It's always interesting to watch what little hooks and schemes the malware industry has cooked up in an attempt to better bait the public and the new Anti-Virus-1 package doesn't disappoint. AV-1 is a cute mixture of scareware and malware, and while we've seen XP Antivirus playing this turf for years, AV-1 adopts a few new tactics of its own. Once run, the program installs its particular Trojan of choice (Zlob and Vundo are apparently popular options), then makes certain modifications to the hosts file.

BleepingComputer.com has assembled a list of these changes, a sample of which is included below. If a user attempts to visit any of the links listed, he or she is directed to a site under the control of the botnet controllers.

a1.review.zdnet.com

www.reviews.download.com

reviews.download.com

reviews.pcadvisor.co.uk

reviews.pcmag.com

Once redirected, users are served up with what appears to be an actual, legitimate review of Anti-Virus-1 from a reputable source. These reviews appear to be thinly-veiled rips of what has been written about actual anti-virus scanners—in BleepingComputer's example image, you can see where the words "Norton Antivirus 2009" were presumably removed, with "AntiVirus2010" substituted. This leads to some odd-looking ad copy—"Win Your Own AntiVirus2010TM2008"—but the swap doesn't stand out nearly as much as we might like.
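As an added illustration (not from the article or from BleepingComputer's report), here is a small Python check that parses a hosts file and flags overrides like the ones listed above; the sample hosts text and the 192.0.2.44 address are constructed placeholders, not values from any report.

```python
import ipaddress

# Constructed sample hosts file, modelled on the entries the article describes.
# The address 192.0.2.44 is a documentation-range placeholder, not a real IoC.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# entries of the kind injected by the scareware installer
192.0.2.44   a1.review.zdnet.com
192.0.2.44   www.reviews.download.com  reviews.download.com
192.0.2.44   reviews.pcadvisor.co.uk
192.0.2.44   reviews.pcmag.com
127.0.0.1    ads.example.net
"""

# Review sites named in the article as being redirected.
WATCHLIST = {
    "a1.review.zdnet.com", "www.reviews.download.com",
    "reviews.download.com", "reviews.pcadvisor.co.uk", "reviews.pcmag.com",
}

def parse_hosts(text):
    """Yield (ip_address, hostname) pairs from hosts-file text, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # malformed line, not an address
        for host in fields[1:]:                 # one IP may name several hosts
            yield ip, host.lower()

def find_hijacks(text, watchlist=WATCHLIST):
    """Return (hostname, ip, reason) for entries that look like a hijack.

    A watched review site mapped anywhere is flagged. Any other hostname pinned
    to a routable (non-loopback) address is flagged too, since loopback entries
    such as ad-blocking lists are the only common benign pattern.
    """
    hits = []
    for ip, host in parse_hosts(text):
        if host in watchlist:
            hits.append((host, str(ip), "watchlisted review site overridden"))
        elif not (ip.is_loopback or ip.is_unspecified or host == "localhost"):
            hits.append((host, str(ip), "hostname pinned to routable address"))
    return hits

if __name__ == "__main__":
    for host, ip, reason in find_hijacks(SAMPLE_HOSTS):
        print(f"{host:28} -> {ip:14} {reason}")
```

On a Windows system the same check would be run over %SystemRoot%\System32\drivers\etc\hosts; a clean file normally contains nothing but loopback entries.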

Attempting to bank off the Symantec name is a calculated risk; the authors are obviously hoping that viewers might lock on to the brand familiarity without actually remembering the "Norton" brand. (I'd like to date myself by noting that I actually thought Norton Utilities was extremely cool back around version 2.0. Yes, people used to like programs with the word "Norton" in them.) The fake reviews do a fair job of either copying the look/feel of the original sites or, more probably, simply taking the requisite HTML wholesale.

BleepingComputer's report doesn't specify if infected users are actually directed to the false reviews in question or are simply fed them if they happen to visit, but the Trojan serves up an array of false positives and other warnings all aimed at selling a copy of Anti-Virus-1 (or AntiVirus2010). The program is, for all intents and purposes, Antivirus XP in different clothes, and like that program, it pretends to scan the system, detect and remove dangerous software, and regularly update itself.

Both the FTC and Microsoft took steps last year to attack the scareware industry, but it's unclear whether the problem can be treated as a separate issue or only addressed as part of the wider war on malware. Meanwhile, the success of Antivirus XP may have attracted additional players to the field, including at least one scheme that targets Mac users.

Scareware's obvious Achilles' heel is the fact that money directly changes hands; consumers who believe they are buying legitimate PC protection are actually paying for infectious software. In addition, the scareware initiatives we've typically seen to-date all leverage the brand recognition of legitimate companies. Microsoft has a direct interest in protecting the "XP" brand, Symantec does not want its name associated with malware, and PC Magazine has built its reputation and reader base by providing factual reviews of products people might actually want to own.

Thus far, Microsoft is the only software vendor that has made a major push against scareware, but that would likely change if other software developers found their own names prominently slapped on a fraudulent product. Scareware is a problem, but the same characteristics that make it function may also be the seeds of its downfall.

Listing image by Flickr CC