FakeAV exploits GreyMatter vulnerability

Filed Under: Malware, SophosLabs

With all the recent media flutter about Conficker [1,2,3,4] and the advice by security software vendors to patch and update, it's no wonder that the FakeAV crowd are doing good business, as detailed by Paul Ducklin.

Playing on the media hype and the sometimes exaggerated infection reports, the FakeAVers need no spam runs to peddle their wares. A few compromised websites, a tantalising YouTube video, a long lost friend on Facebook or the latest celebrity gossip are all excellent vehicles of penetration. Once visited or downloaded, the FakeAV window appears, be it Flash, JavaScript or an actual executable, and warns you of the impending doom if you do not make the small investment of $29.95 to rid your apparently infected computer of the nasty malware the media has been talking about. And let's face it, for that warm fuzzy feeling of knowing you're once again safe and protected in this world of Trojans, worms, viruses and malware, $29.95 isn't a king's ransom.

It is no surprise, then, that users, tech-savvy or otherwise, believe the fake warnings (and they are often quite believable) and polished interfaces, and give the latest AntiVirus2009 a chance. After all, they are just following "good security practice"!

So where has it all gone wrong? Are our fears of an unsafe net being exploited by the malware authors to their own financial gain? Do the computer users among us need our own patch for the old grey-matter?

Here is a good start to hot-patching the old noggin. Let's first address the "is this even a legitimate security product" issue: VirusTotal (who provide a malware scanning service by utilizing a number of anti-virus products) have a reasonable list of the major players (free and otherwise) available on their website. If the FakeAV's name isn't on their list of vendors, it's probably not worth the bandwidth.

If its name looks like it wants to draw your undivided attention, consider why it may be doing this. All that glisters is not gold!

If it claims to find lots of malware yet requires a fee to eradicate it, consider this suspicious (evaluation versions should allow evaluating the cleanup and disinfection facility as well).

If it nags you for a registration more than your significant other nags you to take the garbage out, it's probably time to trash it.

Generally, practice safe hex and avoid spreading malware via unsafe removable media.

Consider these rules of thumb as a hot-patch to your brain and avoid getting pwned by the latest FakeAV as it exploits your sense of doing the right thing - or you could be driving away with those brand new square wheels :-P