Recently we’ve seen a rash of people infected with official-looking but entirely fake antivirus malware. Typically the user reports that they were simply browsing the web, minding their own business, when a window appeared that looked like it came from Microsoft Windows and informed them that they were infected with everything under the sun. The window wouldn’t close when clicked, and after they restarted the machine the fake antivirus software appeared to have installed itself and couldn’t be removed: dire warnings of infections appear everywhere, popups to embarrassingly raunchy websites keep coming up, and the machine is basically unusable. Worse, the software wants you to subscribe in order to remove these “infections”. If you subscribe, the bad guys now have your credit card number.
First off, when you see one of these windows, DO NOT CLICK on anything! Immediately restart your computer.
Secondly, the primary way these infections are reaching us is through poisoned Google search results. DO NOT automatically trust everything you see on a Google results page. The bad guys know that people are searching for popular subjects (“Catherine’s wedding dress”), and they set up fast-moving bogus websites just to get you to click. I’ve also just read an article that the popular Google Images website is chock full of malware-linked images.
Third, the bad guys know that everyone has certain third-party plugins installed in their browsers, either for work or to view animated media. These plugins are not always secure, and they are not updated by the usual Windows Update or Software Update mechanism. You must update these products yourself or you risk infection. The top three examples are Adobe Flash, Adobe Reader and Sun Java VM.
The easiest way to find out what is out of date is to open Mozilla Firefox (this does not work in Internet Explorer) and go here:
The plugin check will tell you which of your plugins are out of date and provide links for downloading updated versions. Download and install; it’s as simple as that.
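For administrators who need to check many Windows machines rather than one browser at a time, the following script is an added example (not part of the original notice and not a tool from the vendors named above). It lists the installed versions of the three products discussed here by reading the standard Windows uninstall registry keys, so the versions can be compared against the vendors’ current releases. The product-name patterns are assumptions and may need adjusting if a vendor renames a product.

```powershell
# Added example: inventory Adobe Flash Player, Adobe Reader and Java versions
# registered on this Windows machine. Reads both the native and the 32-bit
# (Wow6432Node) uninstall keys; the second key does not exist on 32-bit Windows,
# which is why errors are silenced.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Display-name fragments for the products the notice discusses (assumed
# patterns; 'Java' also matches the Java updater, which is fine for inventory).
$patterns = 'Adobe Flash Player', 'Adobe Reader', 'Java'

$found = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Where-Object {
        $name = $_.DisplayName
        ($patterns | Where-Object { $name -like "*$_*" }).Count -gt 0
    } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
    Sort-Object DisplayName

if ($found) {
    # One row per matching product; DisplayVersion is what you compare to the
    # vendor's current release.
    $found | Format-Table -AutoSize
} else {
    Write-Output 'None of Adobe Flash Player, Adobe Reader or Java is registered as installed.'
}
```

Run it from an elevated PowerShell prompt; it only reads the registry and changes nothing. End users should still use the Firefox plugin check above, which also covers plugins that do not register an uninstall entry.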
HOWEVER, because these third parties are also out to make a buck off you, be alert for offers during installation to add unnecessary antivirus software (Adobe Reader) or the assorted toolbar of the day (Adobe Shockwave or Sun Java), and decline them. These “free” players are really a way for these companies to generate revenue by putting another vendor’s software in front of you.
Fourth, this fake antivirus software is big business. Estimates run as high as half a million people infected per day. The malware configuration is changed so quickly that antivirus vendors are having a hard time keeping up, so do not rely on your antivirus software to protect you. Every single person we’ve seen with one of these infections had an active copy of ESET NOD32 running, and the antivirus software was completely oblivious.
Lastly, MacOS is NOT immune to these infections. There is fake Macintosh Antivirus malware out there and we’ve seen one infection first hand already.
If you do get infected with one of these nasties, RUN, don’t walk, to our offices. The longer you wait, the more compromised your computer gets and the harder the infection is to remove.
More information (kudos to Geoff Duke for these links):
Fake anti-virus hackers exploit engagement of Prince William and Kate Middleton
This is a general description of Fake AV:
SophosLabs – What is Fake Anti-Virus?
And some good detail:
How blackhat SEO and Fake Anti-Virus work