Fake Antivirus Peddlers Outpacing Real AV Firms

Posted by kdawson
from the catch-me-if-you-can dept.
An anonymous reader tips a writeup at KrebsOnSecurity.com detailing how purveyors of fake antivirus or 'scareware' programs have aggressively stepped up their game to evade detection. The posting is based on a report from Google's malware detection team (PDF). "Beginning in June 2009, Google charted a massive increase in the number of unique fake antivirus installer programs, a spike that Google security experts posit was a bid to overwhelm the ability of legitimate antivirus programs to detect the programs. Indeed, the company discovered that during that time frame, the number of unique installer programs increased from an average of 300 to 1,462 per day, causing the detection rate to plummet to below 20 percent. ... In addition, Google determined that the average lifetime of sites that redirect users to Web pages that try to install scareware decreased over time, with the median lifetime dropping below 100 hours around April 2009, below 10 hours around September 2009, and below one hour since January 2010."
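An added illustration of the summary's point (this is not code from the Krebs post or the Google report): a toy hash-blacklist scanner whose vendor can only produce a fixed number of new signatures per day, run against a constructed install stream at the two unique-installer volumes quoted above. The 100-copies-per-installer figure and the 400-signature daily budget are assumptions.

```python
import hashlib
import random

COPIES_PER_INSTALLER = 100   # assumption: victims served per unique build


def build_day(unique_count, day, copies=COPIES_PER_INSTALLER, seed=0):
    """Construct one day's install stream: `unique_count` distinct installer
    blobs, each served `copies` times, in shuffled order. Sample data only."""
    blobs = [f"fakeav-day{day}-variant{i}".encode() for i in range(unique_count)]
    stream = [hashlib.sha256(b).hexdigest() for b in blobs for _ in range(copies)]
    random.Random(seed + day).shuffle(stream)
    return stream


def detection_rate(stream, known, sig_budget):
    """Scan one day's stream with a hash blacklist. A sighting is blocked if
    its hash is already known; otherwise the vendor adds the hash, but only
    until its daily analysis budget (`sig_budget` new signatures) is spent.
    Returns the fraction of installs blocked that day."""
    blocked = 0
    added = 0
    for h in stream:
        if h in known:
            blocked += 1
        elif added < sig_budget:
            known.add(h)
            added += 1
    return blocked / len(stream)


def simulate(daily_unique_counts, sig_budget=400):
    """Run consecutive days against one growing blacklist; per-day rates."""
    known = set()
    return [detection_rate(build_day(n, day), known, sig_budget)
            for day, n in enumerate(daily_unique_counts)]


if __name__ == "__main__":
    # Report-scale figures: ~300 unique installers/day, then 1,462/day.
    for n, rate in zip((300, 1462), simulate([300, 1462])):
        print(f"{n:5d} unique installers/day -> {rate:.0%} of installs blocked")
```

With the budget covering every variant, only each build's first sighting slips through; once unique builds outnumber the budget, most copies are never signed at all.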
  • by Altus (1034) on Tuesday April 27 2010, @03:19PM (#32003464) Homepage

    It's shocking though; nobody would trust someone in the real world telling you that you need something they are providing without some kind of double check.

    If someone showed up at your house and told you that your water could kill you because of some microbe you have never heard of that they claim is getting into your pipes, and the only way to make yourself safe is to install this helpful filter that they are selling, would you believe them?

  • by dawgs72 (1025358) on Tuesday April 27 2010, @03:29PM (#32003582)
    I work at a fairly small university, and at least once a week we have a faculty member's PC get infected by a fake AV. In the most recent case, the professor had paid for the "full" version, then a week later e-mailed the "company" because he was unsatisfied with the AV and couldn't uninstall it. The company then e-mailed him a link to a program to uninstall the fake AV, which of course didn't work, and then he decided to call us, still not realizing that the AV was fake.
  • by Anonymous Coward on Tuesday April 27 2010, @03:29PM (#32003586)

    And sometimes the production values of the fake AV are pretty high. Never underestimate how a few nice gradients, some fancy fonts and a bunch of multi-syllabic techno-words can convince Grampa to keep clicking that "Press here to scan" button. Particularly when crappy pop-ups and fake websites that it pretends to defend you from are obviously scum.

    The problem I usually see is that the person clicks a link in an email or instant message that is from a known friend that did the same thing. The user gets taken to a site and realizes that they've been duped and all of a sudden some antivirus thing (that sits in the background, they never see it actually working) is all of a sudden telling them what they already know - they're infected. The fake site used to induce fear is clearly shady and looks like crap, and the shiny antivirus has leapt to your rescue.

  • by 0racle (667029) on Tuesday April 27 2010, @03:35PM (#32003644)

    It's shocking though; nobody would trust someone in the real world telling you that you need something they are providing without some kind of double check.

    Many mechanics rely on this not being true all the time. Cars and computers are magical things to many people, things that normal people aren't expected to be able to understand. These 'normal people' are simply used to trusting anyone, or anything now, that claims to be an expert on the subject.

  • by Machtyn (759119) on Tuesday April 27 2010, @04:10PM (#32004108) Homepage Journal
    Yeah, the AV2010 thing is extremely nasty. I've recovered 4 of these in one weekend. Fortunately, none of them required a complete reinstall of the OS. And then I had one hit by the MS update BSOD issue. I actually told them to leave their computer off, waited a couple of weeks for ComboFix to catch up, and then fixed it.
  • by Anonymous Coward on Tuesday April 27 2010, @04:17PM (#32004196)

    Try rkill. If you can, I suggest getting a copy of Chrome on the infected PC. It seems to have much better luck downloading the tools required for removal.
    There is also a reg file out there that defaults the exefile key and many sub-keys to "factory state" so you can run programs before the bug intercepts the call.
    These things usually run in a very fast cycle when you terminate their process. You can actually watch it/see it if you play long enough. In between this cycle, fire off rkill. Presto. Clean with favorite cleaner.
    This doesn't work every time, but quite often on remote systems.

  • by RulerOf (975607) on Tuesday April 27 2010, @05:03PM (#32004704)
    I got hit by that myself. To date, the only virus I've ever gotten.

    I went to change window focus by clicking on what I had thought was some white space in an article that I was reading, but realized it would normally be an ad spot. Another browser window opened (with the annoying OnClose warning) and I closed it. I noticed that Java loaded, and then a few minutes later Security Center lets me know my AV is turned off and all hell starts breaking loose.

    Process Explorer and a few hours later I was back to normal (protip: malware "watcher" processes usually aren't smart enough to realize when they've been suspended. Comes in handy.)

    The app must have exploited some Java vulnerability, but at this point I'm not really sure what one. It used the AT command to get what it wanted in terms of privileges and so on, and went to town on my local security policy.

    In the end, I was a little pissed at myself, as I try to keep software updated to avoid vulnerabilities like that, but alas I finally got hit by one. Made me feel a little more capable of believing the [usually bullshit] story of "I was just using it when all of a sudden these things started popping up!"

    Fun fact: I was browsing with Chrome.
  • by hairyfeet (841228) on Tuesday April 27 2010, @05:49PM (#32005172) Journal

    As someone who works PC repair I can tell you that many, if not most, of these "fake AV" programs are getting installed via drive-by. You see, what most folks don't know is that ALL of the major OEMs cripple their PCs at the factory by installing them with automatic updates turned OFF. Now why they do that stupid shit, who knows, but the result is a machine that is VERY badly out of date by the time the customer gets it. And of course since they don't know it has been crippled it will NEVER get updates until it gets hosed and comes to someone like me.

    So they go to Walmart, Best Buy, whatever, and buy this machine that is as much as a year out of date with NO hope of getting updated, plug it in, and start using the "big blue E" which gets pwned within a couple of days to a month if they are lucky and only surf the major sites. The next thing they know when they turn on their PC there is this new "security tool" slapping them in the face and demanding money to go away. These things are seriously nasty and a royal PITA to kill, so they have to bring them to me.

    But if you want someone to blame for the spread of this crap, it ain't the users this time. It would be like buying a new car and expecting to know that the shop rigged your brakes so they will fail on a certain degree of incline if they aren't re-calibrated. By the time the user gets a PC from the big chains, often the 30-day crapware AV has run out, it is at least 6 months behind on security updates, and of course there is the fact that auto updates has been killed dead at the factory. You'd think if the government was worried about cyber-warfare and cyber-terrorism they would drop the hammer on those OEMs and make them have at least halfway sane security policies.

  • I have to disagree, by pastafazou (648001) on Tuesday April 27 2010, @06:50PM (#32005724)
    I deal with this stuff on a daily basis. I had a customer just the other day go home with a clean machine, with the latest version of Avira, AntiMalwarebytes, and SuperAntiSpyware installed and updated. All Windows patches and updates installed. He was back two hours later. Surfing the web looking for UFC videos, Google served up a paid ad at the top of his search with his search terms. Of course he clicked it, and with a bit of Adobe Flash magic, he had the Security Tools infection installed and his Avira broken.
  • by hairyfeet (841228) on Tuesday April 27 2010, @08:41PM (#32007006) Journal

    Hey morons, how exactly is this a troll? Want proof? Here you go: walk into ANY Best Buy, Walmart, Staples, or Office Depot, click on Action Center and choose "Windows Updates", and look for yourself; it'll be under "update history". Just had to clean one today that was bought less than two weeks ago and was the RTM Windows 7; not a SINGLE update since then had been applied and auto updates was...drum roll...turned off!

    Can they get infected another way? Sure they can; as another reader points out, Adobe Flash leaves a hole you can drive a truck through, which is why I give my customers Firefox with Adblock and Flashblock along with the FileHippo update checker. But in case y'all ain't up on current events, malware writers tend to go for the path of least resistance. ANYONE who has spent ANY time in the trenches knows that a week after MSFT puts out updates, malware writers reverse engineer them to make exploit code. This ain't exactly a trade secret, folks.

    So unless you can point to ONE source that says keeping Windows unpatched is a good thing, I rest my case. Sure you get the grannies that get spooked by a pop-up, or the kid that'll click on anything, but I have watched with my own two eyes as an unpatched IE got pwned by a malicious webpage. They loaded the page and BOOM...shit everywhere. Here is the definition at Wikipedia in case you need a refresher. Please note #3, which is exactly what I described in my post.

    Now considering I clean around 4-6 of these rogue AV programs every. damned. week., including finishing up a case of "Security Tool 2010" less than 3 hours ago, I think I may know a little bit more about it than the moron who wasted his points modding me down. For those that aren't as retarded, here are my findings on the most to least common ways folks get slammed with rogue AV:
    1. Drive-by from unpatched IE.
    2. Drive-by from unpatched Adobe Flash flaw.
    3. Email link, usually exploits either 1, 2, or Adobe Reader flaws.
    4. User is fooled into thinking it is an update and installs it.

  • Re:Three Findings, by Falconhell (1289630) on Tuesday April 27 2010, @09:26PM (#32007432) Journal

    A useful trick when Task Manager will not work: copy the Task Manager .exe from another machine and rename it to any other name.

    It will then run and allow you in to start cleaning up the crap.
