Slashdot Mirror


Fake Antivirus Peddlers Outpacing Real AV Firms

An anonymous reader tips a writeup at KrebsOnSecurity.com detailing how purveyors of fake antivirus or 'scareware' programs have aggressively stepped up their game to evade detection. The posting is based on a report from Google's malware detection team (PDF). "Beginning in June 2009, Google charted a massive increase in the number of unique fake antivirus installer programs, a spike that Google security experts posit was a bid to overwhelm the ability of legitimate antivirus programs to detect the programs. Indeed, the company discovered that during that time frame, the number of unique installer programs increased from an average of 300 to 1,462 per day, causing the detection rate to plummet to below 20 percent. ... In addition, Google determined that the average lifetime of sites that redirect users to Web pages that try to install scareware decreased over time, with the median lifetime dropping below 100 hours around April 2009, below 10 hours around September 2009, and below one hour since January 2010."

50 of 245 comments

  1. Re:Why use an unknown AV program? by charliezcc · · Score: 3, Insightful

    I don't think I have to point this out, but for the sake of clarity: the point is not that the vast majority of people are straying away from known AV software providers to unknown software providers; it is that the vast majority don't know any better and believe what the computer tells them!

  2. Re:Why use an unknown AV program? by fuzzyfuzzyfungus · · Score: 4, Funny

    Because AntiVirus 2010 has just detected dozens or even hundreds of critical security threats that your existing AV has missed!

    What upgrade could be more sensible?

  3. Re:Why use an unknown AV program? by 0racle · · Score: 3, Insightful

    To be nice, the average user is very naive. If they see a popup saying they need this AV, they trust it.

    --
    "I use a Mac because I'm just better than you are."
  4. Re:This is why i love noscript and requestpolicy by plastiqueman · · Score: 5, Informative

    I work for an IT helpdesk at a large public university and we see students come through all the time with these programs. Realistically though, the installation vector we see the most is not the installation of programs from random websites; the majority get them from clicking a link to watch a movie (still in theaters) online or even through certain ads in Facebook. These programs have simply gotten extremely clever at tricking the end user.

  5. We've had a couple of these by IICV · · Score: 4, Funny

    We've had a couple of these at work - not fake AVs, but some weird thing that seems to change the Active Desktop so that it looks like there's an antivirus window.

    The funny thing is that they look a lot more like an anti-virus program than our actual antivirus. They have this really slick fake "scanning" window that looks like something Apple would come up with if they had to design an AV scanner, while our real AV software looks like a piece of junk some poor Russian hacker cobbled together. It's sad really; the fake AVs have Symantec beat in everything from total resource usage to looks.

  6. Fake dope dealers by oldhack · · Score: 5, Funny

    So it's like fake dope dealers are outpacing true dope dealers.

    --
    Fuck systemd. Fuck Redhat. Fuck Soylent, too. Wait, scratch the last one.
    1. Re:Fake dope dealers by Anonymous Coward · · Score: 2, Funny

      Duuuude! Your oregano is the best!

  7. Re:There is a special place in hell for these peop by Low+Ranked+Craig · · Score: 2, Funny

    and no lube...

    --
    I still cannot find the droids I am looking for...
  8. They aren't all bad... by boneclinkz · · Score: 2, Funny

    I discovered Krusnikov's Virus No-Having 2007 over three years ago and it's been running in my system tray ever since, without issue.

    1. Re:They aren't all bad... by ElectricTurtle · · Score: 2, Funny

      Someday it's going to say:

      FLAGRANT SYSTEM ERROR

      Computer over.

      Virus = Very Yes.

      --
      I support the Slashcott and will not be reading or commenting from 2/10/14 to 2/17/14. Beta is a steaming pile of dog shit
  9. McAfee by LinuxIsGarbage · · Score: 4, Informative

    Does this include McAfee? It seems to be a fake anti-virus, holding critical system files hostage.

  10. Re:There is a special place in hell for these peop by kiehlster · · Score: 3, Funny

    And all the floppies have their write-protect switch set the wrong way and you just clipped your fingernails so you can't get your nail to catch on that stupidly annoying little slider.

  11. Re:Why use an unknown AV program? by Altus · · Score: 4, Interesting

    It's shocking though; nobody would trust someone in the real world telling you that you need something they are providing without some kind of double check.

    If someone showed up at your house and told you that your water could kill because of some microbe you have never heard of that they claim is getting into your pipes and the only way to make yourself safe is to install this helpful filter that they are selling would you believe them?

    --

    "In America, first you get the sugar, then you get the power, then you get the women..." -H. Simpson

  12. Oblig... by kiehlster · · Score: 3, Funny

    xkcd #694 or #350.

  13. Even easier than that. by khasim · · Score: 2, Insightful

    The "scan" window pops up and tells them that they've been infected BUT IT IS OKAY because all they have to do is click here and the nice software from the friendly company will remove the nasty viruses for them.

    Yay!!!

    This is just a side effect of the "real" anti-virus/security businesses having no interest in reducing/mitigating the "virus" threat. It makes too much money for them.

  14. Re:Why use an unknown AV program? by Tryle · · Score: 2, Funny

    Well just for your information, my filter is working quite well thank you!

    I'm just not quite sure how it works when they never actually connected it to my water pipes but hey I'm still alive to post this thanks to my filter!

  15. EXCUSE ME SIR! by ElectricTurtle · · Score: 4, Funny

    Pardon me, sir, but I would be remiss if I didn't inform you that you have clearly contracted a rare disease that will kill you painfully in short order UNLESS you pay me to inject this substance into you. You can trust me, I'm a doctor.

    ....

    Why is it that virtually nobody would fall for that in meatspace, but innumerable people fall for it online? It's just like the 419 scams. What is it about THE INTARWEBS that makes people exponentially more gullible than they would be to a random person on the street?

    --
    I support the Slashcott and will not be reading or commenting from 2/10/14 to 2/17/14. Beta is a steaming pile of dog shit
    1. Re:EXCUSE ME SIR! by 0100010001010011 · · Score: 5, Insightful

      Pardon me sir, but this herb root extract can lower your blood pressure. Meaning that you can live a long and healthy life. It's not FDA approved but it's certified by these doctors.

      It works just as well in meat space too.

  16. and after my rounds this past week..... by Lumpy · · Score: 2, Insightful

    I have informed everyone I do family and friends tech support for... they must either switch to Linux or a Mac with OSX. The new Internet Security 2010 is an evil bastard that even kills safe mode, so you have to use a BartPE to run ComboFix first and then reinstall AV and run a clean.

    Screw it, I'm done. Mac minis are as cheap as a dirt cheap Dell PC, and I'll install Linux for them. I am done with Windows support.

    --
    Do not look at laser with remaining good eye.
    1. Re:and after my rounds this past week..... by tepples · · Score: 2, Insightful

      I have informed everyone I do family and friends tech support for... they must either switch to linux or a Mac with OSX.

      Then how do they play PC games afterward?

      Mac minis are as cheap as a dirt cheap Dell PC.

      I just went to apple.com and dell.com; what I found disagrees with you. Mac mini: $599. Dell Inspiron 560s with Pentium dual core and 4 GB RAM: $429.

      and I'll install linux for them.

      Does this include installing and configuring Wine for "that one must-have app"?

    2. Re:and after my rounds this past week..... by Machtyn · · Score: 2, Interesting

      Yeah, the AV2010 thing is extremely nasty. I've recovered 4 of these in one weekend. Fortunately, none of them required a complete reinstall of the OS. And then I had one hit by the MS update BSOD issue. I actually told them to leave their computer off, waited a couple of weeks for ComboFix to catch up and then fixed it.

    3. Re:and after my rounds this past week..... by fuzzyfuzzyfungus · · Score: 2, Insightful

      I'm with you on being done with supporting home users of Windows; but minis start at $700, with 2GB of RAM and no monitor. Dell will furnish you with a (big, ugly) box with triple the RAM, a 1TB HDD (rather than 160GB), and a 20 inch flat panel for the same money... (getting a 2.8GHz Phenom X4 instead of a 2.3GHz Core2 Duo is just icing).

      The mini is cuter, certainly, and if you have to have OSX you have to have OSX; but the pricing is hardly equivalent for anybody willing to run linux or shove their computer under their desk.

    4. Re:and after my rounds this past week..... by tepples · · Score: 2, Insightful

      VMWare Player still needs a copy of Windows for the emulated machine, operating system updates for the emulated machine, and antivirus for the emulated machine.

    5. Re:and after my rounds this past week..... by Mashiki · · Score: 2, Informative

      You could simply switch them to a LUA, and solve all your problems right there.

      --
      Om, nomnomnom...
  17. Re:Why use an unknown AV program? by 0racle · · Score: 3, Interesting

    It's shocking though; nobody would trust someone in the real world telling you that you need something they are providing without some kind of double check.

    Many mechanics rely on this not being true all the time. Cars and computers are magical things to many people, things that normal people aren't expected to be able to understand. These 'normal people' are simply used to trusting anyone, or anything now, that claims to be an expert on the subject.

    --
    "I use a Mac because I'm just better than you are."
  18. Re:Why use an unknown AV program? by Anonymous Coward · · Score: 2, Funny

    for our customers their browser is google. the internet is windows and their email doesn't work despite them typing their email address into google.

  19. We got hit - XP Security by swm · · Score: 5, Informative

    My wife's machine got hit last week.
    No idea where it came from.
    Been running for years with no problem.
    (NetGear router seems to keep the baddies out.)

    All of a sudden there's a dozen dialogs flashing dire warnings about viruses and trojans and keyloggers and malware and insisting that we "register" our copy of XP security.

    Pulled the network cable and started googling (from a linux box).
    The thing is pretty nasty.
    It scatters pieces of itself around the file system with random names.
    Then it hooks the .exe registry keys so that it gets control each time any program is run, and takes the opportunity to spawn a new copy of itself, with new dialog boxes and systray icons.

    After you delete the program files, nothing runs at all, because the .exe keys are still trying to redirect through the files you just deleted.
    (Hint: right click -> run as).
    Then I fixed all the .exe (and related) keys by hand.
    There's quite a lot of them, because it is really important for each user on a windows box to have their own semantics for running a program.
    (Removal instructions on the web don't generally find them all.)

    Finally (should have done this long ago) created an admin account and knocked all the user accounts down to user privilege level.
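A defender-side check for the .exe hook swm describes, added here as an example (not code from the post): it parses a regedit export of the file-association keys and flags any launch command that is not the clean "%1" %*, or any .exe mapping that no longer points at the exefile class. The .reg text is constructed; the key paths are the standard Windows ones, and the HKCU\Software\Classes override is checked because it takes precedence over HKCR for that user.

```python
"""Flag hijacked executable-launch keys in a regedit (.reg) export.
A clean system launches "%1" %* (the program plus its arguments) and maps
the .exe extension to the "exefile" class; the scareware hooks these keys."""
import re

CLEAN_COMMAND = '"%1" %*'

# Launch commands that must be exactly CLEAN_COMMAND.  The HKCU entry is a
# per-user override that takes precedence over HKCR for that account.
LAUNCH_KEYS = (
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command",
    r"HKEY_CLASSES_ROOT\comfile\shell\open\command",
    r"HKEY_CLASSES_ROOT\batfile\shell\open\command",
    r"HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command",
)
# Extension keys whose (Default) must name the "exefile" class.
EXTENSION_KEYS = (
    r"HKEY_CLASSES_ROOT\.exe",
    r"HKEY_CURRENT_USER\Software\Classes\.exe",
)

# Constructed sample export: HKCR\exefile is hooked to run av.exe before every
# program, and the current user's .exe mapping points at a foreign class.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\Alice\\Local Settings\\Application Data\\av.exe\" /START \"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CURRENT_USER\Software\Classes\.exe]
@="secfile"
"""


def parse_reg(text):
    """Parse a .reg export into {key (lower-cased): {value name: data}}.
    REG_SZ values are unescaped (regedit escapes \\ and " with a backslash)."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith(("Windows Registry", "REGEDIT")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, data = line.split("=", 1)
        name = "(Default)" if name == "@" else name.strip('"')
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = re.sub(r"\\(.)", r"\1", data[1:-1])  # REG_SZ: drop escapes
        keys[current][name] = data
    return keys


def find_hijacks(reg_text):
    """Return [(key, value, reason)] for every launch or extension key that
    no longer has its clean value.  Keys absent from the export are skipped."""
    keys = parse_reg(reg_text)
    findings = []
    for key in LAUNCH_KEYS:
        cmd = keys.get(key.lower(), {}).get("(Default)")
        if cmd is not None and cmd.strip() != CLEAN_COMMAND:
            findings.append((key, cmd, 'launch command is not "%1" %*'))
    for key in EXTENSION_KEYS:
        cls = keys.get(key.lower(), {}).get("(Default)")
        if cls is not None and cls.strip().lower() != "exefile":
            findings.append((key, cls, ".exe is mapped to a different class"))
    return findings
```

Run `find_hijacks(SAMPLE_EXPORT)` to see the two hooked entries; on a real machine, feed it the output of `reg export HKCR\exefile` and the matching .exe and HKCU keys.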

  20. Re:Why use an unknown AV program? by skine · · Score: 2, Insightful

    It's not a scheme, it's marketing.

  21. Re:Why use an unknown AV program? by natehoy · · Score: 3, Informative

    Oh my God! Who do I make that check out to again? No, can't wait for it to clear, let me just give you my mattress and you can take how much it is, OK, I can't number very well.

    OK, seriously...

    Remember that many of the victims of scams like this don't know any better. These aren't random people showing up at their houses, they are ads showing up on websites. But many don't even know that.

    They only know that their "computer person" has told them to make sure their AntiVirus is working correctly, and that the computer has just told them that their AntiVirus has stopped working correctly but the nice warning offered to fix it for them. Many of the newer ones look pretty legitimate, too, and have multiple URLs so when you Google them fake review sites come up and gush enthusiastically about how great the product is.

    I have a co-worker who has been hit by this. I support 2 co-workers' home computers. They are otherwise intelligent people who use the preconfigured computers here at work every day. I give them lists of free antivirus packages they can load, and the one who had the problem came in and told me that her subscription to n0d ran out, but that the computer had warned her to replace it with "AntiVirus 2010" which had a free trial, but she noticed that once she installed it the computer slowed down.

    She's not dumb, just on the low end of computer literacy. She knew that she needed to avoid popups and to run an Antivirus client, but this specific popup looked like a dialog box and she knew that her AV was running out, so she assumed it was like all the other warnings Windows Seven likes to send her about updates and such.

    --
    "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
  22. Re:Why use an unknown AV program? by Hummdis · · Score: 3, Funny

    You must have seen this about dihydrogen monoxide and how it's being put in everyone's water supply! :)

    Get a few of these to circulate and people will be in a full-blown panic. Remember, a person is smart. People are dumb.

  23. Re:Why use an unknown AV program? by RobDude · · Score: 2, Insightful

    When a person shows up to the door, people are skeptical because they don't know that person and don't have a business relationship with them.

    If you already buy an expensive product from a reputable company, you are going to be far less skeptical about things you are told about that product by that company. If you buy a new car from Ford and the 'ABS' light comes on, provided you know nothing about cars other than how to drive them, you are likely to believe that there is something wrong with your brakes; compare that to how likely you are to believe there is something wrong with your car's brakes if a stranger knocks on your door and tells you.

    When people see a pop-up on their computer; they assume it's coming from Microsoft or Dell or whatever. So, they trust it.

  24. Re:Why use an unknown AV program? by celibate+for+life · · Score: 2, Informative

    I was once infected at my work computer, which runs Windows XP SP3, while visiting the website of a private porn torrent tracker, with lots of ads. I did not click any links or solicit the installation of the program, but somehow some sort of "Antispyware 2010" appeared there. It must have been a browser exploit or something like that. It wasn't too difficult to get rid of, I just needed Malwarebytes antimalware (the free version). Anyway, now I turn off Flash and JS before browsing porn at work.

  25. Re:There is a special place in hell for these peop by gyrogeerloose · · Score: 2, Funny

    and they're on fire.

    --
    This ain't rocket surgery.
  26. Re:Why use an unknown AV program? by AaxelB · · Score: 3, Insightful

    It's shocking though; nobody would trust someone in the real world telling you that you need something they are providing without some kind of double check.

    If someone showed up at your house and told you that your water could kill because of some microbe you have never heard of that they claim is getting into your pipes and the only way to make yourself safe is to install this helpful filter that they are selling would you believe them?

    A big difference is that the fake antivirus pop-ups aren't usually trying to sell you anything, they just want you to click OK! It's easy to click OK, and, for the average [clueless] user, just clicking OK doesn't feel nearly as risky as letting a stranger into your home, or buying a mysterious product.

    I think most people just do a naive, clueless sort of risk assessment. If the pop-up is telling the truth, they really need the software. If the pop-up is lying... well, they're not directly paying anything and have no idea what could go wrong, so they assume it's not a problem. Therefore, they decide to click OK to install the software. To them, it's more like some random person standing on the sidewalk telling them, "You should walk on the other side of the street; there's a dead skunk halfway up the block and you really don't want to get near it." Eventually people will learn... but it may take a few generations.

  27. Re:This is why i love noscript and requestpolicy by Achromatic1978 · · Score: 4, Insightful

    Our clients get these from ad pop-ups. Generally, the 3rd party ad servers get hacked to serve out these fake AVs. So, sites such as CNN, MSNBC, Fox News, and Drudge Report are often thought to be the vector. They are not, but their 3rd party ad subscriptions are!

    Generally, no. Generally, the reason is that the advertisers and their site owners rarely truly care. Have you seen the utter shit, spam, fakes, frauds that masquerade as Facebook ads, however often you click "X" and report it as "misleading / deceptive"? Seriously, go to apple.com/store. Look for the neon green MacBook Air. You know, the one you can "test/review then keep for free"...

    It's lip service. They. Just. Don't. Care. The advertisers are paying the bills, not you.

  28. Doctors and celebrities by tepples · · Score: 2, Insightful

    Doctors, celebrities, what's the difference in the consumer's mind? Case 1: Dr. Dre. Case 2: "Of course Hugh Laurie is a doctor. He plays one on House M.D." Case 3: People with a doctorate in something other than medicine or osteopathy.

  29. Re:Complete Fakes by Cro+Magnon · · Score: 2, Funny

    Are you sure it's a fake? Maybe you really don't have a working system32.dll on your Linux system. You need to replace it ASAP!

    --
    Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
  30. Re:Three Findings by yuna49 · · Score: 2, Insightful

    Concerning #3, most of these exploits use Javascript to open a phony "scanning" window. I got one of these while reading the New York Times on my Linux machine using Firefox.

  31. Re:Why use an unknown AV program? by Nadaka · · Score: 3, Funny

    I was once infected at my work computer, which runs Windows XP SP3, while visiting the website of a private porn torrent tracker, with lots of ads. I did not click any links or solicit the installation of the program, but somehow some sort of "Antispyware 2010" appeared there. It must have been a browser exploit or something like that. It wasn't too difficult to get rid of, I just needed Malwarebytes antimalware (the free version). Anyway, now I turn off Flash and JS before browsing porn at work.

    Let me guess... You work at the SEC?

  32. Re:Fake AV installs on piratebay! by assassinator42 · · Score: 3, Informative

    They simply exploit a vulnerability in your browser or plugins. I've encountered one that tries to install something using Java, presumably just requiring a user to click OK to infect them. That's something that seems like it could be done accidentally. I wouldn't be surprised if it were trying to exploit some vulnerability that would auto-install the malware on older versions of Java. They probably use exploits in Flash as well. The plugins have the advantage of not being run in the IE sandbox that's used by default on Vista/7.

  33. Re:Why use an unknown AV program? by celibate+for+life · · Score: 3, Informative

    "celibate for life" should make that obvious, no need for long preambles.

  34. Re:Why use an unknown AV program? by _Sprocket_ · · Score: 2, Funny

    Somehow, I don't think the phrase "the [internet] is the computer" was supposed to work out that way.

  35. Do I have to solve everything for you? by CorporateSuit · · Score: 2, Funny

    I use Linux - the family never listens to me.

    Well, then stop using Linux!

    --
    I am the richest astronaut ever to win the superbowl.
  36. Re:Fake AV installs on piratebay! by RulerOf · · Score: 5, Interesting

    I got hit by that myself. To date, the only virus I've ever gotten.

    I went to change window focus by clicking on what I had thought was some white space in an article that I was reading, but realized it would normally be an ad spot. Another browser window opened (with the annoying OnClose warning) and I closed it. I noticed that Java loaded, and then a few minutes later Security Center lets me know my AV is turned off and all hell starts breaking loose.

    Process Explorer and a few hours later I was back to normal (protip: malware "watcher" processes usually aren't smart enough to realize when they've been suspended. Comes in handy.)

    The app must have exploited some Java vulnerability, but at this point I'm not really sure which one. It used the AT command to get what it wanted in terms of privileges and so on, and went to town on my local security policy.

    In the end, I was a little pissed at myself, as I try to keep software updated to avoid vulnerabilities like that, but alas I finally got hit by one. Made me feel a little more capable of believing the [usually bullshit] story of "I was just using it when all of a sudden these things started popping up!"

    Fun fact: I was browsing with Chrome.

    --
    Boot Windows, Linux, and ESX over the network for free.
  37. Re:Why use an unknown AV program? by hairyfeet · · Score: 3, Interesting

    As someone who works PC repair I can tell you that many, if not most, of these "fake AV" programs are getting installed via drive-by. You see, what most folks don't know is that ALL of the major OEMs cripple their PCs at the factory by installing them with automatic updates turned OFF. Now, why they do that stupid shit, who knows, but the result is a machine that is VERY badly out of date by the time the customer gets it. And of course since they don't know it has been crippled it will NEVER get updates until it gets hosed and comes to someone like me.

    So they go to Walmart, Best Buy, whatever, and buy this machine that is as much as a year out of date with NO hope of getting updated, plug it in, and start using the "big blue E" which gets pwned within a couple of days to a month if they are lucky and only surf the major sites. The next thing they know when they turn on their PC there is this new "security tool" slapping them in the face and demanding money to go away. These things are seriously nasty and a royal PITA to kill, so they have to bring them to me.

    But if you want someone to blame for the spread of this crap, it ain't the users this time. It would be like buying a new car and expecting to know that the shop rigged your brakes so a certain degree of incline will fail if they aren't re-calibrated. By the time the user gets a PC from the big chains often the 30 day crapware AV has run out, it is at least 6 months behind on security updates, and of course there is the fact that auto updates has been killed dead at the factory. You'd think if the government was worried about cyber-warfare and cyber-terrorism they would drop the hammer on those OEMs and make them have at least halfway sane security policies.

    --
    ACs don't waste your time replying, your posts are never seen by me.
  38. Re:Why use an unknown AV program? by DigiShaman · · Score: 2, Informative

    A big difference is that the fake antivirus pop-ups aren't usually trying to sell you anything

    Not sure what fake AVs you've seen, but all the ones I've run across will say you're infected with X amount of viruses, but you must purchase the full version to have them removed. Two clients I know have pulled out their CC to make the purchase. Big mistake!!! Once I've informed them that they've been a victim of fraud, they agreed to contact their bank and have a new CC number issued. Obviously the original number had now been tainted.

    --
    Life is not for the lazy.
  39. I have to disagree by pastafazou · · Score: 2, Interesting

    I deal with this stuff on a daily basis. I had a customer just the other day go home with a clean machine, with the latest version of Avira, AntiMalwarebytes, and SuperAntiSpyware installed and updated. All Windows patches and updates installed. He was back two hours later. Surfing the web looking for UFC videos. Google served up a paid ad at the top of his search with his search terms. Of course he clicked it, and with a bit of Adobe Flash magic, he had the Security Tools infection installed and his Avira broken.

  40. Re:Why use an unknown AV program? by VanGarrett · · Score: 2, Funny

    No, none of the women of the house have developed an abrupt interest in professional golfers, but thank you, anyway.

  41. Re:Why use an unknown AV program? by Anamelech · · Score: 2, Informative

    That's odd. I was one of the Resident Technicians at a Staples in Nova Scotia until the 16th. At least here in Canada, the OEM systems are configured to run the factory restore image on first boot. The user then sets up the Windows update settings, language, etc. May be different where all of our systems are multilingual. As far as looking on the shelf goes, that's just a bad idea. Any yahoo walking past the system can flick over to the windows update settings and change them, or do any other number of things. One of the reasons we do a factory restore on the sale of a demo here. That, and to reset those 30 day trials.

  42. Re:Three Findings by Falconhell · · Score: 2, Interesting

    A useful trick when Task Manager will not work: copy the task manager .exe from another machine and rename it to any other name.

    It will then run and allow you in to start cleaning up the crap.