System Defend Antivirus 2010 - new rogue AV ?!

[doktornotor]

Can someone of Avast folks check this out? Not detected by anyone on VT. (They bundle 200megs of .Net installers crap with it, the thing itself is just ~7MiB)

http://www.wilderssecurity.com/showthread.php?t=272624
http://www.thaivisa.com/forum/Real-Rogue-Antivirus-System-Defen-t326024.html
http://www.softpedia.com/get/Antivirus/System-Defend-Antivirus-2010.shtml
http://download.cnet.com/System-Defend-Antivirus-2010/3000-2239_4-75182270.html
http://www.brothersoft.com/system-defend-antivirus-2010-361369.html

[Hermite15]

needs to be run in a VM to see what it does after a couple of hours or days. My guess is obviously yes, that's rogue. Again, remains to find out what it does. I wouldn't  risk an install We need Polonus here and also Pondus is after rogue AVs...they'll probably see that thread. Thanks for posting that's interesting.

that's all I got so far, not about the "AV", but about the main site offering the download
http://www.mywot.com/en/scorecard/www.brothersoft.com

I can't believe that CNet and softpedia are offering it too

edit: publisher  >>>> hxxp://www.preedasoftware.com/ ( 61.19.247.206  based in Thailand)
hxxp://www.preedasoftware.com/index2.php
hxxp://www.systemdefendantivirus.com
nothing here: http://wepawet.iseclab.org/view.php?hash=7e47ba314c38630907a94fad07c54f03&t=1273860244&type=js
http://wepawet.iseclab.org/view.php?hash=ac1e2e1b636034021b3e5bfd8547c462&t=1273861319&type=js

[doktornotor]

As you said, need some VM to install, don't have one handy ATM. Well, could try to install to a sandbox but don't feel like that 

I can't believe that CNet and softpedia are offering it too

Yeah, that's really a WTH...

[Hermite15]

I've edited my first post in the mean time, trying to find out more about the publisher...

[Hermite15]

http://www.wmtips.com/tools/info/?url=http://www.preedasoftware.com/
http://validator.w3.org/check?uri=http://www.preedasoftware.com/
again, Polonus could interpret that...may be there's nothing there either, I haven't got a clue. I'm not familiar at all with those web tools.

Errors found while checking this document as XHTML 1.0 Transitional!

other errors on the download page:
http://jigsaw.w3.org/css-validator/validator?uri=http://www.preedasoftware.com/index2.php
http://validator.w3.org/check?uri=http://www.preedasoftware.com/index2.php

[polonus]

Hi Logos,

You miss the malcode if you do not also check the links from that site
Suspicious at some time are/were:
http://www.google.com/safebrowsing/diagnostic?site=www.geardownload.com  
At the crux of this may be regnow*com, a site full of adware and trojans...

http://safeweb.norton.com/report/show?url=regnow.com&x=0&y=0 alerted by Community Rating:
website- unsafe risky downloads reported by some users, here's a few[ keylogger!!!
spy agent adware downloader-xz trojan lot of spyware and others??

well to sum it up: malicious software includes 74 trojans, 5 backdoors, 2 viruses.
Successful infection resulted in an average of 2 new processes on the target machine

Another link not completely beyond suspicion: http://www.google.com/safebrowsing/diagnostic?site=www.softwarelode.com

And finally then this link: http://www.google.com/safebrowsing/diagnostic?site=download.cnet.com
Malicious software includes 1 trojan.
Successful infection resulted in an average of 1 new process on the target machine,
last found to be there 2010-03-07,

polonus

[Hermite15]

Hi Logos,

You miss the malcode if you do not also check the links from that site

yeah... >>> I checked only two pages, the main one with the ads about the sites providing the download, and the main download page. Okay this said all you found is that sites providing the download are infected (including CNet), but you didn't find anything related to this particular download, and its publisher >>> hxxp://www.preedasoftware.com and System Defend Antivirus 2010   doesn't seem easy but I'm sure that's a rogue, no possible doubt (intuitively yes...).

[doktornotor]

So this is what Softpedia calls ad-supported?! Shame on the guys. 

With a behaviour like that, it's beyond doubt that it's not only useless, but definitely rogue as well. Those forced-to-be-clicked ads will point you to a malware-infested site sooner rather than later.

[sg09]

So this is what Softpedia calls ad-supported?! Shame on the guys. 

With a behaviour like that, it's beyond doubt that it's not only useless, but definitely rogue as well. Those forced-to-be-clicked ads will point you to a malware-infested site sooner rather than later.

It's a worthless crap and surely it may lead to drive-by-downloads for sure. I had collected few screenshot but all deleted because now I have deleted the VM. Testing this crap have spoiled my evening. 

[Hermite15]

why did you delete the screen shots, that's exactly what we need you could have taken them from the host system anyway, can you describe the behavior of that crap, assuming you tested it in a VM? some say it prompts for a first system check before installing...(mentioned either on wilders or another site...)

[doktornotor]

why did you delete the screen shots, that's exactly what we need you could have taken them from the host system

FWIW, there are a couple of screenshots on Wilders thread. Basically, it's a Kaspersky GUI rip-off flooded with ads, even the logo is stolen from Kaspersky. 

[Hermite15]

why did you delete the screen shots, that's exactly what we need you could have taken them from the host system

FWIW, there are a couple of screenshots on Wilders thread. Basically, it's a Kaspersky GUI rip-off flooded with ads, even the logo is stolen from Kaspersky.  

this I knew I saw them >>> what I meant is screen shots showing the "software" and system behavior, i.e. dialog boxes, prompts etc...anything suspicious or very obviously rogueware like.

[Hermite15]

it's also on ZDnet France >>> hxxp://www.zdnet.fr/telecharger/logiciel/system-defend-antivirus-2010-39830683s.htm 

[sg09]

why did you delete the screen shots, that's exactly what we need you could have taken them from the host system anyway, can you describe the behavior of that crap, assuming you tested it in a VM? some say it prompts for a first system check before installing...(mentioned either on wilders or another site...)

Give me some time, I will post them. I am installing it again in VM.

[Hermite15]

why did you delete the screen shots, that's exactly what we need you could have taken them from the host system anyway, can you describe the behavior of that crap, assuming you tested it in a VM? some say it prompts for a first system check before installing...(mentioned either on wilders or another site...)

Give me some time, I will post them. I am installing it again in VM.

okay >>> please post screen shots not just of the interface of the program, but first of all of suspicious behavior if any, like prompts to remove malware, system behavior change etc...