Attack of the WinFixer Clones

Lately there has been a huge increase in WinFixer affiliates/clones ... although these clones go to great lengths to hide their true identity, you can sniff them out if you know where to look ... WinFixer is run by "Innovative Marketing" and their main distribution host is SetupAHost, based in Canada, although WinFixer also has setup servers in several other countries.

Acting on an email tip from Sebastiaan S, I browsed over to "performanceoptimizer(dot)com". Clicking the Download button redirects to an (https) payment site. Both of these sites are related and use the same IP address (190.15.73.254). However, as you can see below, there is already a problem ...

To see the SetupAHost connection you have to look at the (https) traffic: the details displayed below clearly show SetupAHost (highlighted in red).

Now if you browse over to "freerepair(dot)org", on the same IP address ... oh my, even my AV (NOD32) knows it's WinFixer!

Another clone on the same IP address is CryptDrive, which Symantec describes as:
"CryptDrive is a misleading application that may give exaggerated reports about potential risks on the computer."

Sadly, I thought we had convinced ValueClick to break their ties with WinFixer ... but it looks like that is not the case.
Yes, "ad2cash" is on the same IP as the above, and there are quite a few other examples of the below ...
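As an added example (not from the original post), here is a small Python script that does the two pivots the post relies on: resolving a list of domains to see which ones share an address, and reading the subject, issuer and SAN names from a site's HTTPS certificate. The domain names and addresses in the `__main__` block are constructed sample data, not live lookups.

```python
import socket
import ssl
from collections import defaultdict


def group_by_ip(domains, resolve=socket.gethostbyname):
    """Resolve each domain and group the names that share an address.

    `resolve` is injectable so the grouping can be exercised offline with a
    constructed lookup table; by default it performs a live DNS query.
    Names that fail to resolve are collected under the key None.
    """
    groups = defaultdict(list)
    for name in domains:
        try:
            groups[resolve(name)].append(name)
        except (socket.gaierror, KeyError):
            groups[None].append(name)
    return {ip: sorted(names) for ip, names in groups.items()}


def shared_hosts(groups):
    """Keep only addresses serving more than one domain: the 'clone on the
    same IP' candidates the post walks through."""
    return {ip: n for ip, n in groups.items() if ip is not None and len(n) > 1}


def tls_identity(host, port=443, timeout=5.0):
    """Fetch the server certificate and summarise who it was issued to.

    Subject, issuer and SAN list are what you would read in the browser's
    HTTPS details pane; a certificate naming a hosting/setup provider rather
    than the brand is the kind of clue the post highlights. A failed
    handshake (bad chain, name mismatch, refused connection) is returned as
    {'error': ...} since that is itself worth recording.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except (OSError, ssl.SSLError) as exc:
        return {"error": f"{type(exc).__name__}: {exc}"}

    def flatten(rdns):
        return {k: v for rdn in rdns for k, v in rdn}

    return {
        "subject": flatten(cert.get("subject", ())),
        "issuer": flatten(cert.get("issuer", ())),
        "san": [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"],
    }


if __name__ == "__main__":
    # Constructed sample data (TEST-NET addresses), not live lookups.
    sample_dns = {"site-a.example": "192.0.2.10", "site-b.example": "192.0.2.10",
                  "site-c.example": "192.0.2.10", "other.example": "192.0.2.20"}
    groups = group_by_ip(sample_dns, resolve=sample_dns.__getitem__)
    for ip, names in shared_hosts(groups).items():
        print(ip, "->", ", ".join(names))
```

Replace the sample table with a live resolver and a real domain list to reproduce the post's pivot, and call `tls_identity()` on each shared host to read the certificate details.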

Published Sat, Oct 6 2007 3:34 by winhelp2002

Comments

# DoubleClick serves up DoubleSpeak

Tuesday, November 13, 2007 4:40 AM by Hosts News

eWeek has an article "DoubleClick Serves Up Vast Malware Blitz" which describes problems

# LimeLight Networks and connecting the dots

Friday, December 07, 2007 2:33 AM by Hosts News

Oftentimes you have to look hard to connect the dots ... however it now seems LimeLight has been affiliated