Misleading Applications: faking left, running right
About a year ago we wrote about misleading applications and the business models behind them. Misleading applications, also commonly known as “rogue antispyware” applications, claim to detect and remove threats from your computer. What they actually do instead is report threats on clean computers and request payment for removal of these non-existent threats. Today, their numbers are on the rise, making up a larger portion of the security risks in the threat landscape. For example, we have discovered more than 40 new misleading applications since June 2007.
So how have they risen to such prominence? Misleading applications play upon a user’s concern that malicious threats may reside on his or her computer. “Your computer may be at risk!” is the overriding theme when a user encounters one of these risks. The irony is that the misleading application itself is far from benign.
So how are users coming into contact with misleading applications? The simple answer is through surfing the Internet. Suspicious banner ads often lead to these applications. (“If this banner is flashing, your computer may be at risk!”) On blogs, social networking sites, newsgroups – anywhere unregistered comments and posts can be left – links to misleading applications are not hard to find. Users who follow such unsolicited (and often off-topic) URLs can find themselves encountering misleading applications.
Figure 1: Comments on YouTube leading to misleading applications.
Figure 2: Off-topic newsgroup post with URLs pointing to misleading applications.
However, these sorts of installation vectors rely on a user actively clicking on a link for the installation to occur. Far more nefarious are misleading applications that yell for the user’s attention, grabbing them by their virtual collar, and shouting “install me, or you’re in trouble!”
In particular, misleading applications are often installed together with content from adult and pirated software Web sites. When visiting these sites, users are already frightened that they will become infected by malicious software (and this belief isn’t unfounded). So when a misleading application falsely states they are infected, moments after visiting one of these sites, they are more likely to believe it and pay money to have these fake threats removed.
The following video demonstrates two such activities that result in the appearance of in-your-face misleading applications – searching for software cracks and browsing adult content:
These aggressive installation vectors seem to be very effective in increasing the installation base of many misleading applications. By offering users shelter from risky activity, albeit false security, misleading applications have suddenly appeared in the spotlight.
To learn more about misleading applications, visit Symantec’s new microsite, dedicated to these tricky, deceptive risks. The site discusses what misleading applications are, why they pose a threat, and what you can do to protect yourself against them.