Today, whilst testing new malware and fake antivirus samples, a 'great' idea occurred to me. Remember that trick when you hit CTRL+A and ENTER on your friend's computer? All programs, files, shortcuts, and everything else on the desktop are executed simultaneously. When this occurs, the only way to return the system to normal is to restart the computer.
The Idea - What if we do the same with many fake antivirus programs?
This was blowing my mind all day, so I finally decided to take the challenge and do the test. I prepared my old Intel P4 computer with 512 MB of RAM, restored it with a fresh install, and checked that it was in perfect working order.
Meet the participants - Fake antiviruses
After spending some time searching for various fake antivirus samples, I selected 14 participants. These were fake antivirus programs that attempt to scare users into buying full versions by displaying bogus warnings and errors. Some were old versions, some more recent. Before starting the test, I scanned all samples with AVG Antivirus Free Edition. One fake antivirus was not detected by AVG, despite ensuring AVG was running with the latest updates.
The participants are as follows:
- Internet Security
- Internet Security 2012
- System check
- System Fix
- Security Sphere 2012
- Windows Diagnostic
- XP Antivirus 2012 and other variants of this multi-named threat
- Windows Attacks Preventor
- Security Shield
- Smart Protection 2012 and some other variants of this fake av family
- Security Monitor 2012
Ready! Set! GO!
When everything was set up, I selected all files and pressed ENTER. Before doing this I opened the Task Manager. You can see that the CPU usage is almost at zero percent.
When the fake antivirus samples were executed, Task Manager was closed immediately, leaving no possibility to monitor CPU and memory load fluctuations. The hard drive noise was terrible and the mouse cursor was virtually impossible to move; not surprising, then, that the CPU load average was near 100 percent.
After about a minute, the first error appeared: "Unable to open script file". Fake antivirus samples started to disappear one by one.
After another few minutes, an Internet Security malware window appeared, but disappeared soon after. In addition, the 'Internet Security' icon appeared on the desktop and a system tray icon of the same name reporting that some other fake antivirus sample could not be executed, since it was infected. Perhaps the first time this rogue program reported the truth!
Another rather weird observation was that within the fake antivirus folder, a new '.exe' file appeared with the name 'filesystemscan.exe'. At this point, just eight fake antivirus samples remained from the fourteen at the outset of the test. A new executable file was created by one of these fake programs.
After approximately 5 minutes, the situation was relatively stable. Although the hard drive sound remained terrible, the mouse moved and I was able to work with the computer. It was, however, VERY slow. After clicking the Internet Security icon, Windows reported that the shortcut was broken and the file isecurity.exe was missing. I managed to run the Task Manager, surprised that it was not disabled by the running malware processes. The CPU load was continually spiking from 10% to 100%.
My test was about to reach a disappointing conclusion. None of the fake antiviruses appeared and none of them attempted to scan my computer for errors. Undeterred, I decided to repeat the test with the remaining samples within my fake antivirus folder and with the newly-created one. When all files were selected and ENTER pressed, Task Manager displayed a permanent CPU load of 100%, and after approximately 30 seconds a blue screen of death appeared. My computer restarted itself... :(
And finally... the winner is... Security Sphere 2012!
When my old PC was trying to boot Windows again, I wondered why none of the fake antiviruses had appeared. When I heard the Windows start-up sound and observed that my desktop background had been changed to a solid blue color, I realized there was hope. Despite my reservations, we would have a winner of the Fake Antivirus Competition! And sure enough, Security Sphere 2012 appeared, scanning my PC and displaying fake errors. Finally, the test was a success and I can confirm that the scariest and 'best' fake antivirus program is... Security Sphere 2012!