Fake Antivirus Overwhelming Scanners
ChiefMonkeyGrinder writes "Rogue or bogus programs passing themselves off as real antivirus software have been one of the malware themes of 2009, but the APWG's numbers for the first half of the year show that the organisation's members detected 485,000 samples, more than five times the total for the whole of 2008."
It makes sense to make a virus like this. My buddy got one. It said you have a virus, pay us $X for the full version of the Anti-Virus program to remove it. It was a real pain to remove as I remember.
Adverts for these things get into legitimate sites all the time through things like adwords, even though they're normally taken off quite sharpish, they're still there. They still cause problems and numpties do click on them. The old IBK error keeps appearing. As long as people aren't educated as to how this all works the problem will remain huge.
The problem with Anti-virus is that every few years a new guy appears on the block. First it was Norton, then McAfee, then AVG, Kaspersky, and now whatever AV's the in-thing to use. There are new viruses out there all the time too, and if there's one thing that normal people are aware of it's that there are a lot of viruses out there, and that your AV doesn't give 100% protection, so when something pops up saying "You're infected! Our AV will cure it!" they're likely to believe that their current AV is defective, because clearly this one spotted it, they download it and BAM! world of trouble.
It's depressing sometimes, but gladly, I've not had to remove it from any PCs in a while. Whenever I do I recommend they replace their browser with Firefox and Adblock Plus (not NoScript; I did that once and I got bollocked for that a bit because 'using the web was too hard as he had to press buttons every site he went on', the guy was a real pleb but never mind), and ABP stopped all the ads, and thus stopped them downloading and installing that shite.
It pays to be obvious, especially if you have a reputation for being subtle.
Note to clueless mods, Antivirus 2009 is one of these fake antiviruses, mod them funny, not interesting....
Taxation is legalized theft, no more, no less.
I've been losing this battle with the staff where I work; they just can't seem to understand that it is itself spyware and/or viruses. I've had to remove this crap from 5 or 6 computers in the last month alone.
I'm posting to say: COMBOFIX. This thing magically removes Antivirus 2009 and 2010, even the rootkit versions that MBAM falters on (or that prevent MBAM from running, even in safe mode).
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Use it. Love it. Marvel at its simplicity, its beauty.
A classic, they are more interested in stopping you using different no-CD cracks than they are in your security.
Uninstall this crap.
Love many, trust a few, do harm to none.
See my other post on this subject. Antivirus XP (and variants) can be removed by hand but it's a tedious process. Malwarebytes removes it VERY easily though. With some Antivirus ($FOO) variants you do need to rename the Malwarebytes installer filename and then the executable filename but once you get the process launched it will fully automate the removal process. IMHO Malwarebytes is the very best ad/malware removal utility at the moment, with Spybot S&D and Superantispyware being tied for a very distant second.
The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
I work for an IT department here in California, and we get about three fake-antivirus-infected computers every week. Lately, the malware's been getting more difficult to remove; it's been hooking into system processes so that it can continually replace itself if part of the program gets deleted.
Thankfully, we've found a fairly nice remedy that doesn't force us to wipe the hard drive. Don't bother with Ad-Aware or Spybot S&D anymore; they've become very ineffective as of late.
First we hit it with a scan from Malwarebytes Anti-Malware, a free scanner you can download here: http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol
Then, on the infected computer, we download and run (in safe mode) a somewhat obscure free program called Combofix, which is available here: http://www.combofix.org/
After that, we run one more follow-up scan with Malwarebytes to ensure that the computer is clean.
So far, this combination of steps has eliminated the infections that we've come across.
To remove Norton, don't bother with the uninstaller. Get the Norton Removal Tool from their site:
http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039
This is for ANY install of ANY Norton products. It also gets rid of shared files and their registry settings.
In Soviet Russia, Trojan exploits YOU!
AVG 8 is so bad it makes me want to puke. It chokes my system worse than a real virus. It's a shame because up until 7.5 it ran like a dream.
Spybot is not that good. Get the Google pack of PC Tools Spyware Doctor or maybe the new Security Essentials and use Spybot to augment it with its immunization tools.
Combofix! Go download it and use it. It will slaughter those stupid Antivirus XP 200x and all that jazz. I want to make out with whoever made it.
For compromised systems, one thing that works great in the cases where you can't is Process Explorer from Microsoft. It is a more detailed task manager, so you can get more information on processes. That itself isn't useful. However, what it can do is suspend processes. You choose a process and there's a suspend option, as well as killing it. Well, what that does is allow you to shut this stuff down, but its watchdog process doesn't notice. It is still "running", it just doesn't get CPU time. So the main process can't stop you from modifying the system, and the watchdog doesn't know to reload it.
You then can make use of Autoruns, also from Microsoft. That shows you everything that starts up on your system. Use that to track down and remove the startup of the processes. Reboot to clear the file locks (or boot to a live CD), and delete the files.
I can get rid of all the malware I've thus far encountered manually using those tools and spending some time. We have to do it sometimes because professors refuse to let us reinstall, even though that is the best option, since I can never be 100% sure I cleared all threats.
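The Autoruns step above, as an added example that is not from this thread: a small script that parses a Regedit export of a Run key (the kind of autostart location Autoruns lists) and flags entries whose executable sits in a user-writable directory such as Temp or AppData, where these fake AV installs usually drop themselves. The export text and every name and path in it are constructed for the example.

```python
import re

# Constructed sample .reg export of an HKCU Run key (an autostart location
# Autoruns lists); every name and path here is invented for this example.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Antivirus2009"="C:\\Users\\alice\\AppData\\Local\\Temp\\av2009.exe /startup"
"syscheck"="\"C:\\Users\\alice\\AppData\\Roaming\\syscheck\\syscheck.exe\""
'''

# Locations a user-level infection can write to without admin rights; a
# legitimately installed autostart program rarely lives there.
USER_WRITABLE_DIRS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def _unescape(s: str) -> str:
    """Undo .reg escaping: a backslash quotes the next character."""
    return re.sub(r"\\(.)", r"\1", s)

def parse_run_entries(reg_text: str):
    """Return (key, value_name, command) for each string value in the export."""
    entries, current_key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        key = _KEY_RE.match(line)
        if key:
            current_key = key.group(1)
            continue
        val = _VALUE_RE.match(line)
        if val and current_key:
            entries.append((current_key, _unescape(val.group(1)), _unescape(val.group(2))))
    return entries

def image_path(command: str) -> str:
    """Executable from a Run value: the quoted path, or the text before the first space."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]

def suspicious_entries(reg_text: str):
    """Names of autostart entries whose executable sits in a user-writable directory."""
    return [name for _key, name, cmd in parse_run_entries(reg_text)
            if any(d in image_path(cmd).lower() for d in USER_WRITABLE_DIRS)]

if __name__ == "__main__":
    print("review these:", suspicious_entries(SAMPLE_REG_EXPORT))
```

A flagged entry is a candidate to check, not proof of infection; the value name and path are what you then look for in Autoruns before removing the startup entry and the file.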
I agree MalwareBytes is one of the best Win environment removal tools, but I was having about 20% re-infection rate with these entrenched AVPro infestations that were removed by MB (& Spybot). I also searched system folders for DLLs newly installed and installed "BEFORE the OS" to unregister manually, then running MB and SB S&D again, in Safe Mode w/ Restore Points deleted/disabled. Honestly, after all that work, it is most times easier/cheaper to image the drive, nuke/repartition the drive (in DOS or EXT), reload the OS and re-populate data & 3rds.
Oiyve'!
I have always used Puppy Linux LiveCD to remove stubborn files, but recently started running Linux LiveDiscs w/ Kaspersky or Avira to do all removals the 1st time. Faster, easier and more effective, so far. Too soon to tell if it's the silver bullet I'm hoping for. Recently found a cool aggregate LiveCD builder on gHacks that makes one monster weapon. Still collecting all the parts, hopefully I can trade my 48 disk carrier in for 1 jewel case or a USB thumb drive.
Imagination drew in bold strokes, instantly serving hopes and fears, while knowledge advanced by slow increments...
You do realize that if you're running two AVs they stomp on each other and nothing works.
Not always the case. You can use an online scanner with no problem.
Sadly they sometimes pick up things other ones miss.
http://housecall.trendmicro.com/
http://security.symantec.com/
http://www.kaspersky.com/virusscanner
Just to Name a few online ones.
I had a system last week infected with "Windows Police Pro"... I was able to remove it in about an hour.... (not easy.. but also not difficult - just using the combination of tools I mentioned above).. and got the User back up and working. *shrug* I don't claim to be a "genius"... but I do have years of experience.. and I've been doing IT Admin/support for long enough that my intuition (about how a system is behaving) is usually correct.. and I can be pretty effective when I'm "in the zone".
Security Essentials detected several:
- Adware: Win32/WhenU.A (Medium Alert Level)
- Adware: Win32/ClickAlchemy (Severe)
- Adware: Win32/ABetterInternet.C (High)
- Adware: Win32/SurfPlayer (High)
- Adware: Win32/NewDotNet (High)
To be somewhat fair to McAfee, it did detect a couple coming from one machine, MWS and SmartShopper, but this was very late in the process, well after the user had reported seeing the FakeAV pop-up and (apparently) after the machine had been infected. Perhaps these are McAfee names for some of the ones listed above and my reporting was just slow, don't know.
Also just for the record, we run EPO 4, Agent 4.0.0.1494 (as of yesterday, latest agent patch) and VirusScan 8.7.0i, Patch 1 (Patch 2 is out as of yesterday I believe, we'll be going to that soon). The so-called "Antivirus 2009" or "Antispyware 2009" and all its variants have slipped past McAfee at least a half a dozen times in the past 3 weeks or so on our network. These are all domain machines, EPO protected, completely managed; it's not like we just have a hodge-podge of out of date titles or whatever. Go check out the McAfee forums, there are a few topics with people complaining about this as well.
I'm with you, I'm quite concerned about this. But outside of going around to 300 personal computer's (that's for the "CPU" nerdrage above) and scanning them individually with Malwarebytes or MSE I'm not really sure what to do. I'm kind of hopeful McAfee gets their shit, or rather their DAT's, together and can at least start alerting me on these, so we're not completely in the dark.
I've been through about 20 machines with this infection or variants thereof (av360, av 2009, av2008, etc). I'm guessing I lost about four of them, the worst of course were the ones where the user went all the way through with the install, assumed they were protected and let the damn thing run for months, updates and all. One of those machines I'd just like to shoot. It powered off and wouldn't come back on for three months, then "bam!" it's running again. I'm thinking that thing won't be safe until the drive is zeroed and the BIOS is flashed. But, yeah, some of them are really F*ing hard.
Under the influence of Post-Cyberpunk Gonzo Journalism
I work for a computer repair shop, and we see AV20xx ridiculously often... We burned a CD with Malwarebytes 1.41 and SysInternals Process Explorer, and that's all it really takes to disable it, allowing for full removal. Make sure you rename procexp.exe to iexplore.exe and then kill the virus process, launch Malwarebytes and nuke. After that, fix any internet connectivity problems, install a trial of Sunbelt Vipre, then scan with both until clean. After that, do a final pass with the free version of Prevx CSI and remove files manually until it comes up clean. Voila!