Archive for the ‘Rogueware’ Category

Good (?) old times II

February 25, 2009

Some days ago we talked about how old infection techniques had re-emerged and how malware with economic goals had been combined with traditional viruses. Today we have come across an interesting case concerning one of the recently detected rogue variants, Antispyware3000.

Antispyware 3000 

It works like the rest of the rogue programs: once installed on the computer, it displays warnings about false infections so that we pay for the product to remove the threats and keep our system protected (which is not true: they take our money and nothing else). The curious feature of this fake antivirus is that the installer downloaded from its website is itself infected with W32/Jeefo.A, a virus that first appeared in 2003.

We don't know whether the creators of this fake antivirus did this on purpose or, on the contrary, were not careful enough when handling malware and have been given a taste of their own medicine.

New Rogue Antivirus: Total Defender

January 25, 2009

A new Rogue Antivirus program called Total Defender appeared over the weekend. 

Total Defender Rogue Antivirus

The following data is included for informational purposes only. Please do not attempt to view or download files from the website.

Domain: Total-Defender. com
IP: 94.247.2.41
Country: Latvia
Host: DATORU EXPRESS SERVISS Ltd.
Organization: ZlKon

File:  total-defender-setup.exe


Connects to:

0    200    HTTP    94.247.2.41    /ck.php    21
1    200    HTTP    94.247.2.41    /tdd.php?i=1
2    200    HTTP    94.247.2.41    /ck.php
3    301    HTTP    94.247.2.41    /tdp.php?ak=24DIGITHASH
4    200    HTTP    CONNECT    pp-pay.net:443
5    200    HTTP    CONNECT    pp-pay.net:443
6    200    HTTP    CONNECT    pp-pay.net:443
7    200    HTTP    CONNECT    bill-support.com:443 
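The session list above is the kind of capture an analyst turns into blocking and alerting indicators. The following is an added example (not PandaLabs' code) that parses those lines, separates plain HTTP requests to the rogue's server from the TLS tunnels (CONNECT) to the payment hosts, and pulls out the campaign/affiliate query parameters; the column layout is assumed to be id, status, protocol, host, path as shown in the post.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the session list from the Total Defender write-up, in the
# columns the capture tool emitted (id, status, protocol, host, path). Trailing
# extra fields (the "21" on line 0) are ignored.
CAPTURE = """\
0    200    HTTP    94.247.2.41    /ck.php    21
1    200    HTTP    94.247.2.41    /tdd.php?i=1
2    200    HTTP    94.247.2.41    /ck.php
3    301    HTTP    94.247.2.41    /tdp.php?ak=24DIGITHASH
4    200    HTTP    CONNECT    pp-pay.net:443
5    200    HTTP    CONNECT    pp-pay.net:443
6    200    HTTP    CONNECT    pp-pay.net:443
7    200    HTTP    CONNECT    bill-support.com:443
"""

def parse_session(line):
    """Split one capture line into a dict; CONNECT lines carry host:port, not a path."""
    fields = line.split()
    if len(fields) < 5:
        return None
    sid, status, target = int(fields[0]), int(fields[1]), fields[3]
    if target == "CONNECT":                      # TLS tunnel: next field is host:port
        host, _, port = fields[4].partition(":")
        return {"id": sid, "status": status, "method": "CONNECT",
                "host": host, "port": int(port or 443), "path": None, "query": {}}
    parsed = urlsplit(fields[4])
    return {"id": sid, "status": status, "method": "GET",
            "host": target, "port": 80, "path": parsed.path,
            "query": {k: v[0] for k, v in parse_qs(parsed.query).items()}}

def triage(capture):
    """Summarise a capture into the indicators a defender would block or alert on."""
    sessions = [s for s in (parse_session(l) for l in capture.splitlines()) if s]
    report = {"plain_http_hosts": set(), "tls_hosts": set(),
              "redirects": [], "tracking_params": {}}
    for s in sessions:
        if s["method"] == "CONNECT":             # payment/billing sites reached over TLS
            report["tls_hosts"].add(s["host"])
            continue
        report["plain_http_hosts"].add(s["host"])
        if 300 <= s["status"] < 400:             # the redirect that hands off to payment
            report["redirects"].append(s["path"])
        for key, value in s["query"].items():
            # campaign-style parameters (i=, ak=) tie the install to an affiliate;
            # keeping them lets proxy rules key on the parameter as well as the host
            report["tracking_params"].setdefault(key, set()).add(value)
    return sessions, report
```

Run `triage(CAPTURE)` to get the parsed sessions plus a report whose `tls_hosts` and `plain_http_hosts` sets feed directly into a proxy or DNS blocklist.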

Additional Info:

An interesting thing we noticed is that the rogue did not attempt to scare us into purchasing it; instead it told us that the computer was secure after the scan. The rogue authors are probably doing this to keep a high number of rogue installations active for data theft or for-hire services.


Rash of Rogue Security Malware

January 15, 2009

The number of rogue security samples increases daily, and today was no exception. We discovered a rash of newly created domain names pushing rogue security software harder than ever. I captured a video so that you can see what the site and the infection process look like.



In the January 2009 ISSA Journal (pdf) we covered the rogue epidemic of 2008, and from our data we predicted that rogues would be among the most prolific malware of 2009. 15 days into the new year, it already feels like the prediction is coming true.

Note: The sites are live and infectious so do not attempt to visit them!


New ways to distribute rogueware

November 21, 2008

Nowadays the most prevalent infections belong to rogueware: the fake antivirus, antispyware or anti-anything programs that try to take money from users by making them pay to remove nonexistent threats. As we showed recently, they are making huge amounts of money.

They are usually installed on victims' computers using drive-by-download techniques, as well as the typical social engineering we see used to distribute any kind of malware through spam. We see this kind of spam on a daily basis: some samples are the usual spam message with a link to a supposed greeting card, others come with a Trojan downloader that, if run, will download and install the rogueware, and others are links to websites with photos or videos that ask you to install a fake codec (the rogueware) to view them:


But today we have found an even smarter way to fool users. At first I thought it was the typical message floating around to harvest valid e-mail addresses:


Once you click on the link it takes you to this page:

When clicking on "Download", the user finds out that it was not as free as they might have thought:


Of course the rogueware is not free; in fact it is nothing at all, since you pay and get nothing in exchange. Taking a look at the URL, I noticed that it contains the word "antivirus2". I removed the "2", and this is what I obtained:

Of course it belongs to a different scam run by the same guys.

Rogue mistakes!

October 22, 2008

As we have mentioned recently, the distribution of rogue antimalware programs has increased considerably and they have become a very widespread threat, even rivalling Trojans, which have been the most active type of malware in recent years.

For example, today more than 75% of the adware-type malware detected by our technicians has been this type of fake AV program.

In the following image you can see a collage of different websites and interfaces belonging to several rogue antimalware programs:

Every day we detect different variants of these programs and new websites from which they can be downloaded. All the fake programs have different names, interfaces, features… Given the high number of different programs being created, it is no surprise that from time to time the cybercrooks make mistakes. As you can see in the image below, the copy/paste technique doesn't always work properly:


Who Wants to Be a Millionaire?

October 14, 2008

During the last months I've been asked the same question almost every day: why are there so many rogueware infections? We have already published some data in the blog, as well as in the 2008 Q3 Report. The infection numbers are quite telling:

As you can see, Adware is the top category, and this is due to the rogueware detections, which are included in the Adware category. With all the sensors we now have in the new products, which are connected to the Collective Intelligence, and given this wave of infections, I wanted to know whether the feeling I had was real or not. From the 1st of June 2008 until yesterday, we received reports from more than 2 million different computers. Even though our user base is much larger, I have only taken data from products using the connection to the cloud whose users have agreed to share information, which means that most of them are users of our free online scanner ActiveScan.

The next query was easy: how many of these 2 million computers have detected rogueware? About 70,000 different computers, which is about 3% of those 2 million computers.

How can we translate this to the whole world? We can extrapolate from this information; even though it is not 100% accurate, it can shed some light on the issue. According to Forrester, there are about 1 billion computers (US billions, i.e. one thousand million for non-US readers). That would make 30 million rogueware-infected computers (3%).

Then we have Gartner, which said that about 3.30% of people are losing money due to phishing, i.e. people who actually send their banking information to the phishers. Rogueware is much more aggressive than phishing, but as we do not know how many users are being fooled into buying that "software" to get rid of fake infections, let's say that only 3.30% of the people are paying. That would mean almost 1 million users buying rogueware (in only 4 months and 2 weeks!).

The price of each rogueware application varies, but let's say that 50€ is the average price. The maths is not difficult:

50€ * 1,000,000 = 50,000,000 € (US$ 69,000,000)

OK, they are not earning this money all at once; this is over 4 months and 2 weeks, which means more than 11,000,000€ (US$ 15,000,000) per month.

So… Who Wants to Be a Millionaire?

Microsoft Security Center recommends you…

October 13, 2008

… this is part of a fake message used by a new rogue antivirus: a screensaver warns users that their system is infected and that they need to update it with a fake antivirus. PandaLabs detects it as Adware/RogueAntivirus2010.

Besides, some weeks ago PandaLabs detected a previous version of this program called Adware/RogueAntivirus2009.

Taking into account the high activity of this type of applications, we wouldn't be surprised to see a new rogue called Adware/RogueAntivirus2011 in the next weeks. 

Here you can see different images of the screensaver displayed by RogueAntivirus2010:

We have prepared a video where you can see the full screensaver used by this rogue antivirus to deceive users. Click here to watch it.

Thanks to Oscar Anduiza for the sample.

The increase of adware in the third Quarter

September 29, 2008

In "…more and more Rogue Antivirus" we promised you some figures showing the increase of adware this quarter.

As this figure shows, adware has seen the biggest increase at the moment: it started the year at 28.58% and is now very close to 40%.

This remarkable growth is due to the new fake / rogue antivirus applications…


…more and more Rogue Antivirus

September 19, 2008

As you probably know, in recent months the number of new fake / rogue antivirus applications has grown a lot. Right now we are finishing the latest quarterly report, and while going through the statistics we found that the Adware detected has grown from about 22.03% in Q2 to an amazing 37.49%, and it is due to these annoying programs.

I don't know if the current financial crisis has something to do with this and the bad guys are realizing that banks are not very healthy right now. Perhaps that's why they are targeting users in a more direct way; in any case, what is certain is that these attacks are growing exponentially.

This is one of the latest ones to have shown up in the lab:

Next week we'll show you some figures and more interesting stuff.

Thanks a lot to Asier Martinez for the sample!!