-07-12 at 1.28.13 PM 

Getting a speed boost for your PC is fine, however, the changed behavior revealed by an outdated user agent resembles malicious downloads that exploit vulnerabilities of older systems. (Doesn’t it remind you of other Rogue AVs out there?) We got the executable from the site and ran it on a CLEAN VM. See the screenshots for the red alerts – they’re showing entirely made-up errors found on a clean system.

Screen Shot 2013-07-12 at 1.28.33 PMScreen Shot 2013-07-12 at 1.04.14 PM

In addition to a “registry cleaner”, that, of course, found things to fix on our system, we were offered the installation of two additional applications: a backup tool and another optimization tool.

Screen Shot 2013-07-12 at 1.03.17 PM Screen Shot 2013-07-12 at 1.03.14 PM (1)

Several more ‘errors’ were found on our system, and only a handful of them could be fixed with the free version. Fixing the 100+ remaining issues required one to buy the product.

Screen Shot 2013-07-12 at 1.07.18 PM Screen Shot 2013-07-16 at 4.42.47 PM

A few minutes after having installed this tool, another window popped up informing us of 30 malware infections needing to be fixed, which required the purchase of yet another product. 

Screen Shot 2013-07-16 at 5.01.49 PMScreen Shot 2013-07-16 at 4.57.00 PM

These executables don’t appear to be malicious per se – however, programs asking for money to install bogus PC optimizers are blatant scamware products you need to be aware of. 

Additional malicious domains:

websearch.a-searchpage.info websearch.coolwebsearch.info websearch.good-results.info websearch.greatresults.info websearch.helpmefindyour.info websearch.homesearchapp.info websearch.homesearch-hub.info websearch.lookforithere.info websearch.pu-result.info websearch.pur-esult.info websearch.pu-results.info websearch.resulthunters.info websearch.searchannel.info websearch.searchdwebs.info websearch.searchingissme.info websearch.searchmainia.info websearch.searchouse.info websearch.searchrocket.info websearch.simplespeedy.info websearch.soft-quick.info websearch.youwillfind.info

This post is categorized in: