Fake Antivirus: a highly profitable business for miscreants

Date : January 06, 2009

In October 2008, SecureWorks published two articles demonstrating that selling fake antivirus software can be a very profitable business.

The "Fake Antivirus" business

This kind of fraud has existed for several years. In short, it works as follows. While browsing the web, a user is suddenly shown a popup window warning of a possible infection on his computer and offering a free tool to analyse it further. That tool is in fact a Trojan that:

  • Infects the computer,
  • Informs the user that a full scan of the disk has found dozens of pieces of malware (a lie),
  • Offers to sell him a supposedly highly efficient antivirus to clean out the computer.

The exact scenario may vary, but the result is always the same: the user is prompted to buy the antivirus offered by the miscreant. If he declines, his computer then misbehaves (the Trojan causes various disruptions) and messages keep popping up to remind him to buy the antivirus. That antivirus is in fact a fake which merely stops the annoyances by removing the Trojan that was installed earlier.

The number of fake antivirus frauds reported soared during 2008. In September 2008, the US-CERT published a warning about this fraud. In November 2008, Microsoft added some of the well-known fake antivirus programs (including the one studied by SecureWorks) to the list of malware detected by the Malicious Software Removal Tool (MSRT: a free tool delivered through Windows Update that detects and removes well-known malware from the computer). In November and December 2008 the MSRT cleaned more than 1 400 000 computers infected by fake antivirus software in this way.


A highly profitable business

SecureWorks analysed a fake antivirus named "Antivirus XP 2008". It is the 2008 edition of a long line of fake antivirus products branded "Pandora Software". Since SecureWorks performed that analysis, the product has been renamed several times, to names such as "AntiMalware 2009" or "AntiVirus 2009".

The SecureWorks analysis shows that the fake antivirus has some features which make it look like a real antivirus product:

  • it has a complete configuration interface,
  • it is able to detect some very well-known viruses,
  • it can be used to change some Windows security settings. For example, it can list or edit the "CurrentVersion\Run" Registry entries or uninstall Internet Explorer BHOs (Browser Helper Objects).

SecureWorks thinks that these minimal features may be there to rebut the claim that "Antivirus XP 2008" is a fake antivirus.

SecureWorks then details the retail chain it discovered for "Antivirus XP 2008" and the amount of money that business brings in. It found a Russian web site named "Bakasoftware.com" which invites visitors to become affiliates of the "Antivirus XP 2008" program. However, you must be able to read Russian (the website is in Russian only), and you must be sponsored by an existing affiliate. The website explains that affiliates receive a commission of 58 to 90 percent on sales of the antivirus. Statistics shown on "Bakasoftware.com" (which are in line with figures stolen by a Russian hacker who broke into the website) indicate the amount of money an affiliate can expect from that business. They show that the best affiliate earned 146 000 US dollars in ten days by selling 3000 copies of the antivirus (each copy sells for 50 USD, and 2 % of the 150 000 victims whose computers were infected actually bought the antivirus). Of course, to reach an audience of 150 000 victims in 10 days, anything goes: infection through botnets, through booby-trapped web sites, etc.

These are extreme figures (top seller, 90% commission), but they show why this business is so attractive to crooks.


A quite usual practice within the underground community

Bakasoftware is not a unique case; other companies around the world run the same kind of business. At the request of the FTC (Federal Trade Commission: an independent agency of the United States government whose mission is to protect consumers), a US district court issued on 10-dec-2008 a temporary restraining order (TRO) against two North American companies which were distributing the same kind of fake antivirus.


For more information

SecureWorks analysis:
