Nerdy News Blog From A Geek To Go!

Striving to deliver a daily dose of the techie trials and tribulations on a 'Need 2 kn0w' basis. U kn0w wh0 u r!

Thursday, May 13, 2010

Google: Fake antivirus is 15 percent of all malware

by Elinor Mills

A rise in fake antivirus offerings on Web sites around the globe shows that scammers are increasingly turning to social engineering to get malware on computers rather than exploiting holes in software, a Google study to be released on Tuesday indicates.

Fake antivirus--false pop-up warnings designed to scare money out of computer users--represents 15 percent of all malware that Google detects on Web sites, according to a 13-month analysis the company conducted between January 2009 and February 2010.

That's a five-fold increase from when the company first started its analysis, Niels Provos, a principal software engineer at Google, said in an interview.

Meanwhile, fake antivirus scams represent half of all malware delivered via advertisements, which is becoming a problem for high-profile sites that rely on their advertisers and ad networks to distribute clean ads.

Google analyzed 240 million Web pages and uncovered more than 11,000 domains involved in fake antivirus distribution for the study, which Google is set to unveil at the Usenix Workshop on Large-Scale Exploits and Emergent Threats Tuesday in San Jose, Calif.

Researchers also found that over the course of the study, domains used for distributing the malware were online for shorter and shorter periods of time in the face of Google's Safe Browsing technology. Used in Chrome and Firefox, Safe Browsing helps alert Web browsers to sites hosting malware, Provos said.

"As early as 2003, malware authors prompted users to download fake AV software by sending messages via a vulnerability in the Microsoft Messenger service. We observed the first form of fake AV attack involving Web sites, e.g. Malwarealarm.com, in our systems on March 3, 2007," the report says. "At that time, fake AV attacks employed simple JavaScript to display an alert that asked users to download a fake AV executable."

"More recent fake AV sites have evolved to use complex JavaScript to mimic the look and feel of the Windows user interface," the report continues. "In some cases, the fake AV detects even the operating system version running on the target machine and adjusts its interface to match."

Fake antivirus is easy money for scammers, Provos said.

"Once it is installed on the user system, it's difficult to uninstall, you can't run Windows updates anymore or install other antivirus products, and you must install the [operating] system," rending it unusable until it is cleaned up, he said.

Provos said when encountering a fake antivirus message, Web surfers should close the browser and restart the program. People who are duped by the scam may have to get professional help in cleaning up the computer, he said. They should also monitor their credit card accounts because scammers can use the credit card information for identity fraud.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.

I CUT THE CORD...

First, on Comcast. What's the point of paying $60.00/month for "basic cable," which consists of 24 channels of nothing, when I can get so much free content from sites like Hulu, TBS.com, NBC.com, etc. and drop a whopping $9.99 for Netflix (all you can watch) movies streamed to your computer - or - if it's not available for streaming, then you can order your one DVD at a time for your viewing pleasure?

The other cord I cut was Facebook. This took considerable consideration considering my friend base, and so much personal information given. But now that they have gone back on their word for Privacy Protection (like most startups do after creating an audience) I've begun dismantling my personal profile and hope to carry my friends to our main profile at A Geek To Go! If I want anything to be divulged to the world, I may as well receive name recognition in the form of branding, right? If they are going to make money off of me and my friends, why can't I take part?

For more information check out this report from CNN: http://www.cnn.com/2010/TECH/05/12/facebook.backlash/index.html