News

Symantec: Rogue Security Software a Big Business

• By William Jackson
• 10/19/2009

Scaring computer users into buying and installing useless or potentially malicious security programs is becoming a big business, according to a study of rogue software being released today by Symantec Corp.

The yearlong study (PDF), conducted from July 2008 through June 2009, identified 43 million attempts to install 250 different phony programs claiming to protect computers against viruses and other malware, the bulk of it aimed at North America. The software is priced from $30 to $100 each; U.S. users appear to be the most coveted victims with distributors earning an average of 55 cents per installed program.

Most of the programs are downloaded and installed intentionally by users who have been tricked into believing their computers are infected. The software at best provides a false sense of security, according to Marc Fossi, research and development manager for Symantec Security Response.

"Rogue software for the most part doesn't offer you any protection at all," Fossi said. "You think you've purchased an anti-virus solution when in fact it's not doing anything for you."

At worst, the programs can expose victims to downloads of malicious code that can compromise a computer and prevent it from reaching legitimate security sites, and leave purchasers vulnerable to identity theft and fraud from credit card information used to purchase the phony programs.

"It's not just a $30 lesson any more," Fossi added.

Defining rogue software is easy. According to Symantec, it is a "misleading application (also known as scareware) that pretends to be legitimate security software, such as an antivirus scanner or registry cleaner, but which actually provides the user with little or no protection whatsoever and, in some cases, can actually facilitate the installation of malicious code that it purports to protect against."

But identifying it is not always easy. "It can be extremely difficult for the average user to determine who is legitimate or not," Fossi said.

The scams use product names, Web sites and marketing language that mimic legitimate products. Symantec advises users to buy anti-virus products only from reputable vendors, but there are no clear indicators for identifying legitimate companies. Only a handful of major vendors have international name recognition, and magazines and Web sites that review and evaluate the products typically only include the more prominent companies. This can leave many lesser-known but legitimate companies lumped with rogue vendors as unknown quantities.

"This stuff actually does hurt some of the smaller legitimate vendors," Fossi said.

The top five reported rogue security applications identified by Symantec the study were SpywareGuard 2008, Antivirus 2008, Antivirus 2009, Spyware Secure and XPAntivirus.

The sellers recruit distributors to market the programs, typically offering either a percentage for each program sold for a fee for software installed. Fees range from 1 cent to 55 cents per install, with the highest fees going to English-language countries. The United States is at the top with 55 cents per install, followed by the United Kingdom and Canada at 52 cents, and Australia at 50 cents. The study identified nearly 200,000 domains with rogue software, with 53 percent of the servers hosting them located in the United States.

According to the Web sites promoting the rogue software, distributors can earn up to $20,000 per week, with bonuses of up to 20 percent for high volumes of sales and are even offered points for valuable prizes such as electronics and even automobiles.

Of course, "that could have been made up to entice affiliates," Fossi said. There is no way to confirm that these amounts of money are ever earned or that any prizes have been awarded.

Also unknown is whether the affiliates and distributors are intentionally selling phony software, or whether they are innocent dupes.