Introduction
FakeAV or Fake AntiVirus, also known as Rogue AntiVirus, Rogues, or ScareWare, is a class of malware that displays false alert messages to the victim concerning threats that do not really exist. These alerts will prompt users to visit a website where they will be asked to pay for these non-existent threats to be cleaned up. The FakeAV will continue to send these annoying and intrusive alerts until a payment is made.
This paper provides insight into where FakeAV comes from, what happens when a system is infected with FakeAV, and how users can protect themselves from it. During the last year, the number of FakeAV executables has grown enormously: SophosLabs has seen the quantity of unique variants grow from fewer than 1,000 to well over half a million. This huge rise in popularity among malware writers is primarily due to the direct revenue source that FakeAV provides. Compared to other classes of malware such as bots, backdoor Trojans, downloaders and password stealers, FakeAV draws the victim into handing money over directly to the malware author. FakeAV is also associated with a thriving affiliate network community that makes large amounts of money by driving traffic toward the stores of their partners.
Typical signs of infection
FakeAV usually uses a large array of social engineering techniques to get itself installed. Campaigns have included:
»» Fake Windows Security Updates
»» Fake VirusTotal pages
»» Fake Facebook app
»» 9/11 scams
Once on a system, there are many common themes in its behavior:
»» Popup warnings
Many FakeAV families will display popup messages in the taskbar.
»» Fake scanning
The FakeAV will typically pretend to scan the computer and find non-existent threats, sometimes creating files full of junk that will then be detected.
FakeAV uses an enormous range of convincing names to add to the illusion of legitimacy, such as:
»» AntiSpyWarePro
»» Antivirus Plus
»» Antivirus Soft
»» Antivirus XP
»» Internet Security 2010
»» Malware Defense
»» Security Central
»» Security Tool
»» Winweb Security
»» XP Antivirus
»» Digital Protector
»» XP Defender
»» CleanUp AntiVirus
There can be many thousands of variants for each family because techniques such as server-side polymorphism are used heavily to alter the FakeAV executable. This is a process whereby the executable is re-packaged on the server side, rather than mutating itself on the victim's machine, so that a different file is delivered each time a download request is made and each downloaded copy has a different file hash. This can happen many times during a 24-hour period. One particular family that calls itself “Security Tool” has been known to produce a different file nearly every minute. This is how a single family can have such large numbers of samples.
Many families will also share a common code base underneath the polymorphic packer, where the application is simply “re-skinned” with a different look and feel but the behavior remains the same.
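To make the two preceding paragraphs concrete, the following is an added example (not code from the original paper or from SophosLabs) that models the delivery side of server-side polymorphism and shows why per-file hash blocklists fail against it while detection on the shared code base does not. The packer here is a deliberately trivial stand-in (one-byte XOR plus random junk), the `CORE_PAYLOAD` bytes and the `FAKEAV-CORE` marker are constructed for the demonstration, and `repackage` stands in for whatever the real distribution server does on each request; none of this reflects any actual FakeAV family's packer.

```python
import hashlib
import random
from typing import Optional

# Constructed stand-in for the shared code base that sits under the packer:
# the behaviour stays the same across re-skinned builds, only the packing
# (and, in real families, the product name and artwork) changes.
CORE_PAYLOAD = b"FAKEAV-CORE:show_popups;fake_scan;demand_payment;"


def repackage(core: bytes, rng: random.Random) -> bytes:
    """Toy model of server-side polymorphism.

    Each call builds a different file from the same core: a fresh one-byte XOR
    key, a random amount of junk, then the XOR-encoded core. Real packers do far
    more than this, but it is enough to change the hash of every download.
    Layout: b'PK!' | key (1 byte) | junk_len (2 bytes, big-endian) | junk | body
    """
    key = rng.randrange(1, 256)                      # never 0, so body != core
    junk = bytes(rng.randrange(256) for _ in range(rng.randrange(16, 64)))
    body = bytes(b ^ key for b in core)
    return b"PK!" + bytes([key]) + len(junk).to_bytes(2, "big") + junk + body


def unpack(sample: bytes) -> Optional[bytes]:
    """Undo repackage(); returns None if the stub layout is not recognised."""
    if not sample.startswith(b"PK!") or len(sample) < 6:
        return None
    key = sample[3]
    junk_len = int.from_bytes(sample[4:6], "big")
    body = sample[6 + junk_len:]
    if not body:
        return None
    return bytes(b ^ key for b in body)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_blocklist_hit(sample: bytes, blocklist: set) -> bool:
    """Per-file hash detection: matches only samples that were seen before."""
    return sha256_hex(sample) in blocklist


def generic_detect(sample: bytes, marker: bytes = b"FAKEAV-CORE") -> bool:
    """Detection on the shared core rather than on the packed bytes."""
    core = unpack(sample)
    return core is not None and marker in core


def simulate_downloads(n: int, seed: int = 1) -> list:
    """Model n download requests to the same FakeAV URL (seeded for repeatability)."""
    rng = random.Random(seed)
    return [repackage(CORE_PAYLOAD, rng) for _ in range(n)]


def compare_detection(n: int = 10, seed: int = 1) -> dict:
    """Blocklist the first download, then see how each approach fares on the rest."""
    samples = simulate_downloads(n, seed)
    blocklist = {sha256_hex(samples[0])}
    return {
        "unique_hashes": len({sha256_hex(s) for s in samples}),
        "hash_hits": sum(hash_blocklist_hit(s, blocklist) for s in samples),
        "generic_hits": sum(generic_detect(s) for s in samples),
    }


if __name__ == "__main__":
    print(compare_detection())
```

With ten simulated downloads, every file has a distinct SHA-256, the hash blocklist catches only the one sample it was built from, and the generic check on the unpacked core catches all ten. That is the practical consequence of the "different file nearly every minute" figure above: a detection strategy keyed on individual file hashes is always one sample behind, whereas one keyed on the shared behaviour or code base underneath the packer covers the whole family.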
For the complete article download the attached PDF file.