[ISN] Rogue anti-virus takes off

From: InfoSec News <alerts_at_private>
Date: Fri, 11 Dec 2009 04:19:40 -0600 (CST)
Forwarded from: Simon Taplin <simon.taplin (at) gmail.com>

http://www.itweb.co.za/index.php?option=com_content&view=article&id=28736

By Kirsten Doyle
ITWeb portals editor
8 Dec 2009

Scareware, fake anti-virus (AV) programs that alarm users into thinking 
their machines are infected, is on the rise.

So says Sergey Golovanov, senior malware analyst, non-Intel research 
group manager at Kaspersky Lab, during an interview at the company's New 
Horizons media tour. These programs are widespread and are being used by 
cyber criminals more and more. To date, the company has seen around 320 
families of fake AV. 

The security giant discovered around 3 000 rogue AV programs in the 
first half of last year. The same period of 2009 saw over 20 000 samples 
being identified. Kaspersky Lab discovers between 10 and 20 new programs 
of this kind every day. A few years ago, a new program of this type only 
appeared once every two days.


Distribution techniques

Golovanov says scareware ends up on victims' machines in much the same 
way as malware. A Trojan-downloader can covertly download such programs, 
or vulnerabilities in compromised or infected sites can be exploited to 
perform a drive-by download.

He says, however, that these programs are usually downloaded by users 
themselves, as cyber criminals use dedicated programs or adverts to con 
users into doing this.

Internet advertising and spam are other methods used by criminals to 
distribute scareware. Many sites, even legitimate sites, host banners 
advertising a product that claims to solve all sorts of malware issues. 
In addition, when surfing the Internet, a user may also find pop-ups 
appearing in the browser window offering a free anti-virus download.


Clever imitations

According to Golovanov, rogue AV carefully mimics genuine programs. The 
programs will run a scan and then display a sequence of messages: 
notifications of an error, followed by a message claiming that malware 
has been found on the system. Following this, it will pop up a message 
offering the user the opportunity to install an anti-virus program to 
deal with the malware, at a price of course.

Once a free trial version that allegedly detects, but does not fix, the 
malware problem has been downloaded, a message is displayed saying the 
full version should be activated at a cost. These programs often appear 
very genuine, as the more people are conned, the more money ends up in 
the pockets of cyber criminals.

According to Kaspersky Lab, these programs often use the same mechanisms as 
polymorphic worms and viruses to combat AV solutions. The main body of 
the program is encrypted to conceal strings and links. To ensure the 
program runs correctly, dynamic code within the file decrypts the body 
of the malware prior to the payload being delivered.


How to protect

Although fake infections do not damage the victims' machines, cyber 
criminals are using these programs to extort money from novice users. 
Golovanov advises that legitimate programs designed to combat malware will never 
first scan a computer and then demand money for activation. Be aware 
that you should never pay for a product which does this.

He urges users to click only on messages from a legitimate AV solution 
installed on the PC, and ignore any warning messages that pop up 
randomly while surfing the Internet.


Received on Fri Dec 11 2009 - 02:19:40 PST
