NEWSFakeMBAM: The Malware That Disguise It Self as antivirus


NEWSFakeMBAM: The Malware That Disguise It Self as antivirus

The story of FakeMBAM reminds me of a personal experience: many years ago I took a business trip to an international presentation organized by a major European security company, a meeting attended by no less than a hundred tech media editors. 

One of the sessions focused on FakeAV, you know, those pathogens that pretended to be a security solution, subjected your system to a supposed analysis and, after detecting multiple (and nonexistent) threats, they offered to clean your system for a modest price. It goes without saying that the only malware that entered the system in this operation was the supposed antivirus.

The interesting thing about that experience was that, by surprise, they gave us an examination of the attendees: with only 24 interface screenshots (one for each program), we had to find out which ones corresponded to legitimate security solutions and which ones were FakeAV. If there were 100 people in the room, only five or six of us were able to detect the impostors. And I'm not saying this to give me flowers, watch out, but as an example of how difficult it can sometimes be to detect threats like FakeMBAM, even for experts.

Cybercriminals have been searching for a way to circumvent the growing culture of cybersecurity for many years. And what better than to impersonate a security solution to try to deceive the user? That's what FakeAVs "played" a decade ago, and that is what FakeMBAM intends today: to impersonate a legitimate and recognized security solution, thus gaining the trust of users. The problem, of course, is that not only does it not protect the system from threats, but it also installs a Trojan on the system.

As you may have already guessed from its name, FakeMBAM pretends to be Malwarebytes Antimalware, a popular security solution that, admittedly, has been quite well emulated by the creators of this malware. And this is something we know today thanks to the technical analysis carried out by Avast researchers who, after detecting the pathogen at the end of August, have already been able to dissect it and gather a lot of intelligence about it.

The main dissemination technique of FakeMBAM is to be distributed in conjunction with a Download Studio version, a Bittorrent client quite popular in Eastern Europe (not to be confused with Conceiva software, which is a legitimate application). In addition, although to a lesser extent, it also does so through three ad blockers: NetShield Kit, My AdBlock and Net AdBlock. In all cases, the installation of the Trojan went hand in hand with that of these applications.

Once on the system, to appear legitimate, it copies some legitimate files from the Malwarebytes security solution, in an attempt to impersonate what it is not. However, and despite its efforts in this regard, FakeMBAM is already identified by security manufacturers and, therefore, their security solutions (the real ones, including Malwarebytes Antimalware) detect this Trojan and eliminate its threat.

Previous Post Next Post

Found this article interesting? Follow Hackers Review on Facebook, Twitter  and Telegram to read more exclusive content we post.