
Vulnerabilities / Threats

8/13/2009
10:33 AM
Dark Reading
Products and Releases

PandaLabs: 35 Million Computers Infected With Rogueware Each Month

Rogueware is being distributed through Facebook, MySpace, Twitter, Digg, and targeted blackhat SEO attacks

London, August 13, 2009: PandaLabs, Panda Security's malware analysis and detection laboratory, announces the general availability of a multi-year study that examines the proliferation of rogueware into the overall cybercriminal economy. The report, "The Business of Rogueware," by PandaLabs researchers Luis Corrons and Sean-Paul Correll, reviews the various forms of rogueware that have been created and shows how this new class of malware has become an instrumental player in the overall cybercriminal economy. The study also provides in-depth analysis of the increasingly sophisticated social engineering techniques used by cybercriminals to distribute rogueware via Facebook, MySpace, Twitter and Google.

Rogueware consists of any kind of fake software solution that attempts to steal money from PC users by luring them into paying to remove nonexistent threats. PandaLabs predicts that it will record more than 637,000 new rogueware samples by the end of Q3 2009, a tenfold increase in less than a year.

Approximately 35 million computers are newly infected with rogueware each month (approximately 3.50 percent of all computers), and cybercriminals are earning approximately $34 million per month through rogueware attacks.

In early 2009 social media sites, such as Facebook, MySpace, Twitter, and Digg, became large targets for rogueware distributors. The top five social media attacks involving rogueware are:

  • SEO attack against Ford Motor Company
  • Comments on Digg.com leading to rogueware
  • Twitter trending topics lead to rogueware
  • Rogueware exploits WordPress vulnerability to facilitate Blackhat SEO attack
  • Koobface moves to Twitter

"Rogueware is so popular among cybercriminals primarily because they do not need to steal users' personal information like passwords or account numbers in order to profit from their victims," said Luis Corrons, PandaLabs Technical Director. "By taking advantage of the fear in malware attacks, they prey upon willing buyers of their fake anti-virus software, and are finding more and more ways to get to their victims, especially as popular social networking sites and tools like Facebook and Twitter have become mainstream."

Rogueware Morphs Quickly and Proves Difficult to Detect

There are approximately 200 different families of rogueware, and PandaLabs expects the number of variations to continue to grow. In the first quarter of 2009 alone, more new strains were created than in all of 2008. The second quarter painted an even bleaker picture, with the emergence of four times as many samples as in all of 2008. For Q3 2009, PandaLabs estimates a rogueware total greater than the previous eighteen months combined.

The primary reason for the creation of so many variants is to avoid signature-based detection by (legitimate) antivirus programs. Behavioral analysis, which works well against worms and Trojans, is of limited use against this type of malware because the programs themselves do not act maliciously on the computer beyond displaying false information. However, PandaLabs has started to identify more advanced variants that use typical Trojan features, rootkits and other techniques to subvert virus detection technologies.

How the Rogueware Business Works and Tracking the Source

The report details how the rogueware business works. Not unlike a traditional business, the rogueware business model consists of two major parts: program creators and distributors (affiliates). The creators are in charge of making the rogue applications and providing the distribution platforms, payment gateways and other back-office services. The affiliates are in charge of distributing the scareware to as many people, and as quickly, as possible.

PandaLabs' research reveals that the affiliates are mostly Eastern Europeans recruited from underground hacking forums. They earn a variable amount per install and commissions of between 50 and 90 percent on completed sales. The PandaLabs report includes financial statements and photos from events hosted by the leaders of these organizations, which are not dissimilar to corporate sales events.

To read the full report, go to: http://www.pandasecurity.com/img/enc/The%20Business%20of%20Rogueware.pdf?sitepanda=particulares

For real-time updates on PandaLabs research, follow @Panda_Security, @Luis_Corrons and @lithium on Twitter.

About PandaLabs

Since 1990, its mission has been to detect and eliminate new threats as rapidly as possible to offer our clients maximum security. To do so, PandaLabs has an innovative automated system that analyzes and classifies thousands of new samples a day and returns automatic verdicts (malware or goodware). This system is the basis of Collective Intelligence, Panda Security's new security model, which can even detect malware that has evaded other security solutions.

Currently, 94% of malware detected by PandaLabs is analyzed through this system of Collective Intelligence. This is complemented by the work of several teams, each specialized in a specific type of malware (viruses, worms, Trojans, spyware, phishing, spam, etc.), who work 24/7 to provide global coverage. This translates into more secure, simpler and more resource-friendly solutions for clients. More information is available on the PandaLabs blog: http://www.pandalabs.com

For more information:

Neil Martin, [email protected], Tel. 0870 243 0690
