Understanding Current Trends in the Fake Anti-Virus/Scareware Ecosystem

The cyber-criminal groups behind fake anti-virus (scareware/rogueware) infections have run into some significant roadblocks over the last few years, but there is much more to the overall story.

Some groups have been arrested. Some have had their operations and entire call support centers shut down.

Some groups attracted too much attention, picked off the low hanging fruit and eventually walked away from their botnets.

In some cases, the groups just weren’t very skilled at developing anti-anti-malware techniques, blackhat SEO, and malware distribution. They couldn’t keep up with the changes in anti-malware technologies, weren’t exactly dedicated to the effort, and simply fell off the map.

However, some of the remaining scareware distribution gangs upped the ante and are aggressively developing difficult-to-detect polymorphic installers and difficult-to-remove support components. And the newest of these malware components include some of the first ITW 64-bit malware components to be taken seriously. But, for the most part, the scareware program itself remains the same. The development continues to change and progress, all for the purpose of evading anti-malware solutions and helping coerce the end-user to pay for the fake product, including support/rootkit components like TDSS (and its extreme complexities) or the more recent Black Internet (also known as “Trojan-Clicker.Win32.Cycler”) support/rootkit components. These complex Mbr infectors and other rootkit components meant to maintain money-making scareware on the system are signs of this somewhat extreme development effort.

At the same time, the commodity exploit kits that the various cyber-criminal groups use to distribute their rogueware have not become any more complex. Instead, some of the more complex kits available in online marketplaces have disappeared with simpler kits like Eleonore and Phoenix remaining. Most of their exploitation, shellcode, encryption and evasion technologies remain uninspired and fairly static. And a good portion of malware distribution relies on very simple uses of technology, not the creation of new technology, “social engineering”. Basically, the abuse of an environment that helps fool a user into running an executable on their system that they should not trust.

What does this tell us? For the most part, effectively delivering malware to end user systems still works with simpler, less expensive, means. Which suggests one of several things:

1. End users are not patching their machines.
2. The vulnerabilities are not known and patched quickly enough, or the automatic update utilities are not taking effect quickly enough.
3. Too many end users continue to run their system without effective security protection.

Why? There are a variety of reasons that can be argued. It could still be a rational rejection of security advice – users gamble that the efforts of expending the effort to keep informed and their systems up to date are not worth the risk infection/complete compromise (although when you work with owners of infected systems, the “rational” rejection doesn’t seem quite so rational any longer). It could be because of network policies, decided by IT departments and other groups. It could be a lack of understanding about security needs altogether and how to keep software organized and up to date. And finally, that certain types of security products are not terribly effective at keeping malware off of systems. Most likely, it is because of a mix of all of these reasons.

Cybercriminals build complexity into their software when they need to, so increasing complexity in their “support utilities” like rootkit components while simplifying delivery technologies tells us that the best solutions preventing drive-by exploitation and malware delivery continue to be under-utilized.

The lowest hanging fruit is most always taken first.