All articles licensed under a Creative Commons License.

Wednesday, November 22, 2006

Beware of DoiiarRevenue.com: Mimicking an Adware vendor for fun and profit

See, it's confusing enough when your PC gets nailed with an infection bundle. You have all those popups, toolbars splattered everywhere and about six billion randomly named executables dumped into your system32 folder.

Who is responsible? Where did this stuff come from? And more importantly, where do I send the envelope stuffed with dogpoo?

Scatological fun and games aside, what happens when someone decides to mimic a well-known Adware vendor and confuse things even further?


Well, that's exactly what seems to have happened here. DollarRevenue (whose own bundles of joy regularly turn up in all sorts of places) seem to have something of a fan - a fan that's riffing off their domain and subdomains, and even naming their files in a similar fashion to DollarRevenue's own. The files involved open up various backdoors on the PC, scan for exploits, and there's evidence of Botnet activity, too. Ironic, considering the number of times DollarRevenue's own executables have been found in Botnets, but to be honest I'm still too freaked out by those pointy-headed arrowmen to comment further.

At this point, I'd show you a screenshot of the real DollarRevenue site but it's currently offline, adding to the mystery (such as it is). You'll just have to make do with this craptacular screenshot from a cache. You get the general idea, at any rate (there's a better version here, assuming it loads, from the Internet Archive. Do those toe-tapping arrowhead....things....creep you out too? You know they do. Admit it. You'll be a better man for it.) Compare and contrast with the following:

...as you can see, there's a few differences (no freaky arrowhead men, for one thing).

Note the domain - doiiarrevenue.com. The two lower-case L's in "dollar" have been swapped for two lower-case i's, which in most sans-serif fonts (and in an address bar glanced at in a hurry) are near enough identical.

Clever!

The Whois details for this site don't match the details for the real DollarRevenue site - no idea who Lisa A Richmond is, but I doubt DollarRevenue have started operating out of a PO Box address.

The copycat aspect continues with many of the subdomains - for example, a common DollarRevenue domain is promo.dollarrevenue.com. Can you guess what these guys were using until a day or two ago? That's right, promo.doiiarrevenue.com! And on it goes - one file started life as "drsmartload195a.exe", then went through a rapid selection of name changes until they settled on the rather inventive "drrrrrr.exe".

Currently, the main download site gives us this - yeah, I know, not exactly spectacular. But these guys are chopping and changing their files all the time, so it'd be wise to keep watching this domain for the time being.

As to who exactly is behind this, it's hard to say. A burnt affiliate? Possibly. These guys are taking their obsession with mimicking DollarRevenue to a frankly scary place - to be honest, I'm surprised they haven't bothered making their site look more like the original, too. Hell, it wouldn't surprise me if these guys have simply grabbed some old DR binaries and edited the URLs inside the files to point to this domain. From the looks of it, they're likely to put many more files up for download over the next few days, and I don't see how they could be coding all these new executables every five minutes.
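The two tricks above - the ll/ii homoglyph in the domain and the reuse of promo.* subdomains and DR-style file names - are exactly what a watch-list check should catch. The following is an added example, written for this page and not code from the original post or from DollarRevenue: it folds visually confusable characters before comparing a hostname's registrable domain against a brand list, falls back to edit distance for plain typos, and pulls URL hosts out of a binary blob so the "edited the URLs inside old binaries" theory can be checked with the same function. The confusables table, the two-label "registrable domain" shortcut and the sample byte blob are assumptions constructed for the example.

```python
import re

# Single characters that look alike in common sans-serif fonts, each mapped to
# one representative. Assumed/illustrative table, not from the original post.
CONFUSABLES = {
    "i": "l", "1": "l", "|": "l", "!": "l",   # i, 1, | and ! all pass for l
    "0": "o",                                  # zero for o
    "5": "s", "$": "s",
    "3": "e",
}
# Character pairs that read as a single glyph at a glance.
DIGRAPHS = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def fold(label: str) -> str:
    """Collapse visually confusable characters so lookalikes compare equal."""
    s = label.lower()
    for pair, single in DIGRAPHS:
        s = s.replace(pair, single)
    return "".join(CONFUSABLES.get(c, c) for c in s)


def registrable(hostname: str) -> str:
    """Last two labels, e.g. promo.doiiarrevenue.com -> doiiarrevenue.com.
    Simplification (assumed): ignores multi-label public suffixes like co.uk."""
    labels = hostname.strip().rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch single-keystroke near-misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(hostname: str, watchlist, max_distance: int = 1):
    """Return (brand, verdict) for the first brand the hostname imitates, else None.
    "homoglyph": folded forms identical but raw spelling differs.
    "typo": within max_distance edits after folding."""
    domain = registrable(hostname)
    if domain in watchlist:
        return None  # the genuine domain or one of its own subdomains
    folded = fold(domain)
    for brand in watchlist:
        folded_brand = fold(brand)
        if folded == folded_brand:
            return brand, "homoglyph"
        if levenshtein(folded, folded_brand) <= max_distance:
            return brand, "typo"
    return None


def scan(hostnames, watchlist):
    """Run classify over a batch of hostnames and keep only the hits."""
    return [(h, *r) for h in hostnames if (r := classify(h, watchlist))]


def extract_hosts(blob: bytes):
    """Pull the host part of every http(s) URL embedded in a binary blob."""
    return [m.decode("ascii") for m in re.findall(rb"https?://([A-Za-z0-9.-]+)", blob)]


# Constructed sample data (not real captures): a watch list, some hostnames,
# and a fake binary with two URLs embedded between padding bytes.
WATCH = ["dollarrevenue.com"]
SAMPLE_HOSTS = ["promo.doiiarrevenue.com", "doiiarrevenue.com", "dolarrevenue.com",
                "promo.dollarrevenue.com", "example.com"]
SAMPLE_BLOB = (b"MZ\x90\x00" + b"\x00" * 32
               + b"http://promo.doiiarrevenue.com/drsmartload195a.exe\x00"
               + b"\x00" * 8 + b"http://www.example.com/\x00")

if __name__ == "__main__":
    for hit in scan(SAMPLE_HOSTS, WATCH):
        print("hostname:", hit)
    for hit in scan(extract_hosts(SAMPLE_BLOB), WATCH):
        print("embedded in binary:", hit)
```

Folding before comparing is what turns doiiarrevenue.com into an exact match rather than a two-edit near-miss; keep max_distance at 1, since anything looser will flag unrelated short domains. For a real deployment the two-label registrable-domain shortcut should be replaced with a public suffix list lookup.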

This whole situation is extremely interesting - security sites, search engines and pretty much everything else out there have had to deal with typosquatters like this in the past. This is the first time I can recall seeing this happen to an Adware vendor, though of course I could be wrong. Assuming this isn't a legit DollarRevenue site - and I can't see how it could be - there'll be even more confusion in the "who just jacked me!" camp, as end-users struggle to find out exactly who just marched into their PC, set up camp and refused to stop squatting in their back gardens.

The question is, will DollarRevenue be able to do anything about it?

All Content © Vitalsecurity.org 2006. The content of this site is entirely the opinion of Paperghost, and is in no way endorsed by FaceTime Communications. In other words - have a problem, come see me.