Google: Fake antivirus is 15 percent of all malware



This is an example of a message that pops up during a fake antivirus scam.

(Credit: Google)



A rise in fake antivirus offerings on Web sites around the globe shows that scammers are increasingly turning to social engineering to get malware on computers rather than exploiting holes in software, a Google study to be released on Tuesday indicates.

Fake antivirus--false pop-up warnings designed to scare money out of computer users--represents 15 percent of all malware that Google detects on Web sites, according to a 13-month analysis the company conducted between January 2009 and February 2010.

That's a five-fold increase from when the company first started its analysis, Niels Provos, a principal software engineer at Google, said in an interview.

Meanwhile, fake antivirus scams represent half of all malware delivered via advertisements, which is becoming a problem for high-profile sites that rely on their advertisers and ad networks to distribute clean ads.

Google analyzed 240 million Web pages and uncovered more than 11,000 domains involved in fake antivirus distribution for the study, which Google is set to unveil at the Usenix Workshop on Large-Scale Exploits and Emergent Threats Tuesday in San Jose, Calif.

Researchers also found that over the course of the study, domains used for distributing the malware were online for shorter and shorter periods of time in the face of Google's Safe Browsing technology. Used in Chrome and Firefox, Safe Browsing helps alert Web browsers to sites hosting malware, Provos said.

"As early as 2003, malware authors prompted users to download fake AV software by sending messages via a vulnerability in the Microsoft Messenger service. We observed the first form of fake AV attack involving Web sites, e.g. Malwarealarm.com, in our systems on March 3, 2007," the report says. "At that time, fake AV attacks employed simple JavaScript to display an alert that asked users to download a fake AV executable."

"More recent fake AV sites have evolved to use complex JavaScript to mimic the look and feel of the Windows user interface," the report continues. "In some cases, the fake AV detects even the operating system version running on the target machine and adjusts its interface to match."

Fake antivirus is easy money for scammers, Provos said.

"Once it is installed on the user system, it's difficult to uninstall, you can't run Windows updates anymore or install other antivirus products, and you must install the [operating] system," rendering it unusable until it is cleaned up, he said.

Provos said when encountering a fake antivirus message, Web surfers should close the browser and restart the program. People who are duped by the scam may have to get professional help in cleaning up the computer, he said. They should also monitor their credit card accounts because scammers can use the credit card information for identity fraud.



On iPhone, beware of that AT&T Wi-Fi hot spot



Samy Kamkar has created a program that can be used to intercept Google Maps on a hijacked iPhone.

(Credit: Samy Kamkar)


A security researcher has discovered that any wireless network can pretend to be an AT&T Wi-Fi hot spot and thus lure unsuspecting iPhone users to an untrusted network connection.

Samy Kamkar, who created a worm that garnered him a million friends on MySpace overnight in 2005, said in an interview this week that he can hijack any iPhone within Wi-Fi range in what is often dubbed a "man-in-the-middle" attack because of the way the devices are configured to recognize AT&T Wi-Fi connections merely by the name "attwifi."

Typically, an iPhone will look for a specific MAC address--the unique identifier for the router--to verify that the wireless network is a device a user agreed to join previously, according to Kamkar. However, if the iPhone has previously connected to any one of the numerous free AT&T Wi-Fi hot spots (offered at virtually every Starbucks in the U.S., for example) the device will ignore what the MAC address says and simply connect to the network if it has "AT&T Wifi" attached, he said.

"The iPhone joins the network by name with no other form of authentication," he said.
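The join-by-name behaviour Kamkar describes can be modelled as an auto-join policy decision. The following Python is an added illustration written for this page, not code from Kamkar, Apple or the article: it contrasts a policy that accepts any beacon carrying a remembered network name with one that also requires the remembered access point's MAC address (BSSID). The known-network entry, the beacon list and the MAC addresses are constructed sample values.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class KnownNetwork:
    """A network the device previously joined (constructed model)."""
    ssid: str
    bssid: str  # MAC address of the access point that was actually joined


@dataclass(frozen=True)
class Beacon:
    """An access point currently in range, as seen from its beacon frames."""
    ssid: str
    bssid: str


def autojoin_by_name(known: List[KnownNetwork], beacon: Beacon) -> bool:
    """Weak policy, modelled on the behaviour the article describes: any
    beacon whose name matches a remembered network is joined, regardless of
    which access point is broadcasting it."""
    return any(k.ssid == beacon.ssid for k in known)


def autojoin_by_name_and_bssid(known: List[KnownNetwork], beacon: Beacon) -> bool:
    """Stricter policy: both the name and the access point MAC address must
    match a remembered entry before the device joins automatically."""
    return any(
        k.ssid == beacon.ssid and k.bssid.lower() == beacon.bssid.lower()
        for k in known
    )


def evaluate(
    known: List[KnownNetwork],
    beacons: List[Beacon],
    policy: Callable[[List[KnownNetwork], Beacon], bool],
) -> List[Tuple[str, str, bool]]:
    """Run a policy over every beacon in range and report the join decisions."""
    return [(b.ssid, b.bssid, policy(known, b)) for b in beacons]


# Constructed sample data: one remembered hot spot and three beacons in range.
KNOWN = [KnownNetwork("attwifi", "00:11:22:33:44:55")]
BEACONS = [
    Beacon("attwifi", "00:11:22:33:44:55"),   # the access point joined before
    Beacon("attwifi", "66:77:88:99:aa:bb"),   # a different AP reusing the name
    Beacon("homewifi", "00:11:22:33:44:55"),  # same MAC, different name
]

if __name__ == "__main__":
    for name, policy in (("by name", autojoin_by_name),
                         ("by name and BSSID", autojoin_by_name_and_bssid)):
        print(f"policy: {name}")
        for ssid, bssid, joined in evaluate(KNOWN, BEACONS, policy):
            print(f"  {ssid:9s} {bssid}  join={joined}")
```

Under the name-only policy the second beacon, an access point the device has never seen, is joined because it merely advertises the trusted name; under the stricter policy it is not. In practice a single SSID legitimately spans many access points, so pinning one BSSID is a teaching model rather than a drop-in fix; the mitigation the article itself offers is to forget the network or disable auto-join.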

Kamkar said he made this discovery recently when he was at a Starbucks and disconnected from the AT&T Wi-Fi network.

"I went into the settings to disconnect and the prompt was different from normal," he said. "I went home and had my computer pretend to be an AT&T hot spot just by the name and my iPhone continued to connect to it. I saw one or two other iPhones hop onto the network, too, going through my laptop computer. I could redirect them, steal credentials as they go to Web sites," among other stealth moves, if he had wanted to.

To prove that a hijack is possible, Kamkar wrote a program that displays messages and can make other modifications when someone is attempting to use the Google Maps program on an iPhone that has been intercepted. He will be releasing his hijacking program via his Twitter account: http://twitter.com/samykamkar.

Kamkar hasn't attempted the hijack on an iPod Touch, but plans to determine whether it has the same vulnerability.

iPhone users can protect themselves by disabling their Wi-Fi, or they can turn off the automatic joining of the AT&T Wi-Fi network, but only if the device is within range of an existing AT&T hot spot, Kamkar said.

Asked for comment, an Apple spokeswoman said: "iPhone performs properly as a Wi-Fi device to automatically join known networks. Customers can also choose to select to 'Forget This Network' after using a hot spot so the iPhone doesn't join another network of the same name automatically."

Kamkar, an independent researcher based in Los Angeles, first made a name for himself by launching what was called the "Samy" worm on MySpace in order to see how quickly he could get friends on the social-networking site. The cross-site scripting (XSS) worm displayed the words "Samy is my hero" on a victim's profile and when others viewed the page they were infected.

He served three years of probation under a plea agreement reached in early 2007 for releasing the worm.



Do not pay for security software

Basic security protection can be enough.

After the recent disaster of an antivirus app update from security vendor McAfee, I took a quick look at what the laptop and PC companies--from whom most people get their security software--were offering in the way of security software on new computers.



Here's what I wanted to see: computers pre-packaged with Microsoft's free antivirus software, Microsoft Security Essentials, which I've found to be robust enough for all users except the most cavalier sloppy clickers out there. MSE is also lightweight enough that it doesn't slow your computer and is largely invisible when doing updates. And it's free. Did I already say that?

It's not that free software is better by nature. The full-feature, paid security suites are robust computer and information protectors, especially for people who might otherwise get themselves into trouble online due to a lack of education on basic computing security practices. There's nothing wrong with saving these folks from trouble. But are you one of them?

McAfee-type flubs are also rare, and nothing's magically protecting Microsoft, AVG, Avast, and any other free antivirus apps from the same fate. But I say, given the problems that you might have with any antivirus app, why pay money for features you don't need? It's not like your money buys you complete peace of mind.

So where can you buy a computer with MSE pre-installed? Microsoft confirms that no top-tier computer maker is yet offering it pre-installed on new PCs. That's a shame. In Microsoft's own retail stores, though, MSE is part of the included software suite.

The standard offering now is a trial (time-limited) version of either Symantec's Norton security suite or McAfee's, for no charge, or the option to select either Norton or McAfee. On some product lines you can opt out of the pre-installation of either of these products and get a computer completely unprotected if you ask. Others will let you opt out of the setup of a pre-loaded security suite when you first power up your computer. On these machines, you can easily download MSE and install it yourself.

Keep in mind that connecting an unprotected computer to the Internet is not the smartest thing in the world to do. While I do not believe the hype that a new, unprotected computer will be instantly taken over and turned into a zombie for the Russian mafia the moment it connects to the Net over Ethernet or Wi-Fi without running security software, you still don't want to do much, if any, surfing without a protection app installed. (One way to stay belt-and-suspenders safe: download the installer for MSE from a protected computer, put it on a flash drive, and then install it on your new computer before you let it connect to the Net.)

So why can't you get the excellent Microsoft app pre-installed instead of Norton or McAfee? Because the companies that make the paid apps pay the manufacturers for converting trial users to subscribers. Microsoft Security Essentials is free, and Microsoft pays computer makers nothing for installing it. So it's in the manufacturers' financial interests to keep offering you security suites that are too big, too expensive, and frankly too flaky.

A Dell rep even told me that the suite you're more likely to be offered depends on the "deal of the month" that Dell has with the security vendors (Symantec or McAfee). It's like walking into a Best Buy, she said: some days the big in-store displays push one product; some days another. It depends on the deal.

Sure, this is capitalism at work, and we can't really fault that. But in this case I call foul. Users' computer security is more important than making a few bucks from them, and not all security suites are created equal, certainly not equal enough to be swapped out based on the deal of the moment. It's time for computer vendors to do the right thing for users, and that means offering good free security apps if they're better for users. And for many users, they are.

