Fake antivirus software or "scareware" is nothing new,
but these applications continue to get more sophisticated. We recently
discovered a relatively new fake antivirus application called Windows
Risk Minimizer.
The fake antivirus software was promoted through spam sent from a
popular webmail service. This is slightly unusual as normally fake
antivirus infections arrive through drive-by exploits. Spam messages
promoting the fake antivirus software contained links to compromised
domains, which then redirected users to the fake antivirus site. We
witnessed over 300 compromised domains being used in just a few hours.
When opening the fake antivirus site, the user is greeted with a
JavaScript alert message, whereby the fake antivirus (referred to here
as "Windows Secure Kit 2012") claims that your machine is infected.
When OK is clicked, a fake scan is carried out.
The page uses Flash, making it look more convincing with realistic
icons, progress bars, and dialog boxes. Unsurprisingly, the fake
antivirus detects plenty of viruses. Decompressing the Flash file and
analyzing it shows a huge list of files contained within it. The Flash
movie then simply picks some of these at random and claims they are
infected (with equally random virus names).
Once the scan is complete, a Windows Security Alert dialog appears
with a summary of the scan. This dialog can be moved around the screen
and (for reasons unknown) the different infections can be selected and
unselected.
Like many fake antivirus sites, when trying to close the window or tab, the user is greeted with an alarmist message warning of dire consequences unless the infection is removed.
When clicking Remove All in the Windows Security
Alert window, the user is prompted to download a malicious executable
file that contains Windows Risk Minimizer software. When opened, the
following professional-looking screen is displayed:
Again, unsurprisingly, the fake antivirus software identifies several infections.
When this window is closed, the malware repeatedly harasses the user with
pop-up warnings and balloon messages in the notification area. All of
these messages are designed to convince the user that an infection exists on
the computer and that they should purchase the (useless) software.
One message falsely claims the Google Chrome Web browser is infected. Clicking Prevent attack opens a payment window.
Another message claims illegal BitTorrent usage has been detected and
refers to the controversial US SOPA (Stop Online Piracy Act)
legislation. In this case, there is no Prevent attack button; instead there is a Get anonymous connection button, which also opens a payment window.
The final type of alarmist message observed when analyzing this fake
antivirus software claimed that some kind of identity theft was in
progress.
All of these different types of attack make it seem like there is a
serious infection, so it is easy to understand why many users may be
unwittingly tricked into purchasing what is useless software.
At $99.90, apparently including support (see below), this useless software is not cheap.
We also recently spotted some different fake antivirus software where
JavaScript code on the page appeared to vent the author's rage against
two makers of legitimate antivirus software, including an offensive
message about a particular antivirus application. It is easy to
understand why a malware author might be unhappy about antivirus
software, but including offensive messages like this simply makes it
easier to block their malware.
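The behaviour described above (a JavaScript alert claiming the machine is infected, a nag message when the user tries to leave, a Flash-based "scan", and a fixed product name) is exactly the kind of material a defender can turn into page-content indicators. The following is an added illustration, not code from the original post or from any vendor's detection engine: it checks an HTML page against a handful of such indicators and flags pages matching more than one. The regular expressions, the two sample pages and the threshold of two indicators are all constructed for this example.

```python
import re
from typing import List

# Indicators taken from the behaviour described in the post. They are
# illustrative, not a production signature: a real engine would use many
# more and would weight them.
INDICATORS = {
    # alert("...infected...") shown as soon as the fake antivirus site loads
    "alert_claims_infection": re.compile(
        r"alert\s*\(\s*['\"][^'\"]*(?:infect|virus|trojan)[^'\"]*['\"]\s*\)",
        re.I,
    ),
    # handler used to show an alarmist message when the tab/window is closed
    "leave_page_nag": re.compile(r"onbeforeunload", re.I),
    # product names the post observed on the page and in the download
    "known_scareware_name": re.compile(
        r"Windows (?:Secure Kit 2012|Risk Minimizer)", re.I
    ),
    # the fake scan is rendered by an embedded Flash movie
    "flash_scan_object": re.compile(r"<(?:object|embed)[^>]+\.swf", re.I),
}


def scan_page(html: str) -> List[str]:
    """Return the names of all indicators that match, in dictionary order."""
    return [name for name, pattern in INDICATORS.items() if pattern.search(html)]


def is_scareware_like(html: str, threshold: int = 2) -> bool:
    """Flag a page when at least `threshold` indicators match.

    A single indicator (for instance any onbeforeunload handler) is common on
    legitimate sites, so the constructed cut-off requires two or more.
    """
    return len(scan_page(html)) >= threshold


# Constructed sample resembling the fake antivirus site described in the post.
SCARE_SAMPLE = """
<html><head><title>Windows Secure Kit 2012 - Online Scan</title>
<script>
alert("Warning! Your computer is infected with spyware and viruses. Click OK to start scan.");
window.onbeforeunload = function () { return "Leaving now will leave your PC unprotected!"; };
</script></head>
<body><object data="scanner.swf" type="application/x-shockwave-flash"></object></body></html>
"""

# Constructed benign sample: it uses alert() too, but says nothing about infections.
BENIGN_SAMPLE = """
<html><head><title>Company Blog</title>
<script>alert("Thanks for subscribing!");</script>
</head><body><p>Our newsletter goes out on Mondays.</p></body></html>
"""

if __name__ == "__main__":
    for label, page in (("scare", SCARE_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_page(page), is_scareware_like(page))
```

Run stand-alone, the script reports all four indicators for the constructed scareware page and none for the benign one. The point of the threshold is the one made in the post: a lone string is weak evidence, but an author who hard-codes product names and taunts into the page hands defenders several independent indicators at once.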
To avoid getting infected with fake antivirus software, ensure you
keep your operating system, Web browser, and antivirus software up to
date with all security patches.
Courtesy Nick Johnston