Malware, Network Security

Google says 11,000 domains distributing rogue anti-virus

Rogue anti-virus software currently accounts for 15 percent of all web-based malware and is growing in prevalence, according to researchers at Google.

During the course of a 13-month analysis of fake AV on the web, Google researchers analyzed 240 million web pages collected by the search giant's malware detection engine and found that more than 11,000 domains were involved in the distribution of fake AV.

Google researchers wrote a paper about their findings, which they plan to release April 27 at the Usenix Workshop on Large-Scale Exploits and Emergent Threats in San Jose, Calif. Rogue AV, which currently accounts for 15 percent of all malware Google detects on the web, is rising in prevalence faster than other forms of web-based malware, the company said.

The fraudulent programs, often called scareware, masquerade as legitimate security products that, when installed, identify false threats on the victim's machine. The scam is designed to deceive victims into paying registration fees to remove the purported malware.

“This malicious software takes advantage of users' fear that their computer is vulnerable, as well as their desire to take the proper corrective action,” Niels Provos, a member of Google's security team, wrote in a Wednesday post on the search giant's Online Security Blog.

Criminals often leverage the public's interest in current events to spread the malware. Just this week, a new fake AV campaign capitalized on the death of Peter Steele, frontman of the heavy metal band Type O Negative, Nicolas Brulez, senior anti-virus researcher at Kaspersky wrote in a blog post Wednesday.

Not long after the news broke on Wednesday, attackers utilized black hat search engine optimization (SEO) tactics to poison search results so that their malicious links appeared near the top when someone looked for information on the death, Brulez said. Clicking on one of the links led users to a rogue program called CleanUp AntiVirus.

“Cybercriminals are using any sort of news, including rumors, to distribute their fake AV programs, and black [hat] SEO is still being used extensively to spread them,” Brulez said.

Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham, told on Thursday that cybercriminals also this week poisoned searches related to the death of Polish President Lech Kaczyinski to distribute fake AV software. Other poisoned queries leading to fake AV this week included, “mine rescue teams,” “mega piranha trailer,” “kristen stewart Budapest,” “the katyn massacre movie,” and “jack johnson tour dates usa 2010,” Warner said.

And black hat SEO is just one delivery mechanism for fake AV, Warner said. Cybercriminals also distribute their wares through spam messages and malicious advertisements.

Fake AV attacks that are spread via spam and online ads allow attackers to reach a large number of potential victims, Provos said.

Overall, fake AV attacks make up 50 percent of all malware delivered via online advertisements, representing a five-fold increase from a year ago, he said. In addition, rogue AV  accounts for 60 percent of the malware discovered on domains that include popular “trending” keywords.

The lifespan of fake AV domains has “decreased significantly” over the past year, Brulez said. 

“They don't need them to last long,” Warner said. “Criminals are registering hundreds of these [domains] and it's very easy for them to adapt.”

Google's soon-to be released research will expand on the characteristics of fake AV, how it differs from other types of web-based malware and how it has changed over time.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.