Niels Provos of the Google Security Team has blogged about the rise of malicious web sites carrying rogue security products, which the Google team calls “Fake AV.” Google has been engaged in a constant battle against the sites because the operators who peddle them have been refining their techniques for poisoning Google search engine results in order to victimize Google users by drawing them to malicious download sites.
He wrote: “we conducted an in-depth analysis of the prevalence of Fake AV over the course of the last 13 months, and the research paper containing our findings, ‘The Nocebo Effect on the Web: An Analysis of Fake AV distribution’ is going to be presented at the Workshop on Large-Scale Exploits and Emergent Threats (LEET) in San Jose, CA on April 27th.”
He went on to say: “Our analysis of 240 million web pages over the 13 months of our study uncovered over 11,000 domains involved in Fake AV distribution — or, roughly 15% of the malware domains we detected on the web during that period.
“Also, over the last year, the lifespan of domains distributing Fake AV attacks has decreased significantly.”
Provos advises Web users not to purchase the rogues when they pop up their persistent, screaming warnings and instead, remove the malicious code from their machines.
“In the meantime, we recommend only running antivirus and antispyware products from trusted companies. Be sure to use the latest versions of this software, and if the scan detects any suspicious programs or applications, remove them immediately,” he said.
Google Online Security Blog piece here.
How do you know what is an “antivirus and antispyware product from a trusted company?”
Check out the Sunbelt paper “How to Tell If That Pop-Up Window
Is Offering You a Rogue Anti-Malware Product.”
There are 2,279 rogues in VIPRE detections. For a description of the latest rogues that Sunbelt has found, check out our Rogue Blog here.