Immunet Blog

I recently attended a Stanford Security Seminar talk on An Analysis of Fake Antivirus, given by Moheeb Abu Rajab of Google's Anti Malware team. The talk summarized the recently released research report by Google's security team called The Nocebo Effect: An Analysis of Rogue Antivirus Distribution; included here are the key trends from the report and from the security talk that are most relevant to Web users:

The Web continues to provide a very attractive platform for distributing malware to millions of consumers

• Social engineering attacks that prey on the naivete and intrinsic human motivations of users has become a rising attack trend. Social engineering "tricks" users into engaging in behavior that makes their PC vulnerable to further attacks, increasing the likelihood that they will be infected with malware. 

• These social engineering attacks are on the rise both in absolute volume of attacks, and also relative to drive-by downloads that focus on exploiting vulnerabilities in the browser or plugins to deliver malware. It has become much easier to trick a human being using psychology and playing on user fears than it is to exploit a technology weakness in a machine.

• Fake antivirus (Fake AV) or rogue security software is a form of social engineering attack that displays fake pop-ups on the user's PC that are designed to look like the operating system status alert, or a browser window status alert, that "tricks" the user into thinking they have a virus on their computer when they in fact DO NOT have a virus.  Users become scared (thus the term "scareware") that the virus is going to damage their computer, and as a result end up paying the fake AV vendor with their credit card details for a subscription that will not remove the fake virus, but may in fact deliver more malware to the PC.

• Fake AV is responsible for 50% of all malware delivered via Ads, which represents a five-fold increase from just a year ago. Google's malware detection infrastructure found over 11,000 malware-ridden domains through its process between January 2009 - January 2010.

Why Should You Care About Fake Antivirus?

While you may be savvy and security-conscious enough not to fall victim to scareware or rogue antivirus programs, your friends, family and colleagues may not be as well informed. They probably aren't reading this blog post (unless you've forwarded it to them), and may not be aware that there is a difference between legitimate antivirus and rogue antivirus. A simple "heads up" or "share this" action from you may actually save your friends a great deal of headache and financial worry.

Here are some Smart Tips to Share on Avoiding Rogue Antivirus:

1. Keep your antivirus up to date. If you use signature-based virus detection like Microsoft Security Essentials, Norton, AVG, McAfee, Avira, Avast, etcetera, make sure you have the latest virus updates. As Niels Provos of Google states, “We found that if you have anti-virus protection installed on your computer but the [malware detection] signatures for it are out-of-date by just a couple of days, this can drastically reduce the detection rates. It turns out that the closer you get to now, the commercial anti-virus programs were doing a much worse job at detecting pages that were hosting fake anti-virus payloads.” 

2. Always use real-time antivirus protection like Immunet Protect, even if you already have traditional antivirus. Immunet is ideal as an extra, light, companion layer of added protection that will help catch viruses that your other AV may not always detect (did you know that on average traditional, signature-based security solutions only catch 50% of threats?)

3. Install a firewall and keep it on at all times

4. Keep your Windows operating system software set to "automatic updates"

5. Don't click on pop-up windows, or ads that "scare" you into taking immediate action. Beware of ads with flashing exclamation points, and urgent calls to action that include the words "infection, infected, virus detected", for example.

6. Be aware of top "trendy keywords" and be particularly mindful of clicking on links or search results for these top trendy keywords. A trendy keyword is a keyword that has risen in popularity in a short timeframe as a result of a time-based event, such as a natural or man-made disaster (e.g. Haiti earthquake, Gulf oil spill, hurricane, flood, etc), a celebrity event or celebrity news trend, or media-driven news story.

To find out what the current trendy keywords are, which malware promoters are likely ALSO targeting via advertising and fake links on search engines, you can use the keyword tools like Google Trends.

7. Stay calm, and think before you click, especially links in e-mail or on social networking Web sites.

8. If you are presented with scareware alerts, even after taking the above precautions, read this helpful tutorial that Brian Krebs wrote for The Washington Post called “What To Do When Scareware Strikes"

9. If you believe you have encountered malware on your PC via a rogue antivirus program, Immunet may be able to help! You can submit the suspicious file (or files) you believe to contain a virus or some other form of malicious code to submit@samples.immunet.com.

10. You can report the website that delivered the rogue AV to the FTC Bureau of Consumer Protection via their Online Complaint Wizard.

11. If you provided any credit card data to a company that you believe may be behind a social engineering attack, be sure to notify your credit card company immediately of potential fraud, and consider registering for identity protection services, which will prevent anyone from using the information you provided (including your name, billing address, and credit card information) to steal your identity for criminal purposes.

12. Do your part as a safe online citizen, and pass this message along to a neighbor, a friend, a family member, or a colleague. Don't get scared, get smart, and share the knowledge to keep the people you care about safe online.

 

I just read a recent blog post by Tory Jennings of CoreTrace that mentions Symantec’s new Internet Security Threat Report (ISTR). The threat report is a must-read for any security professional, as it highlights current trends in the threat landscape based on real data taken from the world's largest security software maker.  Consider this statistic:  Symantec blocked an average of 100 potential attacks per second across its userbase in 2009, or 6,000 potential attacks per minute, 360,000 attacks per hour, or 8.6 million attacks per day.  The key takeaway from these numbers? Internet users are TRULY "under attack", and as millions more users embrace social networking sites and interact with each other online, the issue of collective security and protection against malicious threats becomes even more important for every Netcitizen.

A Symantec article titled, “Cybercrime’s Financial and Geographic Growth Shows No Slowdown during the Global Economic Crisis" shows that hackers were more active than ever last year. The multitude of cyber threats has not only increased, but become more sophisticated, more global in reach, better funded, and caused greater damage from a financial perspective.

The Threat Report, coupled with June's Consumer Reports State of the Net 2010 Report, drives home the point to consumers and security professionals alike that Internet threats and user security are key concerns requiring a radically different and collaborative approach to what is ultimately a community-wide problem.

Consider these statistics from the State of the Net 2010 Report:

 The report, available on newsstands and in summary format from the Consumer Reports website, states:

• Within the past year, 9 percent of social network users experienced some form of abuse, such as malware infections, scams, identity theft, or harassment.

• Among all computer users, established threats, such as spyware and phishing e-mail scams, persist at alarmingly high levels, and virus infections increased significantly since last year. Forty percent of online households surveyed reported that they had at least one virus infection in the past two years. 40%!

What percentage of the 40% who were infected with at least one virus infection actually had antivirus protection that didn't work effectively enough? We don't know for sure, but we do know that approximately 50% of online users have inadequate, expired, or no antivirus protection at all.

Consumer Reports estimates that cybercrime cost American consumers $4.5 billion over the past two years and prompted over 2.1 million computers to be replaced as a result of the havoc wreaked. Imagine what the global damage from those same threats must be? The report also states that these findings "provide a reminder that it's still important to use the best anti-malware software available." [hint hint -- get Immunet, it's always up-to-date and it works as extra protection beyond your existing antivirus, plus it's free].

Seriously, these are sobering statistics, and they are ones that keep the team here at Immunet up late at night (in addition to working hard on product improvements and launching the new release of Immunet Protect for June...). We truly do care about making the Internet a safer place, one Immunet user at a time, one community of friends and family at a time.  

Of the features we have developed for the new 2.0 release is a simple community tool that makes it incredibly easy for users to extend antivirus protection to their contacts. Why would you want to extend protection beyond your own PC to those of your friends, family members, coworkers, and most frequent contacts? Here's why...

At Immunet, we believe that security begins with the end user, but it certainly shouldn't end there. If you are a community of one, you can take the "every man/woman/child for herself" approach and say, "I don't care if my friends don't have antivirus, at least I have it". But as we know in the age of Web 2.0 and social networks, NO one is an island, and the Internet is about connection, sharing, collaborating. Connecting online should not include inadvertently infecting someone you just emailed or shared a URL link with because it was full of malware that your antivirus software didn't detect. Talk about a social networking faux pas.

We believe that engaging and connecting with others' online, whether it's via Facebook, email, Twitter, games, or other means, that act of connecting online comes with certain responsibilities, such as socially "safe", security-conscious behavior. What are some examples of "socially safe, security conscious" behaviors?

1.  Make sure you are protecting yourself and your PC against threats. Make sure your antivirus is up to date. If you turn your protection off, or haven't scanned in a while, make a habit to turn it back on or scan frequently at regular intervals.

2. Use strong passwords, use a different password for each site, and don't give your password out to anyone, especially via email, which is not secure. 

3. Adjust your privacy settings to "Maximum" if you can. Check privacy settings on all services you use, including Facebook, Twitter, LinkedIn, any online groups, forums, and even Web services.

4. Only share with known people. Don't accept friend requests from total strangers, even if it looks like someone you know knows them...it might be a fake identity. Don't be fooled. See the article on "Online Con Artists" for more reasons why you should be wary.

5. Only share information, content, photos and posts about yourself that you would not be embarrassed about if somehow your privacy settings suddenly stopped working temporarily (as in the Facebook case from this week, where private Facebook chats and pending friend requests were exposed due to a Facebook security flaw).

6. Do not share content, photos or information about your friends, family or coworkers that you did not get explicit permission to share -- they may be more private than you and don't want all YOUR friends knowing that they had a party this weekend that their own social contacts may not have been invited to.

7.  Finally, protect your most beloved people -- the friends, family members, and frequent contacts that you TRULY care about. I call these people your "lifeboat", or those social contacts whom you communicate with most frequently. These are people who trust you to help them out, and whom you know would help you in return. No, these are not your 5,000 Facebook "friends" including someone you went to preschool with that you don't even remember anymore.  Your lifeboat people would call you for help if they were ever a victim of identity theft, or an online scam, or had their PC hacked by a cybercriminal, because they know you care about them and can do something to help. 

PLEASE suggest that they protect themselves. In fact, don't just suggest it to them, actually HELP THEM OUT.  Recommend what YOU use, whether it be to download free antivirus software, or the install a helpful password manager tool since it's challenging to memorize strong passwords, or to sign up for identity theft protection to prevent fraud.

Explain to them why they should change their behavior, if you know it is risky, such as implementing the Top 7 Things You Should Stop Doing on Facebook as recommended by Consumer Reports.

Call them up and walk them through the steps for what to do. If you can, better yet, go to their house and help install it for them (like I did with my parents, who are technically clueless and THOUGHT they had updated antivirus on their home PCs but hadn't renewed their subscription in months. Now they do have real-time protection because I installed Immunet for them, and I see their status online so know they are safe...). 

Why does protecting your lifeboat matter a lot? Because you have influence to protect them, and they are the ones that are most likely to infect you or affect you if they are practicing socially unsecure or unsound online behavior. If their privacy settings are off, the data you've shared with them becomes less private for you (your chat with them is now exposed, your postings on their wall now made public to everyone). If their antivirus is not updated or they don't have antivirus, they are the ones most likely to infect you with malware. If their email gets hacked, then your contact information that resides in their address book is now going to get spammed by hackers. All this means damage to your friend, and collateral damage to you in some way.

Please be a friend and help your friends be safer and more secure online. It will give them greater peace of mind to know you care enough to help protect them, and you'll have greater peace of mind knowing that the people you care about the most are better protected as a result of your personal efforts.

Protect a friend with Immunet