What’s Protecting Millions of Computers? Fake Security Software

A new report from Symantec details how tens of millions of computers are "protected" with rogue security software that makes them more vulnerable...and a lot of people paid to install it.

By now most savvy Internet users have seen popups and other advertising warning that their computer is infected with a worm or a virus, but for a small fee and a quick download, that problem can be cleared right up! Unsurprisingly, these “scareware” offers are scams, hoping to dupe unwitting users into turning over money for what’s (at best) useless software. At worst, users may be literally paying to install software that compromises the security of their computer or even lets remote attackers take over the machine.

Sound far-fetched? Not according to a new report (PDF) from Symantec: the company’s new Report on Rogue Security software says that in the year between July 1, 2008, and June 30, 2009 Symantec received a whopping 43 million reports of attempted installations of fake security programs. Moreover, during the same period 250 such programs were detected in the wild, and 38 of the top 50 programs were around before July 1, 2008, suggesting these applications have a life cycle far longer than the typical trojan horse, worm, or virus.

Symantec didn’t have any way to know—and hasn’t offered any figures—for how many of those installations may have been successful, but the company reports that some 93 percent of the software installations for the top 50 rogue programs were intentionally downloaded by users—meaning most of the 43 million-or-so users who download these things were successfully duped.

Many of the fake security programs are priced from $30 to $100, with a great deal of the marketing for the products being done by middle-man affiliate partners who typically earn between 1 and 50 cents per successful download. The most successful “master sites” for bogus security software seem to have been Bakasoftware, TrafficConverter, and Dogma Software. Although TrafficConverter was shutdown in November 2008 (as part of the pursuit of the Downaup worm), the site claimed to have as many as 500 affiliates for distributing bogus security software, with top performers earning over $300,000 per month for getting Internet users to install the software.

Symantec urges Internet users to only use reputable, validated security software. In addition, users can reduce their risk by avoiding clicking on links in email messages, never opening email attachments from unknown sources, and being wary of popup and banner advertisements that mimic system dialog boxes and displays.