Websense, our neighbour in San Diego, has reported a fake anti-malware scam centred on Labor Day social engineering. The scam uses malicious SEO (Search Engine Optimization) techniques, sometimes referred to as index hijacking or SEO poisoning, to misdirect potential victims. When the victim uses Google to search for Labor Day sales (apparently these are very popular in the US), the bad guys use SEO poisoning to ensure that some of the highest-ranking hits are actually malicious URLs. These redirect the victim to a site that "warns" him that his machine is infected and offers "free" (but fake) anti-virus software. According to Websense, AOL and ASK.com search results have been affected by similar SEO poisoning.
(We have a paper on our white papers page on the topic of fake anti-malware, written by Cristian Borghello, one of my colleagues in ESET Latin America. It describes how "free" anti-malware can turn out to be pretty expensive.)
There's nothing particularly new about SEO poisoning, of course: my colleague on the AMTSO Board of Directors, Igor Muttik, wrote a comprehensive chapter for the AVIEN Malware Defense Guide* on web attacks that includes a section on index hijacking. Similarly, malware frequently uses social engineering based on public holidays to lure its victims (remember the Waledac 4th of July spam, which we and Websense, among others, also flagged?), as well as other attention-grabbing topics such as the Athens fires. Nevertheless, it's well worth reiterating that this kind of social engineering isn't restricted to spamming out malicious attachments or links. You may trust Google's good intentions, but that doesn't mean that every link that turns up in a Google search is going to be trustworthy.
Like legitimate businesses that make money from their web presence, the bad guys also take steps to ensure that their "business" is top of the heap in web searches.
Sophos have also brought to our attention a slightly novel wrinkle currently employed by fake AV distributors. In this case, it's a fake AV product which doesn't just tell you that you're infected by imaginary malware, but points to specific files on your system and tells you they are "spyware". We have seen instances where a system is deliberately attacked in order to sell the "solution": for instance, part of the pitch for one type of fake file recovery software was to encrypt some of the victim's files and flag them as "corrupted", so that the fake software could then "repair" them. Fortunately, this isn't quite the same. The Trojan isn't actually creating malware on the victim's machine; it's simply creating garbage files and flagging them as malicious. These files can't execute and are easily removed (you certainly don't need to buy the fake AV to remove them).
You may wonder what’s to stop these guys generating real malware. Well, not much: there’s nothing to stop one malicious program generating another, which a third (the fake security software) claims to detect and remove. The reason that we don’t see this more often may simply be that the authors of fake AV are constantly trying to blur the distinction between fake security software and the real thing. This has at least two advantages for them:
So they may be holding back from generating real malware in contexts where doing so would make it harder for them to claim in court, for example, that the fake scanner is legitimate security software.
However, that doesn’t mean that some criminal genius won’t decide that it makes sense to write the malware and the "anti-malware" at the same time. In fact, there are precedents for this that go back to the 1990s: indeed, I once declined to participate in a book project that was intended to teach the art of antivirus development by describing how to write specific viruses, and then describing how to write detection routines.
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
*Dr. Igor G. Muttik, A Tangled Web, in "The AVIEN Malware Defense Guide for the Enterprise", ed. Harley, Syngress 2007.