Slashdot Mirror


Fake Antivirus Peddlers Outpacing Real AV Firms

An anonymous reader tips a writeup at KrebsOnSecurity.com detailing how purveyors of fake antivirus or 'scareware' programs have aggressively stepped up their game to evade detection. The posting is based on a report from Google's malware detection team (PDF). "Beginning in June 2009, Google charted a massive increase in the number of unique fake antivirus installer programs, a spike that Google security experts posit was a bid to overwhelm the ability of legitimate antivirus programs to detect the programs. Indeed, the company discovered that during that time frame, the number of unique installer programs increased from an average of 300 to 1,462 per day, causing the detection rate to plummet to below 20 percent. ... In addition, Google determined that the average lifetime of sites that redirect users to Web pages that try to install scareware decreased over time, with the median lifetime dropping below 100 hours around April 2009, below 10 hours around September 2009, and below one hour since January 2010."

11 of 245 comments

  1. Re:Why use an unknown AV program? by fuzzyfuzzyfungus · · Score: 4, Funny

    Because AntiVirus 2010 has just detected dozens or even hundreds of critical security threats that your existing AV has missed!

    What upgrade could be more sensible?

  2. Re:This is why i love noscript and requestpolicy by plastiqueman · · Score: 5, Informative

    I work for an IT helpdesk at a large public university and we see students come through all the time with these programs. Realistically though, the installation vector we see the most is not the installation of programs from random websites; the majority get them from clicking a link to watch a movie (still in theaters) online or even through certain ads in Facebook. These programs have simply gotten extremely clever at tricking the end user.

  3. We've had a couple of these by IICV · · Score: 4, Funny

    We've had a couple of these at work - not fake AVs, but some weird thing that seems to change the Active Desktop so that it looks like there's an antivirus window.

    The funny thing is that they look a lot more like an anti-virus program than our actual antivirus. They have this really slick fake "scanning" window that looks like something Apple would come up with if they had to design an AV scanner, while our real AV software looks like a piece of junk some poor Russian hacker cobbled together. It's sad really; the fake AVs have Symantec beat in everything from total resource usage to looks.

  4. Fake dope dealers by oldhack · · Score: 5, Funny

    So it's like fake dope dealers are outpacing true dope dealers.

    --
    Fuck systemd. Fuck Redhat. Fuck Soylent, too. Wait, scratch the last one.

  5. McAfee by LinuxIsGarbage · · Score: 4, Informative

    Does this include McAfee? It seems to be a fake anti-virus, holding critical system files hostage.

  6. Re:Why use an unknown AV program? by Altus · · Score: 4, Interesting

    It's shocking, though: nobody would trust someone in the real world telling you that you need something they are providing without some kind of double check.

    If someone showed up at your house and told you that your water could kill you because of some microbe you have never heard of that they claim is getting into your pipes, and that the only way to make yourself safe is to install this helpful filter that they are selling, would you believe them?

    --

    "In America, first you get the sugar, then you get the power, then you get the women..." -H. Simpson

  7. EXCUSE ME SIR! by ElectricTurtle · · Score: 4, Funny

    Pardon me, sir, but I would be remiss if I didn't inform you that you have clearly contracted a rare disease that will kill you painfully in short order UNLESS you pay me to inject this substance into you. You can trust me, I'm a doctor.

    ....

    Why is it that virtually nobody would fall for that in meatspace, but innumerable people fall for it online? It's just like the 419 scams. What is it about THE INTARWEBS that makes people exponentially more gullible than they would be to a random person on the street?

    --
    I support the Slashcott and will not be reading or commenting from 2/10/14 to 2/17/14. Beta is a steaming pile of dog shit

    1. Re:EXCUSE ME SIR! by 0100010001010011 · · Score: 5, Insightful

      Pardon me, sir, but this herb root extract can lower your blood pressure, meaning that you can live a long and healthy life. It's not FDA approved, but it's certified by these doctors.

      It works just as well in meat space too.

  8. We got hit - XP Security by swm · · Score: 5, Informative

    My wife's machine got hit last week.
    No idea where it came from.
    Been running for years with no problem.
    (NetGear router seems to keep the baddies out.)

    All of a sudden there's a dozen dialogs flashing dire warnings about viruses and trojans and keyloggers and malware and insisting that we "register" our copy of XP Security.

    Pulled the network cable and started googling (from a Linux box).
    The thing is pretty nasty.
    It scatters pieces of itself around the file system with random names.
    Then it hooks the .exe registry keys so that it gets control each time any program is run, and takes the opportunity to spawn a new copy of itself, with new dialog boxes and systray icons.

    After you delete the program files, nothing runs at all, because the .exe keys are still trying to redirect through the files you just deleted.
    (Hint: right click -> run as).
    Then I fixed all the .exe (and related) keys by hand.
    There's quite a lot of them, because it is really important for each user on a windows box to have their own semantics for running a program.
    (Removal instructions on the web don't generally find them all.)

    Finally (should have done this long ago) created an admin account and knocked all the user accounts down to user privilege level.
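The ".exe keys" swm describes are the file-association handlers that tell Windows how to launch any executable. An added example, not code from the post or from any removal guide it mentions: a read-only PowerShell audit that checks the machine hive and every loaded user hive for an `.exe` association or `open` command that differs from the stock values, which is where removal instructions tend to miss the per-user copies.

```powershell
# Added example, not from the thread: audit the .exe "open" handler keys that the
# scareware described above hijacks, in HKLM and in every loaded user hive.
# Stock values: .exe maps to the ProgId "exefile", whose open command is  "%1" %*
$GoodCommand = '"%1" %*'

function Get-ExeHandlerFindings {
    $findings = @()
    $roots = @('Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes')
    # Each loaded user profile has a Software\Classes subtree that overrides HKLM for that user.
    $roots += Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object { "Registry::$($_.Name)\Software\Classes" }

    foreach ($root in $roots) {
        $progIds = @('exefile')
        $assoc = "$root\.exe"
        if (Test-Path $assoc) {
            $mapped = (Get-ItemProperty -Path $assoc -ErrorAction SilentlyContinue).'(default)'
            if ($mapped -and $mapped -ne 'exefile') {
                # A redirected ProgId (often a random name) is the classic hijack; inspect it too.
                $findings += [pscustomobject]@{ Key = $assoc; Value = $mapped; Reason = '.exe mapped to non-default ProgId' }
                $progIds += $mapped
            }
        }
        foreach ($progId in $progIds) {
            $cmdKey = "$root\$progId\shell\open\command"
            if (-not (Test-Path $cmdKey)) { continue }
            $cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
            if ($cmd -ne $GoodCommand) {
                $findings += [pscustomobject]@{ Key = $cmdKey; Value = $cmd; Reason = 'open command is not "%1" %*' }
            }
        }
    }
    return $findings
}

$results = Get-ExeHandlerFindings
if ($results.Count -eq 0) {
    Write-Output 'No non-default .exe handler keys found in HKLM or loaded user hives.'
} else {
    $results | Format-Table -AutoSize
}
```

Run it from an elevated prompt so the other users' hives are readable; it only reports, so restoring a flagged key to the stock value above is a deliberate second step.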

  9. Re:This is why i love noscript and requestpolicy by Achromatic1978 · · Score: 4, Insightful

    Our clients get these from ad pop-ups. Generally, the 3rd party ad servers get hacked to serve out these fake AVs. So, sites such as CNN, MSNBC, Fox News, and Drudge Report are often thought to be the vector. They are not, but their 3rd party ad subscriptions are!

    Generally, no. Generally, the reason is that the advertisers and their site owners rarely truly care. Have you seen the utter shit, spam, fakes, and frauds that masquerade as Facebook ads, however often you click "X" and report them as "misleading / deceptive"? Seriously, go to apple.com/store. Look for the neon green MacBook Air. You know, the one you can "test/review then keep for free"...

    It's lip service. They. Just. Don't. Care. The advertisers are paying the bills, not you.

  10. Re:Fake AV installs on piratebay! by RulerOf · · Score: 5, Interesting

    I got hit by that myself. To date, the only virus I've ever gotten.

    I went to change window focus by clicking on what I had thought was some white space in an article that I was reading, but realized it would normally be an ad spot. Another browser window opened (with the annoying OnClose warning) and I closed it. I noticed that Java loaded, and then a few minutes later Security Center lets me know my AV is turned off and all hell starts breaking loose.

    Process Explorer and a few hours later I was back to normal (protip: malware "watcher" processes usually aren't smart enough to realize when they've been suspended. Comes in handy.)

    The app must have exploited some Java vulnerability, but at this point I'm not really sure which one. It used the AT command to get what it wanted in terms of privileges and so on, and went to town on my local security policy.

    In the end, I was a little pissed at myself, as I try to keep software updated to avoid vulnerabilities like that, but alas I finally got hit by one. Made me feel a little more capable of believing the [usually bullshit] story of "I was just using it when all of a sudden these things started popping up!"

    Fun fact: I was browsing with Chrome.

    --
    Boot Windows, Linux, and ESX over the network for free.