The URL which the Inquirer has discovered is http://0fficial-page-com/AVG1. [Note that it uses a zero not a capital 'o'.] Don't be fooled.
According to Rick Ferguson, a senior security advisor with anti-virus specialist, Trend Micro, this type of attack isn't original but the danger has so far received only minimal publicity.
Rick reckons the best known incidence of this attack is avg-online-scanner.com. This software tricks victims into downloading a malware app called Winspywareprotect.
Naturally, the malware 'detects' the existence of fake 'threats' and tricks the victim into paying money online to 'remove' the threats.
As Ferguson explained, "Cybercrime is moving away from inflicting the maximum damage in the shortest time towards remaining undetected for the longest period and extracting the maximum cash."
He reckons the standard industry practice with anti-virus software is going to have to change. Ferguson estimates that viruses with 'unique' signatures are presently appearing at the rate of around 26,500 per hour.
"A typical PC would grind to a halt just trying to download and process all those signatures," Ferguson explained. For that reason, Trend has moved towards creating online databases of email addresses, web sites and file names.
So, instead of using signatures, Trend's software can detect suspicious activity and then check online if any of it relates to known malicious URLs or files. Information from all three databases can be correlated.
Significantly, the Inquirer had a great deal of trouble removing the malware which appears to originate from a file called 1temp.exe. Luckily, anti-virus expert Prevx had detected this particular nasty back in March .
The malware is clever because it allows the browser to go to ordinary web sites but blocks all attempts to download a cure from the well-known anti-virus experts such as AVG itself and Panda Software.
The Inquirer hasn't investigated thoroughly, but monies paid to the fake AVG site appear to go to Russia.
Malware spoofs AVG web site
By Tony Dennis on Nov 27, 2008 12:22AM