Google Finds Fake Antivirus Programs on the Rise

Fake antivirus software is becoming more prevalent on the Internet, with its creators using clever methods to fool users into installing the programs, according to a new report from Google.

Google conducted a 13-month study looking at some 240 million Web pages. The company determined that 11,000 of those domains were involved in distributing fake antivirus programs, and that those kinds of program comprise 15 percent of the malicious software on the Web.

There are thousands of versions of fake antivirus software, but all work on the premise of falsely telling users their computer has been infected with malware. The programs then badger users to buy the software, which often looks legitimate but has no real functionality.

"More recent fake AV sites have evolved to use complex JavaScript to mimic the look and feel of the Windows user interface," according to Google's report. "In some cases, the fake AV detects even the operating system version running on the target machine and adjusts its interface to match."

Users are typically asked if they want to clean their machine, which causes the fake program to download. Fake antivirus usually spreads by social engineering ploys rather than by exploiting software vulnerabilities on the victim's computer, according to Google.

The scammers behind the fake antivirus software frequently use online advertisements using popular keywords, although Google says it filters those advertised URLs to get rid of malicious ones.

Google will blacklist those domains to warn people, but those developing fake antivirus software rotate the domains hosting their programs faster than ever to avoid the blocklist.

A domain hosting fake antivirus software used to serve up the content for up to 100 hours in April 2009, Google said. But that figure fell to below 10 hours in September 2009 and then to less than one hour in January.

"These trends point to domain rotation, a technique that allows attackers to drive traffic to a fixed number of IP addresses through multiple domains," the report said. "This is typically accomplished by setting up a number of landing domains, either as dedicated sites or by infecting legitimate sites, that redirect browsers to an intermediary under the attacker's control."

Google also found that legitimate antivirus vendors were having more trouble identifying the fake programs due to an increased level of "polymorphism," a technique used to make an application look unique and evade malware scanners.

Fake antivirus programs haven't escaped scrutiny from regulators. Following a complaint from the U.S. Federal Trade Commission (FTC), a U.S. district court ordered six people and two companies to stop selling fake security products such as WinFixer, WinAntivirus, DriveCleaner, ErrorSafe and XP Antivirus.

As part of that case, the FTC levied a $1.9 million judgement against James Reno and his Web hosting company, ByteHosting Internet Service of Ohio, but later reduced the judgement to $116,697 in June 2009.

Subscribe to the Security Watch Newsletter

Comments