Panda reports fast-spreading rogueware antivirus fraud rakes in millions

By Neil Roiter, Senior Technology Editor 29 Jul 2009 | SearchSecurity.com

Digg This!     StumbleUpon     Del.icio.us

The incidence of rogueware -- antivirus scam programs -- is increasing dramatically as cybercriminals find they can turn a quick buck by selling unwitting PC users the ultimate in vaporware.

New rogueware strains have skyrocketed from about 92,000 in all of 2008 to 374,000 in Q2 this year and will leap by an estimated 637,000 in Q3, according to the Panda Security report, "The Business of Rogueware," released today. Panda estimates that victims are shelling out $34 million per month worldwide. It's an easy buck -- you infect a computer and wait for the credit card payment.

"They are diversifying their business," said Luis Corrons, technical director of PandaLabs. "Rogueware is not new, but they've figured out it's a really, really easy way to obtain money from consumers."

The bad guys are still going after your passwords, PIN numbers and credit card numbers, but that type of cybercrime is a more complex process: targeting specific banks and businesses to attack, infecting your machine with malware or fooling you into giving up information and then selling it at a devalued rate on the black market that's glutted with credit card numbers and PII.

Compare that to getting an average $59.95 for nonexistent software that fixes a nonexistent problem.

Rogueware typically displays fake pop-up warnings and launch messages in the task bar. They complete a fake scan of your system in seconds (if that doesn't tip you off, nothing will), with results showing that your system is infected with all sorts of nasty malware. They make changes to the OS to prevent their removal -- preventing users from restoring their desktops or screensavers till they follow the warnings and pay for rogueware.

Victims think the rogueware has eliminated the problem that their legit AV program has failed to touch. In some cases, they'll even remove their AV because they have found something better.

The names are deceptively reassuring and vaguely familiar -- Antivirus2009, Xpantivrus2008, XPAntiSpyware2009 and MSAntiSpyware2009. WinPC Defender, SystemSecurity, System Guard2009, etc. Panda has identified 200 different families of rogueware through Q2; 10 of these account for more than three-quarters of the variants.

Those hundreds of thousands -- approaching a million -- variants make life tough on legitimate AV vendors, using polymorphic techniques to change with each installation and challenging AV companies to spew out signatures. They are generally harder to detect than other malware, because they are not doing anything clearly. It's just that they are sending out bad information.

The business model is simple. There are program creators, who design the rogueware and provide distribution platforms and payment gateways, and affiliates, generally East European hackers, who receive payments per initial install and commissions for completed sales.

Rogueware distributers sometimes use legitimate payment processing vendors, said Sean-Paul Correll, Panda Labs threat researcher. Panda has had some success getting processors to shut down these payment gateways. In other cases, he said, rogueware scammers set up their own back-end processing systems in Russia, the Ukraine and other locations.

Botnet owners will sometimes use their bots to distribute rogueware, but Correll said this is atypical, because PC owners who don't fall for the scam -- and that's most of those who are infected -- will have their drives reformatted, destroying the bot in the process.

"The Conficker worm is a perfect example," he said. "They made a last-ditch effort to monetize when they received all that massive media attention, which was the opposite of what they wanted because they knew all the AV companies would be on top of them to eliminate it."

Tags: Application Attacks (Buffer Overflows, Cross-Site Scripting),  Web Server Threats and Countermeasures,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Application Attacks (Buffer Overflows, Cross-Site Scripting) Latest zero-day attacks only target IE 6, Microsoft says Social networking security: Twitter, Facebook hacker attacks climbing Web application attacks security guide: Preventing attacks and flaws How to stop buffer-overflow attacks and find flaws, vulnerabilities Preventing and stopping SQL injection hack attacks Distributed denial-of-service protection: How to stop DDoS attacks Prevent cross-site scripting hacks with tools, testing Firefox, Opera, Safari browsers top list of high risk software Information security book excerpts and reviews Quiz: How to build secure applications Application Attacks (Buffer Overflows, Cross-Site Scripting) Research Web Server Threats and Countermeasures Microsoft doesn't rule out rushed patch for IIS zero-day vulnerability How do passwordless SSH keys represent an enterprise attack vector? Information security book excerpts and reviews Increase in Gumblar backdoors poses FTP credential problems VeriSign extends DDoS attack protection service Microsoft issues IIS FTP advisory, exploit code circulates Oracle issues quarterly patches, fixes database flaws Latest DDoS attacks extremely unsophisticated, experts say Stolen FTP credentials likely in massive website attacks Microsoft warns of IIS zero-day vulnerability

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary buffer overflow  (SearchSecurity.com) cache poisoning  (SearchSecurity.com) cyberterrorism  (SearchSecurity.com) dictionary attack  (SearchSecurity.com) directory harvest attack  (SearchSecurity.com) distributed denial-of-service attack  (SearchSecurity.com) JavaScript hijacking  (SearchSecurity.com) ping of death  (SearchSecurity.com) stack smashing  (SearchSecurity.com) SYN flooding  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary