Slashdot Mirror


Fake Antivirus Overwhelming Scanners

ChiefMonkeyGrinder writes "Rogue or bogus programs passing themselves off as real antivirus software have been one of the malware themes of 2009, but the APWG's numbers for the first half of the year show that the organisation's members detected 485,000 samples, more than five times the total for the whole of 2008."

60 of 334 comments

  1. Re:The worst offenders by Icegryphon · · Score: 3, Interesting

    Yeah it's sad when you need a second virus protection program to be safe or have things removed.
    Makes me wonder how many computers percentage wise are really infected out there with back-doors.
    Very scary zombies everywhere.

  2. AV2009 To The Rescue by excid3 · · Score: 5, Funny

    I'm pretty sure that Antivirus 2009 has protected me from emerging threats quite reliably.

    1. Re:AV2009 To The Rescue by Darkness404 · · Score: 5, Informative

      Note to clueless mods, Antivirus 2009 is one of these fake antiviruses, mod them funny, not interesting....

      --
      Taxation is legalized theft, no more, no less.
    2. Re:AV2009 To The Rescue by Shikaku · · Score: 2, Insightful

      Um mods? This is a joke. It's a really bad malware that's almost impossible to remove.

    3. Re:AV2009 To The Rescue by kimvette · · Score: 5, Informative

      See my other post on this subject. Antivirus XP (and variants) can be removed by hand but it's a tedious process. Malwarebytes removes it VERY easily though. With some Antivirus ($FOO) variants you do need to rename the Malwarebytes installer filename and then the executable filename but once you get the process launched it will fully automate the removal process. IMHO Malwarebytes is the very best ad/malware removal utility at the moment, with Spybot S&D and Superantispyware being tied for a very distant second.

      --
      The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
    4. Re:AV2009 To The Rescue by Deathlizard · · Score: 2, Funny

      Av2009 sucks! Antivirus 360 is the best scanner ever! and it's only 79.95! And it also came with a great product called File Fixer Pro!

      All my documents were corrupted, And this File Fixer Pro fixed them all for only $49.95! I was so relieved!

      I'm also hearing great things about "Antivirus Number 1" too. After all, It's Number 1!

      (Yes this is a Joke. Laugh, because you'd be surprised how many times I've heard something similar to this.)

    5. Re:AV2009 To The Rescue by Kaeles · · Score: 2, Informative

      Combofix! Go download it and use it. it will slaughter those stupid antivirus xp 200x and all that jazz. I want to make out with whoever made it.

    6. Re:AV2009 To The Rescue by tunapez · · Score: 3, Informative

      I agree MalwareBytes is one of the best Win environment removal tools, but I was having about 20% re-infection rate with these entrenched AVPro infestations that were removed by MB (& Spybot). I also searched system folders for DLLs newly installed and installed "BEFORE the OS" to unregister manually, then running MB and SB S&D again, in SafeMode w/ Restore Points deleted/disabled. Honestly, after all that work, it is most times easier/cheaper to image drive, nuke/repart drive (in DOS or EXT), reload OS and re-populate data & 3rds.

      Oiyve'!

      I have always used Puppy Linux LiveCD to remove stubborn files, but recently started running Linux LiveDiscs w/ Kaspersky or Avira to do all removals the 1st time. Faster, easier and more effective, so far. Too soon to tell if it's the silver bullet I'm hoping for. Recently found a cool aggregate LiveCD builder on gHacks that makes one monster weapon. Still collecting all the parts, hopefully I can trade my 48 disk carrier in for 1 jewel case or a USB thumb drive.

      --
      Imagination drew in bold strokes, instantly serving hopes and fears, while knowledge advanced by slow increments...
    7. Re:AV2009 To The Rescue by jmnugent · · Score: 2, Informative

      I had a system last week infected with "Windows Police Pro"... I was able to remove it in about an hour.... (not easy.. but also not difficult - just using the combination of tools I mentioned above).. and got the User back up and working. *shrug* I don't claim to be a "genius"... but I do have years of experience.. and I've been doing IT Admin/support for long enough that my intuition (about how a system is behaving) is usually correct.. and I can be pretty effective when I'm "in the zone".

    8. Re:AV2009 To The Rescue by cyphercell · · Score: 2, Informative

      I've been through about 20 machines with this infection or variants thereof (av360, av 2009, av2008, etc). I'm guessing I lost about four of them, the worst of course were the ones where the user went all the way through with the install, assumed they were protected and let the damn thing run for months, updates and all. One of those machines I'd just like to shoot. It powered off and wouldn't come back on for three months, then "bam!" it's running again. I'm thinking that thing won't be safe until the drive is zeroed and the bios is flashed. But, yeah, some of them are really F*ing hard.

      --
      Under the influence of Post-Cyberpunk Gonzo Journalism
    9. Re:AV2009 To The Rescue by alhirzel · · Score: 2, Informative

      I work for a computer repair shop, and we see AV20xx ridiculously often... We burned a CD with Malwarebytes 1.41 and SysInternals Process Explorer, and that's all it really takes to disable it, allowing for full removal. Make sure you rename procexp.exe to iexplore.exe and then kill the virus process, launch Malwarebytes and nuke. After that, fix any internet connectivity problems, install a trial of Sunbelt Vipre, then scan with both until clean. After that, do a final pass with the free version of PrevxCSI and remove files manually until it comes up clean. Viola!

    10. Re:AV2009 To The Rescue by alhirzel · · Score: 2, Interesting

      Can't make this up / isn't a joke / etc... At the computer repair shop I work for, we had a guy come in who actually purchased Antivirus 360 to the tune of $80. He also recommended it to some of his friends. Unfortunately, his friends work at a bank. It was a very messy situation.

  3. Are we surprised? by Canazza · · Score: 5, Informative

    Adverts for these things get into legitimate sites all the time through things like adwords, even though they're normally taken off quite sharpish, they're still there. They still cause problems and numpties do click on them. The old IBK error keeps appearing. As long as people aren't educated as to how this all works the problem will remain huge.

    The problem with Anti-virus is that every few years a new guy appears on the block. First it was Norton, then McAfee, then AVG, Kaspersky, and now whatever AV's the in-thing to use. There are new viruses out there all the time too, and if there's one thing that normal people are aware of it's that there are a lot of viruses out there, and that your AV doesn't give 100% protection, so when something pops up saying "You're infected! Our AV will cure it!" they're likely to believe that their current AV is defective, because clearly this one spotted it, they download it and BAM! world of trouble.

    It's depressing sometimes, but gladly, I've not had to remove it from any PCs in a while, whenever I do I recommend they replace their browser with Firefox and Adblock plus (Not noscript, I did that once and I got bollocked for that a bit because 'using the web was too hard as he had to press buttons every site he went on', the guy was a real pleb but nevermind) - and ABP stopped all the ads, and thus, stopped them downloading and installing that shite.

    --
    It pays to be obvious, especially if you have a reputation for being subtle.
    1. Re:Are we surprised? by sopssa · · Score: 2, Insightful

      The more interesting thing is the recent development in them - they've actually started to detect a small number of threats.

      Combined with that and the fact that they aren't a virus but seemingly legitimate software, it makes it hard from a legal point of view. By far the only way to have them prosecuted has been about misleading marketing, which is right. But for example I installed Norton Antivirus (or the quick scanner of it to see if I had viruses). It ended up being a really hard one to delete, popping up its scan from time to time and reporting to me about *tracking cookies* and that I'd have to buy the full version to secure my system. Only after that would it clean my computer. Obviously I know better than that and didn't buy it, but it's somewhat the same marketing tactics.

      It gets more interesting when the bad guys have actually made their software to protect against some small number of threats too. There's no law against badly working software or if an antivirus engine doesn't detect 100% of threats, because none of them do.

      It's a bad problem, but there's also problems with the law about it. IMO misleading advertisement should have larger fines than now - not just in scareware, but everywhere, because it's about misleading the customer.

    2. Re:Are we surprised? by lenester · · Score: 2, Funny

      "One thing that's remarkably consistent is that fake AV peddlers seem to be systematically not native English speakers. I can't remember the last time I saw one of their sites without some kind of typo on it. It my be worthwhile to train lusers solely based on that criterion."

      wat r u talkng abot?

      btw usa#1!!!

  4. Re:Pay For Full Version by sopssa · · Score: 5, Funny

    It makes sense to make a virus like this. My buddy got one. It said you have a virus, pay us $X for full version of Anti-Virus program to remove it. It was a real pain to remove as I remember.

    I know, I have naively installed Symantec on my computer too...

  5. Norton by Krneki · · Score: 4, Funny

    Still I'd rather have a fake anti-virus than Norton Symantec or Windows Live Family protection. At least the fake anti-virus will let me use my PC every now and then. :)

    --
    Love many, trust a few, do harm to none.
  6. Yeah, very very scary... by Obfuscant · · Score: 4, Interesting
    Very very scary. Not.

    My netbook required an update to McAfee ("free" from Comcast) because one part of it stopped working, and during its first scan, it started reporting a problem. Wouldn't tell me what the problem was unless I let it run for twelve hours to scan the whole system. I tried stopping it and looking at logs, I tried looking at logs while it was running, nothing other than the "ominous" 1 under "detected threats".

    Turned out that it was reporting the crack program that allows me to run Duke Nukem without the CD -- since the netbook doesn't have a damn CD and I own the copy of Duke Nukem. MacAfraid called it "a program you might not want to have".

    Phhhht.

    1. Re:Yeah, very very scary... by Krneki · · Score: 4, Informative

      A classic, they are more interested in stopping you using different no-cd cracks than they are in your security.

      Uninstall this crap.

      --
      Love many, trust a few, do harm to none.
  7. OVERWHELMING SCANNERS!! by TrisexualPuppy · · Score: 5, Funny

    In interesting news, a fake antivirus has caused quite the riot with women in their mid-twenties. Due to unemployed data operations programmers trying to earn some money to at least pay their bills, they have created a fake antivirus much like Windows Antivirus 2009. However, this pseudo-antivirus program is smart and employs unique data mining technologies to determine which users are likely to be attractive women in their late teens to late twenties. These victims are then targeted and scammed.
     
    The women are targeted with an algorithm that determines how much proportional web browsing is carried out on Myspace, Facebook, email, and on online clothing shopping sites. By using a modified log-normal distribution, ex-programmers were able to create a model that determined which users were of the targeted age group 86% of the time and which were hot 49% of the time. With the statistical combination, the "antivirus" program learned which users were "hot women" and instructed them to sit on their scanners with their skirts and underwear removed, or else their computers would go up in smoke. As such the demographic is generally technically illiterate, the women have been doing so, scammers have been receiving really nice butt-on-glass pictures, and the scanners themselves--especially the ones marked "HP"--have been completely overwhelmed.

  8. Major pain by zip_000 · · Score: 3, Informative

    I've been losing this battle with the staff where I work; they just can't seem to understand that it is itself spyware and/or viruses. I've had to remove this crap from 5 or 6 computers in the last month alone.

    1. Re:Major pain by Krneki · · Score: 4, Informative

      Start with removing them from local Admin group for a start.

      --
      Love many, trust a few, do harm to none.
    2. Re:Major pain by Runaway1956 · · Score: 2, Insightful

      "Start with removing them from local Admin group for a start."

      I'll second that. Make sure they have no privileges outside their specific job description. If "Limited User" isn't good enough, go to group policies and restrict them there. Lock the user down tight, and he won't be able to run these scripts or install anything. No mercy - if you have to protect a dumbass from himself, protect him. You wouldn't let your toddler play in traffic, would you?

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    3. Re:Major pain by Deathlizard · · Score: 2, Informative

      Laws of computer stupidity
      1) 99% of computer users do not know what they are doing.
      2) Computer users do not read.
      3) If a computer user can click on it, they will.
      4) You can patch software, but you can't patch stupid.

      Understanding the above when making your corporate system build will pay off in the end.

    4. Re:Major pain by EMCEngineer · · Score: 2, Interesting

      Yeah, except that won't necessarily fix the problem. I got caught by a drive-by downloader on my work laptop, where I do not have admin privileges. I didn't click on anything, or agree to download anything. I merely visited a popular webcomic - then bam, install script trying to give me AntiVirusPro2010 or something along those lines. I got rid of it easily enough with Malwarebytes, but I couldn't even use safe mode to run HijackThis because I have no admin privileges.

    5. Re:Major pain by Tanktalus · · Score: 2, Funny

      You wouldn't let your toddler play in traffic, would you?

      /me goes out to retrieve toddler.

    6. Re:Major pain by Real1tyCzech · · Score: 5, Insightful

      "Admin rights are required on all the computers for access to active directory and such."

      BZZT!

      Access to AD only requires the *user* have admin rights, not the Computer.

      Try this (has worked wonders for us):

      Create two accounts for each user. One for day-today use, one for AD admin tasks. (Add AD in front of their username or some such) Secure their day-to-day as a limited user account. Lock the admin account down. Don't even give them proxy access or network share access.

      Create a shortcut on their desktops (to dsa.msc, or whatever) and right-click it. Under properties/advanced, set it to run with alternate credentials.

      Now, when they log into their day-to-day accounts, they can still open the dsa shortcut and enter their "admin" account credentials to manage the AD, but now neither the AD account nor their normal day-to-day account will be capable of installing "AV2009".

      Seriously, try it.

      Problem solved.
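
The two-account pattern described in the posts above (take day-to-day users out of the local Administrators group, give them a separate account for AD work, and launch the AD console under that account from a shortcut) can be scripted. The block below is an added example and is not code from any poster; it assumes a domain named CONTOSO, admin accounts named "AD-<username>", the approved-admins list shown, and the Microsoft.PowerShell.LocalAccounts module (Windows 10 / PowerShell 5.1 and later), none of which come from the thread.

```powershell
# Added example, not from the thread: enforce the two-account pattern on a workstation.
# Assumptions (not from the page): domain CONTOSO, admin accounts named AD-<user>,
# the approved list below, and the LocalAccounts module. Run from an elevated prompt.
param(
    [Parameter(Mandatory)] [string]$User      # day-to-day account name, e.g. jsmith
)

$Approved = @(                                # assumed approved members; adjust locally
    'CONTOSO\Domain Admins',
    'CONTOSO\Workstation Admins',
    "$env:COMPUTERNAME\Administrator"
)

# 1. Report and remove everything in local Administrators that is not approved.
#    -WhatIf only reports; drop it to enforce the change.
$Unexpected = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $Approved -notcontains $_.Name }

foreach ($member in $Unexpected) {
    Write-Host "Removing $($member.Name) [$($member.ObjectClass)] from local Administrators"
    Remove-LocalGroupMember -Group 'Administrators' -Member $member.Name -WhatIf
}

# 2. Build the shortcut the post describes: runas.exe prompts for the separate
#    AD-<user> credentials and opens Active Directory Users and Computers (dsa.msc)
#    under that account only. The day-to-day session never gains admin rights.
$AdminAccount = "CONTOSO\AD-$User"            # assumed naming convention
$Target       = "$env:SystemRoot\System32\runas.exe"
$Arguments    = "/user:$AdminAccount `"mmc.exe $env:SystemRoot\System32\dsa.msc`""

$Shell    = New-Object -ComObject WScript.Shell
$Shortcut = $Shell.CreateShortcut("$env:PUBLIC\Desktop\AD Admin.lnk")   # all-users desktop
$Shortcut.TargetPath = $Target
$Shortcut.Arguments  = $Arguments
$Shortcut.Save()

Write-Host "Shortcut created; $User runs AD tools as $AdminAccount, not as a local admin."
```

Run it once per workstation as `.\Set-TwoAccountModel.ps1 -User jsmith` (script name assumed). The AD-prefixed account should itself be a standard user on the workstation; it only needs delegated rights in the directory, so a rogue installer launched from either account has nowhere to write outside the profile.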

    7. Re:Major pain by Runaway1956 · · Score: 2, Insightful

      Nice try. You attempt to justify the user's failure to train himself in a job for which he is paid, to my failure to suck up to that user, for which I am NOT paid. Utter phail. When you are paid to use ANY sort of equipment, it is presumed that you have the technical skills to do so. When you demonstrate that presumption to be wrong, then you must be protected from yourself. More, I have to protect other people from your ignorance.

      FFS, the workplace isn't SUPPOSED to be a day care center, or a group therapy session. Shut the fuck up, do your job properly, and let me do my job!! If you really need someone to stroke your ego, get a girl friend!!

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  9. Combofix by Anonymous Coward · · Score: 5, Informative

    I'm posting to say: COMBOFIX. This thing magically removes Antivirus 2009 and 2010, even the rootkit versions that MBAM falters on (or that prevent MBAM from running, even in safe mode).

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Use it. Love it. Marvel at its simplicity, its beauty.

  10. They're well-written by kimvette · · Score: 4, Insightful

    Those are some of the best-written software out there. No, really! The first time I encountered the more advanced ones, almost no malware detection/removal software could detect them, and none of them could remove that malware. It was on a system for a friend where reformat/reinstall was not really an option (would have taken more time to do that) so I dug into it. It took 26 hours to completely remove the crap from the system - it had strewn source files through the Windows and System Restore directories, had several hidden processes which monitored process killing and file deletion and would modify, recompile, and reinstall multiple copies of itself again.

    A few weeks later Malwarebytes and Spybot S&D were updated and could easily remove any variant I've come across since then. The first time I hit it was a pain in the neck, then it was routine removal of it for a few weeks (a bit time-consuming but not nearly so much as the first time) and then it became a simple matter of renaming the Malwarebytes and Spybot S&D installers, renaming the installed executable and running them. Ad-Aware couldn't detect them - and it's a shame. Ad-Aware is pretty much useless now. It seems that once they gained commercial viability they became complacent.

    The douchebags who write that software aren't stupid. Malware is getting to be extremely well-designed and it's a damned shame those authors aren't doing more productive work.

    --
    The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
  11. Re:The worst offenders by jayhawk88 · · Score: 3, Interesting

    McAfee is bad lately as well. Completely ignored the infection of two machines on our network the other day. We had to use Malwarebytes to find it on one, and interestingly enough, Microsoft Security Essentials seemed to do a good job at finding and cleaning the other one.

    McAfee not even detecting these is worrisome though. We've got like 300 CPUs, all ePO protected, and for all I know they could all be infected.

  12. Re: Fake Antivirus Overwhelming Scanners by ahuger · · Score: 3, Interesting

    That number in itself should not surprise anyone. Many threats which are using the web as their primary introduction vector are using server side polymorphism. The sheer volume which the APWG is calling out really only reflects that a lot of people are downloading the rogue AV packages. Of course, given the nature of malware collections there is a very strong chance that many of those people already had 'real' AV which detected it, hence the sample being sent to an AV company in the first place. Of course crawling and honeynets will account for some of the sample set but not the majority. The assertion that this is only the tip of the iceberg is likely true given no AV vendor has an omnipresent view of the world but I am not convinced it's any worse than a plethora of other highly deployed threats. Bluntly, they are all out there in gut wrenching numbers. The rise in rogue AV is driven by the fact that it's gaining in popularity with malware distributors because it's a fast, proven revenue source. In some cases they may even skirt the law on whether it's even illegal. Remember, some of these things have rudimentary AV detection capabilities. -al Immunet Corp

  13. Getting these all over the place by Girtych · · Score: 5, Informative

    I work for an IT department here in California, and we get about three fake-antivirus-infected computers every week. Lately, the malware's been getting more difficult to remove - it's been hooking into system processes so that it can continually replace itself if part of the program gets deleted.
    Thankfully, we've found a fairly nice remedy that doesn't force us to wipe the hard drive. Don't bother with Ad-Aware or Spybot S&D anymore - they've become very ineffective as of late.

    First we hit it with a scan from Malwarebytes Anti-Malware, a free scanner you can download here: http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol

    Then, on the infected computer, we download and run (in safe mode) a somewhat obscure free program called Combofix, which is available here: http://www.combofix.org/

    After that, we run one more follow-up scan with Malwarebytes to ensure that the computer is clean.

    So far, this combination of steps has eliminated the infections that we've come across.

    1. Re:Getting these all over the place by Ephemeriis · · Score: 4, Informative

      There seems to be very little response from the traditional/big/mainstream antivirus companies.

      We usually install something centrally-managed for our clients, like Panda or Symantec. They do a decent job of stopping viruses, and it makes for less work for us... But they do absolutely nothing for these new rogue things. They don't get detected, they don't get blocked, they don't get removed... Nothing at all.

      You wind up having to actually sit down at the machine and run through a battery of individual scans... Slaving the HDD to another machine, booting into safe mode, booting into normal mode... Far more time-consuming than I'd like.

      --
      "Work is the curse of the drinking classes." -Oscar Wilde
    2. Re:Getting these all over the place by Z34107 · · Score: 4, Informative

      ^This.

      I work help desk at the college I'm enrolled at, and removing this virus and its variants from student laptops is pretty much the entirety of my job description.

      I recommend running ComboFix first, because it will generally neuter a virus enough for MalwareBytes to install and remove it. If the virus keeps ComboFix from running, rename it to magickitties.exe - some kill AV processes by name.

      Anything more interesting than that, download the free Windows AIK. Make an image of the drive using ImageX. Mount the image (and the registry hives on the image) on a clean PC and do a scan on that. Reimage the PC with the clean image.

      Just creating an image with ImageX is sometimes sufficient to remove the rootkit portions. ImageX is file based, and the rootkit portions hide from the MFT. ImageX simply fails to gather the rootkit portion, because it hides too well.

      Usually, all it takes is 10 minutes of letting ComboFix run and 30 minutes of letting MalwareBytes run. Very slick.

      --
      DATABASE WOW WOW
    3. Re:Getting these all over the place by Mr.+DOS · · Score: 2, Interesting

      Agreed. Until very recently, I worked in a computer service shop, and MBAM proved so useful that I purchased a license for the full version just to support Malwarebytes (I wasn't running Windows at the time, so the license was essentially useless to me). Well, now I'm back running Windows (I installed 7 on my laptop Tuesday night to get a good look at it before people start bugging me with questions about it), and I must say, the real-time scanner is nice - it's very lightweight (the service is currently consuming just over 25MB memory; about half of what AVG 8.5 usually grabs), and it's successfully detected a few test cases I threw at it.

            --- Mr. DOS

  14. frustrating as hell by Ephemeriis · · Score: 4, Interesting

    What really annoys me is the fact that the mainstream antivirus products (Panda, Symantec, McAfee, etc.) do such a crappy job of dealing with these rogue antivirus things. Most of them don't do a thing. Don't detect the rogue stuff, don't disinfect it, nothing.

    Which means that we have to use something like Malwarebytes or Spyware Doctor to remove them.

    This is especially annoying for us... We're outsourced IT for our clients. We aren't there every day to take care of everything they need. We set things up as safely and securely as we can, manage it all as best we can, but we can't lock things down as tightly as I'd like because these folks need to be able to operate without us - installing their own software and updates, things like that. So it's only a matter of time before one of our clients stumbles into one of these rogue antivirus products.

    Does anyone know of a good, centrally-managed (like Symantec or Panda) anti-virus/malware package that actually detects these rogue things?

    --
    "Work is the curse of the drinking classes." -Oscar Wilde
  15. Re:The worst offenders by Deathlizard · · Score: 5, Informative

    To remove Norton, don't bother with the uninstaller. Get the Norton Removal tool from their site:

    http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039

    This is for ANY install of ANY Norton products. It also gets rid of shared files and their registry settings.

  16. Another +1 for MalwareBytes Anti-Malware by Anonymous Coward · · Score: 2, Insightful

    You know MBAM is good when the newest variants of this shit specifically prevent its installer and the application itself from running (unless you rename them).

    Whoever is responsible for this fake antivirus and security software should be killed slowly and painfully over a period of weeks. Like, torture them to near the point of death and keep a couple medical personnel on hand to nurse them back to health so you can start over again, and repeat the process a few times. And put videos of it on YouTube for the enjoyment of all of us who have to clean that shit off computers.

  17. Re:Disaster for Regular Users by Girtych · · Score: 3, Insightful

    1. Don't use Internet Explorer. I swear that most of the infections I've run into are from compromised websites using exploits that target IE.

    2. Don't install anything- ANYTHING- from the internet unless you know exactly what it is. Even then, you might want to run a quick scan on it. Most virus scanners add an option to the right-click context menu to make this simple.

    3. If you see anything saying "your computer may be infected" or something along those lines while browsing the internet, ignore it. It's a downright lie. Even if it looks legit. When in doubt, call a tech.

    4. In the event that you get infected, call a tech, or if you're brave enough, follow the steps I outlined in my previous post here.

  18. Motivation by 99BottlesOfBeerInMyF · · Score: 5, Interesting

    This is all the free market working against the unfree market. In a free market competitors work to make the best product to make the most money. Right now, that's malware writers, each trying to outdo one another and make the best trojans to get the most bots and personal info.

    In a free market consumers would buy computers best suited to deal with this threat, with defenses that appropriately reduce this threat to a small subset of their customers. But, since we have one player with a huge amount of influence on the desktop OS market, with huge influence on computer makers and other markets and who has built substantial barriers to prevent consumers from trying other options, desktop OS's are not adapting appropriately. Why should they if it is not losing them significant money?

    Trojans aren't some unsolvable problem, but for the most part they are a problem that needs to be dealt with at the OS level. Add on software from computer makers is only going to be partially effective. SELinux, for example, does a reasonable job of mitigating trojans in the secure workstation market, but has not been adapted to the consumer desktop market as yet because it requires integration on the part of application developers and there is no real motivation to do that. Linux and OS X desktops don't face significant levels of attack. Windows doesn't lose real money when it fails to defend against them. Why would anyone who understands the benefits of free market capitalism expect anything but to have malware writers win. They have direct, financial motivation.

    Seriously, MS could easily create a sandboxed backwards compatibility layer (they already have). They could easily require all software that did not have a proper signature and an ACL to run in a restricted sandbox. They could dump money into crafting a good UI for it and motivating developers by restricting access to new, useful APIs. The real question is, why should they, as a business, spend that money?

    I have a modest proposal that will solve this problem and a lot of other problems all stemming from the same cause. Break up Microsoft. Seriously. They're repeat offender antitrust violators. Break them up and give at least two new companies complete rights to use all the source code and patents and an equal portion of the human resources and capital. Forbid these companies from any nonpublic communication or any agreements they don't offer to other companies with the same terms.

    When you have executives at MS-A and at MS-B both realizing they have to do something to win sales contracts from Dell and HP and Sony and Asus guess what, they'll have to compete. Then their financial well being will depend upon which can deliver a better product at a lower price. Neither will be able to strongarm customers or people in other markets. They'll have motivation to fix the flaws in Windows and the accompanying software that people have been learning to work around for decades. And neither company will have to worry about antitrust concerns and will be able to bundle whatever crap they want including their version of IE. I'd be willing to bet if our justice department had the balls, the malware problem would be a minor annoyance in 5 years time.

  19. Re:The worst offenders by jmnugent · · Score: 2, Interesting

    In the organization I work for.. we are using McAfee VirusScan Enterprise + AntiSpyware Enterprise 8.5.0i....... I've noticed (almost on a weekly basis).. machines infected with various kinds of spyware (antivirus2009, AlphaAV, and other names) and McAfee seems incompetently clueless about detecting it. If I install MalwareBytes on the box.. and start a "Full Scan" (using MalwareBytes)... as it goes through touching files on the hard drive, only THEN does McAfee pop up and say "Hey, you are infected with XXX". I don't know WHY that is... we seem to have the current McAfee scan engine and dat files... I chalk it up to corporate level antivirus just not being able to keep up with the fast-paced changes to spyware. I decided to never rely on a single protection product. If I suspect a machine is acting weird (even if it does have up to date Antivirus).. I scan it with Malwarebytes and NOD32's free online scan. I don't think this is strictly a fault with McAfee.. I think any tool used by itself will miss something... that's why a combination approach is best. (And hey.. if you do some testing and can find patterns of McAfee not fully protecting you - that might be ammo/fodder to go back to your bosses (or McAfee rep) and push some buttons.)

  20. The Flaw In "Additional Safety Software" by EXTomar · · Score: 3, Insightful

    Isn't it about time to start asking Microsoft to fix the system instead of installing additional software that helps cover up the flaws? The reason why they went with this is that it is cheaper to offer "feature rich environment" but cover the holes with "additional safety software" than it is to make sure the "feature rich environment" is correct let alone sane or safe. The weakness has always been the "additional safety software" part. If legitimate software can be "additional safety software" then illegitimate software can be "additional safety software" as well.

    Who validates what is legitimate "additional safety software"? The AV industry? Microsoft? These guys aren't exactly impartial and at an abstract level represent a conflict of interest. Should it be left up to the user? If the user was qualified to do that they wouldn't need "additional safety software". This is a gigantic losing battle where we have long since passed the point where we need more AV and UAC "protection" and should start closing loopholes and flaws in the Windows OS and architecture.

    1. Re:The Flaw In "Additional Safety Software" by lukas84 · · Score: 3, Insightful

      AppLocker fixes this in properly managed environments.

      But there is no way, for any OS, to fix "user willingly downloads malware and runs it".

  21. Re:The worst offenders by Latinhypercube · · Score: 2, Informative

    AVG 8 is so bad it makes me want to puke. It chokes my system worse than a real virus. It's a shame because up until 7.5 it ran like a dream.

  22. While I always advocate full reinstall by Sycraft-fu · · Score: 3, Informative

    for compromised systems, one thing that works great in the cases where you can't is Process Explorer from Microsoft. It is a more detailed task manager so you can get more information on processes. That itself isn't useful. However, what it can do is suspend processes. You choose a process and there's a suspend option, as well as killing it. Well, what that does is allow you to shut this stuff down, but its watchdog process doesn't notice. It is still "running" it just doesn't get CPU time. So the main process can't stop you from modifying the system, and the watchdog doesn't know to reload it.

    You then can make use of Autoruns, also from Microsoft. That shows you everything that starts up on your system. Use that to track down and remove the startup of the processes. Reboot to clear the file locks (or boot to a live CD), and delete the files.

    I can get rid of all the malware I've thus far encountered manually using those tools and spending some time. We have to do it sometimes because professors refuse to let us reinstall, even though that is the best option, since I can never be 100% sure I cleared all threats.
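The suspend-then-remove routine in the post above (freeze the malware process so its watchdog does not respawn it, then hunt down its autostart entries) needs a way to decide which entries to go after. The following is an added example, not code from the poster or from Sysinternals: a small Python triage script that reads an Autoruns-style CSV export and flags the entries a defender would look at first. It assumes the column layout of autorunsc's CSV output (Entry Location, Entry, Enabled, Signer, Image Path, and so on); the rows embedded here are constructed for illustration and describe no real host.

```python
import csv
import io
import re
from pathlib import PureWindowsPath

# Constructed sample in an Autoruns-style CSV layout. The column names are
# assumed to match autorunsc's CSV export; the rows themselves are made up for
# illustration (the "av2009" and "xyz.exe" entries are fictitious).
SAMPLE_CSV = r"""Entry Location,Entry,Enabled,Category,Description,Signer,Image Path,Launch String
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,Windows Security notification icon,(Verified) Microsoft Windows,c:\windows\system32\securityhealthsystray.exe,%windir%\system32\SecurityHealthSystray.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,av2009,enabled,Logon,,(Not verified),c:\users\alice\appdata\local\temp\av2009.exe,"C:\Users\alice\AppData\Local\Temp\av2009.exe /s"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,enabled,Logon,Example updater,(Verified) Example Corp,c:\program files\example\updater.exe,"C:\Program Files\Example\updater.exe"
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce,cleanup,enabled,Logon,,(Not verified),File not found: c:\users\alice\appdata\roaming\xyz.exe,c:\users\alice\appdata\roaming\xyz.exe
"""

# Directories an unprivileged user can write to. A persistence entry that
# launches from one of these is not proof of infection, but it is where
# fake-AV droppers typically land, so it goes to the top of the list.
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|downloads|public)\\", re.IGNORECASE)


def triage(csv_text):
    """Return enabled autostart entries worth inspecting, each with its reasons.

    Entries are sorted so the ones with the most reasons come first.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("Enabled", "").lower() != "enabled":
            continue
        image = row.get("Image Path", "")
        signer = row.get("Signer", "")
        reasons = []
        # Autoruns prefixes the image path with "File not found:" when the
        # binary is gone; a dangling entry still tells you something was here.
        if image.lower().startswith("file not found"):
            reasons.append("image missing (dangling entry)")
        # Autoruns reports "(Verified) <publisher>" for a valid signature.
        if not signer or signer.startswith("(Not verified)"):
            reasons.append("binary not signature-verified")
        if USER_WRITABLE.search(image):
            reasons.append("launches from a user-writable directory")
        if reasons:
            findings.append({
                "entry": row["Entry"],
                "location": row["Entry Location"],
                "image": image,
                "reasons": reasons,
            })
    findings.sort(key=lambda f: len(f["reasons"]), reverse=True)
    return findings


def suspend_candidates(findings):
    """Image names to suspend in Process Explorer before editing their entries.

    Entries whose binary is already missing have no running image to suspend.
    """
    names = set()
    for f in findings:
        if f["image"].lower().startswith("file not found"):
            continue
        names.add(PureWindowsPath(f["image"]).name)
    return names


if __name__ == "__main__":
    flagged = triage(SAMPLE_CSV)
    for f in flagged:
        print(f"{f['entry']}  [{f['location']}]")
        for reason in f["reasons"]:
            print(f"  - {reason}")
    print("suspend first:", ", ".join(sorted(suspend_candidates(flagged))))
```

On a real box you would feed it the CSV you exported from Autoruns, suspend the listed images in Process Explorer first (so a watchdog cannot relaunch them while you work), then disable the flagged entries and reboot or boot a live CD to delete the files. Signed entries in system directories are deliberately left out of the report, which is why a full review of the export, not just this shortlist, is still the right habit; and as the poster says, a reinstall is the only way to be sure.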

  23. Re:Pay For Full Version by Pax681 · · Score: 2, Insightful

    yups, you get a choice of recovering session or starting a new one

    not even a case of not RTFM but a case of not opening yer anonymous wee eyes!

  24. Re:Pay For Full Version by DMUTPeregrine · · Score: 2, Informative

    Install the SessionManager extension to get finer grained control of such things.

    --
    Not a sentence!
  25. Re:The worst offenders by Darinbob · · Score: 4, Insightful

    It's really sad when the company provides their own removal tool. It works, but it makes you wonder why they don't just fix the uninstaller...

  26. Huh? Why are we trying to protect lemmings? by Torodung · · Score: 2, Insightful

    I'd make a headline change, sub in "users" for "scanners."

    If there was ever a clearer case of PEBKAC, I'd like to hear about it. This is like trying to wall off a cliff to protect the lemmings.

    If people will install random crap off the Internet without first reading a review, getting some word of mouth, and/or downloading it from a trusted source, they're going to get infected. Having an AV is useless if you're going to behave as described in TFA. There isn't a technological solution here.

    An AV can't protect people who don't understand that you shouldn't "fertilize your lawn with motor oil." This is the level of dumb we are talking about here.

    --
    Toro

  27. Re:Try Moon Secure by Anonymous Coward · · Score: 2, Interesting

    ClamWin doesn't do realtime though right? What use is antivirus software that doesn't scan files as you install them? I seem to remember ClamWin would happily allow you to infect your machine, then later (if the virus didn't disable ClamWin completely) you could run a full scan to tell you just how badly you've already been hosed.

  28. Re:Pay For Full Version by Rick17JJ · · Score: 2, Informative

    About a year ago, a pop-up advertisement pretended to scan my hard drive remotely (without my permission) and then claimed to find two viruses on drive C and also spyware in the registry of my Linux computer. I have encountered those scareware anti-virus advertisements several times over the last several years while using Firefox and Linux.

    Typically, a window pops up telling me that their website has detected a virus and spyware on my computer. The website suggests that I let them scan my hard drive for viruses and spyware. When I try to close the window, a window with a progress bar appears, announcing that they are scanning my drive C for viruses. After only about thirty seconds, they have supposedly finished scanning my entire 500 GB hard drive and announce that they have found two viruses on drive C, and also spyware in my registry. That seems bogus, since Linux does not designate hard drives or partitions with drive letters and also does not have a registry.

    They then asked me to purchase their anti-virus product, to fix the problem. Despite again attempting to close a pop-up and a tab, I soon had a pop-up from Firefox, asking me which program it should use to try to open a Windows file that ended in .EXE. Was that an attempted drive-by download of malware? They did not even attempt to make me download a Linux version of their fake anti-virus program.

    I have never heard of a Linux virus successfully circulating in the wild. But, they did give the names of the two viruses my computer was supposedly infected with, so I looked those two names up on a more legitimate anti-virus website, and it listed them as both being Windows only viruses.

    I have recently started using both the AdBlock Plus and NoScript extensions for Firefox on both my Linux computer and my Windows XP computer. On my Windows XP computer I have also recently started running Firefox sandboxed with Sandboxie. Hopefully, I will not be bothered by those fake anti-virus advertisements again.

  29. Re:The worst offenders by Icegryphon · · Score: 2, Informative

    You do realize that if you're running two AVs they stomp on each other and nothing works

    Not always the case. You can use an online scanner with no problem.
    Sadly they sometimes pick up things other ones miss.
    http://housecall.trendmicro.com/
    http://security.symantec.com/
    http://www.kaspersky.com/virusscanner
    Just to name a few online ones.

  30. Re:Pay For Full Version by Runaway1956 · · Score: 2

    I realize that you may be fishing here - but I'll bite. What's wrong with system monitor? Granted, there are other tools that may be more fine-grained, and there are also CLI tools for the purpose. But, why don't you like system monitor? You're an old-school purist? If that's the case, I'll readily admit that I am not. I spend most of my time using GUI.

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  31. Re:The worst offenders by jayhawk88 · · Score: 2, Informative

    Security Essentials detected several:

    - Adware: Win32/WhenU.A (Medium Alert Level)
    - Adware: Win32/ClickAlchemy (Severe)
    - Adware: Win32/ABetterInternet.C (High)
    - Adware: Win32/SurfPlayer (High)
    - Adware: Win32/NewDotNet (High)

    To be somewhat fair to McAfee, it did detect a couple coming from one machine, MWS and SmartShopper, but this was very late in the process, well after the user had reported seeing the FakeAV pop-up and (apparently) after the machine had been infected. Perhaps these are McAfee names for some of the ones listed above and my reporting was just slow, don't know.

    Also just for the record, we run EPO 4, Agent 4.0.0.1494 (as of yesterday, latest agent patch) and VirusScan 8.7.0i, Patch 1 (Patch 2 is out as of yesterday I believe, we'll be going to that soon). The so-called "Antivirus 2009" or "Antispyware 2009" and all its variants have slipped past McAfee at least half a dozen times in the past 3 weeks or so on our network. These are all domain machines, EPO protected, completely managed; it's not like we just have a hodge-podge of out of date titles or whatever. Go check out the McAfee forums, there are a few topics with people complaining about this as well.

    I'm with you, I'm quite concerned about this. But outside of going around to 300 personal computers (that's for the "CPU" nerdrage above) and scanning them individually with Malwarebytes or MSE I'm not really sure what to do. I'm kind of hopeful McAfee gets their shit, or rather their DATs, together and can at least start alerting me on these, so we're not completely in the dark.

  32. Re:Pay For Full Version by clone53421 · · Score: 2, Informative

    IIRC you even get a page that lets you select which tabs to reload so you can specifically not revisit the particular one that killed the browser. (Maybe that's just in the newest version or two, though.)

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  33. Re:The worst offenders by EvilBudMan · · Score: 2, Insightful

    Well, if the antivirus software were to make it that easy to remove with the uninstaller, then a virus could do the same thing. The real problem I have is most of this stuff being a resource hog. With the corporate version of McAfee, you can hardly do a Save As without having to wait 5 minutes. I will be so glad when our licenses for that program expire. Maybe we will try Norton next, I don't know. We want it to work, and not be more resource intensive than video editing, you know.

  34. The more you know... by symbolset · · Score: 2, Insightful

    And so you know that the user has had unauthorized software running on the PC with administrator privileges, capturing and relaying customer login information for all their accounts, sampling files for interesting data and uploading them to unknown sites for further processing, flagging systems with system and user DSNs for special manual handling - for an unknown period of time but almost certainly across more than one reboot.

    But you've killed all the evil processes and deleted the software that is known by the scanner vendor to be bad.

    And now you can comfortably give that computer back to the end user to attach to your network and start processing work again because it's all better now, right? That is what you said?

    /shudder.

    --
    Help stamp out iliturcy.
  35. Re:The worst offenders by Opportunist · · Score: 2, Insightful

    Large AV suites face similar problems as viruses: they are prone to removal by their enemies. Ironically, they are each other's nemesis in this respect: yes, malware tries to uninstall AV suites or render them useless. So what do AV suites do? They dig deeper into the system. Sometimes to the point where you, the user, are no longer sure whether the cure is more poisonous than the sickness.

    My solution has been to rely more and more on "no-names" in the AV biz. They often have surprisingly good detection rates while they're largely under the radar of malware writers, thus not prone to the defense mechanisms of malware.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  36. There is no cleaning by symbolset · · Score: 3, Insightful

    If an app had enough permissions to get installed, it's trivial for it to elevate itself to system privileges and install a rootkit that cannot be detected. Even if you remove the drive and scan it in a known-good system, there's still a chance that the product you're scanning with doesn't recognize the particular threat yet, because these threats are polymorphic and the one on the scanned system may be unique.

    It's scary enough that we have to trust vendor media for these closed development operating systems. It's just malpractice to claim we can restore one that has been known to be running malware to an acceptable condition.

    Wipe and reimage in the case of infection. Every time. It's quicker, too.

    --
    Help stamp out iliturcy.