Google says 11,000 domains distributing rogue anti-virus

Rogue anti-virus software currently accounts for 15 percent of all web-based malware and is growing in prevalence, according to researchers at Google.

During the course of a 13-month analysis of fake AV on the web, Google researchers analysed 240 million web pages collected by the search giant's malware detection engine and found that more than 11,000 domains were involved in the distribution of fake AV.

Google researchers wrote a paper about their findings, which they plan to release April 27 at the Usenix Workshop on Large-Scale Exploits and Emergent Threats in California. Rogue AV is rising in prevalence faster than other forms of web-based malware, the company said.

The fraudulent programs, often called scareware, masquerade as legitimate security products that, when installed, identify false threats on the victim's machine. The scam is designed to deceive victims into paying registration fees to remove the purported malware.

“This malicious software takes advantage of users' fear that their computer is vulnerable, as well as their desire to take the proper corrective action,” Niels Provos, a member of Google's security team, wrote in a post on the search giant's Online Security Blog.

Criminals often leverage the public's interest in current events to spread the malware.

“Cybercriminals are using any sort of news, including rumors, to distribute their fake AV programs, and black [hat] SEO is still being used extensively to spread them,” Brulez said.

Gary Warner, director of research in computer forensics at the University of Alabama, told SCMagazineUS.com that cybercriminals this week poisoned searches related to the death of Polish President Lech Kaczyinski to distribute fake AV software. Other poisoned queries leading to fake AV this week included: “mine rescue teams”, “mega piranha trailer”, “kristen stewart Budapest”, “the katyn massacre movie”, and “jack johnson tour dates usa 2010”.

And black hat SEO is just one delivery mechanism for fake AV, Warner said. Cybercriminals also distribute their wares through spam messages and malicious advertisements.

Fake AV attacks that are spread via spam and online ads allow attackers to reach a large number of potential victims, Provos said.

Overall, fake AV attacks make up 50 percent of all malware delivered via online advertisements, representing a five-fold increase from a year ago, he said. In addition, rogue AV  accounts for 60 percent of the malware discovered on domains that include popular “trending” keywords.

The lifespan of fake AV domains has “decreased significantly” over the past year, Brulez said. 

“They don't need them to last long,” Warner said. “Criminals are registering hundreds of these [domains] and it's very easy for them to adapt.”

Google's soon-to be released research will expand on the characteristics of fake AV, how it differs from other types of web-based malware and how it has changed over time.

See original article on scmagazineus.com