The Latest in IT Security

FakeAV online scanner scam still in the wild – Let’s have a look at the possible evolution of some famous FakeAV scanner scams


The FakeAV business faced a decrease in the last few months. Due to federal law enforcement activities against the FakeAV industry and some major search engine optimizations to prevent blackhat seo poisoning, less infections of FakeAV programs were reported in the last five months. Despite those measures, FakeAV is still a serious threat to everyone who surfs the Internet. Once again, this fact makes the point because the G Data SecurityLabs have recently detected FakeAV online scanner scams that deceived many users once more.
Those scams are, individually seen, no new kind of scanner scams, but examined in a cross-border context, some interesting details about the evolution of scanner scams come to light.

During the last three weeks we observed FakeAV online scanner scams that try to lure users into installing malware when they open specially prepared websites that try to impersonate a virus scanner. Those websites themselves are not malicious, but their purpose definitely is. Over that period of time we downloaded various scanner pages and examined their code in detail.
Basically, most of these popular scanner pages try to simulate the Microsoft Windows Explorer layout and present a bogus malware scan to trick users into installing fake antivirus software. Although their behavior has been described numerous times, they are obviously still very popular with criminals because of their social engineering approach. The user’s fear of his/her system being infected still is enough to trick users into installing the rogue software that can seemingly offer help.

The types of scanners we discovered tried to impersonate the layout of Windows XP and Windows 7. The procedure when a user opens the scanner website is always the same, only the websites’ layouts differ. However, a user doesn’t normally visit those websites on purpose. Most of the time, the user reaches it after a chain of redirections, which is triggered by clicking a harmless link on a website the user originally visited. Those harmless websites are sometimes exploited and existing links are then edited in a way that a user gets redirected to the evil scam site. The redirection happens, not visible for the user, and the original visited websites’ reputation is abused to make the scam appear credible. The following section provides an overview of the examined types of scanner pages.


Step 1: Bogus warning
When a user opens a compromised website, a JavaScript warning is displayed.
These warnings just differ in syntax and web layout in terms of the used browser.

 Picture of a fake Antivirus warning

Step 2: Fake system scan
This is the main part of the scanner page. After the user has clicked the OK button on the initial warning, a bogus scan presents several infections on the user’s system. These scans are plain JavaScript. The scanned files, file extensions and also the found threats are randomly generated by the script from a fixed set of values. Have a look at the examples below:

 A picture of FakeAV showing alleged infections, generated from a fixed set of values

The examined code indicates that all scanner pages were probably initially coded by a small group of people or a single person only, because many used code fragments were basically identical. Also, the Cascading Style Sheets, that were used to recreate the Windows Explorer look, had a consistent structure. Even the used names for the CSS items were almost the same in each scanner version.

The pictures embedded in the CSS are also worth a comment. While the pictures in some XP style versions have meaningful names like “hdd” or “progressbar”, in some later versions of the Windows 7 style scanners, those pictures have random names and it can be assumed that the pictures were renamed by an automated mechanism to evade detection.
When it comes to a dynamic adjustment of the sites’ layout, none of the discovered sites takes the trouble to check the User Agent to set the site’s layout accordingly to the used operating system.
Since when do we have a Microsoft Windows layout under Linux?

 Picture of a FakeAv scan result in Win7 design in a Linux system

It can be assumed that criminals don’t bother with that because the vast majority of users have a Microsoft Windows operating system anyway. The only method of an adjustment we found was a server that hosted both Windows layouts and checked the User Agent to load the correct Windows layout.

Some of the sites we found used different simple base64 encoding techniques to obfuscate the JavaScript, while other pages used the same code without obfuscation.
These obfuscation techniques mentioned are used to hamper a manual code inspection from a security analyst, as well as an automated inspection with a tool. The fact that some pages use obfuscation while others don’t, hardens the assumption that these pages were created by a small group of people that sold their code to other criminals who then subsequently added techniques to obfuscate their code the raised the bar for analysts When we deobfuscated the different scripts, all scripts were basically identical with the ones we found in plain text.

 A picture showing obfusctaed JavaScript code in FakeAV

Step 3: Fake scan results and bogus software
After the fake scan is finished, all seemingly discovered threats are presented and a "solution" is offered. When we examined the code, we observed another evolution in the code. While the scan results in the Windows XP version consisted of a picture only, the results in the Windows 7 version were generated dynamically by JavaScript and allowed user interaction with the listed results in a scrollable window.

 A picture of scrollable FakeAv scan results in Win7 design

The discovered fake scanner pages were exclusively hosted on fast living free domain hosting sites, with an average lifetime of one day. One of the scanner pages was only accessible with Microsoft IE. In the case that this page is visited with Firefox, the user is directed to websites that contain adult content.


Step 4: Attempted Infection
After the scan, a binary is offered for download. The websites are configured in a way that a user is almost not able to refuse the download because closing the browser window and clicking the “back” button in the browser is disabled via JavaScript. Every time a user is trying such actions, the download dialog is showing up again and again. At this point of time, no infection took place, yet.

Picture of the FakeAV website offering

How to avoid the download?
Although closing the browser directly is disabled, the JavaScript code cannot restrict any actions outside the browser context. This means: To end the scan fraud, a user should open the Windows Task Manager and terminate the browser process. The termination can be done by clicking STRG-ALT-DEL, opening the Task Manager and then ending the respective browser application (eg. Firefox, Internet Explorer or Chrome) by clicking the “End Task” button.


How to protect yourself from FakeAV in general

  • Use a genuine and comprehensive AV product with current virus signatures, http-filter etc. to really protect your pc and all digital data.
  • If you download software from the internet, download it from the software’s vendor’s web page or from download websites with a good reputation only.
  • If a website shows you a download dialogue, check whether this actually is a file you intend to download. Those automatic pop-ups can also provide fake software.
  • Always maintain the operating system and browser updated to the latest version and regularly install updates.
  • Do not click hyperlinks thoughtlessly.
  • Analyze the style of language and the orthography of the pop-ups and warnings displayed. Too many mistakes or odd phrasing hint at scam.
  • Furthermore, e.g. a genuine Windows system tray pop-up would be displayed in your system language – If you are using a non-English Windows system, the real messages will appear in these non-English languages.

Leave a reply



Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...



Latest Comments