Understanding Current Trends in the Fake Anti-Virus/Scareware Ecosystem

The cyber-criminal groups behind fake anti-virus (scareware/rogueware) infections have run into some significant roadblocks over the last few years, but there is much more to the overall story.

Some groups have been arrested. Some have had their operations and entire call-support centers shut down.
Some groups attracted too much attention, picked off the low hanging fruit and eventually walked away from their botnets.
In some cases, the groups just weren't very skilled at developing anti-anti-malware techniques, blackhat SEO, and malware distribution. They couldn't keep up with the changes in anti-malware technologies, weren't exactly dedicated to the effort, and simply fell off the map.

However, some of the remaining scareware distribution gangs upped the ante and are aggressively developing difficult-to-detect polymorphic installers and difficult-to-remove support components. And the newest of these malware components include some of the first ITW 64-bit malware components to be taken seriously. But, for the most part, the scareware program itself remains the same. The development continues to change and progress, all for the purpose of evading anti-malware solutions and helping coerce the end-user to pay for the fake product, including support/rootkit components like TDSS (and its extreme complexities) or the more recent Black Internet (also known as "Trojan-Clicker.Win32.Cycler") support/rootkit components. These complex MBR infectors and other rootkit components meant to maintain money-making scareware on the system are signs of this somewhat extreme development effort.

At the same time, the commodity exploit kits that the various cyber-criminal groups use to distribute their rogueware have not become any more complex. Instead, some of the more complex kits available in online marketplaces have disappeared with simpler kits like Eleonore and Phoenix remaining. [...]

What does this tell us? For the most part, effectively delivering malware to end user systems still works with simpler, less expensive, means. Which suggests one of several things:

1. End users are not patching their machines.
2. The vulnerabilities are not known and patched quickly enough, or the automatic update utilities are not taking effect quickly enough.
3. Too many end users continue to run their system without effective security protection.

http://www.securelist.com/en/blog/2275/Understanding_Current_Trends_in_the_Fake_Anti_Virus_Scareware_Ecosystem

I'm sorry, but I disagree on #3. "Too many end users continue to run their system without effective security protection".

I've seen effective security protection fail to detect execution of those Trojans. I've seen less popular security solutions or free security software... help or assist the costly or commercial AV solution.

On item #1... I'm sorry, but even a patched system is not "free" from scareware or fake AV, simply because not all rogue programs are installed by a trojan that exploits a known vulnerability. Some do exploit one, but again, not all of them.

What does this tell us? People need to use an extra layer of protection in addition to paid or free security solutions, no matter what OS they use. People need to add a hosts file or use IP blocking or any kind of web filtering, e.g. browser add-ons by Web of Trust or SiteAdvisor. You cannot depend on one security solution because not all antivirus is fast enough to catch 0-day malware or its variants. While patched systems or applications may help, that is not the reason why there are victims of rogue programs. They are also distributed in email as attachments, through hijacked or infected advertisements or websites, social networking messages... too.

Published Fri, Sep 3 2010 8:41 by donna
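The post above recommends a hosts file or web filtering as an extra layer against scareware landing pages. The script below is an added example, not code from donna's post or from the Securelist article, that models the two most common forms of that layer side by side: a hosts-file block list (which only matches an exact hostname, so an entry for a bare domain does not cover its www or CDN subdomains) and a domain-suffix web filter (which covers every subdomain). All block-list domains and sample URLs are constructed placeholders, not real scareware sites.

```python
"""Added example: hosts-file vs. domain-suffix blocking of scareware landing pages.

Not from the original post. BLOCKED_DOMAINS and SAMPLE_URLS are invented
placeholders chosen only to exercise the matching rules.
"""
from urllib.parse import urlsplit

# Constructed block list: the kind of landing/ad domains a hosts file or
# browser filter would carry. Placeholder names, not real sites.
BLOCKED_DOMAINS = {
    "fake-av-scan.example",
    "securityshield-download.example",
    "rogue-ads.example",
}


def hosts_file_lines(domains, sink="0.0.0.0"):
    """Render a block list as hosts-file entries.

    0.0.0.0 is used rather than 127.0.0.1 so a blocked request fails at
    once instead of being sent to whatever is listening on localhost.
    """
    return [f"{sink} {d}" for d in sorted(domains)]


def host_of(url):
    """Lower-cased hostname of a URL, or None if the URL carries none."""
    host = urlsplit(url).hostname
    return host.lower().rstrip(".") if host else None


def hosts_file_blocks(url, domains):
    """Hosts-file semantics: an entry matches the exact hostname only.

    An entry for 'fake-av-scan.example' does NOT cover
    'www.fake-av-scan.example'; each subdomain needs its own line.
    """
    return host_of(url) in domains


def suffix_filter_blocks(url, domains):
    """Web-filter / IP-blocking semantics: block a domain and all its subdomains.

    Only whole-label suffixes count, so 'fake-av-scan.example.evil.test'
    is not treated as a subdomain of 'fake-av-scan.example'.
    """
    host = host_of(url)
    if host is None:
        return False
    labels = host.split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def classify(urls, domains):
    """Map each URL to (blocked_by_hosts_file, blocked_by_suffix_filter)."""
    return {u: (hosts_file_blocks(u, domains), suffix_filter_blocks(u, domains))
            for u in urls}


# Constructed sample URLs covering the cases where the two layers differ.
SAMPLE_URLS = [
    "http://fake-av-scan.example/scan.php",              # exact match: both block
    "http://www.fake-av-scan.example/scan.php",          # subdomain: hosts file misses it
    "https://cdn.rogue-ads.example:8443/ad.js",          # subdomain with port: hosts file misses it
    "http://fake-av-scan.example.evil-lookalike.test/",  # lookalike, not a subdomain: neither blocks
    "http://clean.example/",                             # unrelated: neither blocks
]

if __name__ == "__main__":
    print("\n".join(hosts_file_lines(BLOCKED_DOMAINS)))
    for url, (hosts_hit, suffix_hit) in classify(SAMPLE_URLS, BLOCKED_DOMAINS).items():
        print(f"hosts={hosts_hit!s:5} filter={suffix_hit!s:5} {url}")
```

The practical point the second and third sample URLs make is that a hosts file has to list every hostname explicitly (www., cdn., and so on), which is why hosts-file block lists grow so large, while a browser add-on or gateway filter that matches on domain suffix covers new subdomains of a known bad domain automatically. Neither layer does anything for a landing page reached by raw IP address or for an attachment that arrives by email, which is consistent with the post's point that no single layer is enough.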