Microsoft expert: "viruses aren't worth money, but scareware is"
Fake antivirus software, also known as scareware or rogue AV, is the reason for most of the calls to Microsoft's telephone antivirus hotline, according to Redmond's chief virus hunter Vinny Gullotto. He says that the log files of Forefront installations, Microsoft's antivirus software for enterprises, contain much evidence of scareware infections.
Employees apparently use their company PCs to download the supposedly protective software. Gullotto says he does not know how often payments were made to activate these scareware installations, but he does have an explanation for the popularity of scareware: "Viruses are not worth money, but rogue AV is." He says a lot of developers are now focusing on this lucrative type of malware.
In addition to his company's own Forefront logs, Gullotto has access to a considerably larger data set for building a picture of the current threat situation: Microsoft's Malicious Software Removal Tool (MSRT) examines more than 690 million PCs worldwide and reports its findings back to Redmond. In a recent scan, the tool found that Conficker, a superworm that appeared on the scene at the beginning of 2009, was still spreading, partly to help propagate the installation of scareware. The statistics also revealed that most infected PCs carry multiple infections: on average, Gullotto found two or three malware samples on infected machines.
He and his team also took a look at attacks launched by targeted phishing (spear phishing). This kind of attack made headlines when Google, among others, became a victim. While such attacks are often considered technical masterpieces, Gullotto takes the wind out of their sails: "In my opinion, the only thing that is really tailor-made in the attacks we looked at is the original e-mail. In contrast, the malware that was sent out is off-the-shelf or out-of-the-box, not created for a special target." But Microsoft's virus hunter admitted that in this case even his data set is small; few victims of such attacks are willing to provide details of the attack.
(Uli Ries / djwm)