Many of the affiliates do extremely well. SecureWorks, a unit of Dell, analyzed the distribution of a fake antivirus program called Antivirus XP 2008 via an outfit called Bakasoftware, which was based in Russia. According to documents provided by the hacker behind Bakasoftware, who went by the nickname Krab, one of his top affiliates was able to fool 154,825 people into installing copies of malware on their computers in 10 days, with 2,772 victims going on to enter their credit card numbers. If the documents are accurate, Krab’s affiliate scuttled away with $146,524 in that brief period.
Affiliates have spawned an impressive body of dark innovation to create new ways of infecting computers over the Web. A key tool is a legitimate website that has been surreptitiously compromised. If you visit such a site, you are often automatically redirected to a site that brings up the flashing warnings, attempting to fool you into clicking approval to download the fake antivirus program. Often, other malware is seeking unpatched holes in common software like Java and Adobe Flash—holes through which it can install other damaging payloads, like malware that steals passwords stored on your computer. This is known as a “drive-by download.”
Phony warnings similar to the one above—in dozens of languages—are a familiar sight to millions of computer users worldwide.
Remarkable technology underlies the whole process. To maintain a constant supply of infected websites, criminals write code that crawls the Web looking for known vulnerabilities in common publishing platforms like WordPress or in Web hosting software such as cPanel, says Weinstein. (Every month, his StopBadware organization helps clean up 1,200 websites, a tiny fraction of the hundreds of thousands believed to be infected at any time.) Alternatively, the criminals can use purloined passwords to log in to websites and add malicious code. To make this job easier, botnets do much of the work automatically.
Booby-trapping websites is just one step. The malicious code must avoid detection if those sites are to remain useful to the criminals. To outwit real antivirus programs that are updated daily, the criminals make cosmetic changes to the code—often with simple and widely available encryption tricks. (The malicious code behind the Princess Di image, for example, was much the same as that used in other fake-antivirus scams but was missed by 38 out of 42 real antivirus scanners.) And to keep ahead of the blacklists that security companies and Web companies maintain to block Web addresses known to be housing malicious software, they exploit techniques for rapidly registering and changing thousands of addresses.
A look at one domain registry shows how easy this is. A company in South Korea specializes in selling millions of addresses in the national domain “.cc”—that of the Cocos (Keeling) Islands, an Australian territory. The Korean shop has registered “co.cc.” To this it can add countless numbers of names. For $1,000, in fact, it’ll give you 15,000 of them. It boasts of having 57 million co.cc sites indexed by Google, showing just how easy it can be to reach a broad swath of victims. And free Web hosting services around the world make it easy to press these sites into service.
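As an added defender-side illustration (not code from the article), the following Python applies the lesson of the last two paragraphs to constructed Web proxy log lines: hosts under a bulk-sold parent such as co.cc are treated as one family rather than blacklisted one address at a time, and hops into that family from an unrelated referring site are surfaced. The log format, client addresses and hostnames are hypothetical.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log (hypothetical format): time, client, referer, host, path
SAMPLE_LOG = """\
2009-01-12T10:01:02 10.0.0.5 - example-news.test /index.html
2009-01-12T10:01:03 10.0.0.5 http://example-news.test/index.html a1b2c3.co.cc /scan.php
2009-01-12T10:01:05 10.0.0.7 http://example-news.test/story.html d4e5f6.co.cc /scan.php
2009-01-12T10:02:10 10.0.0.9 http://blog.example.test/post d4e5f6.co.cc /scan.php
2009-01-12T10:02:11 10.0.0.9 - g7h8i9.co.cc /setup.exe
2009-01-12T10:03:00 10.0.0.5 - mail.example.test /inbox
"""

# Parents under which names are sold in bulk; detection keys on the parent, not each child name
BULK_PARENTS = ("co.cc",)

def bulk_parent(host):
    """Return the bulk-registered parent a host sits under, or None."""
    for parent in BULK_PARENTS:
        if host == parent or host.endswith("." + parent):
            return parent
    return None

def parse_log(text):
    """Return (client, referer_host, host) for each log line; '-' means no referer."""
    records = []
    for line in text.splitlines():
        _, client, referer, host, _ = line.split()
        ref_host = urlsplit(referer).hostname if referer != "-" else None
        records.append((client, ref_host, host))
    return records

def subdomain_churn(records):
    """Count distinct child names seen under each bulk parent (many children = churn)."""
    children = defaultdict(set)
    for _, _, host in records:
        parent = bulk_parent(host)
        if parent:
            children[parent].add(host)
    return {parent: len(names) for parent, names in children.items()}

def cross_site_hops(records):
    """Requests to a bulk-parent host that arrived from an unrelated referring site."""
    hops = []
    for _, ref_host, host in records:
        if ref_host and bulk_parent(host) and bulk_parent(ref_host) != bulk_parent(host):
            hops.append((ref_host, host))
    return hops
```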