Now, there is FakeAV

Before, we only used to hear fake bags, fake shoes, fake movies, fake music and even fake identity. Now, there is this thing called as FakeAV. What is this new IT security lingo?

FakeAV or Fake AntiVirus, also known as Rogue AntiVirus, Rogues, or ScareWare, is a class of malware that displays false alert messages to the victim concerning threats that do not really exist. These alerts will prompt users to visit a website where they will be asked to pay for these non-existent threats to be cleaned up. The FakeAV will continue to send these annoying and intrusive alerts until a payment is made. 

During the last part of 2010, the number of FakeAVs has really grown. In fact, IT security experts have determined the quantity of these FakeAV variants from less than 1,000 late last year to around 500,000 today.  The reason for the increasing popularity of FakeAVs is because of the direct revenue source that FakeAV provides.  Compared to other malware variants, FakeAV is somewhat associated with some network communities that make large amounts of money by driving traffic toward the stores of their partners.

How will I know if I am dealing with FakeAVs?

FakeAVs use social engineering techniques to get it self installed. Normally, it goes through the routes of Windows Security updates, fake anti-virus pages and fake social network engineering applications.  Once installed, there could be several behaviors like popup messages, fake virus scanning where it usually reflects make believe files. FakeAVs usually use high-tech names so that it may sound valid like “security central”, “malware database”, etc.

How do we get FakeAVs?

There are may ways a FakeAV can get into your system, but the majority of which is that a user can be tricked into running installer executable in a way similar to how Trojans work. But the following are the most popular techniques:

  • E-mail spam campaigns
  • Infected websites
  • FakeAV downloads by other malware

Initiating a Fake Scan

Once a FakeAV is installed, it will usually attempt to contact a remote website and download the main component or a main program. This will initiate a fake system scan, where may non-existent threats will be discovered and reflected. A main FakeAV window is usually professionally created and victims can be convinced that they are using a genuine security product.

Once the fake threats have been discovered, users are told that they must register or activate the program to clean up the threats. Users are taken to a registration website where they are asked to enter their credit card number and give other confidential information. These pages are convincing, sometimes featuring the illegal use of logos and industry-recognized organizations. 

Other FakeAV behavior

Most FakeAVs also cause further effects to the victim by interfering with normal systems processes and runtime. Sometimes, this includes disabling of the task manager and use of the Registry Editor, prohibiting processes from running and even web site redirection. This behavior further convinces the victim that there is a problem on the system and increases the likelihood of a purchase being made.

Prevention and Protection

The most effective defense against FakeAVs is a comprehensive security as well as literacy. For network administrators, a layered security can and should take place at each stage.

URL Filtering : by blocking the domain and the URLs from which FakeAV is downloaded, infection can be prevented from ever happening.

Detection of Web-based Content:  it should include detection of Javascript and HTML used on FakeAV and fake webpages.

Runtime Detection: if a FakeAV executable manages to evade the other layers of protection, you should be able to detect and block the behavior of the FakeAV as it tries to execute on a system.

Spam blocking: self-explanatory, the network should recognize, detect and eliminate spam.


FakeAV is a fast growing threat. The direct financial benefit gained from this threat will not go away in just one snap, in fact, it will be more widespread. FakeAVs are already being distributed via several sources and the variety and inventive distribution will only increase.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s