
Rogue anti-virus takes off

By Kirsten Doyle, ITWeb contributor.
Moscow, 08 Dec 2009

Scareware, fake anti-virus (AV) programs alarming users into thinking their machines are infected, is on the rise.

So says Sergey Golovanov, senior malware analyst and non-Intel research group manager at Kaspersky Lab, in an interview during the company's New Horizons media tour. “These programs are widespread and are being used by cyber criminals more and more. To date, the company has seen around 320 families of fake AV.”

The security giant discovered around 3 000 rogue AV programs in the first half of last year. The same period of 2009 saw over 20 000 samples being identified. “Kaspersky Lab discovers between 10 and 20 new programs of this kind every day. A few years ago, a new program of this type only appeared once every two days.”

Distribution techniques

Golovanov says scareware ends up on victims' machines in much the same way as other malware. “A Trojan-downloader can covertly download such programs, or vulnerabilities in compromised or infected sites can be exploited to perform a drive-by download.”

More often, however, he says, users download these programs themselves, conned into doing so by dedicated programs or adverts that cyber criminals put in front of them.

Internet advertising and spam are other methods used by criminals to distribute scareware. Many sites, even legitimate sites, host banners advertising a product that claims to solve all sorts of malware issues. “In addition, when surfing the Internet, a user may also find pop-ups appearing in the browser window offering a free anti-virus download.”

Clever imitations

According to Golovanov, rogue AV carefully mimics genuine programs. “The programs will scan, and then display a sequence of messages, notifications of an error, followed by a message claiming that malware has been found on the system. Following this, it will pop up a message offering the user the opportunity to install an anti-virus program to deal with the malware, at a price of course.”

Once the user has downloaded a free trial version, which allegedly detects the malware but does not remove it, a message is displayed saying the full version must be activated at a cost. “These programs often appear very genuine, as the more people are conned, the more money ends up in the pockets of cyber criminals.”

According to Kaspersky Lab, these programs often use the same mechanisms as polymorphic worms and viruses to evade AV solutions. The main body of the program is encrypted to conceal its strings and links. So that the program still runs correctly, a small piece of dynamic code within the file decrypts the body at run time, before the payload executes.
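The encrypt-the-body, decrypt-at-run-time pattern described above leaves a measurable trace on disk: an encrypted body has near-uniform byte statistics and almost no readable strings, while the small decryption stub in front of it looks like ordinary code and text. The following Python script is an added example, not code from the article or from Kaspersky Lab. It profiles a file's byte entropy window by window and reports whether the file looks like a plain program or a stub followed by an opaque body. Both sample buffers are constructed for the demonstration (the "encrypted" one is SHA-256 output standing in for ciphertext; no real cipher or payload is involved), and the 7.0-bit threshold and 1 KB window are assumed tuning values that an analyst would calibrate against their own clean and packed samples.

```python
"""Entropy profiling to spot an encrypted program body behind a small
decryption stub. Added example; the sample buffers below are constructed
and stand in for real files."""
import hashlib
import math
import re
from collections import Counter

CHUNK_SIZE = 1024        # assumed window size for the per-region entropy profile
HIGH_ENTROPY = 7.0       # assumed threshold, bits per byte; ciphertext sits near 8.0
PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")   # readable ASCII runs, like `strings`


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Entropy of each fixed-size window. A low-entropy stub followed by an
    encrypted body shows up as a step from ~4-6 bits to ~7.8 bits."""
    return [shannon_entropy(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]


def readable_strings(data: bytes) -> list:
    """Printable ASCII runs of six or more bytes, decoded for display."""
    return [m.decode("ascii") for m in PRINTABLE.findall(data)]


def assess(data: bytes) -> dict:
    """Summarise the profile and give a verdict: if at least half of the
    windows are near-uniform, the bulk of the file is most likely encrypted
    or compressed and only a stub is left in the clear."""
    profile = entropy_profile(data)
    high = sum(1 for e in profile if e >= HIGH_ENTROPY)
    printable = sum(1 for b in data if 0x20 <= b <= 0x7E) / max(len(data), 1)
    verdict = ("likely-encrypted-body"
               if high / max(len(profile), 1) >= 0.5 else "plain")
    return {
        "profile": [round(e, 2) for e in profile],
        "high_entropy_chunks": high,
        "printable_ratio": round(printable, 2),
        "strings": readable_strings(data)[:5],   # first few, for the analyst
        "verdict": verdict,
    }


def pseudo_random_bytes(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic high-entropy filler from a SHA-256 chain. It imitates the
    byte statistics of an encrypted body without any cipher or payload."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed samples (not real files). Both start with a tiny MZ-style header.
SCARE_TEXT = (b"WARNING: 37 threats found on your computer! "
              b"Activate the full version to remove them. ")
PLAIN_SAMPLE = b"MZ" + b"\x00" * 62 + SCARE_TEXT * 60          # readable throughout
STUB = b"MZ" + b"\x00" * 62 + b"decrypt-then-run stub " * 8     # 240 bytes in the clear
ENCRYPTED_SAMPLE = STUB + pseudo_random_bytes(5 * CHUNK_SIZE - len(STUB))

if __name__ == "__main__":
    for name, sample in (("plain", PLAIN_SAMPLE), ("stub+body", ENCRYPTED_SAMPLE)):
        report = assess(sample)
        print(f"{name:10} verdict={report['verdict']:22} "
              f"profile={report['profile']} printable={report['printable_ratio']}")
```

Run stand-alone, the script prints one line per sample; the plain buffer stays around 4 to 5 bits per window, while the constructed stub-plus-body buffer jumps to roughly 7.8 bits after the first window. Against real files the same profile is what a triage analyst looks at before deciding whether to unpack: a high-entropy body with a short low-entropy prefix is the signature of exactly the run-time decryption described by Kaspersky, and the few strings that survive in the prefix are usually the stub's own imports.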

How to protect

Although fake infections do not damage the victims' machines, cyber criminals are using these programs to extort money from novice users. Golovanov advises that a legitimate program designed to combat malware will never first scan a computer and then demand money for activation. “Be aware that you should never pay for a product which does this.”

He urges users to click only on messages from a legitimate AV solution installed on the PC, and ignore any warning messages that pop up randomly while surfing the Internet.
