Authors of misleading applications are constantly coming up with new techniques to entice or scare users into buying their fake products. Once installed on a system, a misleading application uses various social engineering techniques, such as displaying fake scans, fake threats, and fake error messages. These techniques attempt to scare users into buying or activating the product in order to erase the made-up threats and remain protected. Registration usually costs $20 to $50 USD, but the whole thing is simply a large-scale social engineering scam.
Recently we came across a misleading application, Antivirus 2009, using a new social engineering technique. Once the latest version of Antivirus 2009 is installed on a system, it registers a Browser Helper Object (BHO) called “winsystems.dll”. BHOs are plug-in extensions for Internet Explorer and are often used by malicious applications.
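Because Internet Explorer loads BHOs from a fixed set of registry keys, an administrator can audit a machine for registrations like the one described above. The following PowerShell is an added example, not code from this post or from Symantec; it assumes the standard BHO registration under the Explorer\Browser Helper Objects key, resolves each CLSID to its DLL through InprocServer32, and flags DLLs that are unsigned or that carry the winsystems.dll name reported here.

```powershell
# Added example: list registered Browser Helper Objects and the DLL behind each.
# IE reads BHO registrations from these keys (64-bit view and the Wow6432Node 32-bit view).
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
# A BHO's CLSID maps to its implementing DLL via the InprocServer32 default value.
$clsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID',
    'HKCU:\SOFTWARE\Classes\CLSID'
)

function Get-InstalledBho {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $clsid = $sub.PSChildName
            $dll = $null
            foreach ($root in $clsidRoots) {
                $inproc = Join-Path $root "$clsid\InprocServer32"
                if (Test-Path $inproc) {
                    $dll = (Get-ItemProperty -Path $inproc).'(default)'
                    break
                }
            }
            # Registry paths may contain %SystemRoot%-style variables; expand before checking the file.
            $expanded = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { $null }
            $sig = if ($expanded -and (Test-Path $expanded)) {
                (Get-AuthenticodeSignature -FilePath $expanded).Status
            } else { 'FileMissing' }
            [pscustomobject]@{
                CLSID     = $clsid
                Dll       = $expanded
                Signature = $sig
                # Unsigned/missing DLLs and the file name from this post are hints for review, not proof.
                Suspicious = ($sig -ne 'Valid') -or ($expanded -match 'winsystems\.dll$')
            }
        }
    }
}

Get-InstalledBho | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run from an elevated prompt so that the HKLM keys and the DLL files are readable; legitimate but unsigned BHOs will also appear as suspicious and need manual review.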
Now, whenever a user visits any Google page, the BHO modifies the page in order to display a fake message that appears to be provided by Google. The fake message claims to be a tip from Google, advising the user to activate Antivirus 2009. If the user clicks on this fake tip, he or she is redirected to the Antivirus 2009 payment page. The fake tip is branded as “Google Tips,” a non-existent service, complete with a logo in order to make it look more legitimate.
Shown below is the HTML code inserted into the webpage by the BHO. This code is responsible for displaying the fake tip as shown above.
Symantec products will detect and remediate this malicious BHO. Users should keep their security software updated and avoid clicking on suspicious-looking links. An upcoming blog series explains more about misleading applications: what they are, how they get installed, and how users can protect themselves from these fake products.