Scareware purveyors advance to using blackmail and creating botnets

WHAT YOU CAN DO TO RECOVER: Use free VIPRE PC Rescue program

Symantec and Panda Security have separately uncovered yet more evidence underscoring the rapid advance of scareware – and the increasing guile of its purveyors.

PandaLabs virus hunter Sean-Paul Correll recently discovered an attack that not only bombards you with obnoxious sales pitches for worthless antivirus protection – it also prevents you from opening any of your applications until you make a purchase. “It’s a major leap,” says Correll. “We have not seen this before.”

Meanwhile, Symantec researchers have now confirmed that another gang of scareware scammers aren’t content to just sell worthless programs – they are also pulling all PCs they touch into the “cosma” botnet.

To date, it was thought that scareware purveyors focused mainly on causing alarming – and bogus – virus scans to run on your PC, and then cornering you into paying $30 to $100 for a fake clean up.

But in this report issued today, 20Oct2009, Symantec reveals how the gang selling Antivirus XP 2008 is also taking long-term control of any PC they infect. This is being carried out manually by a controller who needs no special tech skills, Marc Fossi, manager of research and development at Symantec Security Response, told LastWatchdog.

Symantec obtained a copy of a drag-and-drop tool these crooks have at their disposal. The tool requires just a couple of clicks on a menu page to insert the infected PCs into the cosma botnet, as shown here:

So even if the victim does not make a purchase, his or her machine gets botted and can now be used to spread spam, steal account logins and carry out other criminal activities, including spreading more scareware promos.

Scareware integrates botnet creation

The discovery that one group of bad guys has now integrated a slick bot-creation tool into their scareware campaign is a troubling development. “If they’re doing it, it’s likely others are too,” says Fossi. “It wouldn’t be any more difficult for other guys to do exactly the same thing.”

Other findings in Symantec’s report reinforce proof points in LastWatchdog’s 10June2009 investigative cover story published in USA TODAY.

  • From July 2008 to June 2009, Symantec received reports of 43 million attempts to install some 250 different strains of scareware, typically selling for $30 to $100.
  • The top five scareware promos were for SpywareGuard 2008, AntiVirus 2008, AntiVirus 2009, SpywareSecure, and XP AntiVirus.
  • Middlemen, called affiliates, earn from 1 cent to 55 cents for each PC they infect with scareware promotions, and a hefty cut of any actual purchases. Top affiliates are earning upwards of $300,000 per month.
  • At least one top-level distributor – there are an estimated dozen or so organizations who supply the malicious code and handle the financial transactions – is earning an estimated $1.2 million a year.

“It’s clear cybercriminals are willing, eager and well-equipped to prey on Internet users,” says Fossi.

Scareware meets ransomware

Panda’s finding that another enterprising scareware affiliate – selling Total Security 2009 – has added a blackmail component to his sales pitches is equally troubling.

So-called ransomware has been seen before. Six months ago, promos were being circulated for something called “FileFix Pro.” This particular scam involved encrypting files stored in the My Documents folder of the victim’s PC. Pitches would then follow to buy FileFix Pro to decrypt the files.

But the ongoing Total Security 2009 scareware campaign is much worse. It looks similar to the fear-based promos that trigger fake scans showing your PC to be riddled with viruses. But it goes a step further by locking out access to all other applications. When you click on any other application the text balloon (shown below) appears above the clock in the lower left corner of your desktop.

You then get steered back to pitches to buy Total Security 2009. Your machine is now unusable. You won’t be able to open Microsoft Office, your favorite online game, or even your antivirus clean up tools. The only thing you can open is Internet Explorer – so you can navigate to the Total Virus 2009 shopping cart page.

There you can use Visa or MasterCard to pay $79.95 for a standard version. You may also opt to spend another $19.95 to purchase “premium” tech support services.

Once the payment clears, you receive a serial number to activate Total Security. You can then open your other applications.

Correll surmises that scareware purveyors are becoming more aggressive because the lucrative scam – in which sales affiliates routinely earn six-figure monthly incomes, as Symantec has documented – may be getting saturated with practitioners.

“They may not be making enough money, or maybe they want to make more money,” says Correll.

By Byron Acohido
