
Rogue Anti-Spyware/Anti-Virus Outbreaks Rise Again Despite Law Enforcement Crackdowns

They're baaaaack! In August we reported that worldwide malware traffic and infections had dropped dramatically following an international crackdown on scareware providers. Part of that crackdown included crippling the bad guys' ability to process payment from their victims.

Rogue anti-spyware programs, also known as scareware or fake AV, are designed to lure computer users into believing they're infected with malware and buying such malicious software. Rogue anti-spyware programs may be installed by a Trojan, which is bundled with freeware or other downloadable software often found in BitTorrent and file sharing directories, fraudulent porn sites, and fake online malware scanner web pages. Because rogue anti-spyware programs do not have real detection/removal capabilities, computer users end up paying for something of no use, and, what's worse, the creators of the scareware can take their credit card information and make fraudulent charges.

We and others noted that immediately after the crackdown, malware traffic and infections plummeted. Our reasoning back then was that this was most likely a temporary drop, and that it was only a matter of time before the scareware providers figured out a new way to get paid and get back in business. We were right. While the malware infections are still not up to early 2011 levels, it is clear that some very nasty infections are back and are now growing again. Here are a couple of examples:

Fake System Restore is a nasty infection that tricks you into thinking you are fixing problems with your computer by restoring it to an earlier state...for a fee. Take a look at the chart below, which shows Google searches from people who got the infection. Note the drop in June, about the time of the FBI crackdown, and then note the spike in mid-October when the bad guys clearly found out how to get paid again.

[Chart: scareware interest over time]

AV Security 2012 is another rogue anti-spyware program. AV Security 2012 creates fake pop-up messages telling you that it can remove the spyware on your computer, but only if you pay. The chart below shows that Google searches for fixes to this malware spiked dramatically in mid-October, another sign that the infection is back stronger than ever.

[Chart: scareware increase timeline]

Our internal statistics mirror much of what you see here. In the last month, our traffic and subscriptions are up 33% from the July and August lows. It's clear to us that the malware providers have once again figured out a way to get paid. After picking through tens of thousands of lines of code to dissect these infections, we have reason to believe that some of them are even using a US payment processor to help them do it, which is disappointing.

Even though the law enforcement crackdown appears to have only created a temporary speed bump in the malware arms race, we still applaud it. These criminals need to know that their extortion of millions of people around the world is not going unnoticed, and every effort should be made to shut them down permanently. Until that happens, we and others in our industry stand ready to take the battle to them and protect computers and our customers as best we can.
