It won't come as a surprise to regular readers of this blog that there's a lot of fake/rogue anti-malware about. (see http://www.eset.com/threat-center/blog/category/fake-anti-malware-fake-software). However, a report released at RSA Europe goes some way towards quantifying that threat, and has created something of a stir in the media.

That's to be expected: journalists tend to love facts and figures. Anti-malware researchers (well, this anti-malware researcher) have/has a tendency to be more cautious, and while the statistics in the report from Symantec certainly give a flavour of the sheer scale of the problem, they're a snapshot taken from a particular viewpoint, not the whole panorama. (That said, a lot of resources seem to have been expended on this report: it's probably not a million miles out.)

Unfortunately, some journalists have simply gone to the highlights page in the executive summary and recycled the figures (one newscast infuriated me by advising "don't allow pop-ups" as if that was all there is to fixing the problem), whereas the really interesting and useful content is in the descriptions of the mechanisms behind these scams. We have an overview paper on the topic at http://www.eset.com/download/whitepapers/Free_but_Fake.pdf by ESET Latin-America's Cristian Borghello, but for a more detailed approach, the much longer paper based on a longitudinal study is well worth looking at.

However, Rob Rosenberger's reaction is also interesting: he took the opportunity to tweet a reminder of an article he wrote back in March about fake AV and virus hysteria. Somewhat predictably, he regards the anti-malware industry as a major contributor to the fake (or rogure) anti-malware problem. An interesting idea, coloured by his preoccupation with the idea that "virus hysteria" - an unpleasant phenomenon that I too have seen much too much of in the past 20 years - is partly the creation of the anti-malware industry. Well, I'm not going to tell you that the entire anti-malware industry is (and always has been) whiter than white. Still, I don't think that a similarity in pricing and addiction to signature updates really accounts all by itself for the success of fake AV syndrome.

At this year's Virus Bulletin conference, there was an interesting and amusing panel session that addressed both free anti-virus and fake AV, and I think there's a clue there. Many people mistrust anti-malware products, and quite a few think they should be free. (No, that wouldn't work for me: I have this addiction to food, which requires me to earn a living.)

Fake AV often exploits this desire for something for nothing, by offering a free product that turns out to be far from free. It does, to some extent, mimic a legitimate model of "This product has detected such and such malware on your system, but you'll have to pay us to remove it", but that model hasn't been particularly associated with mainstream AV. (A number of shareware products have used a similar model, though.) And I certainly can't think of a legitimate product that forces itself onto your PC as a pop-up and scans it without asking permission before asking for payment before removing the malware it finds, real or not.

Where there is confusion, though, it derives from the ways that fake AV products try to blur the boundaries between fake and real, using spoofed web sites, forged certifications, advertising collateral and other information stolen from real products, and so on.

Another approach we've seen much more of in recent years is the use of legal action to try to restrict the ability of real security vendors to detect not only fake AV, but nuisances such as certain kinds of adware that may not be considered to be malware in the strictest sense of the word. Juraj Malcho, head of ESET's lab in Bratislava, presented a fascinating paper on the topic "Is there a lawyer in the lab?" at Virus Bulletin 2009, as I mentioned in a previous blog. We can't put up the paper itself until the end of the year because of the terms of the agreement made with Virus Bulletin when a conference paper is accepted, but a PDF version of the presentation is available here and here.

Other links:
http://tech.yahoo.com/news/nm/us_cybersecurity_symantec
http://news.bbc.co.uk/1/hi/technology/8313678.stm
http://www.theregister.co.uk/2009/10/20/scareware_psychology/
http://www4.symantec.com/Vrt/wl?tu_id=TeCm125590003756772344

David Harley
Director of Malware Intelligence