By Alan Lee – PC Tools Malware Research Team
With all the fake security applications out there, you’d think we’d have learned our lesson by now, but not so. Fake security applications, commonly known as FakeAVs, continue to be effective and profitable, so unscrupulous malware authors continue to churn them out at an alarming rate. PC Tools’ Malware Research Lab sees hundreds of new FakeAV samples on a daily basis.
Shockingly, the distribution methods used to spread FakeAVs have remained similar for quite some time now, yet it continues to be a profitable business. Despite the constant reminders from security vendors and the media, PC users are falling for the same traps malware authors have been using for years.
In this report, we round up the most prevalent Fake Security Applications that PC Tools’ Malware Research Lab has seen in the first quarter of 2011.
1) System Tool
System Tool first appeared on the FakeAV scene in October of 2010. System Tool appears to be a new variant from the makers of other well-known FakeAVs that have plagued PC users in recent years: Security Tool and Security Shield.
Once a PC is infected, System Tool changes its wallpaper, disables Task Manager, and prevents executable files from running.
The screenshot below shows the file icons that have recently been used by System Tool. The top icon was the original icon that System Tool used. However, System Tool’s malware authors have started to use popular and legitimate application icons to avoid detection by security vendors and savvy users.
2) UltraDefragger family (current incarnation – Windows Safemode)
There are many incarnations of the UltraDefragger FakeAV family, but the one we’ve seen most recently is Windows Safemode.
Once the PC is infected, Windows Safemode replaces the computer’s wallpaper with one that resembles the wallpaper you see when you enter Windows Safe Mode. It then pops up various warnings to inform the user that the hard disk has a problem and will require installation of “certified” software.
It proceeds to run Windows Safe Mode and prevents the user and other processes from accessing the PC at all.
Windows Safemode also disables Task Manager so that the user cannot terminate its processes.
3) Security Essentials
Security Essentials is another notorious FakeAV that has been prevalent as of late.
While it has multiple variants, one noticeable trait of Security Essentials across variants is that the first indication of an infection comes in the form of a fake Microsoft Security Essentials Alert pop-up.
This particular FakeAV uses a fake alert to scare users into believing that their PCs have been infected. When the worried victims click on “Clean computer” or “Apply actions,” the FakeAV is installed on their machines.
The latest variant of Security Essentials that we are now seeing is called Windows Troublemakers Agent. Other well-known variants include Red Cross Antivirus, Peak Protection, and Thinkpoint Antivirus.
4) Antivira AV (also known as Antivirus Monitor)
Antivirus Monitor is a new variant of the FakeAV family that is similar to Antivira AV. It is capable of modifying Internet Explorer settings to prevent users from opening any websites.
5) Fake AVG Antivirus 2011
Fake AVG Antivirus 2011 is a FakeAV that tricks users into thinking that they’re downloading the popular Free AVG Antivirus offered by AVG.
Based solely on appearance, would you be able to tell the difference between the genuine AVG and the fake AVG? Most people probably would not, and that’s why, more and more, FakeAVs are using Fake AVG Antivirus’ tactics. That is, they are masquerading as existing and legitimate security applications. While researching security applications on search engines like Google, users might find what appears to be a widely-used security application like AVG Free when, in fact, it’s a harmful FakeAV.
Making matters worse, FakeAV authors are releasing hundreds of new fake security applications every day. These FakeAV applications disable critical Windows services and tasks and prevent legitimate anti-virus applications from functioning, often rendering PCs completely unusable. The motive behind all these FakeAVs is to scare unsuspecting victims into “paying” for the repair of their infected computers.
While it may sound passé or cliché, the best way to avoid FakeAVs is tried and true: always keep your anti-virus applications up-to-date, and never click on any suspicious links or install any applications that you’re not familiar with.