In our previous FAKEAV white paper, we presented how Trend Micro researchers tracked the evolution of FAKEAV and followed its behavioral development from one generation to the next. One of the earlier generations in the paper (the fourth, to be exact) comprises DLL-based FAKEAV: fake antivirus programs that use a .DLL file to perform all of their malicious routines, primarily to avoid easy termination. A few months ago, however, we saw this particular generation again making its rounds in the wild in the form of TROJ_FAKEAV.BTV.
In terms of appearance, fourth-generation FAKEAV variants are not particularly different from earlier generations. In the background, however, fourth-generation FAKEAV variants are characterized by the considerably larger file size of their DLL components (TROJ_FAKEAV.BTV samples are around 1.50MB in size). This is because the fake pop-up warnings, GUIs, and other scareware modules are all contained in the DLL.
FAKEAV as a Whole
Understanding how FAKEAV has progressed over the years, it isn't particularly surprising to see fourth-generation FAKEAV variants back in the wild. For the most part, they have been visually updated but have not technically evolved. The bad guys know that all it takes to maintain a steady supply of victims is to change the rogue antivirus software's name and redesign its GUI, which is why we see so many different FAKEAV GUIs today.
In line with these name changes, FAKEAV variants also change their registry, file, and folder names to evade string-based antivirus detection. Regardless of how often these are changed, however, their strings remain a weak point: the product name keeps the same general shape and the scareware dialog text stays much the same, because it is the social-engineering payload. From this, antivirus researchers can craft generic rules or patterns for memory, process, file, and registry scanning and cleaning.
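The following is an added example, not code from the original post or from Trend Micro: a small Python scanner that shows the kind of generic, string-based rule the paragraph above describes. It extracts ASCII and UTF-16LE strings from a binary, looks for a brand-shaped product name ("Something Antivirus 2010", "Something Security Pro") rather than any fixed rogue-AV name, and counts generic scareware phrases, so that renaming the product does not defeat the rule. The phrase list, the name pattern, the 1,000,000-byte "large DLL" threshold, and the three sample "DLL" images are all constructed assumptions for this example; none of them are strings taken from TROJ_FAKEAV.BTV.

```python
import re
from typing import Dict, List

# Assumed, constructed scareware phrases typical of rogue-AV pop-ups.
# They are illustrative only, not strings extracted from TROJ_FAKEAV.BTV.
SCAREWARE_PHRASES = [
    rb"your (computer|system|pc) is infected",
    rb"threats? (have been |were )?(found|detected)",
    rb"activate (now|your copy)",
    rb"(register|purchase|buy) (the )?(full|licensed) version",
    rb"(critical )?system (scan|security) (alert|warning)",
]

# Generic product-name shape ("<Word> Antivirus 2010", "<Word> Security Pro").
# Deliberately not tied to one brand, so a renamed variant still matches.
PRODUCT_NAME = re.compile(
    rb"\b[A-Z][A-Za-z]{2,20} ?(Antivirus|Anti-Virus|AntiSpyware|Security|Protection|Defender|Guard)"
    rb"( (20\d\d|Pro|Plus|Premium))?\b"
)

LARGE_DLL_BYTES = 1_000_000  # assumed threshold; the post notes ~1.50MB DLL components

_ASCII = re.compile(rb"[\x20-\x7e]{6,}")
_UTF16 = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def extract_strings(data: bytes) -> List[bytes]:
    """Pull printable ASCII and UTF-16LE runs out of a binary, as `strings` would."""
    found = [m.group() for m in _ASCII.finditer(data)]
    found += [m.group().decode("utf-16-le").encode("ascii") for m in _UTF16.finditer(data)]
    return found


def scan(data: bytes) -> Dict[str, object]:
    """Score a blob on generic signals: PE header, oversized image, brand-shaped name, scareware text."""
    names, phrases = set(), set()
    for s in extract_strings(data):
        m = PRODUCT_NAME.search(s)
        if m:
            names.add(m.group().decode("ascii"))
        for pat in SCAREWARE_PHRASES:
            if re.search(pat, s, re.IGNORECASE):
                phrases.add(pat.decode("ascii"))
    reasons = []
    if data[:2] == b"MZ":
        reasons.append("pe_header")
    if len(data) >= LARGE_DLL_BYTES:
        reasons.append("large_dll")
    if names:
        reasons.append("rogue_product_name")
    if len(phrases) >= 2:
        reasons.append("scareware_text")
    # Require both string-derived signals: a legitimate AV DLL is also big and
    # also has a product name, so neither size nor name alone may flag it.
    flagged = "rogue_product_name" in reasons and "scareware_text" in reasons
    return {"flagged": flagged, "names": sorted(names), "phrases": sorted(phrases), "reasons": reasons}


def build_sample(name: bytes, dialog_lines: List[bytes], pad: int = 64) -> bytes:
    """Construct a toy 'DLL' image: MZ stub, ASCII strings, and UTF-16LE dialog text."""
    blob = bytearray(b"MZ" + b"\x90" * pad)
    for line in dialog_lines:
        blob += line + b"\x00" + line.decode("ascii").encode("utf-16-le") + b"\x00\x00"
    blob += name + b"\x00" + name.decode("ascii").encode("utf-16-le")
    return bytes(blob)


# Constructed samples (not real malware): one rogue AV, the same rogue AV after a
# cosmetic rename, and a benign-looking product that shares one phrase.
GEN4_SAMPLE = build_sample(b"Example Antivirus 2010", [
    b"Warning! Your computer is infected with spyware.",
    b"Threats found: 38",
    b"Activate your copy to remove all threats.",
])
RENAMED_SAMPLE = build_sample(b"Example Security Pro", [
    b"Critical system security warning",
    b"Your PC is infected!",
    b"Register the full version now",
])
BENIGN_SAMPLE = build_sample(b"Example Security Plus", [
    b"Definitions are up to date.",
    b"Scan complete: no threats found.",
])

if __name__ == "__main__":
    for label, blob in (("gen4", GEN4_SAMPLE), ("renamed", RENAMED_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan(blob))
```

The renamed sample is caught by the same rule as the original because the rule keys on the shape of the name and on the dialog text, not on a specific product string; the benign sample carries a plausible security-product name and one overlapping phrase but stays under the two-phrase threshold. On real samples the `large_dll` signal would also fire for 1.5MB DLL components; it is recorded but intentionally not required, since it is the least specific of the signals.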
We will continue to devote time and effort to closely monitor prominent threats like FAKEAV as well as to provide adequate solutions to users. We advise users to stay informed of the developments concerning threats such as FAKEAV as well as to familiarize themselves with the nature of related attacks. Users may refer to the guide we published last year, FAKEAV 101: How To Tell If Your Antivirus Is Fake.
Also, more information on fourth-generation FAKEAV variants as well as on other generations is available in our report, The Dangers Rogue Antivirus Threats Pose.