Rogue software writers seem to have found the perfect business model. Rogue software has been a long-standing threat to computer users worldwide, and its success is fuelled by a constant stream of profits. The ease with which users fall for its scare tactics is one reason these criminals have remained in business for so long, and why rogue antivirus software is one of the most prevalent Web threats today — and for the foreseeable future.
Rogue software first appeared back in 2000 as programs that mimicked HDD cleaners and registry repair software, but it has since evolved into the type of bogus application we’re all familiar with today: rogue antivirus.
Malware writers are constantly refining and changing their tactics, introducing new rogue AV strains that trick users into downloading their software. Their approach is so effective that it has produced a marked increase in the rate of infection, along with headline-grabbing stories. At GFI, we have started to identify rogue software in the guise of fake firewalls, fake anti-rootkit tools, and other similar programs. Two of the latest rogue programs we have detected are Windows Saviour FireWall and Security Protection.
One of the reasons malware writers are so successful is that they have created user interfaces that look just like those of legitimate products, making it hard for unsuspecting users to distinguish between a real and a fake AV product. Malware writers not only use the vendors’ brand colors; the structure and content of the interface are almost identical as well.
Putting things in perspective
Dozens of new strains of rogue AV surface daily, and their targets are far-reaching. According to the Anti-Phishing Working Group’s (APWG) latest report from January, the number of rogue AV programs detected increased by 13% in Q2 2010 compared to Q1.
When you look at the sheer volume of rogue AV strains out there, it seems that this family of malware is unstoppable. It isn’t. Although there are many variations that are as yet undetected, experts in the AV industry are constantly on the lookout for new rogue AV types, and users can do their part by following basic, practical security practices whenever possible. Furthermore, a higher level of awareness and education is key to reducing the impact of rogue AV products on computer users.
Like any online malware threat whose sole purpose is making a profit for its creators, rogue software does not stagnate or disappear. In fact, once a sample is detected and analyzed, one can see how sophisticated and complex its design is, and I’m not talking about its payload — which is another matter altogether.
With the boom in search engine usage, especially on Google, rogue software uses keywords based on hot topics, celebrity scandals, major events like a Royal Wedding, holidays such as Easter, and other news and events to poison search engine results.
Anybody, anywhere in the world, with an interest in the latest news and gossip can be tricked into clicking on what they believe are legitimate links. What is interesting is that no data, apart from general infection counts, can be acquired from the search results.
The introduction of new technology and the boom in users accessing the Web via their mobile devices has also created a huge market for cybercriminals and rogue software writers. Recent research shows that rogue AV software is now also infecting mobile devices.
Apple’s Mac users have not been spared either. News that Trojan.OSX.Macdefender.a (v) infected Mac users made headlines, rattling the Apple community and coming close to debunking the myth that “The Mac is malware-proof.”
Because search engine poisoning attack methods rely mostly on chance (the probability that users click poisoned links), security researchers have a difficult time analyzing data and identifying preventive strategies. Attacks on mobile devices at least allow experts to measure rogue AV statistics for research purposes, such as an infection’s impact on certain demographics, specific devices, or varying age brackets. With this data, researchers can determine high-risk areas and prioritize security solutions in those markets.
Perhaps the most interesting insight we can gain from watching rogue AV’s progression over the years is that, instead of abandoning old tactics in favour of new ones, cyber criminals are merely adding to the growing list of methods they already employ. As rogue AV creators continue to cast a wider net for victims on the Internet, as we’ve seen phishers do, the most common method of attack — luring users to click dodgy text and image links — has just become a bit more sophisticated.
Unfortunately, the future for rogue AV looks bright, because the threat needs to be considered in terms of profit and loss. Rogues will evolve and keep growing so long as criminals can profit from them. But, like any legitimate business with a product that doesn’t sell, the criminals will stop the attacks as soon as they no longer yield profits and will look for a different avenue to make money.
For now, though, rogue software continues to work for cyber criminals because they are constantly changing the shape and form of their programs.
Jovi Bepinosa Umawing is a threat researcher at GFI Software, a provider of security and IT solutions to the mid-market.