Is Your Anti-Virus Software Legit?

Rogue software attacks increasing, say security researchers

November 2008

For Windows users, it can be an unfamiliar, but believable prompt—“Antivirus 2009,” a program whose pop-up windows warn of security threats to a computer, and conveniently offer the solution to eliminate them. In some cases, the seemingly benevolent program even detects multiple intrusions, with the purported results displayed on an interface connected to a “full system scan:” Spyware is stealing your passwords. A “dialer” is loading up your desktop with pornography.

In each case, the goal remains the same: to get you to click on a button to “remove” the threats, “protect” your PC, and—this is the part they don’t tell you—rip you off and even steal your identity by sending you to a page where you input personal and financial data in order to purchase the bogus anti-virus product. “There’s a simple rule of thumb that applies here,” says David Perry, global director of education for Trend Micro. “If something is claiming ‘you have a virus and we’re going to fix it’—if it comes out of the blue and says you have a virus, and you’ve never heard of them before, they are a hundred percent fake.”

Rogue anti-spyware programs like “Antivirus 2009” are on the rise, security experts warn. Panda Security, a software company headquartered in Bilbao, Spain, puts the number of affected computers somewhere around 30 million (an extrapolation based on the percentage of computers Panda identified through their free online scanner as having been infected—3 percent of 2 million—and the number of known computers worldwide, which is approximately 1 billion, according to Forrester Research.) Admittedly imperfect, Panda’s estimation likely understates the problem if all historic cases of fake anti-virus attacks are taken into consideration, says Trend Micro’s Perry.
   
The bogus programs make their way onto a victim’s computer via attachments on spam e-mails, blog postings, instant messenger platforms and more. While some fake anti-virus “brands” like Antivirus 2009 are little more than products of the criminal imagination, others mimic well-known security vendors like Trend, Symantec or McAfee. In certain cases, the programs display errors that appear to be coming from Windows itself, according to Ryan Sherstobitoff, Panda’s chief corporate evangelist.

“I’ve seen variants where it actually modifies something in the ‘Start’ tray, for example, and you start getting these pop up messages saying “new Trojan detected,” Sherstobitoff says. “Or when you log in, it starts modifying the login screen or desktop or web pages. It tries to get your attention to say you’re infected.”
   
The criminals’ goal, according to both the Trend and Panda researchers, is to coax people into paying $50, $60 or $70—through a credit card number or PayPal—for what they think is an anti-virus solution. “In fact, it’s generating profits for the cyber-criminal,” says Sherstobitoff. “It’s only a nominal amount of money. It’s not taking a grand or ten grand out of people’s pockets….By the time the end user realizes they’ve been duped, it’s too late.” That is, the criminals have already disconnected the PayPal account and moved to their next target. “Most of this stuff is about robbing from you right in the here and now,” Perry agrees. Nevertheless, some particularly brazen fake anti-virus programs are designed to prompt users to renew after thirty days, according to Sherstobitoff.
As troublesome as the financial loss may be, fake anti-virus attacks can lead to residual identity theft-related problems, as criminals use the attacks to obtain personal or financial information. Even e-mail addresses obtained from unsuspecting marks can have value in the black market, says Jamz Yaneza, Trend’s threat research manager. “Spamming is another big business.”
 
Perry says he meets a fake anti-virus attack victim at least “once a week.” Even at a recent family gathering, Perry says, somebody came up and teased him about an anti-malware program he’d recently acquired. He said it installed “way faster” than a product he’d purchased from Trend. “I gave him my business card and sent him…to our tech support,” Perry said. “Eventually, we were able to remove [it].”
Anti-virus vendors aren’t the only software providers that have been imitated by online criminals, Perry says. He’s seen malicious attacks disguised as updates for Flash or Adobe Acrobat. “They’re attacking every possible sector, but there seems to be a peculiar irony to attacking rogue anti-malware,” Perry says.

Yaneza agrees. “Anti-virus, anti-malware—any type of security on your computer is a must, a baseline. I think that’s a reason people get caught up in the predicament of installing this.”
 
As with other types of crime, the frequency of such online scams is expected to rise as legitimate markets lose steam in the ailing economy. “It’s a new way for cyber-criminals to actually make a buck in tough economic times,” says Sherstobitoff.
   
Fortunately for consumers, a little awareness can go a long way in preventing losses from a fake anti-virus attack. “No company out there puts out a service like that— where it will automatically install and tell you something’s wrong,” says Yaneza. “Like all the cyber-crime we see, this is just a reflection of a regular old con game from another century,” says Perry. “It is, in fact, old wine in a new bottle.”