
Fake Antivirus Overwhelming Scanners 334

ChiefMonkeyGrinder writes "Rogue or bogus programs passing themselves off as real antivirus software have been one of the malware themes of 2009, but the APWG's numbers for the first half of the year show that the organisation's members detected 485,000 samples, more than five times the total for the whole of 2008."
  • Pay For Full Version (Score:0, Informative)

    by Anonymous Coward on Thursday October 01, 2009 @12:25PM (#29607149)

    It makes sense to make a virus like this. My buddy got one. It said you have a virus, pay us $X for the full version of the Anti-Virus program to remove it. It was a real pain to remove as I remember.

  • Are we surprised? (Score:5, Informative)

    by Canazza ( 1428553 ) on Thursday October 01, 2009 @12:30PM (#29607207)

    Adverts for these things get into legitimate sites all the time through things like adwords, even though they're normally taken off quite sharpish, they're still there. They still cause problems and numpties do click on them. The old IBK error keeps appearing. As long as people aren't educated as to how this all works the problem will remain huge.

    The problem with Anti-virus is that every few years a new guy appears on the block. First it was Norton, then McAfee, then AVG, Kaspersky, and now whatever AV's the in-thing to use. There are new viruses out there all the time too, and if there's one thing that normal people are aware of it's that there are a lot of viruses out there, and that your AV doesn't give 100% protection, so when something pops up saying "You're infected! Our AV will cure it!" they're likely to believe that their current AV is defective, because clearly this one spotted it, they download it and BAM! world of trouble.

    It's depressing sometimes, but gladly, I've not had to remove it from any PCs in a while, whenever I do I recommend they replace their browser with Firefox and Adblock plus (Not noscript, I did that once and I got bollocked for that a bit because 'using the web was too hard as he had to press buttons every site he went on', the guy was a real pleb but nevermind) - and ABP stopped all the ads, and thus, stopped them downloading and installing that shite.

  • by Darkness404 ( 1287218 ) on Thursday October 01, 2009 @12:32PM (#29607251)
    Note to clueless mods, Antivirus 2009 is one of these fake antiviruses, mod them funny, not interesting....
  • Major pain (Score:3, Informative)

    by zip_000 ( 951794 ) on Thursday October 01, 2009 @12:36PM (#29607307)
    I've been losing this battle with the staff where I work; they just can't seem to understand that it is itself spyware and/or viruses. I've had to remove this crap from 5 or 6 computers in the last month alone.
  • Combofix (Score:5, Informative)

    by Anonymous Coward on Thursday October 01, 2009 @12:37PM (#29607329)

    I'm posting to say: COMBOFIX. This thing magically removes Antivirus 2009 and 2010, even the rootkit versions that MBAM falters on (or that prevent MBAM from running, even in safe mode).

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix [bleepingcomputer.com]

    Use it. Love it. Marvel at its simplicity, its beauty.

  • by Krneki ( 1192201 ) on Thursday October 01, 2009 @12:39PM (#29607351)
    A classic, they are more interested in stopping you using different no-cd cracks than they are in your security.

    Uninstall this crap.
  • by kimvette ( 919543 ) on Thursday October 01, 2009 @12:40PM (#29607361) Homepage Journal

    See my other post on this subject. Antivirus XP (and variants) can be removed by hand but it's a tedious process. Malwarebytes removes it VERY easily though. With some Antivirus ($FOO) variants you do need to rename the Malwarebytes installer filename and then the executable filename but once you get the process launched it will fully automate the removal process. IMHO Malwarebytes is the very best ad/malware removal utility at the moment, with Spybot S&D and Superantispyware being tied for a very distant second.

  • Re:Major pain (Score:5, Informative)

    by Krneki ( 1192201 ) on Thursday October 01, 2009 @12:41PM (#29607379)
    Start by removing them from the local Admin group, for a start.
  • by Girtych ( 1345935 ) on Thursday October 01, 2009 @12:47PM (#29607483)
    I work for an IT department here in California, and we get about three fake-antivirus-infected computers every week. Lately, the malware's been getting more difficult to remove - it's been hooking into system processes so that it can continually replace itself if part of the program gets deleted.
    Thankfully, we've found a fairly nice remedy that doesn't force us to wipe the hard drive. Don't bother with Ad-Aware or Spybot S&D anymore - they've become very ineffective as of late.

    First we hit it with a scan from Malwarebytes Anti-Malware, a free scanner you can download here: http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol [cnet.com]

    Then, on the infected computer, we download and run (in safe mode) a somewhat obscure free program called Combofix, which is available here: http://www.combofix.org/ [combofix.org]

    After that, we run one more follow-up scan with Malwarebytes to ensure that the computer is clean.

    So far, this combination of steps has eliminated the infections that we've come across.
  • by Deathlizard ( 115856 ) on Thursday October 01, 2009 @12:51PM (#29607527) Homepage Journal

    To remove norton, Don't bother with the uninstaller. Get the Norton Removal tool from their site:

    http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039 [symantec.com]

    This is for ANY install of ANY norton products. It also gets rid of shared files and their registry settings.

  • by Ephemeriis ( 315124 ) on Thursday October 01, 2009 @01:04PM (#29607755)

    There seems to be very little response from the traditional/big/mainstream antivirus companies.

    We usually install something centrally-managed for our clients, like Panda or Symantec. They do a decent job of stopping viruses, and it makes for less work for us... But they do absolutely nothing for these new rogue things. They don't get detected, they don't get blocked, they don't get removed... Nothing at all.

    You wind up having to actually sit down at the machine and run through a battery of individual scans... Slaving the HDD to another machine, booting into safe mode, booting into normal mode... Far more time-consuming than I'd like.

  • Re:Major pain (Score:3, Informative)

    by Deathlizard ( 115856 ) on Thursday October 01, 2009 @01:07PM (#29607787) Homepage Journal

    Laws of computer stupidity
    1) 99% of computer users do not know what they are doing.
    2) Computer users do not read.
    3) If a computer user can click on it, they will.
    4) You can patch software, but you can't patch stupid.

    Understanding the above when making your corporate system build will pay off in the end.

  • by Z34107 ( 925136 ) on Thursday October 01, 2009 @01:11PM (#29607833)

    ^This.

    I work help desk at the college I'm enrolled at, and removing this virus and its variants from student laptops is pretty much the entirety of my job description.

    I recommend running ComboFix first, because it will generally neuter a virus enough for MalwareBytes to install and remove it. If the virus keeps ComboFix from running, rename it to magickitties.exe - some kill AV processes by name.

    Anything more interesting than that, download the free Windows AIK [microsoft.com]. Make an image of the drive using ImageX. Mount the image (and the registry hives on the image) on a clean PC and do a scan on that. Reimage the PC with the clean image.

    Just creating an image with ImageX is sometimes sufficient to remove the rootkit portions. ImageX is file based, and the rootkit portions hide from the MFT. ImageX simply fails to gather the rootkit portion, because it hides too well.

    Usually, all it takes is 10 minutes of letting ComboFix run and 30 minutes of letting MalwareBytes run. Very slick.

  • by Latinhypercube ( 935707 ) on Thursday October 01, 2009 @01:19PM (#29607931)
    AVG 8 is so bad it makes me want to puke. It chokes my system worse than a real virus. It's a shame because up until 7.5 it ran like a dream.
  • by Anonymous Coward on Thursday October 01, 2009 @01:40PM (#29608239)

    Spybot is not that good. Get the Google pack of PC Tools Spyware Doctor or maybe the new Security Essentials and use Spybot to augment it with its immunization tools.

  • by Kaeles ( 971982 ) on Thursday October 01, 2009 @01:40PM (#29608241)
    Combofix! Go download it and use it. It will slaughter those stupid antivirus xp 200x and all that jazz. I want to make out with whoever made it.
  • by Sycraft-fu ( 314770 ) on Thursday October 01, 2009 @01:44PM (#29608299)

    For compromised systems, one thing that works great in the cases where you can't is Process Explorer from Microsoft. It is a more detailed task manager so you can get more information on processes. That itself isn't useful. However, what it can do is suspend processes. You choose a process and there's a suspend option, as well as killing it. Well, what that does is allow you to shut this stuff down, but its watchdog process doesn't notice. It is still "running", it just doesn't get CPU time. So the main process can't stop you from modifying the system, and the watchdog doesn't know to reload it.

    You then can make use of Autoruns, also from Microsoft. That shows you everything that starts up on your system. Use that to track down and remove the startup of the processes. Reboot to clear the file locks (or boot to a live CD), and delete the files.

    I can get rid of all the malware I've thus far encountered manually using those tools and spending some time. We have to do it sometimes because professors refuse to let us reinstall, even though that is the best option, since I can never be 100% sure I cleared all threats.
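
    A scripted version of the Process Explorer / Autoruns workflow in the comment above, which also covers the offline-image scan Z34107 describes earlier in the thread (mount the image and its registry hives on a clean PC, then inspect them). This is an added example, not code from any commenter or from the tools they name. It assumes Windows PowerShell 3 or later run from an elevated prompt; the path patterns, the rogue-AV name list and the X:\Mount path are constructed for illustration and are not a complete signature set.

```powershell
# Added example: scriptable triage of autorun entries and running processes,
# in the spirit of the Autoruns + Process Explorer workflow from the thread.
# Not from any commenter. Assumes Windows PowerShell 3+ on an elevated prompt.
# Patterns below are constructed from what the thread mentions; they are
# illustrative, not a signature database.

# Run keys relative to the Software node, so one list serves both the live
# HKLM:\Software / HKCU:\Software and an offline SOFTWARE or NTUSER.DAT hive
# loaded with `reg load` from a mounted image.
$RunKeys = @(
    'Microsoft\Windows\CurrentVersion\Run',
    'Microsoft\Windows\CurrentVersion\RunOnce',
    'Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

# Launch locations that legitimate AV or OS components do not normally use.
$SuspectPathPatterns = @(
    '\\Temp\\',                                        # %TEMP% on XP and Vista/7 layouts
    '\\Users\\Public\\',
    '\\ProgramData\\[^\\]+\\[a-z]{6,12}\.exe$',        # random-looking exe names in ProgramData
    '\\Documents and Settings\\[^\\]+\\[^\\]+\.exe$'   # exe dropped into an XP profile root
)

# Rogue-AV family names the thread mentions (constructed, matched case-insensitively).
$RogueNamePatterns = @('antivirus\s?20\d\d', 'antispyware\s?20\d\d', 'av\s?360', 'windows police pro', 'xp antivirus')

function Get-CommandImagePath {
    # Return the executable path from a Run-key command line, minus quotes and arguments.
    param([string]$Command)
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 0) { return $c.Substring(1, $end - 1) }
    }
    return ($c -split '\s+')[0]
}

function Test-SuspiciousAutorun {
    # Return the reasons an entry looks like a rogue-AV autorun (empty array = nothing found).
    param([string]$Name, [string]$Command, [switch]$Offline)
    $reasons = @()
    $img = Get-CommandImagePath $Command
    foreach ($p in $SuspectPathPatterns) {
        if ($img -match $p) { $reasons += "image in user-writable path: $img"; break }
    }
    foreach ($p in $RogueNamePatterns) {
        if ($Name -match $p -or $img -match $p) { $reasons += "name matches rogue-AV family: $Name"; break }
    }
    # The on-disk check is only meaningful on the live system, not against an offline hive.
    if (-not $Offline -and $img -and -not (Test-Path -LiteralPath $img)) {
        $reasons += "image file not found on disk (deleted, or hidden by a rootkit): $img"
    }
    return ,$reasons
}

function Get-AutorunReport {
    # Enumerate Run keys under each root and flag suspicious entries.
    param([string[]]$HiveRoots = @('HKLM:\Software', 'HKCU:\Software'), [switch]$Offline)
    foreach ($root in $HiveRoots) {
        foreach ($rel in $RunKeys) {
            $key = Join-Path $root $rel
            if (-not (Test-Path -LiteralPath $key)) { continue }
            $props = Get-ItemProperty -LiteralPath $key
            foreach ($entry in $props.PSObject.Properties) {
                # Skip the provider metadata PowerShell attaches to the object.
                if ($entry.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
                $reasons = Test-SuspiciousAutorun -Name $entry.Name -Command ([string]$entry.Value) -Offline:$Offline
                [pscustomobject]@{
                    Key     = $key
                    Name    = $entry.Name
                    Command = $entry.Value
                    Suspect = ($reasons.Count -gt 0)
                    Reasons = ($reasons -join '; ')
                }
            }
        }
    }
}

function Get-SuspectProcess {
    # Running processes whose image lives in a suspect location: the candidates to
    # suspend (rather than kill) in Process Explorer so a watchdog does not restart them.
    Get-Process | Where-Object {
        $path = $_.Path   # $null when access is denied or for protected processes
        $path -and ($SuspectPathPatterns | Where-Object { $path -match $_ })
    } | Select-Object Id, ProcessName, Path
}

# Live system:
Get-AutorunReport | Where-Object Suspect | Format-Table Name, Command, Reasons -AutoSize
Get-SuspectProcess | Format-Table -AutoSize

# Offline hives from an image mounted at X:\Mount (hypothetical path):
#   reg load HKLM\OfflineSoftware X:\Mount\Windows\System32\config\SOFTWARE
#   Get-AutorunReport -HiveRoots 'HKLM:\OfflineSoftware' -Offline | Where-Object Suspect
#   reg unload HKLM\OfflineSoftware
```

    The report only points at what to look at; a flagged entry still needs a human to confirm it before the key is deleted and the file removed after a reboot or from a live CD, as the comment describes. For an NTUSER.DAT hive loaded as HKLM\OfflineUser, pass 'HKLM:\OfflineUser\Software' as the root, since a user hive's root corresponds to HKCU rather than HKCU\Software.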

  • by DMUTPeregrine ( 612791 ) on Thursday October 01, 2009 @02:01PM (#29608539) Journal
    Install the SessionManager extension to get finer grained control of such things.
  • by tunapez ( 1161697 ) on Thursday October 01, 2009 @02:14PM (#29608755)

    I agree MalwareBytes is one of the best Win environment removal tools, but I was having about a 20% re-infection rate with these entrenched AVPro infestations that were removed by MB (& Spybot). I also searched system folders for DLLs newly installed and installed "BEFORE the OS" to unregister manually, then running MB and SB S&D again, in SafeMode w/ Restore Points deleted/disabled. Honestly, after all that work, it is most times easier/cheaper to image the drive, nuke/repart the drive (in DOS or EXT), reload the OS and re-populate data & 3rds.

    Oiyve'!

    I have always used Puppy Linux LiveCD to remove stubborn files, but recently started running Linux LiveDiscs w/ Kaspersky or Avira to do all removals the 1st time. Faster, easier and more effective, so far. Too soon to tell if it's the silver bullet I'm hoping for. Recently found a cool aggregate LiveCD builder on gHacks [ghacks.net] that makes one monster weapon. Still collecting all the parts, hopefully I can trade my 48 disk carrier in for 1 jewel case or a USB thumb drive.

  • by Rick17JJ ( 744063 ) on Thursday October 01, 2009 @02:36PM (#29609061)
    About a year ago, a pop-up advertisement pretended to scan my hard drive remotely (without my permission) and then claimed to find two viruses on drive C and also spyware in the registry of my Linux computer. I have encountered those scareware anti-virus advertisements several times over the last several years while using Firefox and Linux.

    Typically, a window pops up telling me that their website has detected a virus and spyware on my computer. The website suggests that I let them scan my hard drive for viruses and spyware. When I try to close the window, a window with a progress bar appears, announcing that they are scanning my drive C for viruses. After only about thirty seconds, they have supposedly finished scanning my entire 500 GB hard drive and announce that they have found two viruses on drive C, and also spyware in my registry. That seems bogus, since Linux does not designate hard drives or partitions with drive letters and also does not have a registry.

    They then asked me to purchase their anti-virus product, to fix the problem. Despite again attempting to close a pop-up and a tab, I soon had a pop-up from Firefox, asking me which program it should use to try to open a Windows file that ended in .EXE. Was that an attempted drive-by download of malware? They did not even attempt to make me download a Linux version of their fake anti-virus program.

    I have never heard of a Linux virus successfully circulating in the wild. But, they did give the names of the two viruses my computer was supposedly infected with, so I looked those two names up on a more legitimate anti-virus website, and it listed them as both being Windows only viruses.

    I have recently started using both the AdBlock Plus and NoScript extensions for Firefox on both my Linux computer and my Windows XP computer. On my Windows XP computer I have also recently started running Firefox sandboxed with Sandboxie. Hopefully, I will not be bothered by those fake anti-virus advertisements again.
  • by Icegryphon ( 715550 ) on Thursday October 01, 2009 @02:45PM (#29609171)

    You do realize that if you're running two AVs they stomp on each other and nothing works

    Not always the case. You can use an online scanner with no problem.
    Sadly they sometimes pick up things other ones miss.
    http://housecall.trendmicro.com/ [trendmicro.com]
    http://security.symantec.com/ [symantec.com]
    http://www.kaspersky.com/virusscanner [kaspersky.com]
    Just to name a few online ones.

  • by jmnugent ( 705421 ) on Thursday October 01, 2009 @02:57PM (#29609327)
    I had a system last week infected with "Windows Police Pro"... I was able to remove it in about an hour.... (not easy.. but also not difficult - just using the combination of tools I mentioned above).. and got the User back up and working. *shrug* I don't claim to be a "genius"... but I do have years of experience.. and I've been doing IT Admin/support for long enough that my intuition (about how a system is behaving) is usually correct.. and I can be pretty effective when I'm "in the zone".
  • by jayhawk88 ( 160512 ) <jayhawk88@gmail.com> on Thursday October 01, 2009 @03:00PM (#29609365)

    Security Essentials detected several:

    - Adware: Win32/WhenU.A (Medium Alert Level)
    - Adware: Win32/ClickAlchemy (Severe)
    - Adware: Win32/ABetterInternet.C (High)
    - Adware: Win32/SurfPlayer (High)
    - Adware: Win32/NewDotNet (High)

    To be somewhat fair to McAfee, it did detect a couple coming from one machine, MWS and SmartShopper, but this was very late in the process, well after the user had reported seeing the FakeAV pop-up and (apparently) after the machine had been infected. Perhaps these are McAfee names for some of the ones listed above and my reporting was just slow, don't know.

    Also just for the record, we run EPO 4, Agent 4.0.0.1494 (as of yesterday, latest agent patch) and VirusScan 8.7.0i, Patch 1 (Patch 2 is out as of yesterday I believe, we'll be going to that soon). The so-called "Antivirus 2009" or "Antispyware 2009" and all its variants have slipped past McAfee at least half a dozen times in the past 3 weeks or so on our network. These are all domain machines, EPO protected, completely managed; it's not like we just have a hodge-podge of out of date titles or whatever. Go check out the McAfee forums, there are a few topics with people complaining about this as well.

    I'm with you, I'm quite concerned about this. But outside of going around to 300 personal computers (that's for the "CPU" nerdrage above) and scanning them individually with Malwarebytes or MSE I'm not really sure what to do. I'm kind of hopeful McAfee gets their shit, or rather their DATs, together and can at least start alerting me on these, so we're not completely in the dark.

  • by clone53421 ( 1310749 ) on Thursday October 01, 2009 @03:05PM (#29609415) Journal

    IIRC you even get a page that lets you select which tabs to reload so you can specifically not revisit the particular one that killed the browser. (Maybe that's just in the newest version or two, though.)

  • by cyphercell ( 843398 ) on Thursday October 01, 2009 @05:12PM (#29611043) Homepage Journal

    I've been through about 20 machines with this infection or variants thereof (av360, av 2009, av2008, etc). I'm guessing I lost about four of them, the worst of course were the ones where the user went all the way through with the install, assumed they were protected and let the damn thing run for months, updates and all. One of those machines I'd just like to shoot. It powered off and wouldn't come back on for three months, then "bam!" it's running again. I'm thinking that thing won't be safe until the drive is zeroed and the BIOS is flashed. But, yeah, some of them are really F*ing hard.

  • by alhirzel ( 1648195 ) on Thursday October 01, 2009 @06:16PM (#29611757)
    I work for a computer repair shop, and we see AV20xx ridiculously often... We burned a CD with Malwarebytes 1.41 and SysInternals Process Explorer, and that's all it really takes to disable it, allowing for full removal. Make sure you rename procexp.exe to iexplore.exe and then kill the virus process, launch Malwarebytes and nuke. After that, fix any internet connectivity problems, install a trial of Sunbelt Vipre, then scan with both until clean. After that, do a final pass with the free version of PrevxCSI and remove files manually until it comes up clean. Voila!
