the dangers of fake antivirus software

The dangers of fake AntiVirus software Quick Heal Technologies Private Limited

Upload: quick-heal-technologies-pvt-ltd

Post on 06-Aug-2015



TRANSCRIPT

Page 1: The dangers of fake antivirus software

The dangers of fake AntiVirus software

Quick Heal Technologies Private Limited

Page 2: The dangers of fake antivirus software

Agenda For the Webinar

What is a fake AntiVirus

How does a fake AntiVirus spread

Behavior of fake AntiVirus

Avoiding fake AntiVirus

How can Quick Heal help

Page 3: The dangers of fake antivirus software

What is a fake AntiVirus?

Fake AntiVirus is security software which pretends to find dangerous security threats—such as viruses—on your computer

The initial scan is free

If you want to clean up the reported “threats”, you need to pay

The reported “threats”, in reality do......

Page 4: The dangers of fake antivirus software

Not Exist

Page 5: The dangers of fake antivirus software

Users end up paying money for fixing problems which do not exist.

Page 6: The dangers of fake antivirus software

Some Examples

Page 7: The dangers of fake antivirus software

How does a fake AntiVirus spread

Page 8: The dangers of fake antivirus software

How does a fake AntiVirus spread

• Black Hat SEO

Fake music download pages require a user to download a codec

The codec is actually an executable file of the fake AntiVirus

Fake AntiVirus authors ensure that links for fake AntiVirus download sites feature prominently in search results when a user searches for 'AntiVirus' using a search engine

Page 9: The dangers of fake antivirus software

How does a fake AntiVirus spread

• Spam Campaigns

Fake AntiVirus is often sent directly as an email attachment or as a link in a spam message

Spam messages are generally sent through emails and instant messaging platforms or chat applications

Social engineering techniques are used in the messages to trick users into taking desired actions

Page 10: The dangers of fake antivirus software

How does a fake AntiVirus spread

• Some classic spam campaigns

Account suspension scams

Ecard scams

Password reset scams

Package delivery scams

Page 11: The dangers of fake antivirus software

How does a fake AntiVirus spread

• Fake AntiVirus downloads by other malware

Fake AntiVirus can be downloaded onto a machine by other types of malware

A pay-per-download model exists in which hackers are paid to infect users’ computers

Page 12: The dangers of fake antivirus software

How does a fake AntiVirus spread

• Drive-by download attack

A website is prepared with malicious scripts that exploit vulnerabilities in the web browser or one of its plugins

The fake AV malware is installed automatically, without the user’s knowledge or consent

Page 13: The dangers of fake antivirus software

Behavior of a fake AntiVirus

Page 14: The dangers of fake antivirus software

Behavior of a fake AntiVirus

• Registry Installation

Creates a registry entry that will run the executable on system startup

The installer is often copied into the user’s profile area or temporary files area on the system

A run key entry is then created in the registry that will run the file when the system starts up
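A defender can check for the pattern this slide describes by listing Run key values whose executable sits in the user's profile or temporary files area. The following is an added example, not part of the Quick Heal presentation; the `reg query` output is a constructed sample, and the function names `command_path` and `suspicious_run_entries` are hypothetical.

```python
import re

# Constructed sample of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
# output; value names and file paths are invented for illustration.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    SecurityShield    REG_EXPAND_SZ    %TEMP%\avsetup_8841.exe /min
    SysGuard    REG_SZ    C:\Users\alice\AppData\Roaming\sysguard\sg.exe
"""

# reg.exe prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(
    r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_(?:EXPAND_)?SZ)\s{4}(?P<data>.+)$"
)

# Locations the slide names: the user's profile area and temporary files area.
USER_WRITABLE = re.compile(
    r"^(%(temp|tmp|appdata|localappdata|userprofile)%"
    r"|[a-z]:\\users\\|[a-z]:\\windows\\temp\\)",
    re.IGNORECASE,
)

def command_path(data):
    """Return the executable part of a Run value, dropping any arguments."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    # Unquoted command line: cut at the first executable/script extension.
    m = re.match(r"(.+?\.(?:exe|com|scr|bat|cmd|vbs|js))(?:\s|$)", data, re.IGNORECASE)
    return m.group(1) if m else data.split(" ", 1)[0]

def suspicious_run_entries(reg_output):
    """List (value name, path) pairs whose target is in a user-writable area."""
    findings = []
    for line in reg_output.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue  # key header or blank line
        path = command_path(m.group("data"))
        if USER_WRITABLE.match(path):
            findings.append((m.group("name"), path))
    return findings

if __name__ == "__main__":
    for name, path in suspicious_run_entries(SAMPLE):
        print(f"review: {name} -> {path}")
```

Legitimate per-user installers also start from these locations, so each hit is a candidate for review rather than a verdict.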

Page 15: The dangers of fake antivirus software

Behavior of a fake AntiVirus

• Fake Scanning

Pretends to scan the computer and find non-existent threats

Sometimes, it even creates files full of junk that will then be detected

A run key entry is then created in the registry that will run the file when the system starts up

Page 16: The dangers of fake antivirus software

Behavior of a fake AntiVirus

• Register and Activate

Once the fake threats have been discovered, users are told they must register or activate

Credit card details and other details are captured on the registration website

These pages look convincing with the use of logos, trademarks etc.

Page 17: The dangers of fake antivirus software

Behavior of a fake AntiVirus

• Other undesired actions

Process termination

Webpage redirection

Installation of more malware

Page 18: The dangers of fake antivirus software

How to identify a fake AntiVirus software

Page 19: The dangers of fake antivirus software

How to identify fake AntiVirus software

Exaggerated Notifications

Pay Per Clean

Every Scan Detects Infections

Bucket Full of Alerts and Notifications

Google is not Speaking Well About it

Page 20: The dangers of fake antivirus software

Threat to mobile devices

Page 21: The dangers of fake antivirus software

Not just desktop....

Fake AntiVirus also affects mobile devices

A few months ago, Quick Heal detected this Android malware as Android.Agent.BU. (Mobile Security)

Page 22: The dangers of fake antivirus software

Fake AntiVirus on mobile

Before installation, the application asks the user for administrator rights

It displays two options – ‘Cancel’ and ‘Activate’

Even if the user chooses the ‘Cancel’ option, the application gets installed and takes the administrator rights anyway

Page 23: The dangers of fake antivirus software

Fake AntiVirus on mobile

After the fake AntiVirus gets installed, it provides the user with multiple options for scanning the mobile device

Choosing any of these options will trigger the application to execute malicious activities in the background

Page 24: The dangers of fake antivirus software

Fake AntiVirus on mobile

• This malware is designed to perform the following activities in the background:

Stealing the information from the compromised phone and sending it to the attacker

Stealing text messages from the device’s inbox

Erasing user data from the compromised phone and even SD card data

Calling and sending SMS messages to premium numbers, without the user’s knowledge

Page 25: The dangers of fake antivirus software

Avoiding fake AntiVirus

Page 26: The dangers of fake antivirus software

Avoiding fake AntiVirus

Eliminate vulnerabilities by keeping your OS and applications updated

Be cautious about search engine results

Type the URL into the address bar

Beware of web surfing dangers

Don’t open unexpected attachments

Think about that link before you click it

Page 27: The dangers of fake antivirus software

Avoiding fake AntiVirus

• If the computer is affected

DO NOT click anywhere on the scareware message window

Press <Ctrl>-<Alt>-<Delete> (all at the same time) to bring up the Task Manager

Click on the name of the scareware program (under Applications) to highlight it and then click “End Task”

Disconnect the computer from the Internet and shut down the computer

Seek further assistance

Page 28: The dangers of fake antivirus software

How can Quick Heal help

Page 29: The dangers of fake antivirus software

Quick Heal Khareedo Gaadi Jeeto Contest

Page 30: The dangers of fake antivirus software

Write to us at: [email protected]

Follow us on:

Facebook - www.facebook.com/quickhealav

Twitter - www.twitter.com/quickheal

G+ - www.bit.ly/QuickHealGooglePlus

YouTube - www.youtube.com/quickheal

SlideShare - http://www.slideshare.net/QuickHealPPTs

Visit us:

Website - www.quickheal.com

Official Blog - blogs.quickheal.com

Page 31: The dangers of fake antivirus software

Thank You!

Page 32: The dangers of fake antivirus software

References

• http://en.wikipedia.org/wiki/Rogue_security_software

• http://blogs.quickheal.com/wp/fake-android-antivirus-alert/

• http://blogs.quickheal.com/wp/tips-to-identify-fake-antivirus/

• http://www.cs.ucsb.edu/~vigna/publications/2011_stone_abman_kemmerer_kruegel_steigerwald_vigna_FakeAV.pdf