[Security] Troj/FakeAv-AAL Steals Your FTP Credentials

Troj/FakeAv-AAL is a variant of the Fake AV family of rogue security software. Alongside the bogus scanner it installs a packet sniffer, detected as Troj/Sniffer-R, which captures FTP credentials. From the Sophos report:

The trojan initially sets up a socket to receive all incoming and outgoing packets and sits in a loop, waiting for packets with a source or destination port of 21 — the FTP control port number. It captures the host name, user name and password for any outgoing FTP connections, and checks the user and password combo are valid by parsing incoming FTP traffic for the ‘login success’ status code. Only the credentials which result in a login success are subsequently reported to a remote server — which currently maps to a known malicious domain associated with rogue security software.
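The following Python is an added example, written for this post and not taken from the Sophos write-up or from the trojan itself. It reconstructs the harvesting logic the report describes over a constructed, in-memory capture of port 21 traffic: track USER/PASS per connection, confirm the pair only when the server answers with the 230 "logged in" reply, and drop it on a 530 rejection. The `Packet` structure, the addresses (RFC 5737 documentation ranges) and the sample capture are all assumptions made for the example; the same logic run over a real capture is a quick way for a defender to find plaintext FTP logins crossing their own network.

```python
# Added example (not the trojan's code and not from the Sophos write-up):
# reconstructs the credential-harvesting logic described above over a
# constructed, in-memory capture of FTP control-channel (port 21) traffic.
# Addresses use RFC 5737 documentation ranges; every packet is made up.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Addr = Tuple[str, int]  # (ip, port)


@dataclass
class Packet:
    src: Addr
    dst: Addr
    payload: bytes


@dataclass
class Attempt:
    host: str                      # server address the client connected to
    user: Optional[str] = None
    password: Optional[str] = None


def _conn_key(pkt: Packet) -> tuple:
    # Direction-independent key so the client's USER/PASS pairs up with the
    # server's reply on the same connection.
    return tuple(sorted([pkt.src, pkt.dst]))


def harvest_ftp_logins(packets: List[Packet]) -> List[dict]:
    """Return only the credentials the server accepted with a 230 reply."""
    pending: Dict[tuple, Attempt] = {}
    confirmed: List[dict] = []
    for pkt in packets:
        if 21 not in (pkt.src[1], pkt.dst[1]):
            continue                      # not FTP control traffic
        key = _conn_key(pkt)
        outgoing = pkt.dst[1] == 21       # client -> server
        for raw in pkt.payload.split(b"\r\n"):
            if not raw:
                continue
            line = raw.decode("ascii", errors="replace")
            if outgoing:
                verb, _, arg = line.partition(" ")
                verb = verb.upper()
                if verb == "USER":
                    pending[key] = Attempt(host=pkt.dst[0], user=arg)
                elif verb == "PASS" and key in pending:
                    pending[key].password = arg
            else:
                code = line[:3]
                if code == "230":         # 230 = user logged in, proceed
                    att = pending.pop(key, None)
                    if att and att.user is not None and att.password is not None:
                        confirmed.append(
                            {"host": att.host, "user": att.user, "password": att.password})
                elif code == "530":       # 530 = not logged in; discard attempt
                    pending.pop(key, None)
    return confirmed


CLIENT_A: Addr = ("192.0.2.10", 51234)
CLIENT_B: Addr = ("192.0.2.10", 51235)
FTP_GOOD: Addr = ("198.51.100.5", 21)
FTP_BAD: Addr = ("203.0.113.7", 21)
WEB: Addr = ("203.0.113.9", 80)

# Constructed capture: two interleaved FTP sessions plus unrelated HTTP noise.
SAMPLE_CAPTURE: List[Packet] = [
    Packet(FTP_GOOD, CLIENT_A, b"220 Welcome\r\n"),
    Packet(FTP_BAD, CLIENT_B, b"220 Welcome\r\n"),
    Packet(CLIENT_A, FTP_GOOD, b"USER alice\r\n"),
    Packet(CLIENT_B, FTP_BAD, b"USER bob\r\n"),
    Packet(CLIENT_A, WEB, b"GET / HTTP/1.0\r\n\r\n"),          # ignored (port 80)
    Packet(FTP_GOOD, CLIENT_A, b"331 Password required\r\n"),
    Packet(FTP_BAD, CLIENT_B, b"331 Password required\r\n"),
    Packet(CLIENT_A, FTP_GOOD, b"PASS s3cret\r\n"),
    Packet(CLIENT_B, FTP_BAD, b"PASS wrong\r\n"),
    Packet(FTP_BAD, CLIENT_B, b"530 Login incorrect\r\n"),    # rejected: dropped
    Packet(FTP_GOOD, CLIENT_A, b"230-Welcome alice\r\n230 Login successful\r\n"),
]

if __name__ == "__main__":
    for cred in harvest_ftp_logins(SAMPLE_CAPTURE):
        print(cred)
```

Only alice's login on 198.51.100.5 is reported: bob's attempt is discarded on the 530, and the HTTP segment never reaches the parser. The two sessions from the same client are kept apart by keying on the full address pair rather than the client IP alone.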

The people behind Fake AV constantly register new domains and move existing ones to new IP ranges to stay ahead of blacklists. The tactic only works for a short time, but it still harms every user who lands on the bogus pages. They also stuff those pages with bogus keywords to poison search results and drive search-engine users to the malicious sites.

If you are a website administrator, keep your software and operating systems patched and updated to the latest version. Keep in mind that FTP sends the user name and password in plaintext, which is exactly what this sniffer relies on, so prefer SFTP or FTPS for uploads, and rotate any FTP password that was used from a machine that may have been infected.

As an end user, install reputable anti-virus and anti-spyware software and, as always, keep the virus and spyware definitions up to date.

You can follow me on Twitter at http://twitter.com/vaibhav1981

