The
Ultimate
Guide to Scareware Protection
Throughout the last two years, scareware
(fake security software),
quickly emerged as the single most profitable money making strategy
for cybercriminals to take advantage of. Due to the aggressive
advertising practices applied by the cybercrime gangs, thousands of
users fall victim to the scam on a daily basis, with the gangs
themselves earning hundreds of thousands of dollars in the process.
Not surprisingly, the
latter part of
2009 was prone to mark the peak of the scareware
business model, whose affiliate program revenue sharing scheme is
not only attracting new cybercriminals due to its high pay-out
rates, but also, is directly driving innovation within the
cybercrime underground acting as a reliable financial incentive.
This end user-friendly guide aims to educate the Internet user on
what scareware is, the risks posed by installing it, its delivery
channels, avoiding and reporting it to the security community
(taking into consideration the fact that 99% of the current releases
rely on social engineering tactics), and most importantly, how to
recognize it.
What is Scareware?
Basically, scareware, also known as rogueware or put in simple
terms, fake security software, is a legitimately looking application
that is delivered to the end user through illegal traffic
acquisition tactics starting from
compromised web sites (Sony
PlayStation’s site SQL injected, redirecting to rogue security
software),
malvertising (malvertising;
Fake; Scareware
pops-up at FoxNews; Ukrainian
“Fan Club” Features Malvertisement at NYTimes.com), or blackhat
search engine optimization (9/11
related keywords hijacked to serve scareware; The
most dangerous celebrities to search for in 2009; The
Web’s most dangerous keywords to search for), to
ultimately attempt to trick the user into believing their computer
is already infected with malware, and that purchasing the
application will help them get rid of it.
Upon execution, certain scareware releases will not only prevent
legitimate security software from loading, but it will also prevent
it from reaching its update locations in an attempt to ensure that
the end user will not be able to get the latest signatures database.
Moreover, it will also attempt to make its removal a time-consuming
process by blocking system tools and third-party applications from
executing.
There have also been cases where scareware with elements of
ransomware has
been encrypting an infected user’s files, demanding
a purchase in order to decrypt them,
as well as a single reported incident where a scareware
domains was also embedded with client-side exploits.
For the time being, scareware releases are exclusively
targeting Microsoft Windows users.
The characteristics of Scareware - Pattern
Recognition For a Scam
Due to the fact that the scareware campaigns maintained by partners
in the affiliate network use a standard template distributed to all
of them, scareware sites all share a very common set of deceptive
advertising practices, which can easily help you spot them before
making a purchase.
For instance, the majority of scareware sites attempt to build more
authenticity into their propositions by using “non-clickable”
icons of reputable technology web sites and
performance evaluating services, such as PC
Magazine Editors’ Choice award, Microsoft
Certified Partner, ICSA
Labs Certified, Westcoast
Labs Certified, Certified
by Softpedia, CNET
Editors’ Choice, as well as ZDNet
Reviews — the real ZDNet
Reviews are
unaware of the scareware’s existence.
Yet another popular social engineering tactic are the fake
comparative review templates, basically showing a
chart where the scareware outperforms software offered by some of
the leading security companies.
Since the end user who’s about to conduct an impulsive purchasing
decision, doesn’t have the till to double check these claims, the
attached screenshot indicates how three different scareware brands (Virus
Shield 2009, Windows
Security Suite and Malware
Destructor 2009) are all using the same template
claiming their superiority over legitimate security software.
The diverse list of tactics leads us to the fear-driven social
engineering tactic of simulating a real-time antivirus scanning
in progress dialog, which in reality is nothing else but a
static script, with anecdotal cases where Mac users are presented
with a Windows-like My Documents folder window.
The
scanner’s results are static, fake and have absolutely no access
to your hard drive, therefore the claims that “You’re Infected!;
Windows has been infected; Warning: Malware Infections founds;
Malware threat detected” should be considered as a fear
mongering tactic.
Legitimate online malware scanners offered for free by their vendors
include, but are not limited to:
TrendMicro’s Housecall
Kaspersky’s Online Malware Scanner
F-Secure’s Online Malware Scanner
ESET’s Online Malware Scanner
BitDefender’s Online Malware Scanner
PandaSecurity’s Cloud Antivirus
McAfee’s Online Malware Scanner
Rising’s Online Malware Scanner
Dr. Web’s Online Malware Scanner
Symantec’s Online Malware Scanner
CA’s Online Malware Scanner
Among the key characteristics of scareware remain the professional
site layout, as well as the persistent re-branding of the template
in an attempt to shift the end user’s attention from the previous
brand’s increasingly bad reputation across the web. Combined, these
characteristics result in an efficient social engineering driven
scam that continues tricking thousands of victims on a daily basis.
The Delivery Channels and Traffic Hijacking Tactics
of Scareware Campaigns
There’s a high probability that your last encounter with scareware
came totally out of blue. Despite the fact that cybercriminals are
always looking for new push and pull strategies for their malware
releases, there are several tactics currently representing the most
popular delivery channels for scareware. Let’s review some of them.
Blackhat
search engine optimization (SEO) -
blackhat search engine optimization remains the
traffic acquisition method of choice for the majority of
cybercriminals looks
for quick ways to hijacking as much traffic as possible using
real-time events as themes for their campaigns. This tactic
consists of hundreds of thousands of hijacked keywords parked on
domains maintained by the criminals. Upon visiting any them, the
now tricked into believing the site is serving legitimate
content end user, is automatically redirected to a simulated
real-time antivirus scanning screen.
o The relevance
of the themes is
automatically syndicated such as Google
Trends in order to ensure that the window of opportunity for a particular
event is hijacked for the purpose of serving scareware.
It’s important to point out that each and every campaign relies
on the end user’s gullibility into manually downloading and
executing the scareware compared to drive-by attacks where the
infection will take place automatically through the use of
client-side vulnerabilities.
o
Some of most recent and still ongoing blackhat SEO campaigns
include - 9/11
related keywords hijacked to serve scareware; Federal
forms themed blackhat SEO campaign serving scareware and News
Items Themed Blackhat SEO Campaign Still Active
Systematic
abuse of social networks/Web 2.0 services -
there hasn’t been a single social network or Web 2.0 service
that hasn’t been
abused for scareware serving purposes. From Twitter, Scribd
and LinkedIn to Digg and Google
Video,
the systematic abuse of these services through the automatic
registration of hundreds of accounts by outsourcing
the CAPTCHA-recognition process,
remains an active asset in the arsenal of the scareware
campaigner
Malvertising (malicious
advertising) - malvertising is
the practice of serving malicious ads on legitimate and high
profile sites in an attempt to exploit the end user’s trust in
their ability to filter out such ads. Notable cases where
scareware windows pop-up out of the blue include - Fake
Antivirus XP pops-up at Cleveland.com; Scareware
pops-up at FoxNews, Digg,
MSNBC and Newsweek scareware campaign through malvertising
Pushed
by some of the most prolific botnets such as Conficker and
Koobface -
The Koobface
botnet gang which I’ve been tracking over the past
couple of months, is not only among the most active
blackhat SEO cybercrime enterprises online
— at least for the time being — but there have been cases where
they’ve been directly installing scareware
on Koobface infected hosts. Despite its current
idleness, the Conficker botnet gang has already made three
attempts to monetize the millions of infected hosts, by reselling
access to them to two different
gangs, but has also attempted
to install scareware on
them.
Now that you know what scareware is and how it reaches you, it’s
time to review some of practical ways for recognizing, avoiding and
reporting it to the security community for further analysis.
Recognizing, Avoiding and Reporting Scareware
Recognizing the bad apples and flagging them
Due to the dynamic and constant re-branding of known scareware
releases, maintaining a list of brands to recognize, avoid and be
suspicious about is highly impractical.
However, the most logical approach in that case would be to maintain
a list of legitimate antivirus software vendors in
an attempt to raise more suspicion on those who are not within the
list. One
such list is maintained by the CCSS (Common
Computing Security Standards Forum), and for the time being includes
the following vendors:
AhnLab (V3)
Antiy Labs (Antiy-AVL)
Aladdin (eSafe)
ALWIL (Avast! Antivirus)
Authentium (Command Antivirus)
AVG Technologies (AVG)
Avira (AntiVir)
BitDefender GmbH (BitDefender)
Cat Computer Services (Quick Heal)
ClamAV (ClamAV)
Comodo (Comodo)
CA Inc. (Vet)
Doctor Web, Ltd. (DrWeb)
Emsi Software GmbH (a-squared)
Eset Software (ESET NOD32)
Fortinet (Fortinet)
FRISK Software (F-Prot)
F-Secure (F-Secure)
G DATA Software (GData)
Hacksoft (The Hacker)
Hauri (ViRobot)
Ikarus Software (Ikarus)
INCA Internet (nProtect)
K7 Computing (K7AntiVirus)
Kaspersky Lab (AVP)
McAfee (VirusScan)
Microsoft (Malware Protection)
Norman (Norman Antivirus)
Panda Security (Panda Platinum)
PC Tools (PCTools)
Prevx (Prevx1)
Rising Antivirus (Rising)
Secure Computing (SecureWeb)
Sophos (SAV)
Sunbelt Software (Antivirus)
SUPERAntiSpyware (SAS)
Symantec (Norton Antivirus)
Trend Micro (TrendMicro)
VirusBlokAda (VBA32)
VirusBuster (VirusBuster)
An
alternative list of legitimate antivirus software providers is also
maintained by the VirusTotal service.
If you’re serious about security and care
about your data, you wouldn’t trust your computer’s integrity to an
application called Doctor
Antivirus 2008, Spyware
Preventer 2009, Power
Antivirus, Total
Virus Protection,
Malware Destructor 2009, Cleaner
2009, Smart
Antivirus 2009, Antivirus
VIP or Advanced
Antivirus
2009,
would you?
Another practical step in recognizing scareware, is to research
the potentially malicious domain in question by either using Google.com, or an engine
maintained by Google’s Anti-Malvertising.com project. The search
engine is using a database of sites maintaining lists of scareware
related domains, and greatly increases the probability of seeing the
suspicious domain in the results.
Keeping in mind that the end user has full control of the scareware
window that popped-up on their screen — despite its modest
resistance when attempting to close it down – downloading a copy of
it, and once making sure you’re not going to execute it, submit
it to a multiple antivirus scanning service such as VirusTotal.com to
further ensure its real nature, may in fact help protect millions of
users across the globe against this particular release since the
service shares the malware binaries across multiple vendors.
The file submitted on the attached screenshot may not be detected by
your antivirus vendor as scareware, but has already been flagged as
scareware by several other.
Avoiding and Preventing the Scareware Campaign
As in real-life virus outbreak,
prevention is always better than the cure. In terms
of scareware, handy Firefox-friendly add-ons
such as NoScript —
which you can see in action against an ongoing scareware campaign —
can undermine the effectiveness of any scareware campaign, delivered
through any of the distribution channels already discussed.
The "Newest" Google Chrome is now very effective against these attacks.
In a fraudulent scheme relying exclusively on social engineering
tactics, fear in particular, and a business model that’s largely
driven by the end user’s lack of awareness on this nearly perfect
social engineering scam, vigilance, absence of gullibility, and
common sense suspicion, remain your best protection. |
