Fake Antivirus Overwhelming Scanners
ChiefMonkeyGrinder writes "Rogue or bogus programs passing themselves off as real antivirus software have been one of the malware themes of 2009, but the APWG's numbers for the first half of the year show that the organisation's members detected 485,000 samples, more than five times the total for the whole of 2008."
Are AVG for a decline in detection rates and Symantec which sucks in just about every area except preventing itself from being uninstalled. (Notable exception is their corporate product)
I'm pretty sure that Antivirus 2009 has protected me from emerging threats quite reliably.
Adverts for these things get into legitimate sites all the time through things like adwords, even though they're normally taken off quite sharpish, they're still there. They still cause problems and numpties do click on them. The old IBK error keeps appearing. As long as people aren't educated as to how this all works the problem will remain huge.
The problem with Anti-virus is that every few years a new guy appears on the block. First it was Norton, then McAfee, then AVG, Kaspersky, and now whatever AV's the in-thing to use. There are new viruses out there all the time too, and if there's one thing that normal people are aware of it's that there are a lot of viruses out there, and that your AV doesn't give 100% protection, so when something pops up saying "You're infected! Our AV will cure it!" they're likely to believe that their current AV is defective, because clearly this one spotted it, they download it and BAM! world of trouble.
It's depressing sometimes, but gladly, I've not had to remove it from any PCs in a while, whenever I do I recommend they replace their browser with Firefox and Adblock plus (Not noscript, I did that once and I got bollocked for that a bit because 'using the web was too hard as he had to press buttons every site he went on', the guy was a real pleb but nevermind) - and ABP stopped all the ads, and thus, stopped them downloading and installing that shite.
It pays to be obvious, especially if you have a reputation for being subtle.
It makes sense to make a virus like this. My buddy got one. It said you have a virus, pay us $X for the full version of the Anti-Virus program to remove it. It was a real pain to remove as I remember.
I know, I have naively installed Symantec on my computer too...
Still I'd rather have a fake anti-virus than Norton Symantec or Windows Live Family protection. At least the fake anti-virus will let me use my PC every now and then. :)
Love many, trust a few, do harm to none.
My netbook required an update to MacAfee ("free" from Comcast) because one part of it stopped working, and during its first scan, it started reporting a problem. Wouldn't tell me what the problem was unless I let it run for twelve hours to scan the whole system. I tried stopping it and looking at logs, I tried looking at logs while it was running, nothing other than the "ominous" 1 under "detected threats".
Turned out that it was reporting the crack program that allows me to run Duke Nukem without the CD -- since the netbook doesn't have a damn CD and I own the copy of Duke Nukem. MacAfraid called it "a program you might not want to have".
Phhhht.
In interesting news, a fake antivirus has caused quite the riot with women in their mid-twenties. Due to unemployed data operations programmers trying to earn some money to at least pay their bills, they have created a fake antivirus much like Windows Antivirus 2009. However, this pseudo-antivirus program is smart and employs unique data mining technologies to determine which users are likely to be attractive women in their late teens to late twenties. These victims are then targeted and scammed.
The women are targeted with an algorithm that determines how much proportional web browsing is carried out on Myspace, Facebook, email, and on online clothing shopping sites. By using a modified log-normal distribution, ex-programmers were able to create a model that determined which users were of the targeted age group 86% of the time and which were hot 49% of the time. With the statistical combination, the "antivirus" program learned which users were "hot women" and instructed them to sit on their scanners with their skirts and underwear removed, or else their computers would go up in smoke. As such the demographic is generally technically illiterate, the women have been doing so, scammers have been receiving really nice butt-on-glass pictures, and the scanners themselves--especially the ones marked "HP"--have been completely overwhelmed.
I've been losing this battle with the staff where I work; they just can't seem to understand that it is itself spyware and/or viruses. I've had to remove this crap from 5 or 6 computers in the last month alone.
I've had those things pop up on Linux machines, and they report dozens of infections. Once, I couldn't kill the blasted thing, nor could I close Firefox. I had to go to the system monitor, and kill Firefox to regain control of my browser. Aggravating bit of nonsense, especially since I had several windows and tabs open.
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
Start chasing these guys down and giving them 10 years with no chance for parole... or better yet, look the other way when a mob hunts them down and breaks their knees...
I'm posting to say: COMBOFIX. This thing magically removes Antivirus 2009 and 2010, even the rootkit versions that MBAM falters on (or that prevent MBAM from running, even in safe mode).
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Use it. Love it. Marvel at its simplicity, its beauty.
Those are some of the best-written software out there. No, really! The first time I encountered the more advanced ones, almost no malware detection/removal software could detect them, and none of them could remove that malware. It was on a system for a friend where reformat/reinstall was not really an option (would have taken more time to do that) so I dug into it. It took 26 hours to completely remove the crap from the system - it had strewn source files through the Windows and System Restore directories, had several hidden processes which monitored process killing and file deletion and would modify, recompile, and reinstall multiple copies of itself again.
A few weeks later Malwarebytes and Spybot S&D were updated and could easily remove any variant I've come across since then. The first time I hit it was a pain in the neck, then it was routine removal of it for a few weeks (a bit time consuming but not nearly so much as the first time) and then it became a simple matter of renaming the Malwarebytes and Spybot S&D installers, renaming the installed executable and running them. Ad-Aware couldn't detect them - and it's a shame. Ad-Aware is pretty much useless now. It seems that once they gained commercial viability they became complacent.
The douchebags who write that software aren't stupid. Malware is getting to be extremely well-designed and it's a damned shame those authors aren't doing more productive work.
The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
It was a real pain to remove as I remember.
SmitFraudFix.
Posts not to be taken literally. Almost everything is sarcasm.
That number in itself should not surprise anyone. Many threats which are using the web as their primary introduction vector are using server side polymorphism. The sheer volume which the APWG is calling out really only reflects that a lot of people are downloading the rogue AV packages. Of course, given the nature of malware collections there is a very strong chance that many of those people already had 'real' AV which detected it, hence the sample being sent to an AV company in the first place. Of course crawling and honeynets will account for some of the sample set but not the majority. The assertion that this is only the tip of the iceberg is likely true given no AV vendor has an omnipresent view of the world but I am not convinced it's any worse than a plethora of other highly deployed threats. Bluntly, they are all out there in gut wrenching numbers. The rise in rogue AV is driven by the fact that it's gaining in popularity with malware distributors because it's a fast, proven revenue source. In some cases they may even skirt the law on whether it's even illegal. Remember, some of these things have rudimentary AV detection capabilities. -al Immunet Corp
I work for an IT department here in California, and we get about three fake-antivirus-infected computers every week. Lately, the malware's been getting more difficult to remove - it's been hooking into system processes so that it can continually replace itself if part of the program gets deleted.
Thankfully, we've found a fairly nice remedy that doesn't force us to wipe the hard drive. Don't bother with Ad-Aware or Spybot S&D anymore- they've become very ineffective as of late.
First we hit it with a scan from Malwarebytes Anti-Malware, a free scanner you can download here: http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol
Then, on the infected computer, we download and run (in safe mode) a somewhat obscure free program called Combofix, which is available here: http://www.combofix.org/
After that, we run one more follow-up scan with Malwarebytes to ensure that the computer is clean.
So far, this combination of steps has eliminated the infections that we've come across.
What really annoys me is the fact that the mainstream antivirus products (Panda, Symantec, McAfee, etc.) do such a crappy job of dealing with these rogue antivirus things. Most of them don't do a thing. Don't detect the rogue stuff, don't disinfect it, nothing.
Which means that we have to use something like Malwarebytes or Spyware Doctor to remove them.
This is especially annoying for us... We're outsourced IT for our clients. We aren't there every day to take care of everything they need. We set things up as safely and securely as we can, manage it all as best we can, but we can't lock things down as tightly as I'd like because these folks need to be able to operate without us - installing their own software and updates, things like that. So it's only a matter of time before one of our clients stumbles into one of these rogue antivirus products.
Does anyone know of a good, centrally-managed (like Symantec or Panda) anti-virus/malware package that actually detects these rogue things?
"Work is the curse of the drinking classes." -Oscar Wilde
You jest, but I've heard compelling arguments for requesting that ISPs disconnect computers doing malicious stuff even if the owner is unaware of it until they clean up their act. I could even be swayed to believe that ISPs should be held partially responsible/liable for malicious traffic they're relaying just to convince them to enforce such measures. It puts an additional burden on ISPs, but where else can we stop clueless users from polluting our Interwebs?
He's getting rather old, but he's a good mouse.
I got to fight with Windows Police Pro after it got onto my Mom's computer. It pretty much makes the computer useless. It even changed the file registration for .exe's and .com's. Luckily, after fixing the registry I was able to get Malwarebyte working and got things running again.
My wife later told me about someone at work getting something similar. She asked what to do and I started rambling on about all the steps. She then asked what this non-techie should do. I had no idea. Find a geek or pay for one at Best Buy or something? It looks like that option would cost about $200! Maybe this is a good opportunity to buy a new computer? If I hadn't been able to help my Mom she would pretty much not have a usable computer now.
Anyone have advice for the average (or below average) joe on what to do when they are stuck with this? What advice is even good to avoid this? Don't install anything from the internet?
Clovis
^ Clovis, look! It's that guy you are!
You know MBAM is good when the newest variants of this shit specifically prevent its installer and the application itself from running (unless you rename them).
Whoever is responsible for this fake antivirus and security software should be killed slowly and painfully over a period of weeks. Like, torture them to near the point of death and keep a couple medical personnel on hand to nurse them back to health so you can start over again, and repeat the process a few times. And put videos of it on YouTube for the enjoyment of all of us who have to clean that shit off computers.
I'm not ashamed to admit that I use three different security programs to protect my XP pc that I got from Download.com: AVG Free, Zone Alarm Free and Advanced System Care Free.
I'm sure there's some overlap in functionality and there's more stuff running in the background precipitating the need to run a RAM monitor to watchdog the whole mess, but the result is that nothing yet has gotten through so I guess it's doing its job. Something that hasn't changed with the free products is that there is a lot of user-approving that is required. I guess those are the equivalent of 'nag screens' that are designed to wear people down and get them to upgrade to the paid version.
On the AV front what I find interesting is that several years back, I recall Microsoft including an antivirus program with its OS (I want to say DOS 6 but it could have been Win3.1) that was displayed during the install screen slideshow. Even now, when I go into Security Manager in XP, it's very clear that MS has never filled this empty space with a proprietary product. Was a true proprietary AV in Windows product merged with OneCare? To not have seen an official MS retail (or free version!) of an AV product after all these years seems like a missed opportunity.
This is all the free market working against the unfree market. In a free market competitors work to make the best product to make the most money. Right now, that's malware writers, each trying to outdo one another and make the best trojans to get the most bots and personal info.
In a free market consumers would buy computers best suited to deal with this threat, with defenses that appropriately reduce this threat to a small subset of their customers. But, since we have one player with a huge amount of influence on the desktop OS market, with huge influence on computer makers and other markets and who has built substantial barriers to prevent consumers from trying other options, desktop OS's are not adapting appropriately. Why should they if it is not losing them significant money?
Trojans aren't some unsolvable problem, but for the most part they are a problem that needs to be dealt with at the OS level. Add on software from computer makers is only going to be partially effective. SELinux, for example, does a reasonable job of mitigating trojans in the secure workstation market, but has not been adapted to the consumer desktop market as yet because it requires integration on the part of application developers and there is no real motivation to do that. Linux and OS X desktops don't face significant levels of attack. Windows doesn't lose real money when it fails to defend against them. Why would anyone who understands the benefits of free market capitalism expect anything but to have malware writers win. They have direct, financial motivation.
Seriously, MS could easily create a sandboxed backwards compatibility layer (they already have). They could easily require all software that did not have a proper signature and an ACL to run in a restricted sandbox. They could dump money into crafting a good UI for it and motivating developers by restricting access to new, useful APIs. The real question is, why should they, as a business, spend that money?
I have a modest proposal that will solve this problem and a lot of other problems all stemming from the same cause. Break up Microsoft. Seriously. They're repeat offender antitrust violators. Break them up and give at least two new companies complete rights to use all the source code and patents and an equal portion of the human resources and capital. Forbid these companies from any nonpublic communication or any agreements they don't offer to other companies with the same terms.
When you have executives at MS-A and at MS-B both realizing they have to do something to win sales contracts from Dell and HP and Sony and Asus guess what, they'll have to compete. Then their financial well being will depend upon which can deliver a better product at a lower price. Neither will be able to strongarm customers or people in other markets. They'll have motivation to fix the flaws in Windows and the accompanying software that people have been learning to work around for decades. And neither company will have to worry about antitrust concerns and will be able to bundle whatever crap they want including their version of IE. I'd be willing to bet if our justice department had the balls, the malware problem would be a minor annoyance in 5 years time.
Isn't it about time to start asking Microsoft to fix the system instead of installing additional software that helps cover up the flaws? The reason why they went with this is that it is cheaper to offer "feature rich environment" but cover the holes with "additional safety software" than it is to make sure the "feature rich environment" is correct let alone sane or safe. The weakness has always been the "additional safety software" part. If legitimate software can be "additional safety software" then illegitimate software can be "additional safety software" as well.
Who validates what is legitimate "additional safety software"? The AV Industry? Microsoft? These guys aren't exactly impartial and at an abstract level represent a conflict of interest. Should it be left up to the user? If the user was qualified to do that they wouldn't need "additional safety software". This is a gigantic losing battle where we have long since passed the point where we need more AV and UAC "protection" and should start closing loopholes and flaws in the Windows OS and architecture.
This is in a big part triggered by our increased dependence on search engines, instead of common sense and stricter ICANN regulations, that would educate us to go to something like bitdefender.com or mcafee.com
Quick case study: let's type "best antivirus software" in Google, Bing and Yahoo. First links, for all three, are not antivirus vendors but shady "review" sites like toptenreviews.com. Immediately on entry, toptenreviews tried to sell me their own "security configurator" thing. Also, all "buy now" links for the listed antiviruses go to interesting domain names like jdoqocy.com and kqzyfj.com.
Check http://anti-virus-software-review.toptenreviews.com/ for yourself, or any other similar site.
I'm wondering if anyone else has considered this: A legal agency lets this thing get installed on an isolated PC. They then pay for this trojan (ie: the extortionist fee for temporarily disabling the fake antivirus for a year), and, making good use of the powers they have, simply have the bank account receiving these funds or credit card payments frozen, the owner jailed, etc etc. Even if it's an off-shore account, surely the US could apply some pressure or invade.
No viruses. Not one, and not a single Windows computer is permitted to connect to my network. I keep one copy of windows in one box. It is a cardboard box in my closet under some books and smelly socks. It has not gotten a single virus either.
I do have to keep a friggin' virus scanner on my mail and files coming from outside my network, so I don't simply pass them on to other Windows computers if the files ever leave my network. It pisses me off that I have to waste time and resources on protecting Windows computers that are 100% banned from my office network, not to mention wasting resources on sorting spam and other security threats that all the bots turn out from those infected computers.
Why is there not a class action lawsuit against MS for the damage their product does to those that are not MS customers (they should get their share too)?
Living in Chile
"Who will police the police?" that's what they used to ask, in the old days.
The whole anti-virus ecosystem is amazing, come to think of it. It represents a point in our civilization where we started thinking nothing of fixing a manufacturer's product for them at our expense. When I re-image an old piece of hardware and give it to someone who can't afford a new one, I tell them to be sure and put an anti-virus on it, and they accept that as if it were the most obvious thing in the world. And having used Linux ever since my first computer, I'm the one left feeling that I was being Captain Obvious.
So how long before people accept that they have to install anti-anti-malware on their machines too?
... and less than 450,000 people have it?
SUPERAntiSpyware - yeah, this one sounds like it's malware, but combined with Spyware Doctor it's awesome
If viruses change the way a system functions, wouldn't it just be safer to burn the OS into a chip?
Seriously, I'm happy with Windows XP. I never need to change it, and MSFT certainly isn't maintaining it anymore.
Couldn't we just burn XP to a chip and be done with the virus problem forever? Or is there always a need for external (non read only) files?
for compromised systems, one thing that works great in the cases where you can't is Process Explorer from Microsoft. It is a more detailed task manager so you can get more information on processes. That itself isn't useful. However, what it can do is suspend processes. You choose a process and there's a suspend option, as well as killing it. Well, what that does is allow you to shut this stuff down, but its watchdog process doesn't notice. It is still "running" it just doesn't get CPU time. So the main process can't stop you from modifying the system, and the watchdog doesn't know to reload it.
You then can make use of Autoruns, also from Microsoft. That shows you everything that starts up on your system. Use that to track down and remove the startup of the processes. Reboot to clear the file locks (or boot to a live CD), and delete the files.
I can get rid of all the malware I've thus far encountered manually using those tools and spending some time. We have to do it sometimes because professors refuse to let us reinstall, even though that is the best option, since I can never be 100% sure I cleared all threats.
yups, you get a choice of recovering session or starting a new one
not even a case of not RTFM but a case of not opening yer anonymous wee eyes!
Must be the same dimwits who see ads on the internet.
There's no -1 for "I don't get it."
Install the SessionManager extension to get finer grained control of such things.
Not a sentence!
http://www.moonsecure.com/
Open source, uses the ClamAV database. Vista/7 support pending.
"When information is power, privacy is freedom" - Jah-Wren Ryel
Why do none of you people reinstall when you discover that a machine is compromised? You appear to be using the compromised OS to scan itself. That cannot be reliable.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
I'd make a headline change, sub in "users" for "scanners."
If there was ever a clearer case of PEBKAC, I'd like to hear about it. This is like trying to wall off a cliff to protect the lemmings.
If people will install random crap off the Internet without first reading a review, getting some word of mouth, and/or downloading it from a trusted source, they're going to get infected. Having an AV is useless if you're going to behave as described in TFA. There isn't a technological solution here.
An AV can't protect people who don't understand that you shouldn't "fertilize your lawn with motor oil." This is the level of dumb we are talking about here.
I've been using OpenDNS for a while now, and am honestly bewildered why ISP DNS servers can't do a lot of the same functions. One of the best features of OpenDNS is it can block IPs for known malware/spyware/virus sites. No reason that ISPs can't do the same thing. Take the whole Conficker thing. We knew where it was going to call home to, and by default OpenDNS blocked those IPs. If ISPs did the same thing, there would have been no *need* for all the scare reports about what was going to happen.
About a year ago, a pop-up advertisement pretended to scan my hard drive remotely (without my permission) and then claimed to find two viruses on drive C and also spyware in the registry of my Linux computer. I have encountered those scareware anti-virus advertisements several times over the last several years while using Firefox and Linux.
Typically, a window pops up telling me that their website has detected a virus and spyware on my computer. The website suggests that I let them scan my hard drive for viruses and spyware. When I try to close the window, a window with a progress bar appears, announcing that they are scanning my drive C for viruses. After only about thirty seconds, they have supposedly finished scanning my entire 500 GB hard drive and announce that they have found two viruses on drive C, and also spyware in my registry. That seems bogus, since Linux does not designate hard drives or partitions with drive letters and also does not have a registry.
They then asked me to purchase their anti-virus product, to fix the problem. Despite again attempting to close a pop-up and a tab, I soon had a pop-up from Firefox, asking me which program it should use to try to open a Windows file that ended in .EXE. Was that an attempted drive-by download of malware? They did not even attempt to make me download a Linux version of their fake anti-virus program.
I have never heard of a Linux virus successfully circulating in the wild. But, they did give the names of the two viruses my computer was supposedly infected with, so I looked those two names up on a more legitimate anti-virus website, and it listed them as both being Windows only viruses.
I have recently started using both the AdBlock Plus and NoScript extensions for Firefox on both my Linux computer and my Windows XP computer. On my Windows XP computer I have also recently started running Firefox sandboxed with Sandboxie. Hopefully, I will not be bothered by those fake anti-virus advertisements again.
Why would anyone, ever, under any circumstances click on a popup ad? For antivirus?
Who are these people, and how can I take their money somehow more legitimately?
For a modest fee, I can supply her name and number. Last crapware purge netted about 400 infections. She has got herself programmed to click ok to close any popup that appears. Surprisingly few viruses, but a fine collection of fake virus scanners that insist on starting up and displaying a comforting splash screen at boot. And she was using XP.. No UAC.
It is difficult to get a man to understand something when his job depends on not understanding it.
I wonder if the reason that most of the mainstream AV products fail to classify these fake anti-malware viruses as what they are-- viruses, is some sort of honor code that exists between thieves and extortionists. It's pathetic how the most expensive security products on the market today just refuse to expose and remove a virus that morphs into a well-known trojan when the user gives-in to the threats.
I realize that you may be fishing here - but I'll bite. What's wrong with system monitor? Granted, there are other tools that may be more fine-grained, and there are also CLI tools for the purpose. But, why don't you like system monitor? You're an old-school purist? If that's the case, I'll readily admit that I am not. I spend most of my time using GUI.
The fake AV viruses simply have a list of "threats" they "found" to bamboozle the user into paying for the "service". All paying for it does is cause the threatening popups to go away. If you stop paying, it then threatens to reinstall all the (utterly nonexistent) viruses and trojans it claims to have found. It's all a fraud wrapped-up in a tidy package of lies. The only thing the extortionware does is detect money in your bank account and remove it as soon as you provide the billing details to the operators of the scam.
IIRC you even get a page that lets you select which tabs to reload so you can specifically not revisit the particular one that killed the browser. (Maybe that's just in the newest version or two, though.)
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
The Six Dumbest Ideas in Security. In this particular case: "#5 Educating Users". A couple of choice quotes:
If "Educating Users" is the strategy you plan to embark upon, you should expect to have to "patch" your users every week. That's dumb.
The real question to ask is not "can we educate our users to be better at security?" it is "why do we need to educate our users at all?"
I've already posted we need to stop blaming the user and start blaming the authors of the system (Microsoft). The problem isn't some PEBKAC thing where a user is clicking on what they think is AV software and accidentally ruining their system. The problem is that the system allows them to do it in the first place. A run of the mill, standard user shouldn't be able to do this in the first place. Why is it happening at all?? What important feature is being provided by the OS by allowing users to do this?? Some feature of installing AV software so it can prevent other fake AV software from installing? This is lunacy!
A meta-problem is that the industry and environment have trained users to expect the OS to be broken in a way they need protection from ("Oh look a new AV program that is 1000% better than my old stuff!") but that is another thread.
At a certain point, I can't help but reach the conclusion that "computers are complicated and require intelligence and technical experience to maintain." Many average users lack intelligence and almost all lack any kind of technical experience at all.
And at a certain point, people who can't keep track of their system restore CDs and who don't maintain backups? That's not just lacking above average intelligence or experience, it's dumb along the lines of drinking and driving, buying something you can't afford, or having unprotected sex with a stranger.
I agree it is hell for regular users, but perhaps the acceptable standard for most computer users is a system restore once a year, unless they get smart enough to not get infected.
RTFA.
And yes, the summary should have included that. Using acronyms without defining them is a generally bad practice.
I had one machine with Police Pro that I spent a shitload of time cleaning. The crap that it installed disabled Task Manager, disabled safe mode, modified shell classes, disabled regedit, and disabled anything that required administrator privileges. I had to boot from a Bart PE disk and clean the registry remotely by hand. Malwarebytes wouldn't install. And when I cleaned it up enough to install, it wouldn't run. By the time Malwarebytes would run, I had already mostly cleaned it. I'd like to cut the nuts off whoever wrote that junk.
I've actually seen one that, once infected, ran your antivirus program within a wrapper!
We remove the infected hard drive, then scan it on a Linux box using five different AntiVirus/Spyware programs. Then we boot in safe mode back on the original machine and scan it as a running system. Some of the new virus / spyware programs are actually running the installed AVG within a wrapper and not allowing AVG to see the whole hard drive. Really pretty well written if they could have gone unobserved.
I can just imagine the phone calls after this happens. The ISP will be inundated with irate calls from customers and then they'll require assistance cleaning their systems. With the costs of having some geek squad newbie come out, they could just buy a new computer every time the ISP kicks them off the 'net.
[John]
Shit better not happen!
But it would make site operators take better care in terms of the traffic they support. Period. As if they don't, they'd get blacklisted. Sending NXDOMAINs for domains that DO actually exist wouldn't be anywhere near as problematic as the reverse (what comcast and others were/are doing). Provided that the sites are in fact garbage (and they aren't just blacklisting certain sites because someone pays them to). Oversight and regulation of blacklisted IPs at the DNS level would be problematic, however it would combat botnets, adware advertising and the like fairly well.
Well no, no it's not. Please stop spreading the fear, uncertainty, and doubt on Microsoft's behalf if you know better, please educate yourself more if you don't.
It's not FUD if it's true.
Not all default accounts that the system sets the initial end user up with are full root-level accounts which require no further authentication to modify any and all system files for the user or any processes that happen to launch under that user's credentials.
Yah; I'm talking about the *current* version of Windows, not the version that shipped almost a decade ago. Comparing 2009 Linux to 2001 Windows, now that's some FUD!
Not all OSes are closed-source that tout the notion of security-via-obscurity. Yes, I know that's one of the red herrings that Microsofties try to claim that gives Linux a security edge due to its smaller portion of desktop marketshare, but nothing is more obscure than source code that only a handful of people can see and understand its flaws. Microsoft seems to think that this is somehow more secure than open source code that has all of its flaws bared to the light of day since it was in development. But Microsoft's closed-source philosophy is obviously quite a failed model in light of how many people are able to discover flaws in it and exploit it anyway, leaving Microsoft either denying there's a problem or rushing out a fix. Sucks to be you if you're one of the people who gets infected after some ne'er-do-well discovers a flaw but before the programmers at Microsoft figure out how to fix it, because they're the only ones who can fix it for you under almost all circumstances.
As far as I can tell, this long, poorly-written rant equates to "open source is better for security." I don't see any actual evidence presented, though.
Not all OSes deny you the ability to patch your computer against security vulnerabilities and other flaws that have been discovered since it was released simply because you didn't pay for them or they merely *think* you didn't pay for them.
Except you can patch Windows versions, even if they aren't activated. More FUD!
Linux does a much better job at isolating system space from userspace.
How so? Saying don't make it so.
Look, obviously you foam-at-the-mouth hate Microsoft. Fine. You're welcome to your opinions. But if you're going to complain about FUD, it might make you look like less of a moron if your response didn't contain metric assloads of FUD. Just FYI for next time.
Comment of the year
I've been using Comodo AV for about a year, as part of their Comodo Internet Security, on several machines. It works ok, but does have a higher-than-average number of False Positives. To the extent that there's a False Positives section of their forum. I also find their HIPS "Defense Plus" more annoying than it should be, sometimes alerting after I've told it a program was OK and it should remember my choice.
But it is quite lightweight, and does the job. Price is right. Also nice that it is not bloated with "Parental Control", "Privacy Protection", "Anti-Spam" and all kinds of other cruft.
You're right, but at the same time, I think the "buzz" keeps changing about which AV product is "best" largely because the commercial AV makers keep dropping the ball. There was once a time when Norton products had the utmost respect (back when people used MS-DOS, basically). But Symantec quickly trashed his reputation after buying the rights to put his face and name on their product boxes and proceeded to write buggy bloatware.
McAfee stepped in with a product that was less likely to screw up your whole Windows installation ... so people flocked to it, especially for corporate use. But then, they started discovering that it, too, became a resource hog as they kept adding more things for it to detect and clean, and every so often, McAfee would do an update to the "engine" itself that caused instability and problems until they fixed it.
I know my workplace recently switched to Kaspersky, not because we heard it would do a "better job" detecting viruses ... but because the licensing cost about $700 less than McAfee, AND the central management tool was a little better and less likely to crash with Windows exception errors during use.
It's really not a surprise they can't detect and clean 100% of the problems out there, when they can't even seem to build their software to run in a stable, non-intrusive, and non resource-intensive fashion!
I have been using a program called avast! I have found it to be thorough and non-invasive. On top of all that, it is free; it only requires you to register a new code once a year. http://www.avast.com/
You could always make an interesting and realistic Internet Simulator that's supported by advertising.
Help stamp out iliturcy.
Some people should be restricted only to a Linux live CD like Knoppix.
Help stamp out iliturcy.
And so you know that the user has had unauthorized software running on the PC with administrator privileges, capturing and relaying customer login information for all their accounts, sampling files for interesting data and uploading them to unknown sites for further processing, flagging systems with system and user DSN's for special manual handling - for an unknown period of time but almost certainly across more than one reboot.
But you've killed all the evil processes and deleted the software that is known by the scanner vendor to be bad.
And now you can comfortably give that computer back to the end user to attach to your network and start processing work again because it's all better now, right? That is what you said?
/shudder.
Help stamp out iliturcy.
They showed up within 24 hours of her getting broadband. I downloaded this utility that fixed her right up. It only took 20 minutes. I did have to reinstall her Picasa though. At the same time we upgraded her printer to one of the newer HP multifunction things so she can print and upload her digital photos, and scan recipes - her old one was a broken Lexmark. The utility seems to be 100% effective against all of these things. Grandma really likes it - it's been a year and now when I visit it's only to chat, not to fix her computer.
Anyhow, the utility is called "Jackelope" for some odd reason. It's available here.
Help stamp out iliturcy.
You were right on target. Most people don't check. And while Linux doesn't have any known viruses in the wild, systems do get hacked from time to time. It's a good idea to check your logs and connections now and then, or have someone help you with that. In an org it's essential to watch what the network's doing, run honeypots and snap misbehavior off at the access port automatically and in real time.
And then you had to go say this:
Yah; I'm talking about the *current* version of Windows, not the version that shipped almost a decade ago. Comparing 2009 Linux to 2001 Windows, now that's some FUD!
Look, I was in the store today. Systems were on the shelf new, with Windows XP. As far as I know, that's the definition of a current version.
So he's right - you're just another Microsoft astroturfer like the ones who were extolling the virtues of Vista, and bashing people who were complaining about performance by saying they should try it on a "modern" computer when their computers were brand new, modern PCs that Vista just struggled with. And here we are 2 years on and more and more systems are coming out completely unable to run that crud. XP is still on the shelf, and if you want to be free of the crud in this article you can run Linux but usually I just tell people to "get a mac".
Oh, and open source adds security to Linux in the same way that peer review lends credibility to science. If your process is well documented and your results reproducible, you've come a long way towards proof.
Help stamp out iliturcy.
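The "check your logs and connections now and then" advice in the post above, as an added example in Python that is not the poster's own tooling: it parses the listening sockets the way `ss -ltnp` prints them and diffs them against a baseline of what the box is supposed to be serving. The sample `ss` output and the baseline are constructed for the example; a real run would feed in the output of `ss -ltnp` on the live system and a baseline written down while the system was known clean.

```python
import re
from typing import NamedTuple

# Constructed sample of `ss -ltnp` output (invented for this example: the
# sshd and cupsd listeners are what this box is supposed to run, the
# listener on 6667 owned by a process calling itself "kdm" is not).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       4096    127.0.0.1:631        0.0.0.0:*          users:(("cupsd",pid=601,fd=7))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       50      0.0.0.0:6667         0.0.0.0:*          users:(("kdm",pid=4321,fd=5))
"""

# Constructed baseline: port -> process name expected to own it, recorded
# while the system was known clean.
BASELINE = {22: "sshd", 631: "cupsd"}


class Listener(NamedTuple):
    addr: str
    port: int
    process: str
    pid: int


# Pulls the first ("name",pid=N ...) pair out of the Process column.
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def parse_ss(text):
    """Parse the LISTEN rows of `ss -ltnp` output into Listener records."""
    listeners = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)  # rsplit handles "[::]:22" too
        m = PROC_RE.search(line)
        proc, pid = (m.group(1), int(m.group(2))) if m else ("?", 0)
        listeners.append(Listener(addr, int(port), proc, pid))
    return listeners


def unexpected_listeners(listeners, baseline=BASELINE):
    """Listeners on a port the baseline does not know about, or owned by a
    different process than the one recorded for that port."""
    return [l for l in listeners if baseline.get(l.port) != l.process]


def missing_services(listeners, baseline=BASELINE):
    """Baseline services that are not listening at all; a service that
    silently stopped is also worth a look."""
    present = {l.port for l in listeners}
    return sorted(port for port in baseline if port not in present)


if __name__ == "__main__":
    found = parse_ss(SAMPLE_SS_OUTPUT)
    for l in unexpected_listeners(found):
        print(f"UNEXPECTED {l.addr}:{l.port} owned by {l.process} (pid {l.pid})")
    for port in missing_services(found):
        print(f"MISSING expected service on port {port}")
```

On the constructed sample this reports the listener on 6667 as unexpected and nothing as missing. The baseline is keyed on the process name as well as the port, so a familiar port taken over by an unfamiliar process is flagged too; the script only reports, and deciding what to do about a hit (and keeping the baseline honest after every legitimate change) stays with the person running it.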
I can't speak for the US, but in Europe the "omfg new virus" news has been coming in shorter and shorter periods here, on prime time TV news no less. So the average user goes into headless chicken mode and realizes he needs an AV suite, anything will do. And this product is slapped in his face and it already did a scan from afar (no, he doesn't question why this should even remotely (no pun intended) work) and tells him he's infected to the brim but 50 bucks will cure this. No, the product doesn't do anything but silence that fake warning when he buys it, but he's satisfied.
He acted.
If this sounds familiar, it's similar to what our politicians do in a crisis when they have no clue what to do. Throw money at it, hope that some warning signal goes away and feel good about having done something.
One of the reasons why this is possible is simply that there is no "seal of quality" for AV suites. There's no FCC, there's no DMV, there's no FDA, there's no organization that says this or that suite is useful, this is snake oil and this is just plain out dangerous. We're today in AV where medicine was a hundred years ago with the traveling "tonic" salesmen who sold "indian herbal remedies" and other more or less toxic waste to gullible fools.
The only thing we could do is to steer the (finally onsetting) security consciousness of the average computer user in the right direction. We shouldn't squelch it just because they might end up actually buying a worse infection than they could get for free.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
It's not FUD if it's true.
One small problem there, bud. It's not true. You see, security is one of those things you can never prove, since it's not really possible to prove a negative. You can just do the best you can, look at results, and hope that nobody proves you wrong. HOWEVER, if you're going to make vague rhetorical remarks about the potential for proving security to be lacking, well that's FUD. You're catering to fears that you have not demonstrated have any basis in reality. You're attempting to sow uncertainty and doubts where you simply haven't made your case.
In order to MAKE it true and not just be another FUD spreader, you need to do just one simple thing...prove a compelling positive. I would like to hear you make a case for a virus, in the wild, that affects Linux. Just one. I took the bait once. Back atcha kid, it's your turn to demonstrate how your statements have any basis in reality.
I'll just point out that this article was about XP being infected. Yes, it's stale and 8 years old, but whether you appreciate this fact or not, it's still the face of Microsoft Windows as far as the computing public are concerned. Security flaws and all. The vulnerability/severity/patching-delay stats that are published all over the web tell the tale of which OSes are the most secure (for whatever reasons) and are patched the fastest when a vulnerability does come to light. And for fun, here's an interesting little research project some folks did to see how all the then-current OSes fared, including popular Linux & Unix flavors, Windows Vista Ultimate, and Mac OS X. If the results surprise you, you probably have more to learn about what elements of design make an OS secure...or not. http://www.omninerd.com/articles/2006_Operating_System_Vulnerability_Summary
So they're all running Windows then?
Help stamp out iliturcy.
If an app had enough permissions to get installed it's trivial for it to elevate itself to system privileges and install a rootkit that cannot be detected. Even if you remove the drive and scan it in a known-good system, there's still a chance that the product you're scanning with doesn't recognize the particular threat yet because these threats are polymorphic and the one on the scanned system may be unique.
It's scary enough that we have to trust vendor media for these closed development operating systems. It's just malpractice to claim we can restore one that has been known to be running malware to an acceptable condition.
Wipe and reimage in the case of infection. Every time. It's quicker, too.
Help stamp out iliturcy.
If you only knew what a program could do once it has the right to install software, how easy it is to elevate from that condition to the maximum (system) privilege after the next reboot...
There's a lot of this ignorance being propagated through slashdot in this thread and I have to think some of it is deliberate.
Help stamp out iliturcy.
There's a lot of guidance in the comments to this article on how to remove malware. It's all bogus. There is no removing malware. If the software has enough privileges to install, it not only will do so but will escalate its privileges to the maximum available and install a rootkit as soon as it can (probably the next reboot).
From there you are pwned utterly and completely. Your attempts at identification and removal do nothing except educate the new owner of your PC about the specific details of your ignorance. Your only hope of restoring control of the device is to eliminate all of the software on it. In extreme cases even this is not enough. Has your desktop background .jpg downloaded with your profile been validated? If it hasn't it can compromise IE and hence your entire system - as you log in. Is the file that infested you in My Documents on your personal share as a malformed document for a popular application? You don't know. You can't know. That's the entire point of building these systems.
Please, please stop telling people they can clean this junk. The time when a system could be cleaned is more than five years past now.
Help stamp out iliturcy.
Did you write all that as a joke?
-The world would be a better place if everyone had a hoverboard
485,000 unique samples does not mean 485,000 different variants. It simply means they had that many samples with different checksums, not necessarily unique strains. The anti-phishing group has been growing and getting feedback from more sources recently, which means more samples and reports. This skews the statistics and doesn't give any solid data on how many true variants are out there, nor does it give anything meaningful about how prevalent they are.
Use the NoScript Add-on, or any other that uses white-lists for running scripts. Best security ever, just deny deny deny!
Some people should be restricted only to a Linux live CD like Knoppix.
Tempting, but I put her on Linux last year after she wiped out her Windows install. Now she does all the same stuff, but the autoclicking has no effect. I didn't install WINE for her obviously.
It is difficult to get a man to understand something when his job depends on not understanding it.
(sung to tune of camptown races)
Ctrl-Alt-Delete Format Re-install
DO Dahh,Do Dahh
Can't get this malware to uninstall
Oh De Doo-da day
The geek squad sings this song,
Doo-da, Doo-da
Even though they know it's wrong
Oh, de doo-da day
Goin' to run all night
Goin' to run all day
I bet my money on a browser hijack
Somebody bet on a service pack
Oh, the McAfees and Ad-Awares
Doo-da, doo-da
all miss detections no one cares
Oh, de doo-da day
Goin' to run all night
Goin' to run all day
I bet my money on a browser hijack
Somebody bet on a service pack
I went down there with my HDD caved in,
Doo-da, doo-da
I came back home with a pocket full of lint
Oh, de doo-da day
Goin' to run all night
Goin' to run all day
I bet my money on a browser hijack
Somebody bet on a service pack
Ctrl-alt delete format reinstall
doo-da doo-da
Security software really sucks balls
Oh De Doo-da day.
How much is your data worth? Back it up now.
I remove these things for about 50% of my living. I used to see email viruses, CoolWebSearch, and other insta-installers. Now EVERY infection is a trojan.
They use compromised web ads on legitimate sites (I've personally seen pop-ups on websites for CNN and The Washington Post) and post recompiled versions en masse. It's the Zero-Day attack, where most anti-virus can't get definitions for the first 12-24 hours. Given how these folks blanket the web with their stolen ad spaces, they can hit a lot of people. $49.95 for every sucker they catch (assuming they don't also steal the credit card info--although I have not had any reports of this from the several infected people who have paid them and later came to me).
I've seen every flavor of anti-virus compromised. McAfee and Norton most often (the bad guys obviously target the biggest marketshare--plus folks who pay those two crap-sellers are the most gullible). But nothing can really protect against a competent Zero-Day attack.
The good news about this is that XP, Vista (and I assume) Windows 7 are no longer vulnerable to automated attacks. They need a couple of user clicks in order to bypass their unwillingness to install programs with Admin privileges. That's why everything is Trojans these days, at least for auto-updating systems.
Hasn't really cut down on the amount of infections, to my jaundiced eyes, however.
I've also seen my first 'infected' Macintosh (running Leopard 10.5). The infection consisted of a link in the user startup that launched Safari and sent it to a website advising the user that they were infected. The site tried to download a windows executable, but that obviously didn't accomplish much.
I still got paid for deleting the link and about 8 executables, so no complaints.
The key to fixing Windows infections is to start with an offline scan on another computer. Use at least two and preferably three anti-malware products, including Malwarebytes. Windows Defender does a very good custom scan on a slave drive.
Afterwards, boot the (still infected) machine in Safe Mode and update it with the Spybot Includes file (get that from MajorGeeks). Scan the machine in Safe Mode. Spybot might not find as many nasties as it used to, but it is still very good at detecting compromised system settings. There's quite a bit more, including repairing damaged system files and such, but the best first step is an offline scan on a clean computer, and then a Safe Mode scan with Spybot. After that, you can most likely use the computer to clean up traces on its own.
I have heard these Trojan pros are former KGB computer warfare people who lost their livelihoods when the former Soviet Union collapsed. Since they were trained messing up computers in the US, they just went ahead and kept doing what they knew best. A lot of the stuff seems to originate in poorly policed Eastern European servers.
Fundamentalism is a crime against humanity
I clean multiple infected systems every week. I do it for individuals in my little bitty computer shop. They don't have images or good backups (or even their install CD a lot of the time).
I have a very good record of cleaning people's machines without resorting to a wipe (sometimes, you have to, because the system is so damaged). I don't get many people coming back quickly with renewed infections (amazing what having a properly patched machine with basic anti-malware software installed can do). I don't advertise, and word of mouth keeps me working steadily.
It's partially knowing what belongs in the Root, Windows, and System32 directories of a healthy system, and learning to recognize the polymorphed names of suspect files (hint--polymorphed files use random names, most legitimate files have vaguely recognizable titles). Anything I'm not sure of gets an all-caps "UNTRUST" in front of its name. Screws up the naughties, and it's easy to undo if it turns out (rarely) that the file is a needed one. Also, once you find one bad actor, you can use creation dates and file sizes to snag the others tucked away in more obscure places (and nuke all old System Restore points). Plus, they have to be called in order to do their wicked work. Who cares if you have a hidden malware executable or .dll if there isn't anything around to call it? Polymorphs can't be activated remotely for the same reason they are hard to detect with signatures.
Now, I don't do big networked corporate systems, and I don't advise customers with super-secret important data (especially financial data--I've refused jobs with accounting firms) to trust that I can make them perfectly safe. That would be bullshit.
But for normal users with normal installations and standard use patterns, a cleanout is often a very good solution.
Fundamentalism is a crime against humanity
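The offline triage described in the two posts above (scan the slave drive from a clean machine, then look for random-looking names in the Root/Windows/System32 tree, pull on the creation-time and file-size thread once one bad file is confirmed, and park suspects under an UNTRUST prefix) as an added example in Python. This is not either poster's own tooling and not any named product; the file listing, sizes, timestamps and the known-good baseline are all constructed for the example, and the rename step is a dry run that only returns the plan. Real use would take the listing from the mounted drive and a baseline generated from clean vendor media for that OS version.

```python
from datetime import datetime, timedelta

VOWELS = set("aeiou")

# Constructed listing of a mounted, offline Windows volume:
# (path relative to the volume root, size in bytes, creation time).
# Every path, size and timestamp here is invented for the example.
SAMPLE_LISTING = [
    ("Windows/System32/kernel32.dll", 1127424, "2008-04-14 12:00:00"),
    ("Windows/System32/shell32.dll", 8461312, "2008-04-14 12:00:00"),
    ("Windows/System32/ntoskrnl.exe", 2189056, "2008-04-14 12:00:00"),
    ("Windows/System32/drivers/tdx.sys", 73728, "2008-04-14 12:00:00"),
    ("Windows/System32/wqmzkpxt.dll", 49152, "2009-10-02 21:14:37"),
    ("Windows/System32/xkq8v2lr.exe", 49152, "2009-10-02 21:14:39"),
    ("Windows/9f3k2lqp.exe", 180224, "2009-10-02 21:14:41"),
    ("Documents and Settings/All Users/Application Data/vfzrqtc/vfzrqtc.exe",
     180224, "2009-10-02 21:14:42"),
    ("Program Files/Picasa2/Picasa2.exe", 5600000, "2009-03-01 10:00:00"),
]

# Constructed baseline: names that belong on a healthy install of this OS
# version (a stand-in for knowing what lives in Root/Windows/System32; a
# real baseline would be generated from clean vendor media).
KNOWN_GOOD = {"kernel32.dll", "shell32.dll", "ntoskrnl.exe", "tdx.sys", "picasa2.exe"}


def looks_random(stem):
    """True if a file name stem looks machine-generated: almost no vowels,
    or a long run of consonants. Names like kernel32 or shell32 keep a
    pronounceable shape and pass; ntoskrnl does not, which is why the
    baseline check runs before this heuristic."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(stem) < 6 or not letters:
        return False
    vowel_frac = sum(c in VOWELS for c in letters) / len(letters)
    longest_run = run = 0
    for c in stem.lower():
        if c.isalpha() and c not in VOWELS:
            run += 1
            longest_run = max(longest_run, run)
        else:
            run = 0
    return vowel_frac < 0.2 or longest_run >= 5


def flag_suspicious(listing, known_good=KNOWN_GOOD):
    """First pass: files whose names look random and are not in the baseline."""
    flagged = []
    for path, _size, _ctime in listing:
        name = path.rpartition("/")[2]
        if name.lower() in known_good:
            continue
        stem = name.rsplit(".", 1)[0]
        if looks_random(stem):
            flagged.append(path)
    return flagged


def find_siblings(listing, bad_path, window=timedelta(minutes=5), known_good=KNOWN_GOOD):
    """Second pass: once one bad file is confirmed, pull on the thread. Files
    dropped by the same installer tend to share a size or a creation time
    within a few minutes, wherever they were tucked away."""
    by_path = {p: (s, datetime.fromisoformat(t)) for p, s, t in listing}
    bad_size, bad_time = by_path[bad_path]
    siblings = []
    for path, (size, ctime) in by_path.items():
        if path == bad_path or path.rpartition("/")[2].lower() in known_good:
            continue
        if size == bad_size or abs(ctime - bad_time) <= window:
            siblings.append(path)
    return siblings


def rename_plan(paths, marker="UNTRUST"):
    """Dry-run rename: prefix each suspect with an all-caps marker so nothing
    that calls it by name can load it, while keeping the change trivial to
    undo. Returns (old, new) pairs; nothing is touched on disk here."""
    plan = []
    for p in paths:
        head, sep, tail = p.rpartition("/")
        plan.append((p, f"{head}{sep}{marker}{tail}"))
    return plan


if __name__ == "__main__":
    suspects = flag_suspicious(SAMPLE_LISTING)
    print("random-looking names:", suspects)
    more = find_siblings(SAMPLE_LISTING, suspects[0])
    print("siblings of", suspects[0], "->", more)
    for old, new in rename_plan(sorted(set(suspects) | set(more))):
        print(f"{old} -> {new}")
```

The name heuristic is deliberately weak on its own (plenty of legitimate system files have unpronounceable names), which is why the baseline of known-good names is consulted first and why the sibling search keys on size and creation time rather than on names. Anything this turns up is a candidate for the offline scanners and for a second look, not a verdict.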
For a modest fee, I can supply her name and number. Last crapware purge netted about 400 infections. She has got herself programmed to click ok to close any popup that appears. Surprisingly few viruses, but a fine collection of fake virus scanners that insist on starting up and displaying a comforting splash screen at boot. And she was using XP. No UAC.
According to your description, the UAC wouldn't have changed anything, she would have clicked on "yes, allow".
There is indeed a class of users that will click on "yes" or "ok" when presented with pretty much any dialog without ever reading the text. "Start disk deletion ?" yes "infect all your files ?" yes "empty your bank account ?" yes
While they're not the majority, there's quite a few of them.
They're usually the same that are the bane of tech support, being unable to read text displayed in front of them or to click on a clearly labeled item. How they ever get to use their machine in the first place is a mystery.
May contain traces of nut.
Made from the freshest electrons.
According to your description, the UAC wouldn't have changed anything, she would have clicked on "yes, allow".
I wasn't referring to it so much as a security tool as a training device to create more autoclickers.
There is indeed a class of users that will click on "yes" or "ok" when presented with pretty much any dialog without ever reading the text. "Start disk deletion ?" yes "infect all your files ?" yes "empty your bank account ?" yes
Yep. I've met plenty of them. I still try to convince them that it is a bad idea, but no luck. No matter how many ID theft horror stories, lost work stories, or anything else, no impression. One managed to click away a warning message on the only copy of her thesis.
They're usually the same that are the bane of tech support, being unable to read text displayed in front of them or to click on a clearly labeled item. How they ever get to use their machine in the first place is a mystery.
I think it's a mixture of disinterest and loathing. As far as they are conditioned, the computer is going to mess up any way, so may as well try to get it over with as quickly as possible. And perhaps beat the gremlins.
It is difficult to get a man to understand something when his job depends on not understanding it.
Get a lawyer and have them draw up a contract with a disclaimer. Those accounting firms are probably better with you than without you. Remember there's probably a dozen guys out there that will take that job whether they're any good or not.
You might be surprised with what you can do with a budget at your disposal.
Under the influence of Post-Cyberpunk Gonzo Journalism