Fake antivirus

40% of all fake antiviruses were created in 2010

– 11.6% of all computer threats gathered over the last 21 years belong to this category

– 34.8% of all computers worldwide are infected

Panda Security has warned of the recent proliferation of fake antiviruses (also known as ’rogueware’): 40% of all fake antiviruses ever created have appeared this year. Since this type of malicious code was first reported four years ago, 5,651,786 unique rogueware strains have been detected, 2,285,629 of which appeared between January and October 2010.

If the number of rogueware specimens is compared to the total number of malware strains in Panda’s Collective Intelligence database, 11.6% of all samples are fake antiviruses. “This is a staggering figure, especially if you consider that this database contains all malware detected in the company’s 21-year history and rogueware only appeared four years ago”, says Jeremy Matthews, head of Panda’s sub-Saharan operations.

Rogueware’s sophistication, realism and social engineering techniques are the basis of its success, as shown by the fact that more and more users are falling victim to this scam. So far this year, 46.8% of all computers worldwide have become infected with some sort of malware, and 5.40% have been affected by rogueware.

While there are many different types of rogueware, they all exist for the same reason: to generate a profit.

Every new victim of a fake antivirus scam makes money for its operators in more than one way: they sell antivirus licenses that the buyer will never actually receive, and they harvest the credit card data entered at checkout, which can be sold on the black market or used to make online purchases.

According to a study conducted by Panda, rogueware authors make over $34 million a month (approximately $415 million a year).

How fake antiviruses work

Even though the fraudulent business of rogueware was first reported in 2006, it was not until 2008 that this type of malicious code actually started to proliferate. Users can become infected simply by browsing the Web, downloading supposed codecs for media players, clicking links in emails, etc.

Once they have infected a system, these applications pass themselves off as antivirus solutions and claim to detect hundreds of threats on the victim’s computer. When the user tries to remove the threats, they are asked to buy the ‘full’ product license, and very often they take the bait. Once they have paid, they never hear from the ‘seller’ again, and the fake antivirus remains on their computer.

“The best way to protect yourself against fake antiviruses is to have a good real one, like Panda, installed. Always initiate all program and software installations yourself, and don’t trust pop-up programs that make excessive claims”, concludes Matthews.

For more information about Panda, visit http://www.pandasecurity.com/.

Follow us on Facebook and Twitter @PandaSecurityZA

Fake antivirus now hijacks, blocks computers

Panda Security’s anti-malware laboratory has identified a new, more aggressive trend for selling fake antivirus programs or rogueware. Until now, when a computer was infected by this type of malware, users would typically see a series of warnings prompting them to buy a pay version of the program. Now, these technologies are being combined with ransomware, hijacking the computer and rendering it useless until victims complete the purchase.

“The way this rogueware operates presents a dual risk: firstly, users are tricked into paying money simply in order to use their computers; and secondly, these same users may believe that they have a genuine antivirus installed on the computer, thereby leaving the system unprotected,” explains Jeremy Matthews, head of Panda’s sub-Saharan operations.

Once a computer is infected, any attempt by the user to run a program or open a document is blocked. The only response from the computer is a message falsely informing the victim that all files are infected and that the only solution is to buy the fake antivirus.

This fake program, called Total Security 2009, is offered for €79.95 (almost R600). Victims are also offered ‘premium’ tech support services for an additional €19.95 (about R150). Users who pay the ransom receive a serial number which, when entered in the application, releases all files and executables, allowing them to work normally and recover their information. The fake antivirus, however, remains on the system.

“Users are often infected unknowingly – in most cases, through visiting hacked websites, and once a computer is infected it is extremely difficult to eliminate the threat, even for those with a certain degree of technical knowledge,” says Matthews. “Users are also prevented from using any type of detection or disinfection tool, as all programs are blocked. The only application that can be used is the Internet browser, conveniently allowing the victim to pay for the fake antivirus.”

For this reason, Panda has published on the PandaLabs blog the serial numbers required to unblock a hijacked computer. Once unblocked, users can install genuine security software to scan the computer in depth and eliminate all traces of the fake antivirus.

PandaLabs recently published a report about the lucrative business of rogueware. The shift towards hijacking computers indicates either that users are becoming more adept at recognizing these threats or that security companies are beginning to close the net. This would explain why the criminals are becoming more aggressive in the methods used to force victims into paying. The PandaLabs report is available here.

The serial numbers and a video demonstrating how this scam operates are available on the PandaLabs blog.

Panda report reveals thriving rogueware economy

Panda Security’s malware analysis and detection laboratory has released a comprehensive study on the proliferation of rogueware into the cyber-crime economy.

Rogueware consists of any kind of fake software solution that attempts to steal money from PC users by luring them into paying to remove nonexistent threats. Panda predicts that it will record more than 637,000 new rogueware samples by the end of Q3 2009, a tenfold increase in less than a year. Approximately 35 million computers are newly infected with rogueware each month (approximately 3.5% of all computers), and cyber-criminals are earning approximately $34 million per month through rogueware attacks.

“The Business of Rogueware”, Panda’s report, reviews the various forms of rogueware that have been created and shows how this new class of malware has become an instrumental player in the overall cybercriminal economy. The study also provides in-depth analysis of the increasingly sophisticated social engineering techniques used by cyber-criminals to distribute rogueware via Facebook, MySpace, Twitter and Google.

In early 2009, social media sites such as Facebook, MySpace, Twitter and Digg became major targets for rogueware distributors. The top five social media attacks involving rogueware are:

1. SEO attack against Ford Motor Company

2. Comments on Digg.com leading to rogueware

3. Twitter trending topics lead to rogueware

4. Rogueware exploits WordPress vulnerability to facilitate Blackhat SEO attack

5. Koobface moves to Twitter

“Rogueware is so popular among cyber-criminals primarily because they do not need to steal users’ personal information like passwords or account numbers in order to profit from their victims,” says Jeremy Matthews, head of Panda’s sub-Saharan operations. “By taking advantage of the fear in malware attacks, they prey upon willing buyers of their fake anti-virus software, and are finding more and more ways to get to their victims, especially since popular social networking sites have become mainstream.”

Rogueware morphs quickly and proves difficult to detect

There are approximately 200 different families of rogueware, and Panda expects the variations to continue to grow. In the first quarter of 2009 alone, more new strains were created than in all of 2008. The second quarter painted an even bleaker picture, with the emergence of four times as many samples as in all of 2008. In Q3, Panda forecasts a rogueware total greater than the previous eighteen months combined.

The primary reason for creating so many variants is to evade signature-based detection by legitimate antivirus programs. Behavioural analysis, which works well against worms and Trojans, is of limited use against this type of malware because the programs themselves do little on the computer that is overtly malicious beyond displaying false information. However, Panda Security has begun to identify more advanced variants that use typical Trojan features, rootkits and other techniques to subvert detection technologies.
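The paragraph above makes a point worth seeing in code: a signature keyed on the exact hash of one sample is defeated by every repacked build, whereas a rule keyed on what the scam cannot do without (the scare message and the purchase prompt) survives mass variant generation. The following is an added illustration, not Panda's code; the "binaries" are constructed toy byte strings, and the marker strings are assumptions standing in for the content a real rule would match.

```python
"""Hash signatures vs. content heuristics against mass-produced variants.

Added illustration; the samples are constructed toy "binaries", not real
rogueware. The variant generator stands in for a repacking kit that wraps
the same core in fresh junk bytes per build."""
import hashlib

# Constructed core of a fake-AV "binary": a fixed body carrying the
# strings the business model depends on (the victim must be told to pay).
CORE = (
    b"MZ\x90\x00FAKEAV-CORE"
    b"WARNING! Your computer is infected with 327 threats. "
    b"Purchase the full version to remove them."
)


def make_variant(seed: int) -> bytes:
    """Wrap CORE in seed-dependent junk so every build hashes differently."""
    junk = hashlib.sha256(seed.to_bytes(4, "big")).digest() * 4  # 128 bytes
    return junk[:32] + CORE + junk[32:]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Signature database built from the ONE sample the lab has seen (seed 0).
KNOWN_HASHES = {sha256(make_variant(0))}

# Heuristic rule (assumed markers): both scareware strings must be present.
SCAREWARE_MARKERS = [b"is infected with", b"Purchase the full version"]


def hash_detect(sample: bytes) -> bool:
    """Exact-hash signature match."""
    return sha256(sample) in KNOWN_HASHES


def heuristic_detect(sample: bytes) -> bool:
    """Content rule: all markers present, regardless of packing."""
    return all(marker in sample for marker in SCAREWARE_MARKERS)


def evaluate(n_variants: int) -> dict:
    """Run both detectors over n freshly generated variants."""
    samples = [make_variant(i) for i in range(n_variants)]
    return {
        "variants": n_variants,
        "distinct_hashes": len({sha256(s) for s in samples}),
        "hash_hits": sum(hash_detect(s) for s in samples),
        "heuristic_hits": sum(heuristic_detect(s) for s in samples),
    }


if __name__ == "__main__":
    # Expect 200 distinct hashes, 1 hash hit, 200 heuristic hits.
    print(evaluate(200))
```

The heuristic is not a silver bullet: once authors encrypt or build the strings at run time, as the more advanced variants mentioned above do, a static string rule fails in the same way the hash did, and detection has to move to the unpacked image or to what the program does once it runs.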

How rogueware business works – and tracking the source

The Panda report details how the rogueware business works. The business model has two major parts, programme creators and distributors (affiliates), not unlike a traditional business. The creators make the rogue applications and provide the distribution platforms, payment gateways and other back-office services. The affiliates distribute the rogueware to as many people as possible, as quickly as possible.

Panda’s research reveals that the affiliates are mostly Eastern Europeans recruited from underground hacking forums. They earn a variable amount per install and a commission of between 50 and 90 percent on completed sales. The Panda report includes financial statements and photos from events hosted by the leaders of these organizations that are not dissimilar to corporate sales events.

To read the full report, click here.

For real-time updates on Panda’s research, follow @Panda_Security

Cyber-crooks use Facebook to drive rogue anti-malware business

According to global IT vendor Panda Security, the 56th variant of the Boface family of worms has just appeared. Each of these variants has been designed especially to use Facebook to distribute and download malware. This is largely due to the enormous global popularity of this social network and the potential it offers for reaching numerous users. The BJ variant in particular uses Facebook to download and install rogue anti-malware and trick users into believing they are infected and consequently buy a fake antivirus.

Data compiled through the free Panda ActiveScan online scanner has shown that since August 2008, 1% of all computers scanned were infected by a variant of Boface.

“Extrapolating this data in line with the number of Facebook users (approximately 200 million), we arrive at a figure of 2 million users that could be infected,” says Jeremy Matthews, head of Panda’s sub-Saharan operations. “The increasing number of variants in circulation is due to the aim of cyber-crooks to infect as many users as possible and therefore boost their financial returns”.

Almost 40% of the infected computers are in the United States, with the rest distributed across many different countries. Infections observed since August 2008 show exponential growth, as high as 1,200% when April 2009 is compared with August 2008.

The rogue anti-malware business is one of the most prolific cyber-crime activities, with respect to the number of examples in circulation. Panda forecasts quarterly growth of more than 100% for the current year.

The new variant: how it works

The new Boface.BJ worm reaches computers in several ways: email messages with attachments, internet downloads, files transferred via FTP, IRC channels and P2P file-sharing networks.

Once the computer has been infected, the worm activates when the user logs in to Facebook. It then sends a message to the user’s entire list of friends, including the infected user. Anyone clicking the link in the message is taken to a fake YouTube page (named “YuoTube”) where they are supposedly able to watch a video. First, however, they are prompted to download a media player. If the user accepts, the fake antivirus is downloaded immediately.

From the moment it is installed, this malware will launch messages claiming that the computer is infected and that the user must buy a solution.

Given the viral nature of social networks like Facebook, it is fair to assume that the message will spread exponentially, leading to very high infection rates.

“Users of social networks like this normally trust the messages they receive, so the number of reads and clicks is often very high,” says Matthews. “Clearly, in addition to the security measures of the social network itself, users have to take on board certain security and personal privacy basics, to avoid falling victim to fraud and contributing to its propagation.”

To prevent this type of fraud, Panda Security offers the following advice:

1) Don’t click suspicious links from non-trusted sources. This applies to messages received through Facebook, other social networks and also email.
2) If you do click on such a link, check the target page carefully (in this example, it is clearly a fraud). If you don’t recognize it, close your browser.
3) Even if you don’t see anything strange in the target page, if you are asked to download something, don’t accept.
4) If you have nevertheless downloaded and installed some type of executable file, and your computer begins to launch messages saying that you are infected and that you should buy an antivirus, this is very probably a fraud. Never enter your credit card details, as you would be putting your money at direct risk. Above all, get a second opinion on the security of your system with a reliable free online security solution such as Panda ActiveScan.
5) As a general rule, make sure your computer is well protected, so that you are not exposed to the risk of infection from any malicious code. You can protect yourself with the new, free Panda Cloud Antivirus solution.
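Step 2 above, checking the target page, can be partly automated at the point where a link is received, and the Boface lure is a good test case: a brand name spelled with two letters swapped. The following is an added example, not Panda's code, of a lookalike-host check that flags a hostname whose registrable label is one edit (including a transposition) away from a known brand, or that buries a brand name in a subdomain of some other domain. The brand list, the toy public-suffix list and the hostnames in the usage are assumptions; the page only says the fake page was called “YuoTube”, not what domain served it.

```python
"""Lookalike-hostname check for links received over social networks.

Added example (not Panda's code). Flags hosts whose registrable label is a
near-miss of a known brand ("yuotube" vs "youtube") or that place the brand
in a subdomain of an unrelated domain ("youtube.com.watch-video.net").
Brand list, suffix list and threshold are assumptions for illustration."""
from typing import Tuple
from urllib.parse import urlsplit

BRANDS = {"youtube", "facebook", "twitter", "myspace", "google", "digg"}
# Toy public-suffix list; production code should use the real PSL.
SUFFIXES = {"com", "net", "org", "co.za", "co.uk"}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent
    transposition, so a swapped pair ('uo' for 'ou') costs 1, not 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def registrable_label(host: str) -> str:
    """Label directly under a (toy) public suffix: 'youtube' for www.youtube.com."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # try two-part suffixes (co.za) before one-part (com)
        if len(labels) > n and ".".join(labels[-n:]) in SUFFIXES:
            return labels[-n - 1]
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify(url: str) -> Tuple[str, str]:
    """Return (verdict, brand); verdicts are 'legitimate', 'lookalike',
    'brand-in-subdomain' or 'unknown'."""
    host = (urlsplit(url).hostname or "").lower()
    label = registrable_label(host)
    if label in BRANDS:
        return "legitimate", label
    # Brand used as a label above the registrable domain, e.g. youtube.com.evil.net
    for part in host.split(".")[:-1]:
        if part in BRANDS:
            return "brand-in-subdomain", part
    # Near-miss of a brand; length floor avoids noise on very short labels
    for brand in sorted(BRANDS):
        if len(label) >= 5 and osa_distance(label, brand) <= 1:
            return "lookalike", brand
    return "unknown", ""


if __name__ == "__main__":
    # Constructed URLs; expected: lookalike, legitimate, brand-in-subdomain, unknown
    for u in ("http://yuotube.com/watch?v=1", "https://www.youtube.com/watch?v=1",
              "http://youtube.com.watch-video.net/", "https://example.org/"):
        print(u, "->", classify(u))
```

A check like this belongs at the gateway or in the client that renders received messages, as a warning rather than a block: the edit-distance threshold of 1 catches the transposed and single-letter cases but not homoglyph or multi-edit lookalikes, and a legitimate brand subdomain on the brand's own domain is not flagged because its registrable label matches first.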

Fake AVs lure victims using Ford as a bait

Panda Security’s antimalware laboratory has revealed that cyber-crooks are exploiting the current upheaval in America’s motor industry by launching a black hat SEO (Search Engine Optimization) attack that uses the name of embattled American car manufacturer Ford Motor Co. as bait to distribute malware on the Internet. The IT security vendor has found 1.2 million results in searches related to Ford that point to these malicious pages.

“If users searching for information about Ford click one of the malicious results, they are taken to a webpage in which it seems as if they are about to see a video,” explains Jeremy Matthews, head of Panda Security’s sub-Saharan operations. “If they try to watch the video, they will be prompted to download another program. This program, however, is really a fake antivirus. Panda has detected two fake antivirus programs that are distributed in this way: MSAntiSpyware2009 and Anti-Virus-1.”

These fake antiviruses are designed to make users believe that their computers have been infected by malware. They do this by simulating a scan of the system and supposedly detecting malware. Users are then offered the chance – through pop-ups and banners – to buy the pay version of the fake antivirus to clean their computers. If they don’t buy it, the malicious code will prevent the computer from operating properly in an attempt to force users into buying the product.

Over the last year, this type of malware has increased significantly. According to data from Panda, the number of variants of fake antiviruses has increased one hundredfold between the first quarter of 2008 and the corresponding period in 2009. In fact, in the first three months of 2009 no less than 111,086 new strains of fake antiviruses were detected – 20% more than in the whole of 2008.

“What’s interesting about this attack, however, is that this is one of the only black hat SEO attacks to focus on a single brand,” concludes Matthews.

Watch a video describing the infection process here.

For more information about this infection, go to the PandaLabs blog.

Blackhat SEO fuels rogue security campaign

In our previous post, we looked at SEO being used by cyber-crooks to distribute malware – especially fake antivirus. In this post we look at a specific example of this happening: Rogue Anti-Malware from Pandora Software.

Blackhat SEO is a method used by criminals to trick search engines into displaying their content ahead of legitimate sites. You can learn more about it here. Below is an example of one of the hijacked searches:

Accessing the link redirects the victim to the rogue anti-malware site, which then prompts the user to download and install the malicious software, as shown below:

Sample hijacked search terms include the following:

Cinderella Full Story In Script
Swollen Throat Rash Chest Pains Symptoms
Body Aches All Over And Extreme Fatigue
Candy Bar In Illustrator
Humerous Marriage Definitions
Art Ideas For Babies
Possesive Worksheet
Free Online Scan Malware
Proxy Which Allows Java
Cd Key Do X Blades
Swollen Lymph Nodes And Dry Cough
How To Write Law In Graffiti
Index Of Best Songs
Keys Of Digi Tv
Free Space Crafts For Preschoolers
Execution Of Women Video
Labeled Diagram Of A Foot
Facebook Skins Free
Ear Infections And Sore Muscles
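The mechanism behind these hijacked searches is cloaking: the doorway page shows a search-engine crawler keyword-stuffed content so it ranks for terms like the ones listed above, redirects a visitor who arrives from a search engine to the rogue anti-malware site, and shows a harmless page to anyone who types the URL in directly (which is what an analyst checking a report tends to do). The following is an added example, not PandaLabs' code, that simulates such a doorway page and the three-persona probe used to expose it. The hostnames, user-agent strings and hijacked terms are constructed for the illustration; only the server function is simulated, so the probe runs offline.

```python
"""Blackhat-SEO cloaking, simulated end to end.

Added example (not PandaLabs' code). `cloaked_server` reproduces the
doorway-page behaviour described in the post; `probe` fetches the same
path as a crawler, as a search-referred browser and as a direct visitor,
and reports whether the responses diverge. Hostnames are invented."""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed subset of the hijacked terms listed in the post.
HIJACKED_TERMS = ["free online scan malware", "swollen lymph nodes and dry cough"]


@dataclass
class Response:
    status: int
    location: Optional[str]
    body: str


def cloaked_server(path: str, user_agent: str, referer: str) -> Response:
    """Simulated doorway page (attacker side)."""
    ua = user_agent.lower()
    if "googlebot" in ua or "bingbot" in ua:
        # Crawler persona: dense keyword page so the URL ranks for the terms.
        stuffed = " ".join(HIJACKED_TERMS * 20)
        return Response(200, None, f"<html><title>{HIJACKED_TERMS[0]}</title>{stuffed}</html>")
    if "google." in referer or "bing." in referer:
        # Human arriving from a search result: bounce to the rogue-AV installer.
        return Response(302, "http://rogue-av.invalid/scan.php", "")
    # Direct visit (analyst, or the victim retyping the URL): innocuous page.
    return Response(200, None, "<html><title>Welcome</title>Nothing to see here.</html>")


# Three personas (constructed header values).
PERSONAS = {
    "crawler": ("Mozilla/5.0 (compatible; Googlebot/2.1)", ""),
    "search-referred": ("Mozilla/5.0 (Windows NT 6.0)",
                        "http://www.google.com/search?q=free+online+scan+malware"),
    "direct": ("Mozilla/5.0 (Windows NT 6.0)", ""),
}

Server = Callable[[str, str, str], Response]


def probe(server: Server, path: str) -> dict:
    """Fetch `path` under each persona and summarise the evidence of cloaking."""
    seen = {name: server(path, ua, ref) for name, (ua, ref) in PERSONAS.items()}
    crawler, searched, direct = seen["crawler"], seen["search-referred"], seen["direct"]
    return {
        "content_differs": crawler.body != direct.body,
        "redirects_search_traffic": searched.status in (301, 302) and direct.status == 200,
        "redirect_target": searched.location,
    }


def is_cloaked(evidence: dict) -> bool:
    return evidence["content_differs"] or evidence["redirects_search_traffic"]


if __name__ == "__main__":
    ev = probe(cloaked_server, "/cinderella-full-story.html")
    print(ev, "-> cloaked" if is_cloaked(ev) else "-> consistent")
```

To run the probe against a live suspect URL, replace `cloaked_server` with a function that performs the HTTP request with the given User-Agent and Referer headers and redirects disabled, and returns the status, Location header and body; the comparison logic stays the same. Fetch from a network you do not mind the operator seeing, since the doorway page logs which personas have visited.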

Post by Sean-Paul Correll, PandaLabs.