I’ve recently wondered why we’re seeing an increase in fake anti-virus type malware and I don’t think the reason is as simple as fear-mongering and guilt. I recently analysed YAFA (Yet Another Fake Anti-virus) which upon installation immediately began to scan my computer and barraged me with warnings about how infected and unsafe my workstation was.
When I collected my samples for further analysis I noticed that we already detected some of the components as SuperiorAds. Hrm, have AdWare companies found a new market in fake security software? The first obvious place to look for AdWare components is your browser's add-ons, but that list appeared to contain nothing new, so I looked into Add/Remove Programs (accessible from the Control Panel) and discovered that “Search Assistant searchsmart” and “RON Tool Mxlivemedia” had been installed.
Another way to confirm which programs or components will be auto-loaded at login or reboot is the SysInternals tool Autoruns, and it confirmed my finding that a BHO (Browser Helper Object) had been installed.
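The two places checked above (the Add/Remove Programs list and the installed BHOs) are both backed by the registry, so they can be enumerated from a script as well as by clicking through the Control Panel or Autoruns. The following PowerShell is an added example, not code from the original post or from Sophos; it assumes a Windows host with the standard registry layout, and the keyword list is purely illustrative (taken from the names mentioned in this post) rather than a detection signature.

```powershell
# Added example: enumerate Browser Helper Objects and Add/Remove Programs
# entries directly from the registry. Assumes a Windows host; the keyword
# list is illustrative only (names from the post), not a real detection.

$suspectKeywords = @('searchsmart', 'mxlivemedia', 'superiorads')

function Get-BrowserHelperObjects {
    # BHOs are registered by CLSID under these keys (32-bit view under
    # WOW6432Node). The DLL path lives in the CLSID's InprocServer32 subkey.
    $bhoRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($root in $bhoRoots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem $root | ForEach-Object {
            $clsid    = $_.PSChildName
            $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
            $name = (Get-ItemProperty -Path $clsidKey -ErrorAction SilentlyContinue).'(default)'
            $dll  = (Get-ItemProperty -Path "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            # An unsigned or missing DLL is worth a closer look; legitimate
            # vendors almost always Authenticode-sign their BHOs.
            $sig = if ($dll -and (Test-Path $dll)) { (Get-AuthenticodeSignature $dll).Status } else { 'FileMissing' }
            [pscustomobject]@{ CLSID = $clsid; Name = $name; Dll = $dll; Signature = $sig }
        }
    }
}

function Get-InstalledPrograms {
    # Add/Remove Programs is populated from these Uninstall keys.
    $uninstallRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallRoots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, Publisher, InstallDate, UninstallString
}

$bhos     = Get-BrowserHelperObjects
$programs = Get-InstalledPrograms

Write-Host '== Browser Helper Objects =='
$bhos | Format-Table -AutoSize

Write-Host '== Installed programs matching suspect keywords =='
$programs | Where-Object {
    $displayName = $_.DisplayName
    $suspectKeywords | Where-Object { $displayName -match $_ }
} | Format-Table -AutoSize
```

Running this before and after installing a suspicious download and comparing the two listings shows exactly what the installer dropped, which is the same comparison the post made by hand. Reading from both the 64-bit and WOW6432Node views matters on 64-bit Windows, since a 32-bit installer registers under the latter and is easy to miss otherwise.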
By now Troj/FakeVir-IK had found a number of ‘threats’ and insisted that I register (for a nominal fee of course) or risk catastrophic failure (well, not quite, but you get the idea.) If anyone had run this program then by now they’d be regretting ever having heard of it!
Ok, so having been nagged to death by endless popups about registering and being overrun by infections, I decided to google some of the names and investigate a little more what the AdWare components were doing. To my surprise I got… yet another warning about how unsafe my computer was! This time in my browser (all the while my search queries were being redirected to the marketing servers – possibly so they can sell me another false promise now that they see how gullible I appear to have been…)
One could easily conclude that questionable AdWare has found a new means of separating people from their hard-earned money: first colluding with the malware authors, then selling a solution which is in fact part of the original problem.
I guess all this just confirms the age old saying of “if it looks too good to be true, it probably is!”