Posts Tagged ‘fake antivirus’

Fake antivirus now hijacks, blocks computers

October 20th, 2009, by editor

Panda Security’s anti-malware laboratory has identified a new, more aggressive trend for selling fake antivirus programs or rogueware. Until now, when a computer was infected by this type of malware, users would typically see a series of warnings prompting them to buy a pay version of the program. Now, these technologies are being combined with ransomware, hijacking the computer and rendering it useless until victims complete the purchase.

“The way this rogueware operates presents a dual risk: firstly, users are tricked into paying money simply in order to use their computers; and secondly, these same users may believe that they have a genuine antivirus installed on the computer, thereby leaving the system unprotected,” explains Jeremy Matthews, head of Panda’s sub-Saharan operations.

Once a computer is infected, any attempt made by the user to run a program or open a document will be frustrated. The only response from the computer will be to display a message falsely informing the victim that all files are infected with the only solution being to buy the fake antivirus.

This fake program, called Total Security 2009, is offered for €79.95 (almost R600). Victims are also offered ‘premium’ tech support services for an additional €19.95 (about R150). Users that pay the ransom will receive a serial number, which, when entered in the application, will release all files and executables, allowing them to work normally and recover their information. The fake antivirus however, will remain on the system.

“Users are often infected unknowingly – in most cases, through visiting hacked websites, and once a computer is infected it is extremely difficult to eliminate the threat, even for those with a certain degree of technical knowledge,” says Matthews. “Users are also prevented from using any type of detection or disinfection tool, as all programs are blocked. The only application that can be used is the Internet browser, conveniently allowing the victim to pay for the fake antivirus.”

For this reason, Panda has published the serial numbers required to unblock the computer if it has been hijacked on the PandaLabs blog. Users can then install genuine security software to scan the computer in-depth and eliminate all traces of the fake antivirus.

PandaLabs recently published a report about the lucrative business of rogueware. The shift towards hijacking computers indicates either that users are becoming more adept at recognizing these threats or that security companies are beginning to close the net. This would explain why hackers are becoming more aggressive in the methods used to force victims into paying. The PandaLabs report is available here.

The serial numbers and a video demonstrating how this scam operates are available on the PandaLabs blog.

Panda report reveals thriving rogueware economy

August 13th, 2009, by editor

Panda Security’s malware analysis and detection laboratory has released a comprehensive study on the proliferation of rogueware into the cyber-crime economy.

Rogueware consists of any kind of fake software solution that attempts to steal money from PC users by luring them into paying to remove nonexistent threats. Panda predicts that it will record more than 637,000 new rogueware samples by the end of Q3 2009, a tenfold increase in less than a year. Approximately 35 million computers are newly infected with rogueware each month (approximately 3.5% of all computers), and cyber-criminals are earning approximately $34 million per month through rogueware attacks.

“The Business of Rogueware”, Panda’s report, reviews the various forms of rogueware that have been created, and shows how this new class of malware has become an instrumental player in the overall cybercriminal economy. The study also provides in-depth analysis of the increasingly sophisticated social engineering techniques used by cyber-criminals to distribute rogueware via Facebook, MySpace, Twitter and Google.

In early 2009, social media sites such as Facebook, MySpace, Twitter and Digg became large targets for rogueware distributors. The top five social media attacks involving rogueware are:

1. SEO attack against Ford Motor Company

2. Comments on Digg.com leading to rogueware

3. Twitter trending topics lead to rogueware

4. Rogueware exploits WordPress vulnerability to facilitate Blackhat SEO attack

5. Koobface moves to Twitter

“Rogueware is so popular among cyber-criminals primarily because they do not need to steal users’ personal information like passwords or account numbers in order to profit from their victims,” says Jeremy Matthews, head of Panda’s sub-Saharan operations. “By taking advantage of the fear in malware attacks, they prey upon willing buyers of their fake anti-virus software, and are finding more and more ways to get to their victims, especially since popular social networking sites have become mainstream.”

Rogueware morphs quickly and proves difficult to detect

There are approximately 200 different families of rogueware, and Panda expects the variations to continue to grow. In the first quarter of 2009 alone, more new strains were created than in all of 2008. The second quarter painted an even bleaker picture, with the emergence of four times as many samples as in all of 2008. In Q3, Panda forecasts a rogueware total greater than the previous eighteen months combined.

The primary reason for the creation of so many variants is to avoid signature-based detection by (legitimate) antivirus programs. The use of behavioural analysis, which works well with worms and Trojans, is of limited use in this type of malware because the programs themselves do not act maliciously on computers, other than displaying false information. However, Panda Security has started to identify more advanced malware variants that are using typical Trojan features, rootkits and other techniques to subvert virus detection technologies.

How the rogueware business works – and tracking the source

The Panda report details how the rogueware business works. The rogueware business model consists of two major parts, programme creators and distributors (affiliates), not unlike a traditional business. The creators are in charge of making the rogue applications and providing the distribution platforms, payment gateways and other back-office services. The affiliates are in charge of distributing the rogueware to as many people, and as quickly, as possible.

Panda’s research reveals that the affiliates are mostly Eastern Europeans recruited from underground hacking forums. They earn a variable amount per install and commissions of between 50 and 90 percent on completed sales. The Panda report includes financial statements and photos from events hosted by the leaders of these organizations that are not dissimilar to corporate sales events.

To read the full report, click here.

For real-time updates on Panda’s research, follow @Panda_Security

Cyber-crooks use Facebook to drive rogue anti-malware business

May 14th, 2009, by editor

According to global IT vendor Panda Security, the 56th variant of the Boface family of worms has just appeared. Each of these variants has been designed especially to use Facebook to distribute and download malware. This is largely due to the enormous global popularity of this social network and the potential it offers for reaching numerous users. The BJ variant in particular uses Facebook to download and install rogue anti-malware and trick users into believing they are infected and consequently buy a fake antivirus.

Data compiled through the free Panda ActiveScan online scanner has shown that since August 2008, 1% of all computers scanned were infected by a variant of Boface.

“Extrapolating this data in line with the number of Facebook users (approximately 200 million), we arrive at a figure of 2 million users that could be infected,” says Jeremy Matthews, head of Panda’s sub-Saharan operations. “The increasing number of variants in circulation is due to the aim of cyber-crooks to infect as many users as possible and therefore boost their financial returns”.

Almost 40% of these infections are in the United States, with the rest distributed across many different countries. The number of infections observed for this type of malware since August 2008 indicates an exponential growth rate as high as 1,200% when comparing April 2009 with August 2008.

The rogue anti-malware business is one of the most prolific cyber-crime activities, with respect to the number of examples in circulation. Panda forecasts quarterly growth of more than 100% for the current year.

The new variant: how it works

The new Boface.BJ worm reaches computers in several ways: email messages with attachments, internet downloads, files transferred via FTP, IRC channels and P2P file-sharing networks.

Once the computer has been infected, the worm kicks into action when the user logs into their Facebook account. At that moment, it sends a message to the user’s entire network of friends, including the infected user. Anyone clicking on the link in the message will be taken to a fake YouTube page (called “YuoTube”) where they will supposedly be able to see a video. However, they will first be prompted to download a media player. If the user accepts, the fake antivirus will be downloaded immediately.

From the moment it is installed, this malware will launch messages claiming that the computer is infected and that the user must buy a solution.

Given the viral nature of social networks like Facebook, it is fair to assume that this message will spread exponentially, leading to very high infection rates.

“Users of social networks like this normally trust the messages they receive, so the number of reads and clicks is often very high,” says Matthews. “Clearly, in addition to the security measures of the social network itself, users have to take on board certain security and personal privacy basics, to avoid falling victim to fraud and contributing to its propagation.”

To prevent this type of fraud, Panda Security offers the following advice:

1) Don’t click suspicious links from non-trusted sources. This applies to messages received through Facebook, other social networks and also email.
2) If you do click on any such link, check the target page carefully (in this example, it is clearly a fraud). If you don’t recognize it, close your browser.
3) Even if you don’t see anything strange on the target page, if you are asked to download something, don’t accept.
4) If, however, you have still gone ahead and downloaded and installed some type of executable file, and your computer begins to launch messages saying that you are infected and that you should buy an antivirus, this is very probably a fraud. Never enter your credit card details, as you will be putting your money at direct risk. And above all, make sure you get a second opinion on the security of your system, with any reliable free online security solution such as Panda ActiveScan.
5) As a general rule, make sure your computer is well protected, to ensure that you are not exposed to the risk of infection from any malicious code. You can protect yourself with the new, free Panda Cloud Antivirus solution.

Fake AVs lure victims using Ford as a bait

May 11th, 2009, by editor

Panda Security’s antimalware laboratory has revealed that cyber-crooks are exploiting the current upheaval in America’s motor industry by launching a black hat SEO (Search Engine Optimization) attack using the name of embattled American car manufacturer Ford Motor Co. as bait to distribute malware on the Internet. The IT security vendor has discovered 1.2 million results in searches related to Ford which point to these malicious pages.

“If users searching for information about Ford click one of the malicious results, they are taken to a webpage in which it seems as if they are about to see a video,” explains Jeremy Matthews, head of Panda Security’s sub-Saharan operations. “If they try to watch the video, they will be prompted to download another program. This program, however, is really a fake antivirus. Panda has detected two fake antivirus programs that are distributed in this way: MSAntiSpyware2009 and Anti-Virus-1.”

These fake antiviruses are designed to make users believe that their computers have been infected by malware. They do this by simulating a scan of the system and supposedly detecting malware. Users are then offered the chance – through pop-ups and banners – to buy the pay version of the fake antivirus to clean their computers. If they don’t buy it, the malicious code will prevent the computer from operating properly in an attempt to force users into buying the product.

Over the last year, this type of malware has increased significantly. According to data from Panda, the number of variants of fake antiviruses has increased one hundredfold between the first quarter of 2008 and the corresponding period in 2009. In fact, in the first three months of 2009 no less than 111,086 new strains of fake antiviruses were detected – 20% more than in the whole of 2008.

“What’s interesting about this attack, however, is that this is one of the only black hat SEO attacks to focus on a single brand,” concludes Matthews.

Watch a video describing the infection process here.

For more information about this infection, go to the PandaLabs blog.


Blackhat SEO fuels rogue security campaign

March 25th, 2009, by editor

In our previous post, we looked at SEO being used by cyber-crooks to distribute malware – especially fake antivirus. In this post we look at a specific example of this happening: Rogue Anti-Malware from Pandora Software.

Blackhat SEO is a method used by criminals to trick search engines into displaying their content ahead of other, legitimate sites. You can learn more about it here. Below is an example of one of the hijacked searches:

Accessing the link redirects the victim to the rogue anti-malware site, which then prompts the user to download and install the malicious software, as shown below:

Sample hijacked search terms include the following:

Cinderella Full Story In Script
Swollen Throat Rash Chest Pains Symptoms
Body Aches All Over And Extreme Fatigue
Candy Bar In Illustrator
Humerous Marriage Definitions
Art Ideas For Babies
Possesive Worksheet
Free Online Scan Malware
Proxy Which Allows Java
Cd Key Do X Blades
Swollen Lymph Nodes And Dry Cough
How To Write Law In Graffiti
Index Of Best Songs
Keys Of Digi Tv
Free Space Crafts For Preschoolers
Execution Of Women Video
Labeled Diagram Of A Foot
Facebook Skins Free
Ear Infections And Sore Muscles

Post by Sean-Paul Correll, PandaLabs.

Cyber-crooks manipulate Google searches to sell fake antivirus products

March 23rd, 2009, by editor

Panda Security has revealed that cyber-criminals are manipulating search engine results to distribute malware, in particular, fake antivirus products.

‘The reason for this is simple – the criminals need to attract users to malicious sites in order to infect them,’ says Jeremy Matthews, head of Panda’s sub-Saharan operations. ‘What’s new, however, is the inventive ways they are drawing users to these Web pages.’

In the past, users were lured to compromised websites by means of mass spam mailings. Targeted users read the emails, clicked on the links they contained and were unwittingly directed to a malicious Web page. Now there is a change in strategy: because users are more wary of messages received from unknown senders, criminals are using more effective ways of ensnaring new victims. They are using a Google tool called Google Trends which, among other things, lists the most popular searches of the day (anything from Obama’s inaugural address to the Oscar nominations).

Once they know the top searches and hot topics of the day, they create a blog full of the most-searched-for words (e.g. Obama, Penelope Cruz, etc.) and videos supposedly related to these topics. This way, they raise the blog’s ranking and place it among users’ first search results.

“Users who trust these results will end up on a Web page where they will be asked to download a codec or plug-in, etc. in order to watch the video. If they do so, they will be downloading malware – in most cases a fake antivirus,” explains Matthews.

Fake antiviruses try to pass themselves off as real antivirus products to convince targeted users they have been infected by malicious codes. Victims are then prompted to buy the rogue antivirus to remove these bogus infections. Cyber-crooks are currently profiting substantially from this type of fraud.

SEO techniques

This type of attack is benefiting from advanced SEO (Search Engine Optimization) techniques. These are legitimate Web programming techniques aimed at increasing the volume and quality of traffic to a website and improving its ranking in search engine results lists. This is the case with the webpage selling the Malwaredoctor fake antivirus, which was designed specifically to achieve a high ranking in search engines (for more information about this phenomenon click here).

In addition to standard SEO techniques, attackers are also using techniques known as “Black Hat SEO”, which could be described as illegal search engine positioning techniques used to bypass search engine policies, present alternative content or affect the user’s experience. Occasionally it can be difficult to determine whether a technique is legitimate or not, as this can depend on the policies of the search engine.

Attack obfuscation

Attackers are always keen to make it harder for anti-malware vendors to identify malicious sites. To do this, they are starting to use a more advanced way of launching these attacks: some of the malicious pages they control behave differently and show different content depending on where the visitor has come from.

In order to hide the attack, a script is inserted that determines the origin of the visitor. If a user types the URL they want to visit in the browser bar, the legitimate, correct content is displayed. However, if the user has come from a manipulated Google search, they will be taken to the malicious Web page.

MSAntispyware 2009: A different example

PandaLabs recently detected a Web page that appeared to establish a new model. While generally pages selling fake antiviruses either do not contain specific tags or those they contain are designed to improve indexing in search engines, the page from which MSAntispyware 2009 was distributed represented a significant change. Here, all the tags and processes were designed to prevent the page from being indexed in search engines.

The reason for this was to make it more difficult for malware analysts and security companies to prevent infections using techniques such as blocking URLs found through search engine queries with specific parameters.
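The two evasion tricks described above (the referrer-dependent script under “Attack obfuscation” and the anti-indexing tags of the MSAntispyware 2009 page) can both be tested for from the analyst’s side. The Python below is an added example, not code from Panda or PandaLabs: it visits a URL once directly and once with a Referer header that looks like a Google search result, flags any difference in the final URL or content as referrer cloaking, and checks whether the page a search-referred visitor lands on asks not to be indexed (a `noindex` in an `X-Robots-Tag` header or a `<meta name="robots">` tag). The `http_fetch` helper, the `SEARCH_REFERER` value, the `example.invalid` URLs and the `simulated_fetch` site are all this example’s own constructed assumptions.

```python
"""Landing-page evasion checks (added example, not Panda's code).

Two indicators from the post are checked for a URL:
  * referrer cloaking: the page answers differently when the visitor arrives
    from a search engine than when the URL is typed in directly;
  * anti-indexing: the page asks search engines not to index it, which is
    odd for a page that is only reachable through search results.
The fetcher, the Referer value and the simulated site are assumptions made
for this example, not anything taken from the original report.
"""
from collections import namedtuple
from html.parser import HTMLParser
import urllib.request

# Constructed Referer value standing in for "arrived from a Google search".
SEARCH_REFERER = "https://www.google.com/search?q=example"

Response = namedtuple("Response", "final_url status headers body")


class RobotsMetaParser(HTMLParser):
    """Collects the content of every <meta name="robots"> tag in a document."""

    def __init__(self):
        super().__init__()
        self.directives = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "robots":
            self.directives.append(a.get("content", "").lower())


def http_fetch(url, referer=None):
    """Real fetcher: GET the URL (following redirects) with an optional Referer."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    if referer:
        req.add_header("Referer", referer)
    with urllib.request.urlopen(req, timeout=10) as resp:
        headers = {k.lower(): v for k, v in resp.headers.items()}
        body = resp.read().decode("utf-8", "replace")
        return Response(resp.geturl(), resp.status, headers, body)


def asks_not_to_be_indexed(resp):
    """True if the response carries a noindex directive in a header or meta tag."""
    if "noindex" in resp.headers.get("x-robots-tag", "").lower():
        return True
    parser = RobotsMetaParser()
    parser.feed(resp.body)
    return any("noindex" in d for d in parser.directives)


def analyze(url, fetcher=http_fetch):
    """Visit the URL directly and via a simulated search referral; report indicators."""
    direct = fetcher(url)
    referred = fetcher(url, referer=SEARCH_REFERER)
    cloaked = (direct.final_url != referred.final_url
               or direct.status != referred.status
               or direct.body != referred.body)
    return {
        "url": url,
        "direct_final_url": direct.final_url,
        "referred_final_url": referred.final_url,
        "referrer_cloaking": cloaked,
        # Inspect the page the search-referred visitor actually lands on.
        "noindex": asks_not_to_be_indexed(referred),
    }


# --- Constructed simulation of the behaviour described in the post ---------
# Direct visits to /landing get harmless content; visits carrying a search
# engine Referer are redirected to a page that also hides itself from indexing.
_FAKE_SITE = {
    "http://example.invalid/landing": "<html><body>Harmless article</body></html>",
    "http://example.invalid/scanner": (
        '<html><head><meta name="robots" content="noindex,nofollow"></head>'
        "<body>Fake scanner page (constructed)</body></html>"),
    "http://example.invalid/about": "<html><body>About us</body></html>",
}


def simulated_fetch(url, referer=None):
    """Stand-in fetcher with no network access; mimics a referrer-cloaked landing page."""
    final = url
    if url.endswith("/landing") and referer and "google." in referer:
        final = "http://example.invalid/scanner"  # stands in for a 302 redirect
    return Response(final, 200, {}, _FAKE_SITE[final])


if __name__ == "__main__":
    for u in ("http://example.invalid/landing", "http://example.invalid/about"):
        print(analyze(u, fetcher=simulated_fetch))
```

Run it as-is to see the simulated cloaked page flagged and the harmless page passed; swap `fetcher=http_fetch` in to probe a real URL. Comparing the two visits in a sandboxed analysis VM, rather than from a workstation, is the usual precaution, since the search-referred visit is the one that reaches the payload page.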
