Architecture, Network security, Threats, Malware

AV company, heal thyself

March 24, 2011

Security companies have become all too familiar with fake anti-virus, fake support scams and so on. Unfortunately, so have our customers. Just this week I've been following (and cautiously posting to) a thread on a specialist list complaining that anti-virus (and I mean the genre as a whole, not any particular company's product) doesn't do a great job of detecting it. In fact, AV detects an awful lot of it, but the guys who push this stuff are all too proficient at frequently tweaking malware to evade the scanners that cause them most problems. That's not the only issue, of course. While the primary motive here is, as ever, profit, this is also (just) one aspect of an ongoing attack on an industry that represents a threat to those profits.

One of the more interesting (if irritating) aspects of this campaign is the occasional instance of out-and-out impersonation. Of course, we're talking here of an entire black hat industry based on impersonation – fake security software, fake support desks, fake websites, fake product certifications and so on – but it's less common to see phishing-like impersonation of a brand or product. (Well, in the fake AV marketplace, anyway: fake Adobe or Microsoft products are all too common.)

ESET has been blessed with that sort of attention more than once. In the instance described by my colleague Tasneem Patanwala here, the impersonation is largely restricted to borrowing a product name. Not that this is the first borrowing, of course. We've derived a bleak amusement in the past from seeing our genuine malware descriptions used verbatim by a fake AV product.

A more recent attack goes the other way. ESET doesn't have a product called Anti-virus 2011, but apparently E-Set does. I can't wait to see if ESET gets a cease & desist letter from E-Set about the misuse of E-Set's name. (I assure you, stranger things have happened.)

As the screen shots here show, this is not a serious attempt at an ESET lookalike, but a typical fake AV boilerplate job. It's rather like substituting a Lego automobile for a real Rolls-Royce, except that Lego is more use than Anti-virus 2011.

That doesn't mean that if it looks like real AV, it's legitimate, though. Those fake support scams – where someone cold-calls to tell you that you have a virus problem – often lead to an offer to install a “lifetime” version of a legitimate AV product onto your system, which often turns out to be a cracked version of the real product that simply stops working. Ironically, this sometimes leads to support calls to a genuine vendor support desk. Perhaps the industry should be grateful for the sales leads.

ESET detects known variants of E-Set's “product” as Win32/RogueAV.E, Win32/Kryptik.LSH or Win32/Kryptik.LVC. And future “cease & desist” letters are unlikely to put a stop to that.