Courtesy of MicrosoftThis year alone they will be responsible for infecting in excess of 25 million computers worldwide, but they could come close to compromising as much as 30 million machines. At the root of this epidemic lay simple social engineering tactics designed, through various methods, to convince victims to pay for peace of mind. Responsible for the actual infections are pieces of malicious code that the software industry refers to under a variety of monikers, including rogue antivirus, fake antivirus, scareware, etc.
Microsoft has put together a list containing no less than 114 AV rogues which are detected by the company’s antivirus products, including Microsoft Security Essentials, Forefront Client Security, etc. It is important to note that the list contains only the official label provided by the software giant. Each of the items featured below come in a variety of packages and under a plethora of brands, which actually makes the number of fake antivirus in the wild much larger.
Users that have doubts related to a security solution that is being aggressively advertised to them should first check to make sure that the offering is indeed genuine. Microsoft, but also additional members of the security industry, constantly update information on threats posed to end users, including rogue antivirus, and publish it on websites that are available to the public. These details are available to the public, and are essentially no more than a search away, at any given time.
“On page 100 of our Security Intelligence Report volume 7, we observed that rogues remained a significant threat even though they trended down to 13.4 million infected computers in 1H09 from 16.8 million in 2H08. (Internet Explorer 8 SmartScreen Filter, a browser-based security feature, contributed to part of the decline),” revealed Scott Wu, from MMPC.
Modus Operandi“Rogue security software—software that displays false or misleading alerts about infections or vulnerabilities on the victim’s computer and offers to fix the supposed problems for a price—has become one of the most common methods that attackers use to swindle money from victims. These are programs that masquerade as legitimate security programs offering protection from malware, spyware, and other threats, but actually use social engineering to obtain money from victims, and offer poor or nonexistent protection,” the Redmond company reveals in SIRv7.
Fake antivirus will take it upon itself to run a scan of computers belonging to unsuspecting users. Of course that the scan itself and the results offered are both fake. Rogue AV doesn’t actually analyze machines, nor is it capable of detecting any malware, or to remove it. It’s all smoke and mirrors, a show put on to trick users into thinking that their computers is infected with malicious code.
“Rogue security software programs typically mimic the general look and feel of legitimate security software, claiming to detect a large number of nonexistent threats and urging the user to “activate” the software to remove them. Some families emulate the appearance of the Windows Security Center or unlawfully use trademarks and icons to misrepresent themselves. Rogue security software spreads through familiar malware distribution mechanisms, like spam and exploits, and through customized tactics, like a fake Webbased security scanner. After installation, some rogue security software families take other actions to evade detection or to frighten the user into paying,” Microsoft explains.
Once installed on a Windows PC, fake antivirus programs will attempt to scare the user into believing that various infections were detected. Rogue security solutions are designed to look very similar to genuine AV products, often copying at least elements of the graphical user interface, if not the whole UI, as well as using brands and labels mimicking, or even plagiarizing valid security offerings.
And integral part of the social engineering tactics deployed is to convince the user that the rogue AV is a genuine security solution, when in fact, much to the contrary, it is only masquerading as such. The fake AV will bombard users with alerts, and annoying, repetitive, incessant notifications, reporting inexistent infections.
At the same time, the rogue AV advertises the possibility of removing the fake infections, provided that users buy the software. Once a license is acquired, the fake AV ceases from delivering fake reports, creating the illusion that whatever malware had compromised the computer, was removed. Obviously, in this scenario, the users have been scammed into paying for protection against an inexistent threat.
“Though fooling users into paying for worthless software remains the primary goal of most rogue security software, several recently released families have begun to branch out and exhibit behaviors common to other threats, such as downloading additional malware to a victim’s computer. Win32/Winwebsec has been observed to download Win32/Koobface— which itself sometimes displays pop-up advertisements for rogue security software. Win32/InternetAntivirus, which was added to the MSRT in June 2009, downloads the password stealer Win32/Chadem,” the company added.
Protection“As we have done in the past, we again encourage our readers to run a complete, up to date AV product such as Microsoft Security Essentials to protect their computers from these rogues, especially if located in English speaking countries - the regions where these rogues appear most active (as highlighted in the SIR). MSRT is a baseline tool we provide for the ecosystem to remove prevalent threats such as high profile rogues. With Security Essentials, on the other hand, you get the benefit of the complete AV signature set from the MMPC and you get the essential protection features an AV solution needs – real time, kernel mode detection, scheduled scan, complicated cleaning functionalities to address the emergent threats, etc.,” Wu stated.
114 Windows “antivirus” to avoid at all costs1. Win32/FakeXPA – Aliases: Win-Trojan/Downloader.56320.M (AhnLab), Win32/Adware.XPAntivirus (ESET), not-a-virus:Downloader.Win32XpAntivirus.b (Kaspersky), FakeAlert-AB.dldr (McAfee), W32/DLoader.FKAI (Norman), Mal/Generic-A (Sophos), XPAntivirus (Sunbelt Software), Downloader.MisleadApp (Symantec), XP Antivirus (other), Antivirus 2009 (other), Antivirus 2010 (other), Antivirus 360 (other), Total Security (other), AntivirusBEST (other), GreenAV (other), Alpha Antivirus, other), AlphaAV (other), Cyber Security (other), Cyber Protection Center (other), Nortel (other), Eco AntiVirus (other), MaCatte (other), Antivirus (other), Antivir (other), Personal Security (other).
2. Trojan:Win32/FakePowav– Aliases: Win Antivirus 2008 (other), SpyShredder (other), WinXProtector (other), Rapid Antivirus (other), Security 2009 (other), Power Antivirus 2009 (other), WinXDefender (other), SpyProtector (other), SpyGuarder (other), MSAntiMalware (other).
5. Program:Win32/DriveCleaner – Aliases: DriveCleaner (McAfee), W32/WinFixer.NU (Norman), DriveCleaner (Sunbelt Software), DriveCleaner (Symantec), Freeloa.8F4CBEAA (Trend Micro).
7. Program:Win32/Winfixer – Aliases: DriveCleaner (McAfee), W32/WinFixer.NU (Norman), DriveCleaner (Sunbelt Software), DriveCleaner (Symantec), Freeloa.8F4CBEAA (Trend Micro), Win32/Adware.WinFixer (ESET), not-a-virus:Downloader.Win32.WinFixer.o (Kaspersky), WinFixer (McAfee), Adware_Winfixer (Trend Micro), Program:Win32/DriveCleaner (other), Program:Win32/SecureExpertCleaner (other).
8. Trojan:Win32/FakeScanti – Aliases: Windows Antivirus Pro (other), Windows Police Pro (other), Win32/WindowsAntivirusPro.F (CA), FakeAlert-GA.dll (McAfee), Adware/WindowsAntivirusPro (Panda), Trojan.Fakeavalert (Symantec).
14. Trojan:Win32/FakeSmoke – Aliases: SystemCop (other), QuickHealCleaner (other), TrustWarrior (other); SaveArmor (other), SecureVeteran (other), SecuritySoldier (other), SafeFighter (other), TrustSoldier (other), TrustFighter (other), SoftCop (other), TRE AntiVirus (other), SoftBarrier (other), BlockKeeper (other), BlockScanner (other), BlockProtector (other), SystemFighter (other), SystemVeteran (other), SystemWarrior (other), AntiAID (other), Win32/WinBlueSoft.A (CA), Trojan-Downloader.Win32.FraudLoad.vtgpk (Kaspersky), WinBlueSoft (other), WiniBlueSoft (other), Winishield (other), SaveKeep (other), WiniFighter (other), TrustNinja (other), SaveDefense (other), BlockDefense (other), SaveSoldier (other), WiniShield (other), SafetyKeeper (other), SoftSafeness (other), SafeDefender (other), Trustcop (other), SecureWarrior (other), SecureFighter (other), SoftSoldier (other), SoftVeteran (other), SoftStronghold (other), ShieldSafeness (other).
19. Program:Win32/SpywareSecure – Aliases: W32/SpyAxe.AMI (Norman), SpywareSecure (Panda), SpywareSecure (Sunbelt Software), SpywareSecure (Symantec).
20. Program:Win32/IEDefender – Aliases: Win32/Burgspill.AD (CA), IEAntivirus (Symantec), Trojan.DR.FakeAlert.FJ (VirusBuster).
25. Program:Win32/Antivirus2008 – Aliases: Trojan.FakeAlert.RL (BitDefender), Win32/Adware.Antivirus2008 (ESET), not-a-virus:Downloader.Win32.FraudLoad.ar (Kaspersky), WinFixer (McAfee), W32/DLoader.HDZU (Norman), Troj/Dwnldr-HDG (Sophos), ADW_FAKEAV.O (Trend Micro), Program:Win32/VistaAntivirus2008.A (other), MS Antivirus (CA).
26. Trojan:Win32/PrivacyCenter – Aliases: Fake_AntiSpyware.BKN (AVG), Win32/FakeAV.ACR (CA), Win32/Adware.PrivacyComponents (ESET), not-a-virus:FraudTool.Win32.PrivacyCenter (other), not-a-virus:FraudTool.Win32.Agent.jn (Kaspersky), FakeAlert-CP (McAfee), Troj/PrvCnt-Gen (Sophos), SpywareGuard2008 (Symantec).
31. Win32/Winwebsec - Aliases: SystemSecurity2009 (other), System Security (other), Winweb Security (other), FakeAlert-WinwebSecurity.gen (McAfee), Mal/FakeAV-AK (Sophos), Troj/FakeVir-LB (Sophos), Adware/AntiSpywarePro2009 (Panda), Adware/UltimateCleaner (Panda), Adware/Xpantivirus2008 (Panda), Win32/Adware.SystemSecurity (ESET), Win32/Adware.WinWebSecurity (ESET), AntiVirus2008 (Symantec), SecurityRisk.Downldr (Symantec), W32/AntiVirus2008.AYO (Norman), Total Security (other), AntiSpyware Pro 2009 (other), FakeAlert-AntiSpywarePro (McAfee).
32. Trojan:Win32/FakeRemoc - Aliases: AntiMalwareSuite (other), VirusRemover2009 (other), PCAntiMalware (other), Total Virus Protection (other), SpywareRemover2009 (other), AntiMalwareGuard (other), Secure Expert Cleaner (other), Cleaner2009 Freeware (other), AVCare (other), AV Care (other).
37. Win32/FakeSecSen – Aliases: Micro AV (other), MS Antivirus (other), Spyware Preventer (other), Vista Antivirus 2008 (other), Advanced Antivirus (other), System Antivirus (other), Ultimate Antivirus 2008 (other), Windows Antivirus 2008 (other), XPert Antivirus (other), Power Antivirus (other).
38. Program:Win32/VirusRemover – Aliases: Troj/FakeVir-DR (Sophos), VirusRemover2008 (Symantec), ADW_FAKEVIR (Trend Micro).
43. Win32/FakeRean - Aliases: XP AntiSpyware 2009 (other), XP Security Center (other), PC Antispyware 2010 (other), Home Antivirus 2010 (other), PC Security 2009 (other), ADW_WINREANIMA (Trend Micro), Win32/Adware.WinReanimator (ESET), not-a-virus:FraudTool.Win32.Reanimator (Kaspersky), WinReanimator (Sunbelt Software), XP Police Antivirus (other), FakeAlert-XPPoliceAntivirus (McAfee), Adware/XPPolice (Panda), AntiSpyware XP 2009 (other), Antivirus Pro 2010 (other).
44. Program:Win32/Antivirus2009 – Aliases: Win32/Adware.XPAntivirus (ESET), FakeAlert-AB.gen (McAfee), MalwareWarrior (other), Antivirus2009 (other).
45. Program:Win32/AntiSpywareDeluxe – Aliases: Adware.Fakealert-134 (Clam AV), Win32/Adware.AntiSpywareDeluxe (ESET), FraudTool.Win32.AntiSpywareDeluxe.a (Kaspersky), AntispyDeluxe (Symantec), TROJ_RENOS.CP (Trend Micro).
49. Win32/InternetAntivirus – Aliases: InternetAntivirus (Symantec), General Antivirus (other), Personal Antivirus (other), not-a-virus:FraudTool:Win32.GeneralAntivirus.b (Kaspersky), Mal/FakeAV-AC (Sophos), TrojanDownloader:Win32/Renos.gen!Z (other), Fraudtool.GeneralAntivirus.C (VirusBuster), Internet Antivirus Pro (other).
50. Trojan:Win32/Antivirusxp – Aliases: Antivirus XP 2008 (other), Win32/Adware.WinFixer (ESET), Generic FakeAlert.a (McAfee), W32/WinFixer.BTB (Norman), Troj/FakeAV-AB (Sophos), AntiVirus2008 (Symantec), Program:Win32/Antivirusxp (other).
55. Trojan:Win32/WinSpywareProtect – Aliases: Win32/Adware.WinSpywareProtect (ESET), Trojan-Downloader.Win32.FraudLoad.aob (Kaspersky), WinSpywareProtect (Symantec), Program:Win32/WinSpywareProtect (other), Trojan.FakeAV.GP (BitDefender), Win32/Adware.MSAntispyware2009 (ESET), Packed.Win32.Katusha.a (Kaspersky), FaleAlert-BV (McAfee), Adware/MSAntiSpyware2009 (Panda), Fraudtool.MSAntispy2009.A (VirusBuster), MS Antispyware 2009 (other), AV Antispyware (other), Extra Antivirus (other).
56. Program:Win32/Fakerednefed – Aliases: WinDefender 2008 (other), Program:Win32/Defendwin (other), Program:Win32/Windefender (other).
61. Win32/FakeSpypro – Aliases: FakeAlert-C.dr (McAfee), SpywareProtect2009 (Symantec), Troj/FakeAV-LS (Sophos), Win32/Adware.SpywareProtect2009 (ESET), .Win32.FraudPack.kho (Kaspersky), Spyware Protect 2009 (other), Antivirus System Pro (other), Security Central (other), Barracuda Antivirus (other).
62. Trojan:Win32/FakeCog – Aliases: Win32/Adware.CoreguardAntivirus (ESET), not-a-virus:FraudTool.Win32.CoreGuard2009 (Kaspersky), FakeAlert-FQ (McAfee) , W32/Renos.FIP (Norman) , Mal/TDSSPack-L (Sophos), CoreGuardAntivirus2009 (Symantec), Fraudtool.CoreGuard2009.A (VirusBuster), CoreGuard Antivirus 2009 (other).
67. Program:Win32/AntiSpywareExpert – Aliases: Win32/Adware.AntiSpywareMaster (ESET), Generic.Win32.Malware.AntiSpywareExpert (other), WinFixer (McAfee), AVSystemCare (Symantec), AntiSpywareExpert (Trend Micro), not-a-virus:FraudTool.Win32.AntiSpywareExpert.a (Kaspersky).
68. Program:Win32/VirusRanger – Aliases: VirusRescue (Symantec) .
73. Program:Win32/SpySheriff – Aliases: Win32.TrojanDownloader.IEDefender (Ad-Aware), MagicAntiSpy (Sunbelt Software), Adware.SpySheriff (Symantec), SpyShredder (Symantec), IEDefender (other), Malware Destructor (other), SpySheriff (other), SpyShredder (other).
74. Program:Win32/Antispycheck – Aliases: Win32/Adware.AntiSpyCheck (ESET), AntiSpyCheck (Symantec).
75. Program:Win32/SpywareIsolator – Aliases: not-a-virus:FraudTool.Win32.SpywareIsolator.ad (Kaspersky), SpywareIsolator (Symantec).
79. Trojan:Win32/FakeVimes – Aliases: FakeAlert-CQ (McAfee), Extra Antivirus (other), Ultra Antivirus 2009 (other), Malware Catcher 2009 (other), Virus Melt (other), Windows PC Defender (other).
80. Program:Win32/PCSave – Aliases: Win-Trojan/Pcsave.339456 (AhnLab), PCSave (McAfee).
85. Trojan:Win32/FakeIA.C - Aliases: Win32/FakeAlert.RW (CA), Dropped:Trojan.FakeAv.DS (BitDefender), FakeAlert-AB (McAfee), Trojan.Fakeavalert (Symantec), not-a-virus:FraudTool.Win32.Delf.d (Kaspersky).
91. Program:Win32/AdvancedCleaner – Aliases: AdvancedCleaner (Symantec).
92. Program:Win32/FakePccleaner - Aliases: Program:Win32/Pccleaner (other), Win32/Adwrae.PCClean (ESET), Backdoor.Win32.UltimateDefender.hu (Kaspersky), PCClean (Symantec), Program:Win32/UltimateCleaner (other).
94. Program:Win32/WareOut – Aliases: WareOut (McAfee), W32/WareOut (Norman), WareOut (Sunbelt Software), SecurityRisk.Downldr (Symantec), Adware.Wareout (AVG).
97. Trojan:Win32/FakeSpyguard – Aliases: Spyware Guard 2008 (other), Win32/Adware.SpywareGuard (ESET), FakeAlert-BM (McAfee), SpywareGuard2008 (Symantec), ADW_SPYWGUARD (Trend Micro), System Guard 2009 (other), Malware Defender 2009 (other).
103. Trojan:Win32/Fakeinit – Aliases: Trojan.FakeAlert.AUW (BitDefender), Win32/FakeAV.ABR (CA), Fraudtool.XPAntivirus.BCVY (VirusBuster), Adware/AntivirusXPPro (Panda), AntiVirus2008 (Symantec), Advanced Virus Remover (other), Win32/AdvancedVirusRemover.G (CA).
109. Adware:Win32/SpyAxe – Aliases: VirusHeat (other), ControVirus (other).
110. Program:Win32/Awola – Aliases: not-virus:Hoax.Win32.Avola.a (Kaspersky), Generic FakeAlert.b (McAfee), W32/Awola.A (Norman), Awola (Symantec), JOKE_AVOLA.D (Trend Micro).
114. Program:Win32/UltimateDefender – Aliases: Ultimate (McAfee), UltimateDefender (Symantec), ADW_ULTIMATED.ME (Trend Micro), Risktool.UltimateDefender.A.Gen (VirusBuster), Adware.UltimateX-15 (Clam AV), Win32/Adware.UltimateDefender (ESET).
Microsoft Security Essentials 1.0 can be downloaded for free via this link.