1. Stopping Fake
Antivirus:
How to Keep
Scareware off
Your Network
Fake antivirus is one of the most frequently encountered threats on the web today.
Also known as rogue antivirus, rogues, or scareware, fake antivirus uses social
engineering to lure users to malicious sites and scare them into paying for fake threat
removal tools.
This paper provides insight into where fake antivirus comes from and how it is
distributed, what happens when a system is infected with fake antivirus, and how to
stop this persistent threat from infecting your network and your users.
A Sophos White Paper - September 2011 1
2. Stopping Fake Antivirus: How to keep scareware off your network
What is fake antivirus? Why is fake antivirus so popular among
Fake antivirus is fake security software cybercriminals? It is a huge revenue
which pretends to find dangerous security source. Compared to other classes of
threats—such as viruses—on your malware such as bots, backdoor Trojans,
computer. The initial scan is free, but if downloaders and password stealers, fake
you want to clean up the fraudulently- antivirus draws the victim into handing
reported “threats,” you need to pay. money over directly to the malware author.
Victims typically pay around $120 via
This class of malware displays false alert credit card to pay for the junk software
messages to computer users concerning that will supposedly fix the problem.
threats on their machines (but these threats
do not really exist). The alerts will prompt Fake antivirus is also associated with
users to visit a website where they will be a thriving affiliate network community
asked to pay for these non-existent threats that makes large amounts of money by
to be cleaned up. The fake antivirus malware driving traffic toward the stores of their
will continue to send these annoying partners1. Individual affiliates can quickly
and intrusive alerts until a payment is generate income because distribution
made or the malware is removed. networks pay affiliates between $25
and $35 to simply do “lead generation”
This paper provides insight into where by infecting additional computers.
fake antivirus comes from, what happens
when a system is infected with fake
antivirus, and how users can protect
themselves from fake antivirus.
A Sophos White Paper - September 2011 2
3. Stopping Fake Antivirus: How to keep scareware off your network
At SophosLabs, we are seeing new and Typical signs of infection
different types of fake antivirus emerging. Fake antivirus usually uses a large array
Macs are now a major target, including of social engineering techniques to get
Mac-targeted social engineering being used itself installed. Campaigns have included:
from the bait to the malware. We have
Ì Fake Windows Security Updates2
been carefully tracking the developments
in the Mac OS X malware community, and Ì Fake Virus-Total pages3
have concluded that fake antivirus for
Ì Fake Facebook app4
Macs is advancing fast and taking many
cues from the Windows malware scene. Ì 9/11 scams5
Hackers are also using image and image Once on a system, there are many
search poisoning in addition to trending common themes in its behavior:
topics to infect users with fake antivirus.
In addition, SophosLabs is seeing prolific Popup warnings
rebranding of fake antivirus names to Many fake antivirus families will display
confuse users and elude detection. popup messages (see fig.1-5).
Fig.2
Fig.3
Fig.1 Fig.4 Fig.5
A Sophos White Paper - September 2011 3
4. Stopping Fake Antivirus: How to keep scareware off your network
Fake scanning Ì AntiVirus AntiSpyware 2011
The fake antivirus will typically pretend to
Ì Malware Protection
scan the computer and find non-existent
threats, sometimes creating files full of junk Ì XP Security 2012
that will then be detected6 (see fig.6-8).
Ì Security Protection
Fake antivirus uses an enormous Ì XP Antivirus 2012
range of convincing names to add to
Ì XP Anti-Spyware 2011
the illusion of legitimacy, such as:
Ì MacDefender
Ì Security Shield
Ì Mac Security
Ì Windows XP Recovery
Ì Security Tool There can be many thousands of variants
for each family as techniques such as
Ì Internet Defender
server-side polymorphism are used heavily
Ì PC Security Guardian to alter the fake antivirus executable.
This is a process whereby the executable
Ì BitDefender 2011
is re-packaged offline and a different file
Ì Security Defender is delivered when a download request is
made. This can happen many times during
Ì Antimalware Tool
a 24-hour period. One particular family
Ì Smart Internet Protection that calls itself “Security Tool”7 has been
known to produce a different file nearly
every minute. This is how a single family
can have such large numbers of samples.
Many families will also share a common
code base underneath the polymorphic
packer, where the application is simply
“re-skinned” with a different look and feel
but the behavior remains the same.
Fig.6
Fig.7 Fig.8
A Sophos White Paper - September 2011 4
5. Stopping Fake Antivirus: How to keep scareware off your network
Infection vectors Search engine optimization poisoning
A very common source of fake antivirus
How do people get infected
infection is clicking on links received from
with fake antivirus?
popular search engines while searching
Although there are many different ways
for topical terms. Fake antivirus authors
that a specific fake antivirus may get onto a
ensure that links leading to fake antivirus
system, the majority of distribution avenues
download sites will feature prominently
rely on social engineering. Ultimately, the
in search results by using Black Hat SEO
user is tricked into running the fake antivirus
techniques8. These poisoned results will
installer executable in a way similar to
redirect users to a fake antivirus-controlled
many other types of Trojans. Fake antivirus
website that displays a fake scanning
authors have used a huge range of different
page, informing them that their computer
social engineering tricks and are continuing
is infected and they must download a
to come up with new ones all the time.
program to clean it up. Alternatively, a fake
movie download page may be displayed,
In this paper, we review several main
where users are prompted to download
sources of fake antivirus infection:
a codec in order to view the movie. This
Ì Search engine optimization poisoning codec is in fact a fake antivirus installer.
Ì Email spam campaigns
Google Trends is a service provided by
Ì Compromised websites Google that highlights popular search
and exploit payloads terms entered into its search engine.
Here is an example of how search
Ì Fake antivirus downloads
terms taken from Google Trends are
by other malware
poisoned by fake antivirus authors.
Let’s do a search for pages containing
terms from Hot Searches (see fig.9).
Fig.9
A Sophos White Paper - September 2011 5
6. Stopping Fake Antivirus: How to keep scareware off your network
Picking several of the terms and Or, users are taken to a fake movie
performing a search for them will produce download page where they are told
several poisoned results (see fig.10). they need to download a codec to
view the movie (see fig.14, 15).
Clicking on these links takes users
to a fake scanning page, where they In each case, users are tricked into
are told they have multiple infections downloading and running an unknown
and need to download a program to executable, which is the fake antivirus installer.
remove the threats (see fig.11-13).
Fig.10
Fig.13
Fig.11 Fig.14
Fig.12 Fig.15
A Sophos White Paper - September 2011 6
7. Stopping Fake Antivirus: How to keep scareware off your network
Spam campaigns Ì Ecard scams: An email is received
Fake antivirus is often sent directly to purporting to be from a legitimate
the victim as an attachment or as a link ecard company. In fact, a fake antivirus
in a spam message. The message is installer is attached (see fig.17).
predominantly sent through email, but other
Ì Password reset scams: Victims receive
forms of spam have also been observed
a message supposedly from a popular
to deliver fake antivirus, such as instant
website, informing them that their
messaging applications including Google
password has been reset and the new
Talk10. The spam message itself usually uses
one is in the attached file (see fig.18).
social engineering techniques to trick users
into running the attached file or clicking on Ì Package delivery scam: Details of
the link. Specific campaigns vary and include a (fictitious) recent postal delivery
password reset, failed delivery message are included in an attached file. In
and “You have received an ecard” scams. reality, the attachment will install
fake antivirus (see fig.19).
Examples of email spam campaigns
spreading fake antivirus include:
Ì Account suspension scams: Victims
receive an email message suggesting
access to a specific account has been
terminated and they need to run the
attached file to fix the issue (see fig.16).
Fig.16 Fig.18
Fig.17 Fig.19
A Sophos White Paper - September 2011 7
8. Stopping Fake Antivirus: How to keep scareware off your network
Compromised websites Fake antivirus downloads
and exploit payloads by other malware
Users can sometimes be sent to fake Fake antivirus can be downloaded onto
antivirus websites by browsing legitimate a machine by other types of malware.
websites that have been compromised, SophosLabs maintains many honeypot
where malicious code has been injected machines that are seeded with different
into the page. This can be achieved by malware, in order to observe their behavior
penetrating the target website’s hosting and ensure protection is maintained when
server and appending (typically) JavaScript new variants are downloaded. We have seen
to HTML pages hosted there. This redirect several families install fake antivirus onto
code can be used to send the browser an infected machine, most notably TDSS,
to any type of malware hosting page Virtumundo and Waled14. The infamous
including exploit kits and fake antivirus. This Conficker worm was also observed to install
JavaScript code is almost always heavily fake antivirus onto infected computers15.
obfuscated, and Sophos detects this type In this way, a hacker that has infected
of malware as variants of Troj/JSRedir11. a computer with TDSS or Virtumundo
can extract more money from victims by
SophosLabs has also seen hackers forcing them to pay for fake antivirus.
compromise legitimate web-based
advertising feeds to ensure that malicious In addition a pay-per-install model exists
code is loaded instead. This may take the where hackers are paid to infect users’
form of an exploit that downloads and computers. In this system, a hacker
executes a fake antivirus binary as the controls a victim’s computer (using
payload or a simple iframe that redirects the TDSS or similar), and is paid by the fake
browser to a fake antivirus web page12, 13. antivirus producer to install the fake
antivirus on the infected computer.
A Sophos White Paper - September 2011 8
9. Stopping Fake Antivirus: How to keep scareware off your network
Fake antivirus families A run key entry is then created in the
We now explain in more detail the registry that will run the file when the
behavior of fake antivirus once it has system starts up. Typically, this will
made its way onto a target system. be added to one of the following:
Ì HKCUSoftwareMicrosoftWindows
Registry installation
CurrentVersionRunOnce
Fake antivirus’s typical behavior is to copy
the installer to another location on the Ì HKCUSoftwareMicrosoft
system and create a registry entry that will WindowsCurrentVersionRun
run the executable on system startup.
Ì HKLMSoftwareMicrosoft
WindowsCurrentVersionRun
The installer is often copied into the
user’s profile area (e.g., C:Documents
Examples:
and Settings<user>Local Settings
Application Data), or into the temporary HKLMSOFTWAREMicrosoftWindows
files area (e.g., c:windowstemp) with CurrentVersionRunwpkarufv
a randomly generated file name. This
makes the fake antivirus UAC-compliant c:documents and settings<user>
on Windows machines that have UAC16 local settingsapplication data
enabled, thus avoiding a UAC warning tqaxywiclchgutertssd.exe
popping up during installation. However,
some families still do not care about HKCUSoftwareMicrosoftWindows
UAC and still create their files in the CurrentVersionRunOnceCUA
Program Files or Windows folders.
c:windowstempsample.exe
HKLMSOFTWAREMicrosoftWindows
CurrentVersionRun85357230
c:documents and settingsall users
application data8535723085357230.exe
A Sophos White Paper - September 2011 9
10. Stopping Fake Antivirus: How to keep scareware off your network
Initiate a fake scan
Once fake antivirus is installed, it will
usually attempt to contact a remote
website over HTTP and will often download
the main component. This will initiate
a fake system scan, where many non-
existent threats will be discovered. The
main fake antivirus window is often very
professionally created and victims can
easily be convinced that they are using a
genuine security product (see fig.20-25).
Fig.22
Fig.23
Fig.20 Fig.24
Fig.21 Fig.25
A Sophos White Paper - September 2011 10
11. Stopping Fake Antivirus: How to keep scareware off your network
Once the fake threats have been discovered,
users are told they must register or activate
the product in order to clean up the threats.
Users are taken to a registration website
(either through a browser or through
the fake antivirus application), where
they are asked to enter their credit card
number and other registration details.
These pages are also very convincing,
occasionally featuring illegal use of logos
and trademarks from industry-recognized Fig.28
organizations such as Virus Bulletin17
and West Coast Labs18 (see fig.26-31).
Fig.29
Fig.26
Fig.30
Fig.27 Fig.31
A Sophos White Paper - September 2011 11
12. Stopping Fake Antivirus: How to keep scareware off your network
Other fake antivirus behavior Ì Installation of more malware:
Certain fake antivirus families cause Fake antivirus has been known to
further distress to the victim by interfering download other types of malware
with normal system activity. Commonly, upon installation, such as banking
this includes disabling the Task Manager Trojans, rootkits and spam bots.
and use of the Registry Editor, prohibiting
Prevent and protect
certain processes from running and even
There are many ways to stop fake
redirecting web requests. This behavior
antivirus—on the web, in email, and in your
further convinces the user that there is
endpoint security. Malware is complex, and
a problem on the system and increases
protecting the corporate IT environment
the likelihood of a purchase being made.
is a full-time job. Antivirus software is
This extra activity can take the form of:
just the beginning. A solid defense is
Ì Process termination: Certain programs needed to reduce the risk to your business
are prohibited from running by the fake by protecting all routes of attack.
antivirus, with a warning message being
displayed instead (see fig. 32, 33). The most effective defense against the fake
antivirus threat is a comprehensive, layered
The fake antivirus will generally allow
security solution. Detection can and should
Explorer and Internet Explorer to run, so
take place at each stage of the infection.
renaming an executable as explorer.exe or
iexplore.exe should allow it to be run.
Ì Reduce the attack surface
Ì Web page redirection: Some fake Ì Protect everywhere
antivirus families will redirect web
Ì Stop the attack
requests for legitimate websites to an
error message or other type of warning Ì Keep people working
message. This adds to the user’s fear
Ì Educate users
and, again, makes the user more likely to
pay for the fake antivirus (see fig.34).
Fig.32
Fig.33 Fig.34
A Sophos White Paper - September 2011 12
13. Stopping Fake Antivirus: How to keep scareware off your network
Here’s how you can create this updated downloads, or to send back
type of layered defense: a victim’s credit card information.
Reduce the attack surface – To reduce
Stop the attack – Stopping the attack involves
the attack surface, Sophos filters URLs
your anti-malware software, ongoing updating
and blocks spam to prevent fake antivirus
and patching efforts, and run-time detection.
from reaching users. By blocking the
To proactively detect the fake antivirus file,
domains and URLs from which fake
our Sophos antivirus agent delivers complete
antivirus is downloaded, the infection
protection, plus low-impact scans that
can be prevented from ever happening.
detect malware, adware, suspicious files
Sophos customers are protected by URL
and behavior, and unauthorized software.
filtering in Sophos Web Security and
Using Behavioral Genotype technology,
Control19 and the latest endpoint security
many thousands of fake antivirus files
product. Sophos Email Security and Data
can be detected with a single identity. The
Protection blocks spam containing fake
number of samples currently detected as
antivirus before a user even sees it20.
variants of Mal/FakeAV and Mal/FakeAle
is well in excess of half a million.
Protect everywhere – But, protection
needs to go further, and Sophos does
Of course, updating and patching are also
this with endpoint web protection, live
important to keep anti-malware software up
protection and firewall protection. Sophos
to date, and apply at all levels of protection.
Endpoint Security and Control detects
Antivirus software must be kept up to
web-based content, including the detection
date using automatic updating to ensure
of the JavaScript and HTML used on
that the latest protection is provided at
fake antivirus and fake codec web pages.
all times. Other software such as the
Detection at this layer prevents the fake
operating system and commonly used
antivirus files from being downloaded
applications, for example Adobe Reader,
(e.g., Mal/FakeAVJs, Mal/VidHtml).
should be patched to ensure that they do
not introduce security weaknesses. Static
In addition, Sophos Live Protection enables
defenses are not going to keep up with
the Sophos Endpoint Security and Control
the new variations, attacks change all the
product to query SophosLabs directly
time. So, it is important to allow updates
when it encounters a suspicious file in
and apply patches as they are received.
order to determine whether the file is
fake antivirus, or any other malware.
Run-time detection is important because
This enables the automatic blocking of
if a fake antivirus executable manages to
new and emerging malware outbreaks
evade the other layers of protection, the
in real time, before the malware has a
Sophos Host Intrusion Prevention System
chance to run. This immediate access
(HIPS) can detect and block the behavior
lets you close the window between the
of the fake antivirus sample when it tries
time SophosLabs finds out about an
to execute on the system21. HIPS includes
attack and when users are protected.
rules that specifically target fake antivirus.
Essentially, if the program sees the fake
Firewall protection means that the
antivirus software doing anything dangerous,
Sophos Client Firewall can be configured
it will shut the software down—a blocking
to block outgoing connections from
move by another layer of protection.
unknown programs to prevent fake
antivirus from “calling home” to receive
A Sophos White Paper - September 2011 13
14. Stopping Fake Antivirus: How to keep scareware off your network
Keep people working – Your users don’t Users should know not to click on anything
really care too much about any of this. suspicious. But, they should also be
They just want to get their work done. reminded that the IT department takes care
That’s why Sophos provides IT staff with of antivirus protection for their computers. If
visibility into fake antivirus detection, sends they are concerned about antivirus, or have
alerts to let you know when malware has strange messages popping up, they should
been stopped, and removes the malware contact IT and not try to sort it out for
from your users’ computers. You can themselves. It’s also important to religiously
choose a configuration that lets users refuse any anti-malware software which
get these notifications, or shows these offers a free scan but forces you to pay for
messages only to the security team. cleanup. Reputable brands don’t do this—an
antivirus evaluation should let you try out
Educate users – User education is an detection and disinfection before you buy.
important part of the defense as well.
Stopping Fake Anti-Virus
Complete protection against a rampant threat
e Pro
fac
ur tec
ks t ev
ac
er
t
at
yw
ce
he
du
URL Filtering Endpoint Web
re
Re
Protection
Educate Users
Web Application Live Protection
Firewall Complete
Security
Clean up Anti-malware
es
ch
Ke
ea
ep
br
pe
Visibility Patch Manager
d
le
op
an
wo ks
rk i tt ac
ng pa
S to
Fig.35
A Sophos White Paper - September 2011 14
15. Stopping Fake Antivirus: How to keep scareware off your network
Here are three additional tips of conditions. For example, malware
to help protect Mac users: on a USB key would go unnoticed, as
would malware already on your Mac.
Ì If you use Safari, turn off the open
And it only updates once in 24 hours,
“safe” files after downloading option.
which probably isn’t enough anymore.
This stops files such as the ZIP-
based installers favored by scareware Ì Install genuine antivirus software.
authors from running automatically Ironically, the Apple App Store is
if you accidentally click their links. a bad place to look—any antivirus
sold via the App Store is required by
Ì Don’t rely on Apple’s built-in XProtect
Apple’s rules to exclude the kernel-
malware detector. It’s better than nothing,
based filtering component (known
but it only detects viruses using basic
as a real-time or on-access scanner)
techniques, and under a limited set
needed for reliable virus prevention.
Conclusion
Fake antivirus is still a prevalent threat, it is a persistent
problem and the financial benefits for cybercriminals means
that fake antivirus will not go away.
Fake antivirus is already distributed through a large number
of sources. The variety and inventiveness of its distribution
will only increase.
Fortunately, users can protect themselves through a
comprehensive and layered security solution that detects and
defends against fake antivirus at every possible level.
A Sophos White Paper - September 2011 15