Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    May 2013
    S M T W T F S
    « Apr    
     1234
    567891011
    12131415161718
    19202122232425
    262728293031  
    • About Us
    Trendlabs Security Intelligence > DLL-Based FAKEAV Returns, in the Wild Again

    In our previous FAKEAV white paper, we presented how Trend Micro researchers tracked down the evolution of FAKEAV and followed its development behaviorwise from one generation to the next. One of the earlier generations (fourth, to be exact) in the paper comprises DLL-based FAKEAV—fake antivirus that use a .DLL file to perform all of their malicious routines to primarily avoid easy termination. A few months ago, however, we saw this particular generation again making its rounds in the wild in the form of TROJ_FAKEAV.BTV.

    Click for larger view

    In terms of appearance, fourth-generation FAKEAV variants are not particularly different from earlier generations. However, in the background, fourth-generation FAKEAV varaints are characterized by the considerably big file size of their DLL components (TROJ_FAKEAV.BTV samples are around 1.50MB in size). This is because the fake pop-up warnings, GUIs, and other scareware modules are all found in the DLL.

    FAKEAV as a Whole

    Understanding how FAKEAV progressed over the years, it isn’t particularly surprising to see fourth-generation FAKEAV variants back in the wild. For the most part, these have been visually updated though these have not technically evolved. The bad guys knew that all it takes to maintain their steady supply of victims is to update the rogue antivirus software’s name and to redesign their GUIs—the reason why we see so many FAKEAV GUIs today.

    In line with these software name updates, FAKEAV also update their registry, file, and folder names in order to evade string-based antivirus solution detection. Nevertheless, regardless of how these are updated, their strings will continue to be a weak point. From this, antivirus researchers can craft generic rules or patterns for memory, process, file, and registry scanning/cleaning.

    We will continue to devote time and effort to closely monitor prominent threats like FAKEAV as well as to provide adequate solutions to users. We advise users to stay informed of the developments concerning threats such as FAKEAV as well as to familiarize themselves with the nature of related attacks. Users may refer to the guide we published last year, FAKEAV 101: How To Tell If Your Antivirus Is Fake.

    Also, more information on fourth-generation FAKEAV variants as well as on other generations is available in our report, The Dangers Rogue Antivirus Threats Pose.





    Share this article
    		 Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   del.icio.us   StumbleUpon



    This entry was posted on Monday, April 25th, 2011 at 6:57 am and is filed under Malware . Both comments and pings are currently closed.





     

    Other Trend Micro blogs
    CTO Insights
    CounterMeasures Blog
    Cloud Security Blog
    Consumerization Blog
    Fearless Web
    Internet Safety for Kids & Families
    Simply Security News
    Trend Micro Blog [German]
    TrendLabs Security Blog [Japan]
    Cloud Security APAC
    Trend Micro Free Tools Threat Encyclopedia Trend Micro Videos
    Do you have a product-related question? Visit our eSupport website.

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice