Google finds fake antivirus programs on the rise

A new report says that 15 percent of all malware found on the Web is fake antivirus software

Fake antivirus software is becoming more prevalent on the Internet, with its creators using clever methods to fool users into installing the programs, according to a new report from Google.

Google conducted a 13-month study (PDF) looking at some 240 million Web pages. The company determined that 11,000 of those domains were involved in distributing fake antivirus programs, and that those kinds of programs make up 15 percent of the malicious software on the Web.

There are thousands of versions of fake antivirus software, but all work on the premise of falsely telling users their computer has been infected with malware. The programs then badger users to buy the software, which often looks legitimate but has no real functionality.

"More recent fake AV sites have evolved to use complex JavaScript to mimic the look and feel of the Windows user interface," according to Google's report. "In some cases, the fake AV detects even the operating system version running on the target machine and adjusts its interface to match."

Users are typically asked if they want to clean their machine, which causes the fake program to download. Fake antivirus usually spreads by social engineering ploys rather than by exploiting software vulnerabilities on the victim's computer, according to Google.

The scammers behind the fake antivirus software frequently use online advertisements tied to popular keywords, although Google says it filters those advertised URLs to get rid of malicious ones.

Google will blacklist those domains to warn people, but those developing fake antivirus software rotate the domains hosting their programs faster than ever to avoid the blocklist.

In April 2009, a domain hosting fake antivirus software would serve up the content for up to 100 hours, Google said. But that figure fell to below 10 hours in September 2009 and then to less than one hour in January.

"These trends point to domain rotation, a technique that allows attackers to drive traffic to a fixed number of IP addresses through multiple domains," the report said. "This is typically accomplished by setting up a number of landing domains, either as dedicated sites or by infecting legitimate sites, that redirect browsers to an intermediary under the attacker's control."
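For defenders, the pattern the report describes (many short-lived domains in front of a small, stable set of IP addresses) can be looked for in proxy or DNS logs. The following is an added example, not code from Google's report: the log format, the sample records, the function names and the thresholds (three or more domains, median lifetime of one hour or less) are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: "timestamp domain resolved_ip" lines from a hypothetical
# proxy/DNS log. Domains use the reserved .example TLD; IPs are documentation ranges.
SAMPLE_LOG = """\
2010-01-11T08:00:00 scan-alpha.example 203.0.113.7
2010-01-11T08:40:00 scan-alpha.example 203.0.113.7
2010-01-11T09:05:00 pc-clean-beta.example 203.0.113.7
2010-01-11T09:50:00 pc-clean-beta.example 203.0.113.7
2010-01-11T10:10:00 fix-gamma.example 203.0.113.7
2010-01-11T10:45:00 fix-gamma.example 203.0.113.7
2010-01-11T08:00:00 news-site.example 198.51.100.20
2010-01-14T17:30:00 news-site.example 198.51.100.20
2010-01-11T09:00:00 shop.example 198.51.100.21
2010-01-13T09:00:00 shop.example 198.51.100.21
"""

def parse(log_text):
    """Yield (timestamp, domain, ip) tuples, skipping blank lines."""
    for line in log_text.splitlines():
        if line.strip():
            ts, domain, ip = line.split()
            yield datetime.fromisoformat(ts), domain.lower(), ip

def domain_lifetimes_by_ip(records):
    """Map ip -> {domain: hours between first and last sighting on that ip}."""
    seen = defaultdict(dict)
    for ts, domain, ip in records:
        first, last = seen[ip].get(domain, (ts, ts))
        seen[ip][domain] = (min(first, ts), max(last, ts))
    return {ip: {d: (last - first).total_seconds() / 3600
                 for d, (first, last) in doms.items()}
            for ip, doms in seen.items()}

def flag_rotation(lifetimes, min_domains=3, max_median_hours=1.0):
    """Flag IPs fronted by several domains whose median lifetime is short.
    Both thresholds are illustrative assumptions, not values from the report."""
    flagged = {}
    for ip, doms in lifetimes.items():
        med = median(doms.values())
        if len(doms) >= min_domains and med <= max_median_hours:
            flagged[ip] = {"domains": sorted(doms), "median_hours": round(med, 2)}
    return flagged

if __name__ == "__main__":
    for ip, info in flag_rotation(domain_lifetimes_by_ip(parse(SAMPLE_LOG))).items():
        print(ip, info)
```

Pivoting on the IP address rather than the domain is what keeps the check useful when each individual domain is gone before a blocklist entry for it can take effect.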

Google also found that legitimate antivirus vendors were having more trouble identifying the fake programs due to an increased level of "polymorphism," a technique used to make an application look unique and evade malware scanners.

Fake antivirus programs haven't escaped scrutiny from regulators. Following a complaint from the U.S. Federal Trade Commission (FTC), a U.S. district court ordered six people and two companies to stop selling fake security products such as WinFixer, WinAntivirus, DriveCleaner, ErrorSafe and XP Antivirus.

As part of that case, the FTC levied a $1.9 million judgement against James Reno and his Web hosting company, ByteHosting Internet Service of Ohio, but later reduced the judgement to $116,697 in June 2009.
