Published by Javier Guerrero, November 2010
Many people think that when antivirus companies talk about the vast number of malware threats that exist, they are exaggerating in order to sell their software. In other words, they are scaremongering to frighten users into buying their products. That’s why when I write articles about malware, I like to refer to first-hand experiences, as I am going to do in this post.
Some time ago a friend called me, concerned because his computer displayed a window notifying him that it had been infected by malware; specifically 42 examples of all types of malware: viruses, spyware, adware, Trojans… This was a bit of a shock, as his anti-malware solution had only detected a couple of threats, which in theory it had deleted. What’s more, these warnings did not come from the antivirus, nor would they let him eliminate the infection.
As I guessed his antivirus might have been out of date, I suggested he look for a second opinion and use our free Panda ActiveScan online scanner.
However, my friend was unable to install the ActiveScan scan module with either Internet Explorer or Firefox; something was stopping it. In fact, it had become virtually impossible to use the computer: he couldn’t browse the Web or install or uninstall applications. It seemed that his computer had been hijacked by this application.
My suspicions were confirmed when (on going round to his house) I could see the window in question. It belonged to a (supposed) security product called “Personal Security”:
However, the problems I mentioned before suggested there was something dubious about this software. Also, my friend was quite sure he had not installed this product, at least not in the way one normally installs a product in Windows. It was also highly suspicious that his antivirus had not detected all the malware displayed in the window.
The conclusion was obvious: This was a fake or rogue antivirus.
What is a Rogue Antivirus?
This is a malicious application which, in the guise of a trial version of a normal antivirus, tries to trick users into believing that their computers have been infected by numerous examples of malware.
What’s the aim?
Money, of course. Users are then forced to buy a ‘full version’ of the application if they want to ‘disinfect’ their computers. Many people fall for this, either unwittingly, or because they want the system to return to normal.
The rogue antivirus we are talking about today displays the following window:
And obviously, there is a form in which victims are prompted to enter their personal and bank details.
This type of malware is now widespread, largely because it is successful in tricking many people, as the graphic interfaces used (windows, buttons, etc.) are often very professionally crafted.
For example, this particular fake antivirus displays a warning which is similar in appearance to the Windows Security Center:
How to avoid them
The careful and professional design of many of these programs makes them particularly dangerous, as they will fool many users with little knowledge of IT security.
Although much of the usual advice we offer (use a good up-to-date antivirus, don’t download unknown programs, take care with USB devices, etc.) is just as valid in these cases, it is particularly important to be careful with the websites you visit.
One of the most common techniques used for spreading these fake programs is known as “Blackhat SEO” (we will talk about this in the next post), which basically manipulates Web search results, including links to malicious pages used to infect users. These pages provoke false infection warnings, prompting the user to click a button to download or install the product.
You should never click on any part of these windows, as this will start installation. In these cases try closing all windows using the ALT-F4 key combination, although the infection may have already taken place.
So, what happened to my friend?
We managed to resolve the problem by starting up in safe mode and manually deleting all files and registry entries corresponding to the fake antivirus. Of course we had to get this information through another computer, as the system had been completely hijacked by the intruder.
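One way to carry out the "find the files and registry entries" part of that clean-up on the affected machine, as an added example that is not from the original post or from Panda's own tools: a PowerShell script that lists the standard Run/RunOnce autostart entries and flags any whose executable is missing, unsigned, or lives in a user-writable directory, which is where a rogue antivirus typically drops itself. It assumes an elevated PowerShell session (safe mode is fine); the registry key paths are the standard Windows ones, the flagging heuristics are my own.

```powershell
# Added example (not from the original post): triage autostart entries so the
# rogue antivirus's files and registry values can be identified before removal.
# Assumption: run in an elevated PowerShell session on the affected machine.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directories a legitimate autostart binary rarely lives in, but rogue AVs often do.
$suspectRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:USERPROFILE)

function Resolve-ImagePath {
    param([string]$Command)
    # Strip quotes and arguments:  "C:\dir\app.exe" /silent  ->  C:\dir\app.exe
    if ($Command -match '^"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^(\S+\.exe)') { return $Matches[1] }
    return ($Command -split ' ')[0]
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = (Get-ItemProperty -Path $key).PSObject.Properties |
             Where-Object { $_.Name -notlike 'PS*' }   # drop provider metadata
    foreach ($p in $props) {
        $path  = [Environment]::ExpandEnvironmentVariables((Resolve-ImagePath ([string]$p.Value)))
        $flags = @()
        if (-not (Test-Path $path)) {
            $flags += 'MISSING'
        } else {
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') { $flags += "UNSIGNED($($sig.Status))" }
            foreach ($root in $suspectRoots) {
                if ($root -and $path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                    $flags += 'USER-WRITABLE-DIR'; break
                }
            }
        }
        # One row per autostart value; review the flagged rows by hand before deleting.
        [PSCustomObject]@{ Key = $key; Name = $p.Name; Image = $path; Flags = ($flags -join ',') }
    }
}
```

Entries flagged on both counts (unsigned and living under the user profile) are the first candidates to cross-check from a clean machine, as the post describes.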
To end this post, I would just like to answer the question set out at the beginning: Yes, the threat of malware is real. We are not exaggerating it in the slightest.
Javier Guerrero works at Panda Security as a technical specialist and analyst/programmer. Since joining the company in 1998 he has taken part in numerous projects, almost always involving kernel-layer technology: the first Panda Platinum, Panda Security and Panda Security for Networks, firewall and TruPrevent technologies, file permanent protection modules, Shield and the Cloud AV interception layer, etc. He is currently part of the interception unit and is responsible for the file and process interceptors in Panda Cloud Antivirus.