Fake antivirus

Name

FakeAV, fake antivirus or scareware

Detection names

Mal/FakeAV-IS, Mal/FakeAV-MQ, Mal/FakeAvJs-A [Sophos]

Trojan.Win32.FakeAV.dlxo, Trojan.Win32.FakeAV.kdgm, Hoax.HTML.FakeAntivirus.ak [Kaspersky]

TR/Fakealert.aklum, TR/FakeAV.aom.2, HTML/Dldr.FakeAle.A [Avira]

Generic FakeAlert.amb, Generic FakeAlert!oj, JS/FakeAlert-AB.dldr.a [McAfee]

TROJ_FAKEAV.SMHH, TROJ_FAKEAV.SMUW, JS_FRAUDLOAD.SM [Trend Micro]

Rogue:Win32/Winwebsec, Rogue:Win32/FakeRean, Rogue:JS/FakePAV [Microsoft]

Trojan.FakeAV!gen39, FakeCloudAV2012, Trojan.FakeAV [Symantec]

Affected OS or software

Microsoft Windows
Mac OS X

Basic description

Fake antivirus software is a scam used by malware authors to sell worthless "security" software to unwitting victims. The scam typically involves a webpage or pop-up that tells the user their computer is infected with viruses or other malware, even though it is not, and then offers to clean up the infection. When the user opts to clean up, they are required to pay for a version of the fake software that will supposedly perform the cleanup. After the victim pays, the software may or may not stop showing the fake warnings.


Technical detail

Fake antivirus, also known as rogue antivirus or scareware, is one of the leading ways for malicious hackers to make money from unsuspecting Internet users. The fake antivirus software typically warns the user that they have various fictional security threats present on their computer. The warnings themselves are false but they are often backed up by believable descriptions of the supposed malware.


When the user chooses to remove the threats, they are asked to purchase or register the product and are taken to a website that collects and processes their payment details.

Fake antivirus is spread using a variety of methods, all designed to draw an unsuspecting user into installing the software.

Email and messaging
Criminals send spam email and social network messages with the software installer attached, using a social engineering lure to persuade the recipient to open the attachment. Common lures include tax refund information, package delivery notifications or pictures of topical news stories.

Search engine poisoning
Hackers create pages related to common or topical search terms and optimise them to rank high in search engine results, so that people encounter them during their normal searching. The pages either display warnings about infection that push the user to buy the fake antivirus, or offer a "video player" or codec download that is in fact the fake antivirus installer.
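The "video player that is really an installer" lure works because the user trusts the filename and the page, not the bytes. A download proxy or mail gateway can check the bytes instead. The following is an added example, not Sophos code or anything from the original page: it tests whether a downloaded blob is a Windows PE executable (MZ stub plus PE signature) and compares that with what the filename and HTTP Content-Type claim. The extension lists, container signatures, sample filenames and the minimal fake PE header are constructed for this example.

```python
import struct

# Extensions a "video player" or "codec" lure might use, and common executable extensions.
# (Constructed lists for this example; extend them for your environment.)
MEDIA_EXTENSIONS = {".avi", ".mp4", ".flv", ".wmv", ".mov", ".mpg", ".mpeg"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".msi"}
# Leading bytes of common media containers: RIFF (AVI), FLV, ASF (WMV/WMA).
MEDIA_MAGIC = (b"RIFF", b"FLV\x01", b"\x30\x26\xb2\x75")


def is_pe(data: bytes) -> bool:
    """True if data is a Windows PE image: an 'MZ' DOS stub whose e_lfanew field
    (offset 0x3C) points at the 'PE\\0\\0' signature. Checking both fields avoids
    false hits on arbitrary data that merely begins with 'MZ'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def is_media(data: bytes) -> bool:
    """True if data starts like a recognised media container. ISO BMFF/MP4 keeps its
    'ftyp' box type at offset 4, after a 4-byte size, so it is checked separately."""
    if len(data) >= 12 and data[4:8] == b"ftyp":
        return True
    return any(data.startswith(magic) for magic in MEDIA_MAGIC)


def name_extensions(filename: str) -> list:
    """All dotted suffixes of the basename, lower-cased, e.g. 'a.avi.exe' -> ['.avi', '.exe'],
    so a media extension hidden before the real one is still seen."""
    base = filename.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:]]


def classify_download(filename: str, content_type: str, data: bytes):
    """Return (verdict, reasons). Verdicts: 'media', 'executable', 'suspicious', 'unknown'."""
    exts = name_extensions(filename)
    final_ext = exts[-1] if exts else ""
    claims_media = (content_type.lower().startswith("video/")
                    or any(e in MEDIA_EXTENSIONS for e in exts))
    reasons = []
    if is_pe(data):
        if claims_media:
            reasons.append("PE executable presented as media (Content-Type or filename)")
            if len(exts) > 1:
                reasons.append("double extension: %s" % "".join(exts))
            return "suspicious", reasons
        if final_ext in EXECUTABLE_EXTENSIONS:
            return "executable", ["PE executable with an executable extension"]
        reasons.append("PE executable with non-executable extension %r" % final_ext)
        return "suspicious", reasons
    if is_media(data):
        return "media", ["media container magic matches"]
    return "unknown", ["no recognised signature"]


# Constructed sample: a minimal PE-looking header (MZ, e_lfanew -> 0x40, then 'PE\0\0').
FAKE_PE = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\x00\x00"
# Constructed sample: the start of a RIFF/AVI file.
REAL_AVI = b"RIFF\x24\x00\x00\x00AVI LIST"

if __name__ == "__main__":
    for name, ctype, blob in [
        ("news_clip.avi", "video/x-msvideo", REAL_AVI),
        ("news_clip.avi.exe", "application/octet-stream", FAKE_PE),
        ("video_codec_update.exe", "video/x-msvideo", FAKE_PE),
        ("setup.exe", "application/octet-stream", FAKE_PE),
    ]:
        print(name, "->", classify_download(name, ctype, blob))
```

An honest installer (`setup.exe`, served as an octet stream) is reported as an executable rather than as suspicious; the point is the mismatch between claim and content, which is what the lure relies on. A real gateway would hand the "executable" and "suspicious" cases to the anti-malware scanner rather than stop here.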

Compromised websites
Cybercriminals often break into legitimate websites in order to spread their software, relying on the site's existing popularity to draw in visitors. They then inject extra code into the compromised pages, again with the goal of either displaying fake security warnings or exploiting a browser vulnerability to install their software directly. Cybercriminals often combine these techniques to increase the effectiveness of the fraud.
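From the site owner's side, the injected code described above is a change to pages that should not have changed, and almost always takes the form of a new script, iframe or object pointing somewhere off-site. The following is an added example, not Sophos code or anything from the original page: it parses a page and its known-good baseline, and reports active content (external scripts, frames, inline script bodies, zero-size iframes) that the baseline did not contain. The sample pages and the hostname `redirector.example` are constructed for this example.

```python
import hashlib
from html.parser import HTMLParser


class ActiveContentCollector(HTMLParser):
    """Records the elements injected code normally adds to a compromised page: external
    scripts, iframes/objects/embeds, and inline script bodies (hashed for comparison)."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.externals = []        # (tag, src) for script/iframe/embed/object with a source
        self.inline_scripts = []   # sha256 of each inline <script> body
        self.hidden_frames = []    # iframe sources sized 0x0 or styled invisible
        self._in_inline_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            if a.get("src"):
                self.externals.append(("script", a["src"]))
            else:
                self._in_inline_script = True
                self._buf = []
        elif tag in ("iframe", "embed", "object"):
            src = a.get("src") or a.get("data")
            if src:
                self.externals.append((tag, src))
                style = a.get("style", "").replace(" ", "").lower()
                if tag == "iframe" and (a.get("width") == "0" or a.get("height") == "0"
                                        or "display:none" in style
                                        or "visibility:hidden" in style):
                    self.hidden_frames.append(src)

    def handle_data(self, data):
        if self._in_inline_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline_script:
            body = "".join(self._buf).strip().encode("utf-8")
            self.inline_scripts.append(hashlib.sha256(body).hexdigest())
            self._in_inline_script = False


def collect(html: str) -> ActiveContentCollector:
    parser = ActiveContentCollector()
    parser.feed(html)
    parser.close()
    return parser


def find_injected_content(baseline_html: str, current_html: str) -> dict:
    """Compare a page against its known-good baseline. A plain hash says the page changed;
    the element diff says whether the change is the kind an attacker makes."""
    base, cur = collect(baseline_html), collect(current_html)
    return {
        "page_changed": hashlib.sha256(baseline_html.encode()).hexdigest()
                        != hashlib.sha256(current_html.encode()).hexdigest(),
        "new_externals": [e for e in cur.externals if e not in base.externals],
        "new_inline_scripts": [h for h in cur.inline_scripts if h not in base.inline_scripts],
        "hidden_frames": cur.hidden_frames,
    }


# Constructed sample pages (not a real site): a clean baseline, and the same page after an
# attacker appended a zero-size iframe and an obfuscated inline script before </body>.
BASELINE_PAGE = (
    '<html><head><title>Shop</title><script src="/static/app.js"></script></head>'
    '<body><h1>Welcome</h1><script>initCart();</script></body></html>'
)
COMPROMISED_PAGE = BASELINE_PAGE.replace(
    "</body>",
    '<iframe src="http://redirector.example/r.php" width="0" height="0"></iframe>'
    '<script>eval(unescape("%64%6f%63%75%6d%65%6e%74"));</script></body>',
)

if __name__ == "__main__":
    report = find_injected_content(BASELINE_PAGE, COMPROMISED_PAGE)
    for key, value in report.items():
        print(key, ":", value)
```

Run this against pages fetched from the live site rather than from the filesystem: injection is often done in the web server or a template rather than in the static HTML file, so the baseline must be a rendered page captured when the site was known to be clean.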

The fake antivirus software makers use a variety of names for their software to make it appear legitimate. Examples of these names include:

  • AntiSpywarePro
  • Antivirus Plus
  • Antivirus Soft
  • Antivirus XP
  • Smart Internet Protection
  • Security Defender

Some will also steal the names of legitimate security software.

Related links

Naked Security blog articles about fake antivirus
Sophos whitepaper: Stopping Fake Antivirus: How to Keep Scareware Off Your Network 

Defending against the threat

New versions of fake antivirus are created daily so it is vital to ensure that your real anti-malware solution is kept up to date.

Patches

None

Sophos technologies

Up-to-date antivirus software is a key component to defending against fake antivirus because new versions are created daily.
HIPS technology in Sophos Endpoint 10 alerts the user to suspicious runtime behaviour on the machine. When set to block, HIPS is an effective tool for preventing the actions of new fake antivirus variants that signatures have not yet caught up with.
Most fake antivirus is delivered, in one way or another, from malicious or compromised websites. Web filtering technologies such as the Sophos Web Appliance, Astaro Secure Gateway or the web filtering in Sophos Endpoint 10 provide valuable defenses against malicious sites, whether their payload is fake antivirus or a different attack.