Malware Posing as Fake Desktop Utilities Instead of Phony Antivirus

In the past two months, fake anti-virus scareware has morphed into variants pretending to be generic security products, disk utilities and the trusty defrag tool, according to researchers.

Recently, researchers at GFI Software have noticed an increase in the number of fake security software scams purporting to be disk utilities that fix disk errors. Instead of listing Trojans, these security alerts pretends to find disk fragmentation or file system integrity problems.

“Fake AV authors have added a new branch to their rogueware business,” Desai said. He expects to see more variants of both fake anti-virus and utilities in the coming months.

The rogue products initially looked like a generic security product, addressing a range of system issues with names like HDDDDiagnostic, PCoptomizer and Privacy Corrector, according to GFI. Since then, there’ve been a series of “defragger clones” with names like UltraDefragger and ScanDisk that claim to find read/write errors on the hard disk drive, according to the blog.

The fake disk defrag and scanning utilities started showing up in mid-October, according to Deepen Desai, senior researcher from SonicWALL’s threats team. He noted that new variants are often “A/V resistant” because legitimate security products may not be able to immediately identify the files as fake. Rand Abrams, director of technical education at ESET said these variants are “not yet as popular as they will become.”

Scareware refers to software that displays legitimate looking pop-up windows and dialog boxes claiming serious problems with the user’s computer. Often posing as anti-virus or anti-spyware software, the messages list several malware infections and scare the user into purchasing anti-virus software immediately to fix the problem. Some known variants mimic Microsoft Security Essentials or McAfee, while others have real-sounding names such as Security Tools or Pest Detector.

Fake utilities are generally marketed differently from fake A/V, said Larsen. The potential victim is generally already searching for a disk utility or trying to resolve an issue when the scammer says, “’Here’s what you were searching for,’ and hand them a malware payload instead,” said Larsen.

Users should be wary of any error messages coming from software they didn’t install, and should not purchase or install any software that suggests downgrading the Web browser to an older version, according to GFI Software’s researchers.

There are even some variants that detect legitimate anti-virus software and prompt users to uninstall it, according to Sophos researcher Chester Wisniewski.