Fake AV Attacks Decline as Cybercriminals Shift Tactics

Cybercrooks are not ready to give up on fake anti-virus attacks just yet and they’re even coming up with new methods to trick victims into paying up.

These rogue anti-virus campaigns display numerous virus warnings on infected machines in an effort to trick users into paying a fee to have the so-called threats removed. With the emergence of ransomware, fake anti-virus activity has declined significantly. However, while such threats are not as common as they used to be, cybercriminals continue to use them to make a profit.

Security researchers at Microsoft have been monitoring the evolution of fake AVs and they’ve noticed that pieces of malware such as Win32/Winwebsec, Win32/OneScan, Win32/FakeXPA and Win32/FakePAV, which at one point were the most prevalent of the rogue families, have been on a downward trend all over the world.

“However, since the big malware ‘players’ are having more trouble in taking advantage of users paying for fake security products, and are moving away from this kind of social engineering, we are seeing other players willing to fill the gap – luckily with small impact,” Daniel Chipiristeanu of the Microsoft Malware Protection Center explained in a blog post.

One example is the fake AV detected by Microsoft as Rogue:Win32/Defru. It’s not uncommon for such malware to prevent victims from visiting the websites of security solutions providers to ensure that the infection cannot be easily removed. However, Defru takes it even further by using the “hosts” file to redirect users to a fake antivirus website.

When the victims attempt to access sites like,,, and, they are taken to a bogus “Windows Security” page where they’re presented with a fake scan and several malware alerts. A total of more than 300 websites are targeted by Defru, including security websites, news websites, social networks and other popular online services.

After being presented with the bogus warnings numerous times, users might give in and agree to pay to have their computers “cleaned up.”

The cybercriminals behind this operation appear to be targeting Russian-speaking users, with most victims located in Russia, Ukraine and Kazakhstan.

“The rogue is written in PHP, uses a PHP EXE compiler (Bambalam) and will copy itself to %appdata%\w1ndows_<4chars>.exe (e.g. “w1ndows_33a0.exe”). It persists at system reboot by adding itself to the registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with the value “w1ndows_<4chars>,” said Chipiristeanu.

Fortunately, removing the malware from an infected device is not difficult: delete the “w1ndows_<4chars>” value from the “Run” registry key, delete the executable from disk, and remove the redirect entries the rogue added to the “hosts” file.
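The hosts-file redirect and the cleanup steps above translate directly into a small audit script. The following PowerShell is an added example written for this page; it is not Microsoft's or SecurityWeek's code, and it makes two assumptions the article does not state: that the Run value name and dropped file name match `w1ndows_` followed by four alphanumeric characters, and that a hosts file mapping many hostnames to a single non-loopback address (the threshold is a parameter) is the kind of mass redirect described above. It only reports unless run with `-Remove`; editing the hosts file requires an elevated prompt.

```powershell
# Added example (not code from the article or from Microsoft): audit a Windows host for
# Defru-style indicators and, with -Remove, clean them up.
# Assumptions (not from the article): value/file name pattern w1ndows_<4 alphanumerics>;
# a single non-loopback IP that many hostnames resolve to is treated as a mass redirect.
param(
    [switch]$Remove,               # without this switch the script only reports
    [int]$RedirectThreshold = 20   # hostnames sharing one IP before it is flagged
)

$runKey      = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$hostsPath   = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$namePattern = '^w1ndows_[0-9a-z]{4}$'   # assumed shape of w1ndows_<4chars>

# 1. Persistence: the w1ndows_<4chars> value in the current user's Run key.
$runProps = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($runProps) {
    foreach ($p in $runProps.PSObject.Properties) {
        if ($p.Name -notmatch $namePattern) { continue }
        Write-Host "Run value '$($p.Name)' -> $($p.Value)"
        if ($Remove) {
            # Delete the binary the value points at, then the autorun entry itself.
            $exe = [Environment]::ExpandEnvironmentVariables(($p.Value -replace '"', ''))
            if (Test-Path -Path $exe) { Remove-Item -Path $exe -Force }
            Remove-ItemProperty -Path $runKey -Name $p.Name
        }
    }
}

# 2. Dropped binary: %appdata%\w1ndows_<4chars>.exe (in case the Run value was already gone).
Get-ChildItem -Path $env:APPDATA -Filter 'w1ndows_*.exe' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.BaseName -match $namePattern } |
    ForEach-Object {
        Write-Host "Dropped file: $($_.FullName)"
        if ($Remove) { Remove-Item -Path $_.FullName -Force }
    }

# 3. hosts file: group active mappings by IP. Loopback entries are normal; one
#    non-loopback IP that hundreds of hostnames point at is the redirect pattern.
$lines = Get-Content -Path $hostsPath
$byIp  = @{}
foreach ($line in $lines) {
    $t = ($line -split '#')[0].Trim()          # strip comments
    if (-not $t) { continue }
    $parts = $t -split '\s+'
    if ($parts.Count -lt 2) { continue }
    $ip = $parts[0]
    if ($ip -in @('127.0.0.1', '::1')) { continue }
    if (-not $byIp.ContainsKey($ip)) { $byIp[$ip] = @() }
    $byIp[$ip] += $parts[1..($parts.Count - 1)]
}
$badIps = @($byIp.Keys | Where-Object { $byIp[$_].Count -ge $RedirectThreshold })
foreach ($ip in $badIps) {
    $sample = ($byIp[$ip] | Select-Object -First 3) -join ', '
    Write-Host "hosts: $($byIp[$ip].Count) hostnames redirected to $ip (e.g. $sample)"
}
if ($Remove -and $badIps.Count -gt 0) {
    Copy-Item -Path $hostsPath -Destination "$hostsPath.bak" -Force   # keep a backup
    $kept = $lines | Where-Object {
        $t = ($_ -split '#')[0].Trim()
        (-not $t) -or (-not ($badIps -contains ($t -split '\s+')[0]))
    }
    Set-Content -Path $hostsPath -Value $kept -Encoding ASCII
}
```

Reporting first and removing only on request is deliberate: hosts entries are also used legitimately (development overrides, ad blocking), so the threshold should be reviewed against the listed sample hostnames before running with `-Remove`. Also check the other autorun locations (the HKLM Run key, scheduled tasks) if the binary reappears, since the article only describes the HKCU Run value.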

Dodi Glenn, senior director of Security Intelligence and Research Labs at ThreatTrack Security, believes that redirecting users from legitimate websites to malicious ones can be an effective method of siphoning money from victims.

“There has been a big decline in rogues lately. We tend to see spikes in rogue malware distribution towards September, when students are going back to school, and the holiday season begins. The miscreants will typically prey on people who are searching for hot topics, such as Christmas gifts, etc., by setting up drive by download sites, infecting machines which have vulnerabilities on them,” Glenn told SecurityWeek.

Experts say cybercriminals are moving away from fake anti-virus attacks because they’re not as profitable as they used to be.

“Fake A/V is something that we’ve been monitoring for a long time and it has been a favorite tool in the arsenal of cyber criminals given the ease with which users can be tricked into either paying for a bogus subscription, or downloading malware when presented with what looks like a legitimate anti-virus alert,” said Jayce Nichols, chief of threat analysis and innovation at iSIGHT Partners.

“The reduction in infections from Fake A/V most likely points toward a decrease in profitability for the criminal actors using it – either driven by heightened user awareness and (more likely) effective combatting techniques from anti-malware vendors. Criminal actors typically take the path of least resistance which also promises the highest return. Cyber criminals gravitate towards the most profitable options – if rogue / Fake A/V is becoming less profitable, they are going to use it less,” Nichols told SecurityWeek.

Both experts agree that ransomware is much more efficient when it comes to helping cybercrooks make a profit.

“We believe that ransomware applications, like CryptoLocker, will continue to be created, in efforts to take money from victims. It is important to know that these applications are not only targeting Windows machines, but also Android devices,” Glenn said.

“We’ve seen a rise in ransomware – primarily because unlike Fake A/V, the bad actors can actually hold the victim over a fire by encrypting their files. We reported on an active campaign using ransomware just the other day – which appears to use a new variant we dubbed ‘TorrentLocker’ – and we think that we’ll continue to see broad use of ransomware as an alternative to Fake A/V moving forward,” Nichols noted.


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
