Late last year, we talked about how fake system diagnostic tools were becoming the next step in the evolution of FAKEAV malware. These variants started to affect Japanese users as well.
Fake system diagnostic tools such as this variant named System Defragmenter were first discovered in October 2010. These tools very frequently change their names. At present, we are aware of at least 30 different names/aliases that these tools use. Cybercriminals may believe that changing their products’ names makes detecting and removing these much more difficult.
None of this should be taken to mean that conventional fake antivirus attacks have gone away, however. Last week, a very high-profile attack involving a rogue antivirus detected by Trend Micro as TROJ_FAKEAV.SMTV hit Twitter. Many users fell prey to this when they clicked links that used the goo.gl URL shortener to lead to this FAKEAV variant’s download.
Attacks involving fake diagnostic tools are similar to traditional FAKEAV attacks. A fake tool appears to function like a real system diagnosis tool though its supposed diagnostic functions never work. Once users’ PCs are infected by such a tool, these repeatedly displayed fake warnings saying that the system is suffering from hard disk problems.
Inexperienced users may worry and panic over these problems. They may end up paying for additional “tools” and giving cybercriminals their personal information such as email addresses and credit card numbers. Like FAKEAV, these fake diagnosis tools will cause many problems for users.
Fake diagnostic tools may arrive via several different infection vectors:
- Users visit malicious sites and manually download and install malicious files.
- Users visit malicious sites that are riddled with exploits, which silently install malicious files in the background.
The tactics cybercriminals use to distribute fake diagnostic tools are broadly similar to those used for FAKEAV malware. Cybercriminals may lead users to their own sites by using Black Hat Search Engine Optimization (SEO) poisoning or to compromised legitimate sites. Cases where these fake tools are installed without the users’ knowledge may lead them to think the fake tools are actually legitimate programs, allowing the attacks to succeed.
System Defragmenter is detected as TROJ_FAKEAL.GG. While the sites that distribute it are now inaccessible, similar attacks did not stop from being launched, albeit using constantly changing names and sites. Understanding how these attacks are conducted will help users avoid becoming their victims.
Its installer uses the same icon as Windows Update.
Fourteen minutes after the tool is installed, it displays a fake alert in the user’s notification area.