Security software scammers riding on Conficker's coattails

Google searches for info on worm generate links to sites pushing fake removal tools

Google search results related to the Conficker worm — currently the Internet's No. 1 security threat — are being infiltrated with links to fake security software that purports to remove the malware but doesn't, according to security researchers.

Certain search terms that include Conficker as a keyword will bring up links to a host of Web pages that are offering ineffective security programs or could infect PCs with malicious software themselves, said Rik Ferguson, a senior security adviser at Trend Micro Inc.

Ferguson said he has noticed an uptick in such sites over the last couple of days as legitimate software tools have been released for detecting Conficker, which is estimated to have infected more than a million — and perhaps as many as 12 million — PCs worldwide.

For example, Ferguson found malicious links among the results when he did a search on "Nmap Conficker." Nmap is an open-source scanning tool that was recently upgraded to detect Conficker infections. Ferguson said he was surprised at how quickly scammers began manipulating Google with that as a search term.

Scammers routinely try to game Google Inc.'s search engine by creating Web sites full of popular search terms or using spamming techniques to drive their sites higher up in search rankings. Google takes steps to battle such manipulators, and Ferguson, who posted screenshots of searches that he ran late Monday night in a Trend Micro blog, said he has contacted the search engine vendor about his findings.

In many cases, Web sites pushing fake security software ask users to download a file that supposedly will scan their PCs for malware. "Once you've downloaded it, it's extremely difficult to get that stuff off your machine," Ferguson said.

Security software vendor F-Secure Corp. has also seen a number of new domain registrations for Web sites selling software that supposedly removes Conficker, according to a blog post on the company's Web site.

For example, F-Secure cited a program called MalwareRemoval Bot that costs $39.95 and purportedly will oust Conficker from PCs. But the software doesn't work, according to the blog post.

"It does not remove Conficker.c," wrote Patrik Runald, a security response manager at F-Secure. "It didn't do a thing."

Conficker is a difficult-to-remove worm that is vexing the security community. Versions of the worm are being spread by attackers who are taking advantage of a Windows flaw on unpatched PCs, as well as through infected removable media or by using brute-force methods to crack weak passwords.

Security researchers are bracing for tomorrow — April 1 — when the new Conficker.c variant is scheduled to become active. That version of the worm is programmed with an algorithm that will generate random domain names. If any of those domain names are live, the worm will go to the appropriate Web sites and try to download further instructions.

Conficker.c is programmed to generate 50,000 domain names a day and then will try to access 500 of those names on a daily basis, according to security vendor Websense Inc.

The attackers who are controlling Conficker have yet to use it for malicious purposes. But the vast number of machines that are infected means the botnet could be capable of generating devastating denial-of-service attacks, spam campaigns or widespread data theft, security researchers say.

Microsoft Corp. is offering a $250,000 reward for information leading to the arrest and conviction of Conficker's creators.

Copyright © 2009 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon