Algeria.com Discussion Forum - Powered by vBulletin


  1. #1
    Al-khiyal is online now Super Moderator
    Join Date
    Jan 2006
    Posts
    289,392

    'Scareware' : Fake antivirus software


    October 16, 2009 -- New applications are turning up on Facebook. Unfortunately, some of them are fake antivirus programs. While researching Web sites that host malicious software, Roger Thompson, chief research officer of software security company AVG, noticed something funny. A Russian Web site known for hosting malware was getting lots of referrals from Facebook. On further investigation, Thompson found the referrals were coming from a Facebook application called "City Fire Department," a game where multiple players respond to emergency calls. The application had been modified to deliver an iframe, which is a way to bring content from one Web site into another. The iframe serves up code that tries to exploit vulnerabilities in a PC's software. If it finds one - a process that happens nearly instantly - it then downloads a fake antivirus program called Antivirus Pro 2010. Thompson posted screenshots on AVG's blog.

    Bogus antivirus programs have been around for a long time, but they've become an increasing nuisance this year as those who create them seemed to have stepped up their game. When installed on computers, the programs nag users to buy them. The applications, which can cost upwards of US$60, are generally useless against real security threats. Thompson thought the people who wrote City Fire Department might be behind the scam. But the malicious code was actually hosted on Facebook, which led Thompson to theorize that the developers of City Fire Department inadvertently had their Facebook passwords obtained by a hacker, after which the application was modified. The password credentials could have been compromised through a phishing scam, or a developer's PC could have been hacked. City Fire Department's developers acknowledged a problem on Facebook on Thursday. "The application has been taken offline until we can resolve all issues," according to the post. "We understand the frustration some users are feeling, and we will update with a timeline as soon as we can. Obviously, we would rather have a properly functioning game running instead of a half-working game."

    Facebook has been notified. The social-networking site "certainly takes security seriously, and they respond very quickly but the stuff that comes out of left field is hard to defend against," Thompson said. Three or four other applications had also been modified, Thompson said. Facebook can deactivate the applications until they are cleaned up. The situation also poses a danger to enterprises, who may allow their users access to Facebook through their firewall, thus opening a vector to deliver malware. "The corporate firewall doesn't provide any security," Thompson said. Facebook representatives could not be immediately reached for comment.

  2. #2
    Al-khiyal is online now Super Moderator
    Join Date
    Jan 2006
    Posts
    289,392

    October 17, 2009 -- The fake antivirus phenomenon has taken an unpleasant turn with the discovery of a Windows program that not only cons users into buying an unnecessary license but appears to lock files and applications on the victim's PC. According to security company Panda Security, rogueware program Total Security 2009 starts out in conventional fashion with the 'discovery' of a non-existent malware infection for which it demands an unusually ambitious $79.95 (£50), and even has the cheek to ask a further $19.95 for 'premium' technical support.

    Users deciding against purchasing the license find that all files and applications on their PC have been designated as 'infected' and made inaccessible until the user follows on-screen instructions to buy a license using the only working application, Internet Explorer. According to Panda Security, the technique used to block access involves simple interception of Windows calls to open files and applications, closing them before they can open. Sophisticated techniques such as file encryption are not needed. "This intercepting technique has been used before in other malware, for instance any rootkit malware, which is specifically designed to hide and kill processes silently in the background. However, this is the first time in history it has been spotted in conjunction with rogueware," said Panda Security's technical director, Luis Corrons. Panda Security's demonstration video shows the con working on an XP system.

    The program itself is remarkably developed, as has become a new trend for bogus antivirus in recent months, and mimics the design and configuration options found on many legitimate programs, including setting up 'updates', privacy settings and scanning schedules. It is even possible to change the default language from English to German or Spanish. "The way this rogueware operates presents a dual risk: first, users are tricked into paying money simply in order to use their computers; and second, these same users may believe that they have a genuine anti-virus installed on the computer, thereby leaving the system unprotected," said Corrons.

    The bogus program would get on to a user's PC in the first place after they had either clicked on a link in a spam email, or by visiting an infected distribution website, or even by visiting the program's convincing-looking product homepage. Once registered, Total Security 2009 remains on the system. "This technique allows the criminals to make money before the AV companies catch up to them with signatures to finally detect the threat. Specifically, criminals will generate a new undetected sample on the fly and then distribute it to users. Knowing that the AV companies will detect it shortly, the criminals force users into purchasing the rogueware before the signature detection can kick in to remove it," said Corrons.

    The program has been circulating for some weeks and infection rates are believed to be small. But the technique of combining fake antivirus prompts with a form of ransom-cum-hijacking will probably become a new front in the fake antivirus industry's campaign to make people buy more completely useless programs. In the last year, fake antivirus programs have become possibly the biggest money-making scam on the Internet after spam marketing, even managing to find distribution on false pretences through premium Internet sites such as The New York Times. There is growing evidence that many genuine antivirus programs don't detect some of these scam programs, which might also be a reason behind their success.

  3. #3
    Al-khiyal is online now Super Moderator
    Join Date
    Jan 2006
    Posts
    289,392

    October 19, 2009 -- Cybercriminals are earning as much as £858,000 a year out of scareware, says Symantec. Scareware, which is also known as fake antivirus, is a ploy by cybercriminals to get web users to download dodgy programs using realistic messages and pop-ups warning of fake malware infections. Web users are scared into purchasing the bogus security software at £20 to £30 a time. In some cases the hoax software downloaded onto a PC also contains keyloggers and other malware that harvest information for use in ID theft.

    According to Symantec's Rogue Security Software report, scareware has become one of the most popular forms of malware on the web today because "it preys on our fears when using the internet - if we believe we're open to a security threat then we're more likely to make a knee-jerk reaction". The security firm said it had detected over 250 different types of scareware to date, and many of the cybercriminals drafted in to help distribute scareware are paid per install, which can result in earnings of up to £56,000 per month.

    Symantec also revealed scammers earn the most money off of U.S. users, although UK and Canadian users were close behind. "Where Scareware differs from ID theft is that once set up, the whole victimisation process is automated by malicious software, from dissemination, to infection, to the scam, to the collection of money. In this way it is a significant cybercrime development," said Professor David Wall, a leading expert on cybercrime from Leeds University.

  4. #4
    Al-khiyal is online now Super Moderator
    Join Date
    Jan 2006
    Posts
    289,392

    WASHINGTON, October 19, 2009 (Reuters) -- Tens of millions of U.S. computers are loaded with scam security software that their owners may have paid for but which only makes the machines more vulnerable, according to a new Symantec report on cybercrime. Cyberthieves are increasingly planting fake security alerts that pop up when computer users access a legitimate website. The "alert" warns them of a virus and offers security software, sometimes for free and sometimes for a fee.

    "Lots of times, in fact they're a conduit for attackers to take over your machine," said Vincent Weafer, Symantec's vice president for security response. "They'll take your credit card information, any personal information you've entered there and they've got your machine," he said, referring to some rogue software's ability to rope a user's machine into a botnet, a network of machines taken over to send spam or worse.

    Symantec found 250 varieties of scam security software with legitimate sounding names like Antivirus 2010 and SpywareGuard 2008, and about 43 million attempted downloads in one year but did not know how many of the attempted downloads succeeded, said Weafer. "In terms of the number of people who potentially have this in their machines, it's tens of millions," Weafer said.

    It was also impossible to tell how much cyberthieves made off with but "affiliates" acting as middlemen to convince people to download the software were believed to earn between 1 cent per download and 55 cents. TrafficConverter.biz, which has been shut down, had boasted that its top affiliates earned as much as $332,000 a month for selling scam security software, according to Weafer. "What surprised us was how much these guys had tied into the whole affiliated model," Weafer said. "It was more refined than we anticipated."

  5. #5
    Cheba_Mami is offline Moderator
    Join Date
    Feb 2004
    Posts
    2,124
    There are also fake e-cards sent from 123greetings, which is not the case; it's a virus.
    There are many, many attachments with emails from known persons, but it's not an attachment, it is a VIRUS!
    Be aware!

    Miss Cheba.
