A couple of months ago, a neighbor was chatting with me about a new miracle antivirus application that he got from a friend. He told me that it works great and frequently captures a lot of viruses on his computer. His only complaint was that he had to pay every time the software purged his computer of the malware.
I almost didn’t have the heart to tell him that the magical virus eliminator he was describing is, in fact, what the security industry calls fake AV or rogue AV.
There are many versions of fake AV circulating on the Internet today. While they differ in style, name and appearance, they all share a common feature set:
A professional-looking graphical user interface (GUI) that resembles a legitimate antivirus application. Once fake AV is running on a user’s computer, it launches the GUI and displays a fake scan of the computer.
After the fake scan is complete, the software reports that the system is infected with malicious software.
The fake AV then demands payment in order to “clean” the system. Once an unsuspecting user enters their credit card information, they immediately become a candidate for card fraud and identity theft.
FortiGuard Labs recently encountered a new variant of a fake AV, which Fortinet detects as W32/FakeAV.RA!tr.
Once the malware is installed, the user receives a warning message stating that the software has discovered a spyware infection (Figure 1). When the user clicks on this warning message, a new application window that resembles a legitimate antivirus application appears, starts “scanning” the system and begins listing detected infections (Figure 2).
Once the “detection” phase is complete, a new window displays the number of infections the software claims to have found (Figure 3). The window also offers the user a choice between removing the detected threats and “Continue unprotected.” Common sense dictates that the user click “Remove all threats now”.
After clicking on “Remove all threats now,” a credit card transaction window appears where the user can enter their credit card information (Figure 4).
In a variation of the above fake AV example, a user selects the “Recommended” option (Figure 5), which immediately takes the user to the checkout window shown in Figure 4.
This version of fake AV also displays a warning message whenever the user tries to launch a program (Figure 6), and it is particularly nasty because it prevents the user from launching any application on their computer. What’s worse, in addition to taking your cash, fake AV can log keystrokes, steal documents, infect other files and networks and install additional malware.
How you get it
There are a number of ways fake AV can land on a user’s system. It can arrive as an infected email attachment; it can be delivered by a link in an email or in a Web 2.0 application such as a social media site that leads the user to a malicious website which downloads the fake AV; or it can be downloaded onto the system by malware (such as a bot belonging to a botnet) that already resides on the user’s machine.
How You Know you got it
The first thing users should do happens BEFORE infection. If they have not already done so, all computer users should familiarize themselves with the antivirus solution currently running on their system. Know the vendor name. And, while noting which antivirus product is installed, make sure it is updated with the latest versions and patches. A user who has no antivirus client on their machine can download one from an AV vendor’s website. Fortinet makes a free one that can be downloaded from here: http://download.cnet.com/FortiClient-Lite/3000-2239_4-75532356.html?tag=mncol;1
Once the user knows which antivirus software is on their system, it should be fairly easy to spot an attack by fake AV, because most of the time the fake AV makers do not put a legitimate AV company’s logo in their pop-up windows. If the pop-up does carry a logo, and it is not that of the AV company whose product you already have installed, it is most likely fake AV. If there is still any doubt, the tip-off comes when the credit card window opens: no reputable AV vendor makes an end user pay to scan or clean a system on which its product is already installed and up to date.
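The check described above, knowing which antivirus vendor is really installed, can be done from PowerShell instead of from memory. The following script is an added example and is not part of the original paper: it lists the antivirus products registered with Windows Security Center so the names can be compared against whatever a pop-up claims. It assumes a Windows client edition (Vista or later; the root/SecurityCenter2 namespace is absent on Windows Server), and the decoding of the productState field is the community-derived convention rather than a documented contract.

```powershell
# Added example (not from the original paper). Lists the antivirus products that
# Windows Security Center knows about, so a user can compare the vendor name against
# the one shown in a suspicious pop-up. Assumes a Windows client edition; the
# root/SecurityCenter2 namespace does not exist on Windows Server.

function Get-RegisteredAntivirus {
    [CmdletBinding()]
    param()

    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' `
                                -ClassName 'AntiVirusProduct' -ErrorAction Stop

    foreach ($p in $products) {
        # productState is an undocumented packed integer. The bit meanings below are
        # the widely used community convention (an assumption, not a Microsoft API):
        #   0x1000 set -> real-time protection enabled
        #   0x10   set -> signatures out of date
        $state = [int]$p.productState
        [pscustomobject]@{
            DisplayName        = $p.displayName
            ExecutablePath     = $p.pathToSignedProductExe
            RealTimeEnabled    = (($state -band 0x1000) -ne 0)
            SignaturesOutdated = (($state -band 0x10) -ne 0)
            RawState           = ('0x{0:X6}' -f $state)
        }
    }
}

# Checks a user or help desk would run after seeing a "you are infected" pop-up.
$av = @(Get-RegisteredAntivirus)

if ($av.Count -eq 0) {
    Write-Warning 'No antivirus product is registered with Security Center; install one from a vendor site you trust.'
}

foreach ($a in $av) {
    $a | Format-List

    # Legitimate AV installs under Program Files. A "product" whose executable lives
    # in the user's profile (AppData, Temp, Desktop) deserves a second look.
    if ($a.ExecutablePath -and $a.ExecutablePath -like "$env:USERPROFILE*") {
        Write-Warning ("{0} runs from a user-writable location: {1}" -f $a.DisplayName, $a.ExecutablePath)
    }
    if ($a.SignaturesOutdated) {
        Write-Warning ("{0} reports outdated signatures; update it before scanning." -f $a.DisplayName)
    }
}
```

If the vendor named in a pop-up does not appear in this list, or the only registered product points at an executable in your profile directory, treat the pop-up as rogue AV rather than as a real detection.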
How You Get Rid of It
If fake AV is on the system, the user should scan the system with their legitimate antivirus software. If the fake AV prevents the legitimate AV software from loading, the user should restart the system in “safe mode” and then scan it with a valid AV. In addition, an “offline scan” is advised. This means the computer is scanned and cleaned outside the full operating system, so that the malware is not running while it is removed. It requires a restart into the Windows Preinstallation Environment (WinPE) to run a scanning utility such as the Windows Defender Offline scan tool.
The Windows Defender Offline scan tool is a free download delivered as a bootable Windows Imaging Format (WIM) file, which can be written to media (USB or DVD) and booted on the infected computer.
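The cleanup procedure above (update the real AV, scan, fall back to Safe Mode, then run an offline scan) can be driven from an elevated PowerShell session on Windows 10 or later, where Windows Defender Offline is built in and controlled by the Defender module. The script below is an added example, not code from the original paper; it assumes Microsoft Defender is the installed product and that the cmdlets it calls (Get-MpComputerStatus, Update-MpSignature, Start-MpScan, Start-MpWDOScan, Get-MpThreatDetection) are available. The function name Invoke-RogueAvCleanup is hypothetical.

```powershell
# Added example (not from the original paper): the remediation steps described above,
# driven from an elevated PowerShell session on Windows 10 or later with Microsoft
# Defender. Assumes the built-in Defender module; the function name is hypothetical.

#Requires -RunAsAdministrator

function Invoke-RogueAvCleanup {
    param(
        # Use when the rogue AV blocks programs in the normal session: schedule a
        # Safe Mode boot instead of trying to scan in the live (hijacked) session.
        [switch]$ScheduleSafeMode,
        # Windows Defender Offline: reboots into a minimal environment and scans
        # before the full OS (and any malware persistence) loads.
        [switch]$OfflineScan
    )

    $status = Get-MpComputerStatus
    if (-not $status.AntivirusEnabled) {
        Write-Warning 'Defender reports antivirus disabled; rogue AV commonly disables the real product.'
    }
    Write-Host ("Signatures last updated: {0}" -f $status.AntivirusSignatureLastUpdated)

    if ($ScheduleSafeMode) {
        # The next boot loads only minimal drivers and services, so most rogue AV
        # autostart entries do not run. The braces must be quoted, or PowerShell
        # parses {current} as a script block.
        bcdedit /set '{current}' safeboot minimal | Out-Null
        Write-Host "Safe Mode scheduled. After scanning, run: bcdedit /deletevalue '{current}' safeboot"
        Restart-Computer -Confirm
        return
    }

    # Refresh signatures from Microsoft, then scan the whole system with the legitimate engine.
    Update-MpSignature
    Start-MpScan -ScanType FullScan

    if ($OfflineScan) {
        # Reboots immediately into Windows Defender Offline; nothing after this runs.
        Start-MpWDOScan
    }

    # Detections recorded by the real product, for the user to review.
    Get-MpThreatDetection | Select-Object ThreatID, InitialDetectionTime, Resources
}

# Usage:
#   Invoke-RogueAvCleanup                     # update and full scan in the normal session
#   Invoke-RogueAvCleanup -ScheduleSafeMode   # rogue AV blocks programs: boot to Safe Mode first
#   Invoke-RogueAvCleanup -OfflineScan        # scan, then reboot into Windows Defender Offline
```

If the rogue AV blocks every program, including PowerShell, the Safe Mode branch cannot be started from the live session; use the boot menu (Shift+Restart, or F8 on older systems) to reach Safe Mode, or boot the offline scanner from USB or DVD as described above, and remember to clear the safeboot flag with bcdedit afterwards.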
What to do if You’ve Given them your Credit Card Number
If you think you’ve been a victim of fake AV fraud, know that you’re not alone. If fake AV were easy to spot, we wouldn’t feel compelled to write a paper on the topic. Rogue AV is a billion-dollar-a-year business. Some criminal gangs have been caught, but others are still operating with impunity. The first thing to do if you think you’ve been a victim is to call your credit card company as soon as possible and scrutinize every charge from the day you entered your card number into the application. Second, ask for a new card. The absence of charges so far does not mean you are safe: cybercriminals often bundle your number with others they have collected and sell the batch to a third-party criminal organization.
To avoid fake AV in the first place:
Always update your antivirus software from valid sources.
Do not run applications that arrive by email or are downloaded from the Internet unless you are sure they are clean.
Do not give away your financial information by entering it into a suspicious website or application.
Always scan your system using your legitimate antivirus software.
Another variant of FakeAV detected as W32/FakeAV.KL!tr is briefly discussed below:
Figure A1 shows the main screen of W32/FakeAV.KL!tr: a professional-looking antivirus program complete with menu and scanning window. Even on a normal, clean computer it reports that you are infected with at least 14 threats.
If you try to remove the “infection” by clicking the “Remove” button, you are asked to activate the fake AV, as shown in Figure A2.
Selecting “Yes” redirects you to the payment window shown in Figure A3, where you are required to enter your account information.
If you refuse to activate your account, you receive the warning message shown in Figure A4.
If you ignore or forget about this fake AV, you are reminded by constant pop-up windows, as shown in Figure A5.
As we can see, W32/FakeAV.KL!tr looks different from W32/FakeAV.RA!tr, but it is clearly doing the same thing: it tells you that you are infected and asks for your credit card information to remove the infection.
If you need more convincing, let’s take a look at a more familiar-looking fake AV.
This fake AV looks as if it came from Microsoft Windows itself, with the familiar menu on the left and a familiar display on the right side of the main window shown in Figure B1. It does not show any scanning activity, but it claims there are alerts for your computer.
If you click the “Clean Now” button, the software tells you that it is only a trial version and that you need to activate it, as shown in Figure B2.
If you choose to activate it, a different window appears asking for your account and payment details (see Figure B3). It is worth noting that Microsoft’s own security and antivirus software can be installed for FREE, so any “Microsoft” product demanding payment to clean your system is a fake.
If you ignore this, warning messages pop up like those shown in Figures B4 and B5.