Recently, researchers at GFI Software
have noticed an increase in the number of fake security software scams
purporting to be disk utilities that fix disk errors. Instead of
listing Trojans, these security alerts pretend to find disk
fragmentation or file system integrity problems.
“Fake AV authors have added a new branch to
their rogueware business,” said Deepen Desai, senior researcher
from SonicWALL’s threats team. He expects to see more variants of both
fake anti-virus and utilities in the coming months.
The rogue products initially looked like a
generic security product, addressing a range of system issues with
names such as HDDDDiagnostic, PCoptomizer and Privacy Corrector,
according to GFI. Since then, there’ve been a series of “defragger
clones” with names like UltraDefragger and ScanDisk that claim to find
read/write errors on the hard disk drive, according to the blog.
The fake disk defrag and scanning utilities
started showing up in mid-October, according to Desai. He noted that
new variants are often “A/V resistant” because legitimate security
products may not be able to immediately identify the files as fake.
Rand Abrams, director of technical education at ESET, said these
variants are “not yet as popular as they will become.”
Scareware refers to software that displays
legitimate looking pop-up windows and dialog boxes claiming serious
problems with the user’s computer. Often posing as antivirus or
anti-spyware software, the messages list several malware infections and
scare the user into purchasing antivirus software immediately to fix
the problem. Some known variants mimic Microsoft Security Essentials or
McAfee, while others have real-sounding names such as Security Tools or
Pest Detector.
The downloaded software can be a dud and not do
anything, “where everything is only fake and the only real thing is the
fancy GUI and price,” said Juraj Malcho, head of ESET’s virus lab. On
the other hand, “they actually break things,” he said.
The fake utilities tend to mimic Windows system utilities, often using the same icons and filenames, said Desai.
Chris Larsen, a security researcher calls these
variants “fake-warez,” and noted that it was not entirely a new tactic,
as fake registry cleaners have been around for years.
These fake software scams can be quite
lucrative for cyber-criminals, who can make up to $160 million in a
year just pushing fake antivirus, according to Comodo Security’s CEO
Melih Abdulhayoglu.
However, Larsen called fake-warez a “drop in
the bucket compared to fake AV” because they lack the sense of urgency
required for a successful attack. If a user is suddenly shown a message
that there is a virus, or many viruses, the users get more worried than
if they are shown a message that they need to clean the registry, or
defrag their drive, he said.
The tools are often advertised via spam,
although drive-by-downloads are possible, according to Desai. Other
methods include SEO poisoning and social engineering tactics to drive
users to sites where they can download the software, according to David
Harley, ESET’s senior research fellow.
Fake utilities are generally marketed
differently from fake A/V, said Larsen. The potential victim is
generally already searching for a disk utility or trying to resolve an
issue when the scammer says, “'Here’s what you were searching for,’ and
hand them a malware payload instead,” said Larsen.
Users should be wary of any error messages
coming from software they didn’t install, and should not purchase or
install any software that suggests downgrading the Web browser to an
older version, according to GFI Software’s researchers.
There are even some variants that detect
legitimate antivirus software and prompt users to uninstall it,
according to Sophos researcher Chester Wisniewski.
IT Security & Network Security News & Reviews News & Reviews 
