ANATOMY OF A MALWARE SCAM

Jesper Johansson has been working in information security for more than 20 years and has earned a good reputation for doggedly identifying and chasing the bad guys. He’s written a fascinating article about his attempt to track down the details of a bit of malware. It starts as a simple link in a blog comment but leads to IP addresses in Singapore, servers in Kuala Lumpur, domains registered in the Ukraine, and payment centers in Barbados.

He picked this malware at random. It’s the variety that presents warnings that your computer is at risk and insists that you purchase its antivirus software. The dialogs and screens are professionally done and the grammar is correct – there is nothing obvious that gives away that every single thing is faked – the “scan,” the progress bar, the lists of infected files, and the dialogs purporting to give you options but in fact leading always to a demand for payment.

There are even phony coverups for the Windows XP Security Center, designed so that every link will bring you to another payment demand. (Real one on the left, phony on the right. If you click through to the full-size version of the phony one, you’ll see the first place where some grammatical errors creep in. There are also some shockingly well-designed web pages and dialogs.)

In this case, the bad guys appear only to want the $49.95 and your credit card number – Johansson didn’t detect any other evil payload, although he mentions ways it could have been disguised.

Your security software – OneCare, AVG, or the rest – probably update themselves several times a day. OneCare gets virus updates every four hours, I think. Understand this carefully: the bad guys change things so fast that they see four hours as an opportunity. Johanssen found hundreds of variations on the software payload for this scam alone, just one of the many malware scams out there, and he spotted changes happening literally while he was writing the article.

Your daily reminders:

Antivirus software will not always protect you against malware if you click OK at the wrong time!

Don’t click on strange URLs! Follow links with carefree abandon to and from legitimate sites, but don’t click on links that arrive in spam e-mail, instant messages, web forums, or IRC chats, or that start from an untrustworthy web site.

Never, never, never open email attachments unless you know with 100% certainty that the attachment is something you expected and want to receive.

The bad guys are liars. They will say anything to get past your defenses, without conscience or remorse.

Please, be careful out there!