Rogue Anti-Virus (aka FakeAV, FakeAlert, Fraud Trojan, Scareware, etc.) is a common subset of the plethora of malware families out there. The typical characteristics of Rogue AV include:
A compelling Anti-Virus software Graphical User Interface which displays fake reports of virus infections on the user's computer
A prompt to clean up the alleged viruses on the computer
A demand for a removal fee of anywhere between US $40 and US $100
Unsurprisingly, rogue AV generates a copious income for its “purveyors”, and therefore it is ubiquitous. Well, almost ubiquitous. Even though rogue AV families form a large proportion of the samples from various sources, and many Anti-Virus companies report a variant of rogue AV within their top 10 most prevalent threats, it is interesting to note that when we drill down to sample submissions from our Indian customers over the past quarter, rogue AV is conspicuous by its absence. The number of incidents of rogue AV does not even make the top 20 threat types. This implies that rogue AV may not be as prevalent in India as in other parts of the world. How may this be explained?
As with other “professional malware”, Rogue AV tends to have a geographical bias, the targets being mainly home users in North America and Europe. The evidence for this, apart from the reported instances globally, is clear in terms of the choice of language, i.e. English, used to communicate with the victim, and the choice of currency, i.e. US dollars, to steal from the victim.
In addition, many rogue AV families make heavy use of Google Trends and Search Engine Optimization (SEO) poisoning, known as Black Hat SEO in the security community, to get themselves executed on the computers of millions of internet surfers out there. A description of these specific techniques is a subject for another blog, but suffice it to say that the abuse of SEO may not have affected Indian internet surfers, who are fewer in number and search for India-specific content, as much as those in other countries. There is even a distinct possibility that, as with certain spam campaigns, IPs originating from India are rejected by the rogue AV establishment as unsuitable for exploitation.
However, there are indications that the trends might be changing, even if only slightly. There is an anecdote of a user in India who was searching for “Mehndi” (Henna) in Google, and got pop-ups about her computer being infected. Fortunately this user was using the latest version of K7’s flagship security product, which blocked the rogue AV even before the bad application was allowed to touch the computer. It is, however, a warning that, as Indian incomes grow and internet access becomes more widespread, surfers in India might become more susceptible to rogue AV attacks. It is important for users to be more vigilant, whilst also ensuring good security practices such as up-to-date Anti-Virus software, a well-configured firewall, and a fully-patched operating system.
Samir Mody
Senior Manager K7TCL