Google Researchers Reveal Extent Of Fake AV

New research from Google underscores the breadth of fake antivirus operations on the Web.

An analysis of 240 million Web pages collected by Google’s malware detection infrastructure over a 13-month period discovered more than 11,000 domains involved in the distribution of rogue antivirus (AV). While that may be a small overall percentage, Google’s research found that fake AV accounts for 60 percent of the malware discovered on domains that include trending keywords.

According to Niels Provos, software engineer with Google’s Anti-Malware Team, the findings are part of a paper entitled “The Nocebo Effect on the Web: An Analysis of Fake AV Distribution,” which will be presented on 27 April at the Workshop on Large-Scale Exploits and Emergent Threats in San Jose, Calif. The paper reveals some of the common characteristics of these scams, which have emerged as one of the most profitable criminal operations on the Internet.

“At Google, we have been working to help protect users against Fake AV threats on the Web since we first discovered them in March 2007,” Provos blogged. “In addition to protections like adding warnings to browsers and search results, we’re also actively engaged in malware research.”

One of the most popular techniques is for scammers to poison search results using popular terms that increase the page rank of their malicious site. This can typically be seen after major news events. The operations also spread their wares through malicious ads, as demonstrated by the recent attack targeting players of Farm Town, a popular online game played on Facebook.

According to Google, fake AV accounts for 50 percent of all malware delivered via ads, which represents a five-fold increase from just a year ago. “This malicious software takes advantage of users’ fear that their computer is vulnerable, as well as their desire to take the proper corrective action…we recommend only running antivirus and antispyware products from trusted companies,” Provos blogged. “Be sure to use the latest versions of this software, and if the scan detects any suspicious programs or applications, remove them immediately.”