Rogue AV: A wolf in sheep's clothing


Rogue anti-malware, also known as rogue AV, has become the delivery vehicle of choice for cybercriminals seeking to infect endpoints with their payloads, and those endpoints are consumer and enterprise machines alike. The ESET Global Threat Trends Report for April 2010 contains a short article called “Free but Fake.” In addition, one of our most active researchers, Cristian Borghello from our Latin American office, has written an excellent paper on rogue anti-malware.

If you haven't had a chance to view the convincingly crafted fake scans shown on our various rogue AV pages, here is one that I captured from one of my testing workstations just before the infection. The first stage requires the user to take a particular action: in this case, as in many others, the rogue AV cannot infect the system without human assistance.

According to a recent paper that Google researchers presented in late April at the Usenix Workshop on Large-Scale Exploits and Emergent Threats (LEET), rogue AV accounts for more than 15 percent of all malware Google detects. The paper also reports that from January 2009 through February 2010, more than 11,000 domains were involved in rogue AV distribution.

I have also had recent discussions with colleagues about fake or rogue anti-malware that breaks no law because it does not infect endpoints. Strictly speaking this is not fake security software, just highly substandard software sold with disproportionately strong messaging.

This aligns strongly with an article by Bruce Schneier that I recall reading, entitled “A Security Market for Lemons” (Wired, April 2007). In it, Schneier states:

“Of course, it's more expensive to make an actually secure USB drive. Good security design takes time, and necessarily means limiting functionality. Good security testing takes even more time, especially if the product is any good. This means the less-secure product will be cheaper, sooner to market and have more features. In this market, the more-secure USB drive is going to lose out.”

Bruce closes the article with:

“With so many mediocre security products on the market, and the difficulty of coming up with a strong quality signal, vendors don't have strong incentives to invest in developing good products. And the vendors that do tend to die a quiet and lonely death.”

I agree that a tactic that is not illegal, such as a deluge of confusing messages and products (beyond what our customers already experience), has the potential to cut into the revenue of legitimate companies and to lull end users into a false sense of security with a product that does very little.

So what do we do about blatantly rogue anti-malware? Below are four points to consider:

  • The executable itself should not be allowed to land on or run on the endpoint. This is possible, but easier said than done given the many permutations of endpoint configurations.
  • Rogue software, like other malware, may be detectable via behavioral analysis. Implement a highly regarded anti-malware product with excellent static and/or dynamic detection, judged by positive user feedback and presale dialogue rather than marketing hype.
  • Distribution of the executable depends on very convincing JavaScript and associated graphics. Filtering for these, while tedious, can yield big payoffs.
  • If the rogue executable is discovered, send it to the security response team for your anti-malware product. This allows them to add static detection and update their dynamic detection algorithms.
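As an added example (not from the original article, and not ESET's code), here is a small rule-based filter of the kind the third point describes: it scores an HTML page for the lure indicators a fake scanner typically carries (alarming "you are infected" text, a fake scan progress display, a link or popup pointing at an .exe, an onbeforeunload trap, Explorer mimicry) and flags the page once the weighted score crosses a threshold. The indicator patterns, their weights, the threshold and the three sample pages are all constructed assumptions for illustration, not a published signature set.

```python
"""Heuristic filter for rogue-AV "fake scan" landing pages.

Added example. The indicator patterns, weights, threshold and sample
pages below are assumptions constructed for illustration.
"""
import re
from typing import List, Tuple

# (name, pattern, weight). Illustrative assumptions, not a real signature set.
INDICATORS: List[Tuple[str, re.Pattern, int]] = [
    # Alarming text shown before any real scan could possibly have run
    ("infection_alert_text",
     re.compile(r"your (computer|pc|system) (is|may be) infected"
                r"|threats? (were|was) found"
                r"|critical (system )?warning", re.I), 3),
    # A fake progress display pretending to scan local files
    ("fake_scan_progress",
     re.compile(r"scanning\s+(your|c:\\)"
                r"|scan (in )?progress"
                r"|files? scanned", re.I), 2),
    # The payload: a link, redirect or popup pointing at an .exe
    ("exe_download_link",
     re.compile(r"""(?:(?:href|src)\s*=|open\(|location(?:\.href)?\s*=)"""
                r"""\s*['"]?[^'"\s>]*\.exe\b""", re.I), 3),
    # Trapping the visitor who tries to leave the page
    ("leave_page_trap",
     re.compile(r"onbeforeunload|window\.onunload", re.I), 2),
    # Mimicry of Windows Explorer / system dialogs in the page body
    ("explorer_mimic",
     re.compile(r"my computer|local disk \(c:\)|windows security alert", re.I), 1),
    # Obfuscation often used to hide the above from naive filters
    ("obfuscated_js",
     re.compile(r"unescape\(|String\.fromCharCode\(|eval\(", re.I), 1),
]

THRESHOLD = 6  # assumed cut-off: several independent indicators must agree


def score_page(html: str) -> Tuple[int, List[str]]:
    """Return (weighted score, names of indicators that fired)."""
    score = 0
    hits: List[str] = []
    for name, pattern, weight in INDICATORS:
        if pattern.search(html):
            hits.append(name)
            score += weight
    return score, hits


def is_fake_scanner(html: str, threshold: int = THRESHOLD) -> bool:
    """True when the page looks like a fake-scanner lure."""
    return score_page(html)[0] >= threshold


# Constructed sample pages (not captured from a real site).
FAKE_SCAN_PAGE = """<html><head><title>Windows Security Alert</title>
<script>
window.onbeforeunload = function(){ return "Your computer is infected! Do not leave."; };
function start(){ document.getElementById('bar').innerText = 'Scanning your computer... 12 files scanned'; }
</script></head>
<body onload="start()">
<img src="mycomputer.png"><div>My Computer</div><div>Local Disk (C:)</div>
<div id="bar"></div>
<p>WARNING! 38 threats were found on your computer.</p>
<a href="http://example.invalid/download/AntivirusPro.exe">Remove all threats now</a>
</body></html>"""

BENIGN_PAGE = """<html><head><title>Release notes</title></head>
<body><h1>Scanner 2.1 release notes</h1>
<p>This release fixes a crash when scanning large archives.</p>
<a href="/downloads/scanner-2.1.tar.gz">Download source</a>
</body></html>"""

# A page that merely talks about rogue AV trips one indicator but not the threshold.
BLOG_PAGE = """<html><body><h1>How fake scanners work</h1>
<p>The page claims "your computer is infected" and pretends to scan.</p>
<a href="/2010/04/rogue-av.html">Permalink</a></body></html>"""


if __name__ == "__main__":
    for label, page in (("fake scan", FAKE_SCAN_PAGE),
                        ("benign", BENIGN_PAGE),
                        ("blog about rogue AV", BLOG_PAGE)):
        score, hits = score_page(page)
        print(f"{label:20s} score={score:2d} flagged={score >= THRESHOLD} hits={hits}")
```

Keyword heuristics like these are cheap to run at a web proxy, but a page that merely discusses rogue AV (the third sample) fires the same text indicator as a real lure, which is why the verdict rests on a weighted score across independent indicators rather than on any single match. Attackers also obfuscate their JavaScript to dodge exactly this kind of filter, so the filter belongs alongside the behavioral detection in point two and the sample submission in point four, not in place of them.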

Attacks are cyclical: once there is a much more effective means of dealing with rogue AV, you can rest assured that another angle will soon be leveraged to gain a foothold on the endpoint. In the meantime it is an arms race, and a lot of security vendors are working hard to meet the escalating threats head-on. As a security community, keeping the lines of communication open to share threat intelligence is one of our greatest strengths in this protracted fight.
