Fake antivirus software using stolen certificates, typosquatting

Bogus antivirus solutions use stolen security certificates and typosquatting domains to dupe the gullible and bypass malware detection

Malware posing as an antivirus solution relies on a whole bag of tricks to spread unchecked -- and many of those tricks remain in wide circulation, with no end in sight.

An increasingly common trick found in fake antivirus solutions is the use of stolen digital code-signing certificates. With this practice, a cyber criminal can take a rogue application and make it seem like the product of a legitimate software development house.

This issue first came to Microsoft's attention back in 2009, by way of a breed of malware called Win32/Winwebsec. That software sports a stolen set of code-signing credentials, masquerades as a legitimate system protection tool, and constantly interrupts the user with bogus "virus found" warnings. Users are invited to pay a "registration fee" to silence the warnings.

It's generally considered difficult to steal such certificates, since it requires a direct attack on the certificate-issuing authority. But Microsoft's analysis of the certificates used in Win32/Winwebsec and a similar application, Win32/FakePav, indicates that the cyber criminals responsible are constantly stealing new certificates and not simply working from a stockpile of older, easily invalidated ones.

Also, according to Symantec, Microsoft Windows doesn't check often enough for certificate revocations, which makes it easier to get away with using stolen certificates. Even worse, many legitimate antimalware apps assume that the presence of such a certificate means the program is legit; thus the fraudulent apps can bypass malware detection.

Another trick being abused by cyber criminals is typosquatting, the vile practice of registering a slightly misspelled domain name to harvest traffic from those who mistype the URL they meant to visit.

An analysis by consultancy firm High-Tech Bridge showed that among some 385 typosquatting domains that resemble those of top antivirus and security software firms, 164 were designed as moneymaking systems, either by displaying ads or "redirecting users to questionable websites selling illegal or semi-legal products and services." If prospective users don't know what the original website for a given company is meant to look like, it's easy for them to be suckered.

However, the companies in question have purchased around 107 of these typosquatting domains and now redirect visitors to their original, legitimate domains. Visitors to "Kasperski.com," for instance, are now redirected to the legitimate Kaspersky Lab site.

High-Tech Bridge noted that the top domain registrars for registering fraudulent domains were Fabulous.com, GoDaddy.com, and PublicDomainRegistry.com, and the vast majority of the fraudulent sites -- 75 in all -- were hosted in the United States.
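The kind of check a brand-protection or security team can run over newly registered domains, as an added example that is not part of the original article and not High-Tech Bridge's tooling: each candidate is compared with a short, constructed list of vendor domains using Damerau-Levenshtein distance on the second-level label, so one-keystroke misspellings such as "Kasperski.com" and TLD swaps are both flagged.

```python
# Added example: flag candidate domains that look like typosquats of known
# security-vendor domains. KNOWN_BRANDS and the sample candidates below are
# constructed data, not taken from the article or from any vendor's list.

KNOWN_BRANDS = ["kaspersky.com", "symantec.com", "mcafee.com", "avast.com"]


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions,
    substitutions, and swaps of adjacent characters each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def normalize(domain: str) -> str:
    """Lowercase, drop a trailing dot and a leading 'www.' so comparisons are stable."""
    d = domain.strip().lower().rstrip(".")
    return d[4:] if d.startswith("www.") else d


def second_level_label(domain: str) -> str:
    """'kasperski.com' -> 'kasperski'; the part a typo usually lands in."""
    parts = normalize(domain).split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def closest_brand(domain: str, brands=KNOWN_BRANDS, max_distance: int = 2):
    """Return (brand, distance) for the nearest brand within max_distance,
    or None if the domain is a brand's own domain or resembles none of them.
    Distance 0 means the label matches but the TLD differs (e.g. .net for .com)."""
    if normalize(domain) in brands:
        return None
    label, best = second_level_label(domain), None
    for brand in brands:
        dist = damerau_levenshtein(label, second_level_label(brand))
        if dist <= max_distance and (best is None or dist < best[1]):
            best = (brand, dist)
    return best


def flag_typosquats(candidates):
    """Map each suspicious candidate domain to the brand it resembles."""
    hits = {c: closest_brand(c) for c in candidates}
    return {c: hit for c, hit in hits.items() if hit is not None}
```

Feed it a daily zone-file or certificate-transparency feed of new registrations and triage the flagged names by distance; exact-label TLD swaps (distance 0) are the most urgent to review.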

This story, "Fake antivirus software using stolen certificates, typosquatting," was originally published at InfoWorld.com.