Video Screencast Help
Scheduled Maintenance: Symantec Connect is scheduled to be down Saturday, April 19 from 10am to 2pm Pacific Standard Time (GMT: 5pm to 9pm) for server migration and upgrades.
Please accept our apologies in advance for any inconvenience this might cause.

AntiVirus Live and Netsky. Coincidence? Nope.

Created: 20 Jan 2010 11:57:32 GMT • Updated: 23 Jan 2014 18:30:10 GMT
khaley's picture
+1 1 Vote
Login to vote

AntiVirus Live, Personal Security, Malware Defense, and Desktop Defender

These are all names for different rogue security software programs. We identified 250 different “brands” of these bogus products in the Rogue Security Software Report published in October 2009. But these four—and many others—are not among those 250. They are all new since October. You can see some examples of some of the new graphic styles of these fake AVs here.

In fact, there are so many of these misleading applications that we don’t even try to write a unique definition for each one of them. We use generic signatures such as Trojan Horse, Trojan.FakeAV, and Trojan.FakeAV!gen.

While we aren’t surprised about new names, it doesn’t mean that we can’t occasionally be surprised. Take last week for example. While looking at some search trends on virus names I noticed an increase in searches for the threat Netsky.

Netsky is a mass-mailer that first appeared in 2004. Could it be possible that a Netsky outbreak was about to happen? I took a look at our Global Intelligence Network numbers to find an answer. As it turns out, the number of Netsky infections we’ve seen in the last year would fit in a thimble. So why all the interest in Netsky?

A quick call to one of our threat analysts cleared up the mystery. It’s something to do with what a group of bad guys behind certain rogue security software are currently doing. No, they aren’t infecting people’s machines with Netsky, but they are telling them that. Part of the social engineering effort behind these threats is to try and convince users that their computers are massively infected with malware. And what could be more convincing then using the name of real malware? So the users see a pop-up that tells them they are infected with known malware. If these users do a bit of research they will soon learn that it is a real threat. And therefore the bogus infection seems real.

We’re also seeing a lot of these bogus antivirus products attacking though infected media files in P2P networks. And, as written about previously, the miscreants behind poisoned search engine results piggybacking on Haiti earthquake tragedy headlines are trying to get you to open their links. So be careful out there.