Proactive IT Security

Combating fake antimalware

Introduction

For some years, fake antimalware has been the most persistent single support issue for Norman's support organization. The reasons why this particular threat demands so much time and effort are twofold:

  • new variants are pushed out continuously,
  • cleaning infected computers is difficult because the malware consists of several different malicious components, so re-infection is likely if any one of them is missed.

However, in recent months the number of support requests caused by fake antimalware infections has declined dramatically.

In this article, we will examine the reasons why, and what implications this may have for the fight against malware in general.

Improved detection and cleaning abilities in Norman's antimalware software

Antimalware software improves constantly. Whenever new techniques are used by the cybercriminals, the security vendors adapt their software accordingly to catch the new threats.

Particular efforts are taken to protect customers against the malware families that are widespread. One method used by the antivirus industry to accomplish this is to create generic malware signatures for particular families. The theory is that this will enable the antimalware products to detect (and clean) new variants of malware belonging to these families, not only the individual samples the vendor has already seen.
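To illustrate the difference between a per-sample signature and a generic family signature, here is an added example (not code from the original article or from Norman's products). It builds a small constructed, hypothetical "family" of byte strings that share an invariant core but differ per build, then compares an exact-hash detection database against a generic pattern that tolerates the variable parts. The family name, the marker strings and the sample bytes are all invented for the example.

```python
import hashlib
import re

# Constructed, hypothetical fake-antimalware "family": every build shares an
# invariant core (the rogue product's nag text) but differs in packer padding
# and a per-campaign build number. These bytes are invented for illustration.
FAMILY_CORE = b"Your computer is infected! Buy the full version to remove"


def make_variant(build_id: int, padding: bytes) -> bytes:
    """Assemble one constructed sample: padding, campaign id, core, padding."""
    campaign = b"CAMPAIGN=" + f"{build_id:04d}".encode() + b"\x00"
    return padding + campaign + FAMILY_CORE + b"\x00" + padding[::-1]


# The one sample the vendor has already analysed, and two later builds.
KNOWN_SAMPLE = make_variant(1, b"\x90" * 8)
NEW_VARIANTS = [
    make_variant(2, b"\xcc" * 12),
    make_variant(37, b"\x41\x42" * 5),
]
# A benign file that mentions the computer but carries no family marker.
BENIGN = b"MZ\x90\x00 legitimate program: Your computer is fine. Nothing to buy."


def exact_hash_signature(sample: bytes) -> str:
    """Per-sample signature: a SHA-256 over the whole file."""
    return hashlib.sha256(sample).hexdigest()


# Exact-match database: only the hash of the sample that was actually seen.
EXACT_DB = {exact_hash_signature(KNOWN_SAMPLE): "FakeAV.Family.A"}

# Generic signature: anchors on the invariant core while wildcarding the
# per-build campaign number, so unseen builds of the family still match.
GENERIC_SIGNATURES = {
    "FakeAV.Family.A (generic)": re.compile(
        rb"CAMPAIGN=\d{4}\x00" + re.escape(FAMILY_CORE)
    ),
}


def scan_exact(sample: bytes):
    """Return the detection name from the exact-hash database, or None."""
    return EXACT_DB.get(exact_hash_signature(sample))


def scan_generic(sample: bytes):
    """Return the first generic signature name that matches, or None."""
    for name, pattern in GENERIC_SIGNATURES.items():
        if pattern.search(sample):
            return name
    return None


def coverage(samples, scanner) -> float:
    """Fraction of the given samples that the scanner flags."""
    return sum(1 for s in samples if scanner(s) is not None) / len(samples)


if __name__ == "__main__":
    family = [KNOWN_SAMPLE] + NEW_VARIANTS
    print("exact-hash coverage of family :", coverage(family, scan_exact))
    print("generic coverage of family    :", coverage(family, scan_generic))
    print("generic verdict on benign file:", scan_generic(BENIGN))
```

The exact-hash database flags only the build it was written for, while the generic signature flags every build of the constructed family and still leaves the benign file alone. The trade-off a practitioner has to keep in mind is that the broader the wildcarded region, the greater the false-positive risk, which is why generic signatures are normally anchored on something the family cannot easily change, such as its payment or nag logic.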

Norman has of course invested considerable resources in combating fake antivirus by this method. Our commercial antimalware products for home users and for organizations, as well as our free Norman Malware Cleaner, have in recent months improved significantly with respect to detecting and cleaning fake antimalware.

However, even though our products have improved considerably, we were not convinced that this could fully explain the decline in our support requests.

Disruption of the monetary chain

The security expert Brian Krebs writes the excellent blog KrebsonSecurity, which has been referred to in previous security articles. In Krebs's blog postings Fake Antivirus Industry Down, But Not Out and Huge Decline in Fake AV Following Credit Card Processing Shakeup, he points to another significant factor that explains the decline in the propagation of fake antimalware: disruption of the payment system.

Actions have been taken against the institutions that allow payments (typically by credit card) to the cybercriminals behind the numerous fake antimalware products.

This ecosystem depends on the cybercriminals' ability to get paid for their efforts (e.g. by convincing infected users to purchase the fake antimalware products), and when one part of this ecosystem is disrupted, the ecosystem itself collapses. Some of the persons and/or organizations behind the fake antimalware choose to use their resources elsewhere, since that yields more profit as long as the fake antimalware ecosystem is (partially) broken.

Coordinated efforts against cybercriminals

We have previously advocated the need for combating cybercriminals on more than one front. See for example our articles Fighting malware on two ends and Spam botnet Rustock beheaded, which both show examples of successful operations against cybercriminals that attacked the ecosystem in more than one place.

Coordinated efforts between experts and authorities seem like the most efficient method for combating cybercriminals. With this tactic, the different experts and authorities are each able to focus on the part of the criminal chain that matches their abilities and expertise.

Recent history shows that the results are impressively good.

Selected Norman security articles about fake antimalware