The Tech Herald

Rogue anti-Virus earns almost $34 million a month

by Steve Ragan - Jul 30 2009, 16:30

Rogue anti-Virus earns almost $34 million a month. (IMG: J.Anderson)

The sale of rogue anti-Virus, which tricks infected users into paying for the removal of non-existent threats, is earning criminals millions of dollars per month, a new report from PandaLabs says. The report, which looks inside the criminal economy surrounding rogue anti-Virus software, is the culmination of research that took several years to complete.

Titled “The Business of Rogueware”, the report’s authors, researchers Luis Corrons and Sean-Paul Correll, look at the various forms of Rogueware that have been created over the years. Using that information, they paint a picture of how this new class of Malware has become an instrumental player in the overall cybercriminal economy. The study also provides in-depth analysis on the increasingly sophisticated social engineering techniques used by cybercriminals to distribute Rogueware via Facebook, MySpace, Twitter, and Google.

“Rogueware is so popular among cybercriminals primarily because they do not need to steal users’ personal information like passwords or account numbers in order to profit from their victims,” said Luis Corrons, PandaLabs Technical Director.

Rogue anti-Virus infections are easy to spot: they create pop-up warnings and offer scans that seem to come out of nowhere on a system. These scans and warnings alert users to various issues and infections, and often borrow the names of actual Malware to hammer home a point. That point is fear, and, for a price, the Rogueware will offer to remove the supposed infections.

“By taking advantage of the fear in Malware attacks, they prey upon willing buyers of their fake anti-virus software, and are finding more and more ways to get to their victims, especially as popular social networking sites and tools like Facebook and Twitter have become mainstream,” Corrons added.

During our testing of security software in The Tech Herald’s labs, we often infect the test system with rogue anti-Virus software to see if the product being tested will detect and remove it. The Rogueware is usually able to infect the system unimpeded.

The report mentions some interesting facts, none more so than the reasoning as to why the rogue anti-Virus problem is so hard to stop. Approximately 35 million computers are newly infected with Rogueware each month, Panda said. With those numbers, traditional signatures don’t cut it. Unless the rogue anti-Virus application is also downloading third-party Malware, the AV engines will likely miss it.

There are approximately 200 different families of Rogueware, and PandaLabs expects the variations to continue to grow. In the first quarter of 2009 alone, more new strains were created than in all of 2008. The second quarter painted an even bleaker picture, with the emergence of four times as many samples as in all of 2008.

The primary reason for the creation of so many variants is to avoid signature-based detection by legitimate anti-Virus programs. The use of behavioral analysis, which works well with Worms and Trojans, is of limited use against this type of Malware because the programs themselves do not act maliciously on computers -- other than displaying false information.
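To make the signature-versus-behaviour point concrete, here is a small added illustration (not code from the PandaLabs report or from Panda's products) of why a hash signature breaks as soon as a new variant is compiled, while a content heuristic keyed on the scare text the page describes still fires. The "samples" are constructed byte strings standing in for installers, and the pattern list is an assumption chosen for the demonstration, not a real engine's rule set.

```python
import hashlib
import re

# Constructed stand-ins for rogue AV installers and a benign program.
# They are made-up byte strings, not real binaries.
SAMPLE_A = (
    b"MZ\x90\x00RogueAV v1\x00"
    b"Your computer is infected! Buy the full version to remove 37 threats.\x00"
)
# A "new variant": one small change is enough to produce a different file hash.
SAMPLE_A_VARIANT = SAMPLE_A.replace(b"v1", b"v2")
BENIGN = b"MZ\x90\x00Notepad clone\x00Untitled - Text editor\x00"

# Traditional exact-match signature database: SHA-256 of a known sample -> name.
SIGNATURE_DB = {
    hashlib.sha256(SAMPLE_A).hexdigest(): "Rogue.FakeAV.A",  # constructed name
}


def signature_match(blob):
    """Return the signature name if the file hash is known, else None."""
    return SIGNATURE_DB.get(hashlib.sha256(blob).hexdigest())


# Content heuristic: the scareware behaviour the article describes is
# "display fake infection warnings and ask for money". These regexes are an
# assumed, deliberately simple encoding of that pattern.
SCARE_PATTERNS = [
    re.compile(rb"computer is infected", re.IGNORECASE),
    re.compile(rb"\b(buy|purchase|activate)\b", re.IGNORECASE),
    re.compile(rb"\d+ threats", re.IGNORECASE),
]


def scareware_heuristic(blob, threshold=2):
    """Flag the file when at least `threshold` scare-text patterns appear.

    Returns (flagged, list_of_matched_patterns).
    """
    hits = [p.pattern.decode() for p in SCARE_PATTERNS if p.search(blob)]
    return len(hits) >= threshold, hits


def classify(blob):
    """Combine both checks the way a simple scanner might."""
    sig = signature_match(blob)
    if sig:
        return "signature:" + sig
    flagged, hits = scareware_heuristic(blob)
    if flagged:
        return "heuristic:" + ",".join(hits)
    return "clean"


if __name__ == "__main__":
    for name, blob in [("original", SAMPLE_A),
                       ("variant", SAMPLE_A_VARIANT),
                       ("benign", BENIGN)]:
        print(f"{name:9s} -> {classify(blob)}")
```

The original sample is caught by its hash, the variant is missed by the signature but caught by the heuristic, and the benign file passes both. The caveat the report itself raises still applies: string heuristics are no more robust than the text they look for, so once variants start packing their resources or hiding behind rootkit techniques, as the next paragraph notes, this kind of check degrades too.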

However, as the report mentions, PandaLabs has started to identify more advanced Malware variants that are using typical Trojan features, rootkits, and other techniques to subvert virus detection technologies.

The full report, available online, also explains how the criminals are making money, which is mostly through affiliate systems. Panda shows users the breakdown of the various Rogueware applications and how they are distributed online.

You can check it out for yourself by clicking here.
