November 13, 2008

Rogue and Fraudulent Security Software and Websites a Growing Threat

The line between these two is blurring, but let's try to define them anyway...
  • Rogue : The primary purpose of this software is to compromise your computer with the intent of giving the attacker access to it, stealing your information, or both. This is done by malicious code inside the software that is installed or run on your computer without your knowledge. In most cases this software does not live up to its advertised functionality. For example, a program that appears to be anti-virus software instead installs a trojan on your computer that records your keystrokes with the intent of stealing your account login credentials.
  • Fraudulent : The primary purpose of this software is to separate you from your money. This software might operate as advertised, but in many cases it doesn't. The software will use fraudulent practices to get you to buy it. Some of the tactics might be to scan your machine and then claim you have several dangerous viruses on it, or other such scare tactics. I have tested some of these on newly built, virus-free systems only to have them report that there are some 30 viruses on the machine. Scanning with a reputable product shows that it's clean. I have even seen cases where the fraudulent software places actual viruses on the system. :(
In my opinion the problem of rogue and fraudulent security software is quickly approaching epidemic proportions. I have seen a dramatic rise in the number of fraudulent applications and websites in the past few months to where there isn't a day that goes by where I don't come in contact with one or see one pop up. It used to be maybe once a month or so. And everybody is getting infected: my friends, relatives, co-workers, everyone is falling victim. Trend Micro says that 10 percent of all infections they see are caused by rogue software.

There are a few solutions that I can think of currently at our disposal to solve this issue: education of users, a law enforcement crackdown, and enforcement of usage policies by ISPs and web hosters.

User Education
It boils down to the basics, and examples from the physical world map quite nicely to the cyber world: if it looks or sounds too good to be true, it probably is. You don't (or at least usually don't) get something for nothing. While there is some great free software on the Internet, you need to be wary. As a security professional, help users by providing them with a list of known good security software and where to get it.

Law Enforcement Crackdown
My theory here goes: if the criminals think they can get away with it, they will. IMO, the deterrence factor is missing. There have been very few prosecutions, so the risks of getting caught, unfortunately, are low. If there were no police watching the roadways, would you still drive the speed limit? Without the deterrence factor things will not get better.

There are many factors causing this problem, but let me send a plea out to the folks in control of the budget purse strings: please fund your cyber police better! Provide training to them and hire more. Also tie any funding assistance to other countries to cyber crime cooperation. These topics are big enough for a separate post, so I won't get into them here.

ISP Enforcing Usage Policies
I understand that ISPs are resource challenged like many of us and are also in the business of allowing and routing traffic, but things are just out of hand. ISPs need to do several things: 1) enforce your EULAs, 2) stop routing to the bad networks, 3) react quicker to complaints and pressure from industry professionals about rogue elements on your networks, 4) MONITOR your networks for these bad actors, then shut them down and report them to the authorities, 5) react quicker to law enforcement queries. In many ways you, the ISP, hold the keys to the cars that the criminals use. A better analogy is that you provide them with the roads they drive on. Put up those toll booths, stock them with machine-gun-wielding guards, and stop them if they are doing bad.

One last note: ICANN, please please please do your job of enforcing your domain registration policies with your authorized registrars. For more information, see the great folks at who are combating this problem, and news articles here from The Industry Standard, eWeek, and Axcess News.

UPDATE: A great win!
McColo hosting center, which had been hosting many websites that propagate malware, rogue security software, and spam, has lost its Internet connection. Two Internet providers have stopped routing to this California-based hosting company. See the article by Washington Post reporter Brian Krebs here. He also has an update here. The immediate result? IronPort reports spam has dropped by 66 percent. 66 percent! reports a 75 percent decrease. See graph.

This is a great example of how a community comes together for a good cause and makes a difference. Fight the good fight!

Speaking of McColo, check out a new report released by that shows the data and analysis behind the case against McColo. Several security researchers contributed their data and analysis to this article, including me. ;-)