
Fake Antivirus Overwhelming Scanners

ChiefMonkeyGrinder writes "Rogue or bogus programs passing themselves off as real antivirus software have been one of the malware themes of 2009, but the APWG's numbers for the first half of the year show that the organisation's members detected 485,000 samples, more than five times the total for the whole of 2008."
  • by Icegryphon ( 715550 ) on Thursday October 01, 2009 @12:25PM (#29607143)
    Yeah, it's sad when you need a second virus protection program to be safe or have things removed.
    Makes me wonder how many computers, percentage-wise, are really infected out there with back-doors.
    Very scary, zombies everywhere.
  • by Obfuscant ( 592200 ) on Thursday October 01, 2009 @12:33PM (#29607267)
    Very very scary. Not.

    My netbook required an update to McAfee ("free" from Comcast) because one part of it stopped working, and during its first scan, it started reporting a problem. Wouldn't tell me what the problem was unless I let it run for twelve hours to scan the whole system. I tried stopping it and looking at logs, I tried looking at logs while it was running, nothing other than the "ominous" 1 under "detected threats".

    Turned out that it was reporting the crack program that allows me to run Duke Nukem without the CD -- since the netbook doesn't have a damn CD and I own the copy of Duke Nukem. MacAfraid called it "a program you might not want to have".

    Phhhht.

  • by jayhawk88 ( 160512 ) <jayhawk88@gmail.com> on Thursday October 01, 2009 @12:40PM (#29607357)

    McAfee is bad lately as well. Completely ignored the infection of two machines on our network the other day. We had to use Malwarebytes to find on one, and interestingly enough, Microsoft Security Essentials seemed to do a good job at finding and cleaning the other one.

    McAfee not even detecting these is worrisome though. We've got like 300 CPUs, all ePO protected, and for all I know they could all be infected.

  • by ahuger ( 1648027 ) on Thursday October 01, 2009 @12:41PM (#29607375)
    That number in itself should not surprise anyone. Many threats which are using the web as their primary introduction vector are using server-side polymorphism. The sheer volume which the APWG is calling out really only reflects that a lot of people are downloading the rogue AV packages. Of course, given the nature of malware collections, there is a very strong chance that many of those people already had 'real' AV which detected it, hence the sample being sent to an AV company in the first place. Of course crawling and honeynets will account for some of the sample set, but not the majority.

    The assertion that this is only the tip of the iceberg is likely true, given no AV vendor has an omnipresent view of the world, but I am not convinced it's any worse than a plethora of other highly deployed threats. Bluntly, they are all out there in gut-wrenching numbers. The rise in rogue AV is driven by the fact that it's gaining in popularity with malware distributors because it's a fast, proven revenue source. In some cases they may even skirt the law on whether it's even illegal. Remember, some of these things have rudimentary AV detection capabilities.

    -al, Immunet Corp
  • frustrating as hell (Score:5, Interesting)

    by Ephemeriis ( 315124 ) on Thursday October 01, 2009 @12:51PM (#29607525)

    What really annoys me is the fact that the mainstream antivirus products (Panda, Symantec, McAfee, etc.) do such a crappy job of dealing with these rogue antivirus things. Most of them don't do a thing. Don't detect the rogue stuff, don't disinfect it, nothing.

    Which means that we have to use something like Malwarebytes or Spyware Doctor to remove them.

    This is especially annoying for us... We're outsourced IT for our clients. We aren't there every day to take care of everything they need. We set things up as safely and securely as we can, manage it all as best we can, but we can't lock things down as tightly as I'd like because these folks need to be able to operate without us - installing their own software and updates, things like that. So it's only a matter of time before one of our clients stumbles into one of these rogue antivirus products.

    Does anyone know of a good, centrally-managed (like Symantec or Panda) anti-virus/malware package that actually detects these rogue things?

  • Motivation (Score:5, Interesting)

    by 99BottlesOfBeerInMyF ( 813746 ) on Thursday October 01, 2009 @01:05PM (#29607775)

    This is all the free market working against the unfree market. In a free market competitors work to make the best product to make the most money. Right now, that's malware writers, each trying to outdo one another and make the best trojans to get the most bots and personal info.

    In a free market consumers would buy computers best suited to deal with this threat, with defenses that appropriately reduce this threat to a small subset of their customers. But, since we have one player with a huge amount of influence on the desktop OS market, with huge influence on computer makers and other markets and who has built substantial barriers to prevent consumers from trying other options, desktop OS's are not adapting appropriately. Why should they if it is not losing them significant money?

    Trojans aren't some unsolvable problem, but for the most part they are a problem that needs to be dealt with at the OS level. Add-on software from computer makers is only going to be partially effective. SELinux, for example, does a reasonable job of mitigating trojans in the secure workstation market, but has not been adapted to the consumer desktop market as yet because it requires integration on the part of application developers and there is no real motivation to do that. Linux and OS X desktops don't face significant levels of attack. Windows doesn't lose real money when it fails to defend against them. Why would anyone who understands the benefits of free market capitalism expect anything but to have malware writers win? They have direct, financial motivation.

    Seriously, MS could easily create a sandboxed backwards compatibility layer (they already have). They could easily require all software that did not have a proper signature and an ACL to run in a restricted sandbox. They could dump money into crafting a good UI for it and motivating developers by restricting access to new, useful APIs. The real question is, why should they, as a business, spend that money?

    I have a modest proposal that will solve this problem and a lot of other problems all stemming from the same cause. Break up Microsoft. Seriously. They're repeat offender antitrust violators. Break them up and give at least two new companies complete rights to use all the source code and patents and an equal portion of the human resources and capital. Forbid these companies from any nonpublic communication or any agreements they don't offer to other companies with the same terms.

    When you have executives at MS-A and at MS-B both realizing they have to do something to win sales contracts from Dell and HP and Sony and Asus, guess what, they'll have to compete. Then their financial well-being will depend upon which can deliver a better product at a lower price. Neither will be able to strongarm customers or people in other markets. They'll have motivation to fix the flaws in Windows and the accompanying software that people have been learning to work around for decades. And neither company will have to worry about antitrust concerns and will be able to bundle whatever crap they want, including their version of IE. I'd be willing to bet if our justice department had the balls, the malware problem would be a minor annoyance in 5 years' time.

  • by jmnugent ( 705421 ) on Thursday October 01, 2009 @01:16PM (#29607897)
    In the organization I work for, we are using McAfee VirusScan Enterprise + AntiSpyware Enterprise 8.5.0i. I've noticed (almost on a weekly basis) machines infected with various kinds of spyware (antivirus2009, AlphaAV, and other names) and McAfee seems incompetently clueless about detecting it. If I install MalwareBytes on the box and start a "Full Scan" (using MalwareBytes), as it goes through touching files on the hard drive only THEN does McAfee pop up and say "Hey, you are infected with XXX". I don't know WHY that is; we seem to have the current McAfee scan engine and DAT files. I chalk it up to corporate-level antivirus just not being able to keep up with the fast-paced changes to spyware.

    I decided to never rely on a single protection product. If I suspect a machine is acting weird (even if it does have up-to-date antivirus), I scan it with Malwarebytes and NOD32's free online scan. I don't think this is strictly a fault with McAfee; I think any tool used by itself will miss something, and that's why a combination approach is best. (And hey, if you do some testing and can find patterns of McAfee not fully protecting you, that might be ammo/fodder to go back to your bosses (or McAfee rep) and push some buttons.)
  • by Anonymous Coward on Thursday October 01, 2009 @01:21PM (#29607967)

    The best part comes when you start firefox again after killing it, it will automatically go back to the website you were on WITHOUT ASKING.

  • Re:Major pain (Score:2, Interesting)

    by EMCEngineer ( 1155139 ) on Thursday October 01, 2009 @01:31PM (#29608087)
    Yeah, except that won't necessarily fix the problem. I got caught by a drive-by downloader on my work laptop, where I do not have admin privileges. I didn't click on anything, or agree to download anything. I merely visited a popular webcomic - then bam, install script trying to give me AntiVirusPro2010 or something along those lines. I got rid of it easily enough with MalwareBytes, but I couldn't even use safe mode to run HijackThis because I have no admin privileges.
  • by Mr. DOS ( 1276020 ) on Thursday October 01, 2009 @02:14PM (#29608751)

    Agreed. Until very recently, I worked in a computer service shop, and MBAM proved so useful that I purchased a license for the full version just to support Malwarebytes (I wasn't running Windows at the time, so the license was essentially useless to me). Well, now I'm back running Windows (I installed 7 on my laptop Tuesday night to get a good look at it before people start bugging me with questions about it), and I must say, the real-time scanner is nice - it's very lightweight (the service is currently consuming just over 25MB memory; about half of what AVG 8.5 usually grabs), and it's successfully detected a few test cases I threw at it.

          --- Mr. DOS

  • Re:Try Moon Secure (Score:2, Interesting)

    by Anonymous Coward on Thursday October 01, 2009 @02:33PM (#29609029)
    ClamWin doesn't do realtime though right? What use is antivirus software that doesn't scan files as you install them? I seem to remember ClamWin would happily allow you to infect your machine, then later (if the virus didn't disable ClamWin completely) you could run a full scan to tell you just how badly you've already been hosed.
  • by alhirzel ( 1648195 ) on Thursday October 01, 2009 @06:22PM (#29611813)
    Can't make this up / isn't a joke / etc... At the computer repair shop I work for, we had a guy come in who actually purchased Antivirus 360 to the tune of $80. He also recommended it to some of his friends. Unfortunately, his friends work at a bank. It was a very messy situation.
