Mar 25, 2011 17:54 GMT

Security researchers from cloud security provider Zscaler warn that some scareware distribution sites are using code randomization for both their pages and the malicious binaries they serve.

Spreading fake antivirus programs, collectively known as scareware or rogueware, is one of the most profitable cyber criminal activities.

These programs target less technical people whom they scare into paying for licenses to clean fictitious threats.

Scareware is distributed in various ways: as email attachments, by pay-per-install trojans or, most commonly, via the web.

Web-based distribution is done through specially crafted pages that mimic antivirus scans and warn visitors that malware was detected on their computers. They then offer fake security programs for download.

According to Umesh Wanve, senior security research engineer at Zscaler, scareware pushers have begun randomizing certain aspects of their pages in order to avoid detection.

"The code contains different random variables and fake security warnings, which have been split into smaller variables in an effort to evade antivirus and IDS/IPS engines that may seek to match common string patterns," the researcher writes.
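To show why splitting a warning into randomly named fragments defeats a plain substring signature, and how a detector that reassembles the output still catches it, here is an added example; it is not code from Zscaler or from the article, and the obfuscated page snippet, the variable names and the signature phrase are all constructed for illustration.

```python
import re

# Constructed sample of the kind of page code the article describes: the
# warning text is split across variables with random names and reassembled
# at runtime, so a naive substring signature never sees the whole phrase.
OBFUSCATED_PAGE = """
var q7Zp = "Your comp";
var Hk2w = "uter is in";
var _9vL = "fected!";
var Tq1x = " Click here to remove the threats.";
document.write(q7Zp + Hk2w + _9vL + Tq1x);
"""

# Constructed signature phrase a string-matching engine might look for.
SIGNATURE = "your computer is infected"

_ASSIGN = re.compile(r'var\s+([A-Za-z_$][\w$]*)\s*=\s*"((?:[^"\\]|\\.)*)"\s*;')
_CONCAT = re.compile(r'document\.write\(\s*([^)]*)\)')

def naive_match(source: str, signature: str = SIGNATURE) -> bool:
    """What a plain string-pattern signature sees: the raw page source."""
    return signature in source.lower()

def collect_string_vars(source: str) -> dict:
    """Map each single-assignment string variable to its literal value."""
    return {name: value for name, value in _ASSIGN.findall(source)}

def resolve_writes(source: str) -> list:
    """Reconstruct each document.write() argument by resolving '+' chains
    of known string variables and quoted literals."""
    names = collect_string_vars(source)
    outputs = []
    for expr in _CONCAT.findall(source):
        parts = []
        for tok in (t.strip() for t in expr.split('+')):
            if tok.startswith('"') and tok.endswith('"'):
                parts.append(tok[1:-1])        # inline literal
            else:
                parts.append(names.get(tok, ''))  # unknown names resolve to empty
        outputs.append(''.join(parts))
    return outputs

def normalized_match(source: str, signature: str = SIGNATURE) -> bool:
    """Match the signature against the reassembled output, not the raw code."""
    return any(signature in out.lower() for out in resolve_writes(source))
```

The same idea generalizes to any emulation or normalization step in a web gateway or IDS: match on what the page renders, not on how the source spells it.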

But web code is not the only thing randomized. The malicious binary files served by these sites are also modified on the fly.

Mr. Umesh points out that newly generated binaries have a low detection rate on VirusTotal, apparently confirming that the method is working.

It's worth keeping in mind, though, that VirusTotal only performs on-demand scans, which rely on signatures and heuristics. Most modern antivirus products also have on-access protection layers that can detect and block malware when users try to execute it, so a low VirusTotal score does not by itself mean the file will run undetected.

Of course, randomizing binaries is not new. The technique dates back to the polymorphic viruses of the '90s, which mutated their code with every new infection in an attempt to avoid antivirus detection.

The presence of such techniques in scareware reinforces the idea that user education is much more important than relying on security solutions to block everything.