Exploring the “Trust Phenomenon” – 5 million infections and rising

PRAGUE, Czech Republic, February 17, 2011 – Experts from AVAST will highlight how the “Trust Phenomenon,” combined with innovation on the part of cybercriminals, is contributing to the growth of three distinct families of malware in their presentation at the RSA Conference in San Francisco.

“The danger is in the familiar, everyday trusted places on the internet which are as much a part of a daily routine as your morning coffee,” says Jiri Sejtko, avast! senior virus analyst. “Users believe a website is safe just because it is well-known or they have repeatedly visited it over a long period of time.”

Using the “Trust Phenomenon” and these innovative malware families, cybercriminals are targeting “safe” zones on the internet, far away from the usual suspect areas of porn, warez, and download sites. The avast! Virus Lab estimates that just three malware families have been responsible for 4-5 million computer infections.

Denial is a typical response from people when their antivirus program blocks access to a familiar site or sounds a malware warning.

  • “www.***.nl is a football fan page I have been visiting for years. I don't believe it'd be an untrusted party.”
  • “Would you please stop considering this as a virus please? I don't have much time and those interruptions make me lose this time.”
  • “I very much doubt Google is sending me a Trojan...”

“These are actual user comments sent to us from users as the result of an avast! detection on each of the three malware families in our presentation,” adds Mr. Sejtko. “People send us complaints about ‘false positive detections’ and even disable their AV protection in order to reach their desired location – then they wish they hadn’t!”

The Ill* family (“port 8080” infection)

  • Redirects users to malware distribution sites
  • Has evolved technically across script tags, iframes, and obfuscation tactics
  • Encompasses more than 3,400 malware distribution domains and 200,000 infected domains

“We have identified more than 3,000 websites that have been infected with 5 or more Ill family variants. This likely means people don’t know their credentials have been stolen and that their website has been used to spread infection,” says Mr. Sejtko.


  • Self-reproducing botnet based on compromised websites and servers
  • Advanced “Indirect Cross Infection” with interchangeable components
  • Distributes password stealers

“With Kroxxu, we have identified 300 distribution domains with a lifespan of over 3 months. This is unusually high and shows admins are likely just not aware of the infections,” points out Mr. Sejtko.


  • Used for distributing rogue antivirus programs
  • Spreads primarily through ads and search engine results
  • Affects many respected ad services
  • Over 5 million fake ads displayed

These three are technologically very different but all effective in catching people. “Bad guys move in cycles, creating new variants with the knowledge gained from previous generations,” explains Mr. Sejtko. “When you get an alert from your antivirus program, don’t ignore it.”

The “Browsing Known Sites is Safe – True or False?” presentation (Session ID: HT1-303), scheduled to take place at 11:00 PST on February 17 at the RSA Conference in San Francisco, will provide more details on the prevalence of the three malware families and their technical evolution. “We are still at a point where some people assume that the antivirus scanner is wrong and that trust in a ‘good’ site is more reliable – this is an area where we as an industry need to educate more users and site administrators,” says Mr. Sejtko.