​Crooks spread malware by tempting targets to disable antivirus

Criminals are posing as the vendor of free secondary malware checker to dupe victims into switching off their antivirus.

Phone scammers pose as antivirus firms to defraud consumers and web scammers trick victims into paying for antivirus products that do nothing. Then there are scams, such as the recent fake free Windows 10 upgrade that attempted lure potential ransomware targets.

A new ruse that blends all three examples aims to tempt fans of a free malware scanner product into joining a beta program that first requires the user to disable their antivirus.

Russian security firm Dr. Web issued a warning on Tuesday that some customers have received emails claiming to be from it, promising a trial of a bogus product called “Dr.Web CureIt 2”.

The security vendor’s real product “Dr.Web CureIt!” is a free ancillary malware cleanup tool that can check for and clean up malware even in the presence of existing rival antivirus products. Dr. Web promotes it as a tool to help consumers that worry about the effectiveness of an installed antivirus product. It released version 10 of the tool earlier this year, however there is no “CureIt 2”.

Dr. Web is less well known outside of Russia though it’s products are available worldwide. According to the firm, the spammers are attempting to trick victims into installing malware. After inviting them to participate in the bogus tester program, it then prompts users to switch off their antivirus because the beta — as opposed to claims by Dr. Web for its real product — can be incompatible with Dr.Web CureIt 2.

The firm detected malicious spam on September 29, noting a link from the email leads to a fraudulent website where a Trojan attempts to load onto the victim’s PC.

The malware is designed to steal passwords and other confidential information stored on the compromised computer, the security vendor noted.

“Doctor Web would like to inform users that we are not conducting any tests of “Dr.Web CureIt 2”. Moreover, we strongly advise against installing and running any applications downloaded by opening links from such email messages,” the company said.

Read more: ​Data Classification: the first step in securing your intellectual property

“Do not, under any circumstances, disable your anti-virus software,” it added.

Dr. Web’s alert was published following an unrelated report on Tuesday by security blogger Brian Krebs, who detailed a series of firebomb attacks on the security vendor’s offices in Russia and the Ukraine over the past year.

The attacks were allegedly meant to coerce the vendor into retracting details it had previously published about malware designed to skim credentials from ATMs. The firm said it had not given into the attackers' demands, which it believed were from a malware gang based in the Ukraine.

Blast from the past?

Try our new Space Invaders inspired video game NOW.

What score can you get ?


Join the CSO newsletter!

Error: Please check your email address.

Tags Dr. WebRussian securityWindows 10disable antivirusransomwaremalwareCSO AustraliaCureIt 2​Crooks

More about

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Liam Tung

Latest Videos

More videos

Blog Posts