
Massive Profits Fueling Rogue Antivirus Market

In the cyber underworld, more and more individuals are generating six-figure paychecks each month by tricking unknowing computer users into installing rogue anti-virus and security products, new data suggests.

One service that exemplifies a very easy way these bad guys can make this kind of money is TrafficConverter.biz, one of the leading "affiliate programs" that pays people to distribute relatively worthless security software. Affiliates are given a range of links and JavaScript snippets they can use to embed the software in hacked and malicious Web sites, or in tainted banner advertisements online.

[Screenshot: AV360googlejack.jpg]

Unsuspecting users who view one of these hacked sites or ads see a series of misleading warnings saying their computers are infected with malware, and offering a free scan. Those who agree are prompted to download a program that conducts a bogus scan and warns of non-existent threats on the user's system. The software also blocks the user from visiting legitimate security Web sites. The user is then pestered with increasingly deceptive and incessant prompts to purchase the software (see the screen shots above and below for some of the more subtle examples).

The user's system remains in this state until he or she figures out how to remove the software or relents and pays for a license. At that point, the affiliate responsible for generating that installation is paid by TrafficConverter.biz about $30. The software is sold for between $50 and $75 per license.

Whether the distribution of this software violates the law may depend on how it is distributed. The Federal Trade Commission has taken civil actions against purveyors of this rogue anti-virus software for unfair and deceptive trade practices. If, however, affiliates are distributing this software via Web sites or PCs that they have hacked, that would be illegal by almost any standards.

[Screenshot: AV360fakereboot.jpg]

TrafficConverter.biz was dismantled on Nov. 29, 2008, most likely because the same domain was referenced deep inside the guts of the Conficker worm, a family of malware that is estimated to have infected at least 10 million Microsoft Windows systems.

Prior to the site's demise, security researchers managed to snag a copy of the database for the TrafficConverter affiliate program. While that data set is incomplete, the information available on the top-earning affiliates helps explain why so many consumers are reporting infections from rogue anti-virus products: Successful affiliates are making money hand over fist with these programs.

The graphics below show the Top 10 earners in the TrafficConverter program, broken out by earnings over two-week periods from mid-June to mid-August 2008. Some of the biggest earners made more than $330,000 a month in commissions.

June 16, 2008 - June 30, 2008

[Image: TCaff1.jpg]

July 1, 2008 - July 15, 2008

[Image: TCaff2.jpg]

July 16, 2008 - July 31, 2008

[Image: TCaff3.jpg]

Aug. 1, 2008 - Aug. 15, 2008

[Image: TCaff4.jpg]

Joe Stewart, senior malware researcher for SecureWorks, published research late last year showing similarly large profits made by affiliates of Baka Software, another rogue anti-virus distribution program.

Stewart said his analysis of the TrafficConverter affiliate earnings suggests that some of the highest-grossing affiliates declined to have their names and incomes listed on the top stats pages.

"Some of these people also choose to not be on the 'top earners' list. I'm guessing they are earning way too much so it would be discouraging to the lower-level affiliates," Stewart said. "They might also be doing money laundering of stolen credit cards instead of relying on victim software installs, which we suspected was going on in the Baka program as well."

TrafficConverter.biz was also sought by Microsoft Windows systems infected with the first variant of the Conficker worm. Conficker-infected systems were instructed to visit that domain and download a specific file whose name suggested it would attempt to install rogue anti-virus software.

[Screenshot: TCcontest.jpg]

By the time Conficker first surfaced, TrafficConverter was nearing the end of a contest in which the top-selling affiliates competed for prizes, such as computers, fancy cell phones and other electronics. The grand prize? A Lexus IS250, a sports sedan that starts at $36,000.

At first glance, it is tempting to assume that the Conficker worm authors were in league with the operators of TrafficConverter.biz, and thus trying to drive traffic to the site -- perhaps in an attempt to push the contest in favor of one or more affiliates. On the other hand, this may have been an attempt by the Conficker authors or a competing affiliate program to hinder and ultimately shutter TrafficConverter.biz, either by causing law enforcement and the security community to focus their attention on it, or by flooding the site with traffic from hundreds of thousands of Conficker-infected systems.

And flood the site it did. According to Stewart's review of the traffic log files for TrafficConverter.biz, during a 12-hour period on Nov. 24, the site was bombarded by more than 83 million hits from at least 179,000 unique Internet addresses.

The traffic from Conficker.A infected systems to TrafficConverter.biz might have translated into monster installs for affiliates of the site. Ironically, all of that traffic from Conficker-infected systems appears to have gone to a non-existent page on TrafficConverter.biz, Stewart said. In short, the site missed a pretty huge opportunity to convert a whole lot of traffic.

Still, had the curators of TrafficConverter.biz actually placed a file at that link for download, the resulting traffic from 179,000 systems trying to download that file at the same time probably would have crashed the site entirely, Stewart said.
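An added example, not code from the article or from Stewart's analysis: a small Python summarizer for Apache/NCSA combined-format access logs that produces the figures the paragraphs above describe (total hits, unique client addresses, peak per-second rate) and flags paths that were never served, meaning every request to them returned HTTP 404, which is how a defender would recognize a flood aimed at a non-existent page. The log lines and the path /pull/sample-file.exe are constructed sample data; the article does not name the file Conficker requested.

```python
# Added example: summarize a traffic flood from web-server access logs.
# Log lines below are constructed; the requested path is a placeholder.
import re
from collections import Counter
from datetime import datetime

# Apache "combined" format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: three bots hammer a path that does not exist (404),
# one ordinary visitor loads the front page (200), one line is garbage.
SAMPLE_LOG = """\
192.0.2.10 - - [24/Nov/2008:03:00:00 +0000] "GET /pull/sample-file.exe HTTP/1.1" 404 209 "-" "Mozilla/4.0"
192.0.2.11 - - [24/Nov/2008:03:00:00 +0000] "GET /pull/sample-file.exe HTTP/1.1" 404 209 "-" "Mozilla/4.0"
198.51.100.7 - - [24/Nov/2008:03:00:00 +0000] "GET /pull/sample-file.exe HTTP/1.1" 404 209 "-" "Mozilla/4.0"
192.0.2.10 - - [24/Nov/2008:03:00:01 +0000] "GET /pull/sample-file.exe HTTP/1.1" 404 209 "-" "Mozilla/4.0"
203.0.113.5 - - [24/Nov/2008:03:00:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
this line is not a valid log record and is skipped
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def summarize(lines):
    """Return hit count, unique IPs, busiest second, 404 share and never-served paths."""
    total = 0
    ips = set()
    per_second = Counter()
    per_path = Counter()
    not_found = Counter()
    first = last = None
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # tolerate malformed lines instead of aborting the whole run
        total += 1
        ips.add(rec["ip"])
        per_second[rec["ts"]] += 1
        per_path[rec["path"]] += 1
        if rec["status"] == 404:
            not_found[rec["path"]] += 1
        first = rec["ts"] if first is None else min(first, rec["ts"])
        last = rec["ts"] if last is None else max(last, rec["ts"])
    peak_sec, peak_hits = per_second.most_common(1)[0] if per_second else (None, 0)
    # A path whose every request returned 404 never existed on the server:
    # all that traffic produced no downloads and no installs.
    never_served = {p: n for p, n in not_found.items() if n == per_path[p]}
    return {
        "hits": total,
        "unique_ips": len(ips),
        "span_seconds": (last - first).total_seconds() if first else 0.0,
        "peak_second": peak_sec,
        "peak_hits": peak_hits,
        "not_found_share": sum(not_found.values()) / total if total else 0.0,
        "paths_never_served": never_served,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```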

TrafficConverter.biz was forced offline at the end of November, but it was resurrected just a few days later at TrafficConverter2.biz. The site to this day boasts at least 500 active affiliates, all pushing a new rogue product called Antivirus360. What's more, a new contest -- for luxury goods, including a Mercedes S-Class -- is already underway.

One final observation: As we noted last month, Microsoft has issued a $250,000 reward for information leading to the arrest and conviction of the individual(s) responsible for unleashing the Conficker worm. I wonder, though, if that amount is at all enticing to any of these affiliates if they know who was responsible, since apparently that kind of money can already be earned in a little more than a month's time.

By Brian Krebs  |  March 16, 2009; 11:20 AM ET
Categories:  Fraud , From the Bunker , Web Fraud 2.0  | Tags: conficker, joe stewart, rogue antivirus, trafficconverter.biz  

Comments

You don't have to pay a dime for excellent anti-virus software.

Go to download.com

Do a search for Avast.

Download their free version.

It's easy to use and does not suck up all the computer's memory.

Posted by: kevinschmidt | March 16, 2009 1:00 PM | Report abuse

You don't have to spend a dime on anti-virus software.

Go to download.com

Do a search for 'Avast'.

Install their free version.

It works great.

Posted by: kevinschmidt | March 16, 2009 1:04 PM | Report abuse

Buying and/or installing software into your PC is like letting someone into your home, or date your little naive sister. Know who/what you're dealing with and understand the risks. Learn your cyber-smarts or get your a$$ kicked.

Posted by: eiverson1 | March 16, 2009 6:00 PM | Report abuse

These malware distributors are just as bad as the mortgage brokers who gave out high-value, high-interest loans to those who could least afford them. And the people who get tricked into loading the software and paying the blackmail fee are almost as bad as those who signed on the mortgage contract's dotted line.

This is a timeless theme. Greater user / consumer literacy coupled with better and enhanced law enforcement should help to turn the tide against the malware distributors.

That is not to say that people won't try to make some serious coin at this scam. But if their customer base is limited, the allure of six-figure per month wages will hopefully go away.

Posted by: CB12 | March 17, 2009 9:08 AM | Report abuse

When it is connected to the Internet then it is not safe. From a badly written Operating System to a hawkish hacker standing out there to hijack a vulnerable system, the users are at the mercy of the unknown.

Since the regulators themselves respond only when crime has been committed, there must be a think-tank where predictions can be made ahead of crime.

The software industry is a hide and seek industry, likened to the game of cat and rat. They know the public knows little and they capitalize on this flaw. Yet, where one expects to see regulations none is available. No standard of operation, in order not to curtail innovation, but there must be a watchdog to monitor development in this industry; a lot is going on behind the scene.

Posted by: Deleola | March 17, 2009 9:10 AM | Report abuse

Friends and I have often wondered whether even the "legitimate" anti-virus vendors might be connected in some way with virus generators.

Posted by: morris2 | March 17, 2009 9:18 AM | Report abuse

One of these anti-virus offers took over my son's computer. It wouldn't allow any programs or applications to boot up until we purchased the software. We couldn't get it off. We had to junk the computer. These people should be tracked down and thrown in jail.

Posted by: sannhet | March 17, 2009 11:38 AM | Report abuse

My wife's system was just hit by Sysguard, installed by a bogus program hidden on a Website that said it was updating Adobe software.
Incredibly annoying, kept popping up every minute with sysmodal windows warning of infections.
Had to use regedit to clean it off the system.

Posted by: rickhan | March 17, 2009 11:43 AM | Report abuse

Good article. I've always cast a wary eye on these programs.

I especially love the aptly-named Baka Software company. "Baka" in Japanese means "fool", "idiot", "moron", or "stupid" (as in what you will say about yourself when you download their useless anti-virus program).

http://en.wiktionary.org/wiki/Transwiki:Baka_(Japanese_insult)

Posted by: SoquelbytheCreek | March 17, 2009 11:52 AM | Report abuse

I got hooked by Antivirus 360 this past weekend. It was appended to a private mp3 upload and offered thru an email list of private links to downloading URLs for film and mp3s of books, records and movies. I was angry that the uploader hadn't warned me, but they didn't know it was onboard either. Here's the antidote to Antivirus 360 which I eventually found by googling on the subject: MalwareBytes AntiMalware. You can download it free off the net. It shuts antivirus 360 down instantly. Incidentally, I downloaded Avast for the sixth or seventh time and found it did not rid me of antivirus 360. Avast is so disturbing to one's puter that I eventually have to uninstall it. Keep the passwords to avast on file. They'll work again anytime you decide to download it again.

Posted by: miker3 | March 17, 2009 11:54 AM | Report abuse

A couple of quick searches and we find that TrafficConverter.biz has been identified as a problem site since 2007, linked to thousands of other malware sites. We know the domain registration company and we know the gmail account used to register it. How far back can this be traced?

Presumably someone in some governmental agency has been doing this...or does no one care? Brian, of course, can get these guys shut down with two phone calls; we saw this happen just a couple of months ago. When no one in authority will get off his butt, we have to depend on the Post.

Posted by: whatthe2 | March 17, 2009 11:59 AM | Report abuse

Why not launch a DOS attack on TrafficConverter.biz?

Posted by: Garak | March 17, 2009 12:14 PM | Report abuse

Friends and co-workers bring me their computer to de-gunk, and it's always the same thing: a pop-up they misidentified as coming from Windows told them they had a virus, and BAM, they get hit.

One lady who brought me her machine fell for one of the ads, and got a $90.00 charge for "Antivirus 2008" on her credit card. When she complained to her card issuer, they researched it and found that the charge went to a "company" in Russia.

A lot of people think they have virus protection on their computers, and don't realize that the Norton or McAfee product that came on their computer is a 45-60 day trial.

I use various free software (AVAST, Malwarebytes, etc.) to get rid of these jokers. I don't pay for anti-virus, anti-malware, and I put on a free firewall product as well. The free products do a good job of protecting, but it comes down to people's comfort level.

Really, in my experience, the user is the weakest link. You need to be aware of what programs you're running, and keep them and Windows updated. Read before you click on anything, and do not allow programs to automatically open after downloading.

As for a legal remedy, that's going to take a lot of cooperation between countries and their financial institutions. Don't expect that to happen anytime soon.

Posted by: stn_cald | March 17, 2009 12:18 PM | Report abuse

Hi, I seem to have had a similar experience when an anti-virus offer named "Anti-Virus Number One" nearly took over my son's computer. I didn't subscribe to a renewal although my Micro Trend software (hope I got that name right) protection expired recently. I clicked into a window warning me of 36 viruses, malware, adware and spyware and urging me to buy software protection - 6 mos for $29.95 or 1 year for $89.95 and Lifetime protection for the same price - $89.95 dollars. I didn't take a bite because I never inquired about this certain anti-virus software before. What's more, the offer did not have a company's website address. Later the computer was doing okay but I will check again...thanks to the folks about the free download "Avast." Please let me know if you've seen "Anti-Virus Number One" before? From this article, I am smelling a rat about those ripoffs. Thanks!

Posted by: ASL-Man | March 17, 2009 1:28 PM | Report abuse

@ASL-Man: There are dozens of different names for these programs, but they're all pretty much the same in how they function (or don't), how they are spread, and the way they take the user's system hostage.

Posted by: BTKrebs | March 17, 2009 1:32 PM | Report abuse

I do not know about other internet providers but in Phoenix, AZ Cox cable offers the McAfee Internet Suite free to all its subscribers. I have yet to encounter a downloaded virus problem.

Posted by: pogg15robert | March 17, 2009 2:33 PM | Report abuse

When you buy a new computer you will receive instructions on how to restore it to "Factory State", either by using a CD/DVD or by pressing a Function key during startup.

If you suspect your computer has been compromised by a virus/worm/trojan you need to restore it to "Factory State" to be sure it is clean.

This will be easy to do if you follow 2 basic rules:

1. Regularly back up or save all of your documents, pictures, music, etc. to an external USB drive. I use one I bought for $80 that has built-in RAID 1 (mirroring) capability and installed 2 500GB drives ($70 each) in it. So if 1 drive dies there will always be the other one with a mirror image of the data.

2. Save all the CDs/DVDs and serial numbers/license keys of your software. You can save the physical media, but I save all of that in my external drive to make it easier.

If you want to go even further, once a year swap out one of those mirrored drives and keep it in a safe deposit box. All the data on the remaining drive automatically gets copied to the replacement drive. After a year has passed do it again -- swap one of the mirrored drives with the one in the safe deposit box.

This is all you need to do. It is not too difficult to safeguard your digital life.

Posted by: red_gti2000 | March 17, 2009 3:49 PM | Report abuse

Even with the strongest laws, some people will still participate and encourage this type of activity in the name of sheer greed. Really unfortunate. I agree with the previous comment, if you use common sense and are smart about your approach to security, it's not too difficult to safeguard your digital life.

Posted by: Frostbe | March 17, 2009 4:25 PM | Report abuse

I've been a critic of affiliate marketing of software (specifically security-related software) for a while, now.

I understand that there are legitimate affiliate programs, and many legit products used affiliate programs.

But, in my experience, any time you reward people, and organizations you don't know, and don't control, on a per-install basis, it is naive to believe they will only use honest tactics to distribute your product.

Now, of course, this article is specifically about the distribution of rogue products, using that same distribution model. Truth is, the legit side makes detection and enforcement against the crooks harder, IMO.

As I see it, affiliate marketing is a bad system, no matter who uses it.

Posted by: BrianAKATheDean | March 17, 2009 4:39 PM | Report abuse

Somehow picked up a rogue 'system security' virus. Constant 'warnings' and 'requests to register via credit card'. Ran my Spyware Doctor (PC Tools) scan which immediately identified the virus but failed to remove same. Still waiting for an answer from them after 4 days. Finally did the smart and easy thing by using the restore feature of my Windows XP. Restored to a safe earlier date and eliminated the virus.

Posted by: geosinner101 | March 17, 2009 5:14 PM | Report abuse

About 8 months ago I had a friend call me in a panic saying she "did something" to her computer and it would not work. She read back a message about "Virus detected" etc.

I ended up spending four hours on her computer to get rid of the then-named Antivirus 2008. The attack had taken over her Windows OS, including the registry. I could not surf with her computer to check for fixes as it would redirect me to the malicious site to purchase the fix.

This was before the days that Malwarebytes was a well known fix (turned out it was the ONLY product that fixed her computer.)

I downloaded Malwarebytes on my notebook and transferred the program on to her computer. Performed a scan (that takes about 15 minutes, so be patient) and it found the problems and fixed her computer.

The cool thing about Malwarebytes is that it's free to use. They have a pay feature, but that is only if you want it to protect you as you are using your computer.

My conclusion: Probably 90% of Americans are NOT computer literate. With convincing looking messages and alerts it's very easy to con these people into downloading viruses and Trojans.

I don't know what the solution is. The security companies (ESET, Norton, Trend) can't do too good a job at eliminating threats otherwise they are out of business. Computer user education won't work since people have other things to do. Understanding computers is not on most people's list.

Guess this is a roundabout way of saying nothing will ever change. Criminals, con artists, the gullible, and the security guards will all be in plentiful supply.

Posted by: businesslitigationgroup | March 17, 2009 6:54 PM | Report abuse

switch to ubuntu (or any other unix-based OS), and be free of the anti-virus racket and its biggest component: microsoft's toyware. you can try ubuntu out without making any changes to your current setup. get it at ubuntu.com .

Posted by: kloro2006 | March 17, 2009 7:49 PM | Report abuse

If you ever accidentally download mal-ware - or fake anti-virus software and you have Windows XP or Vista - Use System Restore.

1. Click on your "start" button.
2. Go to "All Programs."
3. Go to "Accessories."
4. Then to "System Tools."
5. Then to "System Restore."
6. A new screen is presented to you and just select "Restore my computer to an earlier time."
7. A calendar should appear with dates; select a date that has a bold number with your mouse. Make sure the date is before you made the mistake on your computer. Click "next" and close all open programs to ensure a safe restore. Then keep clicking "Next," and the computer will then gather some information and restart your computer to the restore point.
8. When your computer is restarted, a similar window will be presented. It will tell you if the restore was successful and if any files were renamed in the process.

Just select a date that was before you downloaded the bad stuff - and poof - it's gone and you have a clean system.

I don't know why the author of this article did not mention to use System Restore. System Restore has saved my sanity several times.

Posted by: alance | March 17, 2009 8:36 PM | Report abuse

I think in the long run the entire concept of the world wide internet is doomed. The malware problem gets worse every year, the amount of spam keeps growing, and nobody has a plan to fix this. Being on the internet is turning into more of a hassle than anything else, and just unplugging the computer starts to sound like an attractive alternative..

Posted by: jackrussell252521 | March 17, 2009 9:26 PM | Report abuse

Whatever happened to critical thinking skills? I just cannot comprehend how so many can be so computer illiterate. Seriously, it’s not difficult to properly secure a computer and keep it that way. I know it’s harsh, but you reap what you sow. I also think this speaks more about a state of societal decline than just rampant computer illiteracy.

Posted by: xAdmin | March 17, 2009 10:24 PM | Report abuse

MalwareBytes AntiMalware rocks! It gets rid of everything and it's free! Don't believe me, do your own research on it and you'll be glad you found it. Saves a lot of headaches and the signature files are updated constantly so it's never outdated.

Posted by: vdhillon | March 17, 2009 10:33 PM | Report abuse

alance: System restore only rolls back your PC's configuration, it does not uninstall software. It would be great if that were the case, anti-virus software would then be completely unnecessary for any malware removal, but unfortunately it's not.

Posted by: mcarmean09 | March 18, 2009 9:07 AM | Report abuse

Hi

Posted by: c28783 | March 19, 2009 1:27 PM | Report abuse

Having quality, fully updated antivirus/antispyware protection is critical. Free programs are often great, but if they don't update themselves automatically, if they don't protect you from downloading new infections, and if they don't include protection for things that aren't technically "viruses," you have to take the initiative to make up the deficiencies yourself. You have to look carefully at the difference between the paid and free versions and make a decision. There is a good analysis of free software available at http://spywarehammer.com/simplemachinesforum/index.php?topic=2333.0

But the comments above about using common sense are absolutely right. When new malware appears, it takes time before antivirus programs start to recognize it. Once it is on your computer, it is not a simple thing to remove it, no matter how good your antivirus program is. Sometimes a badly infected computer simply isn't salvageable.

For an illustration: I posted some scan results on new malware at http://ksforum.inboxrevenge.com/viewtopic.php?p=33924#p33924 and at http://ksforum.inboxrevenge.com/viewtopic.php?p=32320#p32320 There are some very fine products being tested, and most of them missed those samples at first.

These types of scans are the norm, not the exception. Even the highest rated software may miss one infection in twenty, and there are a lot more than twenty samples of malware out there waiting for you. Don't assume something is safe if your AV has no complaints. Use your head, don't follow links or open attachments in spam (even if it claims to be from Facebook, Classmates.com or another trusted source), use some browser other than Internet Explorer (examples include Firefox and Opera), and have javascripts disabled by default in that alternate browser. Using an OS other than Windows is very helpful, though exploits targeting Macs and Linux users do exist.

Posted by: AlphaCentauri | March 20, 2009 1:48 PM | Report abuse

You DID it, Mr. Krebs: after unknown thousands of victims suffered financial losses (either from paying these scumbags to [not] fix their PC, or paying someone like me to remove this crapware), your article has apparently shamed Visa and MasterCard into shutting down TrafficConverter's merchant accounts.
Great work, Brian. I kill malware for a living, and I make time each day to read your blog. Journalism can be a public service: here's proof!

Posted by: williehorton | March 21, 2009 4:07 PM | Report abuse

I didn't think anyone would be stupid enough to actually pay for this kind of crap until some old man at work told his story of being "tricked" in this manner.

I mean, I've had malware in my day (not in several years though), and I always got rid of it by research and effort. This extortion racket in the guise of anti-virus is apparently wildly successful.

Preying upon stupidity has always been the best way to earn a buck. BTW, feel free to donate to my church while you're at it.

Posted by: bob1231 | March 21, 2009 8:14 PM | Report abuse

Just discovered this issue on a client computer. My fear is that the uninstallation procedure might be difficult or impossible. These companies need to be brought down and the executives need to be prosecuted.

Stu Kushner
http://www.progressiveoffice.com

Posted by: stukushner | March 22, 2009 5:04 PM | Report abuse

In Russia, the price for a Lexus IS250 starts at $51,700.

Posted by: sw0rdf1sh | March 26, 2009 4:53 AM | Report abuse

© 2010 The Washington Post Company