New Variants of Fake Anti-Virus Software (Aug 5, 2009)

Rogue anti-virus software comes in many different names, some of which are Antivirus Plus, Advanced Virus Remover, Secret Service, Antivirus Agent Pro, etc. However, their behavior is very similar.

Once installed, the rogue software starts to scan the user’s system immediately. After the scan, reports of non-existent threats are presented to the user as a scare tactic.

The reports usually list many fake high-risk infections, which prompts the user to click the "remove threats" button in the anti-virus window. When this button is clicked, the user gets license or registration errors instead.

The user is thus pushed to buy the software in order to remove the supposed infections from the system. Licenses are sold on a website that opens when the user clicks the "get license" button. These websites usually advertise huge discounts, lifetime support, a money-back guarantee, etc.

SonicWALL is blocking the four variants named above with these signatures: GAV: SecretService_2 (Trojan), GAV: AntiVirusAgentPro (Adware), GAV: AdvancedVirusRemover.A_3 (Adware), GAV: AntiVirusPlus.KV (Trojan).

Here are screenshots of two fake AV software's main windows:

[screenshots: main1, main2]

Here's how fake AVs report non-existent threats:

[screenshots: rep1, rep2, rep3]

Here's how fake AVs try to sell their licenses:

[screenshots: lic1, lic2, lic3]

The SonicWALL UTM Research team is proactively scanning domains that host fake anti-virus variants. We create signatures for each variant we find.

Here are statistics for some of those signatures:

[screenshots: sig1, sig2, sig3]
