Fake AV Archive

Understanding Current Trends in the Fake AV/Scareware Ecosystem

The cyber-criminal groups behind fake anti-virus (scareware/rogueware) infections have run into some significant roadblocks over the last few years, but there is much more to the overall story.

Some groups have been arrested. Some have had their operations and entire call support centers shut down.

Some groups attracted too much attention, picked off the low-hanging fruit and eventually walked away from their botnets.
In other cases the groups simply weren't very skilled at evasion (anti-anti-malware) techniques, black hat SEO or malware distribution. They couldn't keep up with changes in anti-malware technology, weren't especially dedicated to the effort, and fell off the map.

Scareware, Black Hat SEO and You

The scareware and rogue AV problem that first appeared a few years ago, and has since found its way onto thousands of legitimate Web sites, including The New York Times home page, has now reached epidemic levels. The scams are mostly boilerplate and well understood, but it's not often that we get to take a peek behind the curtain and see the inner workings of the schemes. Here's just such a chance.

In a fascinating post, Bojan Zdrnja of the SANS Internet Storm Center details exactly how one specific rogue AV attack works and exposes the methods the attackers use to gain victims and plant their malware on legitimate sites. The analysis started with the acquisition of a heavily obfuscated PHP script which, once deobfuscated, turned out to be the main script used by one particular rogue AV gang.
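The first step in an analysis like Zdrnja's is getting the obfuscation out of the way. As an added example (not code from the ISC post or from this page), here is a small Python unwrapper for the layered `eval(base64_decode(...))`, `gzinflate()` and `str_rot13()` wrappers that PHP droppers of this kind commonly stack on top of each other. Which wrappers the gang's actual script used is not stated on this page, so the decoder chain, the sample and its stand-in payload are all constructed assumptions; the point is the peeling loop, which decodes statically and never executes anything.

```python
import base64
import re
import zlib

# Constructed example: statically unwrap layered eval(...) obfuscation of the
# kind found in rogue AV droppers. The wrappers below are the common PHP ones;
# which ones the script in the ISC post used is an assumption.

_ROT13 = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
    "NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm",
)

# Python equivalents of the PHP decoder functions, operating on bytes.
DECODERS = {
    "base64_decode": lambda b: base64.b64decode(b),
    "gzinflate": lambda b: zlib.decompress(b, -15),   # raw DEFLATE, like PHP gzinflate()
    "gzuncompress": lambda b: zlib.decompress(b),     # zlib-framed, like PHP gzuncompress()
    "str_rot13": lambda b: b.decode("latin-1").translate(_ROT13).encode("latin-1"),
    "strrev": lambda b: b[::-1],
}

# eval( f1( f2( 'literal' ) ) );  a chain of wrapper calls around one string literal
LAYER_RE = re.compile(
    r"""eval\s*\(\s*((?:\w+\s*\(\s*)*)(['"])([^'"]*)\2\s*\)+\s*;?"""
)


def unwrap_php(src, max_layers=32):
    """Peel eval() wrappers in place, outermost first.

    Returns (code, layers): the source with every recognised eval() replaced
    by the code it would have executed, plus the decoder chain peeled at each
    step. max_layers keeps a self-referential sample from looping forever.
    """
    code, layers = src, []
    for _ in range(max_layers):
        m = LAYER_RE.search(code)
        if not m:
            break
        names = re.findall(r"\w+", m.group(1))
        data = m.group(3).encode("latin-1")
        for name in reversed(names):          # innermost PHP call runs first
            if name not in DECODERS:
                raise ValueError("unsupported wrapper: " + name)
            data = DECODERS[name](data)
        layers.append(names)
        # latin-1 keeps every byte intact even if the payload is not UTF-8
        code = code[:m.start()] + data.decode("latin-1") + code[m.end():]
    return code, layers


def _deflate(data):
    # raw DEFLATE stream, the format PHP's gzinflate() expects
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


def build_sample(payload):
    """Wrap PAYLOAD the way such kits do, innermost layer first.

    Constructed test input; not the script analysed in the ISC post.
    """
    inner = base64.b64encode(_deflate(payload.encode())).decode()
    layer1 = "eval(gzinflate(base64_decode('%s')));" % inner
    outer = base64.b64encode(layer1.translate(_ROT13).encode()).decode()
    layer2 = "eval(str_rot13(base64_decode('%s')));" % outer
    return "<?php error_reporting(0); " + layer2 + " ?>"


# Constructed stand-in for the real dropper's body: a referrer-keyed redirect
# to a scan page is the kind of logic a search-driven scareware script carries.
PAYLOAD = (
    "if (stripos($_SERVER['HTTP_REFERER'], 'google') !== false) {"
    " header('Location: http://example.invalid/scan.php'); exit; }"
)
SAMPLE = build_sample(PAYLOAD)

if __name__ == "__main__":
    code, layers = unwrap_php(SAMPLE)
    for i, chain in enumerate(layers, 1):
        print("layer %d: %s" % (i, " -> ".join(chain)))
    print(code)
```

Two caveats when pointing this at a real sample: kits that use a custom encoder, string concatenation or the deprecated `preg_replace('/e')` trick will not match `LAYER_RE`, so the loop stops early and the raised `ValueError` or a remaining `eval(` in the output tells you which layer still needs a hand-written decoder; and the reason to decode in Python rather than by swapping `eval` for `echo` in PHP is that the outer layers can legitimately contain side effects you do not want to run on an analysis box.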