[ISN] Rogue anti-virus takes off

From: InfoSec News <alerts (at) infosecnews.org>
Date: Fri Dec 11 2009 - 04:19:40 CST


Forwarded from: Simon Taplin <simon.taplin (at) gmail.com>

http://www.itweb.co.za/index.php?option=com_content&view=article&id=28736

By Kirsten Doyle
ITWeb portals editor
8 Dec 2009

Scareware, fake anti-virus (AV) programs that alarm users into thinking
their machines are infected, is on the rise.

So says Sergey Golovanov, senior malware analyst, non-Intel research
group manager at Kaspersky Lab, during an interview at the company's New
Horizons media tour. These programs are widespread and are being used by
cyber criminals more and more. To date, the company has seen around 320
families of fake AV.

The security giant discovered around 3 000 rogue AV programs in the
first half of last year. The same period of 2009 saw over 20 000 samples
being identified. Kaspersky Lab discovers between 10 and 20 new programs
of this kind every day. A few years ago, a new program of this type only
appeared once every two days.

Distribution techniques

Golovanov says scareware ends up on victims' machines in much the same
way as other malware. A Trojan-downloader can covertly download such
programs, or vulnerabilities in compromised or infected sites can be
exploited to perform a drive-by download.

He says, however, that these programs are usually downloaded by users
themselves, as cyber criminals use dedicated programs or adverts to con
users into doing this.

Internet advertising and spam are other methods used by criminals to
distribute scareware. Many sites, even legitimate sites, host banners
advertising a product that claims to solve all sorts of malware issues.
In addition, when surfing the Internet, a user may also find pop-ups
appearing in the browser window offering a free anti-virus download.

Clever imitations

According to Golovanov, rogue AV carefully mimics genuine programs. The
programs will scan, and then display a sequence of messages,
notifications of an error, followed by a message claiming that malware
has been found on the system. Following this, it will pop up a message
offering the user the opportunity to install an anti-virus program to
deal with the malware, at a price of course.

Once a free trial version, which allegedly detects but does not fix the
malware problem, has been downloaded, a message is displayed saying the
full version must be activated at a cost. These programs are made to
look as genuine as possible: the more people are conned, the more money
ends up in the pockets of cyber criminals.

According to Kaspersky Lab, programs often use the same mechanisms as
polymorphic worms and viruses to combat AV solutions. The main body of
the program is encrypted to conceal strings and links. To ensure the
program runs correctly, dynamic code within the file decrypts the body
of the malware prior to the payload being delivered.
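The encrypted body described above is what lets a rogue AV sample hide its alarm messages and activation links from a plain strings scan until the in-file decryption routine runs. The following is an added example, not code from the article or from Kaspersky Lab: it builds two constructed sample files (a small readable stub followed by either a plaintext or an encrypted body), then shows the static triage heuristic a defender uses to spot such samples, namely sliding-window Shannon entropy plus string extraction. The sample text, the `fake-av.example` URL, the toy PRNG-keystream XOR standing in for the real encryption, and the 7.0 bits-per-byte threshold are all assumptions made for the demonstration.

```python
import math
import random
from collections import Counter

# --- Constructed sample data (illustrative only, not from any real sample) ---
# Strings a fake-AV payload would rather not expose to a plain 'strings' scan.
PAYLOAD_TEXT = (
    b"WARNING: 37 infections found on your computer! "
    b"Activate the full version at http://fake-av.example/activate "
    b"to remove all threats. Trial scan complete.\n"
) * 32

# Stand-in for the small, unencrypted decryption stub that precedes the body.
STUB_TEXT = b"This program cannot be run in DOS mode.\r\n" * 16


def keystream_xor(data: bytes, seed: int) -> bytes:
    """Toy stand-in for the body encryption the article describes: XOR with a
    seeded PRNG keystream. Assumption: real samples use their own schemes; the
    only property needed here is that the output looks like random bytes.
    Applying it twice with the same seed restores the original."""
    rng = random.Random(seed)
    return bytes(b ^ rng.getrandbits(8) for b in data)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4 to 5 for English text, close to 8.0 for
    encrypted or compressed data, 0.0 for a constant run."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def printable_strings(data: bytes, min_len: int = 8) -> list:
    """Minimal 'strings'-style extraction of printable ASCII runs."""
    found, run = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if len(run) >= min_len:
                found.append(run.decode("ascii"))
            run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


def high_entropy_regions(data: bytes, window: int = 512,
                         threshold: float = 7.0) -> list:
    """Slide a fixed window over the file and return (start, end) byte ranges
    whose entropy is at or above the threshold, merging adjacent windows."""
    regions = []
    for start in range(0, len(data), window):
        chunk = data[start:start + window]
        if len(chunk) < window // 2:
            break  # a very short tail gives an unreliable estimate
        if shannon_entropy(chunk) >= threshold:
            end = start + len(chunk)
            if regions and regions[-1][1] == start:
                regions[-1] = (regions[-1][0], end)
            else:
                regions.append((start, end))
    return regions


def assess(data: bytes) -> dict:
    """Summarise what a static triage pass sees: whole-file entropy, visible
    strings, and the high-entropy regions that suggest an encrypted body.
    The file is flagged when more than half of it is high-entropy."""
    regions = high_entropy_regions(data)
    covered = sum(end - start for start, end in regions)
    return {
        "entropy": round(shannon_entropy(data), 2),
        "strings": printable_strings(data),
        "high_entropy_regions": regions,
        "suspicious": covered > len(data) / 2,
    }


def build_sample(encrypted: bool) -> bytes:
    """Constructed file layout: readable stub followed by the body."""
    body = keystream_xor(PAYLOAD_TEXT, seed=1234) if encrypted else PAYLOAD_TEXT
    return STUB_TEXT + body


if __name__ == "__main__":
    for label in ("plain", "encrypted"):
        result = assess(build_sample(label == "encrypted"))
        url_visible = any("fake-av.example" in s for s in result["strings"])
        print(f"{label:9s} entropy={result['entropy']:.2f} "
              f"suspicious={result['suspicious']} "
              f"regions={result['high_entropy_regions']} "
              f"url_visible={url_visible}")
```

Run as a script it prints one line per sample. The plaintext build exposes the activation URL to string extraction and shows no high-entropy regions; the encrypted build hides the URL, but the body stands out as a large region near 8 bits per byte, which is exactly the signal a scanner uses to route a file to dynamic analysis or memory inspection, where the strings reappear after the stub has decrypted the body. The stub window at the start of the file stays below the threshold in both cases, which is why the region list is more useful than a single whole-file entropy number.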

How to protect

Although fake infections do not damage the victims' machines, cyber
criminals are using these programs to extort money from novice users.
Golovanov advises that legitimate programs designed to combat malware
will never first scan a computer and then demand money for activation;
never pay for a product which does this.

He urges users to click only on messages from a legitimate AV solution
installed on the PC, and ignore any warning messages that pop up
randomly while surfing the Internet.

________________________________________
Did a friend send you this? From now on, be the
first to find out! Subscribe to InfoSec News
http://www.infosecnews.org