Fake AV software steals your passwords!

06/29/2010
G DATA Blog

The Fake AV software we discovered in combination with the reported spam wave is a very tricky one: It actually steals the user's passwords!

The Fake AV extracts the passwords from the system's so-called Protected Storage, displays them to the user and at the same time pretends to be the saviour: "Your computer is being attacked from a remote PC. [...] Process is stealing your passwords listed below." Guess what it wants you to do?! Of course: "Prevent Identity Theft" and buy the useless software.


But, actually, why should you buy the software? We were able to easily extract the "license key" from the .exe file and enter this as registration information. And, at one fell swoop, we were registered users and "protected".


Back to the password stealing mechanism: it is only implemented for Internet Explorer 6 and looks suspiciously similar to the code of open-source IE "password recoverers"; on other systems it displays only generic logins (see the asterisks in the first screenshot). However, the code does not reveal any kind of transmission of the credentials to an external recipient.

Besides the password feature, this Fake AV seems to be just another generic one, built with the same toolkit as e.g. Digital Protection, Dr. Guard or Paladin Antivirus. The program's behaviour after clicking the "Buy Software" button is also predictable: Credit card information is needed.


We definitely advise you not to rely on these expensive and fake security programs! Rather make sure your protection solution is a high quality one. We do recommend G Data security solutions... not just because they are cheaper ;-)