Tuesday, March 8, 2011

Fake Security Software Websites – Still popular in 2011

Fake security software is a form of computer malware that misleads users into installing and potentially paying for fake security software. The sites convince users to download the malicious software by displaying fake security warnings such as “Your computer is infected” etc. End users are clearly not educated about such attacks, as the campaigns remain highly successful. Below is a short blog analyzing a recent infection on a friend’s machine to illustrate the problem.

We continue to see numerous infected sites, which are redirecting users to fake security software campaigns. The pages display animated fake security warnings to users in order to scare them and convince them to download and install a binary, which is generally packaged as fake antivirus software. The victim will be infected with a downloader Trojan that will then download additional malware. Below are a few screenshots of animations typically used in the attacks:

After this initial load animation, the user will be prompted with another security warning:

Once a user clicks on the OK button, additional animated fake security warnings will be displayed.

At this point, the user is prompted to download the fake antivirus software.

This same campaign has been used over and over again and can be found hosted at thousands of domains.



All of the above animations are from the same malicious website. The content is randomly changed for each new visit to the site. Once installed the victim is forced to activate or buy a license key to remove these fake threats from the system. Here are some tips for users who still wants to stay away from those attacks.

1) No real Antivirus vendor displays such security warnings, animations and popups.

2) No website will scan a system when visited and display immediate warnings about threats on the system.

3) No real Antivirus vendor will force you to download an execuatble.

4) When you need AV software, go directly to the site of a reputable vendor yourself.

5) Keep an eye on address bar for the URL name and redirected URL names.

6) Keep any eye on the status bar of the browser, which is present at the bottom to spot redirection taking place.

7) If you want to download executable but are unsure that it is legitimate, it can be scaned against various antivirus vendiors by submitting it to a service such as VirusTotal If popular vendors triggers or declare the file as malicious, immedeatly delete it from the system.

8) Install a common antivirus solution and keep it updated with latest virus definitions.

9) Last but not least, never pay for such fake security software.

The VirusTotal results for the fake security software from the above example show that it was detected by only 21/42 popular AV vendors. Even now, we are still seeing a large number of fake security software websites promoting their fake products.

Stay safe

Umesh

4 comments:

Frank Jovine said...

You should also read this article that was published on 1/19/2011

http://www.techjaws.com/rogueware-and-fake-antivirus-will-dominate-in-2011/

Anonymous said...

Security companies really need to consider putting more emphasis on uncovering who is behind these Rogue AV affiliate programs -- too many just use them as a driver for sales. The public wants them gone and the security companies are in the best position to investigate and track these things.

Check out what Brian Krebs discovered:
http://krebsonsecurity.com/2011/03/chronopays-scareware-diaries/

Apparently there is a CEO of a well-known Russian company who is funding and engaged in much of it -- CRAZY!

Michelle said...

I just had this exact same malware popup tonight while doing an image search on butterfly cocoons of all things.

My first reaction when I saw the pop-up was great what did I just do? Then I looked back at my tab in Firefox and noticed everything was running from a website. That is when I got suspicious. And started searching for fake security warning pop-ups.

I consider myself moderately tech savvy and fairly cautious about things that don't quite seem right. But this looked very authentic, so much I believe an average computer user would easily fall victim to the ploy. Very, very sneaky!

Vijay said...

Mbam removes them all. You can remove fake antivirus using the free app in safe mode.