Crooks spread malware by tempting targets to disable antivirus

Criminals are posing as the vendor of a free secondary malware checker to dupe victims into switching off their antivirus.

Phone scammers pose as antivirus firms to defraud consumers, and web scammers trick victims into paying for antivirus products that do nothing. Then there are scams, such as the recent fake free Windows 10 upgrade, that attempt to lure potential ransomware targets.

A new ruse that blends all three examples aims to tempt fans of a free malware scanner product into joining a beta program that first requires the user to disable their antivirus.

Russian security firm Dr. Web issued a warning on Tuesday that some customers have received emails claiming to be from it, promising a trial of a bogus product called “Dr.Web CureIt 2”.

The security vendor’s real product, “Dr.Web CureIt!”, is a free ancillary malware cleanup tool that can check for and clean up malware even alongside an installed rival antivirus product. Dr. Web promotes it as a tool for consumers who worry about the effectiveness of their installed antivirus. It released version 10 of the tool earlier this year; there is no “CureIt 2”.

Dr. Web is less well known outside of Russia, though its products are available worldwide. According to the firm, the spammers are attempting to trick victims into installing malware. After inviting them to participate in the bogus tester program, the email then prompts users to switch off their antivirus, claiming that existing antivirus products can be incompatible with the Dr.Web CureIt 2 beta — the opposite of what Dr. Web says about its real product, which is designed to run alongside them.

The firm detected malicious spam on September 29, noting a link from the email leads to a fraudulent website where a Trojan attempts to load onto the victim’s PC.

The malware is designed to steal passwords and other confidential information stored on the compromised computer, the security vendor noted.

“Doctor Web would like to inform users that we are not conducting any tests of “Dr.Web CureIt 2”. Moreover, we strongly advise against installing and running any applications downloaded by opening links from such email messages,” the company said.


“Do not, under any circumstances, disable your anti-virus software,” it added.

Dr. Web’s alert was published following an unrelated report on Tuesday by security blogger Brian Krebs, who detailed a series of firebomb attacks on the security vendor’s offices in Russia and the Ukraine over the past year.

The attacks were allegedly meant to coerce the vendor into retracting details it had previously published about malware designed to skim credentials from ATMs. The firm said it had not given in to the attackers' demands, which it believed came from a malware gang based in the Ukraine.
