Slashdot Mirror

← Back to Stories (view on slashdot.org)

Rogue Anti-Malware Pushes Fake PCMag Review

Posted by CmdrTaco on from the well-now-isn't-that-clever dept.

Varzil found an interesting story about some "Rogue Anti-Malware" (which seems to me should just be called 'Malware') which modifies your HOSTS file to trick you into reading a fake anti-virus review which is of course for more malware. Modifying HOSTS is an old trick, but this is interesting because it's actually trying to get you to read fake content: normally this sort of trick is used to prevent you from fixing your computer, but this one is trying to get you to break it even more. I guess friends don't let friends modify their HOSTS files.

90 comments

  1. Social Engineering by mc1138 · · Score: 2, Insightful

    Spoofing of content is nothing new. Even using the hosts file like this to redirect you to fake content while an innovative use of the hosts file, is just a new trick for an old gag. The only real way to clamp down on something like this, is through the better education of the user base. So long as people still buy into these sorts of attacks, hackers and other people of ill repute will still commit them.

    --
    The musings of just another geek and his junk.
    1. Re:Social Engineering by disbroc · · Score: 1

      I have to agree with you about it not being anything new. We've seen similar tricks with people spoofing ebay, paypal and the like. While we can all agree that it is clever to insert the fake reviews, surely we all should have known something like this wouldn't be too far off.

      I will be interested in what these sites have to say about the fake reviews.

    2. Re:Social Engineering by warrigal · · Score: 1

      I don't understand how this works. Doesn't Windows lock its hosts file? In Unix-based systems hosts is owned by root. I would think if malware can alter a locked file there is more to worry about than site redirection.

    3. Re:Social Engineering by malkir · · Score: 1

      nope

      C:\windows\system32\drivers\etc just open your host file with a text editor.

      my friends computer has some clever worm that even after fixing the hosts file can still redirect traffic, for instance avast.com redirects to 127.0.0.1 and it somehow stops be from booting up hijack this, and disables the network in safe mode...

      kind of has me frustrated, i could just reformat but then I would feel I gave up!

  2. Five Stars! by hendrix2k · · Score: 5, Funny
    "which seems to me should just be called 'Malware'"

    I dunno, this review I just read says Antivirus2010 is great!

    1. Re:Five Stars! by krenshala · · Score: 2, Funny

      /facepalm

      --

      krenshala

  3. hijacking AV sites too by nine-times · · Score: 4, Funny

    I've noticed this too, particularly surrounding Antivirus 2009. Not only do they hijack review sites to post positive reviews about Antivirus 2009, but they reroute traffic to legitimate antivirus software. So if you go to the website for AVG or Norton or something, it will point you towards downloading Antivirus 2009.

    It's a nasty little bugger.

    1. Re:hijacking AV sites too by mc1138 · · Score: 2, Insightful

      I like that products such as spybot search and destroy, and malware bytes are ten times more effective at taking care of that than any antivirus product out there...

      --
      The musings of just another geek and his junk.
    2. Re:hijacking AV sites too by nine-times · · Score: 3, Informative
      I haven't really found any single solution to be good enough. Once you're infected with one of these things, it seems like the best idea is to either (a) wipe the drive and start over; or (b) download and install every malware/spyware/virus removal program that you can get your hands on, run them serially, and remove anything that any of them find. Ideally you run each from a live CD or something that doesn't allow the virus a chance to load before you can run the remover.

      And then to be really careful, run each of them again.

    3. Re:hijacking AV sites too by fpophoto · · Score: 2, Insightful

      I like that products such as spybot search and destroy, and malware bytes are ten times more effective at taking care of that than any antivirus product out there...

      That's because the nature of PC security has changed. Old school: Viruses to destroy computers. New school: Co-opt systems in order to sell a product or pimp out for botnet needs.

      It's kind of refreshing if you ask me. Not to say current malware is a giant headache, but at least the days of you getting your HD wiped are pretty much behind us. There's just no money in it.

    4. Re:hijacking AV sites too by Spazztastic · · Score: 3, Insightful

      To follow up on parent, if you work in a IT department where you can image computers, it's far more effective to just back up their files and reimage the computer. I've spent hours cleaning them only to (as a last resort) reimage the computer.

      --
      Posts not to be taken literally. Almost everything is sarcasm.
    5. Re:hijacking AV sites too by Spazztastic · · Score: 1

      Not to say current malware is a giant headache, but at least the days of you getting your HD wiped are pretty much behind us. There's just no money in it.

      It's still required to reformat because if you have a paying customer and you're charging by the hour they want the fastest way. Sure, you can spend 4+ hours (On your average consumer PC) total scanning the computer, deleting registry entries, etc., or you can just reinstall windows (via the latest OEM CD) and get it back to running condition in under 2 hours.

      --
      Posts not to be taken literally. Almost everything is sarcasm.
    6. Re:hijacking AV sites too by Vectronic · · Score: 2, Interesting

      Sad, but true... although somewhat understandable considering that an Anti-Virus primary function is to battle viruses, not ad-ware/malware.

      Could just as easily say "I like that products such as Kaspersky Anti-Virus are ten times more effective at taking care of that than any anti-malware product out there"

      However, the "suites" (ie: Firewall + AntiVirus + Ad/spyware, etc) are generally getting better at it.

      Also, their (the nasty people) gimmick is still rather effective, because the average user doesn't know the difference between malware/adware/virus/trojan/port:80/hijacker/psu... their little advertisements can say "You have malware, get this anti-virus software to fix it, it will extend the life of your PSU"... and then go "oh, ok"...

    7. Re:hijacking AV sites too by mc1138 · · Score: 1

      I used to work as an IT consultant, and often times you run into this at small companies that are lucky to have a firewall and antivirus even installed. For a while I got pretty good at cleaning computers, 2 hours or less usually unless it was so old that each individual scan took longer than that. Real glad I'm not in that sort of pay as you go and only when you have to environment.

      --
      The musings of just another geek and his junk.
    8. Re:hijacking AV sites too by mc1138 · · Score: 1

      No I can agree with that, sometimes it takes things like this to shake up the establishment. Old powerhouses like McAfee and Symantec, and even to a lesser extent CA, are getting pushed aside by free competitors. If you want a decent AV/Anti-Spyware product, check out Vipre http://www.vipreantivirus.com/ nice small group of devs, all in house support, and honestly not that expensive. Great for client server environments where you need to manage lots of clients from one location.

      --
      The musings of just another geek and his junk.
    9. Re:hijacking AV sites too by nine-times · · Score: 1

      To follow up on parent, if you work in a IT department where you can image computers, it's far more effective to just back up their files and reimage the compute

      To follow up on your follow-up, yes, I put, "wipe the drive and start over" first on purpose. If that's an option, it can often be much faster and safer. I've seen some antivirus packages take >5 hours to scan an entire computer, even on a new-ish computer. If you're scanning with a couple different pieces of software, you can easily end up taking a very long time trying to clean one computer.

      On top of that, I've seen situations where I've scanned a computer with 5 different anti-malware packages, and the fifth was still finding things that the other 4 missed. I've seen it happen that I've used a couple different scanners, and they kept finding the same pieces of malware over and over again. I eventually figured out that there was a piece of malware that all the scanners were missing, and that malware was re-downloading and re-installing malware as fast as it was being removed.

      So having seen that enough times, I never quite feel sure that I've gotten everything unless I've completely wiped the drive and started over. I do that when it's an option, and when I control the situation I try to make a good image to make that process faster. I generally only try to clean a system when I'm uncertain as to what's on the computer and I'm not sure that I can actually get everything back the way the user needs it to be after a reinstall.

    10. Re:hijacking AV sites too by yoshi_mon · · Score: 1

      A very good point. In fact I was struggling to explain all the different verbiage to an end user the other day. At a point I realized that while putting an 'anti-virus' package on her system was what most people are used to what they really need anti-malware these days.

      Of course I'm sure some hacker would go 'oldschool' and write an actual virus that took out Win32 installs rather than turning them into zombies. So rather it's more these days about overall computer security than anything narrowly defined.

      --

      Really, I know what I'm doing...Ohhhh, look at the shiny buttons!
    11. Re:hijacking AV sites too by Z34107 · · Score: 1

      To follow up on parent, if you work in a IT department where you can image computers, it's far more effective to just back up their files and reimage the computer. I've spent hours cleaning them only to (as a last resort) reimage the computer.

      Very true. I work at a college help desk, and imaging staff and faculty machines is usually what I do first. Imaging takes an hour; a single virus scan usually takes a half hour. It never takes "just" one scan to remove most malware, and half of the time you need to mount the drive on another machine to remove some of the nastier stuff.

      On top of that, Windows updates are instantaneous. We have a caching proxy on campus, so the patches download at LAN speed.

      --
      DATABASE WOW WOW
    12. Re:hijacking AV sites too by DarKnyht · · Score: 1

      Well this particular piece of work not only tells them that, but proceeds to hose their computer at random intervals to make it look like there is a problem that only they can solve.

      They operate off of FUD to get people to pay for an ineffective solution.

      --
      Voting them all out of office, now that's change I can believe in.
    13. Re:hijacking AV sites too by Dragonslicer · · Score: 2, Funny

      download and install every malware/spyware/virus removal program that you can get your hands on

      I read about a great one in a PCMag review.

    14. Re:hijacking AV sites too by jcrousedotcom · · Score: 1

      I agree. We have images created and I can boot from the NIC, pull it down from the imaging server and have the user back in business in about 30-45 minutes. I can spend that much time running just one of these spyware tools. Unfortunately, it's made me not so good at removing them.

      In a former life and a former job, I was a consultant. Having two machines in the building that were the exact same model was unlikely, at best. Re-imaging really was reloading.

      --
      Illiterate? Write for free help!
    15. Re:hijacking AV sites too by Zarquil · · Score: 1

      Sure, but you also get a chance to grab data off the drive before you wipe. It's really nice to at least have the opportunity to do that - particularly in worst-case scenarios where you're waiting for the system to be responsive.

      Now, granted, most of the time I'm throwing in Knoppix or some such LiveCD and yanking the data that way, but I happen to live in that lovely subset of the population that tends to frequent Slashdot and at least knows what Knoppix, Insert, Backtrack, or nUbuntu are.

      My immediate brand of hell is someone who took their computer into the shop, they wiped it without telling her, and she steamed for two years over them not saving pictures of her trip to Maui with her late husband. Sometimes that 4+ hours is worth the time, even if there's no money in it.

    16. Re:hijacking AV sites too by andytrevino · · Score: 2, Informative

      I work at a university dorm as a network technician (UWM, incase you're wondering!), and fix ten to twenty computers a week infected with malware, often exactly this strain of rogue AV software.

      The utility called ComboFix almost always cleans these infections up with no hassle. If that fails, or if examination of the logfile indicates that it didn't quite get everything, MalwareBytes Anti-Malware should take care of the rest, and if anything gets past BOTH of those you can take note of the infected file names that couldn't be removed and delete them from Knoppix or a BART LiveCD.

      I only reinstall Windows as a last resort, or if ComboFix detects an unremovable rootkit (this can be found in the logfile.)

    17. Re:hijacking AV sites too by nine-times · · Score: 1

      That's a helpful tip. At the same time, though that may fix this particular piece of malware, the real issue is the malware that's brand new and that you might not have definitions for yet.

      If I were in your position, I would probably only reinstall Windows as a last resort too-- but that's because I'm assuming you can't tell people what they can and can't run on their computers. You can't tell them where they must store their documents. When you get into a business environment, you can arrange things such that re-applying an image is much faster and more secure than scanning for malware.

    18. Re:hijacking AV sites too by blackest_k · · Score: 1

      "(b) download and install every malware/spyware/virus removal program that you can get your hands on"

      Hold it right there, thats probably what got you the infection in the first place.

      I trust adaware and spybot S&d for malware clamav avg for virus and thats pretty much it. Also www.mywot.com and www.virustotal.com

      --
      Blarney Quality Restaurant, Plants
    19. Re:hijacking AV sites too by Anonymous Coward · · Score: 0

      SuperAntiSpyWare knocks it on the head and its free.
      c64web.com

    20. Re:hijacking AV sites too by Quirkz · · Score: 1

      I've had surprisingly good luck with SuperAntiSpyware. Silly name, but it's cleaned up a lot of the fake antivirus software fairly well for us. Before we found it we regularly resorted to reimaging, but this one has worked very well. We've had some other virus/spyware things that it doesn't work quite so well on, but the fake antivirus cleanup has been consistently good.

      --
      The Quirkz Handbook of Self-Improvement for People Who Are Already Pretty Okay
    21. Re:hijacking AV sites too by Anonymous Coward · · Score: 0

      Or simply run Windows as a VM on top of Ubuntu.

      Hit virus -> ensure data backed up -> copy fresh VM image from server onto host -> restore data

      10 mins max

  4. Friends by jetsci · · Score: 1

    Not quite...friends don't let friends take fat chicks home when they're drunk...

    --
    Bored at work? Play Game!
    1. Re:Friends by pak9rabid · · Score: 1

      Not quite...friends don't let friends take fat chicks home when they're drunk...

      Given the site this is posted on, I suppose it's the lesser of 2 evils.

    2. Re:Friends by Anonymous Coward · · Score: 0

      "Poontang's poontang"

      -Mr. Garrison

    3. Re:Friends by Anonymous Coward · · Score: 0

      Why not? Fat chicks need love too, they just gotta pay.

  5. Why aren't these people in jail? by tjstork · · Score: 3, Funny

    I mean, come on.... this is just pure fraud.

    --
    This is my sig.
    1. Re:Why aren't these people in jail? by jetsci · · Score: 2, Informative

      I imagine most of these folks operate outside of US jurisdiction(yes, there is a world beyond your borders). Take some international law classes and you will understand. Imagine extraditing these guys from China? Goodluck!

      --
      Bored at work? Play Game!
    2. Re:Why aren't these people in jail? by elrous0 · · Score: 0, Flamebait

      I'm pretty sure most other countries now have laws against malicious hacking, and also jails. Or are YOU implying that the U.S. is the only country technologically advanced enough to bust people for such activities?

      --
      SJW: Someone who has run out of real oppression, and has to fake it.
    3. Re:Why aren't these people in jail? by Spazztastic · · Score: 2, Insightful

      I'm pretty sure most other countries now have laws against malicious hacking, and also jails. Or are YOU implying that the U.S. is the only country technologically advanced enough to bust people for such activities?

      I think you're making a flamebait post.

      Parent said that it's hard to extradite people and not all of them will pursue it because they have more pressing matters at hand such as food shortages, natural disasters, and civil war.

      --
      Posts not to be taken literally. Almost everything is sarcasm.
    4. Re:Why aren't these people in jail? by jetsci · · Score: 1

      Flame-bait much? I do not deny most countries have such laws. However, as mentioned above, many countries may not be concerned with busting a spammer(especially if (s)he is harassing American's?) when they need to worry about food shortages, civil unrest, natural disasters or even war.

      I'm CERTAINLY not implying the U.S. is the only one with the technology capable of doing this. Frankly, that's just ignorant.

      --
      Bored at work? Play Game!
    5. Re:Why aren't these people in jail? by Anonymous Coward · · Score: 0

      You failed to mention the most important reason other governments won't give a shit: these guys take revenue from dumbass Americans and dump it in to their local economy. Were I a politician in Russia or China, my response to an extradition request from the US for one of these guys would be "Get bent. We're making money off your idiots. You want to stop it? Stop letting stupid people use computers."

    6. Re:Why aren't these people in jail? by tjstork · · Score: 1

      Places on the planet that allow for malicious attacks on the internet to take place should be excluded from it. There is no legitimate reason we should be lowering the shields of the West to appease a few Chalabis in otherwise lawless countries.

      --
      This is my sig.
    7. Re:Why aren't these people in jail? by Anonymous Coward · · Score: 0

      Just imagine a gun - to hell with extradition. It's all that these people deserve.

    8. Re:Why aren't these people in jail? by Anonymous Coward · · Score: 0

      The thing is, these companies (yes, they're actually registered companies in countries like ukraine, russia, belize) do know their local laws and dont cross them.

      Almost always user has agreed to install their (somewhat malicious) software and accepted eula along other official things. They dont do installs via exploits or worms, but only in ways where user agrees to it. That certainly makes them more legit, maybe even in usa. Its also why they're generally called adware, not viruses or trojans.

      Its not just some kid making a worm for fun, they're there to make profit and millions of it. Obviously they also have lawyers in the company to check whats the legal way to work. So if its legal even in usa, how do you plan to extradite them?

  6. An Interesting Way to Go For Intermediate Users by damn_registrars · · Score: 2, Funny
    It appears that this is more of an attack on intermediate users than the usual attack that goes for newbies. After all, if a PC is infected, a newbie would not likely look to PC Magazine for antivirus information; they'd more likely bring it in to Best Buy and pay the Geek Squad an exorbitant amount of money to fix it (or they would put in the restore CD and try to start over from scratch).

    An advanced user (if they were running windows for some reason) likely wouldn't look there, either, as they would have likely just run the update program for the software that they already installed for taking care of such things.

    This of course follows well the old adage

    A little knowledge is a dangerous thing

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    1. Re:An Interesting Way to Go For Intermediate Users by disbroc · · Score: 1

      I would think that the average computer user is a bit more intelligent than they used to be (Yes, I do work as a sys/net admin, and yes I have done desktop support before). While, intelligence might not be the right word to use, lets say more aware. After so long the newbies have to learn enough to at least have an idea on where to go to get help.

      I think it was only a matter of time before we started seeing things like this happen. Although I often find myself wondering when we will start seeing more malware that's not in english, or aimed at english speaking peoples.

    2. Re:An Interesting Way to Go For Intermediate Users by Anonymous Coward · · Score: 0

      a newbie would not likely look to PC Magazine for antivirus information

      They'd google, and get hijacked on the way to a result. Just being a computer newb doesn't mean a person wouldn't do a little product research before going in to the local PC store.

      I google'd 'xp slow' recently to see if there was anything I could do to help my dad's machine. With Opera on Linux I kept hitting very dubious sites that would jam up the browser. Fine, kill the browser and carry on with the next result. But it underscored that looking online for help with a vulnerable Win machine these days is like telling all the lions in the savannah that you're the gazelle with a limp.

      This looks like a nasty refinement of the problem.

      (For the curious, yes after /years/ of trying I've finally got dad to install Ubuntu. He's in his eighties, so has naturally been resistant to change. Can't blame him. He had enough trouble remembering where things were on his XP. BONUS: after even more years of listening to him claim things were so much easier with DOS, he's being faced with the terminal as I pass him various "sudo" commands in answer to questions.)

    3. Re:An Interesting Way to Go For Intermediate Users by presentchaos · · Score: 2, Funny

      This is somewhat off topic, but I was just having a conversation with someone who is about to buy a Mac. I was against it and an argument started. I said there were too few people supporting the Mac. He responded, "When was the last time you heard of a virus on a Mac?" And I said "See, even people who write viruses don't support Macs."

  7. Not a double negative. by fm6 · · Score: 1

    "Rogue Anti-Malware" (which seems to me should just be called 'Malware')

    Uh, no. I think "bogus anti-malware" is a better description, but whatever you call it, it's not a useless term. Some malware disguises itself as anti-malware. Some disguises itself as email from your mother. Whatever it is, you need a term for the specific kind of malware, and that term doesn't deny the fact that it's malware, even if the term includes "anti-malware".

    1. Re:Not a double negative. by DarKnyht · · Score: 1

      I prefer the title of Scamware.

      --
      Voting them all out of office, now that's change I can believe in.
    2. Re:Not a double negative. by fm6 · · Score: 1

      But that also includes malware that scams you in other way. "Download this program to bypass logins to porn sites!"

    3. Re:Not a double negative. by InfiniteLoopCounter · · Score: 1

      "Rogue Anti-Malware" (which seems to me should just be called 'Malware')

      Uh, no. I think "bogus anti-malware" is a better description, but whatever you call it, it's not a useless term.

      Too right! How else are they going to classify "anti-bogus anti-malware"?

  8. re by JohnVanVliet · · Score: 1

    I guess i am going to have to buy a new " NO I will not fix your computer " t-shirt from think-geek http://www.thinkgeek.com/tshirts-apparel/unisex/itdepartment/388b/

    --
    "I don't pitch OpenSUSE Linux to my friends, i let Microsoft do it for me
    1. Re:re by Anonymous Coward · · Score: 1, Funny

      I guess i am going to have to buy a new " NO I will not fix your computer " t-shirt from think-geek http://www.thinkgeek.com/tshirts-apparel/unisex/itdepartment/388b/

      People actually wear that stuff outside of their parent's basement? And do you say "new" because you gained weight and the old one doesn't fit?

  9. Fake Advertizing for False Products by Bushido+Hacks · · Score: 2, Interesting

    Call it something similar to the story of the Emperior who has no clothes, but have you ever wondered when watching a commerical with a bogus product they say "We've been featured on CNN, Fox News, and Oprah"? Because they are ADVERTIZING in the commerical breaks that are on CNN, Fox News, and Oprah.

    Why are we supposed to believe that just because they bought advertizing time in the commerical breaks of networks and TV shows that they were actually endorsed or had an interview featuring their product?

    When was the last time you saw Oprah endorse the MagickJack or Vince Offer (the Sham-Wow guy) talk to Larry King in person? It is because it never happened.

    Many networks broker their commericals through an advertising firm. Which explains why alot of shady businesses (e.g. the WorkAtHome46dotcom folks and the Obama Coin scammers) are on Television.

    Had the 419 scammers been more successful, they would have had TV commericals or establish a shell business posing as a bad bank.

    The best advice would be not to buy it.

    --
    The Rapture is NOT an exit strategy.
    1. Re:Fake Advertizing for False Products by gammygator · · Score: 1

      emperior

      Potential pronunciations
      EEm-pear-EE-ear
      ehm-pur-ree-AR
      ehm-pee-rear


      Or perhaps my Frenchish favorite,

      ehm-pe-wah

      Man, I need to get away from my desk and get some fresh air or somethin'.

      --

      No Nyarlathotep, No Chaos
      Know Nyarlathotep, Know Chaos
  10. Re:Redundant? by Spazztastic · · Score: 1

    How in the hell can the very first post I see be redundant? Slashdot editors, PLEASE bring the old metamoderation back! The new version is worse than useless.

    Please mod me offtopic, because I am.

    It's because people possibly are viewing by score rather than by post history. He was the first post that is above the 1 threshold (and is first for me), but some people don't check timestamps.

    --
    Posts not to be taken literally. Almost everything is sarcasm.
  11. Re:Redundant? by Spazztastic · · Score: 1

    And to follow up on something I forgot, you can report bad metamoderation.

    --
    Posts not to be taken literally. Almost everything is sarcasm.
  12. PC Magazine's reputation is screwed! by Anonymous Coward · · Score: 1, Funny

    If PC Magazine wants to keep their reputation, they'll have to create their own malware that modifies the hosts file to redirect back to their site.

  13. Administrators only by A+Friendly+Troll · · Score: 1

    C:\WINDOWS\system32\drivers\etc>cacls hosts

    C:\WINDOWS\system32\drivers\etc\hosts BUILTIN\Users:R
                                                                                BUILTIN\Power Users:R
                                                                                BUILTIN\Administrators:F
                                                                                NT AUTHORITY\SYSTEM:F

    Stop running as an administrator, please. 99% of trojan/malware problems will simply go away. The remaining 1% will only happen if there was a serious exploit in Windows that hasn't been patched already (or if you're behind with updates), and there isn't many of those, really.

    I've converted a lot of people to regular user accounts. I set a bright red desktop background on the admin account, set all the fonts to red, and tell the people *only* to use the account if they need to install software they *trust* (as in, bought from a retailer instead of pirated). Nobody ever had problems.

    1. Re:Administrators only by spikedvodka · · Score: 1

      I see you haven't run into some things that Require admin rights to run properly.

      Yes Microsoft, I'm looking at you!

      --
      I will not give in to the terrorists. I will not become fearful.
    2. Re:Administrators only by Beltway+Prophet · · Score: 1

      Yup. I did this for my family when they first hooked their Windows PCs up to a persistent network; they don't have a password on the admin account, but they all know not to run programs there; they only use it if they can't install an app under their user accounts. It's been over a decade now, and no virus or malware issues. The only really annoying thing was that they started with XP home, and I had to configure their file perms with cacls and its bevy of ugly switches. *barf*

    3. Re:Administrators only by DarKnyht · · Score: 1

      A recent study showed that 92% of critical exploits and 62% of security issues overall in Windows goes away when you remove admin rights. (Reducing the Threat From Microsoft Vulnerabilities)

      Since Windows XP SP2, I have not run as admin and I have rarely come across something requiring admin rights. Those few apps that do (HP Print Drivers, Adobe Flash, and Palm Software being at the top of my list), I log into the account just to do those tasks (and nothing requiring the internet). Pretty much everything legitimate I run these days works with "Run As..."

      That excuse was valid in Win 2000 and the early days of XP, but it has long since become lame.

      --
      Voting them all out of office, now that's change I can believe in.
  14. HOSTS file hack? by bizitch · · Score: 1

    Scotty the watchdog would have caught that

    http://www.winpatrol.com/

    --
    ---- "Logoff! That cookie shit makes me nervous!" - A. Soprano
  15. got root? by Gothmolly · · Score: 1

    How does it modify your hosts file if you're not root?

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:got root? by jamesmcm · · Score: 1

      Because it's on Windows, and the attempt to hack in some sort of security (UAC), is too little, too late.

    2. Re:got root? by Gadget_Guy · · Score: 1

      I have setup limited user accounts since Windows 2000. I did have problems getting the spell check to work in Office 97 without hacking, but since then it is been surprising how many programs have worked.

      Security was not a new feature in Vista, although UACs did make things easier.

  16. false advertising by slackoon · · Score: 0

    They just keep getting better at screwing us over. Rihgt now it's false advertising for false products, next it will be advertising for real products and then they will make us actually but the product. The scam artists of hte future are licking their collective chops!!

  17. Re:Redundant? by mc1138 · · Score: 1

    I thought that was weird too, but now it got modded up to 1 Insightful... no clue what's going on there...

    --
    The musings of just another geek and his junk.
  18. Checking out the IP address and domain by Animats · · Score: 4, Insightful

    Let's see what we can find out.

    We have an IP address for the server hosting the phony pages: "[217.20.175.74]". This is in DNS as "sweeper.globmail.org",

    eNom, a favored registrar of bottom-feeders, is the registrar.

    There's an address in Kiev, but it's bogus.

    WhiteDomainsOrg
    Reiterska 13
    Kiev Kiev
    01001
    UA
    Phone:+380.5490567

    That's a bar in Kiev, Dveri (Door). It's about two blocks from the old US Consulate.

    The upstream provider is "ge0.colo0.kv.wnet.ua". So this is a colocated machine at WNet in Ukraine.

    The US FBI has a local office in Kiev.

    This is something that could be cracked by motivated law enforcement.

    1. Re:Checking out the IP address and domain by gad_zuki! · · Score: 1

      We have an IP address for the server hosting the phony pages: "[217.20.175.74]". This is in DNS as "sweeper.globmail.org",

      Is there a list of malicious sites and servers out there? I know there's the phishing list that google and MS maintain, but something that has all identified zombies and compromised servers? Id rather just block them globally so my users dont get anywhere near this stuff.

    2. Re:Checking out the IP address and domain by myowntrueself · · Score: 2, Insightful

      This is something that could be cracked by motivated law enforcement.

      "motivated law enforcement"?

      Is that one of them thar "oxymaroons"?

      --
      In the free world the media isn't government run; the government is media run.
    3. Re:Checking out the IP address and domain by IceCreamGuy · · Score: 1

      I just spent all morning removing this from a user's PC and tracking it back to finally arrive at globmail.org, and here I am on /. and you've already gone 5 steps past where I got done. Nice work!

      A little first hand info with the actual culprit:
      It did not install the way any of the online sources I checked said it would, no Add/Remove entry (duh), and no folder in program Files.
      I found it in "All Users\Application Data\AV1\"
      Cleaned the user's temp files and searched the PC to find several more instances of 'AV1' and 'QWProtect'
      Found a good deal of references to 'AV1' and 'QWProtect' in the registry; QWProtect is a BHO that looks like it comes with AV1.
      Found http://www.malware-news.com/anti-virus-1-new-fake-antivirus.html, saw that TrendMicro has sigs for it, so I used Sysclean, which I think is an awesome tool (plus it's free!). Sysclean found one more instance of it and deleted it.
      Blocked 217.20.175.74 in the corporate FW and it looks like I'm all set.
      Note that the user had to have admin privileges because of some poorly written software, but this wouldn't have happened if she was able to run as a local admin.

  19. Tea Timer by SpectreBlofeld · · Score: 2, Informative

    For Windows, I recommend using Tea Timer, an extension to Spybot S&D. It sits in memory and monitors system files, including the HOSTS file, and alerts the user when another program is attempting to alter it, or add processes to startup, etc.

    http://www.safer-networking.org/en/faq/33.html

    1. Re:Tea Timer by Quirkz · · Score: 1

      TeaTimer is nice in theory, but only for people who are already technical enough to know what's going on. For anyone not that technical, you're just setting yourself up for phone calls: "I'm getting a popup!" or "something's modifying something and I don't know what it is! come quickly!"

      Simple rules like "it's okay if you know what you're installing" don't seem to work well in my experience. The paranoid ones are never sure it's okay, and the rest assume it's always okay, even if they alert says "the program EraseMyHardDrive wants to access your registry."

      Sorry for the cynicism, but a couple of years at a university has consistently shown me these tendencies.

      --
      The Quirkz Handbook of Self-Improvement for People Who Are Already Pretty Okay
  20. How Is This Possible? by Bob9113 · · Score: 2, Informative

    which modifies your HOSTS file

    How could that possibly happen? My hosts file (presumably like the hosts file on any rationally configured system) is owned by root and mod 644. Is this script doing privilege escalation? Or is it actually common for some computers to leave hosts modifiable by an unprivileged user?

    Obviously I'm being a bit facetious, but let's give a little credit where credit is due - this rogue program is not the worst of the malware in the formula. The worst malware is the program (whether that program be an OS, an installer, or simply a set of memes running on the wetware of our society) that leaves hosts editable by unprivileged users, or which leads to privileged users running untrusted software.

    This rogue program is like salmonella - it is taking advantage of poor practices like not cooking meat thoroughly. Blaming this software is like blaming salmonella. Damn you salmonella! It does not grant sufficient credit to the program (or OS, or meme, or OS installer) which is actually to blame.

    --
    Stop-Prism.org: Opt Out of Surveillance
    1. Re:How Is This Possible? by Anonymous Coward · · Score: 0

      This affects Windows systems, not *NIX, duh.

    2. Re:How Is This Possible? by tb3 · · Score: 1

      The worst malware is the program .. that leaves hosts editable by unprivileged users
      That would be Windows ©.

      --

      www.lucernesys.comHorizon: Calendar-based personal finance

  21. There's a fix by symbolset · · Score: 0, Offtopic

    I found an antivirus that prevents this problem from recurring. It's here. Works 100%.

    --
    Help stamp out iliturcy.
  22. Re:Redundant? by masterzora · · Score: 1

    Generally because there is more context to a comment than the other comments in the thread. I have modded the first comment redundant many times, but only when it either served no purpose other than reiterating something from TFS/TFA, or when I've seen the same post, or one nearly identical to it, in several other discussions prior. A few times, when I'm in a foul mood, and the first post, while not even nearly identical to one I've seen before, is just simply not saying anything I haven't heard before, I'll mod it redundant, but I consider that borderline at best. However, in this particular case, the first post doesn't seem to fit under either of my two legitimate criterion, so I don't know what the mods are smoking.

    Also, mod me offtopic for being offtopic as well.

    --
    Remember, open source is free as in speech, not free as in bear.
  23. Ooooooh, and they've learned Grammar, too! by Fantastic+Lad · · Score: 1

    You know malware is getting big when autistic and/or Russian hackers hire copy editors so they don't sound like, well, hackers.

    -FL

    1. Re:Ooooooh, and they've learned Grammar, too! by jonlandrum · · Score: 1

      Ha, I was thinking this, too.

      --
      \\//_ Live long and prosper.
  24. Re:Redundant? by Paradise+Pete · · Score: 1

    And to follow up on something I forgot, you can report bad metamoderation.

    As far as I can tell, there is no more actual metamoderation.

  25. Re:Redundant? by Anonymous Coward · · Score: 0

    How in the hell can the very first post I see be redundant?

    Because a later post may say the same thing, but say it better.

    The purpose of moderation isn't to "punish" posters; it's to best filter things for readers.

  26. Re:Have to love Macs by Anonymous Coward · · Score: 0

    http://secunia.com/advisories/product/96/?task=advisories

    Holy crap.. 800+ vulnerabilities. Vista has like 70-80.

    Ten times the vulnerabilities. It "just works" for hackers and crackers too.

    Go peddle your FUD somewhere else, boy.

  27. Re:Redundant? by WuphonsReach · · Score: 1

    As far as I can tell, there is no more actual metamoderation.

    There is, but it no longer shows up on the front page. Sometimes when I submit a comment, I then get offered to meta-mod.

    --
    Wolde you bothe eate your cake, and have your cake?
  28. Re:Redundant? by techno-vampire · · Score: 1

    I do too, but I never bother any more. I used to receive mod points about twice a week. Then, just after the New! Improved! system went up, I stopped getting mod points at all. When they either give me back my mod points or go back to a real metamod system, I'll go back to metamoderating. What we have now is nothing more than a bad joke compared to the old version.

    --
    Good, inexpensive web hosting
  29. Re:Redundant? by Anonymous Coward · · Score: 0

    That's funny, I get mod points at least once a week and never metamoderate.

  30. Re:Redundant? by Paradise+Pete · · Score: 1

    There is, but it no longer shows up on the front page. Sometimes when I submit a comment, I then get offered to meta-mod.

    I can go to what they are now calling "metamoderation" at any time. It's just that it is no longer actual metamoderation, but rather random comments that for the most part have not been moderated. So how that is meta is beyond me.

  31. Do you live on Earth with the rest of us? by professorguy · · Score: 1

    Yeah, just remove admin privileges from the user. That seems reasonable.

    Then call the vendor who supplied the Emergency Room Management System and ask why the users can't run the program correctly. "Oh, they have to be administrator for that to work."

    Then call the vendor who supplied the Scheduling module to the PACS system. "Oh, they have to be administrator for that to work."

    Then call the vendor.... Repeat until you want to get a gun.

    Maybe the real answer is to not buy software that works that way, but that assumes that buying decisions are based on obscure technical details like this. Not bloody likely.

  32. Re: Yes, but... by DarKnyht · · Score: 1

    I guess I work at a company in some sort of pocket universe. Before any software is approved for purchase it passes by a board that the head of IT sits on.

    Generally said software is evaluated before purchase by the IT Staff (for this very reason), and there is no way around this (really, who wants to purchase software incompatible with your system). Those that choose to ignore this process (read higher ups) also choose to pay for (out of their own private pockets) and support their software themselves (We will happily re-image said computer back to the company standard, loss of non-work related stuff is their problem).

    What you describe to me is exactly why we stopped supporting/using WordPerfect near the end. They were too lazy to update their code and it threw a fit with the proper way of running in an Enterprise Environment. It would run, but required a hell of a lot of registry permission changes and security permissions to work, it is wasn't worth it when it's competitor worked properly from the start.

    I would likewise guess that all the software described above would likewise work with proper registry changes to correct the laziness of the programmers.

    So in the end whose fault is it... The programmer for writing insecure software, the suit that purchased it without having IT evaluate it, or the IT department not doing it's job to secure the system (despite what is required to run on it)?

    --
    Voting them all out of office, now that's change I can believe in.