Malware Posing as Fake Desktop Utilities Instead of Phony Antivirus

In the past two months, fake antivirus scareware has morphed into variants pretending to be generic security products, disk utilities and the trusty defrag tool, according to researchers.

Recently, researchers at GFI Software have noticed an increase in the number of fake security software scams purporting to be disk utilities that fix disk errors. Instead of listing Trojans, these security alerts pretend to find disk fragmentation or file system integrity problems.

"Fake AV authors have added a new branch to their rogueware business," said Deepen Desai, senior researcher from SonicWALL's threats team. He expects to see more variants of both fake anti-virus and utilities in the coming months.

The rogue products initially looked like a generic security product, addressing a range of system issues with names such as HDDDDiagnostic, PCoptomizer and Privacy Corrector, according to GFI. Since then, there've been a series of "defragger clones" with names like UltraDefragger and ScanDisk that claim to find read/write errors on the hard disk drive, according to the blog.

The fake disk defrag and scanning utilities started showing up in mid-October, according to Desai. He noted that new variants are often "A/V resistant" because legitimate security products may not be able to immediately identify the files as fake. Rand Abrams, director of technical education at ESET, said these variants are "not yet as popular as they will become."

Scareware refers to software that displays legitimate looking pop-up windows and dialog boxes claiming serious problems with the user's computer. Often posing as antivirus or anti-spyware software, the messages list several malware infections and scare the user into purchasing antivirus software immediately to fix the problem. Some known variants mimic Microsoft Security Essentials or McAfee, while others have real-sounding names such as Security Tools or Pest Detector.

The downloaded software can be a dud and not do anything, "where everything is only fake and the only real thing is the fancy GUI and price," said Juraj Malcho, head of ESET's virus lab. On the other hand, "they actually break things," he said.

The fake utilities tend to mimic Windows system utilities, often using the same icons and filenames, said Desai.

Chris Larsen, a security researcher calls these variants "fake-warez," and noted that it was not entirely a new tactic, as fake registry cleaners have been around for years.

These fake software scams can be quite lucrative for cyber-criminals, who can make up to $160 million in a year just pushing fake antivirus, according to Comodo Security's CEO Melih Abdulhayoglu.

However, Larsen called fake-warez a "drop in the bucket compared to fake AV" because they lack the sense of urgency required for a successful attack. If a user is suddenly shown a message that there is a virus, or many viruses, the users get more worried than if they are shown a message that they need to clean the registry, or defrag their drive, he said.

The tools are often advertised via spam, although drive-by-downloads are possible, according to Desai. Other methods include SEO poisoning and social engineering tactics to drive users to sites where they can download the software, according to David Harley, ESET's senior research fellow.

Fake utilities are generally marketed differently from fake A/V, said Larsen. The potential victim is generally already searching for a disk utility or trying to resolve an issue when the scammer says, "'Here's what you were searching for,' and hand them a malware payload instead," said Larsen.

Users should be wary of any error messages coming from software they didn't install, and should not purchase or install any software that suggests downgrading the Web browser to an older version, according to GFI Software's researchers.

There are even some variants that detect legitimate antivirus software and prompt users to uninstall it, according to Sophos researcher Chester Wisniewski.