Users hammered by fake AV resurgence

GFI Software released its VIPRE Report for February 2012, a collection of the 10 most prevalent threat detections encountered during the month.

Most notably, GFI Labs has been documenting a new wave of fake antivirus applications (or rogue AV) on its Malware Protection Centre blog. Growing since the start of the year, last month brought a significant spike in new variations of rogue AV.

“While the velocity at which rogues were successfully propagating may have slowed toward the end of last year, they are certainly back now, and they remain a popular tactic among cybercriminals,” said Christopher Boyd, senior threat researcher at GFI Software.

“Users should not let their guard down. As always – no matter how convincing they look – always take the time to evaluate any piece of software that claims your PC is infected, prompts you for a credit card number or asks you to share any sensitive data, especially if it’s software that you or your employer did not install.”

Many rogue AV programs are being distributed via spam containing malicious links to the Blackhole exploit, a tool used by cybercriminals to target unpatched vulnerabilities in software applications from industry leaders like Microsoft and Adobe.

Users infected by rogue AV may be redirected to fraudulent websites, have their systems hijacked by software appearing to scan their PCs or plagued by messages warning of viruses and other PC security risk. These scareware tactics trick users into providing credit card data to purchase non-existent protection.

Rogue AV utilities are continually tweaked in an attempt to avoid detection, with newer variants of these malicious applications propagating every 12 to 24 hours.

Industry experts discovered that the personal web site of Twilight author Stephenie Meyer had been compromised, resulting in the site serving malware to visitors. The site had been compromised to host Crimepack, an exploit kit that takes advantage of known vulnerabilities of various Web browsers and the Windows OS to install malware.

Computers exploited by Crimepack can be turned into so-called “zombie’ clients, whereby criminal groups can control the infected machines remotely, using them to undertake an array of malicious tasks, such as spamming and launching denial of service (DoS) attacks.

Gamers were targeted via YouTube videos encouraging users to download a program that would generate codes that could be redeemed for free Microsoft Points, the online currency used by millions of Xbox users worldwide. The bogus generator prompted the victim to fill out various surveys in order to receive a password and continue the code generation.

Despite the best efforts of Microsoft and a number of security specialists, the Kelihos Botnet has continued to gain momentum in the wild.

Capable of sending out billions of spam emails in a day, Kelihos has been used to bombard users with spam relating to pornography, Viagra, and fake pharmaceutical companies. After being suppressed towards the end of 2011, evidence uncovered by industry experts suggests that a new variant is on the loose, rebuilding the botnet and adding to the global spam burden.

Other high profile scams detected during February included a gift card scam that appeared on a fake Tumblr blog, in time for Valentine’s Day, which purported to be from lingerie firm Victoria’s Secret. With the company about to open its first UK outlets, we may see more localized examples of this in the coming months.

GFI ThreatNet’s statistics revealed that Trojans once again dominated the top 10 threat list, taking half of the spots.