Microsoft Ups The Ante In Fight Against Rogue Antivirus

As the prevalence of rogue antivirus attacks intensifies, Microsoft takes legal action against 'malvertisers'

Microsoft has taken a hard line on malicious online advertisers -- also known as "malvertisers" -- by filing five lawsuits against the suspected fraudsters in what the software giant claims are the first-ever legal moves against malvertising. The software giant's suits came on the heels of a rogue antivirus attack on the high-profile New York Times' Website, where what was purported to be a Vonage ad on the Grey Lady turned out to be malware that served readers fake warnings that their computers were infected, along with a link to "antivirus software" they must purchase to clean them up.

This type of rogueware is becoming more efficient and lucrative, and cybercriminals are pumping out new versions at a rapid-fire pace. According to recent research by PandaLabs, 374,000 new rogueware samples were released in this year's second quarter -- and that number is expected to nearly double to 637,000 by the end of the third quarter. PandaLabs also estimates that rogueware is now making the bad guys in excess of $400 million a year.

But can legal action really curb rogue AV and malvertising, especially if the perpetrators are hiding behind phony company names and aliases?

"Honestly, I don't expect it to slow down cybercriminals all that much. If they were scared, they wouldn't be creating and distributing the malware for profit," says Sean-Paul Correll, threat researcher & security evangelist for Panda. "It's definitely going to be an uphill battle for Microsoft and any future litigation seekers."

Microsoft isn't deterred, however. "Although we don't yet know the names of the specific individuals behind these acts, we are filing these cases to help uncover the people responsible and prevent them from continuing their exploits," blogged Microsoft's associate general counsel Tim Cranton late last week. "The lawsuits allege that individuals using the business names 'Soft Solutions,' 'Direct Ad,' 'qiweroqw.com,' 'ITmeter INC.,' and 'ote2008.info' used malvertisements to distribute malicious software or present deceptive websites that peddled scareware to unsuspecting Internet users."

The software vendor filed its lawsuits in King County Superior Court in Seattle, and is seeking damages and injunctions due to "unjust enrichment and for intentional interference with contractual relationships and business expectancies," Microsoft wrote in its legal filings.

Microsoft says its own investigators have uncovered "a number of leads" that could be used to subpoena service providers, companies, or people with knowledge of the real identities of the fraudsters.

Some rogue AV programs even "clean" a victim's machine so that they appear legitimate, at least until the victim's credit-card transaction goes through, according to PandaLabs. And the bad guys are automatically generating new, unique samples of this code that AV engines won't recognize. The distributors of these applications are typically in Eastern Europe and can make commissions of 50 to 90 percent, according to researchers.

Researchers at Click Forensics, meanwhile, are drawing a connection between The New York Times' rogueware and the so-called "Bahama Botnet." In a blog posting last week, Click Forensics researchers said the NYTimes.com scam phoned back to a phony "Windows protection" domain with the same IP address as a computer associated with the botnet, as well as a similar Ukrainian scam.

"Visitors to the NYTimes.com site were greeted with a pop-up informing them their computer was infected and directed to an authentic-looking site where they could install a program called Personal Antivirus. Users duped into purchasing this phony software were then infected with a Trojan that gave control of their computer to an unknown third party that we now know to be part of a gang in the Ukraine," according to Click Forensics.

A Microsoft spokesperson says the New York Times incident underscores that "this kind of threat is not limited to Microsoft networks," but to everyone who relies on online advertising.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.
