Fake Antivirus Peddlers Outpacing Real AV Firms

An anonymous reader tips a writeup at KrebsOnSecurity.com detailing how purveyors of fake antivirus or 'scareware' programs have aggressively stepped up their game to evade detection. The posting is based on a report from Google's malware detection team (PDF). "Beginning in June 2009, Google charted a massive increase in the number of unique fake antivirus installer programs, a spike that Google security experts posit was a bid to overwhelm the ability of legitimate antivirus programs to detect the programs. Indeed, the company discovered that during that time frame, the number of unique installer programs increased from an average of 300 to 1,462 per day, causing the detection rate to plummet to below 20 percent. ... In addition, Google determined that the average lifetime of sites that redirect users to Web pages that try to install scareware decreased over time, with the median lifetime dropping below 100 hours around April 2009, below 10 hours around September 2009, and below one hour since January 2010."
  • There are a number of well known AV software providers out there that have been around since the dawn of time (relatively speaking). F-Prot, Command, etc are all very good products and cost a few sandwiches a year.
    • Re: (Score:3, Insightful)

      by charliezcc ( 1144527 )
      I don't think I have to point this out, but for the sake of clarity: the point is not that the vast majority of people are straying away from known AV software providers to unknown software providers; it is that the vast majority don't know any better and believe what the computer tells them!
      • Comment removed (Score:4, Interesting)

        by account_deleted ( 4530225 ) on Tuesday April 27, 2010 @04:49PM (#32005172)
        Comment removed based on user account deletion
        • I have to disagree (Score:3, Interesting)

          by pastafazou ( 648001 )
          I deal with this stuff on a daily basis. I had a customer just the other day go home with a clean machine, with the latest version of Avira, AntiMalwarebytes, and SuperAntiSpyware installed and updated. All Windows patches and updates installed. He was back two hours later. Surfing the web looking for UFC videos. Google served up a paid ad at the top of his search with his search terms. Of course he clicked it, and with a bit of Adobe Flash magic, he had the Security Tools infection installed and hi
    • by fuzzyfuzzyfungus ( 1223518 ) on Tuesday April 27, 2010 @02:01PM (#32003200) Journal
      Because AntiVirus 2010 has just detected dozens or even hundreds of critical security threats that your existing AV has missed!

      What upgrade could be more sensible?
    • by 0racle ( 667029 ) on Tuesday April 27, 2010 @02:03PM (#32003238)
      To be nice, the average user is very naive. If they see a popup saying they need this AV, they trust it.
      • by Altus ( 1034 ) on Tuesday April 27, 2010 @02:19PM (#32003464) Homepage

        It's shocking though, nobody would trust someone in the real world telling you that you need something they are providing without some kind of double check.

        If someone showed up at your house and told you that your water could kill because of some microbe you have never heard of that they claim is getting into your pipes and the only way to make yourself safe is to install this helpful filter that they are selling would you believe them?

        • by Fred_A ( 10934 )

          If someone showed up at your house and told you that your water could kill because of some microbe you have never heard of that they claim is getting into your pipes and the only way to make yourself safe is to install this helpful filter that they are selling would you believe them?

          A /. reader, probably not, but the general public?

          If there was any profit in it, you could easily create a scare campaign about DHMO which could turn very messy. People can be insanely gullible when you present things the right way.

        • Re: (Score:2, Funny)

          by Tryle ( 1159503 )

          Well just for your information, my filter is working quite well thank you!

          I'm just not quite sure how it works when they never actually connected it to my water pipes but hey I'm still alive to post this thanks to my filter!

        • by 0racle ( 667029 ) on Tuesday April 27, 2010 @02:35PM (#32003644)

          It's shocking though, nobody would trust someone in the real world telling you that you need something they are providing without some kind of double check.

          Many mechanics rely on this not being true all the time. Cars and computers are magical things to many people, things that normal people aren't expected to be able to understand. These 'normal people' are simply used to trusting anyone, or anything now, that claims to be an expert on the subject.

          • Both mechanics and techs are wary that at some point they'll come across somebody who knows what they're doing but is just too lazy to do it themselves (which happens more with cars) who will out them (and potentially prosecute them) if they try any charlatanry.
            • Yep. I can easily change brake pads, oil, oil filters...

              But it's a pain in the ass with my 50 piece Craftsman set and could take hours. I'm more than happy to take it to someone with a pneumatic wrench and a lift.

            • by 0racle ( 667029 )
              Are you suggesting that neither techs nor mechanics suggest or try shady shit because of this mythical fear?

              Just had a mechanic suggest I flush the brake line on a 3 year old car, 'because it's something that should be done every 3 years.' Of course the dealership was willing to do it for just $150 or so.

              They ain't afraid of shit and heaven forbid you have a vagina but for some reason, by and large the general public believes you should just trust people calling themselves experts.
              • Yeah, I had my car in for an oil change at the dealership (I have free lifetime oil changes), 1 year ago they said I only had 1mm of brake pads left, then 3 months ago they said I had between 2-3mm of brake pads left. I think I have the *only* car that actually GROWS brake pads instead of wearing them down.

                Needless to say, I don't let them do anything to my vehicle beyond the oil change.

          • by Altus ( 1034 )

            My mechanic I already have a relationship with, he might be screwing me, but I already trust him to at least a certain extent; I let him fix my brakes after all.

            I might trust my plumber who I hired to install a hot water heater when he tells me I need some doohickey (technical name) installed but not a guy who shows up at my door, and certainly not some popup from a web site.

          • People lose all common sense when they're dealing with something they think they're incapable of understanding.

            It's not true, by and large, that people would be incapable of understanding if they sat down to take the time to figure it out, but in the cases of such an unequal informational playing field (you and your doctor, you and your mechanic, grandma and her computer tech) people are paying not just for service but for expertise, and that makes them vulnerable to this kind of exploitation.
        • by G00F ( 241765 )

          Bad analogy for your angle: the water purification market uses that exact tactic and is alive and well.

          That is exactly what the fake AV companies do (and some of the real ones)

          But the real trick is most of the time people don't know they installed anything, their computer said it had problems click here to fix, and now they have more problems . . . but those can be fixed by buying full pro version.

          • Actually there are some places where water purification is necessary. Go to Moline, IL and see how you like the tap water. Is it safe? Of course, but it's nasty. Water purification companies never say that the alternative isn't 'scary unsafe' just that the purified water tastes better, and compared to some places, it might.
            • Actually there are some places where water purification is necessary. Go to Moline, IL and see how you like the tap water. Is it safe? Of course, but it's nasty. Water purification companies never say that the alternative isn't 'scary unsafe' just that the purified water tastes better, and compared to some places, it might.

              My GF has family in some two-bit rural town in southern Missouri, and their water is TERRIBLE. I can say, even without tasting the "purified" water, that it HAS to be better than the loc

          • by Altus ( 1034 )

            Yea, but I've heard of Brita.... just like I've heard of McAfee (especially now!). They may or may not do anything, but at least they are popular and if they were total garbage, or actually bad for you, I would probably have heard of it.

            It's when Joe shows up at my house selling Joe's super duper water purifier (It gets the things that Brita misses!) that I start to get really skeptical.

        • by natehoy ( 1608657 ) on Tuesday April 27, 2010 @02:43PM (#32003734) Journal

          Oh my God! Who do I make that check out to again? No, can't wait for it to clear, let me just give you my mattress and you can take how much it is, OK, I can't number very well.

          OK, seriously...

          Remember that many of the victims of scams like this don't know any better. These aren't random people showing up at their houses, they are ads showing up on websites. But many don't even know that.

          They only know that their "computer person" has told them to make sure their AntiVirus is working correctly, and that the computer has just told them that their AntiVirus has stopped working correctly but the nice warning offered to fix it for them. Many of the newer ones look pretty legitimate, too, and have multiple URLs so when you Google them fake review sites come up and gush enthusiastically about how great the product is.

          I have a co-worker who has been hit by this. I support 2 co-workers' home computers. They are otherwise intelligent people who use the preconfigured computers here at work every day. I give them lists of free antivirus packages they can load, and the one who had the problem came in and told me that her subscription to n0d ran out, but that the computer had warned her to replace it with "AntiVirus 2010" which had a free trial, but she noticed that once she installed it the computer slowed down.

          She's not dumb, just on the low end of computer literacy. She knew that she needed to avoid popups and to run an Antivirus client, but this specific popup looked like a dialog box and she knew that her AV was running out, so she assumed it was like all the other warnings Windows Seven likes to send her about updates and such.

        • Re: (Score:3, Funny)

          by Hummdis ( 1337219 )

          You must have seen this about dihydrogen monoxide [xs4all.nl] and how it's being put in everyone's water supply! :)

          Get a few of these to circulate and people will be in a full-blown panic. Remember, a person is smart. People are dumb.

        • Re: (Score:3, Insightful)

          by RobDude ( 1123541 )

          When a person shows up to the door, people are skeptical because they don't know that person and don't have a business relationship with them.

          If you already buy an expensive product from a reputable company; you are going to be far less skeptical about things you are told about that product, by that company. If you buy a new car from Ford and the 'ABS' light comes on - provided you know nothing about cars, other than how to drive them, to believe that there is something wrong with your brakes; compared to

          • by Altus ( 1034 )

            But aren't these fake antivirus apps coming from random popups (mostly on porn sites :-).

            I would think a popup ad would make people at least as skeptical as someone coming to their door unsolicited.

        • by Kjella ( 173770 )

          Bad analogy because if you've never heard of the microbe there's something fishy, why hasn't there been any official alert? But everybody knows there are viruses on the Internet and that you have to protect yourself against them, it's a confirmed fact you should have anti-virus. If everybody had to filter their water and you offered the ultramagic superwhoopie cleanex filter 3000 for the low, low price of $199 many people would buy it.

        • by AaxelB ( 1034884 ) on Tuesday April 27, 2010 @02:49PM (#32003828)

          It's shocking though, nobody would trust someone in the real world telling you that you need something they are providing without some kind of double check.

          If someone showed up at your house and told you that your water could kill because of some microbe you have never heard of that they claim is getting into your pipes and the only way to make yourself safe is to install this helpful filter that they are selling would you believe them?

          A big difference is that the fake antivirus pop-ups aren't usually trying to sell you anything, they just want you to click OK! It's easy to click OK, and, for the average [clueless] user, just clicking OK doesn't feel nearly as risky as letting a stranger into your home, or buying a mysterious product.

          I think most people just do a naive, clueless sort of risk assessment. If the pop-up is telling the truth, they really need the software. If the pop-up is lying... well, they're not directly paying anything and have no idea what could go wrong, so they assume it's not a problem. Therefore, they decide to click OK to install the software. To them, it's more like some random person standing on the sidewalk telling them, "You should walk on the other side of the street; there's a dead skunk halfway up the block and you really don't want to get near it." Eventually people will learn... but it may take a few generations.

      • by khasim ( 1285 )

        The "scan" window pops up and tells them that they've been infected BUT IT IS OKAY because all they have to do is click here and the nice software from the friendly company will remove the nasty viruses for them.

        Yay!!!

        This is just a side effect of the "real" anti-virus/security businesses having no interest in reducing/mitigating the "virus" threat. It makes too much money for them.

        • This is just a side effect of the "real" anti-virus/security businesses having no interest in reducing/mitigating the "virus" threat. It makes too much money for them.

          Said with all the arrogance and presumption of someone who knows exactly nothing of what they speak. Speaking as someone who spent over a decade as an anti-virus researcher and anti-virus engine developer, the truth is that it is infeasible for AV companies to keep up with the flood of (generated) malware that engulfs modern PCs... and, believe me, it's not for lack of trying. Have you ever seen how aggressively they compete over the VB100%* award?

          * That award, like most AV testing is a sham (testing ag

          • Speaking as someone who spent over a decade as an anti-virus researcher and anti-virus engine developer, the truth is that it is infeasible for AV companies to keep up with the flood of (generated) malware that engulfs modern PCs... and, believe me, it's not for lack of trying.

            Why spend 10 years trying to identify all the "bad" code when it should be far easier to identify the apps that you want to allow to run on your machine?

            http://www.mcafee.com/us/about/corporate/mcafee_Solidcore.html [mcafee.com]

    • There are a number of well known AV software providers out there that have been around since the dawn of time (relatively speaking). F-Prot, Command, etc are all very good products and cost a few sandwiches a year.

      For the same reason that "the Internet" is IE (or at least the IE icon) to some people.

      • Re: (Score:2, Funny)

        by Anonymous Coward

        for our customers their browser is google. the internet is windows and their email doesn't work despite them typing their email address into google.

        • Re: (Score:3, Funny)

          by _Sprocket_ ( 42527 )

          Somehow, I don't think the phrase "the [internet] is the computer" was supposed to work out that way.

    • Re: (Score:2, Informative)

      I was once infected at my work computer, which runs Windows XP SP3, while visiting the website of a private porn torrent tracker, with lots of ads. I did not click any links or solicit the installation of the program, but somehow some sort of "Antispyware 2010" appeared there. It must have been a browser exploit or something like that. It wasn't too difficult to get rid of, I just needed Malwarebytes antimalware (the free version). Anyway, now I turn off Flash and JS before browsing porn at work.
      • by Nadaka ( 224565 ) on Tuesday April 27, 2010 @03:04PM (#32004032)

        I was once infected at my work computer, which runs Windows XP SP3, while visiting the website of a private porn torrent tracker, with lots of ads. I did not click any links or solicit the installation of the program, but somehow some sort of "Antispyware 2010" appeared there. It must have been a browser exploit or something like that. It wasn't too difficult to get rid of, I just needed Malwarebytes antimalware (the free version). Anyway, now I turn off Flash and JS before browsing porn at work.

        Let me guess... You work at the SEC?

    • They have a free scanner now. It's not the best AV, but it's good and no cost. I also recommend it because it is something users will trust. I mean after all, you pretty much have to trust your OS company, they could own your computer through any number of ways, they wouldn't need to use an AV program.

  • Step 1: Create a better scareware vector with a higher infection rate.
    Step 2: ?????
    Step 3: Profit!!!!

    Seriously. There are incredibly lucrative incentives inherent in this kind of scam. No surprise they're spreading and getting smarter.

  • I envision it as a desk with a computer and an infinite stack of virus infected floppies. :)
  • by IICV ( 652597 ) on Tuesday April 27, 2010 @02:08PM (#32003312)

    We've had a couple of these at work - not fake AVs, but some weird thing that seems to change the Active Desktop so that it looks like there's an antivirus window.

    The funny thing is that they look a lot more like an anti-virus program than our actual antivirus. They have this really slick fake "scanning" window that looks like something Apple would come up with if they had to design an AV scanner, while our real AV software looks like a piece of junk some poor Russian hacker cobbled together. It's sad really; the fake AVs have Symantec beat in everything from total resource usage to looks.

    • They're like the face & fingerprint recognition software you see in movies & tv shows that display each and every face/fingerprint in its database to compare to the suspect image - looks great but completely impractical to waste CPU cycles by displaying the information it's searching through.
    • the fake AVs have Symantec beat in everything from total resource usage

      I never thought I would defend Symantec after they got out of their compiler business and started pushing garbage, but it should be pointed out that the fake AVs aren't actually doing anything, and it is thus easy to win in total resource usage.

      • by IICV ( 652597 )

        I never thought I would defend Symantec after they got out of their compiler business and started pushing garbage, but it should be pointed out that the fake AVs aren't actually doing anything, and it is thus easy to win in total resource usage.

        And Symantec isn't doing anything practical either, or else this fake AV window wouldn't be showing up on my end user computers :)

  • by oldhack ( 1037484 ) on Tuesday April 27, 2010 @02:09PM (#32003326)
    So it's like fake dope dealers are outpacing true dope dealers.
    • Re: (Score:2, Funny)

      by Anonymous Coward

      Duuuude! Your oregano is the best!

    • Except when fake dope dealers sell oregano to the wrong person they end up getting shot in the face. Fake AV companies just end up pissing off nerds on /. who get stuck fixing their mom's computer.

  • I discovered Krusnikov's Virus No-Having 2007 over three years ago and it's been running in my system tray ever since, without issue.
  • McAfee (Score:4, Informative)

    by LinuxIsGarbage ( 1658307 ) on Tuesday April 27, 2010 @02:12PM (#32003358)
    Does this include McAfee? It seems to be a fake anti-virus, holding critical system files hostage.
  • We keep ignoring the lessons of the past by using discretionary access controls instead of capability based security at our own peril. The users have no way of telling what the side effects of a program are going to be, nor do we have any way of limiting them. This is a spiral downward that will eventually force everyone to learn about capabilities and cabsec.

    • by mlts ( 1038732 ) *

      As a company gets bigger, it becomes harder and harder to ensure that people are educated and don't run crapware. The only real alternative is to lock things down and pull admin rights for most users. This way, should something stupid happen, it would require another security vulnerability to escalate to root/administrator, rather than just handing the keys to the city to any malware that infects a user. Plus, it is easier for A/V software to clean up an infected user profile than a rootkitted machine.

      In

  • Oblig... (Score:4, Funny)

    by kiehlster ( 844523 ) on Tuesday April 27, 2010 @02:21PM (#32003488) Homepage
    xkcd #694 [xkcd.com] or #350 [xkcd.com].
  • by ElectricTurtle ( 1171201 ) on Tuesday April 27, 2010 @02:31PM (#32003604)
    Pardon me, sir, but I would be remiss if I didn't inform you that you have clearly contracted a rare disease that will kill you painfully in short order UNLESS you pay me to inject this substance into you. You can trust me, I'm a doctor.

    ....

    Why is it that virtually nobody would fall for that in meatspace, but innumerable people fall for it online? It's just like the 419 scams. What is it about THE INTARWEBS that makes people exponentially more gullible than they would be to a random person on the street?
    • Re:EXCUSE ME SIR! (Score:5, Insightful)

      by 0100010001010011 ( 652467 ) on Tuesday April 27, 2010 @02:44PM (#32003736)

      Pardon me sir, but this herb root extract can lower your blood pressure. Meaning that you can live a long and healthy life. It's not FDA approved but it's certified by these doctors.

      It works just as well in meat space too.

      • it's certified by these doctors.

        grep/doctors/celebrities/

        • Doctors, celebrities, what's the difference in the consumer's mind? Case 1: Dr. Dre. Case 2: "Of course Hugh Laurie is a doctor. He plays one on House M.D." Case 3: People with a doctorate in something other than medicine or osteopathy.
    • by tibman ( 623933 )

      I've noticed something similar about words in print. If someone reads something in a book, it is taken as fact.. why else would it be in a book? When I was younger, Michael Crichton books did that to me. Now I see it happening to other people.

      Maybe as humans we are too trusting of our tools?

    • by Machtyn ( 759119 )
      Because many people believe what they read and watch on TV, too.

      I Hope for Change! (umm, what kind of change was that again, exactly?)
      This is the greatest nation on earth. Help me change it!
    • Apparently you aren't familiar with how the "alternative" (sometimes "complementary" or "holistic") medical industry operates...
  • by Lumpy ( 12016 ) on Tuesday April 27, 2010 @02:32PM (#32003610) Homepage

    I have informed everyone I do family and friends tech support for... they must either switch to Linux or a Mac with OSX. the new internet security 2010 is an evil bastard that even kills the safe mode so you have to use a BartPE to run ComboFix first and then reinstall AV and run a clean.

    Screw it, I'm done. Mac minis are as cheap as a dirt cheap Dell PC. and I'll install Linux for them. I am done with windows support.

    • Re: (Score:3, Insightful)

      by tepples ( 727027 )

      I have informed everyone I do family and friends tech support for... they must either switch to Linux or a Mac with OSX.

      Then how do they play PC games afterward?

      Mac minis are as cheap as a dirt cheap Dell PC.

      I just went to apple.com and dell.com; what I found disagrees with you. Mac mini: $599. Dell Inspiron 560s with Pentium dual core and 4 GB RAM: $429.

      and I'll install Linux for them.

      Does this include installing and configuring Wine for "that one must-have app"?

    • Re: (Score:3, Interesting)

      by Machtyn ( 759119 )
      Yeah, the AV2010 thing is extremely nasty. I've recovered 4 of these in one weekend. Fortunately, none of them required a complete reinstall of the OS. And then I had one hit by the MS update BSOD issue. I actually told them to leave their computer off, waited a couple of weeks for ComboFix to catch up and then fixed it.
    • Re: (Score:3, Insightful)

      I'm with you on being done with supporting home users of Windows; but minis start at $700, with 2GB of RAM and no monitor. Dell will furnish you with a (big, ugly) box with triple the RAM, a 1TB HDD (rather than 160GB), and a 20 inch flat panel for the same money... (getting a 2.8GHz Phenom X4 instead of a 2.3GHz Core2 duo is just icing).

      The mini is cuter, certainly, and if you have to have OSX you have to have OSX; but the pricing is hardly equivalent for anybody willing to run linux or shove their comput
    • Re: (Score:3, Informative)

      by Mashiki ( 184564 )

      You could simply switch them to a LUA, and solve all your problems right there.

  • by swm ( 171547 ) * <swmcd@world.std.com> on Tuesday April 27, 2010 @02:37PM (#32003676) Homepage

    My wife's machine got hit last week.
    No idea where it came from.
    Been running for years with no problem.
    (NetGear router seems to keep the baddies out.)

    All of a sudden there's a dozen dialogs flashing dire warnings about viruses and trojans and keyloggers and malware and insisting that we "register" our copy of XP security.

    Pulled the network cable and started googling (from a Linux box).
    The thing is pretty nasty.
    It scatters pieces of itself around the file system with random names.
    Then it hooks the .exe registry keys so that it gets control each time any program is run, and takes the opportunity to spawn a new copy of itself, with new dialog boxes and systray icons.

    After you delete the program files, nothing runs at all, because the .exe keys are still trying to redirect through the files you just deleted.
    (Hint: right click -> run as).
    Then I fixed all the .exe (and related) keys by hand.
    There's quite a lot of them, because it is really important for each user on a Windows box to have their own semantics for running a program.
    (Removal instructions on the web don't generally find them all.)

    Finally (should have done this long ago) created an admin account and knocked all the user accounts down to user privilege level.
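A defender-side check for the persistence trick swm describes (the program-launch registry keys pointing through the malware's files, so that deleting the files breaks every .exe). This is an added example, not code from the post or from any vendor: it assumes only the standard Windows file-association layout (the `.exe` key mapping to the `exefile` class, and that class's `shell\open\command` defaulting to `"%1" %*`), plus the Image File Execution Options `Debugger` value, and it only reports deviations; it changes nothing.

```powershell
# Added example (not from the Slashdot post): audit the registry keys that
# decide how Windows launches .exe files, so a hijack of the kind swm
# describes (every program launch redirected through a malware binary)
# is found before the malware files are deleted. Read-only: it reports, never fixes.
# Run from an elevated PowerShell prompt on the suspect machine.

# Assumed defaults: ".exe" maps to the "exefile" class, and exefile's open
# command is simply "%1" %* (run the file itself with its arguments).
$ExpectedClass   = 'exefile'
$ExpectedCommand = '"%1" %*'

# Per-machine and per-user views of the association. The HKCU copy wins over
# HKLM when present, which is why per-user keys are a favourite hiding spot
# and why swm found a separate set of keys for each user.
$AssocRoots = @(
    'HKLM:\SOFTWARE\Classes',
    'HKCU:\Software\Classes'
)

$Findings = @()

foreach ($root in $AssocRoots) {
    # 1. Does ".exe" still point at the exefile class?
    $classesToCheck = @($ExpectedClass)
    $extKey = Join-Path $root '.exe'
    if (Test-Path $extKey) {
        $class = (Get-ItemProperty -Path $extKey -ErrorAction SilentlyContinue).'(default)'
        if ($class -and $class -ne $ExpectedClass) {
            $Findings += [pscustomobject]@{ Key = $extKey; Value = $class;
                Why = "'.exe' redirected to class '$class' instead of '$ExpectedClass'" }
            # A class reached via this redirection needs checking too.
            $classesToCheck += $class
        }
    }

    # 2. Does the open command of each relevant class run anything other than "%1" %*?
    foreach ($cls in ($classesToCheck | Select-Object -Unique)) {
        $cmdKey = Join-Path $root "$cls\shell\open\command"
        if (-not (Test-Path $cmdKey)) { continue }
        $props = Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue
        $cmd = $props.'(default)'
        if ($cmd -and $cmd -ne $ExpectedCommand) {
            $Findings += [pscustomobject]@{ Key = $cmdKey; Value = $cmd;
                Why = 'open command does not launch the program directly' }
        }
        # IsolatedCommand is an alternate launch string that can be set instead.
        if ($props.IsolatedCommand -and $props.IsolatedCommand -ne $ExpectedCommand) {
            $Findings += [pscustomobject]@{ Key = "$cmdKey\IsolatedCommand"; Value = $props.IsolatedCommand;
                Why = 'IsolatedCommand does not launch the program directly' }
        }
    }
}

# 3. Image File Execution Options: a "Debugger" value on a program name makes
# Windows start the named debugger instead of the program. Legitimate on a
# developer box, suspicious on a home PC.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
if (Test-Path $ifeo) {
    Get-ChildItem -Path $ifeo | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            $Findings += [pscustomobject]@{ Key = $_.PSPath; Value = $dbg;
                Why = 'Debugger value intercepts every launch of this program' }
        }
    }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No .exe launch hijack found in the checked keys.'
} else {
    $Findings | Format-List
}
```

Any key the script flags should be inspected before the malware's files are removed: as swm found, deleting the redirected-through binary first leaves every program launch broken, and the hijacked command string is also where the randomly named dropped files are listed, which helps locate the pieces removal instructions miss.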

  • my mom's pc got one of these over the holidays while a teen cousin was surfing flash game sites. the pop-ups would not go away. at boot up pages wouldn't load because the warning box insisted on a click before progressing further. anti-malware had no effect, neither system restore nor anything else i could think of was successful.

    even the computer shop was at a loss. after ten days the os required re-installation with a resultant loss of all data.

    don't make the mistake of thinking this is merely an issue

    • by BKX ( 5066 )

      Same story here on my grandparents' PC. They got the HaxDoor virus (nasty little devil), and it made the computer randomly issue stop errors, until one day it wouldn't boot at all (more stop errors). A quick boot into Knoppix to save their pics to a portable HD, and a reinstall of XP later, and they were good to go. (In the future, remember that very few current viruses wipe or corrupt a hard drive, and it's damn near impossible to infect media files (there've been a few viruses that can do that, but all th

    • > after ten days the os required re-installation with a resultant loss of all data.

      I really don't get people's attitudes these days.

      It's windows, an OS re-installation is always the first choice.

      For one it cleans up the system with the installed and never removed or not correctly removed programs.

      And why would there be data loss, programs can be re-installed and your stuff can be saved unless it has been messed with, in which case it was lost anyway.

      Try the sane method of windows pc restoration.

  • Something like ClamWin is sufficient for the periodic scan (in fact ClamAV it's based on is rather good). Not clicking on dancing bunnies eliminates the need for on-access scanning.
    • by v1 ( 525388 )

      Not clicking on dancing bunnies

      But we can still click on the dancing puppies, right?

  • Story about malware links to PDF? Nothx.jpg!
  • They must want money at some point right? How are they expecting to get paid and why can't the cops at least freeze their visa account?

    The same with the online pharmacies.

  • 99%+ of scareware is from the same exact kit, and installs the same core exe program, (AV.EXE) in one of three fixed locations. (as super-hidden) This article itself is scareware. The av companies can detect every one of these every time they pop up, there's no "trying to keep up" with this. That's what happens when malware goes commercial as this has. Anyone happen to know offhand who's the source of this malware kit? (url?) I'd be curious to know how much such a kit sells for. Must be cheap if there

