Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Network Security, Security Strategy, Plan, Budget, Incident Response, TDR, Threat Management, Threat Management, Malware, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Source of rogue malware tracked down

Cybercriminals have unleashed a blizzard of rogue anti-virus software to plunder naive users, and the amount of money involved is astounding. 

Joe Stewart, director of malware research at SecureWorks, said one leading set of fake AV programs is Antivirus XP 2008 and its more recent edition, Antivirus XP 2009. Both are rogue AV programs put out by Russian company Bakasoftware and sold to English-speaking computer users. 

Stewart discovered that top earners are likely making up to $5 million a year by controlling large botnets of infected computers and siphoning money into their own accounts, he told Thursday.

Even the nominal earner could make $50,000 to $200,000 a year on average, Stewart estimated.

“It was surprising to us how much money these guys are making,” he said.

Antivirus XP 2008 is the most prevalent rogue antivirus program right now, Stewart said.

Bakasoftware sells the product through a network of affiliates who are recruited in underground forums, Stewart said.

Affiliates distribute the product in different ways — some advertise the software on their websites, others send out spam, but the most effective method is controlling botnets, he said. With a botnet, affiliates can execute a command to potentially hundreds of thousands of computers at once.

Stewart came across on a Russian hacker forum revealing top Bakasoftware affiliate earners. The report was posted by a hacker using the alias "NeoN," who claimed that an acquaintance used SQL injection to hack into the Bakasoftware website, obtain the administrative password and get inside information about Bakasoftware profits.

According to the report, Stewart said, the top three earners made $158,568.86, $105,955.76 and $95,021.16. It is unclear how long it took them to make this.

A separate post from the supposed administrator of the site, an affiliate with the handle "Krab," shows additional earning statistics, which Stewart analyzed in his research:

“If these stats are to be believed, one affiliate was able to install 154,825 copies of Antivirus XP 2008 in 10 days' time and 2,772 of those copies were actually purchased by the victims,” Stewart wrote in his research. “This only represents a one-to-two percent conversion rate but with the generous commission structure, was enough to earn the affiliate $146,525.25 for that time period.”

Though a one-to-two-percent conversion rate is average, some affiliates are achieving up to a 75-percent conversion rate. These affiliates are likely maximizing their profits by using stolen credit card numbers to purchase the software and having the money credited to their affiliate ID — in other words, performing identity theft, Stewart said.

He said he hopes his findings illustrate that users have to be suspicious of things popping up unexpectedly, which would indicate fake anti-virus software.

“There's no legitimate virus software that's going to [unexpectedly] appear on your system and tell you're infected with hundreds of things,” Stewart said.

Attempts to reach Bakasoftware were unsuccessful.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.