Fake anti-virus programs set to rule the roost

The phenomenon of fake anti-virus (AV) software is growing at such a pace that it could grow to eclipse all other types of malicious software, one security company has suggested.

The Business of Rogueware, the latest threat report from PandaLabs, the research wing of Spanish AV company Panda Security, contains the usual round of statistics on malware growth found in all such vendor reports, but it is the section on rogue anti-virus that should make PC users sit up and pay attention.

In the first quarter of 2009, the company detected more bogus anti-virus files or variants than in the whole of 2008, 111,000 in total. Unconfirmed second quarter figures show that this rose during the second quarter to 374,000. This rise accords with similar statistics published last week by rival Sophos, which said that it was now detecting 15 new bogus AV sites a day, compared to five a day in the latter half of 2008.

PandaLabs is now predicting that this will rise to 637,000 over the course of 2009, a tenfold increase over 2008, infecting as many as 30 million PCs each month.

According to both companies, the sudden popularity of the scam is part technical, part economic.

Technically, rogue AV is often hard to detect because the software is essentially a confidence trick. The rogue program convinces the user that they are infected with malware when they are not, and the user agrees to install the software to remove the non-existent threat. The user willingly hands over anywhere between $29 and $79, without the bogus software having to do anything that would cause an anti-virus program to intervene.

Although some versions do also integrate detectible malware behaviour, the criminals have invested in enough server-side ‘polymorphism' - the practice of creating large numbers of executables of different sizes - to make detection the usual tiring war of attrition. In other cases, the rogue AV installs after a separate malware infection, which embeds the fake security warnings on the user's PC.

It also looks as if this years has seen the criminals perfecting their business model, assembling distribution channels with plenty of incentives to get the software on to the PCs of the average user. According to Panda labs, one affiliate of a bogus AV creation outfit they surveyed was estimated to be making as much as $87,000 in commission during a single week.

"The criminals are even using legitimate payment gateways," said Luis Corrons, head of PandaLabs. "In the end, we are not winning this battle with the bad guys."

Graham Cluley of Sophos recommends that users resolve not to buy any software from the web without first researching the company behind the code, for example, by looking up the domain through Whois.

It is also possible to check a vendor using public whitelists such as that held by the recently-formed Common Computing Security Standard Forum (CCSS), but in Cluley's view this approach has a fatal weakness. "I've seen fake AV companies claiming to be Kaspersky or Symantec." In other words, criminals are hijacking legitimate anti-virus brands to make the sale easier.