Rogue security programs are 'ongoing threat'

Symantec's analysis of fake security software over 12 months finds 43 million attempts to install some 250 programs, most of which were coded in English.
Written by Vivian Yeo, Contributor

Rogue security software, also dubbed scareware, is an "ongoing threat" that is impacting largely users from English-speaking markets, according to findings from a year-long study by Symantec.

Released Tuesday, Symantec's report on rogue security software noted that 250 rogue security programs launched some 43 million attempts to prompt user installation between July 2008 and June 2009.

Further analysis on the top 50 most reported scareware was carried out between July and August this year, during which Symantec found that 38 of the programs had been detected prior to Jul. 1, 2008.

"The continued prevalence of these programs emphasizes the ongoing threat they pose to potential victims, despite efforts to shut them down and raise public awareness," the security vendor said in the report.

The five most commonly reported rogue security applications during the study were SpywareGuard 2008, AntiVirus 2008, AntiVirus 2009, Spyware Secure and XP AntiVirus.

Over 90 percent of the top 50 scareware had a dedicated Web site to support the scam, Symantec said. More than 194,000 domain names associated with rogue security applications were observed during the two-month evaluation period.

Web advertising was another popular tool, used in 52 percent of the installation attempts, added the company. Scammers also employed "black hat search engine optimization" to "poison search results" in order to be ranked higher on search results. They capitalized on topical and popular news, events and celebrities, such as during the Conficker worm saga, where scam perpetrators created Web sites containing terms such as "remove virus".

Besides playing on consumer fears, scammers also attempted to trick users via social engineering techniques, Symantec reported.

A major risk associated with rogue security programs is that users are provided a "false sense of security", said the vendor. Such applications also potentially expose PCs to additional threats as they may instruct the user to adopt more lenient security settings, or block compromised machines from accessing legitimate Web sites of security companies. In addition, users' personal data including credit card details submitted during the registration process, could be used without their knowledge or sold in the underground economy.
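The report says some rogue programs keep compromised machines from reaching legitimate security vendors' sites but does not say how. One well-known way this is done is by adding overrides to the local hosts file, and a defender can audit for that cheaply. The following Python is an added example, not code from the article or from Symantec's report; it assumes hosts-file tampering as the mechanism, the vendor watchlist is hypothetical, and the sample hosts content is constructed for the demonstration.

```python
import ipaddress

# Constructed sample hosts-file content (not taken from the article). The last
# three lines imitate overrides that would keep a machine from reaching a
# security vendor: loopback, the null address, or an attacker-chosen address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.symantec.com
0.0.0.0         update.symantec.com
192.0.2.44      www.kaspersky.com
"""

# Hypothetical watchlist of vendor domains that should never be pinned locally;
# extend it with whatever vendors your environment actually depends on.
SECURITY_VENDOR_SUFFIXES = (
    "symantec.com", "kaspersky.com", "mcafee.com",
    "sophos.com", "avast.com", "microsoft.com",
)


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, skipping comments and
    malformed lines. A line may map one address to several hostnames."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip = parts[0]
        try:
            ipaddress.ip_address(ip)  # reject lines whose first field is not an address
        except ValueError:
            continue
        for host in parts[1:]:
            entries.append((ip, host.lower()))
    return entries


def find_hijacked_vendor_entries(entries, suffixes=SECURITY_VENDOR_SUFFIXES):
    """Return entries whose hostname is a watched vendor domain or a subdomain of one.
    Any such entry is suspicious regardless of the address: these names are
    expected to resolve through DNS, never through a local override."""
    flagged = []
    for ip, host in entries:
        for suffix in suffixes:
            if host == suffix or host.endswith("." + suffix):
                flagged.append((ip, host))
                break
    return flagged


def audit_hosts_text(text):
    """Parse hosts-file text and return the suspicious vendor overrides."""
    return find_hijacked_vendor_entries(parse_hosts(text))


def audit_hosts_file(path):
    """Audit a real hosts file, e.g. /etc/hosts or
    C:\\Windows\\System32\\drivers\\etc\\hosts."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return audit_hosts_text(f.read())


if __name__ == "__main__":
    for ip, host in audit_hosts_text(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {host} -> {ip}")
```

The check deliberately flags any override of a watched domain rather than only loopback entries, because a redirect to an attacker-controlled address is just as effective at keeping the victim away from real updates and signatures.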

Asia's language diversity slowing attacks
Just over 60 percent of install attempts involving the top 50 scareware applications targeted users in North America, Symantec said in the report. Some 31 percent of these scams occurred in Europe, the Middle East and Africa (EMEA), while the Asia-Pacific, including Japan, and Latin America regions were targeted in 6 percent and 2 percent, respectively, of such attempts.

The disparity in rogue software attacks likely corresponded to the fact that the majority of malicious activity globally is also detected in the North America and EMEA regions. In addition, most of the rogue programs were developed and distributed in English, although there were exceptions such as CodeClean, which targets Korean users.

The top five countries that housed servers hosting the rogue applications were in North America and Europe. The United States had the biggest share, accounting for 53 percent of all servers, while Germany ranked second with a share of 11 percent. China was the only Asian country to be ranked among the top 10, accounting for 3 percent of the servers.

Alvin Ow, Symantec's senior director of systems engineering for Asia Pacific and Japan, told ZDNet Asia in an e-mail that threats aimed at disabling security technology will increase going forward. They are also becoming more difficult to detect, he noted.

"Profit is the primary motivation for creators and distributors of rogue security software scams and with such a lucrative underground economy, it looks as though scareware will continue to be an ongoing threat despite efforts to [contain them]," he explained. "Scareware authors will continue to push the security boundaries and devise innovative ways to break down users' protective barriers, in order to increase their profits."

According to Ow, enterprises need to remain vigilant against sophisticated attacks and mitigate them by deploying legitimate security software and regularly updating antivirus definitions. Other safeguards that can be employed include maintaining a whitelist of trusted Web sites, upgrading all browsers to the latest, patched versions and scanning all e-mail attachments at the gateway.
