Malware, Network Security

AV company, heal thyself

Security companies have become all too familiar with fake anti-virus, fake support scams and so on. Unfortunately, so have our customers. Just this week I've been following (and cautiously posting to) a thread on a specialist list complaining that anti-virus (and I mean the genre as a whole, not any particular company's product) doesn't do a great job of detecting it. In fact, AV detects an awful lot of it, but the guys who push this stuff are all too proficient at frequently tweaking malware to evade the scanners that cause them most problems. That's not the only issue, of course. While the primary motive here is, as ever, profit, this is also (just) one aspect of an ongoing attack on an industry that represents a threat to those profits.

One of the more interesting (if irritating) aspects of this campaign is the occasional instance of out-and-out impersonation. Of course, we're talking here of an entire black hat industry based on impersonation – fake security software, fake support desks, fake websites, fake product certifications and so on – but it's less common to see phishing-like impersonation of a brand or product. (Well, in the fake AV marketplace, anyway: fake Adobe or Microsoft products are all too common.)

ESET has been blessed with that sort of attention more than once. In the instance described by my colleague Tasneem Patanwala here, the impersonation is largely restricted to borrowing a product name. Not that this is the first borrowing of course. We've derived a bleak amusement in the past from seeing our genuine malware descriptions used verbatim by a fake AV product.

A more recent attack goes the other way. ESET doesn't have a product called Anti-virus 2011, but apparently E-Set does. I can't wait to see if ESET gets a cease & desist letter from E-Set about the misuse of E-Set's name. (I assure, stranger things have happened.)

As the screen shots here show, this is not a serious attempt at an ESET lookalike, but a typical fake AV boilerplate job. It's rather like substituting a Lego automobile for a real Rolls-Royce, except that Lego is more use than Anti-virus 2011.

That doesn't mean that if it looks like real AV, it's legitimate, though. Those fake support scams – where someone cold-calls to tell you that you have a virus problem – often lead to an offer to install a “lifetime” version of a legitimate AV product onto your system, which often turns out to be a cracked version of the real product that simply stops working. Ironically, this sometimes leads to support calls to a genuine vendor support desk. Perhaps the industry should be grateful for the sales leads.

ESET detects known variants of E-Set's “product” as Win32/RogueAV.E, Win32/Kryptik.LSH or Win32/Kryptik.LVC. And future “cease & desist” letters are unlikely to put a stop to that.

Related

Rootkit capabilities likely with Windows bugs

Several rootkit-like capabilities could be obtained by threat actors through the exploitation of vulnerabilities in Windows' DOS-to-NT path conversion process, including file and process concealment and compromised prefetch file analysis, reports The Hacker News.

Abusing GitHub flaw could compromise GitLab

Open-source DevOps software project GitLab has also been impacted by the same security issue in GitHub comments that has been exploited by threat actors through Microsoft repository-linked URLs to facilitate the distribution of malware that was made to seem to originate from credible entities' official source code repositories, according to BleepingComputer.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.