Fake Antivirus Forces User Uninstall of Legit A/V

Dennis Faas's picture

Hackers are running a new social engineering scheme that tricks users into uninstalling their legitimate anti-virus program protecting their computer, and using a rogue product instead.

Those behind the duping scheme have leveraged a clone of the CoreGuard (fake) Antivirus product and relabeled it as AnVi Antivirus. Both products are rogue.

Rogue antivirus products have become a reoccurring problem for security companies, though one particular security software firm, Symantec, noted that this method of attack differs from rogue antivirus products of the past.

Symantec, AVG, Microsoft Antivirus Products Targeted

Symantec stumbled upon the AnVi Antivirus scheme when hackers attempted to get them to uninstall some of their own software. Symantec employees reported that, when infected by AnVi, a "warning is displayed that the Symantec anti-virus is 'uncertified' and will hamper the system's performance." (Source: informationweek.com)

From there, the user becomes a virtual hostage within their own computer system, realizing that they have become the victim of a rogue attack.

"The user is left with no other option than clicking OK, which initiates the uninstall process. Even if the user clicks the 'close' button, the uninstaller of the anti-virus product still executes."

Symantec researchers also discovered that AnVi also attempted to download rogue anti-virus software by linking to malware-ridden websites. Once installed, users are bombarded with notifications that their system is infected and that it will cost money to fix the problem, which doesn't technically exist.

AnVi Antivirus is also attacking other big-name antivirus products, including Microsoft, AVG antivirus, Spyware Doctor, and Zone Labs. (Source: symantec.com)

Fake Antivirus, Social Engineering a Lethal Combination

Unfortunately, the combination of dubious antivirus and social engineering has become a popular method among online evildoers. Earlier this week, Panda Labs reported more than 200 fake web addresses capitalizing on the allure of teen heartthrob Justin Bieber to spread a form of rogue software called MySecurityEngine. (Source: itpro.co.uk)

As Luis Corrons, technical Director of PandaLabs, warned "When positioning websites used to distribute malware among the first results in search engines, they can be sure that numerous Internet users will inadvertently download the fake anti-virus."

Rate this article: 
No votes yet