Rogue antivirus: a growing problem
During the past two years we’ve written many times about programs which pretend to be something that they are not. The most notorious are rogue antivirus solutions – programs which display messages saying the victim machine is infected, even though it is not. These programs neither scan nor clean computers, and they are actually designed to persuade users that their computers are at risk and scare them into buying the “antivirus” product. Such programs are often referred to as “scareware”: Kaspersky Lab classifies them as FraudTool, a subset of the RiskWare class.
FraudTool.Win32.SpywareProtect2009: the main window
Such programs are extremely widespread and are increasingly used by cybercriminals. Whereas Kaspersky Lab detected about 3,000 rogue antivirus programs in the first half of 2008, more than 20,000 samples were identified in the first half of 2009.
Common distribution techniques
First of all, how do rogue antivirus programs end up on victim machines? They are spread using the same methods use to distribute other malware: for instance, a Trojan-Downloader can secretly download such programs, or vulnerabilities in compromised/ infected sites can be exploited to perform a drive-by download.
More often than not, though, such programs are downloaded by users themselves – cybercriminals use dedicated (Hoax) programs or adverts to trick users into doing this.
Hoax programs are another type of fraudware; they are designed to persuade users that they need to download a “wonder-working” antivirus solution, and will install the rogue solution on the victim machine even if the user declines the offer.
Hoax programs get downloaded to victim machines either by using a backdoor or by exploiting a vulnerability on a website. Once such a program is installed, an alert appears which says the system contains multiple errors, the registry is damaged or that confidential data is being stolen.
(more from the source)
