Google finds fake anti-virus programs on the rise

A new report says that 15 percent of all malware found on the Web is fake anti-virus software

Fake anti-virus software is becoming more prevalent on the Internet, with its creators using clever methods to fool users into installing the programs, according to a new report from Google.

Google conducted a 13-month study looking at some 240 million Web pages. The company determined that 11,000 of those domains were involved in distributing fake anti-virus programs, and that those kinds of program comprise 15 percent of the malicious software on the Web.

[ Learn how to secure your systems with Roger Grimes' Security Adviser blog and Security Central newsletter, both from InfoWorld. ]

There are thousands of versions of fake anti-virus software, but all work on the premise of falsely telling users their computer has been infected with malware. The programs then badger users to buy the software, which often looks legitimate but has no real functionality.

Security iGuide

"More recent fake AV sites have evolved to use complex JavaScript to mimic the look and feel of the Windows user interface," according to Google's report. "In some cases, the fake AV detects even the operating system version running on the target machine and adjusts its interface to match."

Users are typically asked if they want to clean their machine, which causes the fake program to download. Fake anti-virus usually spreads by social engineering ploys rather than by exploiting software vulnerabilities on the victim's computer, according to Google.

The scammers behind the fake anti-virus software frequently use online advertisements using popular keywords, although Google says it filters those advertised URLs to get rid of malicious ones.

Google will blacklist those domains to warn people, but those developing fake anti-virus software rotate the domains hosting their programs faster than ever to avoid the blocklist.

A domain hosting fake anti-virus software used to serve up the content for up to 100 hours in April 2009, Google said. But that figure fell to below 10 hours in September 2009 and then to less than one hour in January.

"These trends point to domain rotation, a technique that allows attackers to drive traffic to a fixed number of IP addresses through multiple domains," the report said. "This is typically accomplished by setting up a number of landing domains, either as dedicated sites or by infecting legitimate sites, that redirect browsers to an intermediary under the attacker's control."

Google also found that legitimate anti-virus vendors were having more trouble identifying the fake programs due to an increased level of "polymorphism," a technique used to make an application look unique and evade malware scanners.

Fake anti-virus programs haven't escaped scrutiny from regulators. Following a complaint from the U.S. Federal Trade Commission (FTC), a U.S. district court ordered six people and two companies to stop selling fake security products such as WinFixer, Winanti-virus, DriveCleaner, ErrorSafe, and XP anti-virus.

As part of that case, the FTC levied a $1.9 million judgement against James Reno and his Web hosting company, ByteHosting Internet Service of Ohio, but later reduced the judgement to $116,697 in June 2009.

Mobile Security Insider: iOS vs. Android vs. BlackBerry vs. Windows Phone
Recommended
Join the discussion
Be the first to comment on this article. Our Commenting Policies