What next for rogue AVs?

In 2009 I wrote a blogpost about a new trend in rogue AV attacks (http://www.securelist.com/en/blog/208187938/Rogue_AV_raising_the_stakes) – the cloning or copying of the GUIs of genuine anti-malware products. I predicted that we would soon see rogue AVs that were visually almost exact copies of legitimate security software – and only a few months later, we saw some very convincing imitations: fake Kaspersky, Avast, Symantec, McAfee and Avira products.

In May 2010, we saw a new rogue AV attack featuring a fake version of Microsoft Security Essentials, and at the beginning of 2011 we saw a whole new wave of rogue AVs that included fake versions of AVG 2011 and Kaspersky Anti-Virus for Windows Workstations. Our predictions couldn’t have been more accurate. However, in addition to the abovementioned, I recently found an ‘interesting’ website. Try to spot what’s wrong in the screen shot below:

The answer lies in the bottom right-hand corner. The criminals behind rogue AV attacks now not only clone GUIs, but also copy attack notifications as well. The red balloon you see is an exact copy of a standard KAV for Workstation malware detection notification.

So, what is the main problem here and what will it lead to? Well, in 2009 alone, the FBI estimated that victims of rogue AV attacks lost around US$150 million [1], and I firmly believe that the figure for 2010 will be higher.

In most cases, victims lost their money after having been tricked into paying for purported disinfections after receiving fake notifications. However, today the picture is changing. The issue facing even the most experienced users is how to distinguish between fake and legitimate anti‑virus solutions before installing them on a computer. Just imagine a rogue AV being installed that has cloned virtually every aspect of the original solution: from the GUI to the names of malware. Maybe a handful of advanced users could check the system’s process names and file paths to determine the legitimacy of the software, but even this can be faked by the criminals. They can create the same paths, the same file names and the same process names. So, what we are facing here is the likelihood that criminals will not only make money from victims by employing fake virus warnings, but also from the sale of rogue AV products. As mentioned previously, such products could dupe even the most experienced of users.

The criminals have another advantage too. Many legitimate AV companies not only sell their goods via an official website, but also through online stores and partner sites. What if one or more of these sites were hacked and a new, high-tech rogue AV delivered to a user’s machine? Who would pay for the damage – the online store or the vendor?

Now imagine another scenario: what if the criminals start registering and building fake online stores selling several cloned AVs? How would the average user be able to tell if they were purchasing a real or a fake solution?

The matter could partially be resolved if vendors were to sign files so that users could check the digital signature. However, we know from recent experience that digital certificates are not an absolute guarantee that a file is legitimate and clean. This would also require users to be experienced enough to know how to check signed files.

With no ideal method of protecting users against these threats, the AV industry needs to generate some new ideas as to how we can stamp out this type of fraud.

Latest articles:

Bulletin Archive