Topic: Google

Google: Fake antivirus makes up 15 percent of all malware

Summary: A rise in fake antivirus offerings on Web sites around the globe shows that scammers are increasingly turning to social engineering to get malware on computers rather than exploiting holes in software.

By Elinor Mills | April 28, 2010 -- 04:44 GMT (21:44 PDT)

A rise in fake antivirus offerings on Web sites around the globe shows that scammers are increasingly turning to social engineering to get malware on computers rather than exploiting holes in software, a Google study to be released on Tuesday indicates.

Fake antivirus--false pop-up warnings designed to scare money out of computer users--represents 15 percent of all malware that Google detects on Web sites, according to 13-month analysis the company conducted between January 2009 and February 2010.

That's a five-fold increase from when the company first started its analysis, Niels Provos, a principal software engineer at Google, said in an interview.

Meanwhile, fake antivirus scams represent half of all malware delivered via advertisements, which is becoming a problem for high-profile sites that rely on their advertisers and ad networks to distribute clean ads.

Google analyzed 240 million Web pages and uncovered more than 11,000 domains involved in fake antivirus distribution for the study, which Google is set to unveil at the Usenix Workshop on Large-Scale Exploits and Emergent Threats Tuesday in San Jose, Calif.

For more on this story, read Google: Fake antivirus is 15 percent of all malware on CNET News.

Topics: Google, Malware, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

61 comments

Log in or register to join the discussion

Adverts

If you use Firefox just use the addon Ad Block Plus.
It blocks those ads on the pages.
No more problem.

MoeFugger
28 April, 2010 06:25

Reply Vote
- Firefox doesn't work...
  
  Wrong. The ads use many different technologies that the plug-ins for Firefox don't all yet block properly. Plus some of them are not from ads, but from search engine poisoning, and other methods. If anything Firefox is more of a problem than a help.
  
  Narg
  28 April, 2010 10:07
  
  Reply Vote
  - Firefox
    
    Firefox helps, but the target is not the browser or workstation: it is the user. If they can only suck the user into making one little error...
    
    We need better protection at several levels. The firewall, network, OS, security software, applications, and users all need to be prepared to manage threats. Right now, we are lucky to get one of 6. As long as that one can be circumvented by a frightened and ill-trained user we are vulnerable. Period.
    
    wpeckham@...
    28 April, 2010 11:18
    
    Reply Vote
    - Firefox
      
      I had an attack of this nature this past weekend. I immediately realized what it was and obviously didn't download the software. The problem was it would actually have been easier to get rid of if I had, because then I could have deleted the appropriate files and altered the registry. But as it was, I couldn't locate the files or the registry entries and despite using a host of malware and spyware scanners to identify the exact nature of the infection and then using HijackThis and ComboFix, I still couldn't get rid of it without resorting to professional help. And that's without actually downloading it. This attack happened almost exactly as described above, I was on a legit site and it popped up. Granted, I could have gotten it while possibly being on a site that's not exactly on the up and up, but it still got past Firefox. Yes, I do agree that an uneducated computer user is incredibly dangerous to themselves and their system, but don't pin all the blame on them. Even users who aren't IT professionals but are still more technical than the average user can still get surprise attacked.
      
      themosh
      28 April, 2010 21:05
      
      Reply Vote
  - AdBlock Plus No Script = Effective Countermeasures
    
    No one tool does everything.
    
    Dr. John
    28 April, 2010 14:50
    
    Reply Vote
    - Good combination
      
      Not fool-proof (what is?) but better than anything IE has come up with.
      
      ubiquitous one
      28 April, 2010 18:35
      
      Reply Vote
    - I second that..
      
      "...AdBlock Plus No Script = Effective Countermeasures ... No one tool does everything."
      
      I won't use FF without NoScript - what, with the inbuilt (and fully customizable) ABE protection engine, XSS sanitizer and HTTPS enforcement for user specified domains - you have but an inkling there of how much background browsing defense NS provides. Add to that AdBlock Plus and it's easy to use UI and its dynamic user control over domain-based ads, then you've just made for a d@mn secure time browsing! ;)
      
      In essence, FF + ABP + NS is just an awesome combo that i'd advise any person to take up. Their relevance to this particular case shouldn't be dismissed lightly by any reader of this particular blog.
      
      Thanks for bringing the subject to the fore.
      
      thx-1138_
      29 April, 2010 06:08
      
      Reply Vote
      - Try surfing the internet without it
        
        Never mind just the security benefits, I don't have to look at those stupid ads and pop-up boxes anymore.
        
        Makes webpages a look a lot cleaner and cuts down on corporate contamination to boot.
        
        ubiquitous one
        29 April, 2010 15:49
        
        Reply Vote
    - I give that combination to all my clients
      
      After a bit of explanation, and careful social engineering with respect to NoScript, I've not had a single complaint about not being able to access any content on any website, and when I ask I'm usually told NoScript is not in the least annoying to use.
      
      tracy anne
      29 April, 2010 16:03
      
      Reply Vote
  - Good Point, Bad Point!
    
    You make the good point that Firefox does not block everything (and for that matter, cannot), but then you spit in the soup by following it immediately with a bad point, not even CLOSE to true, when you claim it is "more of a problem than a help".
    
    Of course this is false. Firefox + NoScript, or better yet, Firefox+NoScript+AdBlock, has set the bar high for safe browsing on the net, and saved a LOT of people from serious problems.
    
    mejohnsn
    29 April, 2010 20:56
    
    Reply Vote
RE: Google: Fake antivirus makes up 15 percent of all malware

I have been telling my customers for months that the facebook, myspace and tagged sites are getting hit with their advertisements and applications.

tech@...
28 April, 2010 09:17

Reply Vote
It's more than 15%!!!!

The only malware I've had to clean off of a computer over the past 18 months are these fake AV programs. Sure there's probably a lot more floating around, but 99% of them are caught by AV programs. (real AV programs that is). This fake AV malware is horrendous. The makers should be sued until their great grandchildren hurt!

Narg
28 April, 2010 10:05

Reply Vote
- A lot more than 15%
  
  90% of the computers I've cleaned in the last 3 years are Rogue AVs such as AV2008, 09, and 10. Norton, TrendMicro, and others don't even know that these AVs are getting through. MalwareBytes work if you install it with another name (and delete restore points). SuperAntiSpyware works 90% of the time.
  
  JayMar13
  28 April, 2010 11:02
  
  Reply Vote
  - It's all in the timing
    
    MalwareBytes also works if you simply click it as soon as the PC boots up. The malware can only prevent MalwareBytes from running if it has loaded first. A fast initial click heads it off at the pass and it'll be cleaned out after another reboot.
    
    Nemesys_z
    28 April, 2010 11:09
    
    Reply Vote
  - Malwarebytes
    
    I've always been able to get Malwarebytes to work by booting in Safe Mode, thus preventing the fake AV malware from loading.
    
    Rick
    
    rick@...
    28 April, 2010 11:40
    
    Reply Vote
    - This may be but...
      
      I have found that some of this rogueware will not allow a safemode boot. I had a staffers PC come into my department yesterday that was infected with the CleanUP Antivirus garbage. After the initial disable restore and running all the tools I had in my cadre, I was unsucessfull in getting rid of all of it. It kept rewriting the hosts file even after no software was left. I finally downloaded Combofix and that was the magic key to cleaning and repairing all the Damage including the Hosts file. I downloaded it from bleepingcomputer.com if anyone else wants it. It seems tht this tool runs everything from inside a command window.
      
      I hope that someday they actually catch one of these bastards who write this crap so all of us IT screwdriver jockeys can take out all of our pent up aggression on them. At least it keeps us gainfully employed...
      
      Jrats_Revenge
      28 April, 2010 12:42
      
      Reply Vote
      - I agree, but, if all esle fails...
        
        I know what you mean, and I've had similar problems. I've found that sometimes the best way to remove this garbage is a live CD like UBCD4 Windows. It comes with Clam AV and you can do updates over the internet. And, you can do registry mods, or work on the hosts file without booting to Windows. (It's based on Linux) It's a great tool for diagnosing and fixing problems of all kinds.
        
        P.S. it will also retrieve data from systems with crashed OSs. At least on XP and earlier NTFS formatted systems. The encrypting file system only works to prevent this if you deliberately encrypt a folder, and set a password. Otherwise, the information can be retrieved.
        
        mikey0f777
        29 April, 2010 11:05
        
        Reply Vote
    - Malwarebytes
      
      Malwarebytes saved me from the Security Tool virus. I wish I had tried it when I fist discovered a problem.
      
      iluvbirds25
      28 April, 2010 14:23
      
      Reply Vote
    - That doesn't always work tho...
      
      I've seen a few variants that even manage to load in Safe Mode.
      
      But in those cases, the fix is to google for the exact name of the fake AV product, and look at the removal instructions. Sometimes there are registry mods you have to do in order to get it to work properly.
      
      Wolfie2K3
      28 April, 2010 18:41
      
      Reply Vote
    - Do a full Malwarebytes scan in safe mode
      
      Even after you boot into safe mode. Not just preventing the fake AV malware from loading. That way anything hidden in Regular Mode will be wiped away.
      
      ubiquitous one
      28 April, 2010 18:42
      
      Reply Vote