Rogue AV/AS prolific

[AplusWebMaster]

FYI...

Rogueware growth - 2009 ...
- http://www.darkreading.com/shared/pr...leID=218700073
July 29, 2009 - "All told, 374,000 new versions of rogueware samples were released in this year's second quarter - and that number is expected to nearly double to 637,000 in the third quarter. PandaLabs researchers, who have been tracking the spread of this latest trend in cybercrime, say rogueware is easier for the bad guys than traditional banking Trojan attacks... the numbers have been spiking during the past year:
In the fourth quarter of 2008, PandaLabs found more than 50,000 rogueware samples for a total of 92,000 for the year*. "And there were two times as many in Q2 versus Q1," PandaLabs' Carrons says. "Last year, they were using typical malware distribution channels, with links that were trying to distribute the fake AV. In the second quarter of 2009, we had predicted there would be 220,000 samples [of rogueware], but it turned out to be 374,000." But now social networks, such as Facebook, MySpace, and Twitter, are the latest vehicle for spreading rogueware. Attackers hijack user accounts and go after their friends with a video link... These fake antivirus programs alert victims that they are "infected" and lure them to click and clean their machines; when they do, they are prompted to purchase a license for the phony security application... So the bad guys are now automatically generating new, unique samples that AV engines can't recognize, according to the researchers. PandaLabs found in its research two main tiers in the rogueware business model: the creators, who develop the rogue applications and provide back-office services, such as payment gateways, and the affiliates, who distribute the fake AV. Affiliates are mostly Eastern Europeans..."
* http://www.pandasecurity.com/homeuse...rts#Monographs

Following the Money: Rogue Anti-virus Software
- http://voices.washingtonpost.com/sec...rail_of_r.html
July 31, 2009

[AplusWebMaster]

FYI...

Q2-2009 - $34m in Rogueware per month...
- http://www.theregister.co.uk/2009/08...reware_market/
7 August 2009 - "Fraudsters are making approximately $34m per month through scareware attacks, designed to trick surfers into purchasing rogue security packages supposedly needed to deal with non-existent threats. A new study, The Business of Rogueware*, by Panda Security researchers Luis Corrons and Sean-Paul Correll, found that scareware distributors are successfully infecting 35 million machines a month. Social engineering attacks, often featuring social networking sites, that attempt to trick computer users into sites hosting scareware software have become a frequently used technique for distributing scareware. Tactics include manipulating the search engine rank of pages hosting scareware. Panda reckons that there are 200 different families of rogueware, with more new variants coming on stream all the time... Luis Corrons, PandaLabs' technical director: "By taking advantage of the fear in malware attacks, they prey upon willing buyers of their fake anti-virus software, and are finding more and more ways to get to their victims, especially as popular social networking sites and tools like Facebook and Twitter have become mainstream." In Q2 2009, four times more new strains were created than in the whole of 2008, primarily in a bid to avoid signature-based detection by genuine security packages..."
* http://www.pandasecurity.com/homeuse...rts#Monographs
"... results:
• We predict that we will record more than 637,000 new rogueware samples by the end of Q3 2009, a tenfold increase in less than a year.
• Approximately 35 million computers are newly infected with rogueware each month (approximately 3.50 percent of all computers).
• Cybercriminals are earning approximately $34 million per month through rogueware attacks..."

[AplusWebMaster]

FYI...

Cybercrime Hub in Estonia
- http://blog.trendmicro.com/investiga...ub-in-estonia/
Aug. 26, 2009 - "... this company has been serving as the operational headquarters of a large cybercrime network since 2005. From its office in Tartu (Estonia), employees administer sites that host codec Trojans and command and control (C&C) servers that steer armies of infected computers. The criminal outfit uses a lot of daughter companies that operate in Europe and in the United States. These daughter companies’ names quickly get the heat when they become involved in Internet abuse and other cybercrimes. They disappear after getting bad publicity or when upstream providers terminate their contracts. Some of the larger daughter companies survived up to 5 years, but got dismantled after they lost internet connectivity in a data center in San Francisco, when webhosting company Intercage went dark in September 2008, and when ICANN decided to revoke the company’s domain name registrar accreditation. This caused a major blow to the criminal operation. However, it quickly recovered and moreover immediately started to spread its assets over many different webhosting companies. Today we count about 20 different webhosting providers where the criminal Estonian outfit has its presence. Besides this, the company owns two networks in the United States. We gathered detailed data on the cyber crime ring from Tartu and found that they control every step between driving traffic to sites with Trojans and exploiting infected computers. Even the billing system for fake antivirus software that is being pushed by the company is controlled from Tartu. An astonishing number of 1,800,000 Internet users were exposed to a bogus “you are infected” messages in July 2009 when they tried to access high traffic pornography sites."

(Screenshots available at the URL above.)

[AplusWebMaster]

FYI...

Rogue AV goes Green
- http://securitylabs.websense.com/con...logs/3469.aspx
09.02.2009 - "Given the world's ever-increasing environmental concerns, it’s easy to see why malware authors are monetizing via an eco-friendly strategy. Just as the scare tactics of rogue AVs have already taken their toll, yet another ingenious twist appears - this time resorting to a friendlier, “greener” tone. Green-conscious people, beware! The latest scheme states that, for every fake AV you buy, a donation will be made to an environmental care program. It’s very simple and direct – buy the software and save the planet. Unlike other rogue AV campaigns that offer “free trial versions,” this ploy actually requires the user to buy the malware with a credit card, all the while assuring the user that a donation will be made to a green cause. This social engineering scheme appears to be picking up steam—as stories of fake AV grief from victims posted on the Web continue to pour in." (including search engine poisoning w/links to the rogue software)

(Screenshots available at the URL above.)

[AplusWebMaster]

FYI...

FakeAV for 9/11
- http://blog.trendmicro.com/fakeav-for-september-11/
Sep. 10, 2009 - "As the anniversary of the horrible September 11 attacks in The United States approaches, Trend Micro researchers donned their research coats and waited for the people behind FAKEAV to make their move. Predictably, they did not disappoint. Through SEO poisoning, users searching for any reports related to September 11 may find themselves stacked with Google search results that lead to a rogue AV malware... several malicious Web sites that can all be found in the poisoned Google search results... The people behind FAKEAV still show no sign of slowing down. With the holiday season coming up, users are also advised to refrain from visiting unknown sites returned in Search Engine results and rely on reputable news agencies instead."
(Screenshot available at the URL above.)

- http://www.sophos.com/blogs/gc/g/200...rs-exploit-911
September 11, 2009

[AplusWebMaster]

FYI...

NY Times pushes Fake AV malvertisement
- http://countermeasures.trendmicro.eu...alvertisement/
Sep. 14, 2009 - "...the New York Times issued a warning over Twitter and also on the front page of the web site. The newspaper advised visitors that they had had reports from “some NYTimes .com readers” relating to a malicious pop-up window while browsing the site... In the warning, the influential newspaper stated their belief that the pop-ups were the result of an “unauthorised advertisement”... it looks as though the problem may have been ongoing for upwards of 24 hours. The pop-up window itself... was the all-too-familiar sight of rogue antivirus software informing the NYTimes reader that their computer is infected with random, spurious, non-existent malware and promising “Full System Cleanup” for a fee of course... The malicious software being punted in this case, is the same as we were seeing in much of the black-hat SEO around the 9/11 attacks, as reported previously on the TrendLabs malware blog*. In this particular example, the malicious site and sofware is being hosted by a German provider, Hetzner AG, which has a colourful track record when it comes to spewing dodgy content, having hosted literally hundreds of malicious URLS. Here’s a really simple tip to remember. If you *ever* see a pop-up windows that arrives uninvited, telling you your PC is infected, ignore it, it is a scam. Close the window, empty your browser cache... UPDATE: Troy Davis was fortunate enough to be able to examine the attack in real-time and provides an excellent code level analysis here**".

* http://blog.trendmicro.com/fakeav-for-september-11/

** http://troy.yort.com/anatomy-of-a-ma...on-nytimes-com

[AplusWebMaster]

FYI...

Fake A/V hacks for another celebrity death...
- http://www.sophos.com/blogs/gc/g/200...eware-hackers/
September 15, 2009 - "Patrick Swayze, the star of movies such as "Dirty Dancing" and "Ghost", has died after fighting cancer of the pancreas for two years. Although the entertainment world mourns his loss, heartless hackers are taking advantage of the hot news story by creating malicious webpages that lead to fake anti-virus (also known as scareware) alerts... This is the same tactic used by cybercriminals after the death of Natasha Richardson and when they exploited interest amongst the public in the anniversary of the 9/11 terrorist attack last week. Clearly the cybercriminals are no slackers when it comes to jumping on a trending internet topic, and are more professional than ever before in spreading their fake anti-virus scams..."

[AplusWebMaster]

FYI...

Rogue Anti-Virus SEO Poisoning...
- http://securitylabs.websense.com/con...logs/3479.aspx
09.16.2008 - "SEO poisoning is fast becoming a trend in spreading rogue anti-virus software. This type of attack coupled with relevant news items that might be of interest to users from all walks of life is a lethal combination. Search terms related to the recent MTV Video Music Awards brouhaha and President Obama’s off-the-record comments about Kanye West, as well as updates on murdered Yale graduate student Annie Le, are the latest targets... Upon visiting these search results, visitors would be presented with the standard fake / rogue AV Web site. To make matters worse, (real) anti-virus have very poor detection rates..."

- http://www.virustotal.com/analisis/5...896-1253125434
File setup_build6_195.exe received on 2009.09.16 18:23:54 (UTC)
Result: 1/41 (2.44%)

- http://www.virustotal.com/analisis/5...10e-1253125440
File Soft_71.exe received on 2009.09.16 18:24:00 (UTC)
Result: 3/41 (7.32%)

(Screenshots of the fake AV Web site, as led to by the search engine, available at the Websense URL above.)

- http://isc.sans.org/diary.html?storyid=7144
Last Updated: 2009-09-17 07:36:18 UTC

[AplusWebMaster]

FYI...

Fake Twitter accounts for Fake AV
- http://www.f-secure.com/weblog/archives/00001773.html
September 20, 2009 - "We're seeing more and more fake Twitter accounts being auto-generated by the bad boys. The profiles look real. They have variable account and user names (often German) and different locations (US cities). They even upload different Twitter wallpapers automatically... All the tweets sent by these accounts are auto-generated, either by picking up keywords from Twitter trends or by repeating real tweets sent by humans. And where do all the links eventually end up to? Of course, they lead to fake websites trying to scare you into purchasing a product you don't need..."

(Screenshots available at the URL above.)

- http://www.sophos.com/blogs/gc/g/200...ttack-twitter/
September 21, 2009

[AplusWebMaster]

FYI...

Fake Malwarebytes - Bogus Sponsored Link Leads to FAKEAV
- http://blog.trendmicro.com/bogus-spo...ads-to-fakeav/
Sep. 24, 2009 - "Apart from SEO poisoning, cybercriminals have found another avenue to proliferate FAKEAV malware - bogus sponsored links (sitio patrocinados in Spanish). Just recently, Trend Micro researchers were alerted to malicious search engine ads that appeared in Microsoft’s Bing and AltaVista, among others, when a user searches the string “malwarebytes.” (Malwarebytes is a free antivirus product, but of course, not a FakeAV.) Clicking the malicious URL points the user to an executable file named MalwareRemovalBot.exe-1 (detected by Trend Micro as TROJ_FAKEAV.DMZ). Upon execution, the rogue antivirus displays false information that the system is infected with files that do not even exist... In the past, cybercriminals employed the same tactic when it hitchhiked on Trend Micro. Some Google searches then showed banner ads that led to a fraudulent Trend Micro website. Though the ads may not appear in all regions, all users are still strongly advised to be extra careful when clicking links in search engines..."

(Screenshots available at the URL above.)