Google: Fake antivirus makes up 15 percent of all malware

Summary: A rise in fake antivirus offerings on Web sites around the globe shows that scammers are increasingly turning to social engineering to get malware on computers rather than exploiting holes in software.

A rise in fake antivirus offerings on Web sites around the globe shows that scammers are increasingly turning to social engineering to get malware on computers rather than exploiting holes in software, a Google study to be released on Tuesday indicates.

Fake antivirus--false pop-up warnings designed to scare money out of computer users--represents 15 percent of all malware that Google detects on Web sites, according to a 13-month analysis the company conducted between January 2009 and February 2010.

That's a five-fold increase from when the company first started its analysis, Niels Provos, a principal software engineer at Google, said in an interview.

Meanwhile, fake antivirus scams represent half of all malware delivered via advertisements, which is becoming a problem for high-profile sites that rely on their advertisers and ad networks to distribute clean ads.

Google analyzed 240 million Web pages and uncovered more than 11,000 domains involved in fake antivirus distribution for the study, which Google is set to unveil at the Usenix Workshop on Large-Scale Exploits and Emergent Threats Tuesday in San Jose, Calif.

For more on this story, read Google: Fake antivirus is 15 percent of all malware on CNET News.



  • Adverts

    If you use Firefox just use the addon Ad Block Plus.
    It blocks those ads on the pages.
    No more problem.
    • Firefox doesn't work...

      Wrong. The ads use many different technologies that the plug-ins for Firefox don't all yet block properly. Plus some of them are not from ads, but from search engine poisoning, and other methods. If anything Firefox is more of a problem than a help.
      • Firefox

        Firefox helps, but the target is not the browser or workstation: it is the user. If they can only suck the user into making one little error...

        We need better protection at several levels. The firewall, network, OS, security software, applications, and users all need to be prepared to manage threats. Right now, we are lucky to get one of 6. As long as that one can be circumvented by a frightened and ill-trained user we are vulnerable. Period.
        • Firefox

          I had an attack of this nature this past weekend. I immediately realized what it was and obviously didn't download the software. The problem was it would actually have been easier to get rid of if I had, because then I could have deleted the appropriate files and altered the registry. But as it was, I couldn't locate the files or the registry entries and despite using a host of malware and spyware scanners to identify the exact nature of the infection and then using HijackThis and ComboFix, I still couldn't get rid of it without resorting to professional help. And that's without actually downloading it. This attack happened almost exactly as described above, I was on a legit site and it popped up. Granted, I could have gotten it while possibly being on a site that's not exactly on the up and up, but it still got past Firefox. Yes, I do agree that an uneducated computer user is incredibly dangerous to themselves and their system, but don't pin all the blame on them. Even users who aren't IT professionals but are still more technical than the average user can still get surprise attacked.
      • AdBlock Plus No Script = Effective Countermeasures

        No one tool does everything.
        Dr. John
        • Good combination

          Not fool-proof (what is?) but better than anything IE has come up with.
          ubiquitous one
        • I second that..

          "...AdBlock Plus No Script = Effective Countermeasures ... No one tool does everything."

          I won't use FF without NoScript - what, with the inbuilt (and fully customizable) ABE protection engine, XSS sanitizer and HTTPS enforcement for user-specified domains - you have but an inkling there of how much background browsing defense NS provides. Add to that AdBlock Plus and its easy-to-use UI and its dynamic user control over domain-based ads, then you've just made for a d@mn secure time browsing! ;)

          In essence, FF + ABP + NS is just an awesome combo that I'd advise any person to take up. Their relevance to this particular case shouldn't be dismissed lightly by any reader of this particular blog.

          Thanks for bringing the subject to the fore.
          • Try surfing the internet without it

            Never mind just the security benefits, I don't have to look at those stupid ads and pop-up boxes anymore.

            Makes webpages look a lot cleaner and cuts down on corporate contamination to boot.
            ubiquitous one
        • I give that combination to all my clients

          After a bit of explanation, and careful social engineering with respect to NoScript, I've not had a single complaint about not being able to access any content on any website, and when I ask I'm usually told NoScript is not in the least annoying to use.
          tracy anne
      • Good Point, Bad Point!

        You make the good point that Firefox does not block everything (and for that matter, cannot), but then you spit in the soup by following it immediately with a bad point, not even CLOSE to true, when you claim it is "more of a problem than a help".

        Of course this is false. Firefox + NoScript, or better yet, Firefox+NoScript+AdBlock, has set the bar high for safe browsing on the net, and saved a LOT of people from serious problems.
  • RE: Google: Fake antivirus makes up 15 percent of all malware

    I have been telling my customers for months that the facebook, myspace and tagged sites are getting hit with their advertisements and applications.
  • It's more than 15%!!!!

    The only malware I've had to clean off of a computer over the past 18 months are these fake AV programs. Sure there's probably a lot more floating around, but 99% of them are caught by AV programs. (real AV programs that is). This fake AV malware is horrendous. The makers should be sued until their great grandchildren hurt!
    • A lot more than 15%

      90% of the computers I've cleaned in the last 3 years are Rogue AVs such as AV2008, 09, and 10. Norton, TrendMicro, and others don't even know that these AVs are getting through. MalwareBytes works if you install it with another name (and delete restore points). SuperAntiSpyware works 90% of the time.
      • It's all in the timing

        MalwareBytes also works if you simply click it as soon as the PC boots up. The malware can only prevent MalwareBytes from running if it has loaded first. A fast initial click heads it off at the pass and it'll be cleaned out after another reboot.
      • Malwarebytes

        I've always been able to get Malwarebytes to work by booting in Safe Mode, thus preventing the fake AV malware from loading.

        • This may be but...

          I have found that some of this rogueware will not allow a safe mode boot. I had a staffer's PC come into my department yesterday that was infected with the CleanUP Antivirus garbage. After the initial disable restore and running all the tools I had in my cadre, I was unsuccessful in getting rid of all of it. It kept rewriting the hosts file even after no software was left. I finally downloaded Combofix and that was the magic key to cleaning and repairing all the damage including the Hosts file. I downloaded it from if anyone else wants it. It seems that this tool runs everything from inside a command window.

          I hope that someday they actually catch one of these bastards who write this crap so all of us IT screwdriver jockeys can take out all of our pent up aggression on them. At least it keeps us gainfully employed...
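The commenter above mentions the rogue AV repeatedly rewriting the hosts file. An added example (not from the article or any commenter) of a small audit a defender can run on a hosts file to spot that kind of tampering; the sample hosts content and the watched-domain list are constructed for illustration.

```python
"""Audit hosts-file content for entries a rogue AV might plant.

Added example, not code from the article or its commenters.
SAMPLE_HOSTS and WATCHED_DOMAINS are constructed placeholders.
"""
import ipaddress

# Domains whose hosts-file override would be suspicious on a workstation
# (e.g. an update service or a security vendor). Constructed placeholders.
WATCHED_DOMAINS = {"av-vendor.example", "update.example"}

# Constructed sample: two normal loopback lines, then three planted entries.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       download.av-vendor.example
0.0.0.0         update.example
198.51.100.7    bank.example
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def find_suspicious(text, watched=WATCHED_DOMAINS):
    """Return (ip, name, reason) for entries that override a watched domain
    or point any non-localhost name at a non-loopback address."""
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "unparseable address"))
            continue
        if name == "localhost":
            continue
        if any(name == d or name.endswith("." + d) for d in watched):
            findings.append((ip, name, "watched domain overridden"))
        elif not (addr.is_loopback or addr.is_unspecified):
            findings.append((ip, name, "redirect to remote address"))
    return findings


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_HOSTS):
        print(hit)
```

Running it periodically (or comparing against a known-good copy) catches the hosts file being rewritten again after a cleanup, which is the symptom described above.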
          • I agree, but, if all else fails...

            I know what you mean, and I've had similar problems. I've found that sometimes the best way to remove this garbage is a live CD like UBCD4 Windows. It comes with Clam AV and you can do updates over the internet. And, you can do registry mods, or work on the hosts file without booting to Windows. (It's based on Linux) It's a great tool for diagnosing and fixing problems of all kinds.

            P.S. it will also retrieve data from systems with crashed OSs. At least on XP and earlier NTFS formatted systems. The encrypting file system only works to prevent this if you deliberately encrypt a folder, and set a password. Otherwise, the information can be retrieved.
        • Malwarebytes

          Malwarebytes saved me from the Security Tool virus. I wish I had tried it when I first discovered a problem.
        • That doesn't always work tho...

          I've seen a few variants that even manage to load in Safe Mode.

          But in those cases, the fix is to google for the exact name of the fake AV product, and look at the removal instructions. Sometimes there are registry mods you have to do in order to get it to work properly.
        • Do a full Malwarebytes scan in safe mode

          Even after you boot into safe mode. Not just preventing the fake AV malware from loading. That way anything hidden in Regular Mode will be wiped away.
          ubiquitous one