Fake Antivirus

What is Fake Antivirus?


Having antivirus software as part of a total security package is one of the best ways to keep computers safe from malware and other intrusions. However, even the best protection money can buy cannot prevent people from being duped by the tricks cybercriminals use to circumvent it.

One of the fastest-growing methods cybercriminals use to disseminate malware is fake antivirus software. Fake antivirus software can be a program that claims to be antivirus software but does little or no work, or it can be a Trojan horse, disguised in order to implant malware onto a computer. Its purpose is to scare the user and extract a payment.

Cnet.com recently reported that 15 percent of all malware is currently fake antivirus software. One major reason is that real antivirus software is becoming so advanced that in some cases it can detect the browser and operating system installed on the PC and adjust to the current interface. For new, as yet undetected versions of fake antivirus malware, the Norton AntiVirus download features SONAR Behavioral Protection, which tracks a file to see if it behaves suspiciously, and Norton Reputation Service, which looks at clues, such as when a file was created and where it was located, to determine if it’s a threat.


Social engineering

Fake antivirus software can get around powerful protection because of social engineering. Social engineering is the term used to describe the act of tricking an unsuspecting person into giving up information or money. In the digital world specifically, the trick is carried out remotely.

By its nature, the scheme depends on a computer-using public that knows enough to realize it needs antivirus software to keep its computers safe, but not enough to understand how malware works.

For instance, there’s absolutely no way a paid advertisement on a Web site (whether a display ad or a pop-up ad) can determine if a single computer has a virus. However, people will still click on an ad that says “Your computer needs to run a scan immediately! Click here to download our antivirus software!” This type of social engineering is known as “scareware.” It’s not just happening on disreputable sites, either. One day in 2009, NYTimes.com readers complained that just such a pop-up ad was appearing on their Sunday online edition, according to Cnet.com.

Cnet.com also reported the staggering statistic that half of all malware from online advertising was being delivered onto computers in this fashion.


Trojan horses

There’s also the Trojan horse method of delivering this type of rogue security software. The Trojan horse method involves delivering the malware in a package that seems to be either beneficial or desired, so that the computer user freely accepts it.

With this method, the offending program is brought onto the computer and poses as genuine antivirus software, giving the user warnings about malware on the computer. Some of these programs have become so advanced that they can determine the operating system of the targeted computer and mimic its built-in antivirus software.

Other types of Trojan horse methods include:

  • Attached to software shared on peer-to-peer download sites;
  • As part of an archive file, an image, or a screensaver attached to an e-mail;
  • A Web site browser extension or plug-in (usually downloaded from a toolbar);
  • Slipped in through free online malware scanners;
  • An add-on required to play a video clip.

Other ways fake antivirus malware can be deposited onto a computer include “drive-by downloads,” which occur when there is weak or no firewall protection, and SEO poisoning, which pushes infected Web sites to the top of search engine results.


Other tricks

Once this type of malware is embedded on a computer, it may do the following:

  • Disable parts of the operating system software to prevent itself from being uninstalled. At this point, it could also block access to real antivirus Web sites, disable automatic updates, and prevent real antivirus software from running.
  • Change security settings and registry entries, then “notify” the user.
  • Display a mock-up that looks like the computer has crashed and rebooted.
  • Alert the user that there is malware (such as a virus, spyware, or a Trojan) when there is none.
  • Carry a name similar to trustworthy titles, such as MS Antivirus (similar to Microsoft Antivirus) and Antivirus 2008 or Anti Virus 2010 (similar to Norton AntiVirus 2008 and 2010).
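
A check for the "block access to real antivirus Web sites" behaviour listed above, added here as an example and not part of the original article. It assumes the blocking is done through hosts-file overrides, a mechanism the article does not name; the vendor domain watchlist and the sample hosts file are constructed for illustration.

```python
import ipaddress

# Assumed watchlist of security-vendor and update domains (illustrative only).
VENDOR_DOMAINS = {"norton.com", "symantec.com", "microsoft.com", "windowsupdate.com"}

# Constructed sample hosts file, not taken from a real infection.
SAMPLE_HOSTS = """\
# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.norton.com  liveupdate.symantec.com   # constructed entry
0.0.0.0         update.microsoft.com
203.0.113.7     download.windowsupdate.com
192.168.1.20    fileserver.corp.example
"""

def is_vendor_host(name):
    """True if name equals, or is a subdomain of, a watched vendor domain."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in VENDOR_DOMAINS)

def classify(addr):
    """Label where a hosts-file override sends the traffic."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback or ip.is_unspecified:
        return "blocked"       # sinkholed locally: the site appears unreachable
    return "redirected"        # sent to some other host instead of the vendor

def scan_hosts(text):
    """Return (line_no, hostname, address, verdict) for each vendor-domain override."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].split()    # drop comments, split on whitespace
        if len(entry) < 2:
            continue
        addr, names = entry[0], entry[1:]
        try:
            verdict = classify(addr)
        except ValueError:
            continue                             # not a valid address: skip the line
        findings += [(line_no, n.lower(), addr, verdict)
                     for n in names if is_vendor_host(n)]
    return findings

if __name__ == "__main__":
    for finding in scan_hosts(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % finding)
```

On Windows the file to pass to `scan_hosts` is normally `%SystemRoot%\System32\drivers\etc\hosts`; any finding for a vendor or update domain on a home PC deserves a closer look.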

What Does Fake Antivirus Look Like?

Below are images of some pieces of fake antivirus malware. Looking at these images, you'll see how different scare techniques have been used to convince users to accept the malware's claims.


Fake Antivirus 2008 system scan showing nonexistent malware on a user's computer:

[Image: Fake Antivirus 2008 Scan]



Fake XP AntiSpyware 2009 installer:

[Image: Fake XP AntiSpyware 2009 Installation]


Fake XP AntiSpyware 2009 shows nonexistent registry items and some adware:

[Image: Fake XP AntiSpyware 2009 scan]


Then, fake XP AntiSpyware 2009 shows a warning about files that should be cleaned, and offers to clean them through paid registration. All of it is invented to scare the user into paying:

[Image: Fake XP AntiSpyware 2009 pushing for a payment]



As time passed, fake antivirus makers improved their scareware. Here is a fake Antivirus 2010 pop-up reminding the user about an update, pretending to be regular antivirus software:

[Image: Fake Antivirus 2010 Alert]


Then, it falsely shows the Windows operating system warning the user to register Antivirus 2010 in order to be protected:

[Image: Fake Antivirus 2010 Claim]


Here, fake Antivirus 2010 alerts the user about nonexistent spyware and tries to scare them by pointing to password theft and mentioning online banking:

[Image: Fake Antivirus 2010 Spyware Alert]



Fake Antivirus 360 showing nonexistent spyware and a Trojan on a system:

[Image: Fake Antivirus 360]



There are many more examples of fake antivirus and antispyware malware. It is very important to be vigilant and to think twice before falling into their scareware traps. In some cases, fake antivirus will not even claim that the user's system is infected, but will just prompt for a payment to get it registered, just as regular antivirus software would.


Avoiding fake antivirus software

There are two main ways to prevent being fooled by fake antivirus software. The first is to learn the tricks. Cybercriminals who use this method rely on ignorance to make it successful. The only way to counteract that is to become educated.

The other way is to start off by buying reputable, subscription-based antivirus software, such as Norton AntiVirus. As mentioned earlier, some fake antivirus software may disable real security software, but a quality program will prevent the attacks from happening to begin with.

In the end, the best approach is to combine the two: have your own knowledge, and use the knowledge of companies that specialize in computer security and make software such as antivirus.


