Microsoft Ups The Ante In Fight Against Rogue Antivirus

As the prevalence of rogue antivirus attacks intensifies, Microsoft takes legal action against 'malvertisers'

Microsoft has taken a hard line on malicious online advertisers -- also known as "malvertisers" -- by filing five lawsuits against the suspected fraudsters in what the software giant claims are the first-ever legal moves against malvertising. The suits came on the heels of a rogue antivirus attack on the high-profile New York Times Website, where what purported to be a Vonage ad on the Grey Lady turned out to be malware that served readers fake warnings that their computers were infected, along with a link to "antivirus software" they supposedly had to purchase to clean them up.

This type of rogueware is becoming more efficient and lucrative, and cybercriminals are pumping out new versions in rapid succession. According to recent research by PandaLabs, 374,000 new rogueware samples appeared in this year's second quarter -- a number expected to nearly double, to 637,000, by the end of the third quarter. PandaLabs also estimates that rogueware is now earning the bad guys in excess of $400 million a year.

But can legal action really curb rogue AV and malvertising, especially if the perpetrators are hiding behind phony company names and aliases?

"Honestly, I don't expect it to slow down cybercriminals all that much. If they were scared, they wouldn't be creating and distributing the malware for profit," says Sean-Paul Correll, threat researcher & security evangelist for Panda. "It's definitely going to be an uphill battle for Microsoft and any future litigation seekers."

Microsoft isn't deterred, however. "Although we don't yet know the names of the specific individuals behind these acts, we are filing these cases to help uncover the people responsible and prevent them from continuing their exploits," blogged Microsoft's associate general counsel Tim Cranton late last week. "The lawsuits allege that individuals using the business names 'Soft Solutions,' 'Direct Ad,' 'qiweroqw.com,' 'ITmeter INC.,' and 'ote2008.info' used malvertisements to distribute malicious software or present deceptive websites that peddled scareware to unsuspecting Internet users."

The software vendor filed its lawsuits in King County Superior Court in Seattle and is seeking damages and injunctions for "unjust enrichment and for intentional interference with contractual relationships and business expectancies," Microsoft wrote in its legal filings.

Microsoft says its own investigators have uncovered "a number of leads" that could be used to subpoena service providers, companies, or people with knowledge of the real identities of the fraudsters.

Some rogue AV programs even "clean" a victim's machine so that the software appears legitimate, at least until the victim's credit-card transaction goes through, according to PandaLabs. And the bad guys are automatically generating new, unique samples of this code that AV engines won't recognize. The distributors of these applications are typically in Eastern Europe and can earn commissions of 50 to 90 percent, according to researchers.

Researchers at Click Forensics, meanwhile, are drawing a connection between The New York Times' rogueware and the so-called "Bahama Botnet." In a blog posting last week, Click Forensics researchers said the NYTimes.com scam phoned back to a phony "Windows protection" domain with the same IP address as a computer associated with the botnet, as well as a similar Ukrainian scam.
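The link Click Forensics drew -- a scam domain resolving to the same IP address as a host already tied to the botnet -- is a standard infrastructure pivot: treat domains and IPs as a bipartite graph and walk it from a known-bad seed. The following is an added example and is not code from the article, Click Forensics, or Microsoft. Every domain and IP address in it is a constructed placeholder (`.example` names and RFC 5737 documentation addresses), because the article does not name the actual hosts; `build_graph`, `pivot` and `shared_ips` are illustrative names, and the fan-out threshold is an assumption about how to keep shared hosting from producing false links.

```python
"""Infrastructure pivot on shared IP addresses.

Added example, not code from Dark Reading, Click Forensics or Microsoft.
All domains and IPs are constructed placeholders (.example names, RFC 5737
documentation ranges); the real NYTimes.com indicators are not named in the
article and are not reproduced here.
"""
from collections import defaultdict

# Constructed passive-DNS style observations: (domain, resolved_ip).
OBSERVATIONS = [
    ("ad-serving.example", "198.51.100.10"),        # legitimate ad host, unrelated
    ("news-site.example", "198.51.100.20"),         # legitimate publisher, unrelated
    ("windows-protection.example", "203.0.113.7"),  # fake "Windows protection" host
    ("personal-antivirus.example", "203.0.113.7"),  # scareware storefront, same IP
    ("bahama-c2.example", "203.0.113.7"),           # botnet controller, same IP
    ("bahama-c2.example", "203.0.113.8"),           # controller also seen on a second IP
    ("ua-scam.example", "203.0.113.8"),             # other scam sharing that second IP
    ("personal-antivirus.example", "192.0.2.50"),   # storefront also on a shared host
    ("blog-a.example", "192.0.2.50"),               # unrelated tenants of that host
    ("blog-b.example", "192.0.2.50"),
    ("shop-c.example", "192.0.2.50"),
]


def build_graph(observations):
    """Bipartite adjacency: domain -> {ips} and ip -> {domains}."""
    dom_to_ip = defaultdict(set)
    ip_to_dom = defaultdict(set)
    for domain, ip in observations:
        dom_to_ip[domain].add(ip)
        ip_to_dom[ip].add(domain)
    return dom_to_ip, ip_to_dom


def pivot(observations, seed, max_hops=None, max_fanout=None):
    """Return every domain reachable from `seed` via shared IPs.

    One hop is domain -> ip -> domain.  `max_hops` bounds the transitive
    expansion; `max_fanout` skips any IP hosting more than that many domains,
    the usual guard against shared hosting or a CDN dragging in unrelated
    tenants (threshold is an assumption, tune it to your data).
    """
    dom_to_ip, ip_to_dom = build_graph(observations)
    seen = {seed}
    frontier = {seed}
    hops = 0
    while frontier and (max_hops is None or hops < max_hops):
        nxt = set()
        for domain in frontier:
            for ip in dom_to_ip[domain]:
                if max_fanout is not None and len(ip_to_dom[ip]) > max_fanout:
                    continue  # crowded IP, not evidence of shared operator
                for other in ip_to_dom[ip]:
                    if other not in seen:
                        seen.add(other)
                        nxt.add(other)
        frontier = nxt
        hops += 1
    seen.discard(seed)
    return seen


def shared_ips(observations, a, b):
    """IPs on which both domains have been observed (the direct evidence)."""
    dom_to_ip, _ = build_graph(observations)
    return dom_to_ip[a] & dom_to_ip[b]


if __name__ == "__main__":
    seed = "windows-protection.example"
    print("direct neighbours:", sorted(pivot(OBSERVATIONS, seed, max_hops=1)))
    print("transitive, fan-out capped:",
          sorted(pivot(OBSERVATIONS, seed, max_fanout=3)))
    print("shared with bahama-c2:",
          sorted(shared_ips(OBSERVATIONS, seed, "bahama-c2.example")))
```

With the fan-out cap the walk links the fake "Windows protection" host to the storefront, the controller and the second scam, but not to the unrelated tenants of the shared hosting IP; without the cap it pulls those in too, which is the false-positive mode to watch for when pivoting on IP alone.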

"Visitors to the NYTimes.com site were greeted with a pop-up informing them their computer was infected and directed to an authentic-looking site where they could install a program called Personal Antivirus. Users duped into purchasing this phony software were then infected with a Trojan that gave control of their computer to an unknown third party that we now know to be part of a gang in the Ukraine," according to Click Forensics.

A Microsoft spokesperson says the New York Times incident underscores that "this kind of threat is not limited to Microsoft networks," but affects everyone who relies on online advertising.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
