Fake security software is a form of malware that misleads users into installing, and potentially paying for, a bogus security product. The sites convince users to download the malicious software by displaying fake security warnings such as “Your computer is infected”. End users are clearly not educated about such attacks, as the campaigns remain highly successful. Below is a short blog post analyzing a recent infection on a friend’s machine to illustrate the problem.
We continue to see numerous infected sites that redirect users to fake security software campaigns. The pages display animated fake security warnings to scare users and convince them to download and install a binary, which is generally packaged as fake antivirus software. The victim will be infected with a downloader Trojan that will then download additional malware. Below are a few screenshots of animations typically used in the attacks:

After this initial load animation, the user will be prompted with another security warning:

Once a user clicks on the OK button, additional animated fake security warnings will be displayed.

At this point, the user is prompted to download the fake antivirus software.

This same campaign has been used over and over again and can be found hosted at thousands of domains.


All of the above animations are from the same malicious website. The content is randomly changed for each new visit to the site. Once the software is installed, the victim is forced to activate or buy a license key to remove these fake threats from the system. Here are some tips for users who want to stay away from these attacks.
1) No real Antivirus vendor displays such security warnings, animations and popups.
2) No website will scan a system when visited and display immediate warnings about threats on the system.
3) No real Antivirus vendor will force you to download an executable.
4) When you need AV software, go directly to the site of a reputable vendor yourself.
5) Keep an eye on the address bar for the URL name and redirected URL names.
6) Keep an eye on the status bar at the bottom of the browser to spot redirection taking place.
7) If you want to download an executable but are unsure whether it is legitimate, it can be scanned against various antivirus vendors by submitting it to a service such as VirusTotal. If popular vendors flag or declare the file as malicious, immediately delete it from the system.
8) Install a common antivirus solution and keep it updated with the latest virus definitions.
9) Last but not least, never pay for such fake security software.
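The redirection that tips 5 and 6 ask users to watch for can also be checked by an administrator in web proxy logs. The following is an added example, not part of the original post; the record layout, the hosts in the sample data and the two-label site comparison are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample proxy records (not from the original post):
# (client, url, referer, content_type)
SAMPLE_LOG = [
    ("10.0.0.5", "http://news.example/story", "", "text/html"),
    ("10.0.0.5", "http://ads.example/r?id=7", "http://news.example/story", "text/html"),
    ("10.0.0.5", "http://scan.test/alert", "http://ads.example/r?id=7", "text/html"),
    ("10.0.0.5", "http://scan.test/setup.exe", "http://scan.test/alert", "application/octet-stream"),
    ("10.0.0.9", "http://vendor.example/download", "", "text/html"),
    ("10.0.0.9", "http://dl.vendor.example/av.exe", "http://vendor.example/download", "application/x-msdownload"),
]

EXE_TYPES = {"application/x-msdownload", "application/x-dosexec"}

def site(url):
    """Crude site key: last two host labels (a real tool would use the public suffix list)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])

def is_executable(url, content_type):
    """Treat a response as an executable by MIME type or by a .exe path."""
    return content_type in EXE_TYPES or urlsplit(url).path.lower().endswith(".exe")

def referer_chain(url, referers):
    """Walk Referer links back to the page the user originally visited."""
    chain, seen = [url], {url}
    while referers.get(url) and referers[url] not in seen:
        url = referers[url]
        seen.add(url)
        chain.append(url)
    return chain[::-1]

def find_redirected_exe_downloads(records):
    """Flag executable downloads served by a different site than the one first visited."""
    by_client = {}
    for client, url, referer, ctype in records:
        by_client.setdefault(client, {})[url] = referer
    findings = []
    for client, url, referer, ctype in records:
        if not is_executable(url, ctype):
            continue
        chain = referer_chain(url, by_client[client])
        if site(chain[0]) != site(url):
            findings.append((client, url, chain))
    return findings
```

On the sample data only the first client is flagged: its download comes from a site it never chose to visit, while the second client went to the vendor's site directly, as tip 4 recommends.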
The VirusTotal results for the fake security software from the above example show that it was detected by only 21/42 popular AV vendors. Even now, we are still seeing a large number of fake security software websites promoting their fake products.
Stay safe
Umesh
