As Jakub mentioned, I’ll soon be presenting at the Virus Bulletin conference in Geneva. I’ve spent a lot of time looking at rogue security software in the last year, so I’m looking forward to sharing some of my findings.
The subject of rogues (or “scareware”) is a timely one. You may have heard reports in the past few days of a couple of malware attacks which involved rogues. One of these was an attack where visitors to the New York Times web site were seeing pop-ups telling them that their computer was infected, then being redirected to a fake online malware scanner. There have also been several reports of “hackers” exploiting the news of Patrick Swayze’s death in order to direct people to (you guessed it) a fake online scanner.
Not only were both of these attacks distributing rogues, they were both pushing the same rogue. We call it Win32/FakeXPA.
Win32/FakeXPA has been using these distribution methods for a while now. The New York Times attack was accomplished through a malicious advertisement; such advertisements have been used to distribute rogues via legitimate web sites since at least early 2007. The second attack was not an attempt to exploit the death of Patrick Swayze specifically, but rather part of an ongoing campaign that Win32/FakeXPA’s distributors have been running to poison search engine results and lure people to their malicious sites. Most popular search terms are exploited in this way, both by rogues like Win32/FakeXPA and by other types of malware.
These are the same techniques that have made Win32/FakeXPA the most prevalent rogue for some time. Despite the press, we are not seeing increased activity from Win32/FakeXPA through our telemetry or from our customers.
I’ll be talking about both of these distribution techniques (and a lot more about rogues) in Geneva. I hope to see you there!
– Hamish O’Dea