The evils of FakeAv

As discussed at EGconf'10 - here's a few screenies of my sequinned assistant.. I mean respected colleague ;) Nile visiting a fakeAv site. Of course he was running firefox on linux at the time, so had little chance of getting infected seriously - although Wine was perfectly willing to run it!

Rather than bore you with the stuff I put together for our internal team, I'll give you guys the raw material. I suggest you use a screenshot of this, combined with your REAL av whatever you use - and let users know the difference. If you close the site before you get to the final phase, you are generally safe.

If you want to harmlessly trigger your real desktop AV in order to get a screengrab, you can use the EICAR test file: http://www.eicar.org/anti_virus_test_file.htm this is a small, harmless file that *should* trigger a positive in any AV engine. If yours doesn't complain to your vendor. I have certainly seen it trigger Clam, Kaspersky, Bitdefender and Sunbelt.

Few extra bits:

How did we find this site? Well we searched for "Rima Fakih pole dancing" - some ex-Miss USA with an.. embarrassing.. old home movie. This is how these guys operate - they pimp on popular search terms. Today you'll find some on "red dead treasure map" though the cleanup is well under way there.

The Virustotal PDF is a printout of an analysis I sent to virustotal when we were looking at aforementioned pole-dancer.. it was certainly a couple of days into the outbreak, and as you can see, the nature of the malware has rendered many of the "big names" ineffective. In fairness, running that same exe now, a couple of weeks later, gets 38/41 coverage, with Fortinet being the only relatively major casualty.