Yet another example of scareware abusing the name of trusted apps

Aug 6, 2010 10:56 GMT  ·  By

Security researchers have identified a new piece of scareware that abuses the name of a popular network packet analyzer used by industry professionals. The rogue application is called Wireshark Antivirus and, like most programs of its kind, tries to trick users into paying for it by displaying fake security alerts.

The new scareware variant was intercepted by security researchers from Avira, who at first glance thought they might be dealing with a false positive. "This morning we stumbled over a file called 'Wireshark.exe' which was detected as being malicious by Avira. This was a bit irritating as this is a regular file name which got detected. We use Wireshark on a daily basis because it's a very helpful packet analyzer so we took a deeper look at the file," Thomas Wegele, a virus researcher with the German antivirus company, explains.

A more careful analysis revealed that the file was packed. Packing by itself is not necessarily suspicious, but the real Wireshark executable does not employ runtime packers, so a packed "Wireshark.exe" already stood out. After unpacking it and performing a string dump, the analysts noticed a reference to a registry key called "Wireshark Antivirus", which is clearly not something the real packet analyzer should contain.
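The triage sequence described above (check whether the file is packed, unpack it, dump its strings, look for the registry-key reference) as an added Python example. This is not Avira's tooling and not code from the article: the sample bytes are constructed inline to mimic the unpacked body of the rogue "Wireshark.exe", the "packer" is a stand-in XOR keystream rather than a real runtime packer, and the 7.0 bits-per-byte packing threshold is an assumption chosen for illustration.

```python
"""Triage heuristics for a suspicious "Wireshark.exe": a byte-entropy packing check,
a stand-in unpacker, then a string dump of the body searched for registry-key references.
Added example, not Avira's code; every sample byte below is constructed."""
import math
import random
import re
from collections import Counter

# Assumption: bits per byte above which a blob is treated as packed or encrypted.
# Plain x86 code and resources usually sit around 5-6.5; compressed/encrypted data approaches 8.
PACKED_ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for all-identical bytes, close to 8.0 for random bytes."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def looks_packed(data: bytes) -> bool:
    return shannon_entropy(data) >= PACKED_ENTROPY_THRESHOLD


ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")          # printable ASCII runs of 4+ chars
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")    # UTF-16LE runs, common in Windows binaries
REGISTRY_KEY = re.compile(r"^(?:HKLM|HKCU|HKCR|HKU|HKEY_[A-Z_]+|SOFTWARE|SYSTEM)\\", re.IGNORECASE)


def extract_strings(data: bytes) -> list:
    """Poor man's `strings`: ASCII runs followed by UTF-16LE runs."""
    ascii_strs = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    wide_strs = [m.group().decode("utf-16-le") for m in WIDE_RUN.finditer(data)]
    return ascii_strs + wide_strs


def registry_references(strings: list) -> list:
    return [s for s in strings if REGISTRY_KEY.match(s)]


def keystream(length: int, seed: int = 0x5748) -> bytes:
    """Deterministic pseudo-random keystream standing in for a packer's encryption layer (constructed)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


def xor_pack(body: bytes) -> bytes:
    """Stand-in packer: XOR with the keystream yields a near-8-bit-entropy blob, like a real packed section."""
    return bytes(b ^ k for b, k in zip(body, keystream(len(body))))


def unpack(sample: bytes) -> bytes:
    """XOR with the same keystream restores the original body."""
    return xor_pack(sample)


def build_sample_body() -> bytes:
    """Constructed stand-in for the unpacked rogue binary: PE-like markers, a few ordinary
    import strings, and the artefacts the article describes (registry key, product name, fake alert)."""
    parts = [
        b"MZ" + b"\x00" * 58 + b"PE\x00\x00",
        b".text\x00\x00\x00", b".rdata\x00\x00",
        b"KERNEL32.dll\x00", b"ADVAPI32.dll\x00", b"RegCreateKeyExA\x00",
        b"SOFTWARE\\Wireshark Antivirus\x00",
        b"\x00" + "Wireshark Antivirus".encode("utf-16-le") + b"\x00\x00",
        b"Your computer is infected! Activate now to remove 37 threats.\x00",
    ]
    body = b"".join(parts)
    return body + b"\x00" * (4096 - len(body))   # zero padding, as section slack would be


def triage(sample: bytes) -> dict:
    """Run the article's sequence: entropy check, unpack if packed, string dump, registry-key grep."""
    packed = looks_packed(sample)
    body = unpack(sample) if packed else sample
    strings = extract_strings(body)
    return {
        "entropy": round(shannon_entropy(sample), 2),
        "packed": packed,
        "registry_refs": registry_references(strings),
        "self_identifies_as": [s for s in strings if "wireshark" in s.lower()],
    }


if __name__ == "__main__":
    suspicious = xor_pack(build_sample_body())
    for key, value in triage(suspicious).items():
        print(f"{key}: {value}")
```

On a real sample the entropy check would be run per PE section rather than over the whole file, and the unpack step would be a debugger or a packer-specific unpacker instead of the XOR stand-in; the string-dump and registry-key grep stages carry over unchanged.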

When executed, the file installs a scareware application deliberately named Wireshark Antivirus, both to distract security researchers and to piggyback on the reputation of the real Wireshark. It is not clear how effective this approach is at infecting users, though: the people likely to recognize the name of a packet analyzer usually have enough technical knowledge to protect themselves from such threats. Even allowing that some average users may have heard of Wireshark from security articles, the number of potential victims who would be tricked by the name alone is still pretty low.

You can follow the editor on Twitter @lconstantin

[Images: Scareware abuses the Wireshark name; screenshot of rogue Wireshark Antivirus application]