Slashdot Mirror

← Back to Stories (view on slashdot.org)

Fake Antivirus Peddlers Outpacing Real AV Firms

Posted by kdawson on from the catch-me-if-you-can dept.

An anonymous reader tips a writeup at KrebsOnSecurity.com detailing how purveyors of fake antivirus or 'scareware' programs have aggressively stepped up their game to evade detection. The posting is based on a report from Google's malware detection team (PDF). "Beginning in June 2009, Google charted a massive increase in the number of unique fake antivirus installer programs, a spike that Google security experts posit was a bid to overwhelm the ability of legitimate antivirus programs to detect the programs. Indeed, the company discovered that during that time frame, the number of unique installer programs increased from an average of 300 to 1,462 per day, causing the detection rate to plummet to below 20 percent. ... In addition, Google determined that the average lifetime of sites that redirect users to Web pages that try to install scareware decreased over time, with the median lifetime dropping below 100 hours around April 2009, below 10 hours around September 2009, and below one hour since January 2010."

3 of 245 comments (clear)

  1. Re:This is why i love noscript and requestpolicy by plastiqueman · · Score: 5, Informative

    I work for an IT helpdesk at a large public university and we see students come through all the time with these programs. Realistically though, the installation vector we see the most is not the installation of programs from random websites; the majority get them from clicking a link to watch a movie (still in theaters) online or even through certain ads in Facebook. These programs have simply gotten extremely clever at tricking the end user.

  2. McAfee by LinuxIsGarbage · · Score: 4, Informative

    Does this include McAfee? It seems to be a fake anti-virus, holding critical system files hostage.

  3. We got hit - XP Security by swm · · Score: 5, Informative

    My wife's machine got hit last week.
    No idea where it came from.
    Been running for years with no problem.
    (NetGear router seems to keep the baddies out.)

    All of a sudden there's a dozen dialogs flashing dire warnings about viruses and trojans and keyloggers and malware and insisting that we "register" our copy of XP security.

    Pulled the network cable and started googling (from a linux box).
    The thing is pretty nasty.
    It scatters pieces of itself around the file system with random names.
    Then it hooks the .exe registry keys so that it gets control each time any program is run, and takes the opportunity to spawn a new copy of itself, with new dialog boxes and systray icons.

    After you delete the program files, nothing runs at all, because the .exe keys are still trying to redirect through the files you just deleted.
    (Hint: right click -> run as).
    Then I fixed all the .exe (and related) keys by hand.
    There's quite a lot of them, because it is really important for each user on a windows box to have their own semantics for running a program.
    (Removal instructions on the web don't generally find them all.)

    Finally (should have done this long ago) created an admin account and knocked all the user accounts down to user privilege level.