The Rise of Fake Anti-Virus

Wednesday, April 14, 2010 8:55 AM

For years, we have detected malicious content on the web and helped protect users from it. Vulnerabilities in web browsers and popular plugins have resulted in an increased number of users whose systems can be compromised by attacks known as drive-by downloads. Such attacks do not require any user interaction, and they allow the adversary to execute code on a user’s computer without their knowledge. However, even without any vulnerabilities present, clever social engineering attacks can cause an unsuspecting user to unwittingly install malicious code supplied by an attacker on their computer.

One increasingly prevalent threat is the spread of Fake Anti-Virus (Fake AV) products. This malicious software takes advantage of users’ fear that their computer is vulnerable, as well as their desire to take the proper corrective action. Visiting a malicious or compromised web site — or sometimes even viewing a malicious ad — can produce a screen looking something like the following:

At Google, we have been working to help protect users against Fake AV threats on the web since we first discovered them in March 2007. In addition to protections like adding warnings to browsers and search results, we’re also actively engaged in malware research. We conducted an in-depth analysis of the prevalence of Fake AV over the course of the last 13 months, and the research paper containing our findings, “The Nocebo Effect on the Web: An Analysis of Fake AV distribution” is going to be presented at the Workshop on Large-Scale Exploits and Emergent Threats (LEET) in San Jose, CA on April 27th. While we do not want to spoil any surprises, here are a few previews. Our analysis of 240 million web pages over the 13 months of our study uncovered over 11,000 domains involved in Fake AV distribution — or, roughly 15% of the malware domains we detected on the web during that period.

Also, over the last year, the lifespan of domains distributing Fake AV attacks has decreased significantly:

In the meantime, we recommend only running antivirus and antispyware products from trusted companies. Be sure to use the latest versions of this software, and if the scan detects any suspicious programs or applications, remove them immediately.
The comments you read here belong only to the person who posted them. We do, however, reserve the right to remove off-topic comments.


Math said...

I've had a fair share of experience with Fake AVs which inspired me to write about it here - which I'm sure many readers will benefit from. said...

Thank you Google for using your reach to help bring the dangers of this blight to more people. I have been on my soap box for almost daily on my web site and to my clients about this.

Josh Kirschner said...

Thank you for your research on rogue security software. It's a big issue and one that we hear about from our readers all the time.

We put together an overview for the novice on how to spot - and stop - rogue security software that may be of help to the less-techie folks out there:

Akinity said...

Colour me a cynic, but when I see an article about fake AV software with just three comments each promoting a blog with, presumably, links to 'recommended solutions' - I wonder whether the fox is already in this particular hen-house.

Balaji Baskar said...

i have had similar pop-ups opened up before (as shown in this post), but is there a way we can report the sites (ip address, url) to someone?

Josh Kirschner said...


Your concern is valid. However, this Google post doesn't help you identify or remove rogue security software; we thought we'd provide some information on how to do so.

Most of our recommendations come from Symantec and other (real) security companies, and we echo Google's advice to only purchase software from known providers.

Our articles are written by professional tech journalists.
Unfortunately, as your comment shows, it is very difficult in the Internet world to differenitate between real advice and scams.

Josh Kirschner

triv said...

The biggest problem I've found in dealing with and removing these types of malware is:

There are so many variants that it seems no blog post ever covers the particular variant you are dealing with.

Also, the blog posts are generally out of date by the time you need them. For the most part, if you are in the business of ridding computers of these sorts of nasties, you just need to grab as many tools as possible and hope that the variant you are dealing with can't block them all!

For instance, my father just got hit with one called "Anti-virus Suite". All the usual apps, autoruns, rootkit revealer, ComboFix (and many others) were unable to even see it. By complete luck, it didn't disable Microsoft Security Essentials, which was able to remove it in just a minute once I realized this.

If it was anyone else besides my father (or a well-paying customer), I would just do a clean install on the system and be done with it.

Brian said...

I am most interested in how they are able to get their malware sites so high in the Google search pages. Can you blog more on how and what you are doing to prevent them from appearing in your searches?

Travis said...

Thanks Google!!! This blog is very helpful to alot of people because more and more everyday computers are being attacked by FAKE anti-viruses. I hope that this reaches as many people as possible before it happens to them as well.

I had the same probelm not to long ago but finally decided to buy Norton AntiVirus and everything is back great now!

Secured Tao said...

Like "Math" Post, my kids and I had many hits of these fake Anti-Virus programs during our browsing.

I also wrote a post to give details about my experiences.

I am glad that Google is trying to fight against these pesky malwares. But I think Google really needs to work on their search results to prevent those malware sites ranked so high.

Michael Searles said...

I am a victim of the current fake Internet Security Tool pop-up virus which sabotages my browsing among other things.
Interestingly, I think I have the IP address and the script for the pop-up part of the virus, which clearly includes a hosting URL/domain, which on searching WhoIs shows it was registered to an owner in the Bahamas.
For your interest here is what I discovered -

WhoIs Lookup Details -


Date Registered: 2010-4-21
Date Modified: 2010-4-21
Expiry Date: 2011-4-21


URL/IP address of (I believe) hosted source code:

I have sent an email to the registrar and hosting company of the above domain - Corp.

any comments or feedback would be appreciated.

Pepin said...

If you realy want to make sure you and your loved ones dont get hit by these sorts of programs again. Kill them from the source tell everyone you can contact to never under any circumstances pay these guys. The one thing I can see in common with all of these programs is they require you to pay with your credit card to remove them. If no one pays them their will be no incentive to hold peoples computer hostage anymore. Put this up on your myspace, facebook, hell even your twiter. If we spread the idea like a virus to dry these guys out no one will take the risk again to make these programs again.

udoyen said...

I am personally grateful I recently even discovered another trick. I signed on to a website I thought was for socializing only to discover it was merely a means to gather e-mail adds for spamming campaigns. So that's another way they operate.

Thanks Google I followed your advice and will continue to do so..


Thomas said...

Really there are many fake antivirus on the net and it is diffcult for the user who are using free virus protection software for their computer's and laptop.
All we do is spend some dollar and buy a branded antivirus like kaspersky or McAfee.