Fake antivirus software—designated as FAKEAV malware by Trend Micro—may have somewhat fallen out of the spotlight of late but it still remains a significant concern for many users. For example, in a poll of users at Trend Micro’s TrendWatch information portal, almost half of them indicated that they viewed FAKEAV as an issue of great concern.
It’s a legitimate concern, as FAKEAV malware continues to use the tactics that made it a problem for users. For example, searches related to the recent 9/11 anniversary returned malicious results.
This follows the well-worn tactic of abusing news events to spread rogue antivirus malware. The use of blackhat SEO techniques, which place malicious links among the search results for popular search phrases, has been extensively documented here at the Malware Blog in the past.
Of course, the FAKEAV “software” itself is becoming more sophisticated as well. Some of the latest variants are now multilingual, which helps them reach a wider audience around the world and therefore affect more victims.
In general, new FAKEAV variants are becoming increasingly sophisticated and subtle. This past August, a fake Microsoft Malicious Software Removal Tool (MSRT) was found and detected as TROJ_FAKEAV.MSRT.
More recently, a very sophisticated FAKEAV variant detected as TROJ_FAKEAV.KAX was found. While the behavior of these new variants remained largely identical to that of previous variants, the amount of effort that went into creating user interfaces (UIs) that look legitimate was considerable.
In the face of all these threats, however, the best practices for avoiding FAKEAV remain the same. Users should avoid clicking on suspicious-looking links in search results. Keeping software updated is also a must, as many exploits have payloads that end up downloading FAKEAV malware.
Trend Micro users are continuously protected from rogue antivirus malware by the Trend Micro™ Smart Protection Network™. New variants are continuously found and detected and the sites that host these are constantly being discovered and blocked as well.
For more in-depth information on the FAKEAV threat, you can consult the following papers and articles: