Fake Infection Warnings Can Be Real Trouble

Michael Vana knew something was up when he saw the pop-up from "Antivirus 2009" in the middle of his screen. The former Northwest Airlines avionics technician guessed that the dire warning of a system infection was fake, but when he clicked on the X to close the window, it expanded to fill his screen. To get rid of it, he had to shut down his PC.

Sound familiar? Dirty tricks like these, designed to get you to install and buy fake antivirus products, are more common than ever. (For advice on how to proceed if you've installed a phony antivirus on your PC, see "Antivirus 2009: How to Remove Fake AV Software.") But while you might recognize such warnings as bogus, you might not know that the fake warning could be a red alert about an underlying bot malware infection. Knowing the difference is key.

"It's not something you even blink at anymore," says Christopher Boyd, senior director of malware research for communications security company FaceTime Communications, of requests for help in dealing with these warning pop-ups.

The increased incidence of these pop-ups is due to more crooks going after easy money from shady affiliate programs, which pay a huge cut of the profits--up to 90 percent--for every person who mistakenly forks over money for a fake program, regardless of what in­­duced them to pay. Often, the inducement comes from a malicious Web site that uses JavaScript tricks to toss up a bunch of pop-ups, or even resize the viewer's browser window, to create something that looks like a real antivirus scan.

You might reach such a site by using a bad search link, like the one Boyd clicked for a free online Batman game. He got redirected to a site that took over his browser to display a fake AV scan, which then found (fictitious) critical infections that could be fixed by purchasing the rogue antivirus program.

If a site merely hijacks your browser, you don't have to worry too much: The pop-ups or fake scanner windows don't cause lasting damage, Boyd says. You might be prevented from closing the window, as Michael Vana was, but you can usually bring up the Windows Task Manager with Ctrl-Alt-Delete and close your browser that way. Sometimes just hitting Alt-F4 will shut it down.

"To do this, [the fake site] uses real code, and doesn't generally exploit a hole," Boyd says. As long as you don't pan­ic and install the pushed program, no real harm occurs.

Bot-Based Fake Antivirus

Unfortunately, the other way you might en­­counter a fake antivirus program is far worse.

Joe Stewart, a director of malware research with SecureWorks, a security services company for businesses, tracks bot malware for a living. Criminals use bot-infected computers, sometimes gathered into huge networks (called botnets) of a hundred thousand or more systems, to send spam across the globe. But they also use bots to download rogue antivirus programs and other malware onto a victim's PC.

"It's a proven way of monetizing a botnet," says Stewart. "Just about anybody with an already-deployed botnet is potentially looking at this as a way to make extra money."

According to Stewart, crooks make that money either by getting someone to download a supposed trial version of the rogue AV--co-opting a legitimate software sales technique--or by installing that software behind-the-scenes with a bot.

Once installed, the rogue typically uses highly aggravating techniques, such as changing the Windows desktop background to warn of a supposed infection and displaying constant other warnings, to push you to buy the full version of the software.

You might know not to download rogue AV in response to a spurious browser pop-up. But when instructed to download it by a malicious controller, a hidden bot will never give you the chance to apply your good sense.

If you follow basic security precautions, such as keeping your bona-fide antivirus software up-to-date and being careful with e-mail attachments and downloads, you can significantly reduce the odds of getting infected with a bot or other malware. But if you do see pop-ups or other fake warnings from rogue AV on your computer, it's a good idea to try to determine whether it's from a site or from actual software installed by a bot (or by someone else who uses the PC).

Possibilities Endless

There are many variations on the fake software scam, and crooks' tactics vary, so there is no universal indicator that one is present. But watch out for warnings that persist after you reboot your PC, especially if you see them before you open your browser. Seeing an unfamiliar warning icon in your system tray is another bad sign, particularly if you can't right-click it and make it go away. And if your desktop background has changed, you're definitely infected with the rogue antivirus, says Boyd.

As to the source of this garbage, here's a clue. One variety that Stewart examined, then called "Antivirus XP 2008," would first check the PC's system configuration to see whether it was located in a country with many ethnic Russians. It would also examine the user's Internet Explorer for visits to the Russian version of Google. If it encountered any such evidence, the installer would immediately quit without afflicting the potential victim. According to Stewart, that's "enough to pretty much guarantee that Russian-speaking users will not ever see an Antivirus XP 2008 install." But Internet users outside of the former Eastern Bloc had better watch out.

Subscribe to the Security Watch Newsletter

Comments