March 22, 2009 9:01 PM PDT

Report: Rogue antivirus software pays off for scammers

by Elinor Mills

Updated March 23, 5:03 a.m. PDT with a link to the new Cybercrime Intelligence Report.

Online scammers are making a lucrative business out of redirecting visitors from legitimate Web sites to sites that try to install rogue antivirus software, according to a report due to be released by security firm Finjan on Monday.

Finjan's Malicious Code Research Center came across a traffic management server in Ukraine used by underground online scammers to keep track of how many redirects their rogue antivirus sites get from legitimate sites that have been compromised.

Typically, rogue antivirus software displays a message saying that the PC is infected and offering antivirus software for sale. In a successful attack, the scammers end up with the victim's credit card information and don't bother to install any legitimate software.

Members of the "affiliate network" who compromise legitimate Web sites get 9.6 cents for each successful redirect, Finjan said in its latest Cybercrime Intelligence Report. There were 1.8 million unique users redirected to the rogue antivirus software during the 16 consecutive days Finjan was monitoring the network, or about $10,800 for each day, the researchers calculated.

Finjan also discovered that between 7 percent and 12 percent of people end up installing the rogue antivirus software and 1.79 percent of them paid $50 for it.

Finjan researchers said they weren't certain how the legitimate Web sites were compromised. Once the sites were compromised, the scammers made heavy use of search engine optimization techniques to get those sites ranked high in search results, dynamically generating search keywords with typos and popular terms that people might use, Finjan said.

Lured by the high ranking on search engines, visitors end up on the compromised sites and are immediately redirected to pages that try to install rogue antivirus software on their computers.
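The symptom the article describes from the site owner's side is a legitimate page that answers search-engine visitors with a redirect to an outside domain. The following is an added example, not code from the article or from Finjan, of how an administrator could sweep a web server's access log for that pattern. It assumes the server logs the Location response header as an extra quoted field after the combined log format, and the log lines, hostnames and search-engine list are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample log lines (combined format plus a trailing quoted
# Location field). Hosts and addresses are made up for this example.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Mar/2009:10:01:02 +0000] "GET /news/story.html HTTP/1.1" 200 5123 "http://www.google.com/search?q=free+antivirus" "Mozilla/5.0" "-"
203.0.113.9 - - [23/Mar/2009:10:01:07 +0000] "GET /news/story.html HTTP/1.1" 302 0 "http://search.yahoo.com/search?p=antivirus+2009" "Mozilla/5.0" "http://rogue-av.example/scan"
203.0.113.9 - - [23/Mar/2009:10:02:07 +0000] "GET /news/story.html HTTP/1.1" 302 0 "http://search.yahoo.com/search?p=antivirus+2009" "Mozilla/5.0" "http://rogue-av.example/scan"
203.0.113.12 - - [23/Mar/2009:10:03:00 +0000] "GET /old/page.html HTTP/1.1" 301 0 "-" "Mozilla/5.0" "http://www.example.com/new/page.html"
203.0.113.20 - - [23/Mar/2009:10:04:00 +0000] "GET /news/story.html HTTP/1.1" 302 0 "http://www.google.com/search?q=antivirus+2009+download" "Mozilla/5.0" "http://rogue-av.example/scan"
"""

# Referrer hosts treated as search engines (assumed list for this example).
SEARCH_ENGINE_HOSTS = ("google.com", "yahoo.com", "live.com", "ask.com")

# Combined log format with one extra quoted field holding the Location
# response header (assumed; the server must be configured to log it).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<location>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def host_of(url):
    """Lower-cased host part of a URL; '' for '-' or unparsable values."""
    if not url or url == "-":
        return ""
    return (urlparse(url).hostname or "").lower()


def is_search_referrer(referer):
    """True when the referrer host is, or is a subdomain of, a search engine."""
    host = host_of(referer)
    return any(host == e or host.endswith("." + e) for e in SEARCH_ENGINE_HOSTS)


def find_suspicious_redirects(log_text, site_host):
    """Flag 3xx responses sent to search-engine visitors that point off-site.

    On-site redirects (moved pages) are ignored; only a redirect whose
    Location host is outside site_host is reported.
    """
    site_host = site_host.lower()
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["status"].startswith("3"):
            continue
        if not is_search_referrer(rec["referer"]):
            continue
        dest = host_of(rec["location"])
        if not dest or dest == site_host or dest.endswith("." + site_host):
            continue  # redirect stays on our own site
        findings.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                         "referer": rec["referer"], "location_host": dest})
    return findings


def summarize(findings):
    """Count findings per (requested path, redirect destination host)."""
    return Counter((f["path"], f["location_host"]) for f in findings)


if __name__ == "__main__":
    hits = find_suspicious_redirects(SAMPLE_LOG, "www.example.com")
    for (path, dest), n in summarize(hits).items():
        print(f"{n:3d}  {path} -> {dest}")
```

Run against the constructed sample, the sweep reports three search-referred hits on /news/story.html being sent to rogue-av.example and ignores the ordinary 301 to the site's own new page. A redirect injected as JavaScript or a meta refresh would not show up as a 3xx in the server log, so this check covers only the HTTP-level form of the symptom.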

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.

Comments
by xtrasico March 23, 2009 12:42 AM PDT
We are not safe anywhere. Offline or online... But we got to continue living. Right? Next thing we'll know is that instead of Health or Physical Education class our kids will be taking Online Safeness Education. Makes sense to me. What do you think?
by Aquatroni1965 March 23, 2009 3:00 AM PDT
The people who released all the versions of this rogue antivirus software, from SpyAxe, through SpywareStrike, AntivirusXP2008 and AntivirusXP2009, among others, have made well over 100 million dollars U.S. through scamming people to purchase their worthless software. The funny thing is that their websites are STILL up and running and absolutely NO ONE has done anything about their "business" tactics except to "track" them and give statistics. NO ONE has ever shut them down or gone after them in any way. Meanwhile, thousands of people a year fall for this scam..... Until someone actually does something about it, it will only continue.
by Sam Papelbon March 23, 2009 8:05 AM PDT
they probably exist in foreign lands where the law can't reach. don't let that stop you from taking the matter into your own hands, though.
by gggg sssss March 23, 2009 5:17 PM PDT
blame ATT, MCI, etc. They could easily stop this before it ever hits continental USA.
by fubar22 March 24, 2009 1:05 AM PDT
Those damn North Koreans.
by Tiggersspring March 23, 2009 3:41 AM PDT
So come on, name and shame, let's have a list of Scam Antivirus Progs, at least that way people would be better informed and more able to avoid the scammers. As far as any legitimate antivirus producers being compromised, all I can say is "come on, keep up" if you get put on a bad list then whose fault is that? You're the ones who get paid to stop malware, doesn't bode well for the quality of your software does it? And finally, just a personal note to the big antivirus companies that charge excessive amounts to remove a virus, that for some reason or another got past their program, "STOP CHARGING" you get paid enough for the program, now support it.
by gggg sssss March 23, 2009 5:18 PM PDT
3 got by Symantec AV this month. Pretty bad, but then we all know that SAV sucks. Now we have proof.
by Dango517 March 23, 2009 4:01 AM PDT
As one of the lucky ones that got away, I can tell you these are no ordinary virus/spyware program. The Rogue Variant I had came in through a redirected YouTube site, then attempted to install through a phishing applet saying I had viruses and to download their software. I threw everything I had at it and none of it worked. This PC is well protected. In a last ditch effort I uninstalled as much of it as I could find, manually, but after several days of insecurity I re-installed the OS.

A security specialist told me these can contain Spyware, Malware and Viruses all at once or just some of them in any combination. Rogue Variants can also be modified quickly to evade the usual scans and current definitions. ("All" of mine in fact.)

This voice of experience says, avoid all mysterious applets. If these will not close on the Windows taskbar, do not press any of the buttons on them, simply log off. Any button you press might compromise your PC by authorizing a download.
by davismccarn March 23, 2009 5:42 AM PDT
The latest version of SMITFRAUDFIX ( http://www.majorgeeks.com/SmitFraudFix_d6019.html ) will successfully remove almost all flavors of these pests; but, I, too, keep wondering why somebody doesn't sue them out of existence.
The trick, by the way, to keep from downloading it in the first place is to use CTRL-ALT-DEL (or the Task Manager) to end the application, as it invariably refuses to close if you try the usual Red-X.
by BtmnHatesRbn March 23, 2009 8:05 AM PDT
What? Viruses? C'mon! Take Dvorak's advice and shut the computer down when you're done with it, or put the cable modem or whatever connection that's being used to sleep or off. Or use something bonkers to surf with, like the Wii.
by Sam Papelbon March 23, 2009 8:10 AM PDT
considering the people who would be most affected by this type of malware are those who aren't familiar with it, and the only article that comes up when you click the 'rogue anti-virus' tag is this one, i think you would be doing a great service to the internet to better define what you mean by 'rogue antivirus' so that the uninformed reader doesn't think it's just another brand name.

kind of like putting up a sign that says 'beware smudyaps'. thanks for the warning, but what are we supposed to watch out for again?
by Dango517 March 23, 2009 4:30 PM PDT
I did a little searching myself using the search terms "rogue variant". I ended up with one. My McAfee site advisor says it's an (?) unchecked site. Okay, how's feeling lucky? "Once bitten twice shy" they say, I'm not going near it.

http://search.yahoo.com/search?ei=utf-8&fr=slv8-tyc7&p=rogue%20variant&type=

Site is:

roguevariant.com
by James E. Morrow March 23, 2009 9:02 AM PDT
For a list of rogue anti-virus programs I would strongly recommend consulting the list on this page.

http://www.spywarewarrior.com/rogue_anti-spyware.htm
by Patrick5651 March 23, 2009 12:56 PM PDT
Using a credit card will allow a purchaser of goods or services to 'flag' the transaction and file a dispute, which will prevent the final clearance of the sale.

You have 60 days in which to file a dispute, which will lead to a reversal of an unfair transaction. After 60 days, you own it.

Keep all papers and information about the transaction until you are satisfied that it was a good one.

Remember to check your monthly statement, because if you discover after 60 days that you have been had, case closed, it's yours.
by gggg sssss March 23, 2009 5:22 PM PDT
but now the Russians have your CC number. The $50 for the remover is trivial. Any Russian is of course welcome to prove it is not Russians but Chinese that are doing this.
by rweaver56 March 23, 2009 3:57 PM PDT
I've just about had enough of this internet bullcrap. It ain't worth the trouble.
by fubar22 March 24, 2009 1:07 AM PDT
But it's sooooooooooooooo awesome making fun of people. Come on...Don't give up now. You can do it.......Put on the angry eyes and get to it.
by Dango517 March 26, 2009 9:30 AM PDT
That's part of the point of it all. The other is the economy. If you haven't wondered what a cyber war looks like, simply look around, you're in one. Do you surrender?
by rweaver56 March 23, 2009 4:00 PM PDT
Is this rogue antivirus better than Norton?
by CA1900 March 23, 2009 11:55 PM PDT
So get a Mac, and enjoy the internet without the hassle.
by fubar22 March 24, 2009 1:10 AM PDT
Sure.........and we'll all join hands and sing n' dance with glee until the cows come home. But you still have to contend with condescending ***** like myself. Better luck next time Skippy!
You wouldn't happen to be from humboldt would you?
by Grant_D March 24, 2009 12:44 PM PDT
Norton does little to nothing to stop at least the vast majority of these programs from getting on the computer. I work at a campus help desk and the majority of the virus removal we do is this type of thing. As one earlier poster mentioned Smitfraudfix works well, as does the program malwarebytes (even the free version). Malwarebytes has removed almost every one of them without a hitch. I've only seen a couple that it didn't, and it's possible that newer updates will. Thankfully most people get spooked when the programs ask for money. You'd think the fact that they see a program that they've never seen before would deter them from believing the fake scan or even paying the money, but it doesn't always work out that way.