Rogue Security Software Infects Millions of PCs: Symantec

Symantec has released a report (.PDF) on what it calls "rogue security software." According to the report, Symantec has detected over 250 distinct rogue security software programs, and during the timeframe of the report, July 2008 - June 2009, 43 million attempted downloads of such rogue programs. The company was unable to determine exactly how many installs completed.

One of the most prevalent ways for these bogus AV programs to install is when a user browses to a website, which then pops up a message saying that "your PC is vulnerable," or "your PC is infected" or other similar warning. This type of scenario is an attempt to install "scareware" on a user's PC. If a user falls for the warning, he could download and install what is essentially malware. Of course, that's not the only way that such programs are distributed. They also infect PCs via the tried-and-true email attachment method. Of course, more users are savvy enough to avoid that trap, and many webmail providers pre-scan your email anyway.

That is yet another reason to use a free webmail provider such as Gmail. For example, if you redirect your email (even your own domain's email) through Gmail, it will check for spam and malware, and at the same time allow you to reply back to the email originator via the email address that was used.

Just as with legitimate businesses, traffickers in rogue security software use affiliate-based programs to distributed their malware. According to the report, these affiliates can make a considerable amount of money:

In the case of TrafficConverter.biz, the website was associated with the Downadup worm as a URL from which Downadup attempted to download its payload. The site was shut down in November 2008 before the worm could download the unknown payload. TrafficConverter.biz and other reincarnations of the website paid affiliates $30 per sale of their rogue security software programs, such as XP Antivirus. The site purported to have at least 500 active affiliates, with top affiliates earning as much as $332,000 in a month for installing and selling security risks—including rogue security software programs—onto users’ computers. The top 10 earning affiliates purportedly each earned $23,000 per week, on average.

You probably recall the Downadup worm, also known as Conficker, which was probably one of the most highly publicized malware programs of all time. Of course, with all the publicity, it was more a bust than a bang.

Still, some common sense and people wouldn't run into these rogue security programs in the first place. The key points are: have some sort of security software on your system (such as Microsoft's new free software); don't believe a site that tells you you're infected assuming you already have AV software installed; and don't open attachments you aren't expecting.

The top 10 rogue security programs, according to Symantec, are:

1. Spyware Guard 2008
2. AntiVirus 2008
3. AntiVirus 2009
4. Spyware Secure
5. XPAntivirus
6. WinFixer
7. SafeStrip
8. Error Repair
9. Internet Antivirus
10. DriveCleaner