Conficker Scareware Scammers Use Symantec as Lure

Scammers are using Symantec's name as part of a ploy to lure those panicked by the Conficker worm into buying fake anti-virus. Meanwhile, vendors such as IBM are stating the number of infections may be higher than they thought.

Scammers are continuing their efforts to exploit public fears over Conficker, this time with promises of protection via a product made to look similar to Symantec's Norton Antivirus 2009.

Attackers have been blasting out e-mails that mention the names of Symantec executives talking about the worm and linking to a Website that uses the name "AntiVirus 2009." The Website also compares the software it is selling to well-known products from companies such as Kaspersky Lab and AVG Technologies.

The e-mails - which also include a "product activation code" - feature phony messages such as this one: "???It???s definitely serious,??? Kevin Haley, director of security response at Symantec, said of the virus thought to be embedded in millions of network computers across the globe."

"After clicking on the link inside the message, we find that it redirects to a Website where the user is promptly given directions on how to make a payment," blogged Mayur Kulkarni of Symantec Security Response. "Whether or not any product will be made available after the payment is made is still unknown at this point. Even if it were, its effectiveness would be questionable because it will most likely be a rogue application or pirated software."

More figures about the number of Conficker infections are leaking out, though exact numbers remain elusive. Estimates from various security pros have put the number of infections from around 1.3 million to several million more.

Yesterday, IBM's Internet Security Systems (ISS) division reported that it detected the worm on 4 percent of the IP addresses it monitored. IBM officials, however, cautioned against applying those numbers to the overall situation across the world.

"I want to list just a few more caveats so that everyone out there can understand these numbers and interpret them in an appropriate way," blogged Holly Stewart, threat response manager for IBM's ISS X-Force. "First, our count is based on distinct IP address. Most personal computers these days use DHCP, which means that their IP address can change every time they connect to a network."

"For this reason, some of the hosts are most certainly counted more than one time in our numbers," Stewart explained. "On the other hand, many infected computers may be behind NAT devices, and in those cases multiple infected computers may only be counted a single time in our numbers."

The presence of removal and detection tools and the efforts of the research community are believed to have impacted the worm's growth. Users looking for tools to fight the worm are advised to go directly to the vendor Websites or to known, trusted sources.