Misleading application, rogue software, fake AV: call it what you will, it’s everywhere. The authors of these applications are pumping them out by the hundreds, fooling many Internet surfers, and in the process they’re making big bucks out of it. In fact, as many of our readers will be well aware by now, it is the focus of a white paper Symantec has just released entitled Symantec Report on Rogue Security Software.
So if there are so many of these things, why should one called Windows Enterprise Defender be any different from the rest? Firstly, it tries to pass itself off as Windows Defender, which is a legitimate security product released by Microsoft. Obviously the name is similar but so is the GUI:
Misleading applications, also known as rogue applications, have always tried to lure users into their traps by using various techniques such as fake security scans, misleading task bar notifications, popup windows, etc. To take this to a new level, developers of these applications are now frequently changing the product name and its associated website name in order to mislead users and antivirus vendors. Clones of the same product—with different names—continue to appear almost every day. Earlier this week Symantec published its Report on Rogue Security Software, which discusses misleading apps in greater detail. A couple of examples of rogue security software are given below. We identify one such family of rogue or misleading applications as WiniGuard:
Rogue security software programs, also known as misleading applications or scareware, are programs that pretend to be legitimate security software, such as an antivirus scanner or registry cleaner, but which actually provide the user with little or no protection whatsoever. Well known examples of rogue security software include AntiVirus 2009, Malware Defender 2009, and System Guard 2009.
The recently published Symantec Report on Rogue Security Software includes a discussion on a number of servers that Symantec observed hosting these misleading applications from July to August 2009....
The Symantec Report on Rogue Security Software includes an in-depth analysis of the methods scammers use to distribute rogue security applications. This blog presents some of the highlights of the research into the distribution of these scams.
In the report, the following distribution and advertising trends were observed:
• Ninety-three percent of the top 50 most prevalent rogue security applications were distributed as intentional downloads. This means that victims are tricked into believing they are downloading legitimate security software and subsequently installing the rogue application.
• Seventy-six percent of the top 50 most prevalent rogue security applications were classified as unintentional downloads. This means that the software may be installed unintentionally through drive-by downloads or...
Rogue security software scams are everywhere these days. The numbers are quite staggering—over 250 distinct programs racking up 43 million installation attempts, according to our new Report on Rogue Security Software.
Still, when it comes down to functionality and code base, it’s more akin to a few people with really large wardrobes. There might be dozens of variations of the same underlying program, each receiving minor updates and a new software skin. They even use the same fake threat names when attempting to scam you—stuff like “Spyware.Monster” or “Spyware.IEmonster”.
Ultimately what we’re looking at is variety in graphic design rather than functional design. We’ve put together a video to show just that. Our report calls these threats Antivirus200X—a “family” of rogue security...
Given their financial motivations, the distributors of rogue security software scams need to affect a broad number of potential victims. Getting the program onto a victim’s computer is a critical step in rogue security software scams and the scammers use a variety of techniques to do so. While some rogue security software programs rely on just a few specific techniques to achieve this, many of them incorporate multiple techniques to improve the odds of success. The distribution techniques for rogue security software programs can be simplified into two groups: installation methods and advertising methods.
The installation methods for rogue security software can either be intentional or unintentional. Scammers who persuade victims that they need the rogue software to address security concerns lure the victims into downloading the software intentionally. This is a common approach to rogue security software installation that was used by 93 percent of the top rogue security...
In the 80’s I lived in NYC. At the time, enterprising hustlers had re-introduced the old Three Card Monte con game to NYC streets. Like wide ties and frozen yogurt shops, Three Card Monte always seemed to come back into fashion. Before you knew it, the streets were full of grifters running games. Whole blocks would be lined with these low-rent con men, standing behind cardboard boxes, tossing cards and asking the suckers to put their money on the red queen.
How could there be that many bad guys running Three Card Monte scams at one time? Well, there was plenty of money to be made, and it drew the criminal element like flies to honey. Grifters were making a lot of money at the con and every two-bit chiseler wanted their own piece of the action. Plus, there was very little needed to get in on the scam. The barrier to entry was low. You only need three playing cards, a couple of cardboard boxes for a...
Every day when I walk into work I’m greeted by an avalanche of data on new malware and Internet scams. The numbers in the last few years have been staggering. And when you think about the people behind the numbers it can get quite sad—people who’ve had their computers taken over, been scammed, stolen from, and just plain abused by cyberthiefs. It can get to you. A lot of days I don’t feel so good. Today I feel better. The FBI just announced they will arrest nearly 100 people involved in a phishing scheme.
The FBI calls it Operation Phish Fry. Operation Phish Fry means that someone in the FBI loves a bad pun. But the important thing is it means that a whole bunch of bad guys are going to jail. It’s not going to eliminate all phishing attacks (we detected 55,389 phishing Web site hosts in 2008 alone). But this latest move takes a lot of bad guys off the Internet and...
Despite the recent economic downturn, phishing and spam scams are still profitable for attackers, possibly because phishers are able to quickly target their scams to match prevailing attitudes. For instance, phishers are enticing potential victims with lures that spoof well-known financial institutions and which promise easy access to low-interest loans and credit. Spammers are also attempting to use the uncertainty of the financial situation to their advantage. While it might be expected that spam offering stock market tips or other financial opportunities would drop off during a period of market uncertainty, it is likely that such a drop-off would be balanced out by an increase in spam offering such recession-related enticements as low-interest loans and easy access to credit.
Many phishing attacks that spoof financial services brands prompt users to enter credit card information or banking credentials into fraudulent sites. If this ruse is successful, phishers can then...
A driving force behind the growing speed and efficiency of malicious code development is the demand for goods and services that facilitate online fraud. This is demonstrated by the flourishing profitability of confidential information sales in the online underground economy. For example, one person who was arrested for computer related credit card fraud in 2008 had possession of a condominium, a luxury vehicle, and over 1.6 million dollars in cash, among other valuable goods. All of which were presumably obtained by fraudulent means.
Malicious code that exposes confidential information is of particular value because the information is critical to several illegal practices, such as identity theft and credit card fraud. In many instances, well-organized programmers are developing this code on a large scale, much as how development occurs in a legitimate software enterprise. The confidential information obtained by the malicious code is then used for fraud or advertised for...
The prevalence of Web-based applications and the ease of which these applications can be exploited using vulnerabilities have contributed to the widespread nature of Web-based attacks. Attackers can successfully reach and compromise a massive number of targets, and this remains as the source of motivation behind Web-based attacks. Attackers who wish to take advantage of client-side vulnerabilities no longer need to actively compromise or break into specific networks to gain access to those computers. Instead, by attacking websites, attackers can use them as means to mount client-side attacks.
An attacker can exploit any number of Web application vulnerabilities, such as SQL injection vulnerabilities, to help mount their Web-based attack. Surprisingly, many of these vulnerabilities are not used to directly compromise enterprise data assets or gain access to sensitive information. They are used simply as a way of injecting malicious content into websites as a means of...
As we talk to enterprise and consumer customers, we are finding that many don’t understand the risks of the Internet today, why their computers have been compromised, or how the threat landscape has really changed. The fact that simply visiting your favorite website can either lead to malware silently being installed on your computer without ever clicking on anything, or being plagued by misleading applications, such as fake antivirus software, seems to be a surprise to many users and IT managers alike.
The newly released Symantec Report on the Underground Economy discusses a number of topics, including the supply and demand of goods and services that were advertised for sale in the underground economy. This information was gathered by monitoring various IRC channels devoted to the commerce of these good and services. In particular, I’d like to highlight some of the things we observed in analyzing the trade in malicious tools.
One of the things we observed is that the underground economy is self-sufficient. What this means is that the tools necessary to produce goods and services are also available for sale in the underground economy. This indicates that the market has matured enough that productivity gains can occur through the division of labor; i.e., the economy makes it viable for individuals to increasingly specialize in the tasks they excel at. This is where...
The online underground economy has evolved into a full-fledged marketplace where participants advertise and traffic stolen information, provide services to aid in the use of this information, and perform other illegal activities. Like any market-based economy, it is governed by the laws of supply and demand and, given enough supply, the goods available for purchase are virtually limitless.
As stated in the Symantec Report on the Underground Economy, credit card information was the most popular category of goods and services available for sale, accounting for almost one-third of the total observed. This category included credit card numbers, CVV2 numbers, expiry dates, and credit card dumps. (The CVV2 number is a three- or four-digit number on the credit card and is used for card-not-present transactions, such as Internet or phone purchases. This number helps to verify that...
One topic of discussion in the recently released Symantec Report on the Underground Economy is software piracy. Software piracy occurs primarily in two basic forms: physical counterfeiting and file sharing. Counterfeiters create unauthorized physical copies of software intended for sale as legitimate products (though often the attempt to create a realistic valid copy is minimal). The motivation of counterfeiters is typically financial gain, and customers who know that the software is counterfeit are likely trying to save money. In contrast, piracy by means of file sharing—whether by copying a disc for a friend, uploading files using a peer-to-peer (P2P) application, or some other means—is not typically profitable for the people who share the files. The advent of rapid P2P file-sharing protocols has provided a readily available means for people to distribute and obtain...
...
