Microsoft and Fake AV Products
During the first half of 2008, Microsoft removed almost 9 million copies of Win32/Zlob from infected computers - more than twice as many as any other threat. In their Security Intelligence Report 5 they described Zlob infections like this: "Once installed on the target computer, Zlob bombards the user with pop-up advertisements and fake 'spyware warnings' that are actually advertisements for rogue security software". An especially prevalent way to get Zlob at that time was to be prompted to install a missing codec or video player when visiting a site advertised by a spam message.
On November 19th, Microsoft announced that their Malicious Software Removal Tool could now remove the newest batch of fake antivirus products, and that in the first 9 days of the new release, they had removed 994,000 of these fake products, which they refer to collectively as Win32/FakeSecSen. The announcement came from the Microsoft Malware Protection Center's Threat Research & Response Blog, which revealed that 548,218 of those 944,061 machines were in the United States. For every 1,000 machines they scanned, five HAD BEEN infected with a fake antivirus product.
Wait, HAD BEEN? Yes. The blog goes on to point out that of those 944,061 machines which were detected as infected, only 198,812 had an ACTIVE infection including the "main .exe". The other 700,000 or so had actually already had the infection declawed, either manually or by another anti-virus program, but residual files indicating the former infection were still present. In other words, the MILLION MACHINES CLEANED was really TWO HUNDRED THOUSAND MACHINES DISINFECTED, and EIGHT HUNDRED THOUSAND CLEANED UP A LITTLE BIT MORE THAN THEY ALREADY HAD BEEN. By comparison, the real danger may be Renos, where 565,000 machines were actually disinfected. But what is Renos? Win32/Renos is another entire family of fake AV products. After the blog post was published, the Analysis section of the Win32/Renos entry was updated to say "On November 19th a signature for TrojanDropper:Win32/Renos.N started detecting particular uninstall files. This incorrect detection affects users of all Microsoft Antivirus solutions." This was fixed in the December MSRT, but one has to wonder how many of the amazing number of Renos infections were due to this false detection.
The most recent batch of fake products, covered by Win32/FakeSecSen, has a great collection of screen shots of the various fake products on the "Analysis" tab, including Micro Antivirus 2009, MS Antivirus, Spyware Preventer, Vista Antivirus 2008, Advanced Antivirus, System Antivirus 2008, Ultimate Antivirus 2008, Windows Antivirus, XPert Antivirus, and Power Antivirus.
Reports of rogue Antivirus programs have been more prevalent as of late. These are programs that generate misleading alerts and false detections in order to convince users to purchase illegitimate security software. Some of these programs, such as Trojan:Win32/Antivirusxp and Program:Win32/FakeRednefed may display product names or logos in an apparently unlawful attempt to impersonate Microsoft products. These products may represent themselves as “Antivirus XP”, “AntivirusXP 2008”, “WinDefender 2008”, “XP Antivirus”, or similar.
(from the Microsoft Malware Protection Center).
Earlier versions of MSRT also detected fake security products, primarily under the names Win32/FakeXPA and Win32/SpySheriff, the former detecting mostly "Microsoft look-alike products" while the latter covered many of the first fake protection products, including BraveSentry, DiaRemover, MalwareAlarm, Mr. AntiSpy, PestTrap, PestWiper, SpyMarshal, SpySheriff, and SpyTrooper. An intermediary version was called Win32/FakeXPA.
The FTC and Fake AV
OK, with that as background, let's agree that millions of computers have been infected with various brands of fake security products and look at the FTC action.
On December 10th, the FTC released a Consumer Alert entitled:
"Free Security Scan" Could Cost Time and Money
Messages telling you to install and update security software for your computer seem to be everywhere. So you might be tempted by an offer of a “free security scan,” especially when faced with a pop-up, an email, or an ad that claims “malicious software” has already been found on your machine. Unfortunately, it’s likely that the scary message is a come-on for a rip-off.
The free scan claims to find a host of problems, and within seconds, you’re getting urgent pop-ups to buy security software. After you agree to spend $40 or more on the software, the program tells you that your problems are fixed. The reality: there was nothing to fix. And what’s worse, the program now installed on your computer could be harmful.
According to attorneys at the Federal Trade Commission (FTC), the nation’s consumer protection agency, scammers have found ways to create realistic but phony “security alerts.” Though the “alerts” look like they’re being generated by your computer, they actually are created by a con artist and sent through your Internet browser.
The full text of the FTC Consumer Alert is available as a PDF and also as an HTML version.
More importantly, they requested and received a temporary restraining order from the U.S. District Court for the District of Maryland. In this action, they have accused five people of running two companies that are responsible for most of these fake products, and a sixth of receiving funds from the scam.
Under the FTC Act, 15 U.S.C. § 45(a), the Federal Trade Commission is in charge of enforcing the prohibition against "deceptive or unfair acts or practices in or affecting commerce." As part of that enforcement the FTC has the right to "secure such equitable relief as may be appropriate in each case, including restitution for injured consumers, consumer redress, and disgorgement" (15 U.S.C. § 53(b)).
The companies being targeted here are:
"Innovative Marketing", a company incorporated in Belize, with offices in Kiev, Ukraine, who has done business as Billingnow, BillPlanet PTE Ltd., Globedat, Innovative Marketing Ukraine, Revenue Response, Sunwell, Synergy Software BV, Winpayment Consultancy SPC, Winsecure Solutions, and Winsolutions FZ-LLC.
"Bytehosting Internet Services", an LLC registered in Ohio with an office at 3864 McMann Road, Suite A, Cincinnati, Ohio.
The charge is that their business practice was "a massive Internet-based scheme that tricks consumers into purchasing computer security software" which exploited consumers' "legitimate concerns about Internet-based threats like spyware and viruses by issuing false security or privacy warnings to consumers for the sole purpose of selling software to fix the imagined problem". After running a simulated "Free scan", the software would claim to have detected "a host of malicious or otherwise dangerous files and programs, including viruses, spyware, or illegal pornography", and encourage the consumer to download their product to fix it. The downloaded products would run another scan, and then urge the consumer to spend $39.95 to solve the problem by buying "the full version".
"MORE THAN ONE MILLION CONSUMERS HAVE PURCHASED THE DEFENDANT'S SOFTWARE PRODUCTS TO CURE THEIR COMPUTERS OF THE NON-EXISTENT PROBLEMS "DETECTED" BY THE DEFENDANT'S FAKE SCANS!!!!!"
(emphasis, and all those nice "!!!!!" added by the blogger)
These guys are the ones who have been making the money, all the way back to 2003, selling products including but not limited to WinFixer, WinAntivirus, DriveCleaner, WinAntiSpyware, ErrorProtector, ErrorSafe, SystemDoctor, AdvancedCleaner, Antivirus XP, XP Antivirus 2008, etc.
While most of us know these products as they are delivered by viruses, the defendants actually paid for advertising as well. Just one of the defendants purchased $3.3 million in advertisements from the MyGeek network (now known as AdOn) between October 2004 and November 2006. The ads were displayed more than 680 million times!
After MyGeek began refusing to run their ads, the defendants created their own fake advertising groups, such as Burn Ads, Preved Marketing, AdTraff, NetMediaGroup, and Uniqads, which they sold to websites offering a share of the advertising revenue. These fake advertising companies began to approach sites, claiming they represented legitimate sites that wanted to place advertisements, including CareerBuilder.com, Frontgate, Travelocity.com, Priceline.com, and other sites. The ads which were displayed, when viewed from IP addresses belonging to their business partners, always showed ads for the legitimate companies, but when viewed by outside IP addresses, the ads for their fake scanners were displayed.
Because the publishers believed they were doing business with legitimate advertising companies, the ads found their way to places such as Major League Baseball and National Hockey League sites, the National Association of Realtors, the Economist magazine, and others.
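The IP-based cloaking described above can be caught by a publisher or ad network that fetches the same ad tag from vantage points the advertiser does not know about and compares what comes back. The following is an added example, not code from the post or from the FTC filing; the ad server, the partner address range and the two creatives are constructed stand-ins so that the check runs offline.

```python
"""Cross-vantage creative verification (added example with constructed data)."""
import hashlib
import ipaddress
from typing import Callable, Dict, List

# Constructed: the address range the (fictional) advertiser believes belongs to
# its partners' review staff, i.e. the viewers who must always see a clean ad.
PARTNER_REVIEW_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed creatives standing in for the two variants described in the post.
LEGIT_CREATIVE = b"<a href='https://travel.example/'>Book a flight today</a>"
ROGUE_CREATIVE = b"<div class='alert'>WARNING: 37 threats found. Remove now</div>"


def fetch_creative(viewer_ip: str) -> bytes:
    """Stand-in for the cloaking ad server: partners get the clean ad, others do not."""
    addr = ipaddress.ip_address(viewer_ip)
    if any(addr in net for net in PARTNER_REVIEW_NETS):
        return LEGIT_CREATIVE
    return ROGUE_CREATIVE


def verify_creative(fetch: Callable[[str], bytes],
                    vantage_ips: List[str]) -> Dict[str, object]:
    """Fetch the ad from every vantage IP and report whether the responses diverge.

    Returns the distinct content hashes and which vantage points saw each one,
    so a reviewer can pull the unexpected variant for analysis. Vantage points
    should include addresses the advertiser has no reason to treat as trusted.
    """
    seen: Dict[str, List[str]] = {}
    for ip in vantage_ips:
        digest = hashlib.sha256(fetch(ip)).hexdigest()[:16]
        seen.setdefault(digest, []).append(ip)
    return {"cloaked": len(seen) > 1, "variants": seen}


if __name__ == "__main__":
    # Checking only from the partner range (what the advertiser expects) passes.
    print(verify_creative(fetch_creative, ["198.51.100.7", "198.51.100.9"]))
    # Adding an undisclosed vantage point outside that range exposes the cloaking.
    print(verify_creative(fetch_creative, ["198.51.100.7", "203.0.113.55"]))
```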
The defendants are:
James Reno (Bytehosting), who ran "setupahost.net". Reno provided contracts with some of these ad-distribution vendors, ran Bytehosting, and provided the Call Center which supposedly took tech support calls about their products. Part of the call center's job was to obstruct and delay consumers from obtaining refunds by misleading them about the nature of the scan, or telling them a refund had already been issued to them, when it had not. Almost all of Bytehosting's revenue came from Innovative Marketing.
Sam Jain (Innovative Marketing), who resided in California. Jain is the CEO of Innovative Marketing, and co-founded the company in 2002. A large financial investor in the company, Jain handled much of the marketing and sales, and worked out the relationship with companies to take their credit card payments.
Daniel Sundin (Innovative Marketing), who resided in London, England. Sundin ran Vantage Software and Winsoftware, Ltd. He was also the COO and is now CTO of Innovative Marketing. He set up the company headquarters in Kiev, and also opened facilities in Argentina and India. His old company, Vantage Software, paid for many of the original domain names, such as Winfixer.com, DriveCleaner.com, WinAntivirus.com, and SystemDoctor.com. The foreign banking is handled by Sundin.
Marc D'Souza (Innovative Marketing), who resided in Toronto, Canada. D'Souza ran Web Integrated Net Solutions. D'Souza took over the role of working on the credit card payment processor relationships. He and his father Maurice established numerous merchant accounts with payment processors around the world to clear their cards, which was hard to maintain because of the very high level of chargebacks and complaints from consumers. Marc and his father each retained "millions of dollars in proceeds" in their bank accounts. They are no longer associated with Innovative Marketing and are the subject of a lawsuit in Canada where Innovative Marketing claims they have embezzled millions of their dollars.
Kristy Ross (Innovative Marketing), who resided in Maryland. Ross was the marketing person, responsible for placing millions of dollars worth of false and misleading advertisements. Despite warnings on multiple occasions that the ads were exploitive and deceitful, she continued to place these ads.
Maurice D'Souza, who resided in Ontario, Canada and received "ill-gotten funds" from his son Marc (see above).
The FTC action includes a "Prayer for Relief" which requests that the court award "such relief as necessary to redress injury to consumers resulting from the Defendants' violations of the FTC Act, including but not limited to, rescission or reformation of contracts, restitution, the refund of monies paid, and the disgorgement of ill-gotten monies." They also ask that the court protect and return funds and property that the defendants have in their possession or have purchased as a result of their ill-gotten gains or proceeds.
For more details on the case, please see:
which includes links to the:
Ex Parte Temporary Restraining Order
Complaint for Injunctive and Other Equitable Relief