+ Post New Thread
Results 1 to 1 of 1
Internet Related/Filtering/Firewall Thread, The evils of FakeAv in Technical; As discussed at EGconf'10 - here's a few screenies of my sequinned assistant.. I mean respected colleague Nile visiting a ...
  1. #1


    tom_newton's Avatar
    Join Date
    Sep 2006
    Location
    Leeds
    Posts
    4,487
    Thank Post
    867
    Thanked 855 Times in 675 Posts
    Rep Power
    197

    Angry The evils of FakeAv

    As discussed at EGconf'10 - here's a few screenies of my sequinned assistant.. I mean respected colleague Nile visiting a fakeAv site. Of course he was running firefox on linux at the time, so had little chance of getting infected seriously - although Wine was perfectly willing to run it!

    Rather than bore you with the stuff I put together for our internal team, I'll give you guys the raw material. I suggest you use a screenshot of this, combined with your REAL av whatever you use - and let users know the difference. If you close the site before you get to the final phase, you are generally safe.

    If you want to harmlessly trigger your real desktop AV in order to get a screengrab, you can use the EICAR test file: http://www.eicar.org/anti_virus_test_file.htm this is a small, harmless file that *should* trigger a positive in any AV engine. If yours doesn't complain to your vendor. I have certainly seen it trigger Clam, Kaspersky, Bitdefender and Sunbelt.

    Few extra bits:

    How did we find this site? Well we searched for "Rima Fakih pole dancing" - some ex-Miss USA with an.. embarrassing.. old home movie. This is how these guys operate - they pimp on popular search terms. Today you'll find some on "red dead treasure map" though the cleanup is well under way there.

    The Virustotal PDF is a printout of an analysis I sent to virustotal when we were looking at aforementioned pole-dancer.. it was certainly a couple of days into the outbreak, and as you can see, the nature of the malware has rendered many of the "big names" ineffective. In fairness, running that same exe now, a couple of weeks later, gets 38/41 coverage, with Fortinet being the only relatively major casualty.
    Attached Files Attached Files
    Last edited by tom_newton; 3rd June 2010 at 01:59 PM. Reason: EICAR info

  2. 2 Thanks to tom_newton:

    azrael78 (3rd June 2010), OverWorked (17th June 2010)



SHARE:
+ Post New Thread

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •