X

Google: Fake antivirus is 15 percent of all malware

Google report shows that fake antivirus scams as a percentage of total malware have risen five-fold over the past year.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
See full bio
Elinor Mills
2 min read
 
This is an example of a message that pops up during a fake antivirus scam. Google

A rise in fake antivirus offerings on Web sites around the globe shows that scammers are increasingly turning to social engineering to get malware on computers rather than exploiting holes in software, a Google study to be released on Tuesday indicates.

Fake antivirus--false pop-up warnings designed to scare money out of computer users--represents 15 percent of all malware that Google detects on Web sites, according to 13-month analysis the company conducted between January 2009 and February 2010.

That's a five-fold increase from when the company first started its analysis, Niels Provos, a principal software engineer at Google, said in an interview.

Meanwhile, fake antivirus scams represent half of all malware delivered via advertisements, which is becoming a problem for high-profile sites that rely on their advertisers and ad networks to distribute clean ads.

Google analyzed 240 million Web pages and uncovered more than 11,000 domains involved in fake antivirus distribution for the study, which Google is set to unveil at the Usenix Workshop on Large-Scale Exploits and Emergent Threats Tuesday in San Jose, Calif.

Researchers also found that over the course of the study, domains used for distributing the malware were online for shorter and shorter periods of time in the face of Google's Safe Browsing technology. Used in Chrome and Firefox, Safe Browsing helps alert Web browsers to sites hosting malware, Provos said.

"As early as 2003, malware authors prompted users to download fake AV software by sending messages via a vulnerability in the Microsoft Messenger service. We observed the first form of fake AV attack involving Web sites, e.g. Malwarealarm.com, in our systems on March 3, 2007," the report says. "At that time, fake AV attacks employed simple JavaScript to display an alert that asked users to download a fake AV executable."

"More recent fake AV sites have evolved to use complex JavaScript to mimic the look and feel of the Windows user interface," the report continues. "In some cases, the fake AV detects even the operating system version running on the target machine and adjusts its interface to match."

Fake antivirus is easy money for scammers, Provos said.

"Once it is installed on the user system, it's difficult to uninstall, you can't run Windows updates anymore or install other antivirus products, and you must install the [operating] system," rending it unusable until it is cleaned up, he said.

Provos said when encountering a fake antivirus message, Web surfers should close the browser and restart the program. People who are duped by the scam may have to get professional help in cleaning up the computer, he said. They should also monitor their credit card accounts because scammers can use the credit card information for identity fraud.