Rogueware On A Roll: 640,000 New Variants Of Fake AV In Q3

With rogueware more efficient and lucrative than ever before, cybercriminals are pumping out new versions in rapid-fire, according to new research that will be released today in conjunction with Black Hat USA. All told, 374,000 new versions of rogueware samples were released in this year's second quarter -- and that number is expected to nearly double to 637,000 in the third quarter.

PandaLabs researchers, who have been tracking the spread of this latest trend in cybercrime, say rogueware is easier for the bad guys than traditional banking Trojan attacks. "It lets them obtain a lot of money with less effort," says Luis Corrons, technical director of PandaLabs, who will present Panda's new findings at the conference, also in Las Vegas this week. "With [banking] Trojans, they need to hire a professional programmer to develop a Trojan that targets customers of certain banks, then you have to have it deployed...They are diversifying the business [with rogueware infections]."

Corrons says rogueware is now making the bad guys in excess of $400 million a year.

Bilking $50 or so from an unsuspecting user who thinks the rogueware is real antivirus software is "like taking candy from a baby," says Sean-Paul Correll, threat researcher and security evangelist for PandaLabs. In fact, the numbers have been spiking during the past year: In the fourth quarter of 2008, PandaLabs found more than 50,000 rogueware samples for a total of 92,000 for the year.

"And there were two times as many in Q2 versus Q1," PandaLabs' Corrons says. "Last year, they were using typical malware distribution channels, with links that were trying to distribute the fake AV. In the second quarter of 2009, we had predicted there would be 220,000 samples [of rogueware], but it turned out to be 374,000."

But now social networks, such as Facebook, MySpace, and Twitter, are the latest vehicle for spreading rogueware. Attackers hijack user accounts and go after their friends with a video link (think Erin Andrews) purportedly from a"friend," for instance. "They had been using a lot of banking Trojans and trying to commit identity theft, but in the last year it has been all about rogueware," Carrons says.

These fake antivirus programs alert victims that they are "infected" and lure them to click and clean their machines; when they do, they are prompted to purchase a license for the phony security application. Many of these "applications" now even "clean" the victim's machine so it appears legit in order to buy some time while the credit card transaction goes through, according to PandaLabs.

"The barrier here is that you eventually have real AV detecting them as a virus," Correll says, thus forcing attackers to crank out new samples quickly to evade detection. "It's a bit of a cat-and-mouse game."

So the bad guys are now automatically generating new, unique samples that AV engines can't recognize, according to the researchers.

PandaLabs found in its research two main tiers in the rogueware business model: the creators, who develop the rogue applications and provide back-office services, such as payment gateways, and the affiliates, who distribute the fake AV. Affiliates are mostly Eastern Europeans, and they earn anywhere from 50 to 90 percent commission on successful sales.

Joe Stewart, director of malware research for SecureWorks, found that an affiliate who sells the so-called Antivirus XP 2008 (and now 2009) gets a 58 to 90 percent commission on sales of the around $50 package, pulling in more than $5 million, according to research he released last fall.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.