
Massive Profits Fueling Rogue Antivirus Market


KilJaden


In the cyber underworld, more and more individuals are generating six-figure paychecks each month by tricking unknowing computer users into installing rogue anti-virus and security products, new data suggests.

One service that exemplifies a very easy way these bad guys can make this kind of money is TrafficConverter.biz, one of the leading "affiliate programs" that pays people to distribute relatively worthless security software. Affiliates are given a range of links and javascript snippets they can use to embed the software in hacked and malicious Web sites, or tainted banner advertisements online.

[Screen shot: AV360googlejack.jpg]

Unsuspecting users who view one of these hacked sites or ads see a series of misleading warnings saying their computers are infected with malware, and offering a free scan. Those who agree are prompted to download a program that conducts a bogus scan and warns of non-existent threats on the user's system. The software also blocks the user from visiting legitimate security Web sites. The user is then pestered with increasingly deceptive and incessant prompts to purchase the software (see the screen shots above and below for some of the more subtle examples).

The user's system remains in this state until he or she figures out how to remove the software or relents and pays for a license. At that point, the affiliate responsible for generating that installation is paid by TrafficConverter.biz about $30. The software is sold for between $50 and $75 per license.

Whether the distribution of this software violates the law may depend on how it is distributed. The Federal Trade Commission has taken civil actions against purveyors of this rogue anti-virus software for unfair and deceptive trade practices. If, however, affiliates are distributing this software via Web sites or PCs that they have hacked, that would be illegal by almost any standards.

[Screen shot: AV360fakereboot.jpg]

TrafficConverter.biz was dismantled on Nov. 29, 2008, most likely because the same domain was referenced deep inside the guts of the Conficker worm, a family of malware that is estimated to have infected at least 10 million Microsoft Windows systems.

Prior to the site's demise, security researchers managed to snag a copy of the database for the TrafficConverter affiliate program. While that data set is incomplete, the information available on the top-earning affiliates helps explain why so many consumers are reporting infections from rogue anti-virus products: successful affiliates are making money hand over fist with these programs.

The graphics below show the Top 10 earners in the TrafficConverter program, broken out by earnings over two-week periods from mid-June to mid-August 2008. Some of the biggest earners made more than $330,000 a month in commissions.

June 16, 2008 - June 30, 2008

[Chart: Top 10 affiliate earnings, TCaff1-thumb-289x221.jpg]

July 1, 2008 - July 15, 2008

[Chart: Top 10 affiliate earnings, TCaff2-thumb-283x184.jpg]

July 16, 2008 - July 31, 2008

[Chart: Top 10 affiliate earnings, TCaff3-thumb-287x185.jpg]

Aug. 1, 2008 - Aug. 15, 2008

[Chart: Top 10 affiliate earnings, TCaff4-thumb-286x181.jpg]

Joe Stewart, senior malware researcher for SecureWorks, published research late last year showing similarly large profits made by affiliates of Baka Software, another rogue anti-virus distribution program.

Stewart said his analysis of the TrafficConverter affiliate earnings suggests that some of the highest-grossing affiliates declined to have their names and incomes listed on the top stats pages.

"Some of these people also choose to not be on the 'top earners' list. I'm guessing they are earning way too much so it would be discouraging to the lower-level affiliates," Stewart said. "They might also be doing money laundering of stolen credit cards instead of relying on victim software installs, which we suspected was going on in the Baka program as well."

TrafficConverter.biz was also sought by Microsoft Windows systems infected with the first variant of the Conficker worm. Conficker-infected systems were instructed to visit that domain and download a specific file name that suggested it would attempt to install rogue anti-virus software.

[Screen shot: TrafficConverter affiliate contest page, TCcontest-thumb-420x380.jpg]

By the time Conficker first surfaced, TrafficConverter was nearing the end of a contest in which the top-selling affiliates competed for prizes, such as computers, fancy cell phones and other electronics. The grand prize? A Lexus IS250, a sports sedan that starts at $36,000.

At first glance, it is tempting to assume that the Conficker worm authors were in league with the operators of TrafficConverter.biz, and thus trying to drive traffic to the site -- perhaps in an attempt to push the contest in favor of one or more affiliates. On the other hand, this may have been an attempt by the Conficker authors or a competing affiliate program to hinder and ultimately shutter TrafficConverter.biz, either by causing law enforcement and the security community to focus their attention on it, or by flooding the site with traffic from hundreds of thousands of Conficker-infected systems.

And flood the site it did. According to Stewart's review of the traffic log files for TrafficConverter.biz, during a 12-hour period on Nov. 24, the site was bombarded by more than 83 million hits from at least 179,000 unique Internet addresses.

The traffic from Conficker.A infected systems to TrafficConverter.biz might have translated into monster installs for affiliates of the site. Ironically, all of that traffic from Conficker-infected systems appears to have gone to a non-existent page on TrafficConverter.biz, Stewart said. In short, the site missed a pretty huge opportunity to convert a whole lot of traffic.
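The pattern Stewart found in the TrafficConverter.biz logs, a huge number of requests from a huge number of distinct addresses all landing on a page that did not exist, is visible in any ordinary web-server access log. The example below is added here and is not from the article or from Stewart's analysis; it assumes Common Log Format lines, uses constructed sample entries, and uses "/missing-page" as a stand-in for the unnamed file the worm requested.

```python
import re
from collections import defaultdict

# Apache/nginx Common Log Format: host ident user [time] "METHOD path proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+)[^"]*" (\d{3})')

# Constructed sample log lines (not real TrafficConverter.biz traffic). The
# path "/missing-page" is a placeholder: the article does not name the file
# the Conficker-infected systems asked for, only that it did not exist.
SAMPLE_LOG = """\
10.0.0.1 - - [24/Nov/2008:01:00:01 +0000] "GET /index.php HTTP/1.1" 200 512
10.0.0.2 - - [24/Nov/2008:01:00:02 +0000] "GET /index.php HTTP/1.1" 200 512
10.0.0.1 - - [24/Nov/2008:01:00:03 +0000] "GET /about.php HTTP/1.1" 404 210
192.0.2.10 - - [24/Nov/2008:01:00:04 +0000] "GET /missing-page HTTP/1.0" 404 210
192.0.2.11 - - [24/Nov/2008:01:00:04 +0000] "GET /missing-page HTTP/1.0" 404 210
192.0.2.12 - - [24/Nov/2008:01:00:05 +0000] "GET /missing-page HTTP/1.0" 404 210
192.0.2.13 - - [24/Nov/2008:01:00:05 +0000] "GET /missing-page HTTP/1.0" 404 210
192.0.2.10 - - [24/Nov/2008:01:00:06 +0000] "GET /missing-page HTTP/1.0" 404 210
garbage line that should be skipped, not crash the parser
"""

def summarize(lines):
    """Per path: (total hits, distinct source IPs, number of 404 responses)."""
    hits = defaultdict(int)
    ips = defaultdict(set)
    not_found = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:  # tolerate malformed lines instead of aborting the whole run
            continue
        ip, path, status = m.groups()
        hits[path] += 1
        ips[path].add(ip)
        if status == "404":
            not_found[path] += 1
    return {p: (hits[p], len(ips[p]), not_found[p]) for p in hits}

def flag_floods(lines, min_unique_ips=3, min_404_ratio=0.9):
    """Paths that are almost all 404s and are requested from many distinct IPs.

    One visitor following a broken link shows up as one IP; a botnet told to
    fetch a URL that was never published shows up as many IPs and nearly
    nothing but 404s. The thresholds are starting points, not magic numbers."""
    flagged = []
    for path, (total, unique, nf) in summarize(lines).items():
        if unique >= min_unique_ips and nf / total >= min_404_ratio:
            flagged.append(path)
    return sorted(flagged)

if __name__ == "__main__":
    for path, stats in summarize(SAMPLE_LOG.splitlines()).items():
        print(path, stats)
    print("flooded paths:", flag_floods(SAMPLE_LOG.splitlines()))
```

On a real log the distinct-IP count for a flagged path is the figure to compare against Stewart's 179,000; a path hit by a few dozen addresses is a broken link, not a botnet.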

Still, had the curators of TrafficConverter.biz actually placed a file at that link for download, the resulting traffic from 179,000 systems trying to download that file at the same time probably would have crashed the site entirely, Stewart said.

TrafficConverter.biz was forced offline at the end of November, but it was resurrected just a few days later at TrafficConverter2.biz. The site to this day boasts at least 500 active affiliates, all pushing a new rogue product called Antivirus360. What's more, a new contest -- for luxury goods, including a Mercedes S-Class -- is already underway.

One final observation: As we noted last month, Microsoft has issued a $250,000 reward for information leading to the arrest and conviction of the individual(s) responsible for unleashing the Conficker worm. I wonder, though, if that amount is at all enticing to any of these affiliates if they know who was responsible, since apparently that kind of money can already be earned in a little more than a month's time.

View: Original Article


Wow. I will let my embarrassment show & say that in my earlier days I did too fall for this trap. Thankfully I had the presence of mind to figure out how to get rid of the fake shxt that they conned me into. Some of us aren't so lucky though. I do know of a few who actually paid for the software, coming to find that it was a worm in the download that they installed. Yes, they did contact authorities on the situation, still nothing has come. The wheels of justice turn too slow for me. Whoever thought of this idea in economic terms is a genius. In terms of ethics, I have no choice but to second guess them. If they want money then I guess they figure why not fxck up someone else's life (computer & or financial wise) along with it...



Even before I read about Antivirus 360 on here, I had come across this very rogue program on a friend's computer once. When I saw it...and how it acted...I knew that it was rogue after I tried to close it down and it came right back up with prompts to buy it. I eradicated it with a combo cocktail if you will of SUPERAntiSpyware Pro, MalwareBytes, SpyBot S&D, Kaspersky, followed by the uninstall of Kaspersky and the reinstall of other antiviruses one after the other.

By the time I had cleaned the system out...it had found SO MUCH CRAP (all sorts of viruses and spyware/adware/malware) that it numbered far into the thousands.

The Internet has lost all forms of innocence to me now...I know that soon the emergence of some pretty awful things is soon to come and I hope and pray that NSANEDOWN survives it all once it's said and done for.

Oh and a HUGE thanks for all of this news and stuff here too! It helps me be on the tips of my toes when dealing with securing people's computers! I have an unofficial computer repair thing going on in my small town here and I have to say...NsaneDown is one huge help and has been a huge help for quite some time! It's about time for my yearly "Thank You" thread that I do once or twice a year...no really I have made them for the past 2 years at least!



Infinite_Vision

I enjoy reading articles like this because it keeps me informed about things around the net. I've been with the Nsane forum since it started and knew that this site was one of the best if not the best. I knew Nsane and Lite when Lite was working on the KLite project. Though I don't talk much, I browse this forum every day to check on the latest news and software.



I enjoy reading articles like this because it keeps me informed about things around the net. I've been with the Nsane forum since it started and knew that this site was one of the best if not the best. I knew Nsane and Lite when Lite was working on the KLite project. Though I don't talk much, I browse this forum every day to check on the latest news and software.

My GOD! Member number 120...you HAVE been around for ages! And yes I agree Nsanedown is really freaking sweet in so many ways. If they stick around another ten years...I'd vote for some form of expansion...whatever that might be I don't know.



I wish people had more common sense when it came to fake AV programs... "Hey, that AV program somehow wormed its way into my computer! And it just seems to have a generic name, "Antivirus [year name]". I guess it must be legit (without looking up reviews)."



You should always take into account the fact that these are scareware, and since most computer users aren't too tech savvy, they are easy targets. This is one of the main reasons Antivirus 2008 was so "popular": if you put the user in a state of panic, he will do almost anything you want.
