Fake antivirus overwhelming scanners
Criminals look for easy money
By John Dunn | Techworld | Published: 15:25, 01 October 2009
Fake antivirus programs are multiplying at such a rate they could start to overwhelm the detection capabilities of signature-based scanners, the latest figures from the Anti-Phishing Working Group (APWG) have hinted.
Rogue or bogus programs passing themselves off as real antivirus software have been one of the malware themes of 2009, but the APWG's numbers for the first half of the year show that the organisation's members detected 485,000 samples, more than five times the total for the whole of 2008.
The reason for the growth in numbers is what is known in technical terminology as ‘polymorphism', an old defence technique which involves changing the binary checksum of every copy (or download) of a piece of malware. This makes it much more difficult for antivirus programs to detect the programs.
Related Articles on Techworld
"The primary reason for the creation of so many variants is to avoid signature-based detection by legitimate antivirus programs," says PandaLabs' director and APWG member, Luis Corrons in the report. "The use of behavioural analysis is of limited use in this type of malware because the programs themselves do not act maliciously on computers, other than displaying false information."
The figures themselves are the good news because each statistic is, by definition, a detected sample. But these are likely to be only a percentage of the true picture. Fake antivirus software can be hard to catch using heuristics because they are often willingly installed by users who think the programs to be genuine, bypassing systems such as Vista's User Account Control (UAC).
Elsewhere in the report, the APWG reports a 66 percent increase in infected PCs in Q2 of 2009 form the same period on 2008, to a total of 11.9 million, and over the half the total number scanned. This total includes all types of malware and fake AV will only be a small portion of that, but it demonstrates the scale of the problem. Large numbers of PCs are getting infected either because users have no protection or that software is unable to cope with new malware.
Banking and password-stealing Trojans accounted for 16.6 percent of infected PCs during the first half of 2009, downloading Trojans 4.2 percent.
According to Corrons, the rogueware business is controlled by up to 200 gangs globally, but 78 percent of the business could be in the hands of a top ten criminal entities.
The APWG report for January to June 2009 can be downloaded from the organisation's website.