Fake antivirus programs appear to be adopting some of the money-raising tactics of more threatening ransom malware, security company Fortinet's latest threat report has found.
The most prevalent malware variant during August was TotalSecurity W32/FakeAlert.LU!tr, a malicious program that masquerades as antivirus software in order to sell worthless licenses for non-existent malware. On its own it accounted for 37.3 percent of all malware threats detected by the company during the month.Unlike standard fake antivirus programs, however, the new version of TotalSecurity takes the ruse a stage further by preventing any applications other than a web browser to run, claiming they are "infected." The user is invited to have the infection cleaned by buying the bogus TotalSecurity product.
Adding an extra layer of sophistication to its arsenal -- and no doubt aware how quickly bogus antivirus software is blocked by genuine security products -- TotalSecurity can now vary the downloads it feeds to target PC using server-side polymorphism. Put another way, the exact version downloaded to a victim's PC will constantly change which makes detection harder.
"This is a technique typically seen with botnets, such as Waledac, and has been picked up by the developers of TotalSecurity. This is another example of how relying purely on antivirus is not a silver-bullet approach to protecting systems from infection," said Fortinet's threat research head, Derek Manky.
According to Fortinet, such attacks demonstrate the vulnerability of PC-based antivirus software. A layered defence would have a better chance of detecting TotalSecurity by either intercepting the initial spam used to spread it or by blocking the download website.
News 1 year ago
