Fake AV malware is nasty stuff. It’s harder to get rid of than freshly chewed gum stuck to the bottom of your shoes. Worst of all, Fake AV can extort money from you if you believe its phony security scans and then pay to get rid of nonexistent threats to your computer system. And let’s not forget: if you are duped into paying for Fake AV, the bad guys steal your credit card number in the process.
If you’ve ever experienced Fake AV up close and personal, you will be happy to hear that security industry experts saw a sharp decline in the number of reported Fake AV incidents during the month of August. But don’t relax just yet.
Fake AV remains a persistent security threat on the Internet landscape because of the number of malware variants that continue to be produced, backed by a criminal industry with a viable long-term monetization scheme.
The Business of Fake AV
In the article “The Big Business Behind Rogue AV,” Trend Micro Senior Threat Researcher Nart Villaneuve points out some very interesting and scary aspects of the Fake AV industry.
Fake AV is hard to detect because, like cold viruses, new and different variants are being produced all the time. According to Villaneuve, “Fake AV distributors produce modified binaries that are checked against popular antivirus software to ensure low detection rates or even non-detection.”
Cybercriminals use affiliate networks that collaborate with each other to distribute Fake AV malware. These affiliates work with different groups that develop and distribute Fake AV malware, and they are paid according to the number of users they manage to infect. The more victims they rack up, the more money they make.
Fake AV Malware Delivery
Your system can pick up Fake AV malware when you visit malicious sites that you think are legitimate. You can be led to these sites through the use of a technique known as Search Engine Optimization (SEO) poisoning.
The process of SEO poisoning involves the use of SEO kits – usually a set of PHP scripts – that create web pages filled with popular keywords and phrases that will be consumed by web crawlers used by Google and other search engines. Instead of containing links to the sites normally associated with the keywords, these pages actually contain redirects to other SEO poisoned web pages that ultimately redirect to websites hosting Fake AV malware.
When you search for any of these toxic keywords, you can easily end up at a malicious website rather than where you thought you were going. Without any indication that you are being redirected, you will have no idea that you are being led astray until it’s too late.
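As an added illustration (not code from this article or from Trend Micro), here is a small Python heuristic that flags the kind of doorway page described above: visible text stuffed with one repeated keyword, combined with a meta-refresh or JavaScript redirect to a different host. The `classify` function, its 20% stuffing threshold and the sample page are assumptions constructed for the example.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# URL inside a <meta http-equiv="refresh" content="0; url=..."> tag.
META_URL = re.compile(r"url\s*=\s*['\"]?([^'\"; ]+)", re.I)
# Redirect set from script: location = "..." or location.href = "...".
JS_URL = re.compile(r"location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]")

class DoorwayScanner(HTMLParser):
    """Collects visible text and every redirect target found in one page."""
    def __init__(self):
        super().__init__()
        self.text, self.redirects, self.in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self.in_script = True
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.redirects += META_URL.findall(a.get("content") or "")
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.redirects += JS_URL.findall(data)   # script text is not "visible"
        else:
            self.text.append(data)

def classify(page_url, html, stuffing_threshold=0.2):
    """Return ('malicious'|'questionable'|'safe', details) for a fetched page.
    stuffing_threshold (share of visible words taken by the top word) is an
    assumed tuning value, not a published one."""
    scanner = DoorwayScanner()
    scanner.feed(html)
    words = re.findall(r"[a-z0-9]+", " ".join(scanner.text).lower())
    word, count = Counter(words).most_common(1)[0] if words else ("", 0)
    share = count / len(words) if words else 0.0
    stuffed = len(words) >= 20 and share >= stuffing_threshold
    host = urlparse(page_url).netloc.lower()
    offsite = [r for r in scanner.redirects
               if urlparse(r).netloc and urlparse(r).netloc.lower() != host]
    verdict = ("malicious" if stuffed and offsite
               else "questionable" if stuffed or offsite else "safe")
    return verdict, {"top_word": word, "share": round(share, 2), "offsite": offsite}

# Constructed sample of a keyword-stuffed doorway page (hosts are not real).
SAMPLE_URL = "http://doorway.example/free-scan.html"
SAMPLE_HTML = ('<html><head><meta http-equiv="refresh" content="0; url=http://rogue.example/av.exe">'
               "</head><body>" + " ".join(["free antivirus download"] * 10) +
               "<script>window.location.href = 'http://rogue.example/landing';</script></body></html>")
```

Running `classify(SAMPLE_URL, SAMPLE_HTML)` returns the "malicious" verdict because both traits are present; a page showing only one of them is rated "questionable" so a human can review it.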
How to Protect Yourself against Fake AV
There are two main components to protecting your computer systems from Fake AV malware.
First, you need a URL filtering mechanism that analyzes links listed in web search results and tells you whether the URLs they contain point to safe or malicious web sites. Second, you need to be able to detect Fake AV packages, if and when you inadvertently try to download them.
Trend Micro™ Titanium™ Security 2012 software provides you both of these essential components.
When you do a web search in your browser, Titanium will mark each link with a green, yellow, or red marker indicating whether the link in question points to a safe, questionable, or malicious website, respectively. But this capability is not limited to searches: any page containing links will be marked in this fashion.
If you were using Titanium and happened to download a Fake AV package, it would be tagged as malware and quarantined or deleted.
I work for Trend Micro and opinions expressed here are my own.