Kaspersky Lab publishes the article "Rogue antivirus: a growing problem"

Kaspersky Lab, a leading developer of Internet threat management solutions that protect against all forms of malicious software including viruses, spyware, hackers and spam, announces publication of the article "Rogue antivirus: a growing problem" by Vyacheslav Zakorzhevsky, a senior malware analyst with the company's heuristic detection group.

Over the last few years there has been a sharp rise in the number of rogue antivirus programs – fake security solutions that falsely inform users that a malicious program has been detected on their computer. The main aim of these programs is to convince users that their computers are at risk and scare them into buying an "antivirus" product. Such programs enable cybercriminals to make illegal profits through deception, while users are lulled into a false sense of security, believing that their computers are protected by these rogue solutions.

Kaspersky Lab classifies this type of program as FraudTool within the RiskWare class. Currently Kaspersky Lab databases include about 30,000 signatures for rogue antivirus solutions and this number is constantly growing.

Rogue antivirus programs are spread using the same methods that are used to spread most other malware, e.g. drive-by download when the user visits an infected site; via a Trojan downloader; or when the user clicks on an Internet advert or opens an email attachment. However, more often than not, rogue antivirus programs are downloaded by the users themselves via dedicated (Hoax) programs. Hoax programs warn a user of a nonexistent threat (for example, of a possible virus infection) and prompt the user to download a program to scan and clean the system. In many cases the rogue antivirus solution will be installed on the system even if the user declines the offer.

Cybercriminals use a range of methods to distribute rogue antivirus programs and other hazardous malware and to evade detection, such as dynamically generating the addresses of infected sites, or encrypting and then decrypting the main body of the malicious program.

When a rogue antivirus program gets onto a system it first supposedly scans the computer (this sometimes takes less time than the first scan of the system by a genuine antivirus program) and informs the user that malicious programs have been detected and that system resources have been modified. The rogue solution will then offer to remedy the errors and repair the system, but this service is not free. The more legitimate the software appears, the greater the chance that the user will pay the cybercriminals for this service.

If a user agrees to buy the rogue antivirus, there are several payment options available ranging from e-pay systems to an SMS message.

The author of the article points out that the interface of many rogue antivirus programs is almost identical, meaning that the developers of different programs are using the same code generator. The use of ready-made solutions means lots of similar programs can be created in a relatively short time.

The article provides statistics that show the rise in the number of rogue antivirus programs from 2007 to August 2009. The number of new signatures rose sharply in May 2009. New rogue antivirus programs have become common: Kaspersky Lab detects between 10 and 20 new Hoax or FraudTool programs every day. This would have seemed incredible two or three years ago, when a new malicious program of this type only appeared once every two days.

The main reasons for the huge increase in the number of rogue antivirus programs over the last year are that these programs are very easy to create, the distribution system is very effective, and cybercriminals can make large profits in a short period of time.

The author concludes that adhering to a few simple rules can help protect systems from rogue antivirus programs: check whether the vendor has an official site and technical support; ignore programs which first scan a computer and then demand money for activation; ignore messages about infection that appear randomly while surfing the Internet; and finally, install a reliable IT security solution from a legitimate antivirus vendor.

The full version of the article is available at www.viruslist.com.

This material can be reproduced provided the author, company name and original source are cited. Reproduction of this material in re-written form requires the express consent of the Kaspersky Lab PR department.

© 1997 - 2010 Kaspersky Lab ZAO.
All Rights Reserved.