Fun with Math
September 30, 2010
FakeAV is rapidly becoming *THE* malware of choice these days. There’s even a new version of FakeAV that lets you select which version of FakeAV you want installed. It makes sense, really. If you’re going to have your personal data stolen, they may as well give you some choice in the matter!
Sophos is currently up to version “BUG” (as of 8:19am CST) for version numbers on Troj/FakeAV. They use a base 26 system for version numbering.
This is where the math fun comes in.
My 14-year-old was watching me flesh this article out last night on my laptop and had no idea what “base 26” meant, so I took a few minutes to explain the concept of how base numeral systems work. I then had him work out the basic math involved to figure out what version “BUF” represents in decimal. He struggled to wrap his head around the math involved, but in time we arrived at our final equation of (2*square(26))+(21*26)+6=1904.
For some really fun numbers, let’s take a look at the Troj/Agent-OVN which was first detected in 2004. It’s up to 10,726 variants as of today. For real mind-boggling stats, the Storm email worm had over 5,000 variants in its first month alone.
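The suffix arithmetic worked out above, as an added example (not code from the original post or from Sophos). It assumes the letters map A=1 through Z=26 with no zero digit, which is what the BUF calculation implies, and it also shows the reverse conversion from a variant count back to a suffix.

```python
import string

ALPHABET = string.ascii_uppercase  # assumption: A=1 ... Z=26, no zero digit


def suffix_to_number(suffix: str) -> int:
    """Decode a letter suffix such as 'BUF' into its decimal variant number."""
    s = suffix.upper()
    if not s or any(ch not in ALPHABET for ch in s):
        raise ValueError(f"suffix must be letters A-Z only: {suffix!r}")
    n = 0
    for ch in s:
        # Each step shifts the running total one base-26 place to the left.
        n = n * 26 + (ALPHABET.index(ch) + 1)
    return n


def number_to_suffix(n: int) -> str:
    """Encode a decimal variant number (>= 1) as a letter suffix."""
    if n < 1:
        raise ValueError("variant numbers start at 1 (suffix 'A')")
    letters = []
    while n > 0:
        # There is no zero digit, so subtract 1 before each division:
        # 26 must encode as 'Z', not as 'A' followed by a zero.
        n, rem = divmod(n - 1, 26)
        letters.append(ALPHABET[rem])
    return "".join(reversed(letters))


if __name__ == "__main__":
    # Suffixes taken from the text above.
    for name in ("BUF", "BUG", "OVN"):
        print(f"{name} -> {suffix_to_number(name)}")
    # The variant count quoted for Troj/Agent-OVN, converted back to letters.
    print(f"10726 -> {number_to_suffix(10726)}")
```

Under that mapping, OVN decodes to 10726, the same figure quoted above as the variant count for Troj/Agent-OVN.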
So what does this tell us?
Malware authors are, for the most part, rather lazy: they reuse a lot of previously successful attack code with a few minor changes, which lets it slip past most anti-virus solutions until a specific virus definition has been written to detect the new version.
Storm was a great example of this with its myriad of variations, but Sophos was able to stop it with a single family trait identifier. This is what makes Sophos such a pain in the butt for hackers. Their fantastic Sophos Behavioral Genotype Protection is able to detect malicious behavior even before specific signature-based detection has been issued. It’s basically as simple as this… if it looks like a duck, walks like a duck and quacks like a duck, odds are, it’s a duck. Let’s just say, duck is always on the menu when Sophos is protecting your network.
And if you’re interested in learning more about FakeAV and how you can stop it, check out our upcoming webinar on October 7th:
What is FakeAV and how can I stop it?
Thursday, Oct. 7th
1 p.m. CST
During the last year, the number of FakeAV executables has grown enormously from less than 1,000 to well over half a million. Find out how your company can use Sophos network security solutions to protect yourself against this nasty malware threat.
This webinar will teach you:
- Where FakeAV comes from
- What happens when a system is infected
- Types of FakeAV campaigns including Windows Security Updates and fake Facebook applications
- And most importantly, how to protect yourself from FakeAV attacks