Archive for December, 2009


We have recently received queries from customers about the official exclusion list recommendations from Microsoft. Microsoft has published a Knowledge Base entry that lists recommendations to improve Windows performance when running antivirus scanners.

This list recommends that customers exclude certain extensions and folders from antivirus scanning. Although it does make sense to stop checking Windows Update and some Group Policy-related files if you really want to speed up the system, we are concerned that this was released publicly.

    This is an overview of these recommendations from Microsoft:

• Certain files in the SoftwareDistribution folder
• Certain specific file names (e.g., edb.chk)
• A small list of extensions in certain specific folders (e.g., *.log)

Plus, some other similar lists for Group Policy.

Following the recommendations does not pose a significant threat as of now, but it has great potential to become one. Cybercriminals may strategically drop or download a malicious file into one of the folders recommended for exclusion from scanning, or use a file name extension that is also on the excluded list.

    We find it sensible for users to aim for better system performance. However, we also think that excluding certain file types or folders from antivirus scanning is not something novice users should tinker with. Doing so may expose the system to risks that can lead to an inconvenience far more severe than a slightly slower system.

In line with this, we advise users to educate themselves fully about these recommendations before taking any action. We recommend that users not exclude any file unless there is a critical reason to do so, and that they be aware of the risks entailed by such an action.
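One practical way to weigh such a recommendation is to audit what an exclusion list actually leaves unscanned. The following is an added example, not code from Trend Micro or Microsoft: it models the kinds of exclusion the post describes (a specific file name in a folder, an extension wildcard scoped to a folder) and reports, for a set of paths, which rule would stop the scanner from looking at each one. The folder paths and sample files are constructed for illustration; only the names edb.chk and *.log come from the post.

```python
"""Audit which file paths an antivirus exclusion list would leave unscanned.

Added example, not Trend Micro's or Microsoft's code. The rule set and paths
below are constructed for illustration; only "edb.chk" and "*.log" are taken
from the post.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from pathlib import PureWindowsPath
from typing import Iterable, Optional


@dataclass(frozen=True)
class ExclusionRule:
    folder: str              # folder the rule is scoped to
    pattern: str             # file-name pattern, e.g. "edb.chk" or "*.log"
    recursive: bool = False  # True if subfolders are covered as well


def _norm(path: str) -> PureWindowsPath:
    """Normalise a Windows path for case-insensitive comparison."""
    return PureWindowsPath(path.lower())


def matching_rule(path: str, rules: Iterable[ExclusionRule]) -> Optional[ExclusionRule]:
    """Return the first rule that would exclude *path* from scanning, or None."""
    target = _norm(path)
    for rule in rules:
        folder = _norm(rule.folder)
        in_scope = folder in target.parents if rule.recursive else target.parent == folder
        if in_scope and fnmatchcase(target.name, rule.pattern.lower()):
            return rule
    return None


def audit(paths: Iterable[str], rules: Iterable[ExclusionRule]) -> dict:
    """Map each path to the rule that excludes it (None means it would be scanned)."""
    rules = list(rules)
    return {p: matching_rule(p, rules) for p in paths}


def broad_rules(rules: Iterable[ExclusionRule]) -> list:
    """Rules that match on extension alone: any file name in scope is skipped."""
    return [r for r in rules if r.pattern.startswith("*.")]


# Constructed rule set modelled on the kinds of entries the post describes.
EXAMPLE_RULES = [
    ExclusionRule(r"C:\Windows\SoftwareDistribution\DataStore\Logs", "edb.chk"),
    ExclusionRule(r"C:\Windows\SoftwareDistribution\DataStore\Logs", "*.log"),
]

# Constructed paths: the expected checkpoint file, a file of unknown origin that
# merely carries an excluded extension, a file one level deeper, and a .log
# file outside the scoped folder.
EXAMPLE_PATHS = [
    r"C:\Windows\SoftwareDistribution\DataStore\Logs\EDB.CHK",
    r"C:\Windows\SoftwareDistribution\DataStore\Logs\unknown.log",
    r"C:\Windows\SoftwareDistribution\DataStore\Logs\sub\other.log",
    r"C:\Users\Public\report.log",
]

if __name__ == "__main__":
    for path, rule in audit(EXAMPLE_PATHS, EXAMPLE_RULES).items():
        status = f"NOT SCANNED (rule {rule.pattern} in {rule.folder})" if rule else "scanned"
        print(f"{path}: {status}")
    for rule in broad_rules(EXAMPLE_RULES):
        print(f"broad rule: any {rule.pattern} file in {rule.folder} is skipped")
```

The audit makes the post's concern concrete: the `*.log` rule skips every file carrying that extension in the scoped folder, whatever its origin, whereas the `edb.chk` rule covers one expected file. Marking a rule `recursive=True` widens its reach to every subfolder, which is why exclusions should be kept as narrow as the product allows.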




Tricking users into downloading rogue AV is an age-old cybercriminal tactic that still works, hence the continuous rise in the number of rogue AV programs pushed to unwitting scam victims to this day. In fact, the FBI just recently warned the public about the threat that rogue AV software poses, saying it has resulted in more than US$150 million in losses to victims.

The earliest rogue AV ploys relied on scareware tactics that warned users of supposed infections. The shift toward a more profit-driven threat landscape, however, also prompted cybercriminals to employ more devious and cunning techniques. Today, they often use search engine optimization (SEO) techniques that infect users just by visiting certain sites, seemingly mimicking the manner in which real-time antivirus products protect systems.

Some rogue AV employ “ransomware” tactics. They encrypt files, taking them hostage so users cannot use them. To recover the files, a user has to download a paid version of the program, but just like its predecessors, this is all just a scam: the paid version only fixes the problem that the program created in the first place, and only after the user has been forced to pay up.


Cybercriminals use several social engineering techniques to spread rogue AV among computer users. Spammed messages containing URLs that lead to sites where rogue AV can be downloaded are very common. Others are more imaginative, rigging search engine results with links to downloadable, seemingly legitimate antivirus applications.

    Another ingenious social engineering ploy to spread rogue AV involves the use of codecs. As several media files require codecs for playback, users who want to stream videos are often victimized by downloading rogue AV posing as video codecs. Celebrity deaths (e.g., Corazon Aquino) and tragic events (e.g., tropical storms) have also become unwitting participants in rogue AV scams.

    Social networking sites such as Twitter and Facebook have also become unwilling sources of rogue AV, thanks to the KOOBFACE botnet’s dedicated FAKEAV installer component.

TrendLabs has observed that rogue AV authors, sellers, and resellers now employ enhanced social engineering tactics, taking advantage of trendy topics in popular search engines. They have also been found to use GeoIP tracking. These attacks employ techniques similar to those of blackhat SEO campaigns, albeit in a more targeted way.

    Cybercriminals will really stop at nothing just to further their profiteering schemes. And though users have been warned time and again of staying away from links that come from unknown users—whether in emails or tweets—it seems curiosity will still get the better of them, allowing cybercriminals to continue infecting them with the great mass of available rogue AV on the Web.

    Fortunately, Trend Micro Smart Protection Network protects users against all these kinds of rogue AV and other similar malware threats.




    Cybercriminals Go to The Cloud

In an article, Dancho Danchev illustrated Trend Micro’s prediction that cloud hosting services such as Amazon EC2 can easily be used for fail-over command-and-control (C&C) botnet services.

Just recently, Trend Micro had an issue with some IP ranges from the Amazon EC2 data centers. Under the procedures of our email reputation database, actively spamming IP addresses are automatically blocked.

Hosting, as always, can be used as a platform for malware distribution. It does not really matter whether it is a very small hosting provider with a few racks of hardware boxes or a huge infrastructure with tons of hardware offering services in the cloud.

The legitimate IP addresses of the cloud pool enable cybercriminals to run their malware services on abuse-free hosting. If we take EC2 as an example, a client can reserve a pool of IP addresses and easily manipulate this list by assigning a virtual instance to an existing IP from the pool or by adding new ones.

Fraudulent activities in the hosting cloud are difficult to trace. This makes perfect sense for cybercriminals who are trying to take advantage of a reputable organization by using it to hide their malicious business model. With that in mind, it is likely that in 2010 we will see significant growth in the misuse of cloud hosting services.




Old trends never die; they just resurface from time to time. Case in point: spammed messages with .MP3 file attachments, last seen two years ago, made their presence felt once again today.

Trend Micro researchers were alerted to the discovery of spammed messages that had no subject and no body content. The email messages contained only an .MP3 file; when it is opened, a voice advertising Viagra and other sexual enhancement pills is heard. The said “voice” also entices users to visit a certain URL, which points to the all-too-familiar Canadian pharmacy sites.


In the past, Trend Micro has blogged about how cybercriminals used .MP3 files, or files purporting to be such, to proliferate their malicious activities in the following posts:

Users are strongly advised not to open or execute attached files from unknown senders. Trend Micro secures users from this attack via the Smart Protection Network, which blocks the said spammed messages.
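The shape of these messages (no subject, no body, a lone .MP3 attachment) is distinctive enough to be checked at the mail gateway. The following is an added example, not Trend Micro's code: it parses a raw message with Python's standard email library and flags it when the subject and body are empty and every attachment is an audio/mpeg part or a file merely named *.mp3. The sample messages, the example.invalid addresses and the audio bytes are constructed here for testing, not captured spam.

```python
"""Flag spammed messages that carry nothing but an .MP3 attachment.

Added example, not Trend Micro's code. The sample messages built below are
constructed test input (example.invalid addresses, stand-in audio bytes),
not captured spam.
"""
import base64
from email import policy
from email.parser import BytesParser

# Constructed stand-in for MPEG audio data (a frame-sync-like header plus padding).
FAKE_MP3 = b"\xff\xfb\x90\x00" + bytes(28)


def build_sample_message(subject=None, body="", attach_mp3=True) -> bytes:
    """Construct a raw RFC 5322 message (test input only, not a real capture)."""
    headers = ["From: sender@example.invalid", "To: user@example.invalid", "MIME-Version: 1.0"]
    if subject is not None:
        headers.append(f"Subject: {subject}")
    if not attach_mp3:
        headers.append("Content-Type: text/plain; charset=us-ascii")
        return ("\r\n".join(headers) + "\r\n\r\n" + body).encode("ascii")
    boundary = "sample-boundary"
    headers.append(f'Content-Type: multipart/mixed; boundary="{boundary}"')
    audio_b64 = base64.b64encode(FAKE_MP3).decode("ascii")
    parts = (
        f"--{boundary}\r\nContent-Type: text/plain; charset=us-ascii\r\n\r\n{body}\r\n"
        f"--{boundary}\r\nContent-Type: audio/mpeg\r\n"
        f"Content-Transfer-Encoding: base64\r\n"
        f'Content-Disposition: attachment; filename="message.mp3"\r\n\r\n{audio_b64}\r\n'
        f"--{boundary}--\r\n"
    )
    return ("\r\n".join(headers) + "\r\n\r\n" + parts).encode("ascii")


def _is_mp3_part(part) -> bool:
    """True for audio/mpeg parts and for anything merely named like an .mp3 file."""
    filename = (part.get_filename() or "").lower()
    return part.get_content_type() == "audio/mpeg" or filename.endswith(".mp3")


def is_silent_mp3_spam(raw: bytes) -> bool:
    """True when a message has no subject, no body text, and only .MP3 attachments."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = str(msg["Subject"] or "").strip()
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body_text = body_part.get_content().strip() if body_part is not None else ""
    attachments = list(msg.iter_attachments())
    return (
        subject == ""
        and body_text == ""
        and len(attachments) > 0
        and all(_is_mp3_part(a) for a in attachments)
    )


if __name__ == "__main__":
    samples = {
        "empty message, mp3 only": build_sample_message(),
        "normal mail with mp3": build_sample_message(subject="Podcast", body="Episode attached."),
        "empty message, no attachment": build_sample_message(attach_mp3=False),
    }
    for label, raw in samples.items():
        print(f"{label}: {'FLAGGED' if is_silent_mp3_spam(raw) else 'ok'}")
```

The filename check exists because the post notes that such campaigns also use files that only purport to be .MP3; a gateway rule keyed on the declared content type alone would miss those. Whitespace-only subjects and bodies are treated as empty for the same reason.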





    Everything exists for a purpose.

Malware, for all the crazy things it does, exists because its creators want it to. Malware can be the product of a bored mind, of an experiment, of inspiration, or, as is becoming increasingly common nowadays, a means for profit.

    No one bothers to create a botnet as complicated as KOOBFACE just for fun, so the question that begs for an answer is, “What is KOOBFACE for?”

    In the third (and hopefully last) installment of our KOOBFACE research papers, we examined the various mechanisms KOOBFACE employed to monetize its botnet, offering a peek at the ways modern cybercriminals operate and the challenges these pose.

    For those interested, “Show Me the Money! The Monetization of KOOBFACE” can be downloaded here.


    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice