Wednesday, April 14, 2010

The Rise of Fake Anti-Virus

For years, we have detected malicious content on the web and helped protect users from it. Vulnerabilities in web browsers and popular plugins have resulted in an increased number of users whose systems can be compromised by attacks known as drive-by downloads. Such attacks do not require any user interaction, and they allow the adversary to execute code on a user’s computer without their knowledge. However, even without any vulnerabilities present, clever social engineering attacks can cause an unsuspecting user to unwittingly install malicious code supplied by an attacker on their computer.

One increasingly prevalent threat is the spread of Fake Anti-Virus (Fake AV) products. This malicious software takes advantage of users’ fear that their computer is vulnerable, as well as their desire to take the proper corrective action. Visiting a malicious or compromised web site — or sometimes even viewing a malicious ad — can produce a screen looking something like the following:

At Google, we have been working to help protect users against Fake AV threats on the web since we first discovered them in March 2007. In addition to protections like adding warnings to browsers and search results, we’re also actively engaged in malware research. We conducted an in-depth analysis of the prevalence of Fake AV over the course of the last 13 months, and the research paper containing our findings, “The Nocebo Effect on the Web: An Analysis of Fake AV distribution” is going to be presented at the Workshop on Large-Scale Exploits and Emergent Threats (LEET) in San Jose, CA on April 27th. While we do not want to spoil any surprises, here are a few previews. Our analysis of 240 million web pages over the 13 months of our study uncovered over 11,000 domains involved in Fake AV distribution — or, roughly 15% of the malware domains we detected on the web during that period.

Also, over the last year, the lifespan of domains distributing Fake AV attacks has decreased significantly:

In the meantime, we recommend only running antivirus and antispyware products from trusted companies. Be sure to use the latest versions of this software, and if the scan detects any suspicious programs or applications, remove them immediately.