Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


07:35 AM
Connect Directly

Rogueware On A Roll: 640,000 New Variants Of Fake AV In Q3

PandaLabs researchers say fake antivirus distributors are ramping up production of new versions of their rogueware to evade detection

With rogueware more efficient and lucrative than ever before, cybercriminals are pumping out new versions in rapid-fire, according to new research that will be released today in conjunction with Black Hat USA. All told, 374,000 new versions of rogueware samples were released in this year's second quarter -- and that number is expected to nearly double to 637,000 in the third quarter.

PandaLabs researchers, who have been tracking the spread of this latest trend in cybercrime, say rogueware is easier for the bad guys than traditional banking Trojan attacks. "It lets them obtain a lot of money with less effort," says Luis Corrons, technical director of PandaLabs, who will present Panda's new findings at the conference, also in Las Vegas this week. "With [banking] Trojans, they need to hire a professional programmer to develop a Trojan that targets customers of certain banks, then you have to have it deployed...They are diversifying the business [with rogueware infections]."

Corrons says rogueware is now making the bad guys in excess of $400 million a year.

Bilking $50 or so from an unsuspecting user who thinks the rogueware is real antivirus software is "like taking candy from a baby," says Sean-Paul Correll, threat researcher and security evangelist for PandaLabs. In fact, the numbers have been spiking during the past year: In the fourth quarter of 2008, PandaLabs found more than 50,000 rogueware samples for a total of 92,000 for the year.

"And there were two times as many in Q2 versus Q1," PandaLabs' Corrons says. "Last year, they were using typical malware distribution channels, with links that were trying to distribute the fake AV. In the second quarter of 2009, we had predicted there would be 220,000 samples [of rogueware], but it turned out to be 374,000."

But now social networks, such as Facebook, MySpace, and Twitter, are the latest vehicle for spreading rogueware. Attackers hijack user accounts and go after their friends with a video link (think Erin Andrews) purportedly from a"friend," for instance. "They had been using a lot of banking Trojans and trying to commit identity theft, but in the last year it has been all about rogueware," Carrons says.

These fake antivirus programs alert victims that they are "infected" and lure them to click and clean their machines; when they do, they are prompted to purchase a license for the phony security application. Many of these "applications" now even "clean" the victim's machine so it appears legit in order to buy some time while the credit card transaction goes through, according to PandaLabs.

"The barrier here is that you eventually have real AV detecting them as a virus," Correll says, thus forcing attackers to crank out new samples quickly to evade detection. "It's a bit of a cat-and-mouse game."

So the bad guys are now automatically generating new, unique samples that AV engines can't recognize, according to the researchers.

PandaLabs found in its research two main tiers in the rogueware business model: the creators, who develop the rogue applications and provide back-office services, such as payment gateways, and the affiliates, who distribute the fake AV. Affiliates are mostly Eastern Europeans, and they earn anywhere from 50 to 90 percent commission on successful sales.

Joe Stewart, director of malware research for SecureWorks, found that an affiliate who sells the so-called Antivirus XP 2008 (and now 2009) gets a 58 to 90 percent commission on sales of the around $50 package, pulling in more than $5 million, according to research he released last fall.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-21
** DISPUTED ** Manuskript through 0.12.0 allows remote attackers to execute arbitrary code via a crafted settings.pickle file in a project file, because there is insecure deserialization via the pickle.load() function in settings.py. NOTE: the vendor's position is that the product is not intended fo...
PUBLISHED: 2021-06-21
Joomla! Core is prone to a vulnerability that lets attackers upload arbitrary files because the application fails to properly verify user-supplied input. An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the webserver process. This may facilitate unauth...
PUBLISHED: 2021-06-21
Joomla! Core is prone to a session fixation vulnerability. An attacker may leverage this issue to hijack an arbitrary session and gain access to sensitive information, which may help in launching further attacks. Joomla! Core versions 1.5.x ranging from 1.5.0 and up to and including 1.5.15 are vulne...
PUBLISHED: 2021-06-21
Joomla! Core is prone to a security bypass vulnerability. Exploiting this issue may allow attackers to perform otherwise restricted actions and subsequently retrieve password reset tokens from the database through an already existing SQL injection vector. Joomla! Core versions 1.5.x ranging from 1.5...
PUBLISHED: 2021-06-21
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.