 
October 5, 2008

Rogue security apps strike again: Fortinet

5 October, 2008
By Vanessa Ho

For the second consecutive month, rogue security applications topped Fortinet's top 10 most reported high-risk threats for September 2008.

For the month, rogue security applications made up 61.5 per cent of total activity. In particular, W32/Inject.GZW!tr.bdr was the most prolific variant of the rogue security Trojans.

"When we see unprecedented volume, it usually indicates that the attacks are working and cybercriminals are trying to act fast to take full advantage of the situation. It also shows the depth of resources available to this criminal organization," stated Derek Manky, security researcher for Fortinet.

The last report showed an influx of activity associated with W32/Multidr.JD towards the end of the period. This activity continued throughout the beginning of this period, shifting to W32/Delf.BFC before moving on to other variants.

Rogue security malware claimed the top four positions in this month's Top 10 list and also propelled the RogueSecurity family into the number one position among malware family activities for the entire month. As they were in last month's report, AntiVirus XP 2008 (55.5 per cent) and XP Security Center (six per cent) were the two main applications that fronted the security scams in September.

Manky explained in last month's report that these rogue security applications look like professional security applications, and that when a user clicks on either AntiVirus XP 2008 or XP Security Center, the application shows a progress bar as if it were scanning the computer for viruses or spyware.

"The end result is these scans are informing users that they have hundreds of these infections and malicious files on their computer. But because this is a fake, these files don't exist on the system and it becomes a tactic to scare users," he added.

Manky advised that, to avoid falling into these traps, consumers should ensure that the source of their security application purchases is legitimate. "Consumers should look out for unsolicited system messages which typically claim to find hundreds of infections, followed by purchase requests to cleanse."

While these rogue applications were certainly the focus of this period, other malware trends were also observed. Virut.A, a virus that infects executable files, remained strong, coming in at seventh spot, although it was bumped out of the top five for the first time in seven months. Also noted was Goldun.AXT, a new Trojan keylogger that generated heavy volume to claim the sixth position. Crypt.MV, part of the Pushdo family, clinched the final tenth spot, while Netsky, which had been number one prior to the appearance of the rogue security applications, landed in fifth spot.





