Next week’s Cyber Risk Report (CRR) will cover the successful prosecution of a gang of Internet criminals by the United States Federal Trade Commission (FTC). Their scam was selling “scareware,” bogus computer security software, including “Antivirus XP 2008,” from 2003-2008. One of the co-defendants had in 2005 been ordered to pay Symantec 3.1 million dollars in compensation for selling pirated copies of its popular Norton brand. Last week, the first of the defendants in the case settled with the FTC for the entirety of his assets less legal fees, a sum amounting to $116,697, in lieu of a much larger judgement of 1.9 million dollars. The other defendants will have their days in court starting in July, barring any continuances.
The defendants used interactive advertisements that suggested that they had scanned a victim’s PC and found malware, tracking cookies and pornography that did not exist but that could be removed for $39.95. If the initial approach was unsuccessful, the rogue anti-virus software would alter search engine results to include false warnings of spyware infections and would display pop-ups to the user warning of data loss.
They even had a 3-year renewal option, and a back-end billing service that would geographically locate victims using their IP addresses and invoice them in their local currency. For example, a Cisco Security Intelligence Operations researcher located in Australia found the sale price in Australian dollars (AUD).
On one advertising network alone, the defendants displayed these advertisements nearly 680 million times at a cost of over 1 million dollars to the defendants. In addition, they installed the bogus security software on computer systems that had already been infected by other malware and were members of botnets.In August 2008, researchers at Cisco Security Intelligence Operations infected a honeypot to monitor the activity of the software. The researchers discovered extremely clever social engineering components and a back-end infrastructure that stretched from Germany to Panama. The malware’s success is in part attributed to its myriad of propagation techniques and social engineering aspects.Later, in March 2009, Cisco Security Intelligence Operations researchers observed the Pushdo botnet installing the bogus XP AntiVirus software onto computer systems that it had already infected. In addition to infecting the original host, Pushdo dropped the bogus security software onto removable USB storage devices in order to infect other systems to which the device was connected.The defendants went to great effort to evade signature-based antivirus detection. In at least one case, only two of the 36 vendors participating in the virustotal.com portal offered any protection.
Even though this malware has been effective at evading signature-based antivirus solutions, Cisco has successfully protected its customers from these threats with Cisco IronPort Web Reputation Technology and the Cisco Botnet Traffic Filter. In addition to targeting the individual executable programs, Cisco targets the infrastructure used by the criminals. Cisco IronPort Web Reputation blocks all traffic to the criminals’ web servers and legitimate servers that have been compromised, protecting users who may have been confused by the deceptive advertisements. The Cisco Botnet Traffic Filter mitigates existing infections by preventing the rogue security software from contacting (phoning home) criminal-operated command-and-control systems and blocking malicious software updates.It’s difficult to say just how much money “Antivirus XP 2008″ netted the criminals. In a write-up about a break-in to one of the members of the Antivirus 2008 affiliate program, Joe Stewart at SecureWorks predicts roughly $900,000 per week.Stay tuned. Court action continues next month with the other defendants.