Rogue Antivirus Operations Thrive in 2009

There was no recession in the rogue antivirus industry in 2009.

According to Microsoft, four of the top 11 threats cleaned by its Malicious Software Removal Tool between Dec. 8 and Dec. 16 were tied to rogue antivirus software. Just how much damage the scareware rings behind these types of malware do to users' pocketbooks can only be estimated, but the FBI recently put the figure in excess of $150 million.

Earlier in the year, Symantec reported in a study of rogue antivirus operations that the top 10 sales affiliates for the distribution site TrafficConverter.biz averaged $23,000 per week in earnings during a 12-month period.

"In general, yes, Symantec has seen rogue security software as a malicious threat and money-making opportunity for criminals increase in popularity during the past year, although the number of campaigns may actually be decreasing as scareware vendors consolidate and some of the marginal players are squeezed out," said Marc Fossi, manager of R&D for Symantec Security Response.

According to Symantec, there were 43 million rogue antivirus installation attempts from more than 250 distinct samples between July 1, 2008, and June 30, 2009.

"In addition, of the top 50 most-reported rogue security software programs that were analyzed during that period, 38 of the programs were detected prior to July 1, 2008," Fossi said.

Typically, attackers use search engine optimization poisoning techniques to get users to visit sites pushing their wares. A recent example of this can be seen in the flurry of malicious search results tied to the death of actress Brittany Murphy. Attacks also take the form of malicious advertisements, such as the one that affected NYTimes.com visitors in September.

"These advertisements can be on both malicious and legitimate sites and they typically prey on users' fears of malicious code, claiming that if the ad is flashing, the user's computer may be at risk," Fossi said. "The ad will urge the user to follow a link that will supposedly provide the software to remove the threats. So, a user will click on the link and they will be taken to a site designed to market the rogue security software programs. These sites are designed to look as legitimate as possible so that users will be convinced that the products are authentic and will pay to download them in order to clean up their system."

Another method of attack is via a staged downloader that, once on a computer, downloads and installs other malicious code, he explained.

"One of the more popular methods of getting malicious code onto a victim's computer is through drive-by download attacks," he said. "A user would visit a site, even a legitimate site that an attacker has compromised, and then malicious code would be installed on their machine. In turn, that malicious code will install the rogue AV."

Typically, after the user has been tricked into buying the bogus software, it doesn't do much except sit there. However, there have been examples of rogue security software actually facilitating the installation of malicious code.

For example, bogus antivirus software distributed by Bakasoftware allows a remote user to connect to the computer through an administrative interface and download a bot called Cosma, SOCKS proxy or any other executable file, Fossi said.

"The continued prevalence of these programs emphasizes the ongoing threat they pose to potential victims despite efforts to shut them down and raise public awareness," he said.