In association with heise online

12 December 2008, 15:57

Daniel Bachfeld

Thieves and charlatans

Rogue antivirus products

Some unscrupulous suppliers are trying to sell their rogue antivirus products by using a gamut of false positives to frighten unsuspecting users into believing their PCs are infected. Reports even suggest that these programs have taken to carrying their own Trojans. This article from heise Security will show you how to recognise and protect yourself from these attacks.

Most of these dubious products come wrapped up in a nice package and carry an impressive name like AntiMalware Guard, AntiSpyware XP 2008, WinDefender 2008, Total Secure 2009, WinAntivirus 2008 and XP Antispyware 2009. The fact that these names closely resemble those of established security programs is an obvious ploy to convince the victim that they are trustworthy.

They are marketed via special web pages, which generally try to convince the user to have their hard disk scanned – with apparently dramatic results. The user interface of the "scanner" in the Windows browser is certainly credible enough to fool an inexperienced PC user. The fake scan carried out by AntiSpyware Expert, for example, informs the user that his Windows PC is infected with a variety of malware – including Sobig, Sdbot and Mimail – even though the system is perfectly clean. Even if you visit the page with a Linux computer, you still receive exactly the same messages.

The site then offers to solve the problem by prompting the user to download a free virus scanner. Once it has been installed, the user is informed that he must acquire a licence before he can use the software. Unless he does so, the software will keep generating annoying alerts warning that the computer is infected. As the software usually cannot be uninstalled in the normal way via the Control Panel, some users eventually give in and pay to remove the aggressive messages.

[Image: Advanced Cleaner tries to convince the PC user that their machine is infested with viruses.]
[Image: Advanced Cleaner's payment pop-up.]

The flood of inquiries c't and heise Security receive from their readers on this subject shows that users are certainly taken in by this trickery. Anti-virus manufacturer Panda acknowledges that these fraudulent programs are proliferating at an astonishing rate. They already account for a considerable share of the new anti-virus signatures written each day. German manufacturer G Data has also recently observed a tremendous increase in this scareware, which offers users no real protection. This lack of protection, says G Data, is the real proof that the software has been designed simply to make money for the supplier. While approximately 30 new signatures were compiled for these rogue applications in September 2007, a year later there were nearly 2,100 – nearly seventy times as many. In view of the increasing number of attacks, Microsoft has initiated a lawsuit in the USA against manufacturers of counterfeit anti-virus products [1].

Trojan included

By no means all of these dubious anti-virus programs are harmless. Some of them have been known to block access to the web sites of serious anti-virus software suppliers immediately after installation. Scareware often takes advantage of browser security holes to sneak into a computer via drive-by download. It then annoys the user with messages claiming that the security status of the machine has been compromised.

This business model was once used just for selling profitable, but worthless software. Now these programs often infect the PC with real malware, changing it into a bot and using it to send spam. Typical of this malware are members of the "Trojan-Downloader.FraudLoad" family, to which the AV manufacturers have already allocated signatures with a four character suffix (.vcca, and so on). It is also very likely that the scammers are targeting the credit card information used for online purchases.
