Fake Antivirus Peddlers Outpacing Real AV Firms
An anonymous reader tips a writeup at KrebsOnSecurity.com detailing how purveyors of fake antivirus or 'scareware' programs have aggressively stepped up their game to evade detection. The posting is based on a report from Google's malware detection team (PDF). "Beginning in June 2009, Google charted a massive increase in the number of unique fake antivirus installer programs, a spike that Google security experts posit was a bid to overwhelm the ability of legitimate antivirus programs to detect the programs. Indeed, the company discovered that during that time frame, the number of unique installer programs increased from an average of 300 to 1,462 per day, causing the detection rate to plummet to below 20 percent. ... In addition, Google determined that the average lifetime of sites that redirect users to Web pages that try to install scareware decreased over time, with the median lifetime dropping below 100 hours around April 2009, below 10 hours around September 2009, and below one hour since January 2010."
1. Education that Windows users need AV software has been overwhelmingly successful.
2. People are too cheap to go buy a boxed copy, and like in-your-face downloads (many ISPs offer AV, but you have to go hunt for it).
3. Internet Explorer and Windows are still terminally broken out-of-the-box.
F-Prot, Command, etc. are all very good products
No they're not. They're fraudulent.
Scanning a potentially compromised system from inside that potentially compromised system is snake oil and it's no surprise that most anti-virus "products" don't catch a whole swathe of different viruses, trojans and root kits. Such anti-virus products are little better than placebos.
It's about time there was a class action lawsuit to bring them to justice.
At a minimum they should be booting from known good media (e.g. CDROM) and cryptographically signed tripwire-style verification of files. Anything less is just wishful thinking. BIOSes should be physically write protected also, and motherboard makers who don't do this share some of the blame. M$ also, for deliberately not providing bootable known good media with every OS copy sold and treating non-cryptographically signed software installation as if it is some sort of daily event. Ironic that bootable Linux-based CDROMs may be the best way to fix the Windows virus epidemic.
tl;dr - Running anti-virus? You've probably been had.
---
"I know that most men, including those at ease with problems of the greatest complexity, can seldom accept even the simplest and most obvious truth if it be such as would oblige them to admit the falsity of conclusions which they have delighted in explaining to colleagues, which they have proudly taught to others, and which they have woven, thread by thread, into the fabric of their lives." --Leo Tolstoy
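The tripwire-style check the comment above argues for, as an added example that is not from the original discussion or any named product: a baseline of file hashes is built once, authenticated, and later compared against the live tree (ideally from known-good boot media). HMAC-SHA256 is assumed here as a stand-in for a real signature, and the directory layout and key are constructed for the test.

```python
"""Tripwire-style integrity check: hash a tree, authenticate the baseline, diff."""
import hashlib
import hmac
import json
import os


def _sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root):
    """Map each regular file (relative path) under root to its SHA-256 hex digest."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            # skip symlinks so an attacker cannot point a baseline entry elsewhere
            if os.path.isfile(full) and not os.path.islink(full):
                files[os.path.relpath(full, root)] = _sha256_file(full)
    return files


def build_manifest(root, key):
    """Serialize the baseline and append an HMAC-SHA256 tag under key.
    HMAC is an assumed stand-in for a real signature: a deployment would sign the
    baseline with an offline asymmetric key so the checked host holds only the
    public half."""
    body = json.dumps({"files": hash_tree(root)}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def verify_manifest(root, manifest, key):
    """Refuse an unauthenticated baseline, then report modified/missing/added files."""
    body, _, tag = manifest.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("manifest authentication failed; baseline not trusted")
    baseline = json.loads(body)["files"]
    current = hash_tree(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }
```

The tag check runs before any hash comparison, so a baseline that has itself been edited is rejected rather than silently trusted.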