I came across something interesting while chasing up a fake antivirus lead the other day. As we often do here when looking for new threats, I visited the malicious URL and ran through the standard steps to download and install the risk. (Video of the threat follows below.)
It was one of those run-of-the-mill fake codec sites. You go to a page to watch a video, only it tells you that you don’t have the correct codec to watch it. You’re prompted to install a “codec”, but then bam!—an unexpected antivirus scan starts running on your computer.
In this case, while I was presented with a typical installation routine, an error message appeared at the end. This is also not uncommon, often meant to make the user think the codec failed to install, which they might believe is why they still can’t watch the video afterwards.
What was interesting was that no fake security scan appeared afterwards. However, I noticed the all-too-familiar red shield in the notification area of my taskbar. I initially thought it was the Windows Security Center, alerting me to the fact that this threat had disabled something. I double-clicked the icon and sure enough, up popped the Security Center with a big, red warning about my antivirus software. If I clicked the Recommendations button, it directed me to a Web site to buy a fake antivirus product.
So at first glance it looked like the threat had forgone installing any sort of scan and gone straight for the jugular that is the Windows Security Center, setting a notification that antivirus software was missing, and then suggesting a place where the user could purchase the threat.
To find out for sure, I opened up the Control Panel and launched the Security Center from there:
The Security Center is currently unavailable because the “Security Center” Service has not started or was stopped. Please close this window, restart the computer (or start the “Security Center” service), and then open the Security Center again.
It turns out that the threat had installed a misleading application after all—only one that is much more covert than its fake-scanning cousins. Looking back at the installation “error message”, it turns out that it is a legitimate error produced by the installer that the threat’s authors chose to use. The question is, was this a mistake, or was it deliberate? The installer erroring out would explain why no fake antivirus scan appeared. At the same time, the timing matched perfectly with the appearance of a fake codec not “installing”.
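A quick way to tell the real Security Center from an imitation like this one is to check the state of the genuine service and what it has registered. The following check is an added example, not something from the original post or the threat; it assumes a Windows host where the Security Center service carries its standard name, wscsvc, and where Get-CimInstance is available.

```powershell
# Added example (not from the original post): flag the symptom described above,
# a Security Center-style warning shown while the real Security Center service
# (wscsvc) is stopped, disabled or missing.
# Assumption: the service is named 'wscsvc' (its standard name) and
# Get-CimInstance is available on this host.

function Test-SecurityCenterState {
    $svc = Get-Service -Name 'wscsvc' -ErrorAction SilentlyContinue
    if (-not $svc) {
        # A missing service is as suspicious as a stopped one.
        return [pscustomobject]@{ Service = 'wscsvc'; Status = 'Missing'; StartMode = 'n/a'; Suspicious = $true }
    }
    $startMode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='wscsvc'").StartMode
    $suspicious = ($svc.Status -ne 'Running') -or ($startMode -eq 'Disabled')
    [pscustomobject]@{
        Service    = $svc.Name
        Status     = $svc.Status
        StartMode  = $startMode
        Suspicious = $suspicious
    }
}

# Antivirus products the genuine Security Center knows about. Vista and later
# expose them under root\SecurityCenter2; XP used root\SecurityCenter, so both
# namespaces are tried. An empty result with a "no antivirus" warning on screen
# should be read together with the service state above, not on its own.
function Get-RegisteredAntivirus {
    foreach ($ns in 'root\SecurityCenter2', 'root\SecurityCenter') {
        $av = Get-CimInstance -Namespace $ns -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
        if ($av) { return $av | Select-Object displayName, pathToSignedProductExe }
    }
}

Test-SecurityCenterState
Get-RegisteredAntivirus
```

If the service reports as stopped or disabled while a "Security Center" window is still offering recommendations, the window is not the one the service draws, which is exactly the situation the Control Panel message above exposes.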
Either way, it was a tricky and elegant way to go. Here is a video of it in action: