What is Fake-AV malware?


Fake Anti-Virus style malware, or rogue security ‘software’, has been growing in popularity since around 2007, but was seen in the wild in smaller numbers prior to this. It is Trojan based, and therefore does not self-replicate, but instead propagates in a multitude of ways – via known infected websites, spam runs, mal-vertising (otherwise clean websites where the 3rd party advertising stream has been compromised), email attachments, file sharing/p2p etc. Basically, if you can think of any potential malware infection method you can guarantee the authors of this type of malware are already making use of it.


Once a machine is infected, the user sees a pop-up window purporting to be security software which has found genuine malware detections, and they are prompted to purchase the software in order to remove these infections. Attempts to close the pop-up window frequently result in further pop ups appearing, and more often than not the real security software installed on the machine is then disabled.

Users who are tricked into parting with their credit card details are incredibly likely to find their information is soon passed to criminals. Whether or not they were duped into parting with credit card information, users often find that their machines are unstable, with any attempt to launch a program being met by yet another fake-AV pop-up window, and commonly routes to security or OS vendor websites are blocked or re-routed. Frequently further malware is also downloaded onto the machine, which could potentially have spreading capabilities, so what initially starts life as a single machine issue can easily have wider implications for a home or corporate network.


Fake-AV is server-side polymorphic, which in simpler terms means the files that infect machines are rapidly changed (re-built or re-packed on the distribution server) in order to evade basic signature type detection which looks for file fingerprints (MD5 hashes). You could look at two machines which on the surface appear to be infected with the same malware – what you see on the screen looks identical, even the infected file names could well be the same – but from a fingerprint perspective the files are actually very different.


So the model used by the authors of this malware is very simple but effective: pretend to be software that everyone knows they need to have on their machine, and that in most cases will annually require renewing via credit card; utilize as many infection methods as possible; ensure the infected files are changed rapidly to evade detection by the very same type of software that it’s masquerading as, whilst disabling the genuine article in the process; and whilst you’re there, also download more malware with further capabilities to compromise machines, steal data and make money for the criminal underworld.


And that’s the bottom line – Money – the people behind these scams are full blown software vendors; they are far from the script kiddies of yesteryear and are operating real businesses. With this in mind it’s clear that these types of infections are not going to go away any time soon, and the true security vendors are in a constant battle to keep up with the waves of new variants being produced 24x7x365.


How can I remove Fake AV from my machine?


Please start by ensuring your genuine AV software is up to date and that you have run a full scan. If you are still having an issue, or your machine has been rendered almost inoperable by the infection (most commonly that .exe files won't run due to broken file associations), please download our free Fake Alert Stinger tool, which is updated every week day. Instructions for use can be found on the web link. Should you still be having a problem, please submit any potential samples to us and provide details of your submission ID in the Top Threats community. One of our security experts will be on hand to assist as soon as they are able to.

My anti-virus software is up to date – why did I get infected with Fake-AV?


Due to the ever-changing nature of this malware, having up-to-date software is not always enough to fully protect a machine; in fact, even with the strongest defenses, if you are a user of e-mail and the internet there is every chance your machine could still get infected. A good AV solution, personal firewall, host IPS and local web reputation software are strongly recommended to protect against both fake-AV and other types of threats.


I only ever visit genuine websites – why did I get infected with Fake-AV?


In recent months a common delivery method of fake-AV malware has been to poison 3rd party advertisement streams which are part of an otherwise clean website. The hosting webserver itself is not infected, and commonly has strong security measures in place to prevent it from being compromised. However, as many site owners utilize 3rd party advertisements as a revenue generator, the bad guys have used this as a doorway to infecting unsuspecting users who believe they are surfing safely.



I read on the internet that the infection I got has been around for months – why didn’t my anti-virus software detect it?


A family of fake-av malware may have been in existence for months, but the files infecting a machine today may only have had a life-span of a few days, hours or even merely minutes.

McAfee detect literally millions of different fake-AV files, and are adding new detections both on a daily basis in the traditional DAT files and in near real-time via GTI file reputation technology. Our GTI web reputation software also blocks many known bad sites and has the capability to block poisoned ad streams. However, as new variants are created – from minute to minute in some cases – there will always be new undetected infected files, so a holistic approach to endpoint protection is necessary, not forgetting the all important user education.
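The following is an added illustration (not code from McAfee or from this page) of the point made above and in the server-side polymorphism section: two constructed stand-in samples that show the same screen to the user but differ in their padding bytes have different MD5 fingerprints, so a hash signature for one misses the other, whereas a simple content-based signature (a hash over the embedded UI strings, a constructed heuristic chosen only for illustration) still relates them. Real repacking changes far more than padding, which is why vendors layer reputation and behavioural detection on top of hashes.

```python
import hashlib
import re

# Constructed UI strings shared by every "variant" of the stand-in sample.
UI_STRINGS = [b"Your computer is infected!",
              b"Purchase full version to remove 37 threats"]


def build_sample(seed: int) -> bytes:
    """Model one server-side re-build: fixed payload wrapped in seed-dependent junk.
    Junk bytes are kept in 0x80-0xff so they never look like printable text."""
    junk = bytes(0x80 | ((seed * 131 + i * 97) % 128) for i in range(64))
    return junk + b"\x00".join(UI_STRINGS) + junk[::-1]


def md5_fingerprint(data: bytes) -> str:
    """The file fingerprint a basic signature scanner compares against its list."""
    return hashlib.md5(data).hexdigest()


def printable_strings(data: bytes, min_len: int = 6) -> list:
    """Extract runs of printable ASCII, as a strings-style tool would."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def content_signature(data: bytes) -> str:
    """Constructed heuristic: hash of the sorted set of embedded strings.
    Survives changes to padding/packing stubs; a real engine uses richer features."""
    strings = sorted(set(printable_strings(data)))
    return hashlib.sha256(b"\n".join(s.encode("ascii") for s in strings)).hexdigest()


# Signature databases seeded from the one variant the vendor has already seen.
KNOWN_SAMPLE = build_sample(1)
HASH_DB = {md5_fingerprint(KNOWN_SAMPLE)}
CONTENT_DB = {content_signature(KNOWN_SAMPLE)}


def classify(data: bytes) -> str:
    """Exact hash first, then the content-based signature for re-built variants."""
    if md5_fingerprint(data) in HASH_DB:
        return "known (hash match)"
    if content_signature(data) in CONTENT_DB:
        return "suspected variant (content match)"
    return "unknown"


if __name__ == "__main__":
    for seed in (1, 2, 3):
        s = build_sample(seed)
        print(seed, md5_fingerprint(s), classify(s))
```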



I used a free version of MalwareBytes to clean up the infection, why do I need to pay for anti-virus software?


MalwareBytes is not a full endpoint security solution, or even an anti-virus solution. Nor is it even vaguely scalable for an enterprise from an installation, reporting, manageability, or updating perspective. It is however good at removing very specific types of malware, and they themselves recommend on their forums running AV software (and a firewall, and URL filtering etc.) as well as their software.

The free version of Malwarebytes anti-malware is an on-demand scanning tool – it does not offer on-access scanning. It’s important to note that having two on-access scanning tools on one machine can cause instability, as there is much potential for both scanning engines to fight over a file as it is accessed. In worst cases this can cause blue screens and file corruption.

Unfortunately no AV vendor in the world will offer 100% protection; sometimes you may be unlucky enough to get infected, but follow good online security practices and you can lessen this risk considerably. If you do fall foul of a fake AV infection, McAfee recommend running our Fake Alert Stinger tool as a first port of call, and should you need to submit potential fake alert samples to us, here's how.