October 30, 2008
Antiviral ‘Scareware’ Just One More Intruder
By JOHN MARKOFF
SAN FRANCISCO — How much money can criminals make scaring naïve computer users? Try $5 million
That is how much a marketing associate of one Russian operation appears to be earning from its sales of
fake antivirus software through an elaborate scheme that relies on e-mail spam and indirectly controlling
thousands of unprotected PCs, according to internal company files posted online by a Russian hacker.
The company is Bakasoftware, a clandestine effort based somewhere in Russia that markets what it claims
is an antivirus program strictly to English-speaking computer users.
The program, whose name has recently been updated from Antivirus XP 2008 to Antivirus XP 2009,
lodges itself on a victim’s computer and then begins generating a series of pop-up messages warning that
the user’s computer is infected. If the user responds to the warnings, he is urged to buy a $49.95 program
for disinfecting the machine.
Although tens of millions of Windows PC users have seen these irritating programs that purport to warn
against malware infections, there are few details about the operators who develop and distribute the
software, known as scareware.
Financial details of the operation came to light recently after information posted by a computer hacker
identifying himself as NeoN was discovered on a Russian electronic bulletin board by an American
computer security researcher.
The researcher, Joe Stewart, who is director of malware research at SecureWorks of Atlanta, has tried to
understand the nature of the fake antivirus software and the way it is sold through a second tier of
“bot-herders,” people who redistribute the program through illegal “botnets” or networks of Internet-connected
The scheme was partially revealed, Mr. Stewart said, after NeoN broke into one of the computers used by
Bakasoftware for accounting. Mr. Stewart believes the hacker posted the results of just one week’s
Mr. Stewart also discovered that when the Bakasoftware program starts, it checks the language of the
computer user based on information contained in the Windows operating system. If it finds the personal
computer of a Russian language speaker, the program terminates.
Bakasoftware, which may be based in Moscow according to Internet domain name records, did not respond
to telephone and e-mail requests for comment.
This type of online scheme had recently become the target of a concerted law enforcement effort by the
Washington State attorney general’s office with the assistance of Microsoft’s computer security
investigators. Last month the attorney general, Rob McKenna, said that his office was using recently passed
state legislation aimed at companies that use scareware tactics to file seven lawsuits seeking to halt the
The attorney general’s office has received complaints about the Antivirus XP program, a spokeswoman
said, but she declined to provide information on its investigations.
“The big problem with scareware is that you have voluntarily provided personal information to a Web site
that you would not ordinarily want to have your name, address, credit card and date of birth,” Richard
Boscovich, a Microsoft lawyer who leads a group of security investigators at the company, said.
Mr. Stewart said he found that Bakasoftware’s program has some limited antivirus capabilities, but that it
was “a far cry from what a real antivirus program does.”
NeoN posted a detailed exposé of Bakasoftware’s sales scheme, which relies on a network of affiliates, on
Sept. 22. Mr. Stewart describes the affiliate program as a sophisticated, automated and highly profitable
system intended to efficiently infect millions of computers. Once an affiliate is invited to participate it is
given access to a control panel allowing it to distribute different types of mechanisms for infecting Internet-
“Affiliates can earn anywhere from 58 to 90 percent commission on sales of the software, depending on the
volume of sales,” Mr. Stewart writes. The extraordinarily high commission explains why the rogue
anti-malware products are so popular among hackers and spammers.
NeoN published a list of the ten top earners during a one-week period, with revenue ranging from $58,000
Mr. Stewart estimated that one affiliate alone was able to install 154,825 versions of the software in just 10
days and that 2,772 copies of the program were later purchased from those infected users. Based on that
conversion rate, Mr. Stewart estimated that an affiliate could expect to earn over $5 million annually by
maintaining a botnet large enough to force between 10,000 and 20,000 installations on a daily basis.
It appears that the operation involves credit card fraud and money laundering, Mr. Stewart said. One of the
affiliates sold software to 75 percent of the computers contacted. A sales rate of 1 percent or 2 percent is
more typical of the affiliates, he said, a sign that stolen credit cards were being used.
Despite recent success in convicting some scareware distributors, computer security industry executives are
skeptical about ending online fraud.
“Once the consumer is made aware of the threat and they’re educated, most consumers will take the right
course of conduct,” said Mr. Boscovich. “The problem is the scams are always changing. The minute
they’re educated about scareware something new will come up.”