The incidence of rogueware -- antivirus scam programs -- is increasing dramatically as cybercriminals find they can turn a quick buck by selling unwitting PC users the ultimate in vaporware.
New rogueware strains have skyrocketed from about 92,000 in all of 2008 to 374,000 in Q2 this year and will leap by an estimated 637,000 in Q3, according to the Panda Security report,
"They are diversifying their business," said Luis Corrons, technical director of PandaLabs. "Rogueware is not new, but they've figured out it's a really, really easy way to obtain money from consumers."
The bad guys are still going after your passwords, PIN numbers and credit card numbers, but that type of cybercrime is a more complex process: targeting specific banks and businesses to attack, infecting your machine with malware or fooling you into giving up information and then selling it at a devalued rate on the black market that's glutted with credit card numbers and PII.
Compare that to getting an average $59.95 for nonexistent software that fixes a nonexistent problem.
Rogueware typically displays fake pop-up warnings and launch messages in the task bar. They complete a fake scan of your system in seconds (if that doesn't tip you off, nothing will), with results showing that your system is infected with all sorts of nasty malware. They make changes to the OS to prevent their removal -- preventing users from restoring their desktops or screensavers till they follow the warnings and pay for rogueware.
Victims think the rogueware has eliminated the problem that their legit AV program has failed to touch. In some cases, they'll even remove their AV because they have found something better.
The names are deceptively reassuring and vaguely familiar -- Antivirus2009, Xpantivrus2008, XPAntiSpyware2009 and MSAntiSpyware2009. WinPC Defender, SystemSecurity, System Guard2009, etc. Panda has identified 200 different families of rogueware through Q2; 10 of these account for more than three-quarters of the variants.
Those hundreds of thousands -- approaching a million -- variants make life tough on legitimate AV vendors, using polymorphic techniques to change with each installation and challenging AV companies to spew out signatures. They are generally harder to detect than other malware, because they are not doing anything clearly. It's just that they are sending out bad information.
The business model is simple. There are program creators, who design the rogueware and provide distribution platforms and payment gateways, and affiliates, generally East European hackers, who receive payments per initial install and commissions for completed sales.
Rogueware distributers sometimes use legitimate payment processing vendors, said Sean-Paul Correll, Panda Labs threat researcher. Panda has had some success getting processors to shut down these payment gateways. In other cases, he said, rogueware scammers set up their own back-end processing systems in Russia, the Ukraine and other locations.
Botnet owners will sometimes use their bots to distribute rogueware, but Correll said this is atypical, because PC owners who don't fall for the scam -- and that's most of those who are infected -- will have their drives reformatted, destroying the bot in the process.
"The Conficker worm is a perfect example," he said. "They made a last-ditch effort to monetize when they received all that massive media attention, which was the opposite of what they wanted because they knew all the AV companies would be on top of them to eliminate it."