Fake Desktop Utilities

December 23, 2010

The SonicWALL UTM Research team has been monitoring fake desktop utilities since mid-October. While we continue to see new variants of Fake Antivirus every day, this is a new approach adopted by Fake AV authors to target unwitting users. Like Fake AV, these fake utilities may arrive via spammed e-mails or via drive-by downloads from compromised sites.

So far we have received multiple variants of fake desktop utilities, including Disk Doctor, Windows Defrag, Disk Scanner, Control Panel, Utility Manager, etc. The agenda is much the same as with Fake AV: infect the computer, scare the user with fake errors, and make them purchase a product to fix the errors.

screenshot

As you can see above, they use a fake icon and fake file version information to masquerade as legitimate utilities. Below are some screenshots showing the fake desktop utilities in action:

screenshot

screenshot

screenshot

In addition to the above activity, some of the newer variants randomly generate "hard drive problem" alerts whenever the user attempts to open any application after infection.

screenshot

If the user falls for the trap and attempts to buy the software, it loads a fake address bar image containing SSL certificate information and the secure lock image inside the same product window, further assuring the user of a safe, legitimate transaction. In the background it attempts to connect to the landing site, which had been taken down at the time of writing this alert.

screenshot

SonicWALL Gateway AntiVirus provides protection against these fake utilities via the following signatures:

GAV: Suspicious#fakeav_17 (Trojan) [ ~900,000 hits ]
GAV: Suspicious#fakeav_16 (Trojan) [ ~5,000 hits ]