12.05.2011

Author: SB

FakeAV scams do not stop

Rogue “System Tool” hides behind new domains, over and over again

Top AV software vendors constantly research and develop new techniques to improve their products and enhance their malware detection capabilities.
The people behind FakeAV, in contrast, only pretend to secure the PC. Their FakeAV software disguises criminal activity behind colorful animations with numerous frightening alerts and infection warnings and, what a coincidence, an alleged solution. Their constant work consists of repacking and restructuring program code and registering new domains to spread their FakeAV software.

Scareware attacks are popular with cyber criminals because they enable quick, large-scale infection of web surfers. All that is required is to inject malicious code into a web page and the attack is in place. This can be done on any legitimate web page with poor security; in that case the cyber criminal profits from the page’s high position in search engine results. Of course, it is also possible to insert the malicious code into a web page created from scratch. Such pages are generally stuffed with terms optimised to match the latest news, so they rise quickly in the search engine results. The cyber criminal can also distribute the page on highly frequented microblogging threads. All of these methods reach several thousand web surfers in just a few minutes.


The huge number of FakeAV or RogueAV programs come with more or less the same functionality and try to imitate genuine AV products in look and feel. To avoid detection by real AV software, the scamsters spreading the FakeAV try to produce a vast variety of variants of the malware, e.g. by repacking the code again and again.

The G Data SecurityLabs constantly detect new websites which spread the FakeAV “System Tool”. We want to use the recent wave of detections to explain the typical sequence of actions in a FakeAV attack, highlight the warning signs that should make you stop, and provide an exclusive tool to remove the FakeAV “System Tool” from your computer in case you fell for it.

Here is a small selection of domains created for the recent FakeAV “System Tool” appearances; they use key words from the AV business to simulate credibility:

  • Antivirscanxp
  • antivirus-download-free
  • antivirus-free-removal
  • antivirus-microsoft-windows
  • antivirusonlinetest
  • best-xp-antivirus
  • buy-antivirus-tools
  • desktopantivirusmicrosoft
  • euroantivirus
  • protection-virus-free
  • self-defense-free
  • testscanantivirus
  • usantivirus
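The pattern in this list (an AV-business word such as “antivirus”, “scan” or “removal” glued to a credibility word such as “microsoft”, “free” or “best”) can be turned into a simple triage heuristic for newly registered or newly seen hostnames. The Python script below is an added example and is not G Data’s code or tooling: it segments each hostname label into such keywords and flags hosts that stack two or more of them, at least one from the AV vocabulary. The keyword lists, the thresholds and the benign sample hosts are this example’s own assumptions, chosen to cover the thirteen names above. Treat a flag as a hint for analyst review rather than a blocklist, since a legitimate vendor can use the same words.

```python
"""Heuristic triage of FakeAV-style lure domains.

Added example, not code from the G Data article: it encodes the pattern
visible in the domain list above (AV-business words combined with
credibility words). Keyword lists and thresholds are assumptions.
"""

# AV-business vocabulary (assumed list, seeded from the names in the article)
AV_WORDS = {"antivirus", "antivir", "virus", "scan", "scanner", "protection",
            "defense", "defence", "security", "removal", "malware", "spyware"}
# Credibility / marketing words used to dress the name up (assumed list)
TRUST_WORDS = {"microsoft", "windows", "xp", "free", "download", "buy", "best",
               "test", "online", "tools", "tool", "euro", "us", "desktop", "self"}
WORDS = sorted(AV_WORDS | TRUST_WORDS)   # sorted so segmentation is deterministic

# The thirteen domains quoted in the article (no TLDs were given)
PAGE_DOMAINS = [
    "Antivirscanxp", "antivirus-download-free", "antivirus-free-removal",
    "antivirus-microsoft-windows", "antivirusonlinetest", "best-xp-antivirus",
    "buy-antivirus-tools", "desktopantivirusmicrosoft", "euroantivirus",
    "protection-virus-free", "self-defense-free", "testscanantivirus",
    "usantivirus",
]


def segment(label):
    """Split a hostname label (no dots or hyphens) into dictionary words.

    Dynamic programme over prefixes: position i is reached either by a
    dictionary word ending there or by a single unknown character. Cost is
    (unknown characters, token count), so "antivirus" beats "antivir"+"us".
    Returns a list of (token, is_known) pairs covering the whole label.
    """
    best = [(0, 0, [])] + [None] * len(label)
    for i in range(1, len(label) + 1):
        unknown, count, toks = best[i - 1]
        if toks and not toks[-1][1]:
            # extend the running unknown chunk rather than starting a new one
            cand = (unknown + 1, count, toks[:-1] + [(toks[-1][0] + label[i - 1], False)])
        else:
            cand = (unknown + 1, count + 1, toks + [(label[i - 1], False)])
        for word in WORDS:
            if label.endswith(word, 0, i):
                u, c, t = best[i - len(word)]
                if (u, c + 1) < cand[:2]:
                    cand = (u, c + 1, t + [(word, True)])
        best[i] = cand
    return best[-1][2]


def analyze(host):
    """Score one hostname.

    Returns (flagged, av_hits, trust_hits, coverage) where coverage is the
    share of label characters explained by dictionary words.
    """
    labels = host.lower().strip(".").split(".")
    if len(labels) > 1:
        labels = labels[:-1]          # drop the TLD: it carries no lure vocabulary
    if labels and labels[0] == "www":
        labels = labels[1:]
    av_hits, trust_hits = set(), set()
    known = total = 0
    for label in labels:
        for piece in filter(None, label.split("-")):
            for token, is_known in segment(piece):
                total += len(token)
                if is_known:
                    known += len(token)
                    (av_hits if token in AV_WORDS else trust_hits).add(token)
    coverage = known / total if total else 0.0
    # Flag only the combination the article describes: at least one AV word,
    # at least two keywords in total, and a name made mostly of keywords.
    flagged = bool(av_hits) and len(av_hits) + len(trust_hits) >= 2 and coverage >= 0.8
    return flagged, av_hits, trust_hits, round(coverage, 2)


def scan(hosts):
    """Return the hosts from `hosts` that the heuristic flags, in input order."""
    return [h for h in hosts if analyze(h)[0]]


if __name__ == "__main__":
    # Constructed benign hosts to show the heuristic leaves ordinary names alone
    benign = ["example.com", "support.microsoft.com", "news.example.org", "gdata.de"]
    for host in PAGE_DOMAINS + benign:
        flagged, av, trust, cov = analyze(host)
        print(f"{'FLAG' if flagged else 'ok  '} {host:30} av={sorted(av)} "
              f"trust={sorted(trust)} coverage={cov}")
```

The coverage threshold is what keeps the rule from firing on ordinary names that merely contain one AV word (a vendor’s “best-antivirus-reviews” style page is left alone); the segmentation step handles the hyphen-less names such as “desktopantivirusmicrosoft” that a plain substring check would mishandle.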


FakeAV “System Tool”

Step 1: Pretending to scan
A user visits an infected website and a first warning is displayed with the help of JavaScript. This warning alone is not malicious but serves as a trigger for further actions.
You might already notice the missing full stop, the double spaces between words and the rather odd phrasing in this pop-up warning.

If you click the button, a web browser window opens which simulates your Windows Explorer. Allegedly, a scan is running within your Windows Explorer.

Step 2: Pretending to offer help
The report of the bogus scan shows alarming threats and a number of infections. The self-proclaimed “Windows Web Security” offers its help.

Up to this point, all actions shown were only simulations in the web browser; there has not been any infection yet.

Step 3: The infection
As soon as the user clicks anything on this web page, an .EXE file is offered for download. This executable contains a variant of the scam software “System Tool”.

After installation, “System Tool” remains hidden in the background for a while, but it is not inactive: it establishes various connections to web servers. After a few minutes, a system tray popup appears:

This and many other similar warnings appear regularly to scare the user. Furthermore, the launch of various programs is blocked: “System Tool” immediately terminates user processes on the pretext that it has detected these programs as infected (see the system tray warning in the screenshot below).

The scam suggests that to “remove all threats now” you only need to click the button:

Step 4: The fraudsters want your money and even more
“System Tool” prompts you to buy the software with your credit card and lures you with weird and huge discounts.

If you enter your credit card details, the scamsters are not only able to charge the amount displayed but can also use your personal and banking information for further criminal activities!

Apart from this, the software you are buying is useless in the fight against computer malware; it cannot and will not “protect your PC” or your digital data at all!


Step 5: Scamsters insist on securing you
“System Tool” insists on showing you how insecure your PC is and uses yet another technique to scare computer users: a wallpaper with spelling mistakes and other bugs appears on the user’s desktop. This, at the latest, should call the user’s attention to the fact that something is going wrong.

Even a system crash with a blue screen of death is initiated, forcing the computer to restart. Changing the desktop wallpaper and initiating a system crash are serious interventions that affect the user’s work routine.


How to protect yourself from FakeAV in general

  • Use a genuine and comprehensive AV product with current virus signatures, HTTP filter etc. to really protect your PC and all digital data.
  • If you download software from the internet, download it only from the vendor’s web page or from download websites with a good reputation.
  • Always keep the operating system and browser updated to the latest version and install updates regularly.
  • Do not click hyperlinks thoughtlessly. The list of domain examples at the beginning of this text shows that the domains used for this kind of scam try to lure users with a combination of key words related to software and the AV business.
  • Analyze the style of language and the orthography of the pop-ups and warnings displayed. Too many mistakes or odd phrasing hint at a scam.
  • Furthermore, a genuine Windows system tray pop-up would be displayed in your system language: if you are using a non-English Windows system, the real messages will appear in that language.



How to remove “System Tool” in case you got infected
A manual disinfection is very complicated and not recommended! The G Data SecurityLabs have programmed a tool that removes the FakeAV “System Tool” from your computer.

  1. Download the tool G Data FakeAVCleaner “System Tool” to the infected Windows system.
    The file is available at the bottom of this text.
  2. If you download the tool on another computer, transfer the .exe file to the infected Windows system.
  3. Run the G Data FakeAVCleaner, named svchost.exe.
  4. Restart your computer after the successful removal.


Attention:
The G Data FakeAVCleaner “System Tool” has to be executed under the Windows user account that is infected. Because the FakeAV “System Tool” shuts down all user-initiated programs which do not have a ‘reserved’ name such as explorer.exe, winlogon.exe or svchost.exe (and many more), the file name of the G Data FakeAVCleaner is svchost.exe.

Download
