Archive for Malware

Ex-CEO Sells Fake Anti-Virus Software

Posted in Staying safe on March 6, 2008 by chopperarris

A 41-year-old woman has been charged with distributing bogus anti-virus software to over a million Internet users.

Lee Shin-ja, a former CEO of Media Port, is said to have earned over 9.2 billion won (approximately £4.5 million) since 2005 with a free anti-spyware program that displayed fake security warnings and directed Internet users to purchase Media Port’s Doctor Virus clean-up solution costing 3850 won (£2) a month.

Seoul Central District Prosecutors Office claims that 41-year-old Lee hired two computer programmers to assist in the scheme. Both have been charged in connection with the case, and are said to have deliberately coded the software to display false security alerts on files which were not infected with spyware or other malware.

More and more people are becoming concerned about the security of their personal computer - and it’s all too easy for the unscrupulous to try to fool users into believing a bogus warning. In this case 3.96 million Internet users are reported to have tried the free software, with 1.26 million people going on to purchase the ‘cure’. With those kinds of figures it’s no surprise that the authorities are looking seriously into whether a large number of people have been defrauded by scareware.

Experts in white coats note that there are hundreds of different security programs wanting a piece of the South Korean market, many of which are not well-known in the rest of the world. Unlike much of the rest of the world, it’s not uncommon for South Korean computer users to run multiple anti-virus programs at the same time - probably because many of their homegrown solutions are crap and don’t come with an on-access scanner.

This environment increases the likelihood that people will download and ‘test the water’ with a product they stumbled across on the internet. Unfortunately it seems there are cybercriminals desperate to increase market share who are prepared to scare users into making an ill-informed security purchase. An unnamed spokesperson for Doctor Virus claims that their software is no longer displaying bogus security warnings.

AutoRun Infection Growing

Posted in Staying safe on March 4, 2008 by chopperarris

ESET announced today that for the third consecutive month INF/Autorun, a generic detection for malware that uses the Windows Autorun facility to infect machines, was the number one detected threat in February.

The AutoRun facility allows programs on removable media such as CDs, DVDs and USB memory sticks to run automatically when the media is present. Although very convenient for installing legitimate programs, it is now so frequently used as an infection vector that many security experts, including ESET, recommend disabling the functionality.

Trojans that use Autorun to infect computers have been one of the more common threats in the last few months. In fact, this is one of the tricks the infamous Mocmex ‘digital photo frame’ malware uses. Turning off the Autorun feature reduces the risk of infection, but as with any portable storage media, we should all ensure that USB devices are scanned when they’re opened to make sure nothing malicious is lurking there.
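As an added example (not from the original post or from ESET), here is a small Python audit of an autorun.inf file found on removable media, listing the entries that would launch a program. The sample file contents and file names are constructed; open, shellexecute and shell\verb\command are the standard autorun.inf launch keys.

```python
import re

# Standard [autorun] keys that start a program when the media is opened.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")
EXECUTABLE = re.compile(r"\.(exe|com|scr|pif|bat|cmd|vbs|js)\b", re.I)

def parse_autorun(text):
    """Return the [autorun] section as {key: value}, skipping junk lines."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            # Section names are case-insensitive.
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def launch_entries(text):
    """List (key, command) pairs that would run a program from the media."""
    return [(k, v) for k, v in parse_autorun(text).items()
            if k in LAUNCH_KEYS or SHELL_COMMAND.match(k)]

def audit(text):
    """Summarise the file: launch entries, and whether any names an executable."""
    hits = launch_entries(text)
    return {"launch_entries": hits,
            "runs_executable": any(EXECUTABLE.search(v) for _, v in hits)}

# Constructed samples (not taken from real malware).
SAMPLE_SUSPICIOUS = r"""
;filler comment line
[AutoRun]
OPEN=media\example.exe
junk line with no key
shell\open\Command=media\example.exe
shell\explore\command = media\example.exe
icon=%SystemRoot%\system32\shell32.dll,4
"""
SAMPLE_BENIGN = r"""
[autorun]
icon=logo.ico
label=Holiday photos
"""

if __name__ == "__main__":
    for name, sample in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, audit(sample))
```

A file with only icon and label entries produces no launch entries; any open, shellexecute or shell command entry is worth a closer look before the media is trusted.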

Another highlight of ESET’s monthly report is the adware family Win32/Adware.Virtumonde (Vundo), which is frequently amongst the top five threats in ESET’s ThreatSense.Net data. Bot herders are paid to install it on compromised machines, where it then directs the compromised machine to sites used as proxies for advertisements at addresses stored locally in the System32 folder. Virtumonde is not self-replicating, but is widely disseminated and can be very difficult and time-consuming to remove if it does manage to get itself installed.

Top 10 Threats for February 2008:

1. INF/Autorun (9.43%)

2. Win32/Adware.SearchAid (8.05%)

3. WIN32/Toolbar.MyWebSearch (3.11%)

4. Win32/Adware.Virtumonde (2.09%)

5. Win32/Adware.Virtumonde.FP (1.69%)

6. Win32/Pacex.Gen (1.65%)

7. Win32/Agent (1.53%)

8. WIN32/Obfuscated.A1 (1.33%)

9. Win32/IRCBot.AAH (1.17%)

10. Win32/PSW.OnLineGames.NLI (1.15%)

Cyber-Crooks Develop Malware Testing Tools

Posted in Staying safe on February 29, 2008 by chopperarris

Cyber-crooks are looking for ways to test their creations before distributing them. An investigation conducted by Panda Security has shown that cyber-crooks are collaborating on different forums and pages to develop test-tools that replicate the scans of some of the leading security solutions. This allows hackers to check their creations will be undetected before launching them.

The tool is very similar to Hispasec’s legitimate ‘Virus Total’ tool. The increasing interest in these new tools coincides with the removal of the ‘do not distribute the sample’ option in ‘Virus Total’ which allowed files to be scanned without sending the sample to security companies.

These tools represent another piece of the new malware dynamic, in which cyber-crooks no longer seek to cause widespread alerts and make the headlines, but to go unnoticed. They therefore want to check their creations are undetected by companies before launching them.

This recent increase in malware collaboration poses an active threat to security systems. Participating in such forums, exchanging knowledge and testing new malware ideas helps crooks develop more effective malware. It is important, therefore, to have up-to-date security measures in place for full protection.