Slashdot Mirror


Rogue Anti-Malware Pushes Fake PCMag Review

Varzil found an interesting story about some "Rogue Anti-Malware" (which seems to me should just be called 'Malware') which modifies your HOSTS file to trick you into reading a fake anti-virus review which is of course for more malware. Modifying HOSTS is an old trick, but this is interesting because it's actually trying to get you to read fake content: normally this sort of trick is used to prevent you from fixing your computer, but this one is trying to get you to break it even more. I guess friends don't let friends modify their HOSTS files.

5 of 90 comments

  1. Re:Why aren't these people in jail? by jetsci · Score: 2, Informative

    I imagine most of these folks operate outside of US jurisdiction (yes, there is a world beyond your borders). Take some international law classes and you will understand. Imagine extraditing these guys from China? Good luck!

    --
    Bored at work? Play Game!
  2. Re:hijacking AV sites too by nine-times · Score: 3, Informative

    I haven't really found any single solution to be good enough. Once you're infected with one of these things, it seems like the best idea is to either (a) wipe the drive and start over; or (b) download and install every malware/spyware/virus removal program that you can get your hands on, run them serially, and remove anything that any of them find. Ideally you run each from a live CD or something that doesn't allow the virus a chance to load before you can run the remover.

    And then to be really careful, run each of them again.

  3. Tea Timer by SpectreBlofeld · Score: 2, Informative

    For Windows, I recommend using Tea Timer, an extension to Spybot S&D. It sits in memory and monitors system files, including the HOSTS file, and alerts the user when another program is attempting to alter it, or add processes to startup, etc.

    http://www.safer-networking.org/en/faq/33.html

  4. How Is This Possible? by Bob9113 · Score: 2, Informative

    which modifies your HOSTS file

    How could that possibly happen? My hosts file (presumably like the hosts file on any rationally configured system) is owned by root and mod 644. Is this script doing privilege escalation? Or is it actually common for some computers to leave hosts modifiable by an unprivileged user?

    Obviously I'm being a bit facetious, but let's give a little credit where credit is due - this rogue program is not the worst of the malware in the formula. The worst malware is the program (whether that program be an OS, an installer, or simply a set of memes running on the wetware of our society) that leaves hosts editable by unprivileged users, or which leads to privileged users running untrusted software.

    This rogue program is like salmonella - it is taking advantage of poor practices like not cooking meat thoroughly. Blaming this software is like blaming salmonella. Damn you salmonella! It does not grant sufficient credit to the program (or OS, or meme, or OS installer) which is actually to blame.
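The two HOSTS-file tricks the story contrasts (pointing security sites at loopback to block them, and pointing a review site at an attacker's server to serve fake content) and the permission check comment 4 describes both come down to a few lines of inspection. The following is an added example, not code from the page or from any of the tools the commenters mention: it parses a hosts file, flags entries for a hypothetical watch list of security-vendor domains, classifies each as "blocked" or "redirected", and checks owner/mode the way comment 4 expects. The sample hosts content and the watch list are constructed for illustration.

```python
import ipaddress
import os
import stat

# Constructed sample hosts file (not taken from the page). The first two lines
# are stock; the last two are the two malware tricks the story contrasts.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.safer-networking.org   # blocked: the usual "stop the fix" trick
192.0.2.10      www.pcmag.com pcmag.com    # redirected: the fake-review trick
"""

# Hypothetical watch list: on an end-user machine, any hosts entry for these
# domains is suspicious, whatever address it points to.
WATCHED_DOMAINS = {"pcmag.com", "safer-networking.org", "malwarebytes.org"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, skipping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        ip, *names = line.split()              # one IP, one or more names per line
        entries.extend((ip, name.lower()) for name in names)
    return entries


def domain_is_watched(hostname):
    """True if hostname is a watched domain or a subdomain of one."""
    labels = hostname.split(".")
    return any(".".join(labels[i:]) in WATCHED_DOMAINS for i in range(len(labels)))


def classify_target(ip_str):
    """'blocked' for loopback/unspecified addresses, 'redirected' for anything else."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return "redirected"                    # unparsable target is still not legitimate
    return "blocked" if (ip.is_loopback or ip.is_unspecified) else "redirected"


def find_hijacks(text):
    """Return (kind, ip, hostname) for every watched domain present in the hosts text."""
    return [(classify_target(ip), ip, name)
            for ip, name in parse_hosts(text) if domain_is_watched(name)]


def hosts_perms_ok(uid, mode):
    """Comment 4's expectation on Unix: owned by root, not writable by group or other."""
    return uid == 0 and not (mode & (stat.S_IWGRP | stat.S_IWOTH))


def default_hosts_path():
    """Location of the live hosts file on Windows vs. Unix-like systems."""
    if os.name == "nt":
        return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                            "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


if __name__ == "__main__":
    path = default_hosts_path()
    with open(path, encoding="utf-8", errors="replace") as fh:
        for kind, ip, name in find_hijacks(fh.read()):
            print(f"{kind}: {name} -> {ip}")
    if os.name != "nt":
        st = os.stat(path)
        print("permissions ok" if hosts_perms_ok(st.st_uid, st.st_mode)
              else "hosts file is owned by a non-root user or is group/world writable")
```

Run without arguments it inspects the live hosts file; pointing a real domain at loopback shows up as "blocked" and pointing it at any other address as "redirected", which is the distinction the story draws. The permission check only applies on Unix-like systems; on Windows the file is protected by an ACL rather than a mode, which is why a monitor like the one comment 3 describes is the practical equivalent there.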

  5. Re:hijacking AV sites too by andytrevino · Score: 2, Informative

    I work at a university dorm as a network technician (UWM, in case you're wondering!), and fix ten to twenty computers a week infected with malware, often exactly this strain of rogue AV software.

    The utility called ComboFix almost always cleans these infections up with no hassle. If that fails, or if examination of the logfile indicates that it didn't quite get everything, MalwareBytes Anti-Malware should take care of the rest, and if anything gets past BOTH of those you can take note of the infected file names that couldn't be removed and delete them from Knoppix or a BART LiveCD.

    I only reinstall Windows as a last resort, or if ComboFix detects an unremovable rootkit (this can be found in the logfile).