Crooks trying out new tactics to spread fake AV

Infection numbers of well-established fake AV families have reached the lowest level in years, and Microsoft researchers believe the drop is the result of the antimalware industry’s efforts and greater user awareness.

As vacuums usually tend to get filled again pretty soon, other malicious players have tried to step in. Case in point: the Defru rogue AV.

Defru’s modus operandi is simple. It modifies Windows’ hosts file – the file that tells the PC what webpage to go to when the user types a URL into the Internet browser – to redirect users to a malicious website that sports a fake infection warning:

This redirection happens if the user wants to visit one of the 300+ websites that include those of popular AV vendors, security forums, news sites, online services, social networks and search engines.

This list is currently predominantly populated with websites popular with Russian-speaking users, which should not be a surprise given that the fake warning is written in Russian.

The warning tries to convince users to buy a licence for “Windows Security,” priced at $4.75. Those who do will not have their systems cleaned, and they will continue to be redirected to the warning.

Luckily, this malware is easy to remove. “The user can clean their system by removing the entry value from the ‘run’ registry key, delete the w1ndows_.exe file from disk and delete the added entries from the hosts file,” Microsoft advises. Those who are unsure how to do all this can use free, legitimate AVs to remove the malware.

“Before paying for a product (either a security product or any other) make a thorough investigation to make sure that it is a legitimate product and it is not fake or a copy of a free one,” they added a final piece of advice.