|
|
Behind the reports of rogue antivirus scams is a multimillion dollar business lining the pockets of cyber-thieves. The threats arent new, but they have been growing in prevalence, according to malware researchers. Seven of the top 25 malware or unwanted software families from the second half of 2008 had a connection to rogue software, according to Microsoft experts. Two in particular—Win32/FakeXPA and Win32/FakeSecSen—were detected by Microsoft on more than 1.5 million computers.
The prevalence of the scams is driven by the profits. In a report in March, Finjan uncovered a rogueware affiliate network that hauled in an average of $10,800 a day. Such schemes are successful in part because attackers do a good job of mimicking the look of the Windows Security Center and other legitimate screens in Windows to give their phony scams an air of authenticity. Successfully fighting rogue antivirus schemes must involve teaching users about social engineering. With all this in mind, eWEEK is going behind the scenes of some of the successful rogue antivirus scams that have plagued the Internet.
|
|
|
|
- Exposing How Rogue Antivirus Sites Snag Victims
by Brian Prince - It Begins With Poisoned Google Searches
One of the ways purveyors of bogus antivirus tools rope users in is by poisoning Google search results. In the case here highlighted by eSoft, a search with the terms "nhl all-time scoring leaders" brought back more than just information about the National Hockey League. The fifth, sixth, seventh, eighth and tenth results led to malicious Websites where users were hit with fake warnings that their systems were infected, as well as a supposed cure. - How the Search Results Are Poisoned
According to eSoft, the compromised sites have a massive listing of search strings with the same keyword. For example, one compromised site harbored a number-related search terms, such as 'Windows XP double height taskbar' and 'taskbar items disappear XP.' At the bottom of the page there are generally links to other similar php pages with the same characteristics but a different keyword. The massive amounts of keywords and the links increase the page rank, eSoft explained. - Dirty Dancing with Malware
Sometimes these Google searches are abused by attackers toting promises of newsworthy exclusives. Such was the case when actor Patrick Swayze died last week. In this incident, some people searching for info about the actor's funeral found links leading to a site with a supposed video of rapper Kanye West interrupting Swayzes funeral as he interrupted MTV Video Music Awards show. Those who clicked on the video were led to yet another site that promises the video, but in fact gives them rogue AV. - A Look at a Cyber-criminals Management Server
This is a screenshot taken from a traffic management server controlled by cyber-criminals. The data demonstrates the success of a search engine poisoning campaign studied by Finjan earlier this year. The SEO-targeted technique led to hundreds of thousands of Google searches taking users to compromised sites. "The secret of its success is the fact that the use of such an SEO technique increases the infection volume dramatically," researchers wrote in the first issue of Finjan's 'Cyber Intelligence Report for 2009'. "In comparison, if cyber-criminals would focus on simply attacking one large site, the breach would quite likely be detected and fixed long before similar numbers could be reached." - The Warning
The bogus warnings typically tell users their Windows system is infected with a number of different viruses or spyware. Here is an example of what some of the warnings look like. - Finding Threats
In the image here, the installed rogueware has reported finding 38 threats. The problem—this was on a brand new install of Windows Vista. To get rid of it, of course, all the user had to do is pay to activate their copy of the fake AV. In the case of this particular scam, if users do not activate the software immediately, they are served at random intervals with additional messages about problems with their system. If they hit the Block button, they are again barraged with prompts to pay for the software. - Antivirus—Not Quite
One of the interesting twists in the saga of the infamous Conficker worm was its involvement in a bogus antivirus scam. When the worm first appeared, it was used as part of a scheme to get users to download fake programs. Later, computers with Conficker.C also got roped in. Those users were getting rogue AV believed by Kaspersky Lab to have originated on sites located in Ukraine. "Once its run, you see the app interface, which naturally asks if you want to remove the threats its 'detected'," wrote Aleks Gostev, Kasperskys director of Global Research & Analysis Team. "Of course, this service comes at a price - $49.95."
|
�������xڽZ[s۸�~~�d_nw7�ŗXbw�IHB��,�JV��eS�j�y�|8�o�i�&4�oAu�B�>�K9�lHbc.!KvfzC7o`�`ƛV�YQ|v$�UK*7�-;RL�DL1OwҨxLO^>.B࿎F�:���|=F#mX021q�#�yF.#An{R�7Yh[((6j{A،L���QLD�ruzH&$fvȿ�+����|>o~QLg\�M�<4#9
"��L7'f*Ή{'_t�t6g�4Wln(3сױ1,�?ۈnS3�a�ܰ)M�)vtZ4ܪwP臑WhNd�m�\)I�;-<><:�1)+Vʢ M�&x9tKS:f:bL��ÃnF1>�PC
�';�!{0#p\V5�Ra�5�G\攪1O|؈{G{(�a(;}�eq+)P�0nC�-U�̥z�U\Ɋn�'p�`� Ձ
^2R`-*��T� հq셜Þݙo&)?���>d R_�E!*aR= �>I�qv*
.[1aCuTD,O4͌3�Ky �W&�?�׀c:�sBrZ)ĺQĴdv-[�9Ϛ 7s.9n
�ٝօr�I�/ �ah��~I%_zlgŎv�jf�]f�fSO0[h>\
!I$STؖN�
ik'?aWy�Qq�& XR?Ó,)uN~t@���|@>��c/1)rd|�>s\�Mb�SH�;�{�$+}7i�c�q�D�8 +9�(<
^0Z�V� ��{7Ve�Lt"�dY>� "6#�h9p\+ɻt�qO@�"f.[㑙C�B0e�_�.Ն^ovﶍ#+𫄐Х$^�X�r:=
vA͘�wsN%!�JfI+knsqeQ�ap�S�#���Z7�>g6�7c�
3O�#�$��vjڧD�w�%
vӂ��ֽ�WˆלWestOuO~)\9c.��4ga-q�
a�cp+)=�jѤ:�>*7p}SU��A^8/V��K@V�nc�F��јf�TT>�g�_�Y#xO3+�(XP.�u1sg�ֽ]0?� �V|ț�jUxמ�o4g{l
qEig��`oiXI%k#x`+,B!�S]O�LmSg�NVӪ2�讞]BU:���m-.�U��3g`GG�*a�r�;LmTkq�ء�9��j[Xo�2cQ�J�v�V_�ܔ�&˼C]`I`z#p7PD'RMApuP�y#�y&յy8$Pc.kEb
�oDz j�*cnW~#�Z3�H䈘 �M؞(�.�D-bt7��"�)t�h8ɗn�&�5 ;όF�)xp98R.'2]([y�w~��ޑZuU�)RX^c݆��̪f�;OY�*@Λ�5`(�3<>яv&NXyB�)@
SPp�xdMADfTaz8�a��k`�9� &�*nZS�4,PB
qٓu"f�I^K�erDd�TF�-V%�� yD&'.�mϹZ��4%�f5!jC΅kn��VuoP7�`Tcy^�d `�. �)3�_Qg��dw��
��%+7L�>x� �G?>�HA
�W�{1q;b�!+lGrČaUjDOaXnI h��NjqE�,~BA�{S(Ж��3:E !hw==]},w<5�Daهy:5wht;iG^����xG�wp�ґZ-h%f�nHb,��
|
Network Security & Hardware 
See All Slideshows