Rogue security software programs, also known as misleading applications or scareware, are programs that pretend to be legitimate security software, such as an antivirus scanner or registry cleaner, but which actually provide the user with little or no protection whatsoever. Well-known examples of rogue security software include AntiVirus 2009, Malware Defender 2009, and System Guard 2009.
The recently published Symantec Report on Rogue Security Software includes a discussion on a number of servers that Symantec observed hosting these misleading applications from July to August 2009. The United States was the location for a majority of the servers hosting rogue security software, accounting for 53 percent of the total (figure 1). This result isn't surprising since the United States has a well-established broadband structure that can support these scams, and most of the rogue security software scams observed by Symantec are marketed in English.
When the distribution of the servers hosting rogue security software and their corresponding DNS servers was analyzed, there appeared to be a high degree of correlation between the two (figure 2). As such, this may indicate that distributors of rogue security software were not using botnets as part of their hosting infrastructure (although some exceptions, such as the rogue security software associated with the Downadup worm, may exist). Instead, they were likely using commercial Web server hosting providers. Since botnets can be operated through a variety of non-commercial environments, such as home computers, the use of botnets as rogue security software servers would likely have resulted in a more even distribution of server IP addresses across the entire address space versus the concentration that was observed, shown as peaks in figure 2.
Another interesting characteristic that Symantec observed in the rogue security software servers was that while most rogue security software domain names were linked to a single Web server, some of these networks spanned multiple Web servers. Also, some domains were observed being hosted on more than one server. As such, techniques such as IP blocking or the blacklisting of servers that distribute rogue security software cannot be solely relied upon as a protection mechanism.
In addition, Symantec applied an analysis method developed as part of the WOMBAT project* to automatically cluster all domain names exhibiting a number of common characteristics (e.g., in the way they had been created and configured). The Symantec Report on Rogue Security Software analyzes two such rogue security software networks in detail and describes their shared characteristics. These similarities strongly suggest that the tasks of registering, creating, and hosting these rogue security software domains were automated and that the same entity may be responsible for both networks. In addition, both networks were split between two different ISPs, suggesting an attempt to provide some level of redundancy in case one of the clusters was taken offline by the ISP.
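The following is an added illustration, not Symantec's or WOMBAT's code, of the two preceding paragraphs: it links domains that share registration or hosting attributes and then checks how much of a cluster a single-IP block fully covers. It uses plain connected-component linkage as a simplified stand-in for the WOMBAT clustering method, and all records, field names and function names are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records (not from the Symantec report); documentation-range IPs.
RECORDS = [
    {"domain": "scan-a.example", "registrant": "u1@webmail.example", "ns": "ns.host-a.example", "ips": {"192.0.2.10"}},
    {"domain": "scan-b.example", "registrant": "u1@webmail.example", "ns": "ns.host-a.example", "ips": {"192.0.2.10", "198.51.100.20"}},
    {"domain": "scan-c.example", "registrant": "u2@webmail.example", "ns": "ns.host-a.example", "ips": {"198.51.100.20"}},
    {"domain": "scan-d.example", "registrant": "u2@webmail.example", "ns": "ns.host-b.example", "ips": {"198.51.100.21"}},
    {"domain": "other.example", "registrant": "u3@webmail.example", "ns": "ns.host-c.example", "ips": {"203.0.113.5"}},
]

def cluster_domains(records, keys=("registrant", "ns", "ips")):
    """Group domains that share any attribute value, directly or transitively."""
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x):
        # Union-find lookup with path halving.
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    first_seen = {}  # (attribute, value) -> first domain observed with it
    for r in records:
        for key in keys:
            values = r[key] if isinstance(r[key], set) else {r[key]}
            for value in values:
                owner = first_seen.setdefault((key, value), r["domain"])
                parent[find(r["domain"])] = find(owner)

    groups = defaultdict(set)
    for domain in parent:
        groups[find(domain)].add(domain)
    # Largest cluster first, members sorted for stable output.
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))

def ip_block_coverage(records, cluster, blocked_ips):
    """Return the cluster's domains whose every hosting IP is in blocked_ips."""
    by_domain = {r["domain"]: r for r in records}
    return sorted(d for d in cluster if by_domain[d]["ips"] <= set(blocked_ips))

if __name__ == "__main__":
    clusters = cluster_domains(RECORDS)
    print("clusters:", clusters)
    print("covered by blocking 192.0.2.10:",
          ip_block_coverage(RECORDS, clusters[0], {"192.0.2.10"}))
```

In this constructed data, blocking one server fully covers only one of the four linked domains, because one domain is hosted on two servers and the rest of the network sits on other addresses.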
A commonly observed characteristic of rogue security software operations was the prevalent use of popular Web-based email accounts to register rogue security software domains. These registrants likely use these email services because they are easily anonymized. Also, some domain registration services either protect registrant privacy or do not verify identities and email addresses, making them popular among these scam distributors.
For more information about misleading applications, please download the Symantec Report on Rogue Security Software.
* This blog is based on data provided by the Symantec Research Labs team, which was collected using research methods developed as part of WOMBAT (the Worldwide Observatory of Malicious Behaviors and Attack Threats, a three-year European Commission-funded project composed of Symantec and eight other academic and industrial external partners working to provide new means to understand the existing and emerging threats that are targeting the Internet economy and its users. See http://www.wombat-project.eu/).