Fake Antivirus?!

A recent wave of Rogue Antivirus infiltrations has been found on a high percentage of UK and Irish computers.

The AV industry calls them Scareware or Fakeware. They mimic real antivirus products, with similar graphical interfaces and sometimes even similar names; recent additions have called themselves E-SET or even AVG. They bombard the client's computer with pop-up messages, security warnings and fake scans (usually animations) so convincing that it is hard to believe they are not real products.

One of the latest is “XP Anti-Virus 2011”. This family exhibits the usual characteristics of Rogue AV, as shown below:

[Image: fake infection report]

[Image: fake security center warning]

[Image: online payment site (unfortunately very real)]

Compare the above images with those here to notice a striking similarity, not least the presence of the string “2011” in both.

Interestingly, the “XP Anti-Virus 2011” family also comes with malware descriptions for each of the entries in the fake infection report. Consider the following image:

The above malware description has been plagiarised verbatim, as a Google query confirms, from our IT security colleagues at Kaspersky.

Of course, the purveyors of Rogue AV rely on a certain level of technical ignorance on the part of the victim. Look closely and the report does not add up: there is a mismatch between the reported threat name and the type of file it is supposedly found in, e.g. “Macro.PPoint.ShapeShift”, a PowerPoint macro virus, is highly unlikely to be found in a SYS file. It also seems very strange to find so much DOS malware on what is clearly meant to be a Windows XP system, more than a decade after DOS malware was current. However, the average victim is unlikely to pick up on these nuances, especially when reeling under the fear tactics of Rogue AV.
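The two sanity checks in the paragraph above (does the threat name's platform match the file extension, and does the platform even exist on an NT system?) can be mechanised for triage. The following is an added example written for this article, not code from K7 or from the original post. The report entries are constructed to resemble the screenshot, not transcribed from it, and the platform-to-extension table is an illustrative assumption based on the Kaspersky-style Type.Platform.Family naming scheme that the fake report borrows.

```python
"""Plausibility checks on a scan report, as a triage aid for suspected Rogue AV.

Added example for this article; not K7 code. Entry data and the lookup
table below are illustrative assumptions.
"""
import ntpath
from dataclasses import dataclass, field

# Constructed sample in the style of a fake infection report: threat name,
# then the file it supposedly infects. Not a transcription of the real thing.
SAMPLE_REPORT = """\
Macro.PPoint.ShapeShift        C:\\WINDOWS\\system32\\drivers\\ntfs.sys
Virus.DOS.Tolstoy              C:\\WINDOWS\\system32\\kernel32.dll
Trojan-Downloader.Win32.Agent  C:\\Documents and Settings\\user\\update.exe
Macro.Word97.Thus              C:\\Documents and Settings\\user\\report.doc
"""

# Platform field of a Type.Platform.Family name -> extensions that class of
# malware can actually live in. Assumed table for illustration; extend it to
# match whichever naming scheme your vendor uses.
PLATFORM_EXTENSIONS = {
    "Word": {".doc", ".dot", ".rtf"},
    "Word97": {".doc", ".dot", ".rtf"},
    "Excel": {".xls", ".xlt", ".xla"},
    "PPoint": {".ppt", ".pps", ".pot"},
    "DOS": {".com", ".exe", ".bat", ".sys"},
    "Win32": {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl"},
    "VBS": {".vbs", ".vbe"},
}
# Platforms that cannot run natively on the NT line (Windows XP and later).
LEGACY_PLATFORMS = {"DOS"}


@dataclass
class Entry:
    name: str
    path: str
    reasons: list = field(default_factory=list)

    @property
    def plausible(self) -> bool:
        return not self.reasons


def platform_of(name: str):
    """Second dot-separated component, e.g. 'PPoint' in Macro.PPoint.ShapeShift."""
    parts = name.split(".")
    return parts[1] if len(parts) >= 3 else None


def check_entry(name: str, path: str) -> Entry:
    """Apply both sanity checks to one report line and record why it fails."""
    entry = Entry(name, path)
    platform = platform_of(name)
    ext = ntpath.splitext(path)[1].lower()
    if platform is None:
        entry.reasons.append("threat name does not follow Type.Platform.Family")
        return entry
    allowed = PLATFORM_EXTENSIONS.get(platform)
    if allowed is not None and ext not in allowed:
        entry.reasons.append(
            f"{platform} malware cannot live in a {ext or 'extensionless'} file")
    if platform in LEGACY_PLATFORMS:
        entry.reasons.append(
            f"{platform} malware is implausible on a Windows XP host")
    return entry


def check_report(text: str) -> list:
    """Parse 'name <whitespace> path' lines; paths may contain spaces."""
    entries = []
    for line in text.splitlines():
        fields = line.strip().split(None, 1)
        if len(fields) == 2:
            entries.append(check_entry(*fields))
    return entries


def implausible_fraction(entries) -> float:
    """Share of entries that failed at least one check; 0.0 for an empty report."""
    if not entries:
        return 0.0
    return sum(not e.plausible for e in entries) / len(entries)


if __name__ == "__main__":
    report = check_report(SAMPLE_REPORT)
    for e in report:
        print(f"{'ok' if e.plausible else 'SUSPECT':8} {e.name:32} {e.path}")
        for reason in e.reasons:
            print(f"{'':8} - {reason}")
    print(f"implausible entries: {implausible_fraction(report):.0%}")
```

A genuine scanner's report should score close to zero here; a fake one that pads its list with recycled DOS-era names and random system files scores high. The check is only a heuristic, but it turns the article's "this does not add up" intuition into something a helpdesk can run over a screenshot transcription.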

Many families of Rogue AV, including the “XP Anti-Virus 2011” variety, make themselves extremely difficult to remove. They may block other applications from running, including OS tools such as Regedit and Task Manager, and common browsers such as Firefox. Unusually, “XP Anti-Virus 2011” even blocks new instances of Microsoft Internet Explorer, which Rogue AV generally leaves alone so that victims can pay up; instead it opts for its own IE-like interface (please see the payment page image above). Needless to say, the links to alternative language content do not work.

It is important not to panic when confronted with Rogue AV. Fear leads to online payment, which in turn funds further instances of this kind of ransomware because the incentive is maintained. Therefore please do not part with your hard-earned cash. If the river of easy money is made to dry up in this way it will certainly lead to the demise of ransomware in general.

Rules of engagement for minimising the damage to your system:

1. Don’t click on any pop-up window related to these threats, or on anything you don’t recognise. Clicking only helps the threat to dig deeper into your system and to disable the system tools and settings that could prevent or remove it.

2. The sooner you find this threat on your PC, the better. Early-stage infiltrations are easier to remove than infiltrations that have been on the PC for a long time and were simply ignored.

3. Search the web for clean-up instructions recommended by legitimate security vendors or websites. If you are not sure, contact your antivirus provider for help; they should be able to assist you with the clean-up.

4. If you have a computer administration contract with your IT company or local shop, bring your PC to them and they will be able to remove the threat for you. However, we would recommend contacting your antivirus provider first, as this will save you a lot of the time and money associated with a PC repair.

5. After the clean-up, make sure that your antivirus protection is working, with the latest version installed, and that all Microsoft Windows Updates have been applied to your system. This is the first stage in preventing any further infiltrations.

6. Be careful where you click on the web. Don’t click on advertisements you don’t recognise, especially on social sites such as Facebook or MySpace. Lately we have reported infiltrations caused by Google Image search results. In such cases only a good antivirus will prevent the infiltration, so make sure you have one installed.

In addition, please keep your legitimate anti-virus software up to date, with dynamic protection features such as HIPS configured appropriately to provide a robust phalanx against the burgeoning number of threats out there. Prevention is better than cure.

Originally posted by:

Samir Mody
Senior Manager, K7TCL

Modified by DistroSec UK – K7 Computing UK and Irl

About k7press

Antivirus Vendor - distributor for United Kingdom and Republic of Ireland
