Fake AV Maturing Fast

By Matthew Hines  |  Posted 2008-12-05

The phony AV malware model continues to find popularity among attackers, as demonstrated by Sophos in a recent report tracking the twists and turns of one particular breed of the so-called "scareware" social engineering technique. With scareware, distributors of the programs convince end users to download malicious files disguised as security applications that actually include infections themselves.

As is the case with many scareware threats, the specific threat identified by Sophos' researchers also prompts users infected with the fake AV software to download additional programs to wipe the purported malware programs they find off their machines.

In addition to downloading even more malware onto the devices of people who fall for the attacks, the scareware programs also require users to pay for the phony cleansing programs, and steal their personal information and credit card data in the process.

The scareware example identified in the report was generated in Russia, according to SophosLabs, and has been dubbed FakeAlert/FakeAV by researchers. Sophos noted that the threat was originally uncovered by experts at SecureWorks.

Sophos claims to be following "a few dozen" sites that are currently selling such scareware attacks to other hackers, many of which are disguised as online shopping and bill payment applications.

The FakeAlert attacks themselves are being distributed primarily through adult sites, where user-built content infects users via phony multimedia player downloads or updates.

In its report, Sophos shows off all the various aspects of the attack-authoring system behind FakeAlert, including a fairly advanced GUI. Interestingly, if individuals attempt to access or buy the toolkit from IP addresses based in former Soviet States or China, the distribution sites cut them off before they can do so.

This specific FakeAlert iteration also offers tools that allow attackers to track performance statistics related to their efforts, such as just how many machines they've successfully infected.

Based on the metrics that researchers have been able to spy on, it would appear that it's easy for attackers to begin making hundreds of dollars per day once up and running, with many larger operations supercharging their work by distributing their threats via extensive affiliate networks.

Ironically, Sophos found that at least the site it has tracked that markets FakeAlert to other attackers goes to such great lengths to show off its usability, offering a series of screenshots detailing the features, that it was easy for the researchers to pinpoint the exact location of the operators and other details the criminals would likely prefer to keep hidden. The experts were even able to identify one individual behind the site through their ICQ chat information.

However, the company points out that even once it has identified someone responsible for distributing the program as part of an affiliate network, it remains hard to turn them over to authorities, or even get their site shut down.

"We are often being asked whether this activity is legal and if it can be stopped through legislation. The affiliate promotion mechanism surely makes it hard to assign blame to anyone specifically," writes Romana Ward of SophosLabs in the blog post detailing FakeAlert. "The webmasters who participate in the FakeAV promotion do not see it as a criminal activity: they simply direct the traffic from their adult sites somewhere else."

The fact that some of the phony AV threats actually include some real security functionality also makes it harder to stop such efforts, she said. A lack of global law enforcement standards, combined with the attackers' avoidance of local distribution, is another complicating factor.

"The group that writes the software and runs the business may have an excuse: some FakeAV software even contains rudimentary virus detection ability, which doesn't make it a real anti-virus program, but will sure make any sort of court battle more difficult," Ward said. "Finally, by not targeting the Russian audience, there is little chance of a lawsuit being opened based on complaints from outside of Russia."

So there you have it. Much like many other mature threat models, phony AV has become a sophisticated morass that will likely take years to untangle and slow down. Sweet.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.
