Fake Antivirus Software Uses Ransom Threats

Fake antivirus programs appear to be adopting some of the money-raising tactics of more threatening ransom malware, security company Fortinet's latest threat report has found.

The most prevalent malware variant during August was TotalSecurity W32/FakeAlert.LU!tr, a malicious program that masquerades as antivirus software in order to sell worthless licenses for non-existent malware. On its own it accounted for 37.3 percent of all malware threats detected by the company during the month.

Unlike standard fake antivirus programs, however, the new version of TotalSecurity takes the ruse a stage further by preventing any applications other than a web browser to run, claiming they are "infected." The user is invited to have the infection cleaned by buying the bogus TotalSecurity product.

Adding an extra layer of sophistication to its arsenal -- and no doubt aware how quickly bogus antivirus software is blocked by genuine security products -- TotalSecurity can now vary the downloads it feeds to target PC using server-side polymorphism. Put another way, the exact version downloaded to a victim's PC will constantly change which makes detection harder.

"This is a technique typically seen with botnets, such as Waledac, and has been picked up by the developers of TotalSecurity. This is another example of how relying purely on antivirus is not a silver-bullet approach to protecting systems from infection," said Fortinet's threat research head, Derek Manky.

According to Fortinet, such attacks demonstrate the vulnerability of PC-based antivirus software. A layered defence would have a better chance of detecting TotalSecurity by either intercepting the initial spam used to spread it or by blocking the download website.

Once rare enough to be a curiosity, malware using threats and direct interference with a PC's operation have slowly become more common.

A previous report from Fortinet in March noted a sudden surge in the technique, about a year after the first aggressive use of ransomware in the form of the notorious Vundo Trojan. That particular piece of malware used crude encryption of a victim's files.

In July came news of the odd Krotten Trojan that disables a victim's PC in a variety of ways before asking for a tiny payment to be made to a Ukrainian mobile phone network. Two months before that researchers in Japan discovered the Kenzero porn blackmail Trojan that threatens to post a victim's embarrassing browsing history to a public website.

Subscribe to the Security Watch Newsletter

Comments