How To Spot Fake AV Malware

So you’re surfing the internet, minding your own business, and suddenly a message pops up that warns “you’re infected”. Is it true? Sometimes. Unfortunately, these days fake AV software looks more real than ever.

Here’s a good example of some fake AV that looks fairly convincing:

[image: fake AV alert]

At first glance, a lot of people see this and believe they’re actually infected.

To make matters worse, even if you don’t click on the “Erase infected” button, after a few moments another window pops up:

[image: fake AV follow-up prompt]

Sadly, many users click “Yes, protect my PC now” and then it’s too late.

How Can You Tell It’s Fake?

Other than the obvious (knowing the name of the REAL antivirus software you have installed and knowing what it looks like), there are numerous ways to spot the fake AV. Get a well known antivirus such as ZoneAlarm Mobile Security.

Browser version:
(This machine has IE8, Fake AV says IE7)
Wrong browser version reported

Number of drives / letters:
(This machine doesn’t have a D: drive)
Reporting infections on drives that don’t exist.

Incorrect navigation bars:
(Fake AV displays a modified Vista navigation bar on a Windows 7 machine)

Fake AV
Fake AV menu

Real Windows Vista
Real Vista menu

Real Windows 7
Real Windows 7 menu

Typos or incorrect punctuation:
(Apostrophes pointed the wrong way)

Typos in dialog boxes are a clue that the software isn’t legit.

Virus warnings that are displayed in a web page:

Web page pretending to be virus warnings

Solution:

Train your users by showing them what the REAL AV software looks like, and show them examples of what the fake software looks like.

The best way to show the real software in action is to trigger an actual virus alert. Then you can screenshot your current AV software. But instead of using a real virus to trip the alert, you can use the EICAR test file.

The EICAR test file is a harmless file that is available in several different file formats:
EICAR virus test file

Here’s what it looks like inside the eicar.com.txt file:
Inside the EICAR file

You can use the EICAR file to generate end-user documentation on what your real AV software screens look like.
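As an added example (not from the original post, and not code from eicar.org), the script below builds the four standard EICAR test files that eicar.org publishes and checks that what you produce actually conforms to the EICAR specification before you drop it in front of your AV. It assumes only the public spec: a 68-byte printable ASCII string, optionally followed by whitespace up to 128 bytes total, distributed as eicar.com, eicar.com.txt, eicar_com.zip (eicar.com inside a zip) and eicarcom2.zip (that zip inside another zip). The output directory name is my own choice.

```python
"""Generate and validate the standard EICAR anti-virus test files.

Added example, not from the original post. It assumes only the public
EICAR specification: the test string is 68 printable ASCII bytes, the
file may carry trailing whitespace up to a total of 128 bytes, and the
four files published by eicar.org are eicar.com, eicar.com.txt,
eicar_com.zip (eicar.com inside a zip) and eicarcom2.zip (that zip
inside another zip).
"""
import hashlib
import io
import zipfile
from pathlib import Path

# The 68-byte test string is assembled from pieces so that this source
# file is not itself quarantined before it can run; the joined value is
# the EICAR string exactly as specified. Note the third character is the
# letter O, not the digit zero (a common copy-paste mistake).
_PARTS = (
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
    "EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
    "!$H+H*",
)
EICAR_LEN = 68
MAX_LEN = 128
# SHA-256 of the bare 68-byte file as published by eicar.org.
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"


def eicar_bytes() -> bytes:
    """Return the 68-byte EICAR test string."""
    return "".join(_PARTS).encode("ascii")


def is_valid_eicar(data: bytes) -> bool:
    """True if data is a spec-conformant EICAR file: the 68-byte string,
    optionally followed by whitespace, with a total length of at most 128."""
    if len(data) > MAX_LEN:
        return False
    return data.rstrip(b" \t\r\n") == eicar_bytes()


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of data, for comparing against the published hash."""
    return hashlib.sha256(data).hexdigest()


def zip_in_memory(name: str, payload: bytes) -> bytes:
    """Return a zip archive (as bytes) holding a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def zip_member_names(data: bytes) -> list:
    """List the member names of an in-memory zip archive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def build_variants() -> dict:
    """Build the four standard variants, keyed by the eicar.org file name."""
    plain = eicar_bytes()
    inner_zip = zip_in_memory("eicar.com", plain)
    return {
        "eicar.com": plain,
        "eicar.com.txt": plain,
        "eicar_com.zip": inner_zip,
        "eicarcom2.zip": zip_in_memory("eicar_com.zip", inner_zip),
    }


def write_variants(out_dir: str) -> list:
    """Write the variants into out_dir and return the paths written.
    Expect the resident AV to react as soon as the files land on disk;
    that reaction is what you screenshot for user documentation."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for name, data in build_variants().items():
        path = out / name
        path.write_bytes(data)
        written.append(str(path))
    return written


if __name__ == "__main__":
    for name, data in build_variants().items():
        print(f"{name:15} {len(data):5d} bytes  sha256={sha256_hex(data)}")
    print("plain file valid:", is_valid_eicar(eicar_bytes()))
    typo = eicar_bytes().replace(b"X5O", b"X50", 1)
    print("zero-for-O typo valid:", is_valid_eicar(typo))
```

Running the script only prints the variants and their hashes; call `write_variants("eicar_out")` when you actually want the files on disk to trigger the alert. The `is_valid_eicar` check matters because a file that is off by one character (a zero for the letter O, a stray byte past the 128-byte limit) looks right but triggers nothing, which leaves you assuming the AV is broken when the test file is.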

Example: Microsoft Security Essentials

1) Initial “infection” (triggered by clicking on the eicar.com.txt file)

Microsoft Security Essentials - Virus found

2) After clicking Show details

Microsoft Security Essentials - Show Details

3) After clicking Clean computer

Microsoft Security Essentials - Virus removed

You can create a one-sheet “Virus Response Document” to print out and give to your users and include your phone number on the bottom. A little education up front can save lots of lost time and expense cleaning up after an infection or fake AV software removal battle.


Free Event – Trend Micro in Cincinnati Aug 21, 2010

Trend Micro is coming back to Cincinnati, Ohio again for some FREE training on the new Worry Free v7:

Event: Cincinnati SBS SIG – Trend Micro Live Training
Date: Saturday August 21, 2010
Time: 9:00 AM – 4:00 PM EDT
Venue: Max Technical Training
4900 Parkway Drive, #160
Mason, OH 45040
Registration URL: http://www.zoomerang.com/Survey/WEB22AY73GFTUS

This is an all-day event, and lunch will be provided courtesy of Trend.

Seating is limited so REGISTER TODAY!


Free Event – Trend Micro in Cincinnati May 22, 2010

Bill Kam of Trend Micro is coming to Cincinnati to give a FREE live in-person training on Trend’s Worry Free products: best practices for install/configure, how to protect from things like “fakeav”, and new tools for the partner/IT Pro to use as well. He may cover some of the Worry Free 7 info shown recently in Taipei. There are some PPTs comparing Trend with the competition on a level playing field, showing memory and CPU utilization, that he will go over. Bill will talk about all the features in Worry Free (some that many probably are not aware of).

After the class, you can go online and take a “Certification” test (FREE), and on passing you can get some benefits like showing up in a search on their site for a reseller in the area, website badges and marketing materials (think SBSC program). Good stuff!

Lunch is included for this event!

Event: Cincinnati SBS SIG – Trend Micro Live Training
Date: Saturday May 22, 2010
Time: 9:00 AM – 4:00 PM EDT
Venue: Max Technical Training
4900 Parkway Drive, #160
Mason, OH 45040
Registration URL: http://cinpa20100522.eventbrite.com/
