Purveyors of fake anti-virus or “scareware” programs have aggressively stepped up their game to evade detection by legitimate anti-virus programs, according to new data from Google.
In a report being released today, Google said that between January 2009 and the end of January 2010, its malware detection infrastructure found some 11,000 malicious or hacked Web pages that attempted to foist fake anti-virus on visitors. The search giant discovered that as 2009 wore on, scareware peddlers dramatically increased both the number of unique strains of malware designed to install fake anti-virus as well as the frequency with which they deployed hacked or malicious sites set up to force the software on visitors.
Fake anti-virus attacks use misleading pop-ups and videos to scare users into thinking their computers are infected and offer a free download to scan for malware. The bogus scanning programs then claim to find oodles of infected files, and victims who fall for the ruse often are compelled to register the fake anti-virus software for a fee in order to make the incessant malware warnings disappear. Worse still, fake anti-virus programs frequently are bundled with other malware. What’s more, victims end up handing their credit or debit card information over to the people most likely to defraud them.
Google found that miscreants spreading fake anti-virus have over the last six months taken aggressive steps to evade the two most prevalent countermeasures against scareware: the daily signature updates shipped by legitimate anti-virus makers to detect scareware installers, and programs like Google’s that scan millions of Web pages for malicious software and flag search results that lead to malware.
Google’s automated system scanned each potentially malicious page in real time using a number of licensed anti-virus engines, and all of the files were rescanned at the end of the study. Beginning in June 2009, Google charted a massive increase in the number of unique fake anti-virus installer programs, a spike that Google security experts posit was a bid to overwhelm the ability of legitimate anti-virus programs to detect them. Indeed, the company discovered that during that time frame, the number of unique installer programs increased from an average of 300 to 1,462 per day, causing the detection rate to plummet to below 20 percent.
“We found that if you have anti-virus protection installed on your computer but the [malware detection] signatures for it are out-of-date by just a couple of days, this can drastically reduce the detection rates,” said Niels Provos, principal software engineer for Google’s infrastructure group. “It turns out that the closer you get to now, the commercial anti-virus programs were doing a much worse job at detecting pages that were hosting fake anti-virus payloads.”
In addition, Google determined that the average lifetime of sites that redirect users to Web pages that try to install scareware decreased over time, with the median lifetime dropping below 100 hours around April 2009, below 10 hours around September 2009, and below one hour since January 2010.
“These trends point to domain rotation, a technique that allows attackers to drive traffic to a fixed number of [Internet] addresses through multiple domains,” the company said in its report. “This is typically accomplished by setting up a number of landing domains, either as dedicated sites or by infecting legitimate sites, that redirect browsers to an intermediary under the attacker’s control. The intermediary is set up to redirect traffic to a set of active domains, which point to fake anti-virus distribution servers.”
Provos said the domain rotation technique appears to be an extension of a “malware arms race” engineered to evade domain-based malware detection techniques.
“In fact, we noticed a distinct correlation between our improved ability to detect fake anti-virus, and the observed lifetime of each domain,” Provos said.
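As an added illustration that is not part of the original post or of the Google report, the following Python sketch shows how a defender could spot the pattern described above in their own crawl or proxy logs: many short-lived landing domains funnelling into a fixed distribution address. The log rows, domain names and IP addresses are constructed, and the one-hour and three-domain thresholds are assumptions chosen to mirror the report’s lifetime figures.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample data (not from the Google report): one row per redirect chain the
# crawler followed: (time seen, landing domain, intermediary host, final distribution IP).
OBSERVATIONS = [
    ("2010-01-10 08:00", "blog-example.test",  "redir-a.test",     "203.0.113.7"),
    ("2010-01-10 08:30", "blog-example.test",  "redir-a.test",     "203.0.113.7"),
    ("2010-01-10 09:00", "news-example.test",  "redir-a.test",     "203.0.113.7"),
    ("2010-01-10 09:40", "news-example.test",  "redir-a.test",     "203.0.113.7"),
    ("2010-01-10 10:00", "shop-example.test",  "redir-a.test",     "203.0.113.7"),
    ("2010-01-10 10:50", "shop-example.test",  "redir-b.test",     "203.0.113.7"),
    ("2010-01-10 11:00", "forum-example.test", "redir-b.test",     "203.0.113.7"),
    ("2010-01-11 11:00", "forum-example.test", "redir-b.test",     "203.0.113.7"),
    ("2010-01-10 12:00", "legit-ad.test",      "cdn-example.test", "198.51.100.9"),
    ("2010-01-13 12:00", "legit-ad.test",      "cdn-example.test", "198.51.100.9"),
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def domain_lifetimes(observations):
    """Hours between the first and last sighting of each landing domain."""
    first, last = {}, {}
    for when, domain, _, _ in observations:
        t = _ts(when)
        first[domain] = min(first.get(domain, t), t)
        last[domain] = max(last.get(domain, t), t)
    return {d: (last[d] - first[d]).total_seconds() / 3600 for d in first}

def landing_domains_per_ip(observations):
    """Which landing domains funnel traffic to each distribution IP (the fan-in)."""
    by_ip = defaultdict(set)
    for _, domain, _, ip in observations:
        by_ip[ip].add(domain)
    return by_ip

def flag_domain_rotation(observations, max_median_hours=1.0, min_domains=3):
    """Flag distribution IPs fed by several landing domains whose median lifetime is short.

    Returns {ip: (number of landing domains, median lifetime in hours)}.
    """
    lifetimes = domain_lifetimes(observations)
    flagged = {}
    for ip, domains in landing_domains_per_ip(observations).items():
        med = median(lifetimes[d] for d in domains)
        if len(domains) >= min_domains and med <= max_median_hours:
            flagged[ip] = (len(domains), med)
    return flagged
```

Running `flag_domain_rotation(OBSERVATIONS)` reports only the address fed by four landing domains with a median lifetime of 45 minutes; the single long-lived domain behind the second address is left alone.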
Last year, after a rogue ad on the New York Times Web site led to massive numbers of people being attacked by rogue anti-virus, I wrote a tutorial for The Washington Post called “What To Do When Scareware Strikes,” which details how to deal with these ambushes. The key is to remain calm and avoid clicking on any prompts generated by the scareware. Check out that tutorial here.
In a separate report released Monday, Microsoft said its security products cleaned fake anti-virus related malware from 7.8 million computers in the second half of 2009, up from 5.3 million computers in the first six months of the year, an increase of 46.5 percent.
A copy of the Google report is available here (PDF).
Update, 4:47 p.m. ET: Security firm CA is reporting that the Storm Worm seems to have reawakened. According to CA, it was discovered bundled and distributed by a Trojan downloader along with Win32/FakeAV or Rogue Antivirus malware.