Distributors of fake antivirus pop-up scams and the like rely on misleading online advertisements to scare users into thinking their computers are infected, while offering a free download to scan for malware. This type of malicious software, often called scareware, has a high infection rate because it uses social engineering techniques to trick users into installing it or, worse still, into handing over their credit card details to pay a worthless subscription fee. Ironically, attackers have been leveraging Internet users' increased awareness of the need to keep their computers secure to distribute fake AV software and other malware programs, such as the Storm Trojan.
Social engineering exploits various psychological triggers such as greed, fear or curiosity to induce or seduce people into ignoring common sense and breaking security rules. Although the social engineering methods used in these attacks are fairly simple, attackers are using more sophisticated methods to deliver their ads and defend their distribution network. For instance, the readers of the New York Times were targeted last year by scammers who initially posed as the Internet telephony provider Vonage Holdings Corp. The initial ad the hackers paid to place on the site was innocuous, but was later switched to one that warned NYTimes.com visitors that their computers may be infected with viruses. Clicking on the link then redirected visitors to a site that offered to sell antivirus software. By paying to place ads on such high-profile sites, attackers gain an air of respectability and believability.
Real antivirus programs are struggling to keep up with fake antivirus malware as well. The often well-resourced and IT-savvy scammers who create fake antivirus programs use varied packers and polymorphism on each installation to evade signature-based detection. They have also dramatically increased the number of pages that try to download their malware, overwhelming the ability of legitimate antivirus programs to keep blacklists and malware-detection signatures up to date, which reduces the chances of their attack being detected.
One reason these malicious sites are increasingly difficult to blacklist is a technique called domain rotation: attackers drive traffic to their distribution servers through a number of sites, either dedicated ones or legitimate sites they have compromised, each of which redirects browsers to an intermediary site that in turn redirects the traffic on to the distribution servers.
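The redirect chains that domain rotation produces are visible to defenders in web-proxy logs, and the pattern of a click bouncing through several unrelated domains into an executable download can be surfaced automatically. The following is an added example, not code from the article or its author: it reconstructs per-client redirect chains from a constructed, simplified log format (client, status, URL, redirect target) and flags chains that cross several domains and end in a download.

```python
"""Reconstruct redirect chains from proxy logs to surface domain-rotation hops.
Added example; the log format and hostnames below are constructed for illustration."""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample lines: "<client> <status> <url> <redirect-target-or-->"
SAMPLE_LOG = """\
10.0.0.5 200 http://news.example/article/123 -
10.0.0.5 302 http://ad-host.example/click?id=77 http://rot-a1.example/go
10.0.0.5 302 http://rot-a1.example/go http://rot-b9.example/land
10.0.0.5 302 http://rot-b9.example/land http://dl-srv.example/Setup.exe
10.0.0.5 200 http://dl-srv.example/Setup.exe -
10.0.0.7 302 http://shop.example/item http://shop.example/item/
10.0.0.7 200 http://shop.example/item/ -
"""

DOWNLOAD_EXT = (".exe", ".msi", ".scr")  # assumed set of payload extensions


def parse_log(text):
    """Yield (client, status, url, target); '-' means no redirect target."""
    for line in text.splitlines():
        client, status, url, target = line.split()
        yield client, int(status), url, (None if target == "-" else target)


def redirect_chains(text):
    """Follow 3xx hops per client into chains: [start url, ..., final url]."""
    hops = defaultdict(dict)  # client -> {url: redirect target}
    for client, status, url, target in parse_log(text):
        if 300 <= status < 400 and target:
            hops[client][url] = target
    chains = []
    for client, edges in hops.items():
        targets = set(edges.values())
        for start in edges:
            if start in targets:
                continue  # a mid-chain hop, not a chain head
            chain, cur, seen = [start], start, set()
            while cur in edges and cur not in seen:  # seen guards against loops
                seen.add(cur)
                cur = edges[cur]
                chain.append(cur)
            chains.append((client, chain))
    return chains


def suspicious_chains(text, min_domains=3):
    """Flag chains spanning >= min_domains hosts that end in a payload download."""
    flagged = []
    for client, chain in redirect_chains(text):
        domains = {urlparse(u).hostname for u in chain}
        if len(domains) >= min_domains and chain[-1].lower().endswith(DOWNLOAD_EXT):
            flagged.append((client, chain))
    return flagged
```

The same-host redirect for client 10.0.0.7 is reconstructed but not flagged, which is the distinction a blacklist of final domains alone cannot make.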
Another trick behind the success of these programs is that it often doesn't matter whether you click 'Yes,' 'No,' or 'Cancel' to close a pop-up alert: the alerts keep appearing. (In this situation, instruct users to kill the browser session by pressing Ctrl+Alt+Delete to launch the Windows Task Manager, terminate the browser process -- iexplore.exe, firefox.exe -- and, if prompted when restarting the browser, decline to restore the previous session.) If you think the computer may have been infected, disconnect it from the Internet and run a full-system scan using your original antivirus software. If the antivirus program can't update itself, malware may be blocking access to the update files. Sites such as Symantec.com and Microsoft.com often publish free advice on how to remove specific malware based on the symptoms the computer is experiencing.
The best way to prevent fake antivirus at the enterprise level is to reinforce a security awareness training plan for employees: It's important to prepare the staff to deal with social engineering attacks of this kind. If you use scenario-based training with realistic examples of what the staff may encounter, you can build up their resistance to the psychological triggers used in social engineering attacks and make them less susceptible to being tricked into breaking security policy. Simple security posters warning against clicking on pop-ups and ads that are too good to be true can be very effective and keep users aware of the danger. Most AV programs will display a warning if a user tries to access a site that they believe carries malicious code, and users should be made aware that they are not allowed to ignore or override these warnings; unfortunately, disallowing overrides is not something that can be set up within the antivirus system itself.
It should be made clear during user awareness training that all enterprise computers already have antivirus and antimalware software installed, and that it is the responsibility of the IT department to maintain this protection: Users do not need to take action themselves. In addition, ensuring that users are not logged in with administrative rights will prevent most from being able to install unwanted programs. Also, while it might seem that just telling users to turn off pop-ups -- as with telling them to turn on or off any security settings -- is a good idea, doing so is often fraught with difficulties. I would avoid this if at all possible.
You also need to have a well-defined process for handling a security incident that an employee can begin as soon as he or she suspects something is wrong. If someone is concerned about any aspect of his or her computer's behavior, perhaps because of continuous prompts or sluggish behavior, then he or she should report it to the IT department. This process should also include a provision for proactively informing other users when a new scam is spotted, thus reinforcing the best practices you have been promoting.
About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.
This was first published in August 2010