Rogue Anti-Malware Pushes Fake PCMag Review

Varzil found an interesting story about some "Rogue Anti-Malware" (which seems to me should just be called 'Malware') which modifies your HOSTS file to trick you into reading a fake anti-virus review which is of course for more malware. Modifying HOSTS is an old trick, but this is interesting because it's actually trying to get you to read fake content: normally this sort of trick is used to prevent you from fixing your computer, but this one is trying to get you to break it even more. I guess friends don't let friends modify their HOSTS files.

Social Engineering

[mc1138]

Spoofing of content is nothing new. Even using the hosts file like this to redirect you to fake content while an innovative use of the hosts file, is just a new trick for an old gag. The only real way to clamp down on something like this, is through the better education of the user base. So long as people still buy into these sorts of attacks, hackers and other people of ill repute will still commit them.

Re:

[disbroc]

I have to agree with you about it not being anything new. We've seen similar tricks with people spoofing ebay, paypal and the like. While we can all agree that it is clever to insert the fake reviews, surely we all should have known something like this wouldn't be too far off.

I will be interested in what these sites have to say about the fake reviews.

Re:

[Spazztastic]

How in the hell can the very first post I see be redundant? Slashdot editors, PLEASE bring the old metamoderation back! The new version is worse than useless.

Please mod me offtopic, because I am.

It's because people possibly are viewing by score rather than by post history. He was the first post that is above the 1 threshold (and is first for me), but some people don't check timestamps.

Re:

[Spazztastic]

And to follow up on something I forgot, you can report bad metamoderation.

Re:

[Paradise Pete]

And to follow up on something I forgot, you can report bad metamoderation.

As far as I can tell, there is no more actual metamoderation.

Re:

[WuphonsReach]

As far as I can tell, there is no more actual metamoderation.

There is, but it no longer shows up on the front page. Sometimes when I submit a comment, I then get offered to meta-mod.

Re:

[techno-vampire]

I do too, but I never bother any more. I used to receive mod points about twice a week. Then, just after the New! Improved! system went up, I stopped getting mod points at all. When they either give me back my mod points or go back to a real metamod system, I'll go back to metamoderating. What we have now is nothing more than a bad joke compared to the old version.

Re:

[Paradise Pete]

There is, but it no longer shows up on the front page. Sometimes when I submit a comment, I then get offered to meta-mod.

I can go to what they are now calling "metamoderation" at any time. It's just that it is no longer actual metamoderation, but rather random comments that for the most part have not been moderated. So how that is meta is beyond me.

Re:

[mc1138]

I thought that was weird too, but now it got modded up to 1 Insightful... no clue what's going on there...

Re:

[masterzora]

Generally because there is more context to a comment than the other comments in the thread. I have modded the first comment redundant many times, but only when it either served no purpose other than reiterating something from TFS/TFA, or when I've seen the same post, or one nearly identical to it, in several other discussions prior. A few times, when I'm in a foul mood, and the first post, while not even nearly identical to one I've seen before, is just simply not saying anything I haven't heard before, I

Re:

[warrigal]

I don't understand how this works. Doesn't Windows lock its hosts file? In Unix-based systems hosts is owned by root. I would think if malware can alter a locked file there is more to worry about than site redirection.

Re:

[malkir]

nope

C:\windows\system32\drivers\etc just open your host file with a text editor.

my friends computer has some clever worm that even after fixing the hosts file can still redirect traffic, for instance avast.com redirects to 127.0.0.1 and it somehow stops be from booting up hijack this, and disables the network in safe mode...

kind of has me frustrated, i could just reformat but then I would feel I gave up!

Five Stars!

[hendrix2k]

"which seems to me should just be called 'Malware'"

I dunno, this review I just read says Antivirus2010 is great!

Re:

[krenshala]

/facepalm

hijacking AV sites too

[nine-times]

I've noticed this too, particularly surrounding Antivirus 2009 [wikipedia.org]. Not only do they hijack review sites to post positive reviews about Antivirus 2009, but they reroute traffic to legitimate antivirus software. So if you go to the website for AVG or Norton or something, it will point you towards downloading Antivirus 2009.

It's a nasty little bugger.

Re:

[mc1138]

I like that products such as spybot search and destroy, and malware bytes are ten times more effective at taking care of that than any antivirus product out there...

Re:hijacking AV sites too

[nine-times]

I haven't really found any single solution to be good enough. Once you're infected with one of these things, it seems like the best idea is to either (a) wipe the drive and start over; or (b) download and install every malware/spyware/virus removal program that you can get your hands on, run them serially, and remove anything that any of them find. Ideally you run each from a live CD or something that doesn't allow the virus a chance to load before you can run the remover.

And then to be really careful, run each of them again.

Re:hijacking AV sites too

[Spazztastic]

To follow up on parent, if you work in a IT department where you can image computers, it's far more effective to just back up their files and reimage the computer. I've spent hours cleaning them only to (as a last resort) reimage the computer.

Re:

[mc1138]

I used to work as an IT consultant, and often times you run into this at small companies that are lucky to have a firewall and antivirus even installed. For a while I got pretty good at cleaning computers, 2 hours or less usually unless it was so old that each individual scan took longer than that. Real glad I'm not in that sort of pay as you go and only when you have to environment.

Re:

[nine-times]

To follow up on parent, if you work in a IT department where you can image computers, it's far more effective to just back up their files and reimage the compute

To follow up on your follow-up, yes, I put, "wipe the drive and start over" first on purpose. If that's an option, it can often be much faster and safer. I've seen some antivirus packages take >5 hours to scan an entire computer, even on a new-ish computer. If you're scanning with a couple different pieces of software, you can easily end up taking a very long time trying to clean one computer.

On top of that, I've seen situations where I've scanned a computer with 5 different anti-malware packages, an

Re:

[Z34107]

To follow up on parent, if you work in a IT department where you can image computers, it's far more effective to just back up their files and reimage the computer. I've spent hours cleaning them only to (as a last resort) reimage the computer.

Very true. I work at a college help desk, and imaging staff and faculty machines is usually what I do first. Imaging takes an hour; a single virus scan usually takes a half hour. It never takes "just" one scan to remove most malware, and half of the time you need

Re:

[jcrousedotcom]

I agree. We have images created and I can boot from the NIC, pull it down from the imaging server and have the user back in business in about 30-45 minutes. I can spend that much time running just one of these spyware tools. Unfortunately, it's made me not so good at removing them.

In a former life and a former job, I was a consultant. Having two machines in the building that were the exact same model was unlikely, at best. Re-imaging really was reloading.

Re:

[Dragonslicer]

download and install every malware/spyware/virus removal program that you can get your hands on

I read about a great one in a PCMag review.

Re:

[andytrevino]

I work at a university dorm as a network technician (UWM [uwm.edu], incase you're wondering!), and fix ten to twenty computers a week infected with malware, often exactly this strain of rogue AV software.

The utility called ComboFix [bleepingcomputer.com] almost always cleans these infections up with no hassle. If that fails, or if examination of the logfile indicates that it didn't quite get everything, MalwareBytes Anti-Malware [malwarebytes.org] should take care of the rest, and if anything gets past BOTH of those you can take note of the infected file nam

Re:

[nine-times]

That's a helpful tip. At the same time, though that may fix this particular piece of malware, the real issue is the malware that's brand new and that you might not have definitions for yet.

If I were in your position, I would probably only reinstall Windows as a last resort too-- but that's because I'm assuming you can't tell people what they can and can't run on their computers. You can't tell them where they must store their documents. When you get into a business environment, you can arrange things su

Re:

[blackest_k]

"(b) download and install every malware/spyware/virus removal program that you can get your hands on"

Hold it right there, thats probably what got you the infection in the first place.

I trust adaware and spybot S&d for malware clamav avg for virus and thats pretty much it. Also www.mywot.com and www.virustotal.com

Re:

[Quirkz]

I've had surprisingly good luck with SuperAntiSpyware. Silly name, but it's cleaned up a lot of the fake antivirus software fairly well for us. Before we found it we regularly resorted to reimaging, but this one has worked very well. We've had some other virus/spyware things that it doesn't work quite so well on, but the fake antivirus cleanup has been consistently good.

Re:

[fpophoto]

I like that products such as spybot search and destroy, and malware bytes are ten times more effective at taking care of that than any antivirus product out there...

That's because the nature of PC security has changed. Old school: Viruses to destroy computers. New school: Co-opt systems in order to sell a product or pimp out for botnet needs.

It's kind of refreshing if you ask me. Not to say current malware is a giant headache, but at least the days of you getting your HD wiped are pretty much be

Re:

[Spazztastic]

Not to say current malware is a giant headache, but at least the days of you getting your HD wiped are pretty much behind us. There's just no money in it.

It's still required to reformat because if you have a paying customer and you're charging by the hour they want the fastest way. Sure, you can spend 4+ hours (On your average consumer PC) total scanning the computer, deleting registry entries, etc., or you can just reinstall windows (via the latest OEM CD) and get it back to running condition in under 2 hours.

Re:

[Zarquil]

Sure, but you also get a chance to grab data off the drive before you wipe. It's really nice to at least have the opportunity to do that - particularly in worst-case scenarios where you're waiting for the system to be responsive.

Now, granted, most of the time I'm throwing in Knoppix or some such LiveCD and yanking the data that way, but I happen to live in that lovely subset of the population that tends to frequent Slashdot and at least knows what Knoppix, Insert, Backtrack, or nUbuntu are.

My immediate bra

Re:

[mc1138]

No I can agree with that, sometimes it takes things like this to shake up the establishment. Old powerhouses like McAfee and Symantec, and even to a lesser extent CA, are getting pushed aside by free competitors. If you want a decent AV/Anti-Spyware product, check out Vipre http://www.vipreantivirus.com/ [vipreantivirus.com] nice small group of devs, all in house support, and honestly not that expensive. Great for client server environments where you need to manage lots of clients from one location.

Re:

[yoshi_mon]

A very good point. In fact I was struggling to explain all the different verbiage to an end user the other day. At a point I realized that while putting an 'anti-virus' package on her system was what most people are used to what they really need anti-malware these days.

Of course I'm sure some hacker would go 'oldschool' and write an actual virus that took out Win32 installs rather than turning them into zombies. So rather it's more these days about overall computer security than anything narrowly defined

Re:

[Vectronic]

Sad, but true... although somewhat understandable considering that an Anti-Virus primary function is to battle viruses, not ad-ware/malware.

Could just as easily say "I like that products such as Kaspersky Anti-Virus are ten times more effective at taking care of that than any anti-malware product out there"

However, the "suites" (ie: Firewall + AntiVirus + Ad/spyware, etc) are generally getting better at it.

Also, their (the nasty people) gimmick is still rather effective, because the average user doesn't kno

Re:

[DarKnyht]

Well this particular piece of work not only tells them that, but proceeds to hose their computer at random intervals to make it look like there is a problem that only they can solve.

They operate off of FUD to get people to pay for an ineffective solution.

Friends

[jetsci]

Not quite...friends don't let friends take fat chicks home when they're drunk...

Re:

[pak9rabid]

Not quite...friends don't let friends take fat chicks home when they're drunk...

Given the site this is posted on, I suppose it's the lesser of 2 evils.

Why aren't these people in jail?

[tjstork]

I mean, come on.... this is just pure fraud.

Re:

[jetsci]

I imagine most of these folks operate outside of US jurisdiction(yes, there is a world beyond your borders). Take some international law classes and you will understand. Imagine extraditing these guys from China? Goodluck!

Re:

[elrous0]

I'm pretty sure most other countries now have laws against malicious hacking, and also jails. Or are YOU implying that the U.S. is the only country technologically advanced enough to bust people for such activities?

Re:

[Spazztastic]

I'm pretty sure most other countries now have laws against malicious hacking, and also jails. Or are YOU implying that the U.S. is the only country technologically advanced enough to bust people for such activities?

I think you're making a flamebait post.

Parent said that it's hard to extradite people and not all of them will pursue it because they have more pressing matters at hand such as food shortages, natural disasters, and civil war.

Re:

[jetsci]

Flame-bait much? I do not deny most countries have such laws. However, as mentioned above, many countries may not be concerned with busting a spammer(especially if (s)he is harassing American's?) when they need to worry about food shortages, civil unrest, natural disasters or even war.

I'm CERTAINLY not implying the U.S. is the only one with the technology capable of doing this. Frankly, that's just ignorant.

Re:

[tjstork]

Places on the planet that allow for malicious attacks on the internet to take place should be excluded from it. There is no legitimate reason we should be lowering the shields of the West to appease a few Chalabis in otherwise lawless countries.

An Interesting Way to Go For Intermediate Users

[damn_registrars]

It appears that this is more of an attack on intermediate users than the usual attack that goes for newbies. After all, if a PC is infected, a newbie would not likely look to PC Magazine for antivirus information; they'd more likely bring it in to Best Buy and pay the Geek Squad an exorbitant amount of money to fix it (or they would put in the restore CD and try to start over from scratch).

An advanced user (if they were running windows for some reason) likely wouldn't look there, either, as they would have likely just run the update program for the software that they already installed for taking care of such things.

This of course follows well the old adage

A little knowledge is a dangerous thing

Re:

[disbroc]

I would think that the average computer user is a bit more intelligent than they used to be (Yes, I do work as a sys/net admin, and yes I have done desktop support before). While, intelligence might not be the right word to use, lets say more aware. After so long the newbies have to learn enough to at least have an idea on where to go to get help.

I think it was only a matter of time before we started seeing things like this happen. Although I often find myself wondering when we will start seeing more mal

Re:

[presentchaos]

This is somewhat off topic, but I was just having a conversation with someone who is about to buy a Mac. I was against it and an argument started. I said there were too few people supporting the Mac. He responded, "When was the last time you heard of a virus on a Mac?" And I said "See, even people who write viruses don't support Macs."

Not a double negative.

[fm6]

"Rogue Anti-Malware" (which seems to me should just be called 'Malware')

Uh, no. I think "bogus anti-malware" is a better description, but whatever you call it, it's not a useless term. Some malware disguises itself as anti-malware. Some disguises itself as email from your mother. Whatever it is, you need a term for the specific kind of malware, and that term doesn't deny the fact that it's malware, even if the term includes "anti-malware".

Re:

[DarKnyht]

I prefer the title of Scamware.

Re:

[fm6]

But that also includes malware that scams you in other way. "Download this program to bypass logins to porn sites!"

Re:

[InfiniteLoopCounter]

"Rogue Anti-Malware" (which seems to me should just be called 'Malware')

Uh, no. I think "bogus anti-malware" is a better description, but whatever you call it, it's not a useless term.

Too right! How else are they going to classify "anti-bogus anti-malware"?

re

[JohnVanVliet]

I guess i am going to have to buy a new " NO I will not fix your computer " t-shirt from think-geek http://www.thinkgeek.com/tshirts-apparel/unisex/itdepartment/388b/ [thinkgeek.com]

Re:

[Anonymous Coward]

I guess i am going to have to buy a new " NO I will not fix your computer " t-shirt from think-geek http://www.thinkgeek.com/tshirts-apparel/unisex/itdepartment/388b/ [thinkgeek.com]

People actually wear that stuff outside of their parent's basement? And do you say "new" because you gained weight and the old one doesn't fit?

Fake Advertizing for False Products

[Bushido Hacks]

Call it something similar to the story of the Emperior who has no clothes, but have you ever wondered when watching a commerical with a bogus product they say "We've been featured on CNN, Fox News, and Oprah"? Because they are ADVERTIZING in the commerical breaks that are on CNN, Fox News, and Oprah.

Why are we supposed to believe that just because they bought advertizing time in the commerical breaks of networks and TV shows that they were actually endorsed or had an interview featuring their product?

Whe

Re:

[gammygator]

emperior

Potential pronunciations
EEm-pear-EE-ear
ehm-pur-ree-AR
ehm-pee-rear


Or perhaps my Frenchish favorite,

ehm-pe-wah

Man, I need to get away from my desk and get some fresh air or somethin'.

PC Magazine's reputation is screwed!

[Anonymous Coward]

If PC Magazine wants to keep their reputation, they'll have to create their own malware that modifies the hosts file to redirect back to their site.

Administrators only

[A Friendly Troll]

C:\WINDOWS\system32\drivers\etc>cacls hosts

C:\WINDOWS\system32\drivers\etc\hosts BUILTIN\Users:R
BUILTIN\Power Users:R

Re:

[spikedvodka]

I see you haven't run into some things that Require admin rights to run properly.

Yes Microsoft, I'm looking at you!

Re:

[DarKnyht]

A recent study showed that 92% of critical exploits and 62% of security issues overall in Windows goes away when you remove admin rights. (Reducing the Threat From Microsoft Vulnerabilities)

Since Windows XP SP2, I have not run as admin and I have rarely come across something requiring admin rights. Those few apps that do (HP Print Drivers, Adobe Flash, and Palm Software being at the top of my list), I log into the account just to do those tasks (and nothing requiring the internet). Pretty much everything

Do you live on Earth with the rest of us?

[professorguy]

Yeah, just remove admin privileges from the user. That seems reasonable.

Then call the vendor who supplied the Emergency Room Management System and ask why the users can't run the program correctly. "Oh, they have to be administrator for that to work."

Then call the vendor who supplied the Scheduling module to the PACS system. "Oh, they have to be administrator for that to work."

Then call the vendor.... Repeat until you want to get a gun.

Maybe the real answer is to not buy software that works

Re: Yes, but...

[DarKnyht]

I guess I work at a company in some sort of pocket universe. Before any software is approved for purchase it passes by a board that the head of IT sits on.

Generally said software is evaluated before purchase by the IT Staff (for this very reason), and there is no way around this (really, who wants to purchase software incompatible with your system). Those that choose to ignore this process (read higher ups) also choose to pay for (out of their own private pockets) and support their software themselves (We

Re:

[Beltway Prophet]

Yup. I did this for my family when they first hooked their Windows PCs up to a persistent network; they don't have a password on the admin account, but they all know not to run programs there; they only use it if they can't install an app under their user accounts. It's been over a decade now, and no virus or malware issues. The only really annoying thing was that they started with XP home, and I had to configure their file perms with cacls and its bevy of ugly switches. *barf*

HOSTS file hack?

[bizitch]

Scotty the watchdog would have caught that

http://www.winpatrol.com/ [winpatrol.com]

got root?

[Gothmolly]

How does it modify your hosts file if you're not root?

Re:

[jamesmcm]

Because it's on Windows, and the attempt to hack in some sort of security (UAC), is too little, too late.

Re:

[Gadget_Guy]

I have setup limited user accounts since Windows 2000. I did have problems getting the spell check to work in Office 97 without hacking, but since then it is been surprising how many programs have worked.

Security was not a new feature in Vista, although UACs did make things easier.

Checking out the IP address and domain

[Animats]

Let's see what we can find out.

We have an IP address for the server hosting the phony pages: "[217.20.175.74]". This is in DNS as "sweeper.globmail.org",

eNom, a favored registrar of bottom-feeders, is the registrar.

There's an address in Kiev, but it's bogus.

WhiteDomainsOrg
Reiterska 13
Kiev Kiev
01001
UA
Phone:+380.5490567

That's a bar in Kiev, Dveri (Door) [google.com]. It's about two blocks from the old US Consulate.

The upstream provider is "ge0.colo0.kv.wnet.ua". So this is a colocated machine at WNet [www.wnet.ua] in Ukraine.

The US FBI has a local office in Kiev. [usembassy.gov]

This is something that could be cracked by motivated law enforcement.

Re:

[gad_zuki!]

We have an IP address for the server hosting the phony pages: "[217.20.175.74]". This is in DNS as "sweeper.globmail.org",

Is there a list of malicious sites and servers out there? I know there's the phishing list that google and MS maintain, but something that has all identified zombies and compromised servers? Id rather just block them globally so my users dont get anywhere near this stuff.

Re:

[myowntrueself]

This is something that could be cracked by motivated law enforcement.

"motivated law enforcement"?

Is that one of them thar "oxymaroons"?

Re:

[IceCreamGuy]

I just spent all morning removing this from a user's PC and tracking it back to finally arrive at globmail.org, and here I am on /. and you've already gone 5 steps past where I got done. Nice work!

A little first hand info with the actual culprit:
It did not install the way any of the online sources I checked said it would, no Add/Remove entry (duh), and no folder in program Files.
I found it in "All Users\Application Data\AV1\"
Cleaned the user's temp files and searched the PC to find several more instanc

Tea Timer

[SpectreBlofeld]

For Windows, I recommend using Tea Timer, an extension to Spybot S&D. It sits in memory and monitors system files, including the HOSTS file, and alerts the user when another program is attempting to alter it, or add processes to startup, etc.

http://www.safer-networking.org/en/faq/33.html [safer-networking.org]

Re:

[Quirkz]

TeaTimer is nice in theory, but only for people who are already technical enough to know what's going on. For anyone not that technical, you're just setting yourself up for phone calls: "I'm getting a popup!" or "something's modifying something and I don't know what it is! come quickly!"

Simple rules like "it's okay if you know what you're installing" don't seem to work well in my experience. The paranoid ones are never sure it's okay, and the rest assume it's always okay, even if they alert says "the pro

How Is This Possible?

[Bob9113]

which modifies your HOSTS file

How could that possibly happen? My hosts file (presumably like the hosts file on any rationally configured system) is owned by root and mod 644. Is this script doing privilege escalation? Or is it actually common for some computers to leave hosts modifiable by an unprivileged user?

Obviously I'm being a bit facetious, but let's give a little credit where credit is due - this rogue program is not the worst of the malware in the formula. The worst malware is the program (whether that program be an OS, an installer, or simply a set of memes running on the wetware of our society) that leaves hosts editable by unprivileged users, or which leads to privileged users running untrusted software.

This rogue program is like salmonella - it is taking advantage of poor practices like not cooking meat thoroughly. Blaming this software is like blaming salmonella. Damn you salmonella! It does not grant sufficient credit to the program (or OS, or meme, or OS installer) which is actually to blame.

Re:

[tb3]

The worst malware is the program .. that leaves hosts editable by unprivileged users
That would be Windows ©.

Ooooooh, and they've learned Grammar, too!

[Fantastic Lad]

You know malware is getting big when autistic and/or Russian hackers hire copy editors so they don't sound like, well, hackers.

-FL

Re:

[jonlandrum]

Ha, I was thinking this, too.