'Rogue antivirus' con game escalates to serious malware

You are peacefully surfing the Net when a message pops up saying something like "WARNING! We have detected the Plotzville virus on your computer. Click here to initiate cleaning with DefenderAntiVirus."

What you've just seen is the latest attempt to infect your computer. These "drive-by-downloads," so called because simply visiting some Web pages is enough to install malicious code on your computer, are becoming epidemic.

Maybe there is a virus on your computer, maybe not. If there is, the people who sell "DefenderAntiVirus" probably put it there. Or maybe they are just claiming it's there to con you into buying their product. Either way, if you click OK, chances are you will end up with an infected computer.

And "DefenderAntiVirus" -- or whatever high-sounding name they give it -- doesn't actually remove viruses. It may not do anything but put up messages designed to make you think it's working. Or it may actually install malicious software -- malware -- just so it can "detect" it. If you succumb to the pitch and order the software, cyber criminals also may misuse the credit card number you supplied to pay for it.

Such "fraudware" designed to scare people into buying bogus products has been an annoyance for some time; the security community refers to it as "Fake AV" or sometimes "rogue antivirus." But now these techniques are being used to spread more serious malware, said Wyman Miles, manager of security engineering for Cornell Information Technologies (CIT).

Several computers on campus have been compromised this way in just the last few days, Miles said, and security professionals across the country are reporting a similar surge in activity. These programs may be logging your keystrokes, stealing your passwords or even taking over the computer to use as part of a network of slaves to send out spam and more viruses. The malware targets Windows operating systems up through Windows 7. The damage can be slightly less if the user does not have administrative rights on the computer, but damage can still be done, Miles said. Macs and Linux systems so far seem to be immune.

Many people fall for these scams because fake antivirus programs are designed to appear as legitimate as possible. Many have fully developed Web sites where you can purchase and download the software. Some even return e-mails with a serial number and a valid, functioning customer service phone number. The service, however, is likely to be mainly a pitch to purchase "upgrades."

Cornell security experts have compiled a list of 47,000 Internet domains hosting malicious Web sites and are trying to devise ways to prevent campus users from reaching those sites. In the meantime, report any such pop-ups, such as flashing "Your computer may be infected" warnings, to local tech support. The message, ironically, may be true.

Malware often reveals itself by "phoning home" or sending out large quantities of spam, and CIT has tools to automatically generate an alert when a machine sends suspicious traffic. "Chances are we'll see it on the network in a day or two and alert the user's technical support," Miles said.
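A minimal version of that kind of traffic check, added here as an illustration rather than CIT's actual tooling; the flow record format, the thresholds and the sample addresses are all constructed assumptions:

```python
"""Flag hosts whose outbound traffic looks like spam bursts or periodic
'phone home' beacons (illustrative example; format and thresholds assumed)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: (epoch seconds, source IP, destination IP, dest port)
FLOWS = [
    # 10.0.0.5 contacts one external host every 60 s with almost no jitter
    *[(1000 + 60 * i, "10.0.0.5", "203.0.113.9", 443) for i in range(8)],
    # 10.0.0.7 opens many direct SMTP connections to different mail servers
    *[(2000 + i, "10.0.0.7", f"198.51.100.{i}", 25) for i in range(40)],
    # 10.0.0.9 is an ordinary workstation: a few irregular connections
    (3000, "10.0.0.9", "203.0.113.20", 443),
    (3017, "10.0.0.9", "203.0.113.21", 80),
    (3300, "10.0.0.9", "203.0.113.22", 443),
    (3301, "10.0.0.9", "198.51.100.50", 25),
]

def detect_suspicious(flows, smtp_threshold=20, beacon_min=6, max_jitter=0.1):
    """Return a list of (source IP, reason) alerts.

    spam   : more than `smtp_threshold` outbound port-25 connections, which a
             workstation relaying through the campus mail server never needs.
    beacon : at least `beacon_min` connections to one destination whose
             inter-arrival times vary by less than `max_jitter` of the mean.
    """
    smtp_count = defaultdict(int)
    pair_times = defaultdict(list)
    for ts, src, dst, dport in sorted(flows):
        if dport == 25:
            smtp_count[src] += 1
        pair_times[(src, dst)].append(ts)

    alerts = []
    for src, n in smtp_count.items():
        if n > smtp_threshold:
            alerts.append((src, f"spam: {n} outbound SMTP connections"))
    for (src, dst), times in pair_times.items():
        if len(times) < beacon_min:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Coefficient of variation: a timer-driven beacon gives a value near zero
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            alerts.append((src, f"beacon: {len(times)} connections to {dst} every ~{avg:.0f}s"))
    return alerts
```

Running `detect_suspicious(FLOWS)` flags 10.0.0.5 as a beacon and 10.0.0.7 as a spam source while leaving 10.0.0.9 alone; in practice the alert would go to the user's technical support, as the article describes.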

He recommends that campus users install and keep updating Symantec Antivirus, available free to members of the Cornell community at http://uportal.cornell.edu; select the Bear Access tab and follow the "Protect my computer" link.

However, Miles said, it will not detect all malware installations. "It's not a silver bullet," he said. Other free utilities, such as Microsoft's Windows Defender, sometimes detect malware that Symantec misses, he said.

Media Contact

Joe Schwartz