How to Recognize and Analyze a Fake Anti-Virus Message
I was surfing the web the other day looking for photos and received this error when clicking on an image in Google:
Wow, I thought, this can’t be good, Windows Security has found some critical issues on my system and needs to do a system scan. Something must be very wrong. Thank goodness that this helpful website is offering to scan my system for me.
Actually, nothing could be further from the truth.
Okay, I knew right away that this was a fake message. How? I clicked on a photo and ended up at a completely different website that showed this security alert. That is not how Google normally behaves when you click on an image: it usually takes you to a page that shows the image you clicked on in the foreground, with the picture's source page in the background.
Also, Windows does not show alerts like this. Windows 7 uses a small red "x" on the white flag in the notification area at the bottom right of the desktop when there is a security alert. In addition, the message looked nothing like a standard alert from my anti-virus software, so I knew that this online scan was bogus.
It would have been more believable, too, if I had actually been running Windows at the time, which I was not. But what the heck, let's see what happens when we click "OK".
(Never click on these messages, by the way; just close the whole browser window with the red "X". Run your own anti-virus program to do a scan, never an online one.)
Right away the "helpful" program comes up and runs a system scan. It isn't really scanning anything; it just builds the page with HTML and scripts to make it look believable. It does look like a legitimate Windows screen, except that it all shows up inside a browser window, and again, I am not even running Windows on this system!
It then wants me to click on the "Remove All" button, which I did not. Doing so will usually prompt you to download and install the bogus anti-virus program. Allowing that program to run installs the malware on your system. Once installed, this particular brand of malware brings up a very believable anti-virus screen and tells you that you need to purchase a license to use it. It also asks for your credit card number.
When trying to figure out how clicking on a Google image redirected me to this fake AV site, I found something interesting. The website name shown under the image looked legitimate, but the image URL (which displays if you hover over the image) pointed to a completely different website. The Google imgrefurl parameter was a mile long and contained random upper- and lower-case letters. Clicking on the image immediately took me to the bogus site and kicked off the fake anti-virus message.
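The two tells described above (the image file and the "source" page living on different hosts, and an absurdly long imgrefurl made of random mixed-case letters) can be checked mechanically before a link is ever clicked. The script below is an added example written for this post, not code from the original article or from Google; it assumes the classic `/imgres?imgurl=...&imgrefurl=...` link format and uses two constructed sample links with placeholder hosts. The length and case-flip thresholds are assumptions, not values from the post. A host mismatch on its own is common (images are often served from a CDN), so it is reported as a signal but only the long, random-looking referrer path drives the verdict.

```python
"""Check a Google Images /imgres link for the fake-AV redirect pattern.

Added example, not code from the original post. Assumes the classic
imgres link format; hosts in the sample links are placeholders.
"""
from urllib.parse import urlparse, parse_qs

# Constructed sample links (placeholder hosts, not real sites).
SUSPICIOUS_LINK = (
    "http://www.google.com/imgres"
    "?imgurl=http://example.net/xKdJqPw/photo.jpg"
    "&imgrefurl=http://example.org/Qz/AbCdEfGhIjKlMnOpQrStUvWxYz"
    "/aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789/AbCdEfGhIjKlMnOpQrStUvWxYzAbCdEf"
    "&usg=__abc123&h=600&w=800"
)
BENIGN_LINK = (
    "http://www.google.com/imgres"
    "?imgurl=http://www.example.org/images/photo.jpg"
    "&imgrefurl=http://example.org/gallery/photos.html"
    "&h=600&w=800"
)

# Assumed thresholds: the post only says the referrer was "a mile long"
# and full of random upper- and lower-case letters.
REFURL_LEN_LIMIT = 80    # characters in the whole imgrefurl value
CASE_FLIP_LIMIT = 0.5    # fraction of adjacent letter pairs that change case


def split_imgres(link):
    """Return (imgurl, imgrefurl) from an /imgres link, or None if absent."""
    q = parse_qs(urlparse(link).query)
    if "imgurl" not in q or "imgrefurl" not in q:
        return None
    return q["imgurl"][0], q["imgrefurl"][0]


def bare_host(url):
    """Lower-cased hostname with a leading 'www.' removed, for comparison."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def case_flip_ratio(text):
    """Fraction of adjacent letter pairs whose case differs (1.0 = aBaBaB...)."""
    letters = [c for c in text if c.isalpha()]
    if len(letters) < 2:
        return 0.0
    flips = sum(1 for a, b in zip(letters, letters[1:])
                if a.isupper() != b.isupper())
    return flips / (len(letters) - 1)


def assess(link):
    """Describe the link and flag it when the referrer looks machine-generated."""
    parts = split_imgres(link)
    if parts is None:
        return {"parsed": False}
    imgurl, refurl = parts
    image_host, source_host = bare_host(imgurl), bare_host(refurl)
    result = {
        "parsed": True,
        "image_host": image_host,
        "source_host": source_host,
        "host_mismatch": image_host != source_host,   # signal, not a verdict
        "refurl_len": len(refurl),
        "case_flip_ratio": round(case_flip_ratio(urlparse(refurl).path), 2),
    }
    result["suspicious"] = (
        result["refurl_len"] > REFURL_LEN_LIMIT
        and result["case_flip_ratio"] > CASE_FLIP_LIMIT
    )
    return result


if __name__ == "__main__":
    for name, link in (("suspicious", SUSPICIOUS_LINK), ("benign", BENIGN_LINK)):
        print(name, assess(link))
```

Run it as-is to see both verdicts; to check a link from a real results page, paste the link's `href` into `assess()` without visiting it. Only the parsed `imgrefurl` value is ever inspected, so the script never contacts either host.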
So what can we do to see what the fake site is really doing?
(Just a warning: don't play with malware sites, especially on production systems. Doing so could get your system infected!)
There are several free malware analysis websites available. For this one, I chose Anubis. Anubis is backed by Secure Business Austria and is developed by the International Secure Systems Lab. It is an open framework for malware analysis, and the nice thing is that it allows you to submit sites by URL. From the Anubis home page, just paste in the suspicious website address and it will examine the web page with a simulated Internet Explorer. Anubis acts like an IE honeypot and records everything the page tries to do.
After you submit the page, it takes a few minutes for Anubis to perform the analysis. When it is finished, it provides you with an in-depth report of what it found.
Submitting this suspicious URL to Anubis resulted in a 9-page report. Below is an abbreviated summary of what Anubis found the website code trying to do:
- Changes security settings of Internet Explorer: This system alteration could seriously affect safety surfing the World Wide Web. Risk: MEDIUM
- Performs Registry Activities: The executable creates and/or modifies registry entries. Risk: LOW
- Further on in the report, under Registry Activities, Anubis reported that the website code tries to modify 3 Windows registry settings and tries to read over 50 more.
- Finally, it tries to read your Internet history and monitors the use of 6 keyboard keys and all three mouse buttons.
This is just what one malware analysis service found on the malicious website alone. Allowing the site to download the full malware to your system would bring in another level of problems.
With the rash of fake online anti-virus attacks, including the recent LizaMoon attack, it is important to remember not to allow any programs to run from unknown websites.