Fake Antivirus: ‘System Doctor 2014’

Monday, July 8, 2013 @ 06:07 PM gHale


Right now ransomware is all the rage among attackers and more popular than fake antivirus attacks, but that does not mean there are no fake AVs out there.

Case in point: the creators of Rogue:Win32/Winwebsec are spreading a bogus antivirus application called “System Doctor 2014,” said Microsoft security researchers.


Researchers highlight that Rogue:Win32/Winwebsec only relies on one bogus antivirus at a time. This means that System Doctor 2014 is actually replacing its predecessor, System Care Antivirus.

System Doctor 2014’s design calls for it to check infected computers for signs of System Care Antivirus. If it finds the older version, System Doctor 2014 stops running.

Besides different looks, System Doctor 2014 also acts differently. It apparently cleans some of the fake threats before asking victims to pay up.

Users get a message saying some of the threats cannot be cleaned unless they activate the product, a process that requires the payment of a fee.

The names of the threats identified by System Doctor 2014 are from Microsoft’s malware encyclopedia.

Researchers did say there were some similarities between the two variants.

“Both have used the same custom obfuscation in an attempt to avoid detection by antimalware products, both use a similar request format when sending details of their installation to the distributors’ server, and both attempt to prevent all other programs from running apart from a few that appear on a specified whitelist,” said David Wood of MMPC Melbourne.

In addition, both variants use the same activation code.

If you want to avoid falling victim to fake AVs, make sure you only use the solutions offered by reliable vendors. Also install the product yourself, since fake antiviruses might trade on the name and reputation of legitimate applications.
