Today, while testing new malware and fake antivirus samples, a great idea came to my mind. Remember the trick where you hit CTRL+A and ENTER on your friend's computer? All the programs, files, shortcuts and everything else on the desktop are executed at the same time, and probably the only way to get back to normal work is restarting the computer.
The idea: what if we do the same with lots of various fake antiviruses?
This was blowing my mind all day, and at last I decided to take the challenge and do the test. I prepared my old Intel P4 computer with 512 MB of RAM, restored it to a fresh install and checked that everything worked perfectly.
Meet the participants - Fake antiviruses
After spending some time searching for various fake antivirus samples, I selected 14 participants. All of them are fake antiviruses that try to scare the user into buying the full version by displaying fake warnings and errors. Some of them are old versions, some are recent. Before starting the test I scanned all samples with AVG Antivirus Free Edition, and one of them is not even detected by this antivirus with very recent updates.
So the participants are:
- Internet Security
- Internet Security 2012
- System check
- System Fix
- Security Sphere 2012
- Windows Diagnostic
- XP Antivirus 2012 and other variants of this multi-named threat
- Windows Attacks Preventor
- Security Shield
- Smart Protection 2012 and some other variants of this fake av family
- Security Monitor 2012
Ready! Set! GO!
When everything was set up, I selected all the files and pressed ENTER. Before doing this I opened Task Manager; you can see that CPU usage is almost 0 percent.
When the fake antivirus samples were executed, Task Manager was closed immediately and there was no way to monitor CPU and memory load changes. But judging by the terrible hard drive noise and the mouse cursor barely moving, the average CPU load was near 100 percent.
After about a minute the first error appeared, saying "Unable to open script file", and the fake antivirus samples started to disappear one by one.
After another few minutes the Internet Security malware window showed up but quickly disappeared. An Internet Security icon also appeared on the desktop, along with a system tray icon for the same Internet Security, saying that some other fake antivirus sample cannot be executed because it is infected. It may be the first time this rogue program has told the truth :)
Another weird thing is that a new .exe file named "filesystemscan.exe" appeared in the fake antivirus folder. At this point 8 of the original 14 fake antivirus samples were left, and one new executable had been created by one of these fake programs.
After about 5 minutes the situation was stable: the hard drive noise was still terrible, but the mouse moved and I was able to work with the computer, although it was VERY slow. After clicking the Internet Security icon, Windows told me that the shortcut was broken and the file isecurity.exe was missing. I tried to run Task Manager again and was surprised that it was not disabled and none of the running malware processes killed it. CPU load was spiking between 10% and 100% all the time.
My test was heading for disappointment. None of the fake antiviruses showed up and none of them tried to scan my computer for errors. So I decided to repeat the test with the samples remaining in my fake antivirus folder, including the newly created one. When all files were selected and ENTER was pressed, Task Manager showed a constant CPU load of 100%, and after about half a minute a blue screen of death appeared and my computer restarted by itself.. :(
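As an added example (not part of the original post), here is a small Python script that inventories the sample folder before and after a run and reports which samples vanished, which files were dropped and which were rewritten; this is the bookkeeping that would have recorded the self-deleting samples and the new filesystemscan.exe described above. The folder contents in `simulate_run()` are constructed stand-ins, not the real samples.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(folder):
    """Inventory every regular file directly inside `folder`: name -> (size, sha256)."""
    inventory = {}
    for entry in sorted(Path(folder).iterdir()):
        if not entry.is_file():
            continue
        digest = hashlib.sha256(entry.read_bytes()).hexdigest()
        inventory[entry.name] = (entry.stat().st_size, digest)
    return inventory


def diff_snapshots(before, after):
    """Classify changes between two inventories:
    removed = samples that deleted themselves, added = dropped files,
    changed = files overwritten in place (size or hash differs)."""
    removed = sorted(set(before) - set(after))
    added = sorted(set(after) - set(before))
    changed = sorted(name for name in before.keys() & after.keys()
                     if before[name] != after[name])
    return {"removed": removed, "added": added, "changed": changed}


def simulate_run():
    """Constructed stand-in for the test folder (placeholder bytes, not real malware):
    three 'samples', one vanishes, one new .exe is dropped, one is rewritten.
    Returns (before, after, diff) so the result can be inspected."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        for name in ("sample_a.exe", "sample_b.exe", "sample_c.exe"):
            (folder / name).write_bytes(b"MZ placeholder " + name.encode())
        before = snapshot(folder)
        (folder / "sample_b.exe").unlink()                          # sample removed itself
        (folder / "filesystemscan.exe").write_bytes(b"MZ dropped")  # new file appeared
        (folder / "sample_c.exe").write_bytes(b"MZ rewritten")      # sample overwritten
        after = snapshot(folder)
        return before, after, diff_snapshots(before, after)


if __name__ == "__main__":
    _, _, changes = simulate_run()
    for kind, names in changes.items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

In a real run, take `snapshot()` of the folder before pressing ENTER and again once the machine settles, and keep the hashes of any added files so they can be looked up later.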
And finally.. the winner is.... Security Sphere 2012!
While my old PC was trying to boot Windows again, I wondered why none of the fake antiviruses showed up. But when I heard the Windows start-up sound and saw that my desktop background had been changed to a solid blue color, there was a little hope that we would nonetheless have a winner of the fake antivirus competition. And YES. Security Sphere 2012 showed up, scanning my PC and displaying fake errors. The test was a success, and now I know that the scariest and "best" fake antivirus is Security Sphere 2012.