Slashdot Mirror


Three Indicted In Scareware Scam That Netted $100M

alphadogg writes "Three men are facing federal fraud charges for allegedly raking in more than $100 million while running an illegal 'scareware' business called Innovative Marketing that tricked victims into installing bogus software. The company's products generated so many consumer complaints that in 2008 the FTC brought a civil action against Innovative Marketing and call center partner Byte Hosting, effectively putting them out of business. On Wednesday, a grand jury in Chicago handed down criminal charges, meaning the three men now face jail time if convicted." One of the men indicted is in Ohio and the others are believed to be in Ukraine and Sweden. Microsoft's Digital Crimes Unit helped out with the case.

120 comments

  1. Finally. by Lord+Kano · · Score: 0

    These guys can kiss the baby.

    LK

    --
    "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
    1. Re:Finally. by Anonymous Coward · · Score: 0

      You gotta come see the baby!

    2. Re:Finally. by Anonymous Coward · · Score: 1, Interesting

      Having spent time on a lot of sites, slashdot trolls are still some of my favorites just because they are restricted to text so you get these wonderful monologues of fail in the middle of semi rational discussions. I'll drink a beer to you tonight AC.

  2. Fake AVs by DigiShaman · · Score: 2, Interesting

    Is this the same group that created all of those XP Antivirus 200X programs? Christ almighty! That's some serious malware that's almost impossible to remove! I can only imagine how much the developers got paid.

    --
    Life is not for the lazy.
    1. Re:Fake AVs by Pax681 · · Score: 0

      erm.., they are not hard at all to remove. Sometimes it's as simple as going into safe mode, making sure that you show hidden files, and then you will see the uninstaller in the fake antivirus install folder

      I am pretty sure a simple Google search would show there are a plethora of simple means of removal. I have taken this off a fair few machines over the last couple of years, and all I had to do was a Google search then for a cure!

    2. Re:Fake AVs by Anonymous Coward · · Score: 2, Insightful

      Do you do online banking on these machines afterwards?

    3. Re:Fake AVs by armanox · · Score: 3, Informative

      Have you tried recently? More recent versions disable safe mode, have no uninstaller, and can keep me busy for an entire day.

      --
      I'm starting to think GNU is the problem with "GNU/Linux" these days.
    4. Re:Fake AVs by Pax681 · · Score: 1

      was just chatting to a friend about this and he then sent me this as a very effective removal tool

      http://download.cnet.com/Remove-Fake-Antivirus/3000-2239_4-10915342.html

    5. Re:Fake AVs by sv_libertarian · · Score: 1

      I took one off a friend's computer, and the AVG boot disc (linux based) scanned everything, but it still didn't kill it all. No safe mode, but I got lucky, it was a slow loading virus, and I was able to kill it in the task manager before it could block the antivirus software, and redirect web traffic. Then the AVG was able to work. I once again made my pitch for installing linux to no avail...

    6. Re:Fake AVs by lambent · · Score: 2, Insightful

      why would they bother installing linux, since they have a friend who is skilled and willing enough to clean it up for them?

      I've been down this road too many times. I have now been forced to never offer "clean up" support for friends and family. It makes me sad, but it's the only way they learn : (

    7. Re:Fake AVs by flappinbooger · · Score: 1

      they are getting tougher, that's for sure. But there are still tricks to get rid of them. The problem is the friends they bring with....

      --
      Flappinbooger isn't my real name
    8. Re:Fake AVs by gcatullus · · Score: 1

      Not all of them are so easy, yes google is your friend, but many times the googled answer has been reinstall windows, which is easy I suppose except for having the person dig up all their software cds and licenses.

    9. Re:Fake AVs by Pax681 · · Score: 1

      yup cleaned a machine 2 weeks ago with it on.

      I imagine I'll be back at that customer again very soon..lol his urge to spank the monkey on dodgy free porn sites is greater than his need for a clean running machine

    10. Re:Fake AVs by Peach+Rings · · Score: 2, Interesting

      I had a run-in recently from a drive-by malware install (curse you Chrome!). It immediately disabled task manager and locked me out of regedit and msconfig, and icons began to fill my desktop as I gazed on in horror... I couldn't install MalwareBytes because the malware killed the installer process immediately. I couldn't even download anything with an ad-aware-like filename since the request was hijacked and I got a scareware page instead.

      A reboot into safe mode failed. Luckily, I had Process Explorer on a thumbdrive and was able to wrangle it dead with judicious use of Kill Process Tree and very fast clicking, since the processes restart each other when you kill them. Then I could use autoruns to nuke anything remotely non-Microsoft from my startup, and then I could install malware removal tools and antivirus scanners.

      While it's easy to bash Windows after this privilege-escalation browser-hijacking nightmare, the tools available for defeating malicious software even when it has root are impressive. The problem of regaining control from a hostile takeover is fascinating and despite the panic it's always fun to engage in combat using your own little tricks.. it's like sitting in the computer lab on locked-down machines and trying to break free :) In middle school, there were very few icons on the desktop, nothing in the start menu, task manager was locked out, Run didn't work, none of the usual key combinations were effective... but I discovered that you could embed a hyperlink to file://c:/windows/cmd.exe in a word document and control+click it to bring up the DOS prompt!

      And frankly the only reason that I was able to recover control from the malware is because XP's internal security is a wreck and there are a million different things to lock down individually. Let's face it, if somehow malicious code found a way to be executed as root on my linux system, there are no tools on earth short of going over the entire filesystem in a different OS with a text editor that can save you. Even rudimentary tools like Autoruns have no analogue in Linux.. there are rc.d scripts and .bashrc scripts and .xsession scripts and rc.conf and etc etc etc scattered all over the place, it's a mess. Well, I don't want to turn this into a unix haters rant...

    11. Re:Fake AVs by s122604 · · Score: 1

      Yep, I spent last weekend getting one of these fake av's off my wife's spare laptop ( an old p4 that refuses to die)..

      I got the main scareware off easily, but Malwarebytes, MSE, and a few other programs could not get rid of the underlying Aleuron.h root kit

      end result, gave up, blew up the XP Home and didn't reinstall, it's now an Ubuntu machine exclusively..

    12. Re:Fake AVs by gcatullus · · Score: 1

      Same issue I've seen with redirecting of web traffic, it was crazy - I figured that it would only affect Firefox and IE on the machine, but it even affected a new install of Chrome. Browser looked fine until you googled microsoft, avg, trend micro, etc. Just plain nasty

    13. Re:Fake AVs by the_bard17 · · Score: 1

      Just a heads up, if they've got a router. I've seen a few bits of malware that log into a router using default credentials, then point it to a custom DNS server. It was fun finding that out after a fresh reinstall...

    14. Re:Fake AVs by Lumpy · · Score: 0

      BartPE CD.. I can remove it in 10 minutes.

      Then install and run a good anti malware scanner and walk away...

      Upgrade your tool set, it's silly to fight with these things.

      --
      Do not look at laser with remaining good eye.
    15. Re:Fake AVs by nomadic · · Score: 0, Troll

      was just chatting to a friend about this and he then sent me this as a very effective removal tool

      No, no, for the best malware removal tool you need to get this one. Run it straight from the download link and give it administrator access when it installs. Don't mind the spelling errors, it's really a first-rate piece of software.

    16. Re:Fake AVs by oddaddresstrap · · Score: 1

      Indeed, the new ones are bad. However, this has worked for me:
      Take the drive out and put it into a fully-updated Windows box as a second drive, then run updated MS Security Essentials and updated MalwareBytes against it. It takes a while to run full scans, but it seems to work ("seems" being the operative word).

    17. Re:Fake AVs by Lumpy · · Score: 1

      And is a good lesson to teach that user.

      you chose to use Microsoft, you get to pay the piper......

      My wife's Ubuntu box crashed when its hard drive failed... I recovered her user directory to another drive and reinstallation of all software was easy...

      Same for my Mac.. I can install a fresh OS and not have to reinstall any of my apps.

      --
      Do not look at laser with remaining good eye.
    18. Re:Fake AVs by Whyte+Panther · · Score: 3, Insightful

      Because I would absolutely trust an uninstaller app provided with a malware "virus scanner". I think I'll cut out its heart by myself, thank you very much.

    19. Re:Fake AVs by Anonymous Coward · · Score: 1, Informative

      One word.... "Combofix"

      Seems to remove it everytime I use it.

    20. Re:Fake AVs by Mister+Whirly · · Score: 2, Interesting

      Exactly. If you are trying to clean an infected Windows machine while running infected Windows, you are doing it wrong. BartPE or any of the bootable Live CDs are your friend. In particular, UBCD4Win works wonders and has saved me hours of frustration in the past. And I deal with at least 2 infected computers a month of all different types of malware/virus/trojan/rootkit problems. So far have not needed to start over from scratch once. Once you learn the newest tricks the malware authors are using, it is pretty easy to clean the machines.

      --
      "But this one goes to 11!"
    21. Re:Fake AVs by pnewhook · · Score: 3, Insightful

      I had the same thing and luckily I had Process Explorer installed..

      I'd be quite happy if the verdict came down to just shoot them. Seriously. I'm tired of this crap constantly trying to infect my computer and the crap emails I get every day. I'm careful and have only been infected twice ever, and the spam filters take care of most of the email, but seriously - how much effort is spent creating and then creating prevention for this crap??

      Once convicted, summarily shoot them.

      --
      Tesla was a genius. Edison however was an overrated hack who liked to torture puppies.
    22. Re:Fake AVs by spidercoz · · Score: 1

      I've done that. Cleaned up a friend's mom's pc once, explained to her that it was because she kept going to those stupid crap game sites that popped up all over a few years ago, I forget which, the big one. Anyway, got it cleaned up, put noscript on and blacklisted the site. Couple months later found out she had disabled noscript and completely ignored everything I told her. Surprise surprise, the machine was trashed. Told her she's on her own. The work I did would've easily been $100 at a shop and she thought I would do it again for free. Bullshit, lady. You did exactly what I told you not to and got screwed because of it. Look at this as an object lesson.

      I swear, Pavlov's dog was smarter than some of these people.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - Evelyn Beatrice Hall, re Voltaire
    23. Re:Fake AVs by spidercoz · · Score: 1

      lol, dead on, man

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - Evelyn Beatrice Hall, re Voltaire
    24. Re:Fake AVs by Peach+Rings · · Score: 1

      Uh any convictions of particular criminals won't stop the flow, and shouldn't be depended on to stop the flow. In other words, there's no point in prosecuting them. The problem is a technical one not a legal one.

    25. Re:Fake AVs by oh-dark-thirty · · Score: 1

      I've had good luck using combofix on variants of this malware. It works about 90% of the time to at least beat it into submission, I can then manually remove any remnants.

    26. Re:Fake AVs by oh-dark-thirty · · Score: 1

      X2

    27. Re:Fake AVs by Xoltri · · Score: 4, Informative

      Instead of using kill process tree you can use suspend process. That way it won't relaunch itself or other related processes. Then you can kill them all without having to click really really fast.

      --
      -Xoltri
    28. Re:Fake AVs by s122604 · · Score: 1

      Fail on that: Malwarebytes and MSE both can find Aleuron.h file, indicative of a particular flavor of root kit. They both find it, but they cannot remove it.

      I googled around and the consensus was, "eh, just rebuild"

      not saying its not possible, just not easy....

    29. Re:Fake AVs by oddaddresstrap · · Score: 1

      Not to say you're not right, but what would prevent MSE and/or MWB from removing it? We're scanning a non-boot drive from a clean machine with no malicious code running.

    30. Re:Fake AVs by kryliss · · Score: 1

      On machines that I deal with regularly, I do a full install, update and patch, install all needed drivers, turn off swap space, defrag, clear out all cache and temp files, then do a full ghost of the drive. Data such as music and pictures are kept on a separate partition/drive. The ghost usually takes about 10 minutes to restore.

      --
      --- If the bible proves the existence of God, then Superman comics prove the existence of Superman.
    31. Re:Fake AVs by hairyfeet · · Score: 1

      No shit! The only worse one I've come across is the "security tool" scareware...now that is a royal PITA to kill! Runs in safe mode, respawns processes, really nasty piece of work that one is. As for TFA while I'd love to say good riddance to bad rubbish, knowing somebody else will just pick up where they left off. No shortage of scumbags anywhere that I can see.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    32. Re:Fake AVs by Ihmhi · · Score: 1

      The mistake you make is doing it for free.

      Family owes me a favor. Friends and co-workers pay.

      Would you honestly ask your buddy who's a landscaper to "do you a favor" and mow your lawn for free? How many landscapers would say yes?

    33. Re:Fake AVs by Ihmhi · · Score: 1

      I have no idea what Process Explorer is, but considering the parent and grandparent post I'm sure as hell going to be looking into it.

    34. Re:Fake AVs by DDLKermit007 · · Score: 1

      Man there's a new one that I'm seeing on the bench recently that does all that, and disables anything including explorer and task manager from running. Offline drive scans don't catch it, and I've yet to figure out where the hell it's stored (not in the usual random user's folder). I can find a whole ton of its copies, but never the original file. I've had to wipe so many damn machines because of that one. At least with explorer running you can force a few things to happen that'll help with its location if it's in odd spots.

    35. Re:Fake AVs by DigiShaman · · Score: 1

      Process Explorer is like the Task Manager, but far more advanced. It's just a single executable, so it's very portable.

      Autoruns is sorta like MSConfig or Hijackthis on steroids.

      Basically, you run Process Explorer to kill the thread in question, then use Autoruns to prune the malware from bootup and other places it has its hooks into. If successful, you've neutered the malware enough to allow a 3rd party anti-malware program to be executed.

      --
      Life is not for the lazy.
    36. Re:Fake AVs by DigiShaman · · Score: 3, Informative

      That's because the EXE file association was hijacked. Once you run an EXE, Windows makes a callback to the malware. If you right-click on the EXE file however, I've found that you can open it up with another option in the context menu.

      The registry value in Windows that should be checked:

      HKEY_CLASSES_ROOT\exefile\shell\open\command
      The (Default) value should be set to:
      "%1" %*

      --
      Life is not for the lazy.
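    An added check for the association hijack described in the post above (example code written for this page, not from the thread or from Microsoft): it parses a `.reg` export and flags any `exefile\shell\open\command` default other than `"%1" %*`, plus any `.exe` key whose default no longer points at the `exefile` ProgID. It looks in every hive present in the dump rather than only HKEY_CLASSES_ROOT, because HKCR is a merged view of HKLM\Software\Classes and the per-user HKCU\Software\Classes, and the per-user copy wins, which is exactly where a limited account can plant its own version. The two dumps below are constructed samples; the launcher path in the hijacked one is hypothetical, not a known sample.

```python
"""Audit an exported .reg file for a hijacked .exe file association.

Added example for this page. CLEAN_REG and HIJACKED_REG are constructed samples;
the launcher path in HIJACKED_REG is hypothetical.
"""
import re

# Clean default value of <hive>\exefile\shell\open\command, as quoted in the post.
EXPECTED_EXEFILE_COMMAND = '"%1" %*'
# Clean default value of <hive>\.exe: the ProgID that .exe files resolve to.
EXPECTED_EXE_PROGID = 'exefile'

_KEY_RE = re.compile(r'^\[(.+)\]$')
# Either the (Default) marker '@' or a quoted value name, then '=' and the raw data.
_VALUE_RE = re.compile(r'^(?:(@)|"((?:[^"\\]|\\.)*)")=(.*)$')

# Constructed sample of a clean export, decoded to text.
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

# Constructed sample of the hijack: the machine-wide value is untouched, but a
# per-user copy routes every .exe launch through a launcher first (path hypothetical).
HIJACKED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\hgfd\\hgfd.exe\" -a \"%1\" %*"
'''


def _unescape(inner):
    """Undo .reg string escapes: \\\\ -> \\ and \\" -> " ."""
    return re.sub(r'\\(.)', r'\1', inner)


def _decode_value(raw):
    """Decode a value's right-hand side: quoted strings and dword:; other types are kept raw."""
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.lower().startswith('dword:'):
        return int(raw[6:], 16)
    return raw  # hex(...) binary / expand-string data, left undecoded


def load_reg(path):
    """Read a reg.exe export: v5 exports are UTF-16 with a BOM, REGEDIT4 exports are ANSI."""
    with open(path, 'rb') as fh:
        data = fh.read()
    if data.startswith((b'\xff\xfe', b'\xfe\xff')):
        return data.decode('utf-16')
    return data.decode('latin-1')  # lossless stand-in for the ANSI code page


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: value}}; name '' is the (Default) value."""
    keys, current = {}, None
    for raw in text.lstrip('\ufeff').splitlines():
        line = raw.strip()
        if not line or line.startswith(';') or line.upper().startswith(('WINDOWS REGISTRY EDITOR', 'REGEDIT4')):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:  # hex continuation lines do not match and are skipped
            name = '' if m.group(1) else _unescape(m.group(2))
            keys[current][name] = _decode_value(m.group(3))
    return keys


def audit_exe_association(keys):
    """Return [(key_path, actual_default)] for every .exe association value that is not clean.

    Every hive in the dump is checked: HKCR is a merged view, and a copy under
    HKEY_CURRENT_USER\\Software\\Classes takes precedence over the machine-wide one.
    """
    findings = []
    for path, values in keys.items():
        lower = path.lower()
        default = values.get('')
        if lower.endswith(r'\exefile\shell\open\command') and default != EXPECTED_EXEFILE_COMMAND:
            findings.append((path, default))
        elif lower.endswith(r'\.exe') and default is not None and str(default).lower() != EXPECTED_EXE_PROGID:
            findings.append((path, default))
    return findings


if __name__ == '__main__':
    for label, dump in (('clean', CLEAN_REG), ('hijacked', HIJACKED_REG)):
        print(label, audit_exe_association(parse_reg(dump)))
```

    To use it on a real machine, export the keys from the clean side (a BartPE/UBCD4Win boot, or the drive mounted in another box with the victim's hives loaded in regedit), then run `audit_exe_association(parse_reg(load_reg('exefile.reg')))`; an empty list means the association is as Windows ships it.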
    37. Re:Fake AVs by DigiShaman · · Score: 1

      Not sure if it's possible, but I've always wondered if a virus could be written into binary registry keys. Basically, the Windows kernel executes, loads the registry hive, then the virus is spawned from code inside it.

      --
      Life is not for the lazy.
    38. Re:Fake AVs by pnewhook · · Score: 1

      That's like saying there will always be murderers, so there's no point in trying to convict them. You should try and stop getting killed instead.

      --
      Tesla was a genius. Edison however was an overrated hack who liked to torture puppies.
    39. Re:Fake AVs by sv_libertarian · · Score: 1

      Actually I didn't do it for free. He gave me a killer deal on two .22 handguns, and a .22 rifle for my trouble.

    40. Re:Fake AVs by sv_libertarian · · Score: 1

      in retrospect that sounds so bad...

    41. Re:Fake AVs by game+kid · · Score: 1

      PE is a beauty. The only thing it really misses is Task Manager's Up Time clock (Performance tab), which appears to be the only way in Windows to get the total system up time exclusive of standbys and hibernates. (Other methods, and I've tried many, just count time from boot. Let me know if I missed one.)

      If that makes it to PE, I'd happily let even malware delete taskmgr.

      --
      You can hold down the "B" button for continuous firing.
    42. Re:Fake AVs by Peach+Rings · · Score: 1

      Oh, right that happened too. I had to right-click Process Explorer and hit Run As... and run it as myself.

    43. Re:Fake AVs by sjames · · Score: 1

      Let's face it, if somehow malicious code found a way to be executed as root on my linux system, there are no tools on earth short of going over the entire filesystem in a different OS with a text editor that can save you.

      Just boot the rescue disk, that's what it's there for.

      Of course, I wouldn't praise XP too strongly, since the same holes that let you kill the malware (you think) are what let the malware in in the first place.

    44. Re:Fake AVs by RockDoctor · · Score: 1

      and very fast clicking, since the processes restart each other when you kill them.

      Ah, the old "Robin Hood"/ "Friar Tuck" trick. That's so 1970s.

      --
      Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
    45. Re:Fake AVs by psiclops · · Score: 1

      umm yeah, except when I had one it had redirected my web traffic, making it near-impossible to Google search from the infected machine.

      --
      i spent five minutes thinking and all i got was this crappy sig
  3. Great news by Zedrick · · Score: 5, Funny

    ...but hopefully only the beginning. Let's hope "Microsoft's Digital Crimes Unit" can help take down Symantec next.

    1. Re:Great news by dwiget001 · · Score: 1, Troll

      It would be real news if "Microsoft's Digital Crimes Unit" took down -- Microsoft!!!

    2. Re:Great news by maxume · · Score: 1, Insightful

      Whichever Microsoft group it is that puts together Security Essentials is working on that too.

      --
      Nerd rage is the funniest rage.
    3. Re:Great news by Kjella · · Score: 1

      Well, we already heard they have a guy to take out IE6. I think WinME is already fairly dead, but if they could put a bounty on Vista's head too... WinXP and Win7 are actually nice products, Microsoft remind me a bit of Intel. They may hit their Itanics, but they keep coming back with a vengeance.

      --
      Live today, because you never know what tomorrow brings
    4. Re:Great news by virtualonliner · · Score: 1

      Symantec (and McAfee) is much worse. For starters, it's not unobtrusive like other scareware.

    5. Re:Great news by Xoltri · · Score: 1

      Symantec and McAfee are partially responsible for this problem. They were the ones that got users used to whipping out their credit cards when their computer told them their antivirus subscription was over and needed to be renewed. No longer was it good enough to go to the store and buy a boxed antivirus solution with free lifetime updates. Now they wanted money from you every year.

      Now grandma gets a popup about how her xp antivirus needs her credit card information. She doesn't know the difference. It's really a smart social engineering solution that was set in motion by the greedy major antivirus companies.

      --
      -Xoltri
    6. Re:Great news by corerunner · · Score: 1

      mod parent up

      --
      "Don't hate the media, become the media." -Jello Biafra
  4. There are still more out there!! by RPGonAS400 · · Score: 0

    I spent hours yesterday removing "AntiVirus Soft" from 2 computers at home yesterday. They are getting tougher now also by making it harder to run programs like AntiMalWareBytes and others even in "Safe Mode". This one also pops up porn sites once in a while. I have heard it lays dormant for a while.

    1. Re:There are still more out there!! by maxume · · Score: 1

      Hopefully AntiMalWareBytes is a typo and not an additional source of your problems, the name of the popular malware removal tool is Malwarebytes' Anti-Malware.

      --
      Nerd rage is the funniest rage.
    2. Re:There are still more out there!! by KahabutDieDrake · · Score: 2, Interesting

      HAHA, I just reformatted yesterday because of that garbage. It didn't seem worth the effort of digging it out, especially as good as it is at defeating any attempt to do so. So I just ghosted to a good install and moved on. I'm going through some log files right now to see if I can figure out where it came from, so I can block the domain/IP. It's not looking good so far.

    3. Re:There are still more out there!! by Anonymous Coward · · Score: 0

      Typically, I've had success going into safe mode after turning off "recovery mode", and running malwarebytes a few times. It's prone to making you unable to run executable files also, but there's a .reg file that will fix that. Available from microsoft.

      As messed up as it may sound, I've made a fair bit of money off victims of this kind of crap.

    4. Re:There are still more out there!! by RPGonAS400 · · Score: 1

      Yes - I was just typing off the top of my head and got it wrong.

    5. Re:There are still more out there!! by Anonymous Coward · · Score: 0

      Yep, as an IT tech I have had to deal with multiple variations of the fake Windows antivirus 'program'. All it takes is a visit to an infected website and it will hop on and take over your machine. Malwarebytes' Anti-Malware works like a charm every time, and is free to boot.

    6. Re:There are still more out there!! by Lumpy · · Score: 1

      install a blocking hosts file and privoxy. It stops 99% of all that crap. Don't leave it up to the browser adblocking... stop it before it can even get to the browser.

      --
      Do not look at laser with remaining good eye.
    7. Re:There are still more out there!! by s122604 · · Score: 1

      Ok, I'll take one for the "knows a lot less about this stuff than my friends/relatives think I do" team

      How do you do this?

      Is it something you install locally, or on your router/firewall?

    8. Re:There are still more out there!! by h4rr4r · · Score: 1

      Format the machines and start again. I cannot understand why windows folks bother with this. If the install has been infected you can never trust it again, wipe and start over.

    9. Re:There are still more out there!! by Anonymous Coward · · Score: 0

      Step by step Instructions:

      http://www.mvps.org/winhelp2002/hosts.htm

      Kills 99% of ads and other unwanted crap as well.

    10. Re:There are still more out there!! by spidercoz · · Score: 1

      No, it doesn't. No one anti-crapware app is sufficient. And my personal experience w/ Malwarebytes hasn't impressed me much. You usually need at least a couple scanners to run in succession, along with using process explorer and autoruns to get a good cleaning.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - Evelyn Beatrice Hall, re Voltaire
    11. Re:There are still more out there!! by Mashiki · · Score: 1

      Generally you need two. Malwarebytes is good for a newbie however and will catch almost anything, it's actually what I install on customer machines and then schedule an automated run for it. The other I'd suggest is Spybot S&D, besides having a nice host file it checks against known malware. I know some people like prevx, but I find it mediocre at the best.

      --
      Om, nomnomnom...
    12. Re:There are still more out there!! by Jaysyn · · Score: 1

      Download & setup Privoxy.

      http://sourceforge.net/projects/ijbswa/files/
      http://www.privoxy.org/user-manual/quickstart.html

      Grab a decent HOSTS file & stick it in your %SystemRoot%\system32\drivers\etc\

      Alternatively, you can install Spybot & let its Immunize function generate a HOSTS file for you.

      --
      There is a war going on for your mind.
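    A check on the other direction of the HOSTS file, as an added example for this page (not from the thread, the MVPS page or Privoxy): a blocking hosts file only ever maps names to a sink address (0.0.0.0 or 127.0.0.1), so when you pull a copy of `%SystemRoot%\system32\drivers\etc\hosts` off an infected drive, any name mapped to a routable address is a redirect worth a look, the hosts-file form of the vendor-site redirection described earlier in the thread. The sample file below is constructed; 192.0.2.45 is an RFC 5737 documentation address standing in for an attacker's server, and the script separates deliberate LAN entries from redirects so a machine with a hand-added fileserver line does not drown the report.

```python
"""Classify the entries of a Windows hosts file: blocklist sinks, LAN names, redirects.

Added example for this page. SAMPLE_HOSTS is constructed; 192.0.2.45 is an
RFC 5737 documentation address standing in for an attacker-controlled host.
"""
import ipaddress

# Private and link-local ranges: a name pointed here is most likely a deliberate LAN entry.
# (Explicit list rather than ip_address.is_private, which also covers the documentation nets.)
_LAN_NETS = [ipaddress.ip_network(n) for n in (
    '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '169.254.0.0/16', 'fc00::/7', 'fe80::/10')]

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# (constructed sample)
127.0.0.1       localhost
0.0.0.0         ad.doubleclick.net           # MVPS-style blocklist entry
127.0.0.1       www.malwaredomain.example    # older blocklist style, also a sink
192.168.1.10    nas                          # hand-added LAN entry
192.0.2.45      www.microsoft.com
192.0.2.45      www.avg.com www.malwarebytes.org
192.0.2.45      google.com www.google.com
this is not a hosts line
"""


def classify(ip):
    """'sink' for 0.0.0.0/loopback, 'lan' for private/link-local, 'redirect' for anything routable."""
    addr = ipaddress.ip_address(ip)
    if addr.is_unspecified or addr.is_loopback:
        return 'sink'
    if any(addr in net for net in _LAN_NETS):  # version mismatch simply tests False
        return 'lan'
    return 'redirect'


def parse_hosts(text):
    """Return (lineno, ip, hostname) per name; ip is None for lines that do not parse."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split('#', 1)[0].split()  # drop comments, split on any whitespace
        if not fields:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            entries.append((lineno, None, ' '.join(fields)))
            continue
        for host in fields[1:]:
            entries.append((lineno, ip, host.lower()))
    return entries


def audit_hosts(text):
    """Return {'sink': count, 'lan': [...], 'redirect': [...], 'malformed': [...]}.

    Sink entries are only counted (a blocking hosts file has thousands). Redirects are
    listed as (lineno, hostname, ip) and are the lines to remove or investigate.
    """
    report = {'sink': 0, 'lan': [], 'redirect': [], 'malformed': []}
    for lineno, ip, host in parse_hosts(text):
        if ip is None:
            report['malformed'].append((lineno, host))
            continue
        kind = classify(ip)
        if kind == 'sink':
            report['sink'] += 1
        else:
            report[kind].append((lineno, host, ip))
    return report


if __name__ == '__main__':
    import pprint
    pprint.pprint(audit_hosts(SAMPLE_HOSTS))
```

    Run it against the copied file with `audit_hosts(open('hosts', encoding='latin-1').read())`. A redirect list that is empty only tells you the hosts file is clean; the redirection the thread describes can just as well live in the DNS settings (including the router's, as noted upthread) or in the browser process itself, so treat this as one check among several, not the whole answer.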
    13. Re:There are still more out there!! by Anonymous Coward · · Score: 0

      I agree with this. But how does one take a backup the right way to avoid bringing malware/virus/trojan/rootkit into the new fresh installation of OS?

    14. Re:There are still more out there!! by Anonymous Coward · · Score: 0

      go to: www.google.com
      Search term... "Privoxy".
      Search term... 'Blocking hosts file'.

      Click on the links from the above search terms, read content of the website that pops up, follow instructions that are located on that webpage, or via links found on the webpages.

      Links are usually blue and underlined. Clicking means using the mouse, moving it over the blue underlined text and clicking the right button.

  5. Equivalent to 38 murders by mrnobo1024 · · Score: 2, Interesting

    According to the Department of Transportation, one human life is worth $2,600,000, meaning that the damage of this scam was approximately equal to that of 38 deaths. To put this in perspective, the Manson family almost earned death penalties for only 27. I hope the judge takes this into account when deciding sentencing.

    1. Re:Equivalent to 38 murders by jank1887 · · Score: 1

      wow. loved reading that.

      "This study presents a figure of $2.2 million (in 1988 dollars) as the recommended value to use in benefit-cost analyses as the willingness-to-pay to avert a fatality...The GDP implicit price deflator increased about 18 percent from its average value in 1988 through 1993. Therefore, the 1988 figure of $2.2 million dollars was increased 18 percent to yield a 1994 figure of $2.6 million dollars."

      awesome.

    2. Re:Equivalent to 38 murders by Seth+Kriticos · · Score: 2, Funny

      The article you point to writes about 1994 Dollars. Based on the CPI (consumer price index), that would be equivalent of 3,179,729.73 today's dollars.

      Dividing the 100M by this amount yields around 31.45 fatalities. Still better than the Manson family, I guess..

    3. Re:Equivalent to 38 murders by fustakrakich · · Score: 1

      Wonderful! Except nobody died... murder and fraud are two different things. I hope the judge takes this into account when deciding sentencing.

      --
      “He’s not deformed, he’s just drunk!”
    4. Re:Equivalent to 38 murders by Anonymous Coward · · Score: 0

      Better?

    5. Re:Equivalent to 38 murders by spidercoz · · Score: 1

      lolwut? you're saying these douchebag scammers are on the same level as mass murderers? dude, get a fucking grip

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - Evelyn Beatrice Hall, re Voltaire
    6. Re:Equivalent to 38 murders by hellop2 · · Score: 1

      Well, based on my own price index, which I call the 20-Ounce Coke Index, the value of a human is worth about $6.3 million.

      Why?

      Because the price of a 20-ounce Coca Cola in 1994 was $0.59. Today it is $1.69. Which is a factor of about 2.865, because 0.59 * 2.865 = 1.69.

      So $2,200,000 * 2.865 = $6,303,000.

      --
      How many more years will slashdot have an off-by-one error on your Score in your profile?
  6. Damn govm't interference by bill_kress · · Score: 0, Flamebait

    If they would just wait for the free market to kick in, this would be solved once and for all!

    1. Re:Damn govm't interference by Fuzzums · · Score: 1

      Free Market already took care of the nice cinema in my town.
      I'm sure Free Market also has a nice solution for scareware.

      --
      Privacy is terrorism.
    2. Re:Damn govm't interference by BillX · · Score: 1

      One of the guys is in Ukraine; civilian nukes can't travel that far :-(

      --
      Caveat Emptor is not a business model.
  7. Obligatory reference by toxonix · · Score: 0, Offtopic

    Digital Crimes? Sheeeeeeeeeeeeeeiiiiit

    1. Re:Obligatory reference by morgan_greywolf · · Score: 2, Interesting

      I agree. There's no such thing as 'digital crime': fraud is fraud, whether it's committed online or not.

  8. This is why... by smooth+wombat · · Score: 3, Informative

    I tell everyone, both at work and the few who know I work in the IT field, that whenever you are asked if you want to install something, the answer is always no. I don't care if it tells you your computer will explode and burn your house down, the answer is no. I don't care if it tells you that 1 million babies will be killed if you don't install the software. The answer is still no.

    No, no, no, no, no!

    Of course not making them admin helps in this regard, but malware can still find a way to install itself so the answer is always no when asked if you want to install "Ultimate Web Cleaner Deluxe Plus!".

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    1. Re:This is why... by Runaway1956 · · Score: 0

      "Ultimate Web Cleaner Deluxe Plus!"

      Does it run on Debian? I'd really like to clean my webs. Can you give me a link? ;^)

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    2. Re:This is why... by Anonymous Coward · · Score: 0

      Problem is, since it's malware, they can easily make the No button a Yes.

    3. Re:This is why... by spidercoz · · Score: 1

      real problem is all the buttons do the same fucking thing, that's why it's a SCAM

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - Evelyn Beatrice Hall, re Voltaire
    4. Re:This is why... by Dex1331 · · Score: 0

      Exactly, clicking "no" doesn't do shite because the window itself is suspect, all the buttons will execute the same malware. Better to ctrl-alt-delete and kill the process instead or at least X out of the window if you can't use task mgr.

    5. Re:This is why... by Xoltri · · Score: 1

      Not using an admin account is not a defense to these XP antivirus programs. It installs itself to the user's profile so even if they are using a limited user account it still puts an icon in the system tray, changes the wallpaper and pops up messages about how they are infected and need to provide credit card details. So don't count on that any longer as a defense, at least not in Windows XP.

      --
      -Xoltri
    6. Re:This is why... by cyberjock1980 · · Score: 1

      Yes, but I predict the future "no" will also install it. There's nothing that says if you click "no" it won't install anyway. For most programs, if you click "no" you'd expect some kind of EXIT command. We sane programmers have a GUI that works as we intend. There's no reason why malware/spyware won't have a "yes" and "no" button that do the same thing, right? If I wanted to force you to install a software program, I'd make sure that if you click no it still performs the yes function.

    7. Re:This is why... by Anonymous Coward · · Score: 0

      Not using an admin account is not a defense to these xp antivirus programs.

      It's not a complete defence but it's still a defence. It isolates the problem to that user and makes the infection easier to clean. Both of those are very significant to the admin of that machine.

  9. Finally by Adrian+Lopez · · Score: 0

    The law does something good for a change. Hope they get convicted.

    --
    "In prison you just have to shut your eyes and take it. Here you have to shut your eyes and give it."
  10. Symantec and Norton by mangu · · Score: 4, Interesting

    You beat me to it. Symantec may have done some good stuff, but that was over twenty years ago. Same with Norton but, after they merged together, "scareware" seems the most appropriate name for what they have been doing.

    I liked the "pink shirt" book, though; it was of great use to me in the 1980s.


    1. Re:Symantec and Norton by Anonymous Coward · · Score: 0

      What about Zone Alarm? That trainwreck of a program made any other AV look like it was taking up 5kb of memory and 100kb of hard drive space!

  11. BOO!! by fustakrakich · · Score: 0, Offtopic

    Did I scare ya? How much jail time is that worth? Sick

    --
    “He’s not deformed, he’s just drunk!”
  12. Scareware claiming viruses on my Linux computer by Rick17JJ · · Score: 3, Interesting

    On several occasions over the years, I have encountered scareware which said that viruses and spyware had been detected on my Linux computer. Each time that was while I was browsing the Internet while using Linux at home. I had never heard of any Linux viruses actually circulating in the wild, so I was skeptical that they had actually detected both viruses and spyware on my computer.

    On each of those occasions, it offered to scan my hard drive for viruses and spyware. Despite trying to say no and/or close their web page, the advertisement reappeared and pretended to start scanning my hard drive. It said that it was scanning my drive C, with a progress bar showing that a scan was supposedly in progress. That seemed bogus, because drive letters are not used in Linux for designating hard drives or partitions.

    I had a firewall enabled in both my DSL router and on my computer, with all the incoming ports and most of the outgoing ports closed. So, I doubted that it was actually quite that easy to effortlessly scan my hard drive like that.

    After about 60 seconds of scanning my hard drive, they announced that several viruses and several types of spyware had been found on drive C and also in my registry. Linux does not have a drive C and also does not have a registry, so again that seemed bogus. They then recommended that I purchase their anti-virus product to solve the problem. Not having actually noticed that I was using Linux instead of Windows, they did not offer me a Linux version.

    On at least one of those encounters with scareware over the years, it even tried to download their antivirus program to my computer just after I again tried to close the tab (or possibly a pop-up). Firefox then asked me what program it should use to open a Windows executable file. It also gave me the alternative of choosing where to save the file, or canceling the download. Of course, I did not even consider trying to download the program and see if I could get it to run under WINE.

    After the most recent scareware encounter, I immediately installed the NoScript and AdBlock plug-ins for Firefox. I did that on both my Linux computer and my Windows computer. I had finally had enough of scripts and advertisements. Now, when I encounter an occasional trusted web page which requires scripting enabled, I right-click on the icon in the lower right to either temporarily or permanently allow scripts for just that web page. I am not a computer expert, but my guess is that without scripting enabled, I would probably have less trouble closing the advertisement without it instantly reappearing again.

    1. Re:Scareware claiming viruses on my Linux computer by pipboy9999 · · Score: 0

      Personally I like to watch those sites do their thing on my Linux laptop. I get an odd sense of satisfaction out of it. Sometimes I even click 'OK' just to watch them struggle with Wine.

      --
      Yeah, I've got nothing...
    2. Re:Scareware claiming viruses on my Linux computer by longhairedgnome · · Score: 0

      It said that it was scanning my drive C, with a progress bar showing that a scan was supposedly in progress.

      It's an animation

      --
      GENERATION O98346: The first time you see this, copy it into your sig and remove a random number from the generation. T
    3. Re:Scareware claiming viruses on my Linux computer by S77IM · · Score: 1

      If you browse using Firefox with NoScript and AdBlock on Linux behind two user-configured firewalls and are somewhat up-to-date on the state of Linux viruses, then yes, you are a computer expert.

        -- 77IM

      --
      Student: Is it true that the foundation of the universe is paradox?
      Master: Well, yes and no.
    4. Re:Scareware claiming viruses on my Linux computer by spidercoz · · Score: 1

      it took all that for you to decide it was bullshit?

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - Evelyn Beatrice Hall, re Voltaire
    5. Re:Scareware claiming viruses on my Linux computer by Mashiki · · Score: 1

      That's the reason why most malware succeeds. It fools people into believing that it's something else. Human stupidity is a great thing, it leads to technological expansions, and it also leads to self-destructive behavior.

      --
      Om, nomnomnom...
    6. Re:Scareware claiming viruses on my Linux computer by Jaysyn · · Score: 1

      Yeah, I was thinking the same thing. I'm lucky if my friends even know what a firewall is & I've given up trying to get them to use NoScript. I just charge them to clean their PCs now.

      --
      There is a war going on for your mind.
    7. Re:Scareware claiming viruses on my Linux computer by SheeEttin · · Score: 1

      Right. What you were seeing was just a simulation/mockup of a virus scanner program within your browser (i.e. probably rendered with GIFs and/or JavaScript), usually themed to look like the default Windows XP theme. After announcing it "found viruses", it tries to download the installer. It does this the same way every other file is downloaded, by changing the location (i.e. the page you're viewing) to the binary. This is the same behavior you get when clicking a link to a file the browser doesn't know how to handle.

      I've seen these a few times myself, and because I'm running Linux, I just giggle and close the tab. ;)

    8. Re:Scareware claiming viruses on my Linux computer by Rick17JJ · · Score: 1

      Well, it really did not take that long to decide it was total bullshit, but despite trying repeatedly to close the tab, it kept reappearing in my browser and continuing on. So, I was busy trying to figure out how to get my browser to stop showing the scareware advertisement. At the same time, I was noticing with some amusement the incorrect information and impossible claims that it was making. The first time it happened, I had never even heard of scareware, so I was kind of curious, yet nervous about the aggressiveness of the program.

      Of course I did not even consider giving the scareware permission to scan my computer and did not even consider purchasing their product. But, after finally trying to close the tab or pop-up again, it started trying to download their program to my computer anyway.

      I finally exited from Firefox and, just to be safe, I unplugged my Ethernet cable. Ahead of that, I had noticed the URL where the advertisement was coming from. So, as an experiment, I added that URL to my hosts file and diverted it to my 127.0.0.1 loopback address. I then reconnected my Ethernet cable, restarted Firefox and went back to the same company's web page without the linked scareware advertisement appearing.

      Despite already knowing that it was bullshit, I later looked up the names of the two viruses it had mentioned, elsewhere on the Internet. It said they only infected certain versions of Windows.

    9. Re:Scareware claiming viruses on my Linux computer by Rick17JJ · · Score: 1

      What I meant, is that for me computers are just a hobby, not an occupation. However, I have had several computer courses and computer networking courses in the past, but have never turned it into an occupation and have not stayed up to date with some of the technology changes.

      Even so, I realize that my skills are way beyond what the average computer user has, so I hesitated in saying that I was not an expert.

      I also noticed the URL where the scareware advertisement was coming from. Just as an experiment, I added its URL to my hosts file in a way that diverted it harmlessly to the 127.0.0.1 loopback address on my computer. When I then went back to the same company's web page, the link to the scareware advertisement was blocked. That trick would work for either a Windows, Mac or Linux computer. Of course, the average computer user would not know how to do something like that.

      There are also many important parts of computers and networking where my knowledge is lacking, so I do not really think of myself as an expert.
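
      The hosts-file diversion described in the two Rick17JJ comments above, as an added example that is not from the thread: it takes the ad's URL, keeps only the hostname (the hosts file matches names, not URLs), and appends a loopback entry once without overriding an existing mapping. The hosts content and the ad URL below are constructed placeholders.

```python
"""Divert a scareware ad host to loopback via the hosts file (added example).

Constructed sample: SAMPLE_HOSTS and AD_URL below are made up, not real indicators.
"""
import re
from urllib.parse import urlsplit

LOOPBACK = "127.0.0.1"
# Conservative hostname syntax: dot-separated labels of letters, digits and hyphens.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}\.?$")

# Constructed sample hosts file and ad URL (placeholders).
SAMPLE_HOSTS = "127.0.0.1\tlocalhost\n::1\tlocalhost\n# real sites stay untouched\n"
AD_URL = "http://ads.example.invalid/scan.php?drive=C"


def host_from_url(url: str) -> str:
    """Return the bare, lower-cased hostname: the hosts file matches names, not URLs."""
    host = urlsplit(url).hostname
    if not host or not _HOSTNAME_RE.match(host):
        raise ValueError(f"no usable hostname in {url!r}")
    return host.lower().rstrip(".")


def parse_hosts(text: str) -> dict[str, str]:
    """Map each name in a hosts file to its address; comments and blanks are skipped.

    The first entry for a name is kept, so duplicates never hide the original mapping.
    """
    pinned: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            pinned.setdefault(name.lower(), addr)
    return pinned


def is_sinkholed(text: str, hostname: str) -> bool:
    """True when the hosts file already sends hostname to loopback."""
    return parse_hosts(text).get(hostname.lower().rstrip(".")) == LOOPBACK


def sinkhole(text: str, url: str) -> tuple[str, bool]:
    """Return (new hosts text, changed): append '127.0.0.1 <host>' exactly once.

    A name already pinned to any address is left alone and changed is False, so a
    deliberate existing mapping is never silently overridden.
    """
    host = host_from_url(url)
    if host in parse_hosts(text):
        return text, False
    sep = "" if text == "" or text.endswith("\n") else "\n"
    entry = f"{LOOPBACK}\t{host}\t# scareware ad host diverted to loopback\n"
    return text + sep + entry, True


if __name__ == "__main__":
    updated, changed = sinkhole(SAMPLE_HOSTS, AD_URL)
    print(updated, f"changed: {changed}", sep="")
```

      On Windows the file is C:\Windows\System32\drivers\etc\hosts, on Linux and macOS /etc/hosts, and writing it needs administrator or root rights. The entry only affects name lookups, so an ad served from a different hostname or by bare IP address is not affected.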

    10. Re:Scareware claiming viruses on my Linux computer by sjames · · Score: 1

      Some of those are actually fairly amusing to watch when you're running Linux. They do a fairly good job of making the browser window look like an XP desktop running a virus scanner (which of course, finds tons of viruses).

  13. Almost worth it by ArchieBunker · · Score: 1

    $100 Million split 3 ways? Now you're talking values that make a few years of jail time worth it. That or take the money and run to another country.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
    1. Re:Almost worth it by JSBiff · · Score: 1

      Maybe if they blew it all on coke and hookers. If they bought real estate, boats, or other valuable assets, the government will probably seize them (at least in the case of the guy in the U.S. - the guys in the other country might get away with their share of the money).

    2. Re:Almost worth it by Anonymous Coward · · Score: 0

      "Now you're talking values that make a few years of jail time worth it"

      The FBI is charging the Swede and the Ukrainian with 24 counts of wire fraud and Reno (from Ohio) with 12 counts. According to the FBI press release (http://chicago.fbi.gov/dojpressrel/pressrel10/cg052710.htm),

      "Each count of wire fraud carries a maximum penalty of 20 years in prison and a $250,000 fine and restitution is mandatory"

      and

      "The indictment also seeks forfeiture of approximately $100 million and any and all funds held in a bank account in Kiev"

      Now, if convicted, they will probably not receive the maximum sentence, but they will probably be in prison for a very long time.

    3. Re:Almost worth it by tepples · · Score: 1

      Maybe if they blew it all on coke and hookers.

      How much Coca-Cola and how many Hercules Hooks could 100 million USD buy?

  14. Angry scandinavian... by Anonymous Coward · · Score: 0

    And this is how I #!" find out!!...

  15. Microsoft? by ItsJustAPseudonym · · Score: 0, Troll

    "Microsoft's Digital Crimes Unit helped out with the case."

    Oh gawd. Just watch some guy at CBS start pushing a new series called "CSI: Microsoft". That's ALL we need.

  16. I have successfully used this defense by Hognoxious · · Score: 0, Offtopic

    Reno said he was a young and naïve businessman who was taken advantage of by Innovative Marketing. "I made some mistakes, of course," he said, "however they kept us in the dark on a lot of their operation."

    I have successfully used this defense. When I was six, we put doggy doodoo in Fatty Postlebridge's coat pockets. It was the other two, they maked me done it, waaagh, 's not fair!

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  17. Who helped? by Anonymous Coward · · Score: 0

    MicroSoft's Digital Crime Unit...

    Isn't that kind of like putting a vampire in charge of the blood bank?

  18. So here is the sad part by Anonymous Coward · · Score: 0

    I have had to remove this malware from numerous systems in the past 3 years and the bottom line is, the $29.95 to buy the software is less money than my time is worth. I have never bought anything, but I also have NEVER spent less than an hour in the removal process....

  19. Attornies & Judges do this everyday. Sue them by Anonymous Coward · · Score: 0

    I can't tell you how many times I have no paperwork in front of me alleging crimes, haven't presented any information or evidence, and am expected to answer for something I don't know anything about to an unruly "judge" and scared into some kind of plea agreement in which I pay mass amounts of money to someone outside because the repercussions of some kind of undisclosed dispute would prevail to bankrupt me if I otherwise didn't agree to what little the judge or adversary would say.

    $100M is petty money compared to organized crime in courts. Just last year I had to sit every day for a week because they wouldn't give me a straight answer on when exactly to come to court on each day. I brought a spare writing-pad and wrote down what others around me were paying for various "tickets" that amounted to no damage to others but struck as some kind of violation of sorts. Those God-damned courts are raking in about $15k to $50k every day, each room, on those "tickets" alone. Absolute bastardry!

  20. Once you suspend the process, delete it on disk by Anonymous Coward · · Score: 0

    "Basically, you run Process Explorer to kill the thread in question, then use Autoruns to prune the malware from bootup and other places it has its hooks into." - by DigiShaman (671371) on Friday May 28, @10:49PM (#32385810) Homepage

    Why stop there? Once you have suspended the malware executable (or even library being called by another parent process, such as a bad .DLL being loaded into say, explorer.exe), you can delete it on disk to stop it from running ever again, in addition to stalling out their startup entries with tools like MSConfig OR autoruns (also by Dr. Mark Russinovich of Microsoft).

    That is, assuming it's NOT part of another executable, say as a hidden resource contained INSIDE another program (and yes, you can store executables of any kind inside another executable to either hide them, I have done so with .avi files inside of screensavers I have written for example, &/or, to dynamically load them too (PnP driver programs do this & in fact, I am fairly certain Dr. Mark Russinovich does it in this very program & others he writes, to extract out & load drivers of Plug-N-Play nature inside his programs based on the platform they are running on, what's called "hybrid design" (combined 32 bit/64 bit apps that need drivers do this)).

    I cover how (and why) that's done here:

    ----

    HOW TO SECURE Windows 2000/XP/Server 2003, & even VISTA/Windows 7 (+ make it "fun-to-do" via CIS Tool Guidance & beyond):

    http://forums.theplanet.com/index.php?s=a3272f47031ff9e8939bf662e3a7b7fe&showtopic=89123

    ----

    In that security guide for Windows NT-based OS' "malware removal section"... & yes, it works!

    APK

    P.S.=> Thus, no antispyware/antivirus/antimalware-in-general (the part of your quote above I did not quote which followed directly after it) is even required really...

    That is, once you spot an odd lib or exe running & sometimes you have to use Process Explorer's "DLL VIEW" lower pane (you have to turn this feature on manually, it's NOT on by default) to determine this first!

    Then, you look up the potentially offending process or library on GOOGLE (or any search engine, & I'd suggest using a few sources to be sure of what you are deleting is in fact, a malware) & after determining it is indeed, a malware executable?

    You can pull what I noted with Process Explorer (or, as an alternate method of doing it, recovery console (because it allows you to get to these things before they can even startup in usermode when you logon to your machine))... apk

  21. As I wrote to DigiShaman, try this instead... apk by Anonymous Coward · · Score: 0

    "Instead of using kill process tree you can use suspend process. That way it won't relaunch itself or other related processes" - by Xoltri (1052470) on Friday May 28, @03:35PM (#32380382)

    Why stop there?

    See - Once you have suspended the malware executable (or even library being called by another parent process, such as a bad .DLL being loaded into say, explorer.exe), you can delete it on disk to stop it from running ever again, in addition to stalling out their startup entries with tools like MSConfig OR autoruns (also by Dr. Mark Russinovich of Microsoft).

    That is, assuming it's NOT part of another executable, say as a hidden resource contained INSIDE another program!

    (Yes, you can store executables (OR other types of data too) of any kind inside another executable to either hide them, I have done so with .avi files inside of screensavers I have written for example, &/or, to dynamically load them too (PnP driver programs do this & in fact, I am fairly certain Dr. Mark Russinovich does it in this very program & others he writes, to extract out & load drivers of Plug-N-Play nature inside his programs based on the platform they are running on, what's called "hybrid design" (combined 32 bit/64 bit apps that need drivers do this)).

    NOW - IF the offending malware is instanced by being a library being called by another app (say Explorer.exe, I'll stick to that as an example because I've seen it actually happen & get used that way before), you sometimes also have to stall/suspend the calling parent process too (but, don't delete it, lol, especially IF it's a crucial process like explorer.exe, which IS your desktop shell) because it's maintaining a call handle to the malware lib being used too (in my example case here, explorer.exe), and then suspend the offending malware lib/dll too, and then delete it on disk (as well as any associated startup entries + registry or .ini file entries it uses too).

    This is how/where Process Explorer's "DLL VIEW" lower pane view option can & IS extremely useful in fact (ferreting out "hidden" malwares that are running under another process' hWnd as a lib loaded by them - a bogus shell extension, for example, could be an example here of what I mean).

    I cover how (and why) that's done here in this guide's "malware removal" section:

    ----

    HOW TO SECURE Windows 2000/XP/Server 2003, & even VISTA/Windows 7 (+ make it "fun-to-do" via CIS Tool Guidance & beyond):

    http://forums.theplanet.com/index.php?s=a3272f47031ff9e8939bf662e3a7b7fe&showtopic=89123

    ----

    In that security guide for Windows NT-based OS' "malware removal section"... & yes, it works! Per my subject-line, I also noted this technique to DigiShaman here http://yro.slashdot.org/comments.pl?sid=1668142&cid=32388064 who was another user here commenting on the usage of Process Explorer as a tool vs. malware infestations.

    NOW, additionally, IF the malware is instanced as a driver? Another tool by SysInternals/WinTernals/Microsoft that's useful is LoadOrder (it can show driver loads) and regedit.exe also (drivers & services typically instance here -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services in those keys and their subkeys iirc) or RECOVERY CONSOLE's LISTSVC & DISABLE commands work well here also (they list drivers AND SERVICES plus their startup states, which you can control this way).

    APK

    P.S.=> Thus, no antispyware/antivirus/antimalware-in-general (the part of DigiShaman's quote where I replied to him here on how to use PE, that I did not quote, which followed directly after it in the URL above) is even required really...

    Again - That is, once you spot an odd lib or exe running