Fake Antivirus Malware

The world has made a bit of temporary progress against the bad guys.

Almost every week during 2010 and the first six months of 2011, I cleaned malware off computers after it was installed by poisoned web sites. It usually started with a window designed to resemble a security program alleging to have found malware and offering to scan for it or clean it off. Any touch on a button – OK, Cancel, or even the X in the corner – would elevate its permission level and allow it to install the real malware. The payload ranged from simple annoying popup balloons and windows aimed at getting you to surrender a credit card number, to a complete takeover of the operating system to make it inoperable until you surrendered a credit card number. (In neither case would your computer go back to normal if you gave a credit card number. If you think it might, you’re missing the point. These are bad guys. They do not have consciences, they do not feel guilt, they do not care if you like them.)

And in the worst case, rootkits would be installed that could not be removed without reformatting the hard drive, and perhaps your keystrokes would be recorded and sent back to the Ukraine or your dog would be killed or who knows what. Fortunately most of them were not that nasty.

I’ve gotten almost none of those calls in the last two months. I’ve been preening because I figured it was something specific to my clients: (1) you are wise and well-informed and practice safe computing, as well as being strikingly good-looking; and (2) you are less prone to being attacked because my patching service keeps your computers up to date.

It turns out there is one more important reason, as detailed by Ed Bott in his column today: there has actually been a huge drop in malware attacks after an effective international law enforcement effort in May and June.

The most significant arrest came on June 23, when Russian police arrested the head of the company that processed payments for a major network of web sites distributing fake antivirus malware (including the “Mac Defender” malware that provided a rude awakening for Mac users this summer).

Servers and networks were rolled up in the US and twelve other countries in a coordinated effort put together by the FBI. Enigma Software Group describes its perception of the result:

On our end, we’ve seen a drastic drop in scan logs from new users, support logs, detections, and support tickets from new customers. Basically, we’ve witnessed a 60% decline in new fake AVs, scareware, and rogue anti-virus incidents.

Noted security researcher Brian Krebs has more details about the effect of the arrests and the disruption of the bad guys’ ability to process credit card payments. (His earlier article has fascinating details about the arrests and the financing of the malware industry.)

There is one thing that all the researchers agree on, though. The bad guys will be back. They will come up with new companies that will handle their credit card transactions, new banks that will launder their money, new server complexes that will host their servers, and perhaps a new idea about how to seduce you into clicking an OK button. These are cockroaches and they will return. Here is an interesting story to remember: three years ago, the volume of spam worldwide dropped by more than 40% in one night when authorities cut the Internet connection to a single building in San Jose. It was a triumph – and it was only a matter of days before operations were relocated to overseas ISPs and the networks of compromised PCs began to send spam just like before.

Stay alert and hey – let’s be careful out there!
