Diving Deep on Fake AV

By Matthew Hines  |  Posted 2009-10-21

Phony anti-virus programs that prey on people's security concerns in order to install malware on their endpoints have been a major issue for several years now, and they show few signs of fading from widespread use.

And according to a new, in-depth report on the subject published by security software giant Symantec, the groups behind the marketing and distribution of the AV-themed threats only continue to grow more advanced and aggressive.

During the period stretching from July 1, 2008, to June 30, 2009, Symantec said it received reports of some 43 million rogue security software installation attempts, involving just 250 distinct samples of the attacks it had been tracking.

"The continued prevalence of these programs emphasizes the ongoing threat they pose to potential victims despite efforts to shut them down and raise public awareness," researchers noted. "The perpetrators of these rogue security software scams are well-equipped to prey on Internet users. Many of these scams are very lucrative and appear to be run by highly organized groups or individuals who maintain an effective distribution network bolstered by multi-level marketing efforts."

The many distribution models used by attackers delivering phony AV threats include traditional means such as spam, Web pop-up and banner advertisements, and search engine results. A number of campaigns, however, have now shifted to target users of online forums, social networking sites, and newer phenomena such as Twitter and URL shortening services, experts said.

As with other popular malware delivery techniques, phony AV has become such a popular vehicle that researchers are now even seeing hard-fought competition between rival groups of attackers, with some scams advertising that they will remove rebranded versions of the same misleading application, or versions distributed by others.

"This often occurs once a rogue application becomes prevalent and other scam distributors advertise (misleading) applications that purport to remove the now widespread application," researchers said in the report. "Scam perpetrators seem unconcerned with creating the illusion of a trustworthy brand identity, but instead try to capitalize on the potential confusion resulting from the distribution of numerous rogue security products with similar names and interfaces."

So bad guys are trying to ride on the coattails of other bad guys who are themselves trying to take advantage of the success of other bad guys. I think we can safely say that online security has become something of a mess!

Some of the other conclusions of the report included findings that:

- Some 93 percent of the top 50 most prevalent rogue security applications were distributed as voluntary downloads.

- Another 93 percent of scams in the top 50 most prevalent rogue security applications were advertised through dedicated Web sites.

- For rogue security application scams to be successful, the software must be advertised to potential victims. The software must also be reliably hosted in a location where it is available for download.

- Many fake AV GUI templates and cloning techniques are used to help these scams evade detection and be quickly rolled out anew.

- Complicated affiliate networks are in place to organize scam distribution and provide incentives for distributors.

- Malicious advertisements for these scams are often distributed on legitimate Web sites.

Follow eWeek Security Watch on Twitter at: eWeekSecWatch.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.
