Fake Anti-Malware: Blurring the Boundaries

It won’t come as a surprise to regular readers of this blog that there’s a lot of fake/rogue anti-malware about. (see http://www.eset.com/threat-center/blog/category/fake-anti-malware-fake-software). However, a report released at RSA Europe goes some way towards quantifying that threat, and has created something of a stir in the media.

That’s to be expected: journalists tend to love facts and figures. Anti-malware researchers (well, this anti-malware researcher, at least) tend to be more cautious, and while the statistics in the report from Symantec certainly give a flavour of the sheer scale of the problem, they’re a snapshot taken from a particular viewpoint, not the whole panorama. (That said, a lot of resources seem to have been expended on this report: it’s probably not a million miles out.)

Unfortunately, some journalists have simply gone to the highlights page in the executive summary and recycled the figures (one newscast infuriated me by advising "don’t allow pop-ups", as if that were all there is to fixing the problem), whereas the really interesting and useful content is in the descriptions of the mechanisms behind these scams. We have an overview paper on the topic at http://www.eset.com/download/whitepapers/Free_but_Fake.pdf by ESET Latin-America’s Cristian Borghello, but for a more detailed approach, the much longer Symantec paper, based on a longitudinal study, is well worth looking at.

However, Rob Rosenberger’s reaction is also interesting: he took the opportunity to tweet a reminder of an article he wrote back in March about fake AV and virus hysteria. Somewhat predictably, he regards the anti-malware industry as a major contributor to the fake (or rogue) anti-malware problem. An interesting idea, coloured by his preoccupation with the notion that "virus hysteria" – an unpleasant phenomenon that I too have seen far too much of in the past 20 years – is partly the creation of the anti-malware industry. Well, I’m not going to tell you that the entire anti-malware industry is (and always has been) whiter than white. Still, I don’t think that a similarity in pricing and an addiction to signature updates really account, all by themselves, for the success of fake AV syndrome.

At this year’s Virus Bulletin conference, there was an interesting and amusing panel session that addressed both free anti-virus and fake AV, and I think there’s a clue there. Many people mistrust anti-malware products, and quite a few think they should be free. (No, that wouldn’t work for me: I have this addiction to food, which requires me to earn a living.)

Fake AV often exploits this desire for something for nothing by offering a free product that turns out to be far from free. It does, to some extent, mimic a legitimate model of "This product has detected such and such malware on your system, but you’ll have to pay us to remove it", but that model hasn’t been particularly associated with mainstream AV. (A number of shareware products have used a similar model, though.) And I certainly can’t think of a legitimate product that forces itself onto your PC as a pop-up, scans it without asking permission, and then demands payment before removing the malware it claims to have found, real or not.

Where there is confusion, though, it derives from the ways in which fake AV products try to blur the boundaries between fake and real: spoofed web sites, forged certifications and awards, advertising collateral and other material stolen from real products, and so on.

Another approach we’ve seen much more of in recent years is the use of legal action to try to restrict the ability of real security vendors to detect not only fake AV, but also nuisances such as certain kinds of adware that may not be considered malware in the strictest sense of the word. Juraj Malcho, head of ESET’s lab in Bratislava, presented a fascinating paper on the topic, "Is there a lawyer in the lab?", at Virus Bulletin 2009, as I mentioned in a previous blog. We can’t put up the paper itself until the end of the year because of the terms of the agreement made with Virus Bulletin when a conference paper is accepted, but a PDF version of the presentation is available here and here.

Other links:
http://tech.yahoo.com/news/nm/us_cybersecurity_symantec
http://news.bbc.co.uk/1/hi/technology/8313678.stm 
http://www.theregister.co.uk/2009/10/20/scareware_psychology/ 
http://www4.symantec.com/Vrt/wl?tu_id=TeCm125590003756772344

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/


  • http://Vmyths.com Rob Rosenberger

    David, I agree with your assessment of me! I hope that doesn’t sound odd. Great column.

    First let’s get the obvious out of the way. I made my name by fighting virus hysteria, thus my perception has always been colored by this notion. And although I can appreciate a free antivirus, I feel VERY strongly that AV vendors should get paid a day’s wage. No arguments there, my friend!

    Specifically, I want to make it clear that I agree with you: “a similarity in pricing and addiction to signature updates” didn’t in itself create “the success of fake AV syndrome.”

    I try to make a distinction between the “antivirus industry” versus the entire “computer security industrial complex,” which includes all those employees who review, buy, and deploy products for their firms. These are the people who may have been anointed as a “virus expert” because they once carried around a floppy disk with antivirus software on it.

    We agree the antivirus industry created a lot of hysteria — but more to the point, I think we agree it was the overwhelming “industrial complex” that regurgitated & amplified the hysteria. So “when it comes to fake-AV scams,” I said in my column, “the computer security industrial complex isn’t part of the solution, it’s actually part of the problem.” I don’t mean to single out the AV vendors here.

    We agree, too, that the victims’ confusion “derives from the ways that fake AV products try to blur the boundaries between fake and real.” It’s a time-honored trick used by scammers & false prophets. Enough said.

    However, I don’t know if you agree with me when I say “the battle cry ‘get yourself some antivirus software’ has become so mantra, that all of society sternly refuses to question its validity.” So please let me clarify my statement. Yes yes yes, AV vendors shout it for marketing reasons — but the overwhelming “industrial complex” has turned this battle cry into a mantra that cannot be questioned. (Lest you be deemed a heretic.) I don’t single out the AV vendors here, either.

    So again, I agree with your assessment of me and I hope I’ve shown why it shouldn’t strike you as odd. My very best to you!

    Rob

  • http://www.eset.com/threat-center/blog/ David Harley

    Hi, Rob.

    A FAS sidenote: as it happens, I did once carry an antivirus floppy around: I somehow got into this industry via a circuitous route involving systems administration, informatics and user support.

    We’ve been in agreement over many issues over the years, even if we haven’t discussed them… And virus hysteria (maybe we should start calling it malware hysteria now) is generally one of them. So it doesn’t surprise me that we’re generally in agreement here.

    As far as your point about the “get some AV” battlecry is concerned… I think for most people, it’s easier and safer to use AV, even if it’s only an extra layer of protection. In fact, it -has- to be an extra layer: AV is not usually a sufficient defence in itself, and hasn’t been for many years. You -can- use other protective strategies to the point where the returns from using AV are vanishingly small: however, most people don’t, so I’m not about to say that AV is unnecessary, even if someone offers me a job as a tennis pro. (Unlikely scenario…)

    Anyone else reading this thread: back in the dark ages, Rob wrote a paper (http://vmyths.com/mm/fas/fas.pdf) on False Authority Syndrome, which I’ve cited many times here and elsewhere, and will again: some of the detail may have dated, but the principles haven’t changed a bit. If you haven’t read it – and I recommend that you do – it may make the FAS reference above a bit less obscure. :)

Copyright © 2014 ESET, All Rights Reserved.