The rogue antivirus economy
Brian Krebs’ recent Security Fix post on the rogue antivirus economy describes an enormously profitable activity whose margins would make most legitimate businesses envious. By now we are all familiar with Rogue Antivirus programs, which generally use social engineering tricks to install on an unsuspecting user’s computer and try to scare them into buying absolutely worthless software that is, in fact, malware. With the explosion of new opportunities for social engineering facilitated by social networking, criminally motivated rogueware scams are also on the rise. The affiliate systems that have sprung up to distribute this malware have created their own cottage industry, receiving handsome wages even in the global economic downturn. Monthly commissions of 200,000 Euros and above are not uncommon, as are contests within the affiliate systems that give away luxury cars, gold bullion and other exotic prizes to the top affiliates. Krebs mentions at the end of his article that Microsoft’s bounty on the Conficker worm’s originator amounts to little more than a month of affiliate commissions and so would not be very appealing to anyone engaged in this activity.
PandaLabs has written a few posts on Rogue AntiMalware campaigns and all the moving parts associated with this movement. Because malware is ultimately the most dangerous part of this equation, it garners the lion’s share of attention. As more about the inner workings of the affiliate systems becomes known, we will likely learn that the threat represented by these systems has been underestimated. For starters, the affiliates are free to modify what their malware actually does as long as its reporting to the affiliate servers is not affected. That means that in addition to the annoying and useless rogue antimalware infections, additional crimeware can be attached, resulting in the loss of personal data that may be residing on the infected machine. Furthermore, when the victim of rogue antimalware decides to purchase the “product”, their credit card details are sent to payment systems completely controlled by cybercriminals. It’s only a matter of time before this information is bought and sold on the black market.
A business such as this needs a good supply chain, and it seems as if they have it. The bad guys can set up an affiliate site in very short order. We need to start thinking of ways to take down the infrastructure of malware distribution as a means of weakening the bad guys’ profit motive. Many of the same fundamentals of capitalism that exist in the real world also apply to the cybercriminal world. Higher barriers to entry and lower profit potential often lead to less innovation and growth for an industry. The takedown of McColo shows that the distribution of rogue malware can be negatively affected by changes in the infrastructure. I believe it would be beneficial for all concerned to support those individuals and organizations that are involved in documenting the underpinnings of malware distribution networks and, more importantly, liaising between security vendors, government agencies and law enforcement.
Although the fight against malware is much more than the sum of its parts, the industry should take a closer look at new ways in which we can slow the spread. It can only bring good to all but the cybercriminals.

Having witnessed some of this first-hand, I can completely understand the depth of this industry. Up until recently I was connected into an individual who was deeply rooted in this industry and made more in a month than I did in a year… which makes you think! I’ve gotten insights into custom, daily-generated, mutated malware which is undetectable… and absolutely scary.
It’s a deep underworld economy out there, and it’s growing faster than we want it to, and still thriving in this downed economy.