1. Field of the Invention
The present invention relates generally to computer security, and more particularly but not exclusively to methods and apparatus for detecting fake antivirus in computers.
2. Description of the Background Art
Computer viruses, worms, Trojans, rootkits, and spyware are examples of malicious codes that have plagued computer systems throughout the world. Although each type of malicious code differs technically from the others, technology for detecting any of them is generally referred to as “antivirus.” Malicious codes have become so widespread that experienced computer users have some form of antivirus in their computers.
Fake antivirus, also referred to simply as “Fake AV,” comprises malicious code disguised as an antivirus. Fake antivirus typically mirrors the layout and behavior of legitimate (i.e., non-malicious) antivirus, and is relatively difficult to detect using conventional antivirus technology. For example, conventional pattern matching algorithms may be employed to detect program icons and keywords in the program shortcuts, registry entries, and files employed by fake antivirus. However, icons and keywords are easily changed by fake antivirus programmers, making fake antivirus difficult to detect by conventional pattern matching. Worse, fake antivirus may also be packed (i.e., compressed) as an executable file and use a legitimate-looking graphical user interface (GUI).
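The following is an added illustration, not part of the patent text, of the conventional pattern matching described above: a scanner that checks shortcut names, registry run values and file names against keyword patterns and known icon hashes. The artifacts, keyword patterns and icon bytes are all constructed for the example; the second artifact set shows how a renamed program with a slightly altered icon produces no hits at all.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed keyword patterns of the kind a conventional pattern matcher might
# apply to shortcut names, registry value data and file names.
KEYWORD_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"antivirus\s*(20\d\d|pro|plus)",
    r"security\s*(shield|guard|tool)",
)]

# Constructed icon bytes standing in for a known fake-AV program icon; a real
# matcher would hold hashes of icons extracted from known samples.
KNOWN_ICON = b"\x00\x00\x01\x00" + bytes(range(64))
KNOWN_ICON_HASHES = {hashlib.sha256(KNOWN_ICON).hexdigest()}

@dataclass
class Artifact:
    location: str          # shortcut path, registry value path or directory
    text: str              # shortcut name, registry value data or file name
    icon: bytes = b""      # icon resource bytes, if the artifact carries one

def scan(artifacts):
    """Return one (location, reason) tuple per artifact matched by keyword or icon hash."""
    hits = []
    for a in artifacts:
        if any(p.search(a.text) for p in KEYWORD_PATTERNS):
            hits.append((a.location, "keyword"))
        elif a.icon and hashlib.sha256(a.icon).hexdigest() in KNOWN_ICON_HASHES:
            hits.append((a.location, "icon"))
    return hits

# Constructed artifacts: obvious fake-AV naming plus the known icon ...
OBVIOUS = [
    Artifact(r"C:\Users\alice\Desktop\Antivirus 2012.lnk", "Antivirus 2012", KNOWN_ICON),
    Artifact(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AV2012",
             r"C:\ProgramData\av2012\Antivirus Pro.exe"),
    Artifact(r"C:\ProgramData\av2012", "Security Shield.exe", KNOWN_ICON),
]
# ... and the same program with neutral names and one icon byte altered.
REBRANDED = [
    Artifact(r"C:\Users\alice\Desktop\Updater.lnk", "Updater", KNOWN_ICON[:-1] + b"\xff"),
    Artifact(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd",
             r"C:\ProgramData\upd\svcupd.exe"),
    Artifact(r"C:\ProgramData\upd", "svcupd.exe", KNOWN_ICON[:-1] + b"\xff"),
]

def hit_counts():
    """Number of artifacts flagged in each set: (obvious, rebranded)."""
    return len(scan(OBVIOUS)), len(scan(REBRANDED))

if __name__ == "__main__":
    print(hit_counts())  # (3, 0)
```

A detector relying only on these surface features therefore has nothing to flag once the strings and icon change, which is the weakness the passage describes.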