Researchers Warn of Fake Anti-Spyware

Anti-virus vendor Finjan reports an increase in "ransomware" and cautions users not to download unfamiliar anti-spyware products that could actually harbor attacks.

The latest report issued by Finjans Malicious Code Research Center highlights the growth of several emerging breeds of cyber-attack, including the increasing popularity of so-called "ransomware" and viruses that are being spread via fake anti-spyware applications.

The anti-virus software makers research arm said in its Web Security Trends Report, issued on May 16, that the growth of "rogue anti-spyware" and the emergence of hackers looking to hold stolen corporate data up for ransom are two of the fastest growing trends in the security threat landscape.

In general, virus rootkits continue to pose one of the most prevalent and challenging obstacles for IT administrators to overcome, according to the study.

Mirroring a trend that surfaced in the anti-virus community several years ago, the rise of rogue anti-spyware takes advantage of the publics growing fear of spyware, said officials of Finjan, headquartered in San Jose, Calif.

In these attacks, hackers disguise the malware in programs advertised online as free anti-spyware applications. Once downloaded onto a users computer, the applications may deliver their own payloads of malicious code or expose affected machines to subsequent attacks.

In some cases, said Yuval Ben-Itzhak, chief technology officer at Finjan, the false anti-spyware tools even run fake computer security scans that claim to find existing spyware programs on infected devices. The software then directs the computers user to a Web site where the user is encouraged to purchase a full version of the free application already on the PC.

/zimages/6/28571.gifTodays hackers code for cash, not to create chaos. Read more here about how hacking has become a business.

"The awareness of the average end user about spyware has increased, so dishonest people are trying to take advantage of that," Ben-Itzhak said. "There are also underground networks where this sort of code is being sold to anyone who wants it. Im not sure whos paying for it, but its being made widely available."

The maturation of the spyware industry to the point where attacks can outwardly appear to function just like the tools meant to fight them is just another piece of evidence of the increasing sophistication of the hackers creating such threats, he said.

As another sign of hackers growing professionalism, Finjan officials pointed to the increasing frequency of ransomware attacks, in which hackers take over files on a specific computer and offer to unlock them only in exchange for some sort of payment. The programs typically scour a computers hard drive looking for specific keywords that might denote documents containing personal or financial data.

In one recent case cited in the Finjan report, hackers used a spyware program known as CryZip to demand an electronic payment of $300 in order to release the data. The spyware uses archive software to create a password-protected archive on the infected computers that includes the files being taken hostage.

/zimages/6/28571.gifFor advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

In order to collect, the program leaves a text message on the infected machines explaining what has been done and warning victims not to involve the police. The victim is promised a password with which to gain access to the archived files after the ransom is paid.

Another version of the program installs an annoying message on infected computers during their startup cycle that demands payment for its removal.

"For an experienced end user, something like this might pretty easy to get rid of, but the average user, especially at home or in a small business, isnt familiar enough to do anything about it," Ben-Itzhak said. "Its more evidence of the shift from kids who launch attacks because they want to shut down your machine, to criminals who want to keep it connected to the Web so they can continue to make money off of you."

/zimages/6/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.