Deceptonomics: A Glance at The Misleading Application Business Model
Since the early days of e-commerce, businesses have recognized the potential for the Internet to streamline how they interact with their customers. Oftentimes this meant diminishing or eliminating the role of the businesses that were sitting in the middle, brokering the brick and mortar transaction. Going straight to the customer with a snazzy online store or auction Web site cut these middle players (and their costs) out of the mix. This allowed the business to take back profit margin, offer lower costs, and increase transaction volume.
The benefits of getting closer to the customer haven’t been lost on those who peddle misleading applications. Misleading applications are programs that intentionally misrepresent the security status of a computer by working to convince the user that he or she must remove risks (usually nonexistent or fake) from the computer. The application will hold the user hostage by refusing to allow him or her to remove or fix the phantom problems until the “required” software is purchased and installed. Some people call these programs “rogue anti-spyware” and others simply refer to them as a category of spyware themselves. You’ll find plenty of examples of misleading applications on Symantec’s Security Risks (Other) page, and many of them will be near the top with names that sound like legitimate security or system tools.
Now, the problem of unwanted software is hardly new. If you throw cookies out of the equation, the bulk of the activity around potentially unwanted technologies such as spyware and adware kicked off in earnest around 2000. Part of the problem was not the software itself, but the dizzying array of relationships involved in selling advertisements to appear in adware. There was an equally confusing number of organizations, individuals, and outright criminals involved in the distribution of adware and spyware programs. A high-level view of the “adware food chain” looks something like the diagram in Figure 1.
Figure 1. The adware food chain.
There have been plenty of articles and discussions on how the model works (and doesn’t work) so I won’t cover that here. Nonetheless, even in this simplified diagram you can see that there are a large number of parties involved in getting to the customer and ultimately turning a buck. There is a lot of room for pointing at someone else in the process and blaming them when something bad happens, but this model also provides plenty of targets for law enforcement and angry customers who still know who to contact when unwanted ads pop up on their computer (the advertiser!).
Let’s turn our attention back to misleading applications, and we’ll assume that you’re looking to make your money by peddling or distributing some type of dubious software. Let’s also assume that you’d prefer to not have to deal with all the hassles of negotiating with advertisers and other players in the online marketing game. These two factors are a part of the siren call to the world of misleading software; you can leverage the same distribution techniques as adware and spyware without having to please advertisers, ad networks, ad brokers or anyone else that is part of the food chain. Check out the simple diagram in Figure 2:
Figure 2. The misleading application distribution network.
In this model, there is a much more direct flow of money back to the purveyors of the misleading application. Cash is made from direct payments from “customers” looking to buy the program to fix exaggerated or nonexistent computer problems, as opposed to the misleading application company having to sell impressions to the advertising community. You’ll note that the distribution network can still be as complex or as simple as that of adware and spyware in order to increase the number of installations and muddle the trail for law enforcement. One trend we have noticed with misleading applications is the tendency to use Trojan horse programs to install the program onto a victim’s computer. An example of this type of malware is Trojan.Spaxe.
The adware and spyware industry has gone through a large number of changes over the last 18 months (many of which were improvements) and we’ve seen the volume of adware programs submitted to Symantec reduced considerably. In contrast, the number of misleading applications and associated malware we’re seeing has been on the rise, presumably due to the attractiveness of the business model. Keep a sharp lookout for these deceptive programs. They’re not likely to ship confidential data across the globe to a phisher, but they may convince someone to turn over hard-earned cash directly to an Internet huckster.