Reference for diagram:

Step 1: Blue shows the path by which the user is directed to the infected website.

Step 2: Red shows the path of the harvested information from the user to the black market.

Step 3: Green shows the flow of payments from the user through the malicious websites.


The number of rogue anti-malware programs has increased every month since February of this year; their purpose is to infect users' computers and ultimately extort cash from the user. This paper explains how some of these attacks work.

A user browsing the internet may start a search through a major online search engine (Google, MSN, etc.). In certain cases, top search results have been found to point to websites that have been compromised to host malware and/or redirect the user to it. The malware creators take advantage of modern SEO techniques to rank higher in search results (SEO poisoning), and use SQL injection to compromise legitimate websites. The tainted search result appears valid and shows content relevant to what the user searched for. Once clicked, it starts the process of infecting the computer through social engineering and sheer persistence.

Typically, a pop-up appears on the user's screen saying that the computer is infected and that they should run a scan to clean the infection. The page providing the pop-up, however, has been written in such a way that it is difficult to stop the process at this point: closing the pop-up messages only brings more and more of them until the user proceeds with the suggested scan.

The user is then taken to a fake anti-malware website that appears to be selling an anti-malware product (Antivirus 2009, Virus Remover 2009, etc.). A scan page loads and appears to scan the computer, and of course it finds 'viruses'. These fake scans use well-known terminology (keylogger, trojan, spyware, etc.) to convince the user that they are in fact infected and need the advertised software to remove it. A download starts automatically, and because the user is concerned about being infected, they typically allow it.
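The chain just described (search result, compromised landing site, redirect to a fake scan page, automatic executable download) leaves a recognisable trail in web-proxy logs. The script below is an added example, not part of the original post: it parses a constructed proxy log (the log format, client addresses and every host name are assumptions for illustration) and flags clients that, shortly after arriving from a search engine, fetch an executable from a host other than the one the search result pointed at.

```python
"""Heuristic detection of a rogue anti-malware infection chain in proxy logs.

Pattern looked for, per client: a page whose referer is a search engine
(the tainted search result), followed within a short window by an
executable download served from a different host (the fake scanner's
"installer").  Added example; the log layout and hosts are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample log.  Field order (assumed, space separated):
# timestamp client method url status content-type referer ('-' if none)
SAMPLE_LOG = """\
2009-06-01T10:00:01 10.0.0.5 GET http://www.google.com/search?q=free+screensavers 200 text/html -
2009-06-01T10:00:04 10.0.0.5 GET http://compromised-blog.example/screensavers.html 302 text/html http://www.google.com/search?q=free+screensavers
2009-06-01T10:00:05 10.0.0.5 GET http://scan-now.example/scan.php 200 text/html http://compromised-blog.example/screensavers.html
2009-06-01T10:00:09 10.0.0.5 GET http://scan-now.example/install/AntivirusSetup.exe 200 application/x-msdownload http://scan-now.example/scan.php
2009-06-01T10:05:00 10.0.0.7 GET http://www.google.com/search?q=python+tutorial 200 text/html -
2009-06-01T10:05:03 10.0.0.7 GET http://tutorial-site.example/python/ 200 text/html http://www.google.com/search?q=python+tutorial
"""

# Referer hosts treated as "arrived from a search engine" (assumed list).
SEARCH_ENGINES = {"www.google.com", "search.msn.com"}
# Content types that indicate a Windows executable was served.
EXE_TYPES = {"application/x-msdownload", "application/x-msdos-program"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<ctype>\S+) (?P<referer>\S+)$"
)


def parse_log(log_text):
    """Turn log lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
        rec["status"] = int(rec["status"])
        records.append(rec)
    return records


def host_of(url):
    """Lower-cased host part of a URL; empty string for a missing referer."""
    return "" if url == "-" else urlparse(url).netloc.lower()


def is_executable(rec):
    """Executable by declared content type or by a .exe path."""
    return (rec["ctype"].lower() in EXE_TYPES
            or urlparse(rec["url"]).path.lower().endswith(".exe"))


def find_rogue_av_chains(log_text, window_seconds=60):
    """Return one finding per search-referred landing that leads, within the
    window, to an executable download from a different host."""
    by_client = defaultdict(list)
    for rec in parse_log(log_text):
        by_client[rec["client"]].append(rec)

    findings = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        for i, landing in enumerate(recs):
            if host_of(landing["referer"]) not in SEARCH_ENGINES:
                continue                      # not a search-engine click-through
            landing_host = host_of(landing["url"])
            deadline = landing["ts"] + timedelta(seconds=window_seconds)
            hops = [landing["url"]]
            for follow in recs[i + 1:]:
                if follow["ts"] > deadline:
                    break                     # chain went cold; stop following
                hops.append(follow["url"])
                if is_executable(follow) and host_of(follow["url"]) != landing_host:
                    findings.append({
                        "client": client,
                        "landing_host": landing_host,
                        "download_url": follow["url"],
                        "hops": hops,
                    })
                    break                     # one finding per landing
    return findings


if __name__ == "__main__":
    for f in find_rogue_av_chains(SAMPLE_LOG):
        print(f"{f['client']}: {f['landing_host']} -> {f['download_url']}")
        for url in f["hops"]:
            print("   ", url)
```

The cross-host executable download is the discriminating step: a legitimate search click-through rarely ends in an `.exe` from a third host within a minute. In a real deployment the window and the search-engine and content-type lists would be tuned, and known software download hosts excluded, to keep the false-positive rate manageable.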

Once executed, the malware downloads all the files it needs from servers operated by the malware creators or from legitimate websites that have been compromised. The rogue program then starts running and immediately scans the computer again. As before, malware is 'found' on the system, and to remove the infection the user must purchase the software. According to Panda Labs research, on approximately 3% of all infected computers the user willingly hands over their financial information along with $49-$69 (depending on the rogue variant) for the 'purchase' of the software. Of course, shortly after buying it, it becomes obvious that the program is not legitimate: the pop-ups do not stop appearing, no infections are removed, and the rogue program cannot be removed in the conventional way (Add/Remove Programs).

The payment gateways used to process these 'orders' are usually hosted in countries that do not have laws in place to combat this type of fraud. Additionally, most if not all of the financial information gathered by these servers may end up on the black market, sold to the highest bidder.

The group(s) responsible for this rash of rogue anti-malware software are also using affiliate systems such as Pandora Software. These affiliate programs allow websites to 'sell' the rogue anti-malware software through Pandora Software for a small commission, so anyone can get in on the game of spreading this malware.

All in all, the lengths to which these group(s) go to steal money from people and harvest financial information grow more complex as each month passes. New infection techniques have allowed them to infect more computers every month. According to Panda Security's statistics, the number of infections has increased from 296,071 computers to 843,835 computers in just two months.

*Special thanks to Ryan Ash for this post.