Introduction
A sudden injection of fear is a very useful tool for getting people to do what you want. While surfing the Web you have probably seen the pop-up message above or similar advertisements. A free PC scan, or an offer to clean a computer that the advertisement claims is infected, is usually an attempt by a fraudster to install malicious software (malware) such as a Trojan horse, keylogger or spyware. Such software is referred to as Fake Antivirus, also known as Rogue Antivirus. A Google analysis of 240 million web pages over 13 months of study uncovered over 11,000 domains involved in Fake AV distribution, roughly 15% of the malware domains detected on the web.
Possible names
Antivirus XP, Antivirus 2009, Antivirus 2010, Security scan 2010, Winfixer, DriveCleaner, Internet security 2010, XP Antivirus Pro, XP-shield, PC Clean Pro, Data Protection, etc.
Possible Images
There are many variations of Fake Antivirus, from "nano" and "pro" editions to "defender" editions, plus assorted alerts and warnings. [Screenshots of these variants appeared here in the original post.]
How can a system get infected?
The most common way Fake Antivirus software gets onto a system is the user clicking a malicious link in an advertisement or a similar pop-up message. The advertisement or pop-up is usually alarming, designed to get your attention and convince you to scan or clean your PC immediately with the offered tool. The offered tool is usually very cheap, and sometimes free, which encourages the user to try it. Clicking the link may take you to a website like the one shown in the image on the left. As the image shows, everything is drawn inside the web browser: it is not a window from my computer, but the website designer makes it look as if it were. Notice that it shows a virus scan at 100% complete. A genuine online scanner must first install some component on the PC, usually an ActiveX control, but this page never asked to install anything, and no scanner can detect malware on a PC when nothing is running inside it. Most users are nevertheless tricked into pressing "start protection" to remove threats that do not exist. The browser then shows a prompt saying that a program wants to install and asking whether to continue; the user again tends to say yes, and so falls into the trap.
Infection Vectors
1. Exploit kits
Exploit kits have been released that target PDF vulnerabilities; one of the recent ones is Phoenix. Fake Antivirus is spread through the Phoenix Exploit Kit: it delivers a Trojan downloader, exe.exe, which connects to a particular host, downloads the fake antivirus from it and executes it.
2. Spam emails
Fake Antivirus is usually sent to the victim as an attachment or a link in a spam message. The spam messages use social-engineering lures such as "password reset", "your wife's photos" or "you have received an e-card" to trick users into running the attachment or clicking the link.
3. Search engine optimization poisoning
Search engine optimization (SEO) is the process of improving a website's visibility so that it ranks higher and draws more traffic, appearing among the top search results. Attackers target popular search terms so that when users search for them, the results redirect users to a malicious website.
4. Legitimate-looking websites
While searching for a genuine antivirus, a Fake AV site may appear in the search results looking like a legitimate one.
5. Social Networking Sites
Social networking sites such as Orkut, Facebook and Twitter can also be used to post a link to users, for example a post saying "After checking out the reviews of many professionals I decided to use the following AV: http:// _____ AV.com", thereby giving out a link that leads to a Fake AV website.
6. Fake Codecs
A codec encodes or decodes a media stream, so particular codecs are needed to play some types of media files. Attackers exploit this by offering fake codecs that are in fact Fake AV installers, tricking users into installing Fake AV.
7. Compromised websites
Users can also be redirected to Fake AV websites while browsing legitimate websites that have been compromised: injected IFRAME code, or malicious advertisements served on the compromised site, may lead to the installation of Fake AV.
Effects of Fake Antivirus on your computer
Fake Antivirus can affect your computer in various ways. It makes changes to the system on which it is installed and installs further malware, which lets the attacker control and monitor the user's actions and steal credentials such as credit card details and passwords. The malware may also use the infected system as a platform for compromising other systems on your network. It may flood the system with pop-up windows carrying false or misleading alerts. It may slow the system down, corrupt files, disable Windows updates, disable legitimate antivirus software and block some websites, preventing the victim from visiting legitimate antivirus vendor sites. It may also alter system files and registry entries, so that even after the Fake AV is removed some infected files and registry entries remain, and after a reboot the Fake AV is activated again.
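As an added example (not code from the original post), the following Python script shows the kind of defensive triage that follows from these effects: it checks autorun (persistence) entries against the rogue product names listed earlier in the post, and checks a hosts file for entries that send non-local hostnames to a loopback or null address, one common way rogue software blocks access to legitimate antivirus sites. The autorun entries, file paths and hostnames are constructed for the example, and the hosts-file mechanism is an assumption beyond the post, which only says that legitimate sites get blocked.

```python
"""Rogue-AV triage helper (added example; sample data is constructed)."""
import re

# Names the post lists as used by Fake / Rogue Antivirus products.
ROGUE_AV_NAMES = [
    "Antivirus XP", "Antivirus 2009", "Antivirus 2010", "Security scan 2010",
    "Winfixer", "DriveCleaner", "Internet security 2010", "XP Antivirus Pro",
    "XP-shield", "PC Clean Pro", "Data Protection",
]

# Addresses a hosts-file entry resolves to when its purpose is to block a site
# (assumed mechanism: the post only says legitimate AV sites get blocked).
BLACKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def _normalize(text):
    """Lower-case and keep only letters and digits, so 'Security scan 2010',
    'SecurityScan2010' and 'security_scan-2010' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


_NORMALIZED_NAMES = {_normalize(n): n for n in ROGUE_AV_NAMES}


def flag_autorun_entries(entries):
    """entries: iterable of (value_name, command) pairs, e.g. exported from a
    Run key. Returns (value_name, command, [matched rogue names]) for every
    entry whose name or command embeds one of the listed rogue-AV names."""
    hits = []
    for value_name, command in entries:
        haystack = _normalize(value_name) + " " + _normalize(command)
        matched = [orig for norm, orig in _NORMALIZED_NAMES.items() if norm in haystack]
        if matched:
            hits.append((value_name, command, matched))
    return hits


def flag_hosts_blocks(hosts_text):
    """Parse hosts-file text and return (address, hostname) pairs that send a
    non-local hostname to a loopback or null address, i.e. entries whose only
    effect is to block a site. Comments and blank lines are skipped."""
    blocked = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        address, hostnames = fields[0], fields[1:]
        if address not in BLACKHOLE_ADDRESSES:
            continue
        for host in hostnames:
            if host.lower() not in LOCAL_NAMES:
                blocked.append((address, host))
    return blocked


def triage(entries, hosts_text):
    """Combine both checks into one report dictionary."""
    return {
        "autorun": flag_autorun_entries(entries),
        "hosts_blocks": flag_hosts_blocks(hosts_text),
    }


# Constructed sample data: value names, paths and hostnames are invented.
AUTORUN_SAMPLE = [
    ("SecurityScan", r"C:\Program Files\Security scan 2010\sscan.exe"),
    ("OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    ("xpshield", r"C:\Windows\Temp\xps.exe"),
]

HOSTS_SAMPLE = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.av-vendor.example    # added by the rogue installer
0.0.0.0         download.av-vendor.example
192.0.2.10      intranet.example
"""


if __name__ == "__main__":
    report = triage(AUTORUN_SAMPLE, HOSTS_SAMPLE)
    for value_name, command, matched in report["autorun"]:
        print(f"[autorun] {value_name}: {command} -> matches {matched}")
    for address, host in report["hosts_blocks"]:
        print(f"[hosts]   {host} is sent to {address}")
```

Name matching is normalized so that spacing, case and punctuation differences in a value name or path do not hide a match, and a benign entry such as the OneDrive line in the sample is left alone. The 192.0.2.10 line is a remap rather than a block, so the hosts check deliberately does not report it; a fuller triage would list such remaps separately.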