Patrick, our resident rogue AV expert from AV Labs, has his eyes set on one particular family: FakeScanti. This rogue family first appeared in the first quarter of 2010 and has been on the radar ever since.
Enter AV Protection 2011.
This particular rogue is the latest in a handful of noteworthy variants within the FakeScanti family. What’s interesting about it is that it modifies the infected system’s HOSTS file upon execution, a capability more commonly seen in backdoors and worms. Whenever the user enters google.com, yahoo.com, bing.com, or facebook.com in the browser address bar, the modified HOSTS file directs them to 46(dot)4(dot)179(dot)109, a malicious IP in Germany where AV Secure 2012, another FakeScanti variant, is hosted.
Internet users can encounter this rogue when search engine optimization (SEO) poisoning or a spammed link leads them to a page that, once visited, serves the Blackhole exploit kit with this rogue AV bundled in. We detect AV Protection 2011 as Trojan.Win32.FakeAV.IS (v). We can also detect and clean the modified HOSTS file.
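Added example (not from the post or its author): a small Python checker that applies the detection described above to a HOSTS file, flagging entries that map the hijacked domains named in the post to a non-loopback address, and commenting those lines out so the file can be cleaned while the evidence is preserved. The sample HOSTS content and the 192.0.2.10 address are constructed for the demo, not real indicators.

```python
from ipaddress import ip_address

# Domains the post says this rogue hijacks, plus the bank names it mentions
# from the earlier phishing case. A real deployment would use a fuller list.
WATCHLIST = {"google.com", "yahoo.com", "bing.com", "facebook.com",
             "bankofamerica.com", "citibank.com"}

# Constructed sample HOSTS content. 192.0.2.10 is a TEST-NET address standing
# in for the attacker's server; it is not the IP from the post.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.10      google.com www.google.com
192.0.2.10      facebook.com
127.0.0.1       ads.example.net   # harmless ad-blocking entry
"""

def _base_domain(name: str) -> str:
    """Reduce www.google.com -> google.com so subdomain hijacks are caught."""
    parts = name.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else name.lower()

def find_hijacks(hosts_text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, ip, hostname) for every watchlisted name that is
    mapped to a non-loopback address. Loopback/unspecified mappings are the
    normal, benign content of a HOSTS file and are ignored."""
    hits = []
    for n, raw in enumerate(hosts_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        ip_str, *names = line.split()
        try:
            ip = ip_address(ip_str)
        except ValueError:
            continue   # not an address/hostname mapping line
        if ip.is_loopback or ip.is_unspecified:
            continue
        for name in names:
            if _base_domain(name) in WATCHLIST:
                hits.append((n, ip_str, name))
    return hits

def clean_hosts(hosts_text: str) -> str:
    """Return HOSTS content with hijacked lines commented out rather than
    deleted, so the original entries survive for incident review."""
    bad_lines = {n for n, _, _ in find_hijacks(hosts_text)}
    out = []
    for n, raw in enumerate(hosts_text.splitlines(), 1):
        out.append("# REMOVED-HIJACK: " + raw if n in bad_lines else raw)
    return "\n".join(out) + "\n"
```

On a live Windows system the file to check is %SystemRoot%\System32\drivers\etc\hosts; the checker flags benign non-loopback overrides for watchlisted names too, so review hits before cleaning.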
As you may recall, this isn’t the first time criminals have hijacked HOSTS files to dupe users, and they have done so in many ways. In one earlier case, phishers modified the HOSTS file to direct users to fake pages of popular banks, such as Bank of America and Citibank, whenever they keyed in the legitimate bank URLs in the address bar.
Users are advised to be wary of clicking links in emails. If you didn’t initiate contact with the party that sent such mails, it’s best not to bother with them at all; delete them from your inbox. Be careful with how you search online as well, since the criminals behind rogue AV are still banking on the old yet very effective SEO technique.
Jovi Umawing (Thanks to Patrick)