Massive Profits Fueling Rogue Antivirus Market

In the cyber underworld, more and more individuals are generating six-figure paychecks each month by tricking unknowing computer users into installing rogue anti-virus and security products, new data suggests.

One service that exemplifies a very easy way these bad guys can make this kind of money is TrafficConverter.biz, one of the leading "affiliate programs" that pays people to distribute relatively worthless security software. Affiliates are given a range of links and Javascript snippets they can use to embed the software in hacked and malicious Web sites, or tainted banner advertisements online.

Unsuspecting users who view one of these hacked sites or ads see a series of misleading warnings saying their computers are infected with malware and offering a free scan. Those who agree are prompted to download a program that conducts a bogus scan and warns of non-existent threats on the user's system. The software also blocks the user from visiting legitimate security Web sites. The user is then pestered with increasingly deceptive and incessant prompts to purchase the software (see the screen shots above and below for some of the more subtle examples).

The user's system remains in this state until he or she figures out how to remove the software or relents and pays for a license. At that point, the affiliate responsible for generating that installation is paid by TrafficConverter.biz about $30. The software is sold for between $50 and $75 per license.

Whether the distribution of this software violates the law may depend on how it is distributed. The Federal Trade Commission has taken civil actions against purveyors of this rogue anti-virus software for unfair and deceptive trade practices. If, however, affiliates are distributing this software via Web sites or PCs that they have hacked, that would be illegal by almost any standards.

TrafficConverter.biz was dismantled on Nov. 29, 2008, most likely because the same domain was referenced deep inside the guts of the Conficker worm, a family of malware that is estimated to have infected at least 10 million Microsoft Windows systems.

Prior to the site's demise, security researchers managed to snag a copy of the database for the TrafficConverter affiliate program. While that data set is incomplete, the information available on the top-earning affiliates helps explain why so many consumers are reporting infections from rogue anti-virus products: successful affiliates are making money hand over fist with these programs.

The graphics below show the Top 10 earners in the TrafficConverter program, broken out by earnings over two-week periods from mid-June to mid-August 2008. Some of the biggest earners made more than $330,000 a month in commissions.

[Graphics not reproduced: Top 10 earners for June 16 - June 30, 2008; July 1 - July 15, 2008; July 16 - July 31, 2008; and Aug. 1 - Aug. 15, 2008]

Joe Stewart, senior malware researcher for SecureWorks, published research late last year showing similarly large profits made by affiliates of Baka Software, another rogue anti-virus distribution program.

Stewart said his analysis of the TrafficConverter affiliate earnings suggests that some of the highest-grossing affiliates declined to have their names and incomes listed on the top stats pages.

"Some of these people also choose to not be on the 'top earners' list. I'm guessing they are earning way too much so it would be discouraging to the lower-level affiliates," Stewart said. "They might also be doing money laundering of stolen credit cards instead of relying on victim software installs, which we suspected was going on in the Baka program as well."

TrafficConverter.biz was also sought out by Microsoft Windows systems infected with the first variant of the Conficker worm. Infected systems were instructed to visit that domain and download a file whose name suggested it would install rogue anti-virus software.

By the time Conficker first surfaced, TrafficConverter was nearing the end of a contest in which the top-selling affiliates competed for prizes, such as computers, fancy cell phones and other electronics. The grand prize? A Lexus IS250, a sports sedan that starts at $36,000.

At first glance, it is tempting to assume that the Conficker worm authors were in league with the operators of TrafficConverter.biz, and thus trying to drive traffic to the site -- perhaps in an attempt to push the contest in favor of one or more affiliates. On the other hand, this may have been an attempt by the Conficker authors or a competing affiliate program to hinder and ultimately shutter TrafficConverter.biz, either by causing law enforcement and the security community to focus their attention on it, or by flooding the site with traffic from hundreds of thousands of Conficker-infected systems.

And flood the site it did. According to Stewart's review of the traffic log files for TrafficConverter.biz, during a 12-hour period on Nov. 24, the site was bombarded by more than 83 million hits from at least 179,000 unique Internet addresses.

The traffic from Conficker.A-infected systems to TrafficConverter.biz might have translated into monster installs for affiliates of the site. Ironically, all of that traffic from Conficker-infected systems appears to have gone to a non-existent page on TrafficConverter.biz, Stewart said. In short, the site missed a pretty huge opportunity to convert a whole lot of traffic.
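The two figures above (hits and unique addresses in a 12-hour window, and the fact that the flood hit a page that did not exist) are the kind of thing you get from a quick pass over the server's access log. The script below is an added example written for this post, not code from the original article or from SecureWorks; it tallies hits and unique source IPs per requested path inside a time window and flags paths that only ever returned 404. The log lines, the path `/antispyware/download.php`, the addresses and the timestamps are all constructed for illustration and are not values from the TrafficConverter logs; treating "non-existent page" as "status 404" is likewise an assumption.

```python
"""Tally hits and unique source IPs per request path in an access log window.

Added example for this post (not the article's or SecureWorks' code).  The log
lines, path, IPs and timestamps below are constructed; nothing here is taken
from the real TrafficConverter.biz logs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" format:
# ip - - [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (documentation-range IPs, assumed path).
SAMPLE_LOG = """\
198.51.100.7 - - [24/Nov/2008:00:01:10 +0000] "GET /antispyware/download.php HTTP/1.1" 404 209 "-" "Mozilla/4.0"
198.51.100.7 - - [24/Nov/2008:00:01:11 +0000] "GET /antispyware/download.php HTTP/1.1" 404 209 "-" "Mozilla/4.0"
203.0.113.42 - - [24/Nov/2008:00:02:05 +0000] "GET /antispyware/download.php HTTP/1.1" 404 209 "-" "Mozilla/4.0"
192.0.2.9 - - [24/Nov/2008:00:03:33 +0000] "GET /index.php HTTP/1.1" 200 5120 "http://example.net/" "Mozilla/4.0"
203.0.113.42 - - [24/Nov/2008:00:04:00 +0000] "GET /antispyware/download.php HTTP/1.1" 404 209 "-" "Mozilla/4.0"
192.0.2.9 - - [24/Nov/2008:13:00:00 +0000] "GET /antispyware/download.php HTTP/1.1" 404 209 "-" "Mozilla/4.0"
"""


def parse_time(s):
    """Parse an access-log timestamp such as '24/Nov/2008:00:00:00 +0000'."""
    return datetime.strptime(s, TIME_FMT)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": parse_time(m.group("time")),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def tally(lines, start, hours=12):
    """Per-path hit count, unique source IPs and status codes for [start, start+hours)."""
    end = start + timedelta(hours=hours)
    per_path = defaultdict(lambda: {"hits": 0, "ips": set(), "statuses": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not (start <= rec["time"] < end):
            continue
        entry = per_path[rec["path"]]
        entry["hits"] += 1
        entry["ips"].add(rec["ip"])
        entry["statuses"].add(rec["status"])
    return per_path


def flood_report(lines, start, hours=12, min_unique_ips=2):
    """Paths hit by at least min_unique_ips distinct addresses, busiest first.

    dead_link is True when every request for the path returned 404, i.e. the
    flood was aimed at a page that does not exist (an assumption about how a
    missing page shows up in the log).
    """
    report = []
    for path, e in sorted(tally(lines, start, hours).items(), key=lambda kv: -kv[1]["hits"]):
        if len(e["ips"]) >= min_unique_ips:
            report.append({
                "path": path,
                "hits": e["hits"],
                "unique_ips": len(e["ips"]),
                "dead_link": e["statuses"] == {404},
            })
    return report


if __name__ == "__main__":
    for row in flood_report(SAMPLE_LOG.splitlines(), parse_time("24/Nov/2008:00:00:00 +0000")):
        print(row)
```

On a real log you would feed `flood_report` the file's lines and raise `min_unique_ips` to something meaningful for the site; the per-path split is what separates a worm hammering one dead URL from ordinary visitor traffic on the rest of the site.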

Still, had the curators of TrafficConverter.biz actually placed a file at that link for download, the resulting traffic from 179,000 systems trying to download that file at the same time probably would have crashed the site entirely, Stewart said.

TrafficConverter.biz was forced offline at the end of November, but it was resurrected just a few days later at TrafficConverter2.biz. The site to this day boasts at least 500 active affiliates, all pushing a new rogue product called Antivirus360. What's more, a new contest -- for luxury goods, including a Mercedes S-Class -- is already underway.

One final observation: As we noted last month, Microsoft has issued a $250,000 reward for information leading to the arrest and conviction of the individual(s) responsible for unleashing the Conficker worm. I wonder, though, if that amount is at all enticing to any of these affiliates if they know who was responsible, since apparently that kind of money can already be earned in a little more than a month's time.