Thursday, February 24, 2011

The Life of a FakeAV

 FakeAVs bring in a lot of money for malware creators. The creators of the FakeAV AntivirusXP had to pay the FTC $8.2 million, which shows that an app that does nothing can pull in lots of money.

 1. The life of a FakeAV starts with someone creating an app that locks a user out of their machine and then shows alerts saying the computer is infected and they need to pay to get it cleaned. FakeAVs can be grouped into families, because most of them are the same apart from the name. The FakeAV is built so that it locks you out of your machine and only allows itself and the web browser to launch.

  You may be wondering why FakeAVs normally have such low detection rates with antivirus products. Before each one is launched, the malware writers change the code around just enough that a majority of AV products will not detect it, and by the time a majority are detecting it, the FakeAV has already been changed again.

 2. Next it's time for it to get distributed. In my own personal lab research (and live experience), FakeAVs display a fake scan page saying your PC is infected and you need to download (FakeAV name) to clean the problems. They normally take over your page through an infected ad or a hacked ad. For about a day or two, a site a member of my family normally goes to got hit with a hacked ad. I finally just decided I would install an ad blocker on every PC in the house so they can use the site peacefully and I won't have to worry about cleaning up after the FakeAV.

    Another thing some FakeAVs have in common is the URL layout. I was doing my quick check over some malware URL sites and noticed a very common layout for the SecurityMaster FakeAV family. Each SecurityMaster URL looks like this: someurl/masterav2/avmast(numbersgohere).exe, and a major amount of the FakeAVs in the SecurityMaster family follow that pattern.
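As an added example (not code from the original post), the URL layout just described can be turned into a quick proxy-log check: parse each requested URL, and flag any whose path is masterav2/avmast<digits>.exe regardless of host. The directory and file-name prefix are the ones from the post; the four-field log format, the `.invalid` hostnames and the case-insensitive matching are assumptions made for this example, and the log lines are constructed.

```python
import re
from urllib.parse import urlparse

# Path layout the post describes for the SecurityMaster family:
# /masterav2/avmast<numbers>.exe on any host. Case-insensitive matching is
# an assumption for this example (the post does not say how case varies).
SECURITYMASTER_PATH = re.compile(r"^/masterav2/avmast(?P<id>\d+)\.exe$", re.IGNORECASE)


def classify_url(url):
    """Return the numeric id from a SecurityMaster-style URL, or None if no match.

    Only the path is inspected, so query strings and the host name do not
    affect the result.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return None
    m = SECURITYMASTER_PATH.match(parsed.path)
    return m.group("id") if m else None


def scan_log(log_text):
    """Scan a simple proxy log and return (client, url, id) for each matching request.

    Assumed log format (constructed for this example): "<client> <method> <url> <status>".
    Lines that do not have exactly four fields are skipped.
    """
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        client, _method, url, _status = fields
        build_id = classify_url(url)
        if build_id is not None:
            hits.append((client, url, build_id))
    return hits


# Constructed sample log; hosts use the reserved .invalid TLD.
SAMPLE_LOG = """\
10.0.0.12 GET http://example-host.invalid/masterav2/avmast3821.exe 200
10.0.0.15 GET http://example-host.invalid/news/index.html 200
10.0.0.12 GET http://other-host.invalid/MasterAV2/AVMAST17.EXE 200
10.0.0.20 GET http://example-host.invalid/masterav2/readme.txt 404
10.0.0.21 GET http://cdn.invalid/masterav2/avmast12.exe?x=1 200
"""

if __name__ == "__main__":
    for client, url, build_id in scan_log(SAMPLE_LOG):
        print(f"{client} fetched SecurityMaster build {build_id}: {url}")
```

A path-layout check like this only catches the naming scheme in use today; the families change their code and, eventually, their layout, so treat it as one layer alongside DNS filtering and an updated antivirus rather than a complete answer.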

3. The life of a FakeAV is always changing: by the time one FakeAV is finished and out infecting machines, the next one is already being created. It's a cycle that keeps going day after day, so I highly recommend a layered security setup to stay safe from the quickly changing FakeAVs.
 Some suggestions:

  Anti-malware DNS services: Anti-malware DNS services (like Sunbelt ClearCloud) block the domains the FakeAV is served from, so it is stopped before it even gets onto your machine. They can also be updated instantly in the cloud to protect you against new threats.

  Ad blockers: When browsing a new site I highly recommend the use of ad blockers. Now some say ad blockers are bad because they prevent the website you are going to from making money; however, I say use them until you trust the site enough. I keep the ad blocker on all the time but whitelist the sites I trust.

  Antivirus: Use an antivirus; if you can't buy one, lots of free ones exist for you to use. Make sure you keep it updated, and if it's paid, keep the subscription active.
