Anti-spyware demo revealed as malware in disguise

A strain of malware disguised as anti-spyware has become the latest double-agent in multi-step "convergence" crime online.

The scam, which prompts users to download malware by posing as an anti-spyware demo, has proliferated dramatically. Reported incidences of its distribution have increased by 1,000 percent in the last month, according to Don Jackson, senior analyst at SecureWorks.

Jackson believes the scam is being hosted by hackers using Russian Business Network services (RBN), an illegal ISP responsible for hosting a significant amount of malicious and criminal content on the web.

The scam reportedly lures users browsing "a legitimate, high-traffic website where a legitimate-appearing ad is hosted," claims Jackson.

A spokesperson for MessageLabs said the scam is similar to any other involving adware: "These things are coming off legitimate websites with material linked back to a disreputable source," the spokesperson said.

The malicious link from the advertisement then initiates a pop-up warning to users about a false security threat and prompts them to download a demo anti-spyware package, which they can then purchase; giving hackers immediate credit card details and a delivery method for a trojan such as Zlob, said SecureWorks' Jackson.

He suggested that the benefits of these types of scams for the hacker come through the on-selling opportunities for credit card information and selling access to infected computers.

Jackson also pointed out that while these scams present multiple benefits for hackers, they also rely on "a high degree of collaboration among a number of internet criminals for the full 'supply chain' to benefit to the greatest possible extent from the scam."

"What we're seeing a lot of is the convergence of attacks and groups of cybercriminals working closely together, there's a network of bad guys out there," said MessageLabs' spokesperson.

"Everyone's using each others technology, so the spyware guys will use spam tech to get out the spyware, which collects info for the spammers."

SecureWorks' Jackson claimed that these attacks are operating in a "grey area" of the law, as providing demos of anti-spyware software isn't regarded as a criminal offence.

Despite the threats posed by such attacks, some experts believe that these increasingly complex scams present evidence that the security industry is winning the battle against malware writers: "The fact that it sounds complicated can be taken as a sign that we're beginning to do very well," said Paul Ducklin, head of technology at security firm Sophos.