Malwarebytes, an anti-malware company and product, has issued a warning that the product known as Malwarebiter “is actually fake Anti-Malware software that detects legitimate files as malware (i.e. False Positives) and fails to detect any real malware.” Furthermore, the malwarebiter (dot) com website delivers the “Zeus Trojan malware via a Java or PDF drive-by exploit.”
Malwarebytes plans to publish a more detailed report later this week. In the meantime, however, if Malwarebytes is correct, Malwarebiter is a serious threat. Firstly, Malwarebytes claims that only 6 out of 46 other AV products detected Malwarebiter as malware according to VirusTotal. This in itself is not necessarily worrying, since all it means is that other AV engines do not yet have a signature for the malware – it doesn’t mean that those products’ other heuristic and behavioral detection won’t detect it (note that Malwarebytes itself is a primarily heuristic detection system). Now that the fake AV has been submitted to VirusTotal, the sample will have been circulated to the other AV companies, who will undoubtedly ensure that their products detect and mitigate this malware.
What is more worrying, again assuming that Malwarebytes is correct, is that at the time of writing this report, Google Search returns the malwarebiter website with no warning, while ‘Norton Safe Web has analyzed malwarebiter.com for safety and security problems,’ and found no issues. According to Norton, malwarebiter.com contains no threats, no viruses, no drive-by downloads – in fact no security risks at all.
Does this mean that the Java and PDF exploits mentioned by Malwarebytes are new, unknown zero-day exploits, or delivered in a new and undetectable manner – or have simply been removed following the Malwarebytes alert? We’ll have to wait for the full Malwarebytes report later this week to find out. Or does it mean, as Luis Corrons, the technical director at PandaLabs, told Infosecurity, that maybe it is a false positive from Malwarebytes? “One of my guys just checked that website,” he said, “and it is clean, no Zeus or any kind of malware.”
Meanwhile, the Malwarebiter software does trigger alarms with other AV products. 24 out of 46 AV products now detect it. David Harley, a senior research fellow at ESET, told Infosecurity that ESET detects MalwareBiterAnti-MalwareSetup.exe as Win32/Adware.DisableSpyware. He points to the Malwarebiter FAQ, which suggests that users turn off other AV products if those products warn against installing Malwarebiter. “That's a classic 'support' issue,” said Harley. “Fake security sites sometimes spend serious resources on trying to play down alerts from real security programs.” He also noted, “the ‘100% free’ product requires $24 for registration to get an unlock code.”
The plot thickens.