From serving malicious ads to poisoning search engine results for recently deceased actress Brittany Murphy, rogue antivirus operations have been going strong all year long.
There was no recession in the rogue
According to Microsoft, four
of the top 11 threats
cleaned by its Malicious Software Removal Tool
between Dec. 8 and Dec. 16 were tied to rogue antivirus software. Just how much
damage the scareware rings behind these types of malware do to users'
pocketbooks can only be estimated, but the FBI recently put the figure in excess of $150 million.
Earlier in the year, Symantec reported in a study
of rogue antivirus operations
that the top 10 sales affiliates for the
distribution site TrafficConverter.biz averaged $23,000 per week in earnings
during a 12-month period.
"In general, yes, Symantec has seen rogue security software as a
malicious threat and money-making opportunity for criminals increase in popularity
during the past year, although the number of campaigns may actually be
decreasing as scareware vendors consolidate and some of the marginal players
are squeezed out," said Marc Fossi, manager of R&D for Symantec
According to Symantec, there were 43 million rogue antivirus installation
attempts from more than 250 distinct samples between July 1, 2008, and June 30, 2009.
"In addition, of the top 50 most-reported rogue security software
programs that were analyzed during that period, 38 of the programs were
detected prior to July 1,
2008," Fossi said.
Typically, attackers use search
engine optimization poisoning
techniques to get users to visit sites
pushing their wares. A recent example of this can be seen in the
flurry of malicious search results tied to the death of actress
Attacks also take the form of malicious advertisements,
such as the one that affected
"These advertisements can be on both malicious and legitimate sites and
they typically prey on users' fears of malicious code, claiming that if the ad
is flashing, the user's computer may be at risk," Fossi said. "The ad
will urge the user to follow a link that will supposedly provide the software
to remove the threats. So, a user will click on the link and they will be taken
to a site designed to market the rogue security software programs. These sites
are designed to look as legitimate as possible so that users will be convinced
that the products are authentic and will pay to download them in order to clean
up their system."
Another method of attack is via a staged downloader that, once on a
computer, downloads and installs other malicious code, he explained.
"One of the more popular methods of getting malicious code onto a
victim's computer is through drive-by download attacks," he said. "A
user would visit a site, even a legitimate site that an attacker has
compromised, and then malicious code would be installed on their machine. In
turn, that malicious code will install the rogue AV."
Typically, after the user has been tricked into buying the bogus software,
it doesn't do much except sit there. However, there have been examples of rogue
security software actually facilitating the installation of malicious code.
For example, bogus antivirus software distributed by Bakasoftware allows a
remote user to connect to the computer through an administrative interface and
download a bot called Cosma, SOCKS proxy or any other executable file, Fossi
"The continued prevalence of these programs emphasizes the ongoing
threat they pose to potential victims despite efforts to shut them down and
raise public awareness," he said.