Rogueware attacks earn criminals $34 million per month

PandaLabs announced a multi-year study that examines the proliferation of rogueware into the overall cybercriminal economy. The report reviews the various forms of rogueware that have been created, and displays how this new class of malware has become an instrumental player in the overall cybercriminal economy.

The study also provides in depth analysis on the increasingly sophisticated social engineering techniques used by cybercriminals to distribute rogueware via Facebook, MySpace, Twitter and Google.

Rogueware consists of any kind of fake software solution that attempts to steal money from PC users by luring them into paying to remove nonexistent threats. PandaLabs predicts that it will record more than 637,000 new rogueware samples by the end of Q3 2009, a tenfold increase in less than a year. Approximately 35 million computers are newly infected with rogueware each month (approximately 3.50 percent of all computers), and cybercriminals are earning approximately $34 million per month through rogueware attacks.

In early 2009 social media sites, such as Facebook, MySpace, Twitter, and Digg, became large targets for rogueware distributors. The top five social media attacks involving rogueware are:

1. SEO attack against Ford Motor Company
2. Comments on Digg.com leading to rogueware
3. Twitter trending topics lead to rogueware
4. Rogueware exploits WordPress vulnerability to facilitate Blackhat SEO attack
5. Koobface moves to Twitter

Rogueware morphs quickly and proves difficult to detect

There are approximately 200 different families of rogueware. In the first quarter of 2009 alone, more new strains were created than in all of 2008. The second quarter painted an even bleaker picture, with the emergence of four times as many samples as in all of 2008. In Q309, PandaLabs estimates a rogueware total greater than the previous eighteen months combined.

The primary reason for the creation of so many variants is to avoid signature-based detection by (legitimate) antivirus programs. The use of behavioral analysis, which works well with worms and Trojans, is of limited use in this type of malware because the programs themselves do not act maliciously on computers, other than displaying false information. However, PandaLabs has started to identify more advanced malware variants that are using typical Trojan features, rootkits and other techniques to subvert virus detection technologies.

How rogueware business works and tracking the source

The report details how the rogueware business works. Not unlike a traditional business, the rogueware business model consists of two major parts: program creators and distributors.

The creators are in charge of making rogue applications, providing the distribution platforms, payment gateways, and other back office services. The affiliates are in charge of distributing the scareware to as many people and as quickly as possible.

PandaLabs’ research reveals that the affiliates are mostly comprised of Eastern Europeans recruited from underground hacking forums. They earn a variable amount per each install and between 50-90 percent commissions for completed sales. The PandaLabs report includes financial statements and photos from events hosted by the leaders of these organizations that are not dissimilar to corporate sales events.

The full report, The Business of Rogueware, is available here.

Don't miss