Fight scareware: Learn how your anti-virus works

Written on March 12, 2010

Wikipedia defines scareware as:

A tactic frequently used by criminals involving convincing users that a virus has infected their computer, then suggesting that they download (and pay for) antivirus software to remove it. Usually the virus is entirely fictional and the software is non-functional or malware itself.

Scareware usually hits you when you’re browsing a website that’s controlled by a malicious user. By taking advantage of search engine optimization (SEO) poisoning techniques, a Google search for a hot topic might actually redirect you to a malicious site. I won’t talk about SEO poisoning here; suffice it to say that an attacker can influence Google results so that his website shows up at the top of the list. This tactic is effective when people search for newly announced technologies, celebrity deaths, or natural disasters. Why should you be concerned? Because someday, searching for “new iphone 4G” might actually send you to a malicious website.

Scareware is designed to look like legitimate anti-virus software, usually a Windows based one. You’ll see a popup window with what appears to be the contents of your hard drive, a moving progress bar, and warning messages informing you that your computer is infected. You’ll be given an option to download the software or cancel the popup. I should mention that in most cases, either option will download the software.

I believe one reason scareware is so effective is that the majority of computer users don’t know what happens when their anti-virus detects malware. Almost everyone has an anti-virus solution from some well-known company, yet only a few have actually seen what happens when it goes into red alert. The chances of being tricked by malware become very slim when you know what should happen when your anti-virus kicks in. So how do you test your anti-virus? Well, you could infect it with a real virus, but that would be kind of irresponsible.

The solution is the EICAR (European Institute for Computer Antivirus Research) test. The EICAR test is designed so that anti-virus companies and users can check whether the anti-virus works. The test consists of downloading or creating a test file containing a specific set of characters designed to trigger any anti-virus to go off. The file itself is not a virus. EICAR offers several variants of the test file that can be downloaded here:

Any decent anti-virus scanner will immediately flag this as a virus the moment you download it. That is, before you even run it, it should be flagged and quarantined by your anti-virus. Take note of how your anti-virus warns you of the EICAR test file. This is what you need to expect when your computer is infected with a real virus. If at some point in the future you get a virus infection warning that looks nothing like what you just saw, then it’s probably scareware.
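As an added example (not part of the original post), here is a small Python script that builds the EICAR test string in memory, checks a candidate file against the rules EICAR publishes for it (the 68-byte string, optionally followed by whitespace, no more than 128 bytes in total), and can write the file out so you can watch how your own scanner reacts. The two halves of the string are joined only at run time, so the script itself does not carry the signature; the file name `eicar.com` is just a default I chose.

```python
import hashlib
import sys

# The 68-byte EICAR string, split in two so this source file does not
# contain the signature on disk; it is joined only when eicar_bytes() runs.
_EICAR_PARTS = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-",
                r"ANTIVIRUS-TEST-FILE!$H+H*")
EICAR_LEN = 68         # the signature is exactly 68 bytes
EICAR_MAX_FILE = 128   # trailing whitespace allowed up to 128 bytes total
_ALLOWED_TAIL = b" \t\r\n\x1a"   # space, tab, CR, LF, CTRL-Z


def eicar_bytes() -> bytes:
    """Return the 68-byte EICAR test string (harmless text, not code)."""
    return "".join(_EICAR_PARTS).encode("ascii")


def is_valid_eicar(data: bytes) -> bool:
    """Apply EICAR's rules: the first 68 bytes must be the exact string,
    only whitespace may follow it, and the file must not exceed 128 bytes.
    A scanner is entitled to ignore a file that breaks these rules."""
    if len(data) > EICAR_MAX_FILE:
        return False
    if data[:EICAR_LEN] != eicar_bytes():
        return False
    return data[EICAR_LEN:].strip(_ALLOWED_TAIL) == b""


def describe(data: bytes) -> dict:
    """Summarise a candidate file (size, validity, SHA-256) so the result
    can be compared with what the scanner's alert reports."""
    return {"size": len(data),
            "valid": is_valid_eicar(data),
            "sha256": hashlib.sha256(data).hexdigest()}


def write_test_file(path: str) -> int:
    """Write a valid test file (string plus newline); returns bytes written.
    Expect the scanner to flag or quarantine it as soon as it lands on disk."""
    data = eicar_bytes() + b"\n"
    with open(path, "wb") as fh:
        return fh.write(data)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "eicar.com"
    print(describe(eicar_bytes()))
    print(f"wrote {write_test_file(target)} bytes to {target}")
```

Run it on a machine whose scanner you want to inspect, then compare the alert you get with the size and hash the script prints.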

Anti-virus companies have gone to great lengths to keep their tools user-friendly, so taking a couple of minutes to see how it works is well worth the effort.

For further reading:

EICAR test file on Wikipedia

Symantec SEO poisoning article

The Register article on the booming scareware business market