Fake Antivirus Overwhelming Scanners
ChiefMonkeyGrinder writes "Rogue or bogus programs passing themselves off as real antivirus software have been one of the malware themes of 2009, but the APWG's numbers for the first half of the year show that the organisation's members detected 485,000 samples, more than five times the total for the whole of 2008."
Are AVG for a decline in detection rates and Symantec which sucks in just about every area except preventing itself from being uninstalled. (Notable exception is their corporate product)
It makes sense to make a virus like this. My buddy got one. It said you have a virus, pay us $X for the full version of the Anti-Virus program to remove it. It was a real pain to remove as I remember.
I'm pretty sure that Antivirus 2009 has protected me from emerging threats quite reliably.
Adverts for these things get into legitimate sites all the time through things like adwords, even though they're normally taken off quite sharpish, they're still there. They still cause problems and numpties do click on them. The old IBK error keeps appearing. As long as people aren't educated as to how this all works the problem will remain huge.
The problem with Anti-virus is that every few years a new guy appears on the block. First it was Norton, then Mcafee, then AVG, Kaspersky, and now whatever AV's the in-thing to use. There are new viruses out there all the time too, and if there's one thing that normal people are aware of it's that there are a lot of viruses out there, and that your AV doesn't give 100% protection, so when something pops up saying "You're infected! Our AV will cure it!" they're likely to believe that their current AV is defective, because clearly this one spotted it, they download it and BAM! world of trouble.
It's depressing sometimes, but gladly, I've not had to remove it from any PCs in a while. Whenever I do I recommend they replace their browser with Firefox and Adblock Plus (not NoScript, I did that once and I got bollocked for that a bit because 'using the web was too hard as he had to press buttons every site he went on', the guy was a real pleb but never mind) - and ABP stopped all the ads, and thus, stopped them downloading and installing that shite.
It pays to be obvious, especially if you have a reputation for being subtle.
It's amazing how many people will respond to any random pop up message and install software they don't know. We need to issue computer permits. You can't drive on the information super highway until you have a permit!!
Why would anyone, ever, under any circumstances click on a popup ad? For antivirus?
Who are these people, and how can I take their money somehow more legitimately?
Still I'd rather have a fake anti-virus than Norton Symantec or Windows Live Family protection. At least the fake anti-virus will let me use my PC every now and then. :)
Love many, trust a few, do harm to none.
My netbook required an update to MacAfee ("free" from Comcast) because one part of it stopped working, and during its first scan, it started reporting a problem. Wouldn't tell me what the problem was unless I let it run for twelve hours to scan the whole system. I tried stopping it and looking at logs, I tried looking at logs while it was running, nothing other than the "ominous" 1 under "detected threats".
Turned out that it was reporting the crack program that allows me to run Duke Nukem without the CD -- since the netbook doesn't have a damn CD and I own the copy of Duke Nukem. MacAfraid called it "a program you might not want to have".
Phhhht.
In interesting news, a fake antivirus has caused quite the riot with women in their mid-twenties. Due to unemployed data operations programmers trying to earn some money to at least pay their bills, they have created a fake antivirus much like Windows Antivirus 2009. However, this pseudo-antivirus program is smart and employs unique data mining technologies to determine which users are likely to be attractive women in their late teens to late twenties. These victims are then targeted and scammed.
The women are targeted with an algorithm that determines how much proportional web browsing is carried out on Myspace, Facebook, email, and on online clothing shopping sites. By using a modified log-normal distribution, ex-programmers were able to create a model that determined which users were of the targeted age group 86% of the time and which were hot 49% of the time. With the statistical combination, the "antivirus" program learned which users were "hot women" and instructed them to sit on their scanners with their skirts and underwear removed, or else their computers would go up in smoke. As such the demographic is generally technically illiterate, the women have been doing so, scammers have been receiving really nice butt-on-glass pictures, and the scanners themselves--especially the ones marked "HP"--have been completely overwhelmed.
I've been losing this battle with the staff where I work; they just can't seem to understand that it is itself spyware and/or viruses. I've had to remove this crap from 5 or 6 computers in the last month alone.
Start chasing these guys down and giving them 10 years with no chance for parole... or better yet, look the other way when a mob hunts them down and breaks their knees...
I'm posting to say: COMBOFIX. This thing magically removes Antivirus 2009 and 2010, even the rootkit versions that MBAM falters on (or that prevent MBAM from running, even in safe mode).
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Use it. Love it. Marvel at its simplicity, its beauty.
Those are some of the best-written software out there. No, really! The first time I encountered the more advanced ones, almost no malware detection/removal software could detect them, and none of them could remove that malware. It was on a system for a friend where reformat/reinstall was not really an option (would have taken more time to do that) so I dug into it. It took 26 hours to completely remove the crap from the system - it had strewn source files through the Windows and System Restore directories, had several hidden processes which monitored process killing and file deletion and would modify, recompile, and reinstall multiple copies of itself again.
A few weeks later Malwarebytes and Spybot S&D were updated and could easily remove any variant I've come across since then. The first time I hit it was a pain in the neck, then it was routine removal of it for a few weeks (a bit time consuming but not nearly so much as the first time) and then it became a simple matter of renaming the Malwarebytes and Spybot S&D installers, renaming the installed executable and running them. Ad-Aware couldn't detect them - and it's a shame. Ad-Aware is pretty much useless now. It seems that once they gained commercial viability they became complacent.
The douchebags who write that software aren't stupid. Malware is getting to be extremely well-designed and it's a damned shame those authors aren't doing more productive work.
The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
What we need is a website that offers rewards for killing these people. Of course, it'll have to be disguised as a 'death pool' sort of thing, where people 'guess' when a particular person will die (and by what means)
That number in itself should not surprise anyone. Many threats which are using the web as their primary introduction vector are using server side polymorphism. The sheer volume which the APWG is calling out really only reflects that a lot of people are downloading the rogue AV packages. Of course, given the nature of malware collections there is a very strong chance that many of those people already had 'real' AV which detected it, hence the sample being sent to an AV company in the first place. Of course crawling and honeynets will account for some of the sample set but not the majority. The assertion that this is only the tip of the iceberg is likely true given no AV vendor has an omnipresent view of the world but I am not convinced it's any worse than a plethora of other highly deployed threats. Bluntly, they are all out there in gut wrenching numbers. The rise in rogue AV is driven by the fact that it's gaining in popularity with malware distributors because it's a fast, proven revenue source. In some cases they may even skirt the law on whether it's even illegal. Remember, some of these things have rudimentary AV detection capabilities. -al Immunet Corp
I work for an IT department here in California, and we get about three fake-antivirus-infected computers every week. Lately, the malware's been getting more difficult to remove - it's been hooking into system processes so that it can continually replace itself if part of the program gets deleted.
Thankfully, we've found a fairly nice remedy that doesn't force us to wipe the hard drive. Don't bother with Ad-Aware or Spybot S&D anymore - they've become very ineffective as of late.
First we hit it with a scan from Malwarebytes Anti-Malware, a free scanner you can download here: http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol
Then, on the infected computer, we download and run (in safe mode) a somewhat obscure free program called Combofix, which is available here: http://www.combofix.org/
After that, we run one more follow-up scan with Malwarebytes to ensure that the computer is clean.
So far, this combination of steps has eliminated the infections that we've come across.
What really annoys me is the fact that the mainstream antivirus products (Panda, Symantec, McAfee, etc.) do such a crappy job of dealing with these rogue antivirus things. Most of them don't do a thing. Don't detect the rogue stuff, don't disinfect it, nothing.
Which means that we have to use something like Malwarebytes or Spyware Doctor to remove them.
This is especially annoying for us... We're outsourced IT for our clients. We aren't there every day to take care of everything they need. We set things up as safely and securely as we can, manage it all as best we can, but we can't lock things down as tightly as I'd like because these folks need to be able to operate without us - installing their own software and updates, things like that. So it's only a matter of time before one of our clients stumbles into one of these rogue antivirus products.
Does anyone know of a good, centrally-managed (like Symantec or Panda) anti-virus/malware package that actually detects these rogue things?
"Work is the curse of the drinking classes." -Oscar Wilde
I got to fight with Windows Police Pro after it got onto my Mom's computer. It pretty much makes the computer useless. It even changed the file registration for .exe's and .com's. Luckily, after fixing the registry I was able to get Malwarebytes working and got things running again.
My wife later told me about someone at work getting something similar. She asked what to do and I started rambling on about all the steps. She then asked what this non-techie should do. I had no idea. Find a geek or pay for one at Best Buy or something? It looks like that option would cost about $200! Maybe this is a good opportunity to buy a new computer? If I hadn't been able to help my Mom she would pretty much not have a usable computer now.
Anyone have advice for the average (or below average) joe on what to do when they are stuck with this? What advice is even good to avoid this? Don't install anything from the internet?
Clovis
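The ".exe/.com file registration" hijack mentioned in the post above is a registry change, so it can be audited and reverted with a script. This is an added example, not code from the thread or from Malwarebytes; it assumes a stock Windows XP/Vista/7 install where the handler for both file types is exactly `"%1" %*`, and that the per-user override keys under HKCU\Software\Classes do not exist on a clean machine.

```powershell
# Added example (not from the thread). Audits the .exe/.com file
# associations that rogue AV such as Windows Police Pro rewrites so that
# every program launch is routed through the malware, and optionally
# restores the stock values. Assumption: stock Windows XP/Vista/7, where
# both handlers are exactly  "%1" %*  . Run from an elevated PowerShell
# prompt; pass -Repair to actually write changes.

$Expected = @(
    # Machine-wide associations (HKLM\SOFTWARE\Classes backs HKCR).
    @{ Path = 'HKLM:\SOFTWARE\Classes\.exe';                       Value = 'exefile' },
    @{ Path = 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command'; Value = '"%1" %*' },
    @{ Path = 'HKLM:\SOFTWARE\Classes\.com';                       Value = 'comfile' },
    @{ Path = 'HKLM:\SOFTWARE\Classes\comfile\shell\open\command'; Value = '"%1" %*' }
)

# Per-user keys take precedence over HKLM. On a clean system these do
# not normally exist (assumption), so their mere presence is suspicious.
$UserOverrides = @(
    'HKCU:\Software\Classes\.exe',
    'HKCU:\Software\Classes\exefile\shell\open\command',
    'HKCU:\Software\Classes\.com',
    'HKCU:\Software\Classes\comfile\shell\open\command'
)

function Get-DefaultValue([string]$Path) {
    # Returns the key's (default) value, or $null if the key is missing.
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.'(default)'
}

function Test-ExeAssociation {
    param([switch]$Repair)
    $findings = @()

    foreach ($entry in $Expected) {
        $actual = Get-DefaultValue $entry.Path
        if ($actual -ne $entry.Value) {
            $findings += "HIJACKED $($entry.Path) = [$actual], expected [$($entry.Value)]"
            if ($Repair) {
                # Recreate the key if the malware deleted it, then set the default.
                New-Item -Path $entry.Path -Force | Out-Null
                Set-ItemProperty -Path $entry.Path -Name '(default)' -Value $entry.Value
            }
        }
    }

    foreach ($path in $UserOverrides) {
        $actual = Get-DefaultValue $path
        if ($null -ne $actual) {
            $findings += "USER OVERRIDE $path = [$actual]"
            if ($Repair) {
                # Removing the per-user key lets the HKLM default apply again.
                Remove-Item -Path $path -Recurse -Force
            }
        }
    }

    if ($findings.Count -eq 0) { return 'OK: .exe/.com associations are stock' }
    return $findings
}

# Report only; run  Test-ExeAssociation -Repair  to restore the defaults.
Test-ExeAssociation
```

Any value other than the stock handler (for example a path under the user's profile or a temp directory) is the hook the poster describes; note the finding before repairing, because that path is where the rest of the infection lives. If the hijack already blocks powershell.exe from starting, run the script from a recovery environment or after loading the hive offline.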
^ Clovis, look! It's that guy you are!
You know MBAM is good when the newest variants of this shit specifically prevent its installer and the application itself from running (unless you rename them).
Whoever is responsible for this fake antivirus and security software should be killed slowly and painfully over a period of weeks. Like, torture them to near the point of death and keep a couple medical personnel on hand to nurse them back to health so you can start over again, and repeat the process a few times. And put videos of it on YouTube for the enjoyment of all of us who have to clean that shit off computers.
I'm not ashamed to admit that I use three different security programs to protect my XP pc that I got from Download.com: AVG Free, Zone Alarm Free and Advanced System Care Free.
I'm sure there's some overlap in functionality and there's more stuff running in the background precipitating the need to run a RAM monitor to watchdog the whole mess, but the result is that nothing yet has gotten through so I guess it's doing its job. Something that hasn't changed with the free products is that there is a lot of user-approving that is required. I guess those are the equivalent of 'nag screens' that are designed to wear people down and get them to upgrade to the paid version.
On the AV front what I find interesting is that several years back, I recall Microsoft including an antivirus program with its OS (I want to say DOS 6 but it could have been Win3.1) that was displayed during the install screen slideshow. Even now, when I go into Security Manager in XP, it's very clear that MS has never filled this empty space with a proprietary product. Was a true proprietary AV in Windows product merged with OneCare? To not have seen an official MS retail (or free version!) of an AV product after all these years seems like a missed opportunity.
This is all the free market working against the unfree market. In a free market competitors work to make the best product to make the most money. Right now, that's malware writers, each trying to outdo one another and make the best trojans to get the most bots and personal info.
In a free market consumers would buy computers best suited to deal with this threat, with defenses that appropriately reduce this threat to a small subset of their customers. But, since we have one player with a huge amount of influence on the desktop OS market, with huge influence on computer makers and other markets and who has built substantial barriers to prevent consumers from trying other options, desktop OS's are not adapting appropriately. Why should they if it is not losing them significant money?
Trojans aren't some unsolvable problem, but for the most part they are a problem that needs to be dealt with at the OS level. Add on software from computer makers is only going to be partially effective. SELinux, for example, does a reasonable job of mitigating trojans in the secure workstation market, but has not been adapted to the consumer desktop market as yet because it requires integration on the part of application developers and there is no real motivation to do that. Linux and OS X desktops don't face significant levels of attack. Windows doesn't lose real money when it fails to defend against them. Why would anyone who understands the benefits of free market capitalism expect anything but to have malware writers win. They have direct, financial motivation.
Seriously, MS could easily create a sandboxed backwards compatibility layer (they already have). They could easily require all software that did not have a proper signature and an ACL to run in a restricted sandbox. They could dump money into crafting a good UI for it and motivating developers by restricting access to new, useful APIs. The real question is, why should they, as a business, spend that money?
I have a modest proposal that will solve this problem and a lot of other problems all stemming from the same cause. Break up Microsoft. Seriously. They're repeat offender antitrust violators. Break them up and give at least two new companies complete rights to use all the source code and patents and an equal portion of the human resources and capital. Forbid these companies from any nonpublic communication or any agreements they don't offer to other companies with the same terms.
When you have executives at MS-A and at MS-B both realizing they have to do something to win sales contracts from Dell and HP and Sony and Asus guess what, they'll have to compete. Then their financial well being will depend upon which can deliver a better product at a lower price. Neither will be able to strongarm customers or people in other markets. They'll have motivation to fix the flaws in Windows and the accompanying software that people have been learning to work around for decades. And neither company will have to worry about antitrust concerns and will be able to bundle whatever crap they want including their version of IE. I'd be willing to bet if our justice department had the balls, the malware problem would be a minor annoyance in 5 years time.
Isn't it about time to start asking Microsoft to fix the system instead of installing additional software that helps cover up the flaws? The reason why they went with this is that it is cheaper to offer "feature rich environment" but cover the holes with "additional safety software" than it is to make sure the "feature rich environment" is correct let alone sane or safe. The weakness has always been the "additional safety software" part. If legitimate software can be "additional safety software" then illegitimate software can be "additional safety software" as well.
Who validates what is legitimate "additional safety software"? The AV Industry? Microsoft? These guys aren't exactly impartial and at an abstract level represent a conflict of interest. Should it be left up to the user? If the user was qualified to do that they wouldn't need "additional safety software". This is a gigantic losing battle where we have long since passed the point where we need more AV and UAC "protection" and need to start closing loopholes and flaws in the Windows OS and architecture.
Your comment about the quality of malware made me think... Who benefits from these programs? What would cause a rapid migration from PC to Mac more than a rapid escalation of virus problems?
My father has a Thinkpad running XP. I am the one who advised him to get this machine about 4 years ago. It served him well, except that he falls for social engineering ploys that are common in spam and virus infected e-mail. I recently spent several hours helping him get rid of "Windows Anti-Virus Pro". It was not fun; he lives hundreds of miles away. I was on the phone advising him on how to diagnose and repair his crippled computer. His next machine will be a Mac. One more incident like this, and Dad's Thinkpad goes on Craigslist. Something tells me it won't be long. I would convert the machine to Linux, but I think it would require more training time than I currently spend on his Windows problems. On a Mac, he would be pretty much self-supporting.
Who benefits? And the stuff is high quality? Harassing the customer until he switches? This is exactly what MS would do to its competitors if they could figure out a way to pull it off.
Use a 'Buntu.
This is in a big part triggered by our increased dependence on search engines, instead of common sense and stricter ICANN regulations, that would educate us to go to something like bitdefender.com or mcafee.com
Quick case study: let's type "best antivirus software" in Google, Bing and Yahoo. First links, for all three, are not antivirus vendors but shady "review" sites like toptenreviews.com. Immediately on entry, toptenreviews tried to sell me their own "security configurator" thing. Also, all "buy now" links for the listed antiviruses go to interesting domain names like jdoqocy.com and kqzyfj.com.
Check http://anti-virus-software-review.toptenreviews.com/ for yourself, or any other similar site.
I'm wondering if anyone else has considered this: A legal agency lets this thing get installed on an isolated PC. They then pay for this trojan (i.e. the extortionist fee for temporarily disabling the fake antivirus for a year), and, making good use of the powers they have, simply have the bank account receiving these funds or credit card payments frozen, the owner jailed, etc etc. Even if it's an off-shore account, surely the US could apply some pressure or invade.
No viruses. Not one, and not a single Windows computer is permitted to connect to my network. I keep one copy of windows in one box. It is a cardboard box in my closet under some books and smelly socks. It has not gotten a single virus either.
I do have to keep a frigen virus scanner on my mail and files coming from outside my network, so I don't simply pass them on to other Windows computers if the files ever leave my network. It pisses me off that I have to waste time and resources on protecting Windows computers that are 100% banned from my office network, not to mention wasting resources on sorting spam and other security threats that all the bots turn out from those infected computers.
Why is there not a class action lawsuit against MS for the damage their product does to those that are not MS customers (they should get their share too)?
Living in Chile
"Who will police the police?" that's what they used to ask, in the old days.
The whole anti-virus ecosystem is amazing, come to think of it. It represents a point in our civilization where we started thinking nothing of fixing a manufacturer's product for them at our expense. When I re-image an old piece of hardware and give it to someone who can't afford a new one, I tell them to be sure and put an anti-virus on it, and they accept that as if it were the most obvious thing in the world. And having used Linux ever since my first computer, I'm the one left feeling that I was being Captain Obvious.
So how long before people accept that they have to install anti-anti-malware on their machines too?
... and less than 450,000 people have it?
SUPERAntiSpyware - yea, this one sounds like it's malware, but combined with Spyware Doctor it's awesome
If viruses change the way a system functions, wouldn't it just be safer to burn the OS into a chip?
Seriously, I'm happy with Windows XP. I never need to change it, and MSFT certainly isn't maintaining it anymore.
Couldn't we just burn XP to a chip and be done with the virus problem forever? Or is there always a need for external (non read only) files?
For compromised systems, one thing that works great in the cases where you can't reinstall is Process Explorer from Microsoft. It is a more detailed task manager so you can get more information on processes. That itself isn't useful. However, what it can do is suspend processes. You choose a process and there's a suspend option, as well as killing it. Well, what that does is allow you to shut this stuff down, but its watchdog process doesn't notice. It is still "running", it just doesn't get CPU time. So the main process can't stop you from modifying the system, and the watchdog doesn't know to reload it.
You then can make use of Autoruns, also from Microsoft. That shows you everything that starts up on your system. Use that to track down and remove the startup of the processes. Reboot to clear the file locks (or boot to a live CD), and delete the files.
I can get rid of all the malware I've thus far encountered manually using those tools and spending some time. We have to do it sometimes because professors refuse to let us reinstall, even though that is the best option, since I can never be 100% sure I cleared all threats.
http://www.moonsecure.com/
Open source, uses the ClamAV database. Vista/7 support pending.
"When information is power, privacy is freedom" - Jah-Wren Ryel
Why do none of you people reinstall when you discover that a machine is compromised? You appear to be using the compromised OS to scan itself. That cannot be reliable.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
I'd make a headline change, sub in "users" for "scanners."
If there was ever a clearer case of PEBKAC, I'd like to hear about it. This is like trying to wall off a cliff to protect the lemmings.
If people will install random crap off the Internet without first reading a review, getting some word of mouth, and/or downloading it from a trusted source, they're going to get infected. Having an AV is useless if you're going to behave as described in TFA. There isn't a technological solution here.
An AV can't protect people who don't understand that you shouldn't "fertilize your lawn with motor oil." This is the level of dumb we are talking about here.
--
Toro
I wonder if the reason that most of the mainstream AV products fail to classify these fake anti-malware viruses as what they are-- viruses, is some sort of honor code that exists between thieves and extortionists. It's pathetic how the most expensive security products on the market today just refuse to expose and remove a virus that morphs into a well-known trojan when the user gives-in to the threats.
The fake AV viruses simply have a list of "threats" they "found" to bamboozle the user into paying for the "service". All paying for it does is cause the threatening popups to go away. If you stop paying, it then threatens to reinstall all the (utterly nonexistent) viruses and trojans it claims to have found. It's all a fraud wrapped-up in a tidy package of lies. The only thing the extortionware does is detect money in your bank account and remove it as soon as you provide the billing details to the operators of the scam.
The Six Dumbest Ideas in Security. In this particular case: "#5 Educating Users". A couple of choice quotes:
If "Educating Users" is the strategy you plan to embark upon, you should expect to have to "patch" your users every week. That's dumb.
The real question to ask is not "can we educate our users to be better at security?" it is "why do we need to educate our users at all?"
I've already posted we need to stop blaming the user and start blaming the authors of the system (Microsoft). The problem isn't some PEBKAC thing where a user is clicking on what they think is AV software and accidentally ruining their system. The problem is that the system allows them to do it in the first place. A run of the mill, standard user shouldn't be able to do this in the first place. Why is it happening at all?? What important feature is being provided by the OS by allowing users to do this?? Some feature of installing AV software so it can prevent other fake AV software from installing? This is lunacy!
A meta-problem is that industry and environment has trained users to expect the OS to be broken in a way they need protection ("Oh look a new AV program that is 1000% better than my old stuff!") but that is another thread.
At a certain point, I can't help but reach the conclusion that "computers are complicated and require intelligence and technical experience to maintain." Many average users lack intelligence and almost all lack any kind of technical experience at all.
And at a certain point, people who can't keep track of their system restore CDs and who don't maintain backups? That's not just lacking above average intelligence or experience, it's dumb along the lines of drinking and driving, buying something you can't afford, or having unprotected sex with a stranger.
I agree it is hell for regular users, but perhaps the acceptable standard for most computer users is a system restore once a year, unless they get smart enough to not get infected.
RTFA.
And yes, the summary should have included that. Using acronyms without defining them is a generally bad practice.
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
I had one machine with Police Pro that I spent a shitload of time cleaning. The crap that it installed disabled Task Manager, disabled safe mode, modified shell classes, disabled regedit, and disabled anything that required administrator privileges. I had to boot from a Bart PE disk and clean the registry remotely by hand. Malwarebytes wouldn't install. And when I cleaned it up enough to install, it wouldn't run. By the time Malwarebytes would run, I had already mostly cleaned it. I'd like to cut the nuts off whoever wrote that junk.
I haven't used antivirus software since Norton for DOS. Common Sense prevails.
I've actually seen one that, once infected, ran your antivirus program within a wrapper!
We remove the infected hard drive, then scan it on a Linux box using five different AntiVirus/Spyware programs. Then we boot in safe mode back on the original machine and scan it as a running system. Some of the new virus / spyware programs are actually running the installed AVG within a wrapper and not allowing AVG to see the whole hard drive. Really pretty well written if they could have gone unobserved.
I'm not even suggesting Linux is insecure, other than to say it's just as open to viruses as any other OS.
Well no, no it's not. Please stop spreading the fear, uncertainty, and doubt on Microsoft's behalf if you know better, please educate yourself more if you don't.
Not all OSes are created equal. Not all default accounts that the system sets the initial end user up with are full root-level accounts which require no further authentication to modify any and all system files for the user or any processes that happen to launch under that user's credentials.
Not all OSes are closed-source that tout the notion of security-via-obscurity. Yes, I know that's one of the red herrings that Microsofties try to claim that gives Linux a security edge due to its smaller portion of desktop marketshare, but nothing is more obscure than source code that only a handful of people can see and understand its flaws. Microsoft seems to think that this is somehow more secure than open source code that has all of its flaws bared to the light of day since it was in development. But Microsoft's closed-source philosophy is obviously quite a failed model in light of how many people are able to discover flaws in it and exploit it anyway, leaving Microsoft either denying there's a problem or rushing out a fix. Sucks to be you if you're one of the people who gets infected after some ne'er-do-well discovers a flaw but before the programmers at Microsoft figure out how to fix it, because they're the only ones who can fix it for you under almost all circumstances.
Not all OSes deny you the ability to patch your computer against security vulnerabilities and other flaws that have been discovered since it was released simply because you didn't pay for them or they merely *think* you didn't pay for them.
Linux does a much better job at isolating system space from userspace. Linux was developed under the assumption that it would be attacked from all sides, so it made sure to harden and protect its vital components from the everyday users. Linux is open source, so anyone can see what's wrong with it and fix it and submit their repair for the developers to review and release...and they generally seem to do so before a black hat finds and exploits the flaw. The good folks who release distributions and manage repositories don't care if you paid for Linux or not...you can fix or even upgrade your system whether or not you have the "Genuine (dis)Advantage".
I have always been pretty smug about malware, believing that because I kept Windows patched, used a legit, constantly updated, copy of McAfee, normally use Opera (use IE only for sites that don't accept Opera, run with ActiveX disabled, etc.), don't visit the digital whorehouses, and generally practiced safe hex, I was too smart to get malware - that malware was something that only happened to the clueless. Last Monday while browsing in IE I got a pop-up notification from "MS Windows Operating System" (yeah, right!) that my computer was infected: the window showed a fake scan constantly finding malware, and a button to download Antivirus Pro 2010 to remove these infections. Clearly I was nowhere near as smart as I imagined myself, but still nowhere stupid enuf to click on that! The popup was followed by a McAfee detection and removal of three viral items in a new folder "/Program Files/Antivirus Pro 2010". I didn't download anything or do anything but visit a couple of sites in IE. I'm not sure which was the guilty site so I won't cast aspersions on anything but IE. (I note that last Tuesday's MS critical update had two patches for stuph that "could allow a web site to execute arbitrary code just by visiting the site." *&^%$#@!)
Knowing what to look for, I deleted the new folder, plus a couple of dozen registry entries referencing "Antivirus Pro 2010", rebooted, but it was back - clearly the mothership was well hidden. Google located a recommendation for Malwarebytes Antimalware which did the job, even via simply D/Ling and installing on the infected computer. Good stuph. I'll lose McAfee (which was supplied for home use by my big-three DoD contractor employer.) I've also installed Firefox (been meaning to do for a while, but as a long-time Opera user and old dog resistant to new tricks...)
I gotta maintain Windows on two of my four home machines for compatibility with outsiders (my wife does environmental consulting from the house) but damn, couldn't MS offer a version of Windows without all those damn automagical "features" that do stuph behind your back?
I find that Mandriva Linux 2010, or failing that any of the other Antivirus tools known under various other Linux names work flawlessly. If you have unprotected sex with a prostitute, you may not get what you paid for, but you can expect to get a virus.
I've been using Comodo AV for about a year, as part of their Comodo Internet Security, on several machines. It works ok, but does have a higher-than-average number of False Positives. To the extent that there's a False Positives section of their forum. I also find their HIPS "Defense Plus" more annoying than it should be, sometimes alerting after I've told it a program was OK and it should remember my choice.
But it is quite lightweight, and does the job. Price is right. Also nice to that it is not bloated with "Parental Control", "Privacy Protection", "Anti-Spam" and all kinds of other cruft.
I have had the best luck with VIPRE Rescue. It is from Sunbelt Software (Remember CounterSpy) live.sunbeltsoftware.com
See subject line above & this guide (specifically Post #20) in regards to ComboFix (& SmitFraudFix + ProcessExplorer)
----
HOW TO SECURE Windows 2000/XP/Server 2003 & even VISTA, plus make it "fun-to-do", via CIS Tool Guidance (&, beyond):
http://www.tcmagazine.com/forums/index.php?showtopic=2662
----
Between those 3 programs?
Well - There really isn't much (heck, anything "malware" really) that you CANNOT "get rid of" (other than memory resident rootkits, because you can "blow out" bootsector originated types & that post #20 goes into that as well)...
APK
P.S.=> Another STRONG measure of defense in that guide is the HOSTS file: Using it, you can "suck in" these infectors/infestors, & not have to worry about them "getting orders from the mothership", because IF/WHEN you use an UP TO DATE HOSTS FILE? You block off their ability to even 'talk back' to mama...
How so??
WELL - IF/WHEN you add in the domainnames/hostnames of the "command & control" servers that botnets use? Then, the workstation with said newly amended HOSTS file CANNOT EVEN REACH THEM FOR NEW "ORDERS", period.
Same thing would work on servers also, no questions asked.
(There are plenty of GOOD reliable & reputable sources for that kind of information, as to getting a good currently updated HOSTS file, & my personal favs are SpyBot "Search & Destroy" via its "immunize" feature, ZDNet's Mr. Dancho Danchev's blogspot here -> http://ddanchev.blogspot.com/ & also SRI, here -> http://mtc.sri.com/ as well as other reputable & kept-up-to-date HOSTS files listed here @ wikipedia -> http://en.wikipedia.org/wiki/Hosts_file )
This technique, works... & on a VERY simple principle:
"IF YOU CAN'T GO INTO THE KITCHEN, YOU CAN'T GET BURNED..."
This can also be done via DENY commands in a routers' routing tables also, as an alternate to HOSTS file usage, but personally, I'd recommend doing it in BOTH places, for added "layered security" (if not also adding these to various browsers' "block lists", such as IE's "restricted zones" &/or Opera's urlfilter.ini-filter.ini files as well as FireFox's too)... apk
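The HOSTS-file blocking APK describes above, worked through as an added example (this is not APK's own script and not one of the feeds he names). It assumes a feed that is a plain list of hostnames, one per line; the hostnames and the existing HOSTS content are constructed placeholders on reserved TLDs, not real indicators.

```python
"""HOSTS-file sinkholing of command-and-control hostnames.

Added example; not APK's own script and not one of the feeds he lists.
Hostnames are constructed placeholders on reserved TLDs (.invalid, .test),
not real indicators.
"""
import re
from typing import Dict, Iterable, List

SINKHOLE = "0.0.0.0"  # unroutable; 127.0.0.1 also works but hits the local stack
HOSTS_HEADER = "# --- C2 block entries (added from feed) ---"

# Constructed feed: mixed case, trailing dot, duplicate, comment, blank, junk.
SAMPLE_FEED = [
    "c2-example.invalid",
    "Updates.Botnet-Example.test",
    "c2-example.invalid.",
    "# comment line from the feed",
    "",
    "not a hostname!",
    "localhost",  # single-label names are never added
]

# Constructed existing HOSTS file with one feed entry already in place.
EXISTING_HOSTS = "127.0.0.1 localhost\n0.0.0.0 c2-example.invalid  # already blocked\n"

# At least one label plus a TLD, within RFC 1035 length limits.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$"
)


def normalize(feed: Iterable[str]) -> List[str]:
    """Lower-case, strip comments and trailing dots, drop junk and duplicates."""
    seen, out = set(), []
    for raw in feed:
        name = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if not name or not _HOSTNAME_RE.match(name) or name in seen:
            continue
        seen.add(name)
        out.append(name)
    return out


def parse_hosts(text: str) -> Dict[str, str]:
    """Map hostname -> address. First entry for a name wins, as the resolver does."""
    mapping: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        addr, names = parts[0], parts[1:]
        for name in names:
            mapping.setdefault(name.lower(), addr)
    return mapping


def merge_block_entries(hosts_text: str, feed: Iterable[str], sinkhole: str = SINKHOLE) -> str:
    """Append sinkhole lines for feed names not already present; idempotent."""
    current = parse_hosts(hosts_text)
    new_lines = [f"{sinkhole} {name}" for name in normalize(feed) if name not in current]
    if not new_lines:
        return hosts_text
    sep = "" if not hosts_text or hosts_text.endswith("\n") else "\n"
    return hosts_text + sep + "\n".join([HOSTS_HEADER, *new_lines]) + "\n"


def is_sinkholed(hostname: str, hosts_text: str) -> bool:
    """True when the HOSTS file pins the name to a non-routable address."""
    addr = parse_hosts(hosts_text).get(hostname.lower().rstrip("."))
    return addr in {"0.0.0.0", "127.0.0.1", "::1", "::"}


if __name__ == "__main__":
    merged = merge_block_entries(EXISTING_HOSTS, SAMPLE_FEED)
    print(merged)
    for host in ("Updates.Botnet-Example.test.", "example.com"):
        print(host, "->", "blocked" if is_sinkholed(host, merged) else "resolves normally")
```

The merge is idempotent, so it can be re-run whenever the feed updates without duplicating lines. Two caveats a practitioner would want: the HOSTS file only affects names resolved through the OS resolver, so malware that contacts a hard-coded IP address, carries its own DNS client or generates domains on the fly is unaffected, and anything already running with administrator rights can rewrite the file. That is the case for also applying the list on the router or internal DNS server, as APK suggests, where the infected workstation cannot edit it.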
You're right, but at the same time, I think the "buzz" keeps changing about which AV product is "best" largely because the commercial AV makers keep dropping the ball. There was once a time when Norton products had the utmost respect (back when people used MS-DOS, basically). But Symantec quickly trashed his reputation after buying the rights to put his face and name on their product boxes and proceeded to write buggy bloatware.
McAfee stepped in with a product that was less likely to screw up your whole Windows installation ... so people flocked to it, especially for corporate use. But then, they started discovering it, too, became a resource hog as they kept adding more things for it to detect and clean, and every so often, McAfee would do an update to the "engine" itself that caused instability and problems until they fixed it.
I know my workplace recently switched to Kaspersky, not because we heard it would do a "better job" detecting viruses ... but because the licensing cost about $700 less than McAfee, AND the central management tool was a little better and less likely to crash with Windows exception errors during use.
It's really not a surprise they can't detect and clean 100% of the problems out there, when they can't even seem to build their software to run in a stable, non-intrusive, and non resource-intensive fashion!
I have been using a program called avast! I have found it to be thorough, and non invasive. on top of all that it is free, only requires you to register a new code once a year. http://www.avast.com/
And so you know that the user has had unauthorized software running on the PC with administrator privileges, capturing and relaying customer login information for all their accounts, sampling files for interesting data and uploading them to unknown sites for further processing, flagging systems with system and user DSN's for special manual handling - for an unknown period of time but almost certainly across more than one reboot.
But you've killed all the evil processes and deleted the software that is known by the scanner vendor to be bad.
And now you can comfortably give that computer back to the end user to attach to your network and start processing work again because it's all better now, right? That is what you said?
/shudder.
Help stamp out iliturcy.
They showed up within 24 hours of her getting broadband. I downloaded this utility that fixed her right up. It only took 20 minutes. I did have to reinstall her Picasa though. At the same time we upgraded her printer to one of the newer HP multifunction things so she can print and upload her digital photos, and scan recipes - her old one was a broken Lexmark. The utility seems to be 100% effective against all of these things. Grandma really likes it - it's been a year and now when I visit it's only to chat, not to fix her computer.
Anyhow, the utility is called "Jackelope" for some odd reason. It's available here.
Help stamp out iliturcy.
You were right on target. Most people don't check. And while Linux doesn't have any known viruses in the wild, systems do get hacked from time to time. It's a good idea to check your logs and connections now and then, or have someone help you with that. In an org it's essential to watch what the network's doing, run honeypots and snap misbehavior off at the access port automatically and in real time.
And then you had to go say this:
Yah; I'm talking about the *current* version of Windows, not the version that shipped almost a decade ago. Comparing 2009 Linux to 2001 Windows, now that's some FUD!
Look, I was in the store today. Systems were on the shelf new, with Windows XP. As far as I know, that's the definition of a current version.
So he's right - you're just another Microsoft astroturfer like the ones who were extolling the virtues of Vista, and bashing people who were complaining about performance by saying they should try it on a "modern" computer when their computers were brand new, modern PCs that Vista just struggled with. And here we are 2 years on and more and more systems are coming out completely unable to run that crud. XP is still on the shelf, and if you want to be free of the crud in this article you can run Linux but usually I just tell people to "get a mac".
Oh, and open source adds security to Linux in the same way that peer review lends credibility to science. If your process is well documented and your results reproducible, you've come a long way towards proof.
Help stamp out iliturcy.
I can't speak for the US, but in Europe the "omfg new virus" news have been coming in shorter and shorter periods here, on prime time TV news no less. So the average user goes into headless chicken mode and realizes he needs an AV suite, anything will do. And this product is slapped in his face and it already did a scan from afar (no, he doesn't question why this should even remotely (no pun intended) work) and tells him he's infected to the brim but 50 bucks will cure this. No, the product doesn't do anything but silence that fake warning when he buys it, but he's satisfied.
He acted.
If this sounds familiar, it's similar to what our politicians do in a crisis when they have no clue what to do. Throw money at it, hope that some warning signal goes away and feel good about having done something.
One of the reasons why this is possible is simply that there is no "seal of quality" for AV suites. There's no FCC, there's no DMV, there's no FDA, there's no organization that says this or that suite is useful, this is snakeoil and this is just plain out dangerous. We're today in AV where medicine was a hundred years ago with the traveling "tonic" salesmen who sold "indian herbal remedies" and other more or less toxic waste to gullible fools.
The only thing we could do is to steer the (finally onsetting) security consciousness of the average computer user into right directions. We shouldn't squelch it just because they might end up actually buying a worse infection than they could get for free.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
So they're all running Windows then?
Help stamp out iliturcy.
If an app had enough permissions to get installed it's trivial for it to elevate it to system privileges and install a rootkit that cannot be detected. Even if you remove the drive and scan it in a known-good system, there's still a chance that the product you're scanning with doesn't recognize the particular threat yet because these threats are polymorphic and the one on the scanned system may be unique.
It's scary enough that we have to trust vendor media for these closed development operating systems. It's just malpractice to claim we can restore one that has been known to be running malware to an acceptable condition.
Wipe and reimage in the case of infection. Every time. It's quicker, too.
Help stamp out iliturcy.
If you only knew what a program could do once it has the right to install software, how easy it is to elevate from that condition to the maximum (system) privilege after the next reboot...
There's a lot of this ignorance being propagated through slashdot in this thread and I have to think some of it is deliberate.
Help stamp out iliturcy.
There's a lot of guidance in the comments to this article on how to remove malware. It's all bogus. There is no removing malware. If the software has enough privileges to install, it not only will do so but will escalate its privileges to the maximum available and install a rootkit as soon as it can (probably the next reboot).
From there you are pwned utterly and completely. Your attempts at identification and removal do nothing except educate the new owner of your PC about the specific details of your ignorance. Your only hope of restoring control of the device is to eliminate all of the software on it. In extreme cases even this is not enough. Has your desktop background .jpg downloaded with your profile been validated? If it hasn't it can compromise IE and hence your entire system - as you log in. Is the file that infested you in My Documents on your personal share as a malformed document for a popular application? You don't know. You can't know. That's the entire point of building these systems.
Please, please stop telling people they can clean this junk. The time when a system could be cleaned is past more than five years now.
Help stamp out iliturcy.
485,000 unique samples does not mean 485,000 different variants. It simply means they had that many samples with different checksums, not necessarily unique strains. The anti-phishing group has been growing and getting feedback from more sources recently, which means more samples and reportings. This skews the statistics and doesn't give any solid data on how many true variants are out there, nor does it give anything meaningful about how prevalent they are.
I've heard ads for obscure antivirus programs over the radio. No idea if that one could be considered malware or not, but I bet that soon we will be dealing with users downloading these things because they saw a billboard on their way to work.
(sung to tune of camptown races)
Ctrl-Alt-Delete Format Re-install
DO Dahh,Do Dahh
Can't get this malware to uninstall
Oh De Doo-da day
The geek squad sings this song,
Doo-da, Doo-da
Even though they know it's wrong
Oh, de doo-da day
Goin' to run all night
Goin' to run all day
I bet my money on a browser highjack
Somebody bet on a service pack
Oh, the McAfees and Ad-Awares
Doo-da, doo-da
all miss detections no one cares
Oh, de doo-da day
Goin' to run all night
Goin' to run all day
I bet my money on a browser highjack
Somebody bet on a service pack
I went down there with my HDD caved in,
Doo-da, doo-da
I came back home with a pocket full of lint
Oh, de doo-da day
Goin' to run all night
Goin' to run all day
I bet my money on a browser high jack
Somebody bet on a service pack
Ctrl-alt delte format reinstall
doo-da doo-da
Security software really sucks balls
Oh De Doo-da day.
How much is your data worth? Back it up now.
I remove these things for about 50% of my living. I used to see email viruses, CoolWebSearch, and other insta-installers. Now EVERY infection is a trojan.
They use compromised web ads on legitimate sites (I've personally seen pop-ups on websites for CNN and The Washington Post) and post recompiled versions en masse. It's the Zero-Day attack, where most anti-virus can't get definitions for the first 12-24 hours. Given how these folks blanket the web with their stolen ad spaces, they can hit a lot of people. $49.95 for every sucker they catch (assuming they don't also steal the credit card info--although I have not had any reports of this from the several infected people who have paid them and later came to me).
I've seen every flavor of anti-virus compromised. McAfee and Norton most often (the bad guys obviously target the biggest marketshare--plus folks who pay those two crap-sellers are the most gullible). But nothing can really protect against a competent Zero-Day attack.
The good news about this is that XP, Vista (and I assume) Windows 7 are no longer vulnerable to automated attacks. They need a couple of user clicks in order to bypass their unwillingness to install programs with Admin privileges. That's why everything is Trojans these days, at least for auto-updating systems.
Hasn't really cut down on the amount of infections, to my jaundiced eyes, however.
I've also seen my first 'infected' Macintosh (running Leopard 10.5). The infection consisted of a link in the user startup that launched Safari and sent it to a website advising the user that they were infected. The site tried to download a windows executable, but that obviously didn't accomplish much.
I still got paid for deleting the link and about 8 executables, so no complaints.
The key to fixing Windows infections is to start with an offline scan on another computer. Use at least two and preferably three anti-malware products, including Malwarebytes. Windows Defender does a very good custom on a slave drive.
Afterwards, boot the (still infected) machine in Safe Mode and update it with the Spybot Includes file (get that from MajorGeeks). Scan the machine in Safe Mode. Spybot might not find as many nasties as it used to, but it is still very good at detecting compromised system settings. There's quite a bit more, including repairing damaged system files and such, but the best first step is an offline scan on a clean computer, and then a Safe Mode scan with Spybot. After that, you can most likely use the computer to clean up traces on its own.
I have heard these Trojan pros are former KGB computer warfare people who lost their livelihoods when the former Soviet Union collapsed. Since they were trained messing up computers in the US, they just went ahead and kept doing what they knew best. A lot of the stuff seems to originate in poorly policed Eastern European servers.
Fundamentalism is a crime against humanity
I clean multiple infected systems every week. I do it for individuals in my little bitty computer shop. They don't have images or good backups (or even their install CD a lot of the time).
I have a very good record of cleaning people's machines without resorting to a wipe (sometimes, you have to, because the system is so damaged). I don't get many people coming back quickly with renewed infections (amazing what having a properly patched machine with basic anti-malware software installed can do). I don't advertise, and word of mouth keeps me working steadily.
It's partially knowing what belongs in the Root, Windows, System32 directories of a healthy system, and learning to recognize the polymorphed names of suspect files (hint--polymorphed files use random names, most legitimate files have vaguely recognizable titles). Anything I'm not sure of gets an all-caps "UNTRUST" in front of its name. Screws up the naughties, and it's easy to undo if it turns out (rarely) that the file is a needed one. Also, once you find one bad actor, you can use creation dates and file sizes to snag the others tucked away in more obscure places (and nuke all old System Restore points). Plus, they have to be called in order to do their wicked work. Who cares if you have a hidden malware executable or .dll if there isn't anything around to call it? Polymorphs can't be activated remotely for the same reason they are hard to detect with signatures
Now, I don't do big networked corporate systems, and I don't advise customers with super-secret important data (especially financial data--I've refused jobs with accounting firms) to trust that I can make them perfectly safe. That would be bullshit.
But for normal users with normal installations and standard use patterns, a cleanout is often a very good solution.
Fundamentalism is a crime against humanity
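The manual triage the post above describes (spotting random-looking file names, using timestamps and sizes to find a dropper's siblings, and the reversible "UNTRUST" rename) as an added example; it is not the poster's own tooling. The file records are constructed inline and the rename round-trip runs in a temporary directory, so nothing touches a real Windows directory; the `UNTRUST_` prefix with an underscore and the entropy thresholds are this example's own choices.

```python
"""Triage helpers for the manual cleanup steps described in the post above.

Added example; not the poster's own tooling. Sample file records are
constructed inline, and the rename round-trip runs in a temporary directory.
"""
import math
import os
import tempfile
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

QUARANTINE_PREFIX = "UNTRUST_"  # the poster's reversible rename, underscore added here
VOWELS = set("aeiouy")


@dataclass(frozen=True)
class FileRecord:
    name: str
    size: int
    mtime: float  # epoch seconds; on Windows use st_ctime (creation time) instead


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(filename: str) -> bool:
    """Heuristic for generated names: high entropy plus few vowels or several digits.
    Thresholds are chosen so common Windows binaries pass."""
    stem = os.path.splitext(filename)[0].lower()
    if len(stem) < 6:
        return False
    letters = [c for c in stem if c.isalpha()]
    digits = sum(c.isdigit() for c in stem)
    vowel_ratio = sum(c in VOWELS for c in letters) / max(1, len(letters))
    return shannon_entropy(stem) >= 3.0 and (vowel_ratio < 0.2 or digits >= 3)


def siblings(known_bad: FileRecord, records: List[FileRecord], window_s: float = 600.0) -> List[FileRecord]:
    """Files written within window_s of the known-bad one, or of identical size."""
    return [
        r for r in records
        if r.name != known_bad.name
        and (abs(r.mtime - known_bad.mtime) <= window_s or r.size == known_bad.size)
    ]


def triage(records: List[FileRecord], known_bad: Optional[FileRecord] = None) -> List[str]:
    """Names worth a manual look: random-looking ones plus neighbours of a known-bad file."""
    suspects = {r.name for r in records if looks_random(r.name)}
    if known_bad is not None:
        suspects.update(r.name for r in siblings(known_bad, records))
    return sorted(suspects)


def quarantine(path: str) -> str:
    """Rename so nothing can load the file by its old name; returns the new path."""
    directory, base = os.path.split(path)
    target = os.path.join(directory, QUARANTINE_PREFIX + base)
    if os.path.exists(target):
        raise FileExistsError(target)
    os.rename(path, target)
    return target


def restore(path: str) -> str:
    """Undo quarantine() when the file turns out to be needed."""
    directory, base = os.path.split(path)
    if not base.startswith(QUARANTINE_PREFIX):
        raise ValueError(f"not a quarantined name: {base}")
    target = os.path.join(directory, base[len(QUARANTINE_PREFIX):])
    os.rename(path, target)
    return target


def quarantine_roundtrip_ok() -> bool:
    """Self-check on a throwaway file: the old name disappears, restore brings it back."""
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "fdjk3409sd.exe")
        with open(original, "wb") as fh:
            fh.write(b"MZ constructed sample, not a real binary")
        moved = quarantine(original)
        hidden = not os.path.exists(original) and os.path.basename(moved) == "UNTRUST_fdjk3409sd.exe"
        back = restore(moved)
        return hidden and back == original and os.path.exists(original)


# Constructed records around a known-bad dropper written at time T.
T = 1_250_000_000.0
SAMPLE_RECORDS = [
    FileRecord("kernel32.dll", 989_696, T - 400 * 86400),
    FileRecord("svchost.exe", 27_136, T - 400 * 86400),
    FileRecord("fdjk3409sd.exe", 301_056, T),        # random name, recent
    FileRecord("wqpzxkvn.dll", 301_056, T + 45),     # same size, same minute
    FileRecord("winlogon.exe", 507_904, T + 120),    # legitimate name, but touched nearby: review it
]

if __name__ == "__main__":
    print(triage(SAMPLE_RECORDS, known_bad=SAMPLE_RECORDS[2]))
    print("quarantine round-trip ok:", quarantine_roundtrip_ok())
```

Records for a real directory can be built from `os.scandir` with `entry.stat()`. Note that the time-window clustering deliberately flags `winlogon.exe` here: a legitimate name written alongside a dropper is exactly the kind of file the poster says to check by size and date, so the output is a review list, not a verdict. The rename keeps the file on disk for that review, which is why it is preferred over deleting.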
http://rss.uribl.com/nic/TODAYNIC_COM_INC_.html
92.86% - 13 of 14 active domains appearing in email which are registered at TODAYNIC.COM, INC. are Listed by URIBL in the last 5 days.
WARNING: The following links may contain malware, spyware, browser exploits, or other harmful code which can damage your system. URIBL strongly advises against clicking any links and/or accessing any of the sites included in these lists. URIBL.COM is not an ISP, web host, or domain registrar. We do not have any control over what is found on any of the sites linked from this page. This information is made available to the public so action can be taken by the responsible party. If you do not know how to properly put this information to good use, you should not be here. Complaints regarding information found on this page will go unanswered.
Get a lawyer and have them draw up a contract with a disclaimer. Those accounting firms are probably better with you than without you. Remember there's probably a dozen guys out there that will take that job whether they're any good or not.
You might be surprised with what you can do with a budget at your disposal.
Under the influence of Post-Cyberpunk Gonzo Journalism