Fake Antivirus Peddlers Outpacing Real AV Firms

Posted by kdawson
from the catch-me-if-you-can dept.
An anonymous reader tips a writeup at KrebsOnSecurity.com detailing how purveyors of fake antivirus or 'scareware' programs have aggressively stepped up their game to evade detection. The posting is based on a report from Google's malware detection team (PDF). "Beginning in June 2009, Google charted a massive increase in the number of unique fake antivirus installer programs, a spike that Google security experts posit was a bid to overwhelm the ability of legitimate antivirus programs to detect the programs. Indeed, the company discovered that during that time frame, the number of unique installer programs increased from an average of 300 to 1,462 per day, causing the detection rate to plummet to below 20 percent. ... In addition, Google determined that the average lifetime of sites that redirect users to Web pages that try to install scareware decreased over time, with the median lifetime dropping below 100 hours around April 2009, below 10 hours around September 2009, and below one hour since January 2010."
  • by plastiqueman (1255936) on Tuesday April 27 2010, @03:07PM (#32003302)
    I work for an IT helpdesk at a large public university and we see students come through all the time with these programs. Realistically though, the installation vector we see the most is not the installation of programs from random websites; the majority get them from clicking a link to watch a movie (still in theaters) online or even through certain ads in Facebook. These programs have simply gotten extremely clever at tricking the end user.
  • McAfee (Score:4, Informative)

    by LinuxIsGarbage (1658307) on Tuesday April 27 2010, @03:12PM (#32003358)
    Does this include McAfee? It seems to be a fake anti-virus, holding critical system files hostage.
  • by swm (171547) * <swmcd@world.std.com> on Tuesday April 27 2010, @03:37PM (#32003676) Homepage

    My wife's machine got hit last week.
    No idea where it came from.
    Been running for years with no problem.
    (NetGear router seems to keep the baddies out.)

    All of a sudden there's a dozen dialogs flashing dire warnings about viruses and trojans and keyloggers and malware and insisting that we "register" our copy of XP security.

    Pulled the network cable and started googling (from a Linux box).
    The thing is pretty nasty.
    It scatters pieces of itself around the file system with random names.
    Then it hooks the .exe registry keys so that it gets control each time any program is run, and takes the opportunity to spawn a new copy of itself, with new dialog boxes and systray icons.

    After you delete the program files, nothing runs at all, because the .exe keys are still trying to redirect through the files you just deleted.
    (Hint: right click -> run as).
    Then I fixed all the .exe (and related) keys by hand.
    There's quite a lot of them, because it is really important for each user on a Windows box to have their own semantics for running a program.
    (Removal instructions on the web don't generally find them all.)

    Finally (should have done this long ago) created an admin account and knocked all the user accounts down to user privilege level.
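    The registry hijack swm describes (the shell\open\command keys repointed so the scareware runs before every program, in every user's hive) can be audited with the PowerShell script below. It is an added example, not code from this thread; the expected values are the stock Windows defaults, and it only reports deviations, it changes nothing.

```powershell
# Added example: audit the launch keys scareware hijacks to gain control
# whenever any program is run. Expected values are stock Windows defaults.
$expected = @{
    'exefile' = '"%1" %*'
    'comfile' = '"%1" %*'
    'batfile' = '"%1" %*'
    'scrfile' = '"%1" /S'
}
# Extension -> class mapping; hijackers sometimes repoint .exe to a new class.
$extClass = @{ '.exe' = 'exefile'; '.com' = 'comfile'; '.bat' = 'batfile'; '.scr' = 'scrfile' }

# Machine-wide classes plus every loaded user hive, since each user has an
# HKCU\Software\Classes overlay (which is why "there's quite a lot of them").
$roots = @('HKLM:\SOFTWARE\Classes')
$roots += Get-ChildItem Registry::HKEY_USERS -ErrorAction SilentlyContinue |
    ForEach-Object { "Registry::$($_.Name)\Software\Classes" }

function Get-DefaultValue($path) {
    if (Test-Path -LiteralPath $path) {
        (Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue).'(default)'
    }
}

$findings = foreach ($root in $roots) {
    # 1. Extension must still map to its normal class.
    foreach ($ext in $extClass.Keys) {
        $cls = Get-DefaultValue "$root\$ext"
        if ($cls -and $cls -ne $extClass[$ext]) {
            [pscustomobject]@{ Root = $root; Key = $ext; Value = $cls; Expected = $extClass[$ext] }
        }
    }
    # 2. Open command must be the bare default, with nothing prepended.
    foreach ($cls in $expected.Keys) {
        $cmd = Get-DefaultValue "$root\$cls\shell\open\command"
        if ($cmd -and $cmd -ne $expected[$cls]) {
            [pscustomobject]@{ Root = $root; Key = "$cls\shell\open\command"; Value = $cmd; Expected = $expected[$cls] }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No hijacked launch keys found.' }
```

    Run it from an elevated prompt so the other users' hives under HKEY_USERS are readable; any row it prints names the exact key to inspect and, once the referenced file is confirmed malicious, restore to the listed default.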

  • by natehoy (1608657) on Tuesday April 27 2010, @03:43PM (#32003734) Journal

    Oh my God! Who do I make that check out to again? No, can't wait for it to clear, let me just give you my mattress and you can take how much it is, OK, I can't number very well.

    OK, seriously...

    Remember that many of the victims of scams like this don't know any better. These aren't random people showing up at their houses, they are ads showing up on websites. But many don't even know that.

    They only know that their "computer person" has told them to make sure their AntiVirus is working correctly, and that the computer has just told them that their AntiVirus has stopped working correctly but the nice warning offered to fix it for them. Many of the newer ones look pretty legitimate, too, and have multiple URLs so when you Google them fake review sites come up and gush enthusiastically about how great the product is.

    I have a co-worker who has been hit by this. I support 2 co-workers' home computers. They are otherwise intelligent people who use the preconfigured computers here at work every day. I give them lists of free antivirus packages they can load, and the one who had the problem came in and told me that her subscription to n0d ran out, but that the computer had warned her to replace it with "AntiVirus 2010" which had a free trial, but she noticed that once she installed it the computer slowed down.

    She's not dumb, just on the low end of computer literacy. She knew that she needed to avoid popups and to run an Antivirus client, but this specific popup looked like a dialog box and she knew that her AV was running out, so she assumed it was like all the other warnings Windows Seven likes to send her about updates and such.

  • by celibate for life (1639541) on Tuesday April 27 2010, @03:47PM (#32003772)
    I was once infected at my work computer, which runs Windows XP SP3, while visiting the website of a private porn torrent tracker, with lots of ads. I did not click any links or solicit the installation of the program, but somehow some sort of "Antispyware 2010" appeared there. It must have been a browser exploit or something like that. It wasn't too difficult to get rid of, I just needed Malwarebytes antimalware (the free version). Anyway, now I turn off Flash and JS before browsing porn at work.
  • by assassinator42 (844848) on Tuesday April 27 2010, @04:05PM (#32004048)

    They simply exploit a vulnerability in your browser or plugins. I've encountered one that tries to install something using Java, presumably just requiring a user to click OK to infect them. That's something that seems like it could be done accidentally. I wouldn't be surprised if it were trying to exploit some vulnerability that would auto-install the malware on older versions of Java. They probably use exploits in Flash as well. The plugins have the advantage of not being run in the IE sandbox that's used by default on Vista/7.

  • by celibate for life (1639541) on Tuesday April 27 2010, @04:12PM (#32004124)
    "celibate for life" should make that obvious, no need for long preambles.
  • by Mashiki (184564) <mashiki AT gmail DOT com> on Tuesday April 27 2010, @04:35PM (#32004394) Homepage

    You could simply switch them to a LUA, and solve all your problems right there.

  • by DigiShaman (671371) on Tuesday April 27 2010, @06:37PM (#32005626) Homepage

    A big difference is that the fake antivirus pop-ups aren't usually trying to sell you anything

    Not sure what fake AVs you've seen, but all the ones I've run across will say you're infected with X amount of viruses, but you must purchase the full version to have them removed. Two clients I know have pulled out their CC to make the purchase. Big mistake!!! Once I've informed them that they've been a victim of fraud, they agreed to contact their bank and have a new CC number issued. Obviously the original number had now been tainted.

  • by Anamelech (821849) <{anamelech} {at} {gmail.com}> on Tuesday April 27 2010, @09:24PM (#32007398)
    That's odd. I was one of the Resident Technicians at a Staples in Nova Scotia until the 16th. At least here in Canada, the OEM systems are configured to run the factory restore image on first boot. The user then sets up the Windows update settings, language, etc. May be different where all of our systems are multilingual. As far as looking on the shelf goes, that's just a bad idea. Any yahoo walking past the system can flick over to the windows update settings and change them, or do any other number of things. One of the reasons we do a factory restore on the sale of a demo here. That, and to reset those 30 day trials.
  • by Anonymous Coward on Wednesday April 28 2010, @03:54AM (#32011004)

    "Process Explorer and a few hours later I was back to normal (protip: malware "watcher" processes usually aren't smart enough to realize when they've been suspended. Comes in handy.)" - by RulerOf (975607) on Tuesday April 27, @05:03PM (#32004704)

    This bloke obviously only read what was written in this guide for securing Windows, and its virus removal section in post point #20 http://www.tcmagazine.com/forums/index.php?s=610624dd0ca744a1833203a79296f8ee&showtopic=2662&st=0 [tcmagazine.com] or in the other forums where it's posted. The bloke who posted it did it all over the bloody web and though that's rather gauche, it's good he did. I say that because others are starting to realize the value of its points, such as the usage of Process Explorer for hunting and killing off malware. Use that guide, and Bob's your Uncle.

    (This is not new news on that guide though, it is many years old now, and others are learning by it in how to use Process Explorer for malware removals. Nothing interesting whatsoever in what RulerOf did or used, because the information's been out there on it for years now).

    Bloody hell, the way RulerOf's using Process Explorer could be done with taskmgr.exe instead (killing first level executables).

    The true value of Process Explorer in these cases is to use it to find processes that hide themselves under other running processes (such as libs/dlls loaded in other apps like Explorer.exe, which taskmgr.exe will not show) or underneath services (like svchost.exe, which does not expose what its running beneath itself in taskmgr.exe in Windows 2000, XP, Server 2003 at least).

    "It used the AT command to get what it wanted in terms of privileges and so on, and went to town on my local security policy." - by RulerOf (975607) on Tuesday April 27, @05:03PM (#32004704)

    Bloody hell, perhaps you did not read that guide in that url above for how to secure windows after all. It covers securing the AT command, by its usage of the CIS Tool (this damn tool's incredible in that capacity and many more). Then again, once a bloke knows what CIS Tool covers, it's cake to put it into your regedit.exe favorites or to make custom MMC.exe for policy settings and again, Bob's your Uncle.
