Over 250 fake security software programs are scattered across the Web, each contributing to the roughly 43 million rogue installation attempts made on worldwide PCs since July 2008, according to a new Symantec Corp. report.
The study, which tracked malicious security software activity from July 2008 to July 2009, also found nearly 200,000 domain names associated with these rogue applications. While some users are infected unknowingly, through what Symantec referred to as “drive-by downloads,” most infected users are actually spending anywhere from US$30 to $100 purchasing the fake software and installing it on their computers.
Marc Fossi, manager of security response at Symantec’s Calgary offices, said the most surprising observation to come out of the study was how realistic looking the rogue security software has now become. One malicious security app, Antivirus 2009, looks almost identical to Windows Security Center, he said.
“Even the way they design their Web sites,” Fossi said. “They use the same colours and fonts that the legitimate anti-virus software vendors use.”
The makers behind another fake security program, SpywareSecure, were even more devious, he said.
Once the software became well-known as a rogue anti-virus program, most of the top Google search results for “SpywareSecure” were filled with pages claiming to remove the malicious software. Many of these removal techniques involved downloading even more fake security software.
“Basically you have rogue anti-virus apps claiming to remove other rogue anti-virus apps,” Fossi said.
The distributors for these rogue security programs lure cyber criminals (known as affiliates) to help them spread the malicious software. One of the largest distribution sites discovered by Symantec was TrafficConverter.biz, which claimed its affiliates were earning up to US$332,000 a month for installing and selling fake security software.
Fossi said that the install rates these affiliates could earn varied by country. In Canada, the payout averaged 52 cents per installation, compared with 55 cents for U.S. users.
“Some of the distributors had luxury cars very prominently displayed on their pages listed as prizes,” he said, adding that Symantec could not confirm whether any of those prizes were actually delivered to affiliates.
Enterprises are at risk as well: rogue security software can reach corporate machines through pop-up ads. According to Fossi, educating staff on the differences between “scareware” and legitimate anti-virus software pop-ups is crucial for IT managers.
He added that blocking Internet sites that spread these programs is very tricky, because the software is often hosted by legitimate Web hosting providers. “Also, the domains are frequently moved from one IP address to another,” he said. “Once the domain registration expired, many of these domains would go back to the hosting providers’ parking sites.”
By blacklisting these sites, you might actually be blocking access to a multitude of legitimate sites, Fossi added.
According to James Quin, a senior research analyst with Info-Tech Research Group Ltd., a lot of the risk enterprises face from these threats is related to the permissions that their users have for their devices.
“In many cases enterprise users do not allow their users full administrative access to their devices,” he said. “Much of the software that falls into this category will try and install itself via a hidden process. Controlling permissions can help mitigate this.”
Quin also said that organizations should implement technologies to monitor and manage access. Even though content filtering tools will never be perfect, they can definitely make things easier for enterprises by minimizing exposure.