The threat landscape has been accustomed to rogues for a while now. They’ve been rampant for the past few years and there likely isn’t any end in sight to this scam. These aren’t complex pieces of malware by any means and typically don’t fool the average experienced user, but that’s because they’re aimed at the inexperienced user. We’re going to take a look at some of the improvements seen recently in the latest round of FakeAVs that lead to their success. While the images shown carry the different names A-Secure, Zorton, and AVbytes, the programs are identical in execution and appearance and are likely from the same author(s). Webroot users are protected from all variants of these encountered.


This is what the GUI looks like and it’s pretty standard. It is well polished and every button is fully functional. Those “scanned files” don’t actually exist, but those directories do, so this simple indexing can add some form of legitimacy for unsuspecting users.


This is probably the biggest improvement to the veil of legitimacy. These brands of FakeAV now come with an action center window that is almost identical to the real one. Right where you would normally see your legitimate security software’s status in Windows, they have theirs listed in the same fashion. This is just a fake action center, and the malware will prevent you from opening the real action center and will just redirect you to this window. I can see this tactic fooling even the average user at times. These rogues wouldn’t be complete without a payment “website” and these probably have the best developed so far. Here is the payment page and the home page.


Not only do these pages contain fake awards from legitimate testing companies, but they also have phony reviews and even a simulated news feed with product updates, blogs and press releases. This really is the icing on the scam cake as depending on the limited interaction you’ve had with the rogue, it could be enough to convince you that this program will actually help you and may be worth the money. Now skeptics will notice that there are some flaws like “VMworld 2011 Europe” – how would a 2015 product make it to that expo? And the image used at the top of the home page shows Win XP security when the product is for Win 7. These are all minor mistakes and could have easily been fixed. I suspect that we’re only going to see more innovation in the future and eventually might find rogues that will blur the lines between legitimate and fraudulent so well that they’ll be almost indistinguishable.

Tyler Moffitt

About the Author


Tyler Moffitt is a Sr. Security Analyst who stays deeply immersed within the world of malware and antimalware. He is focused on improving the customer experience through his work directly with malware samples, creating antimalware intelligence, writing blogs, and testing in-house tools.
