Fake Antivirus Overwhelming Scanners

ChiefMonkeyGrinder writes "Rogue or bogus programs passing themselves off as real antivirus software have been one of the malware themes of 2009, but the APWG's numbers for the first half of the year show that the organisation's members detected 485,000 samples, more than five times the total for the whole of 2008."
  • by Anonymous Coward on Thursday October 01, 2009 @12:23PM (#29607109)

    Are AVG for a decline in detection rates and Symantec which sucks in just about every area except preventing itself from being uninstalled. (Notable exception is their corporate product)

  • by Shikaku ( 1129753 ) on Thursday October 01, 2009 @12:32PM (#29607261)

    Um mods? This is a joke. It's a really bad malware that's almost impossible to remove.

  • by kimvette ( 919543 ) on Thursday October 01, 2009 @12:37PM (#29607335) Homepage Journal

    Those are some of the best-written software out there. No, really! The first time I encountered the more advanced ones, almost no malware detection/removal software could detect them, and none of them could remove that malware. It was on a system for a friend where reformat/reinstall was not really an option (would have taken more time to do that) so I dug into it. It took 26 hours to completely remove the crap from the system - it had strewn source files through the Windows and System Restore directories, had several hidden processes which monitored process killing and file deletion and would modify, recompile, and reinstall multiple copies of itself again.

    A few weeks later Malwarebytes and Spybot S&D were updated and could easily remove any variant I've come across since then. The first time I hit it was a pain in the neck, then it was routine removal of it for a few weeks (a bit time consuming but not nearly so much as the first time) and then it became a simple matter of renaming the Malwarebytes and Spybot S&D installers, renaming the installed executable and running them. Ad-Aware couldn't detect them - and it's a shame. Ad-Aware is pretty much useless now. It seems that once they gained commercial viability they became complacent.

    The douchebags who write that software aren't stupid. Malware is getting to be extremely well-designed and it's a damned shame those authors aren't doing more productive work.

  • Re:Major pain (Score:3, Insightful)

    by Runaway1956 ( 1322357 ) * on Thursday October 01, 2009 @12:49PM (#29607499) Homepage Journal

    "Start with removing them from local Admin group for a start."

    I'll second that. Make sure they have no privileges outside their specific job description. If "Limited User" isn't good enough, go to group policies and restrict them there. Lock the user down tight, and he won't be able to run these scripts or install anything. No mercy - if you have to protect a dumbass from himself, protect him. You wouldn't let your toddler play in traffic, would you?

  • by sopssa ( 1498795 ) * <sopssa@email.com> on Thursday October 01, 2009 @12:53PM (#29607571) Journal

    The more interesting thing is the recent development in them - they've actually started to detect a small number of threats.

    Combined with that, the fact that they aren't a virus but seemingly legitimate software makes it hard from a legal point of view. By far the only way to have them prosecuted has been over misleading marketing, which is right. But for example I installed Norton Antivirus (or the quick scanner of it to see if I had viruses). It ended up being a really hard one to delete, popping up its scan from time to time and reporting to me about *tracking cookies* and that I'd have to buy the full version to secure my system. Only after that would it clean my computer. Obviously I know better than that and didn't buy it, but it's somewhat the same marketing tactics.

    It gets more interesting when the bad guys have actually made their software protect against some small number of threats too. There's no law against badly working software or an antivirus engine that doesn't detect 100% of threats, because none of them do.

    It's a bad problem, but there are also problems with the law about it. imo misleading advertisement should have larger fines than now - not just in scareware, but everywhere, because it's about misleading the customer.

  • by Anonymous Coward on Thursday October 01, 2009 @12:59PM (#29607671)

    You know MBAM is good when the newest variants of this shit specifically prevent its installer and the application itself from running (unless you rename them).

    Whoever is responsible for this fake antivirus and security software should be killed slowly and painfully over a period of weeks. Like, torture them to near the point of death and keep a couple medical personnel on hand to nurse them back to health so you can start over again, and repeat the process a few times. And put videos of it on YouTube for the enjoyment of all of us who have to clean that shit off computers.

  • by Girtych ( 1345935 ) on Thursday October 01, 2009 @01:04PM (#29607751)
    1. Don't use Internet Explorer. I swear that most of the infections I've run into are from compromised websites using exploits that target IE.

    2. Don't install anything- ANYTHING- from the internet unless you know exactly what it is. Even then, you might want to run a quick scan on it. Most virus scanners add an option to the right-click context menu to make this simple.

    3. If you see anything saying "your computer may be infected" or something along those lines while browsing the internet, ignore it. It's a downright lie. Even if it looks legit. When in doubt, call a tech.

    4. In the event that you get infected, call a tech, or if you're brave enough, follow the steps I outlined in my previous post here [slashdot.org].
  • by EXTomar ( 78739 ) on Thursday October 01, 2009 @01:17PM (#29607901)

    Isn't it about time to start asking Microsoft to fix the system instead of installing additional software that helps cover up the flaws? The reason why they went with this is that it is cheaper to offer "feature rich environment" but cover the holes with "additional safety software" than it is to make sure the "feature rich environment" is correct let alone sane or safe. The weakness has always been the "additional safety software" part. If legitimate software can be "additional safety software" then illegitimate software can be "additional safety software" as well.

    Who validates what is legitimate "additional safety software"? The AV Industry? Microsoft? These guys aren't exactly impartial and at an abstract level represent a conflict of interest. Should it be left up to the user? If the user was qualified to do that they wouldn't need "additional safety software". This is a gigantic losing battle where we have long since passed the point where we need more AV and UAC "protection" and need to start closing loopholes and flaws in the Windows OS and architecture.

  • by lukas84 ( 912874 ) on Thursday October 01, 2009 @01:44PM (#29608303) Homepage

    AppLocker fixes this in properly managed environments.

    But there is no way, for any OS, to fix "user willingly downloads malware and runs it".

  • by Pax681 ( 1002592 ) on Thursday October 01, 2009 @01:46PM (#29608335)
    yups, you get a choice of recovering session or starting a new one

    not even a case of not RTFM but a case of not opening yer anonymous wee eyes!
  • by Darinbob ( 1142669 ) on Thursday October 01, 2009 @02:13PM (#29608715)
    It's really sad when the company provides their own removal tool. It works, but it makes you wonder why they don't just fix the uninstaller...
  • by Torodung ( 31985 ) on Thursday October 01, 2009 @02:19PM (#29608833) Journal

    I'd make a headline change, sub in "users" for "scanners."

    If there was ever a clearer case of PEBKAC, I'd like to hear about it. This is like trying to wall off a cliff to protect the lemmings.

    If people will install random crap off the Internet without first reading a review, getting some word of mouth, and/or downloading it from a trusted source, they're going to get infected. Having an AV is useless if you're going to behave as described in TFA. There isn't a technological solution here.

    An AV can't protect people who don't understand that you shouldn't "fertilize your lawn with motor oil." This is the level of dumb we are talking about here.

    --
    Toro

  • Re:Major pain (Score:5, Insightful)

    by Real1tyCzech ( 997498 ) on Thursday October 01, 2009 @02:26PM (#29608939)

    "Admin rights are required on all the computers for access to active directory and such."

    BZZT!

    Access to AD only requires the *user* have admin rights, not the Computer.

    Try this (has worked wonders for us):

    Create two accounts for each user. One for day-to-day use, one for AD admin tasks. (Add AD in front of their username or some such) Secure their day-to-day as a limited user account. Lock the admin account down. Don't even give them proxy access or network share access.

    Create a shortcut on their desktops (to dsa.msc, or whatever) and right-click it. Under properties/advanced, set it to run with alternate credentials.

    Now, when they log into their day-to-day accounts, they can still open the dsa shortcut and enter their "admin" account credentials to manage the AD, but now neither the AD account nor their normal day-to-day account will be capable of installing "AV2009".

    Seriously, try it.

    Problem solved.
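The shortcut step in the post above, scripted so it can be pushed to many desktops. This is an added example, not code from the thread or from any poster; the account name CONTOSO\AD-jdoe, the shortcut name and the use of mmc.exe to host dsa.msc are assumptions. The "Run as different user" checkbox has no property on the WScript.Shell shortcut object, so the script sets the RunAsUser flag (LinkFlags 0x00002000 in the ShellLinkHeader) directly in the saved .lnk file.

```powershell
# Added example (not from the thread): build a "Run as different user" shortcut
# to Active Directory Users and Computers (dsa.msc) so the day-to-day limited
# account launches it under the separate AD admin account.
# Assumptions: the admin account is named CONTOSO\AD-jdoe, dsa.msc is hosted by
# mmc.exe, and the shortcut goes on the current user's desktop.

$ShortcutPath = Join-Path ([Environment]::GetFolderPath('Desktop')) 'AD Users and Computers.lnk'
$Target       = "$env:SystemRoot\System32\mmc.exe"
$Arguments    = "$env:SystemRoot\System32\dsa.msc"

# 1. Create the shortcut through the WScript.Shell COM object.
$Shell = New-Object -ComObject WScript.Shell
$Lnk   = $Shell.CreateShortcut($ShortcutPath)
$Lnk.TargetPath       = $Target
$Lnk.Arguments        = $Arguments
$Lnk.WorkingDirectory = "$env:SystemRoot\System32"
$Lnk.Description      = 'Opens dsa.msc; prompts for the AD admin account'
$Lnk.Save()

# 2. Set the RunAsUser flag. LinkFlags is the 4-byte little-endian field at
#    offset 0x14 of the .lnk header; 0x00002000 lands in byte 0x15 as bit 0x20.
#    This is the bit the "Run as different user" checkbox under
#    Properties > Advanced toggles.
$Bytes = [System.IO.File]::ReadAllBytes($ShortcutPath)
$Bytes[0x15] = $Bytes[0x15] -bor 0x20
[System.IO.File]::WriteAllBytes($ShortcutPath, $Bytes)

# 3. Verify the flag stuck before deploying the file.
$Check = [System.IO.File]::ReadAllBytes($ShortcutPath)
if (($Check[0x15] -band 0x20) -eq 0) {
    throw "RunAsUser flag not set on $ShortcutPath"
}

# Equivalent one-off launch from a prompt, for users who prefer typing it:
#   runas /user:CONTOSO\AD-jdoe "mmc.exe %SystemRoot%\System32\dsa.msc"
```

Double-clicking the result prompts for the AD-jdoe credentials; the console runs under that account while the desktop session stays a limited user. Keep the admin account itself restricted as the post says (no proxy, no share access), since the shortcut only changes who launches mmc.exe, not what that account is allowed to do elsewhere.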

  • Re:Major pain (Score:1, Insightful)

    by Anonymous Coward on Thursday October 01, 2009 @03:09PM (#29609481)

    Oops, you're "not a people person" but you got a job that involves dealing with people. Guess you're not really very qualified for that, huh? Better find a network no one uses to maintain.

    Also, protip: nobody cares about the secretary's daughter. We just smile and nod because if she likes us she's less likely to get an e-mail from us about network security and think "oh it's just that jerk that ignores us all except to occasionally tell us we're stupid. Deleted."

  • Re:Major pain (Score:3, Insightful)

    by Runaway1956 ( 1322357 ) * on Thursday October 01, 2009 @03:22PM (#29609671) Homepage Journal

    Nice try. You attempt to justify the user's failure to train himself in a job for which he is paid, to my failure to suck up to that user, for which I am NOT paid. Utter phail. When you are paid to use ANY sort of equipment, it is presumed that you have the technical skills to do so. When you demonstrate that presumption to be wrong, then you must be protected from yourself. More, I have to protect other people from your ignorance.

    FFS, the workplace isn't SUPPOSED to be a day care center, or a group therapy session. Shut the fuck up, do your job properly, and let me do my job!! If you really need someone to stroke your ego, get a girl friend!!

  • by EvilBudMan ( 588716 ) on Thursday October 01, 2009 @03:40PM (#29609897) Journal

    Well, if the AntiVirus software were to make it that easy to remove with the uninstaller, then a virus could do the same thing. The real problem I have is most of this stuff being a resource hog. With the corporate version of McAfee, you can hardly do a save as without having to wait 5 minutes. I will be so glad when our licenses for that program expire. Maybe we will try Norton next, I don't know. We want it to work, and not be more resource intensive than video editing, you know.

  • by symbolset ( 646467 ) on Thursday October 01, 2009 @09:50PM (#29613199) Journal

    And so you know that the user has had unauthorized software running on the PC with administrator privileges, capturing and relaying customer login information for all their accounts, sampling files for interesting data and uploading them to unknown sites for further processing, flagging systems with system and user DSN's for special manual handling - for an unknown period of time but almost certainly across more than one reboot.

    But you've killed all the evil processes and deleted the software that is known by the scanner vendor to be bad.

    And now you can comfortably give that computer back to the end user to attach to your network and start processing work again because it's all better now, right? That is what you said?

    /shudder.

  • by Opportunist ( 166417 ) on Thursday October 01, 2009 @10:19PM (#29613323)

    Large AV suites face similar problems as viruses: They are prone to removal by their enemies. Ironically, they are each other's nemesis in this respect: Yes, malware tries to uninstall AV suites or render them useless. So what do AV suites do? They dig deeper into the system. Sometimes to the point where you, the user, are no longer sure whether the cure is more poisonous than the sickness.

    My solution has been to rely more and more on "no-names" in the AV biz. They often have surprisingly good detection rates while they're largely under the radar of malware writers, thus not prone to the defense mechanisms of malware.

  • by symbolset ( 646467 ) on Friday October 02, 2009 @01:30AM (#29614119) Journal

    If an app had enough permissions to get installed it's trivial for it to elevate it to system privileges and install a rootkit that cannot be detected. Even if you remove the drive and scan it in a known-good system, there's still a chance that the product you're scanning with doesn't recognize the particular threat yet because these threats are polymorphic and the one on the scanned system may be unique.

    It's scary enough that we have to trust vendor media for these closed development operating systems. It's just malpractice to claim we can restore one that has been known to be running malware to an acceptable condition.

    Wipe and reimage in the case of infection. Every time. It's quicker, too.
