Flash-Based Fake Antivirus Software: Windows Risk Minimizer

Fake antivirus software or "scareware" is nothing new, but these applications continue to get more sophisticated. We recently discovered a relatively new fake antivirus application called Windows Risk Minimizer.

The fake antivirus software was promoted through spam sent from a popular webmail service. This is slightly unusual as normally fake antivirus infections arrive through drive-by exploits. Spam messages promoting the fake antivirus software contained links to compromised domains, which then redirected users to the fake antivirus site. We witnessed over 300 compromised domains being used in just a few hours.

When opening the fake antivirus site, the user is greeted with a JavaScript alert message, whereby the fake antivirus (referred to here as "Windows Secure Kit 2012") claims that your machine is infected.

When OK is clicked, a fake scan is carried out.

The page uses Flash making it look more convincing with realistic icons, progress bars, and dialog boxes. Unsurprisingly, the fake antivirus detects plenty of viruses. Decompressing the Flash file and analyzing it shows a huge list of files contained within it. The Flash movie then simply picks some of these at random and claims they are infected (with equally random virus names).

Once the scan is complete, a Windows Security Alert dialog appears with a summary of the scan. This dialog can be moved around the screen and (for reasons unknown) the different infections can be selected and unselected.

Like many fake antivirus sites, when trying to close the window or tab, the user is greeted with an alarmist message warning of dire consequences unless the infection is removed.

When clicking Remove All in the Windows Security Alert window, the user is prompted to download a malicious executable file that contains Windows Risk Minimizer software. When opened, the following professional-looking screen is displayed:

Again, unsurprisingly, the fake antivirus software identifies several infections.

When this window is closed, the malware repeatedly harasses with pop-up warnings and balloon messages in the notification area. All of these messages are designed to convince the user an infection exists on the computer and they should purchase the (useless) software.

One message falsely claims the Google Chrome Web browser is infected. Clicking Prevent attack opens a payment window.

Another message claims illegal BitTorrent usage has been detected and refers to the controversial US SOPA (Stop Online Piracy Act) legislation. In this case, there is no Prevent attack button; instead there is a Get anonymous connection button, which also opens a payment window.

The final type of alarmist message observed when analyzing this fake antivirus software claimed that some kind of identity theft was in progress.

All of these different types of attack make it seem like there is a serious infection, so it is easy to understand why many users may be unwittingly tricked into purchasing what is useless software.

At $99.90, apparently including support (see below), this useless software is not cheap.

We also recently spotted some different fake antivirus software where JavaScript code on the page appeared to vent the author's rage against two makers of legitimate antivirus software, including an offensive message about a particular antivirus application. It is easy to understand why a malware author might be unhappy about antivirus software, but including offensive messages like this simply makes it easier to block their malware.

To avoid getting infected with fake antivirus software, ensure you keep your operating system, Web browser, and antivirus software up to date with all security patches.

Symantec.cloud customers are protected from these threats through advanced link analysis. Protection is also included in Symantec's security products.