Fake Antivirus Overwhelming Scanners 334
ChiefMonkeyGrinder writes "Rogue or bogus programs passing themselves off as real antivirus software have been one of the malware themes of 2009, but the APWG's numbers for the first half of the year show that the organisation's members detected 485,000 samples, more than five times the total for the whole of 2008."
AV2009 To The Rescue (Score:5, Funny)
I'm pretty sure that Antivirus 2009 has protected me from emerging threats quite reliably.
Re:AV2009 To The Rescue (Score:5, Informative)
Re: (Score:3, Insightful)
Um mods? This is a joke. It's a really bad malware that's almost impossible to remove.
Re:AV2009 To The Rescue (Score:5, Informative)
See my other post on this subject. Antivirus XP (and variants) can be removed by hand but it's a tedious process. Malwarebytes removes it VERY easily though. With some Antivirus ($FOO) variants you do need to rename the Malwarebytes installer filename and then the executable filename but once you get the process launched it will fully automate the removal process. IMHO Malwarebytes is the very best ad/malware removal utility at the moment, with Spybot S&D and Superantispyware being tied for a very distant second.
Re: (Score:2, Informative)
Re: (Score:2)
That program's saved me a lot of wipe-and-reinstall jobs at work. It removes even the most stubborn self-repairing process-hooking BHO-installing rootkits.
Whoever made it deserves a Mercedes SLK convertible and an expensive watch - the closest real thing to a FantasyGirlSexLand lifetime pass.
Re: (Score:3, Informative)
I agree MalwareBytes is one of the best Win environment removal tools, but I was having about 20% re-infection rate with these entrenched AVPro infestations that were removed by MB(& Spybot). I also searched system folders for dll's newly installed and installed "BEFORE the OS" to unregister manually, then running MB and SB S&D again, in SafeMode w/ Restore Points deleted/disabled. Honestly, after all that work, it is most times easier/cheaper to image drive, nuke/repart drive(in DOS or EXT), reload
Re: (Score:2)
I've never used malwarebytes, but Im gonna download now and look it over.
Re: (Score:2)
Re: (Score:2)
Re: (Score:3, Informative)
I've been through about 20 machines with this infection or variants there of (av360, av 2009, av2008, etc). I'm guessing I lost about four of them, the worst of course were the ones where the user went all the way through with the install, assumed they were protected and let the damn thing run for months, updates and all. One of those machines I'd just like to shoot. It powered off and wouldn't come back on for three months, then "bam!" it's running again. I'm thinking that thing won't be safe until the dri
Re: (Score:2)
My sister got this on her XP system. She is pretty clueless but had never managed to get any malware on her system other than this.
Took me and her boyfriend nearly 2 hours to clean it off.
Re: (Score:3, Funny)
Av2009 sucks! Antivirus 360 is the best scanner ever! and it's only 79.95! And it also came with a great product called File Fixer Pro!
All my documents were corrupted, And this File Fixer Pro fixed them all for only $49.95! I was so relieved!
I'm also hearing great things about "Antivirus Number 1" too. After all, It's Number 1!
(Yes this is a Joke. Laugh, becaue you'd be surprised how many times I've heard something similar to this.)
Are we surprised? (Score:5, Informative)
Adverts for these things get into legitimate sites all the time through things like adwords, even though they're normally taken off quite sharpish, they're still there. They still cause problems and numpties do click on them. The old IBK error keeps appearing. As long as people aren't educated as to how this all works the problem will remain huge.
The problem with Anti-virus is that every few years a new guy appears on the block. First it was Norton, then Mcafee, then AVG, Kaspersky, and now whatever AV's the in-thing to use. There are new viruses out there all the time too, and if there's one thing that normal people are aware of it's that there are alot of viruses out there, and that your AV doesn't give 100% protection, so when something pops up saying "You're infected! Our AV will cure it!" they're likely to believe that their current AV is defective, because clearly this one spotted it, they download it and BAM! world of trouble.
It's depressing sometimes, but gladly, I've not had to remove it from any PCs in a while, whenever I do I recommend they replace their browser with Firefox and Adblock plus (Not noscript, I did that once and I got bollocked for that a bit because 'using the web was too hard as he had to press buttons every site he went on', the guy was a real pleb but nevermind) - and ABP stopped all the ads, and thus, stopped them downloading and installing that shite.
Re: (Score:3, Insightful)
The more interesting thing is the recent development in them - they've actually started to detect small amount of threats.
Combined with that and the fact that they aren't a virus but seemingly legitimate software makes it hard in law point of view. By far the only way to have them procedured has been about misleading marketing, which is right. But for example I installed Norton Antivirus (or the quick scanner of it to see if I had viruses). It ended up being really hard one to delete, popping up its scan fr
Re: (Score:2, Funny)
[blockquote]One thing that's remarkably consistent is that fake AV peddlers seem to be systematically not native English speakers. I can't remember the last time I saw one of their sites without some kind of typo on it. It my be worthwhile to train lusers solely based on that criterion.[/blockquote]
wat r u talkng abot?
btw usa#1!!!
Re: (Score:2)
Norton (Score:5, Funny)
Yeah, very very scary... (Score:5, Interesting)
My netbook required an update to MacAfee ("free" from Comcast) because one part of it stopped working, and during its first scan, it started reporting a problem. Wouldn't tell me what the problem was unless I let it run for twelve hours to scan the whole system. I tried stopping it and looking at logs, I tried looking at logs while it was running, nothing other than the "ominous" 1 under "detected threats".
Turned out that it was reporting the crack program that allows me to run Duke Nukem without the CD -- since the netbook doesn't have a damn CD and I own the copy of Duke Nukem. MacAfraid called it "a program you might not want to have".
Phhhht.
Re:Yeah, very very scary... (Score:5, Informative)
Uninstall this crap.
Major pain (Score:3, Informative)
Re:Major pain (Score:5, Informative)
Re: (Score:3, Insightful)
"Start with removing them from local Admin group for a start."
I'll second that. Make sure they have no privileges outside their specific job description. If "Limited User" isn't good enough, go to group policies and restrict them there. Lock the user down tight, and he won't be able to run these scripts or install anything. No mercy - if you have to protect a dumbass from himself, protect him. You wouldn't let your toddler play in traffic, would you?
Re: (Score:2, Interesting)
Re: (Score:2)
At a guess, javascript is enabled. That's why noscript is so good, and adblockplus. Assuming you can't install Firefox, at least disable javascript in your browser. Set all of your security settings to high in IE. Hopefully, you informed the IT department of the drive-by, so that they know their machines are vulnerable. HOST file can alleviate the problem, just download some of the readily available files from the internet, and copy them over your old file. Hostess program is good for merging files.
Re: (Score:3, Funny)
You wouldn't let your toddler play in traffic, would you?
/me goes out to retrieve toddler.
Re: (Score:2)
Point taken. I'll make a counter point, though. I'm not a people person. I don't hang at the water cooler to chat with people, because I just don't give a damn about the gossip. I don't care that the secretary's daughter's cheerleading team won an award, don't care that the forklift driver just bought a new motorcycle - I'm not a people person. I'm sure as hell not going to make some eye candy presentation to teach people about the hazards involved. I'm willing to send an email, telling them how stupi
Re: (Score:3, Insightful)
Nice try. You attempt to justify the user's failure to train himself in a job for which he is paid, to my failure to suck up to that user, for which I am NOT paid. Utter phail. When you are paid to use ANY sort of equipment, it is presumed that you have the technical skills to do so. When you demonstrate that presumption to be wrong, then you must be protected from yourself. More, I have to protect other people from your ignorance.
FFS, the workplace isn't SUPPOSED to be a day care center, or a group th
Re: (Score:2)
We had users viewing, emailing and saving porn on their computers. We had chain emails. We had people installing screen savers and other third-party soft
Re:Major pain (Score:5, Insightful)
"Admin rights are required on all the computers for access to active directory and such."
BZZT!
Access to AD only requires the *user* have admin rights, not the Computer.
Try this (has worked wonders for us):
Create two accounts for each user. One for day-today use, one for AD admin tasks. (Add AD in front of their username or some such) Secure their day-to-day as a limited user account. Lock the admin account down. Don't even give them proxy access or network share access.
Create a shortcut on their desktops (to dsa.msc, or whatever) and right-click it. Under properties/advanced, set it to run with alternate credentials.
Now, when they log into their day-to-day accounts, they can still open the dsa shortcut and enter i their "admin" account credentials to manage the AD, but now neither the AD account or their mornal day-to-day account will be capable of installing "AV2009".
Seriously, try it.
Problem solved.
Re: (Score:2)
Obviously, I can't mod you up. You deserve about 20 insightful points. "Run as" has been around forever, but no one wants to use it. Your method is pretty slick, I like it.
Re: (Score:2)
Re: (Score:2)
Tell me about it. We've had to resort to sending out emails with screenshots of various Antivirus 2009 screens cribbed from ISC and other places. "Hey, see this? Don't click on it". And I know it won't do a damn bit of good.
Re: (Score:3, Informative)
Laws of computer stupidity
1) 99% of computer users do not know what they are doing.
2) Computer users do not read.
3) If a computer user can click on it, they will.
4) You can patch software, but you can't patch stupid.
Understanding the above when making your corporate system build will pay off in the end.
Re: (Score:2)
Re: (Score:2)
Hey, breaking news! I found a patch for stupid! It works pretty well
Ok I Reiterate. There's no Legal way to patch stupid.
Re: (Score:2)
I wouldn't be so quick to blame your users. Almost all of these fake anti-malware viruses seem to exploit flaws in certain outdated versions of Sun Java or browsers.
Not to mention, the users have little choice in the matter once exploited-- and they likely did nothing to become infected other than visiting a website that happened to be infected. The AV2009 virus and others tend to hijack the system on a superficial, but widespread infection, flooding the users with threatening popups that they are unable
Combofix (Score:5, Informative)
I'm posting to say: COMBOFIX. This thing magically removes Antivirus 2009 and 2010, even the rootkit versions that MBAM falters on (or that prevent MBAM from running, even in safe mode).
http://www.bleepingcomputer.com/combofix/how-to-use-combofix [bleepingcomputer.com]
Use it. Love it. Marvel at its simplicity, its beauty.
They're well-written (Score:5, Insightful)
Those are some of the best-written software out there. No, really! The first time I encountered the more advanced ones, almost malware detection/removal software could detect them, and none of them could remove that malware. It was on a system for a friend where reformat/reinstall was not really an option (would have taken more time to do that) so I dug into it. It took 26 hours to completely remove the crap from the system - it had strewn source files through the Windows and System Restore directories, had several hidden processes which monitored process killing and file deletion and would modify, recompile, and reinstall multiple copies of itself again.
A few weeks later Malwarebytes and Spybot S&D were updated and could easily remove any variant I've come across since then. The first time I hit it was a pain in the neck, then it was routine removal of it for a few weeks (a bit of time consuming but not nearly so much as the first time) and then it became a simple matter of renaming the malwarebytes and Spybot S&D installers, renaming the installed executable and running them. Ad-Aware couldn't detect them - and it's a shame. Ad-Aware is pretty much useless now. It seems that once they gained commercial viability they became complacent.
The douchebags who write that software aren't stupid. Malware is getting to be extremely well-designed and it's a damned shame those authors aren't doing more productive work.
Re: (Score:2)
Those are some of the best-written software out there. No, really! The first time I encountered the more advanced ones, almost malware detection/removal software could detect them, and none of them could remove that malware. It was on a system for a friend where reformat/reinstall was not really an option (would have taken more time to do that) so I dug into it. It took 26 hours to completely remove the crap from the system - it had strewn source files through the Windows and System Restore directories, had several hidden processes which monitored process killing and file deletion and would modify, recompile, and reinstall multiple copies of itself again.
It isn't that they're especially well-written... They may be, I don't know. The problem is that the mainstream anti-virus/malware stuff (like Panda, Symantec, McAfee, etc.) does basically nothing for them. You need to use tools like - as you suggest - Malwarebytes and Spybot. Of course there's some lag between when something new comes out and when definitions get updated... But that's always been the case. If you're one of the first infections of anything it will be a pain to remove.
Ad-Aware couldn't detect them - and it's a shame. Ad-Aware is pretty much useless now. It seems that once they gained commercial viability they became complacent.
Agreed. We used t
Re: (Score:2)
I would like to congratulate the writers of that malware. I would also like to honestly congratulate you for finding the way to removing it in 26 hours!
While I always advocate full reinstall (Score:4, Informative)
for compromised systems, one thing that works great in the cases where you can't is Process Explorer from Microsoft. It is a more detailed task manager so you can get more information on processes. That itself isn't useful. However, what it can do is suspend processes. You choose a process and there's a suspend option, as well as killing it. Well, what that does is allow you to shut this stuff down, but its watchdog process doesn't notice. It is still "running" it just doesn't get CPU time. So the main process can't stop you from modifying the system, and the watchdog doesn't know to reload it.
You then can make use of Autoruns, also from Microsoft. That shows you everything that starts up on your system. Use that to track down and remove the startup of the processes. Reboot to clear the file locks (or boot to a live CD), and delete the files.
I can get rid of all the malware I've thus far encountered manually using those tools and spending some time. We have to do it sometimes because professors refuse to let us reinstall, even though that is the best option, since I can never be 100% sure I cleared all threats.
Re: (Score:2)
You can also set Deny permissions of the files the virus is trying to start at boot, once you figure out what those are. NTFS permissions are adhered to *extremely* early in the boot process, so this technique is really, really effective-- the hardest part becomes figuring out which specific files contain the virus.
I wrote a blog post on how to use this technique to get rid of Vundo on an XP machine: http://blakeyrat.com/2008/10/how-to-really-get-rid-of-the-vundo-aka-virtumonde-virtumondo-ms-juan/ [blakeyrat.com] No reason
Re: (Score:2)
Re: Fake Antivirus Overwhelming Scanners (Score:3, Interesting)
Getting these all over the place (Score:5, Informative)
Thankfully, we've found a fairly nice remedy that doesn't force us to wipe the hard drive. Don't bother with Ad-Aware or Spybot S&D anymore- they've become very ineffective as of late.
First we hit it with a scan from Malwarebytes Anti-Malware, a free scanner you can download here: http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol [cnet.com]
Then, on the infected computer, we download and run (in safe mode) a somewhat obscure free program called Combofix, which is available here: http://www.combofix.org/ [combofix.org]
After that, we run one more follow-up scan with Malwarebytes to ensure that the computer is clean.
So far, this combination of steps has eliminated the infections that we've come across.
Re:Getting these all over the place (Score:5, Informative)
There seems to be very little response from the traditional/big/mainstream antivirus companies.
We usually install something centrally-managed for our clients, like Panda or Symantec. They do a decent job of stopping viruses, and it makes for less work for us... But they do absolutely nothing for these new rogue things. They don't get detected, they don't get blocked, they don't get removed... Nothing at all.
You wind up having to actually sit down at the machine and run through a battery of individual scans... Slaving the HDD to another machine, booting into safe mode, booting into normal mode... Far more time-consuming than I'd like.
Re: (Score:2)
The ones that are truly lovely are the ones that patch the Windows Restore directory tree with binaries and source. Those are really nasty!
Re:Getting these all over the place (Score:5, Informative)
^This.
I work help desk at the college I'm enrolled at, and removing this virus and its variants from student laptops is pretty much the entirety of my job description.
I recommend running ComboFix first, because it will generally neuter a virus enough for MalwareBytes to install and remove it. If the virus keeps ComboFix from running, rename it to magickitties.exe - some kill AV processes by name.
Anything more interesting than that, download the free Windows AIK [microsoft.com]. Make an image of the drive using ImageX. Mount the image (and the registry hives on the image) on a clean PC and do a scan on that. Reimage the PC with the clean image.
Just creating an image with ImageX is sometimes sufficient to remove the rootkit portions. ImageX is file based, and the rootkit portions hide from the MFT. ImageX simply fails to gather the rootkit portion, because it hides too well.
Usually, all it takes is 10 minutes of letting ComboFix run and 30 minutes of letting MalwareBytes run. Very slick.
Re: (Score:2)
I love our campus laptop program for this very reason.
If we get one of these viruses, we swap their hard drive with a preimaged one then clean and copy "my documents", "desktop" and "favorites" from the old drive to the new one, then wipe and image the old drive for the next person.
This way we know the virus is totally dead, since so much crap these days rootkit your box right off the bat.
There is viruses that nothing truly removes. My favorite is still TDSS. There was a varient that would reside in the rec
Re: (Score:2)
A single scan isn't enough and you should scan your computers with multiple competitive scanners simultaneously. We need something stronger that can protect against many kinds of holes. Until recently, I've been quite satisfied with ESET's NOD32 and I had even considered purchasing a couple of licenses for home use, but their anti-trojan team seems to have taken a long break. Then, I realized: antivirus products protect well against viruses that look for holes in the software, not against trojans that look
Re: (Score:3, Interesting)
Agreed. Until very recently, I worked in a computer service shop, and MBAM proved so useful that I purchased a license for the full version just to support Malwarebytes (I wasn't running Windows at the time, so the license was essentially useless to me). Well, now I'm back running Windows (I installed 7 on my laptop Tuesday night to get a good look at it before people start bugging me with questions about it), and I must say, the real-time scanner is nice - it's very lightweight (the service is currently co
Re: (Score:2)
Stop letting your users run as local admins.
frustrating as hell (Score:5, Interesting)
What really annoys me is the fact that the mainstream antivirus products (Panda, Symantec, McAfee, etc.) do such a crappy job of dealing with these rogue antivirus things. Most of them don't do a thing. Don't detect the rogue stuff, don't disinfect it, nothing.
Which means that we have to use something like Malwarebytes or Spyware Doctor to remove them.
This is especially annoying for us... We're outsourced IT for our clients. We aren't there every day to take care of everything they need. We set things up as safely and securely as we can, manage it all as best we can, but we can't lock things down as tightly as I'd like because these folks need to be able to operate without us - installing their own software and updates, things like that. So it's only a matter of time before one of our clients stumbles into one of these rogue antivirus products.
Does anyone know of a good, centrally-managed (like Symantec of Panda) anti-virus/malware package that actually detects these rogue things?
Disaster for Regular Users (Score:2)
I got to fight with Windows Police Pro after it got onto my Mom's computer. It pretty much makes the computer useless. It even changed the file registration for .exe's and .com's. Luckily, after fixing the registry I was able to get Malwarebyte working and got things running again.
My wife later told me about someone at work getting something similar. She asked what to do and I started rambling on about all the steps. She then asked what this non-techie should do. I had no idea. Find a geek or pay for one a
Re: (Score:3, Insightful)
2. Don't install anything- ANYTHING- from the internet unless you know exactly what it is. Even then, you might want to run a quick scan on it. Most virus scanners add an option to the right-click context menu to make this simple.
3. If you see anything saying "your computer may be infected" or something along those lines while browsing the internet, ignore it. I
Re: (Score:2)
> Don't install anything- ANYTHING- from the internet unless you know exactly
> what it is.
I'd amend this to "Don't install anything- ANYTHING- from the internet even if you know do exactly what it is." Because the sort of users we are discussing here, when they "know exactly what it is", are WRONG.
Re: (Score:2)
Re: (Score:2)
I wasn't looking for a real answer. My point is that there isn't one. The two people I know didn't have disaster recovery files and they lost their system restore CDs awhile ago. I was actually prepared to install a cracked copy of Windows as a last resort. Even if they did have that stuff, it is still just way too complicated to be themselves. I'm supposed to tell the to RTFM? That ain't gonna' help.
Even advice from above is almost useless. Don't install anything from the internet unless you know it is sa
Re: (Score:2)
The last Windows PC I bought made you create your own Recovery CDs. I wonder if anyone who bought it actually went to the trouble to do that?
And the problems you mention are exactly why I break into a cold sweat whenever my mom thinks about getting a computer.
Another +1 for MalwareBytes Anti-Malware (Score:2, Insightful)
You know MBAM is good when the newest variants of this shit specifically prevent its installer and the application itself from running (unless you rename them).
Whoever is responsible for this fake antivirus and security software should be killed slowly and painfully over a period of weeks. Like, torture them to near the point of death and keep a couple medical personnel on hand to nurse them back to health so you can start over again, and repeat the process a few times. And put videos of it on YouTube for t
Motivation (Score:5, Interesting)
This is all the free market working against the unfree market. In a free market competitors work to make the best product to make the most money. Right now, that's malware writers, each trying to outdo one another and make the best trojans to get the most bots and personal info.
In a free market consumers would buy computers best suited to deal with this threat, with defenses that appropriately reduce this threat to a small subset of their customers. But, since we have one player with a huge amount of influence on the desktop OS market, with huge influence on computer makers and other markets and who has built substantial barriers to prevent consumers from trying other options, desktop OS's are not adapting appropriately. Why should they if it is not losing them significant money?
Trojans aren't some unsolvable problem, but for the most part they are a problem that needs to be dealt with at the OS level. Add on software from computer makers is only going to be partially effective. SELinux, for example, does a reasonable job of mitigating trojans in the secure workstation market, but has not been adapted to the consumer desktop market as yet because it requires integration on the part of application developers and there is no real motivation to do that. Linux and OS X desktops don't face significant levels of attack. Windows doesn't lose real money when it fails to defend against them. Why would anyone who understands the benefits of free market capitalism expect anything but to have malware writers win. They have direct, financial motivation.
Seriously, MS could easily create a sandboxed backwards compatibility layer (they already have). They could easily require all software that did not have a proper signature and an ACL to run in a restricted sandbox. They could dump money into crafting a good UI for it and motivating developers by restricting access to new, useful APIs. The real question is, why should they, as a business, spend that money?
I have a modest proposal that will solve this problem and a lot of other problems all stemming from the same cause. Break up Microsoft. Seriously. They're repeat offender antitrust violators. Break them up and give at least two new companies complete rights to use all the source code and patents and an equal portion of the human resources and capital. Forbid these companies from any nonpublic communication or any agreements they don't offer to other companies with the same terms.
When you have executives at MS-A and at MS-B both realizing they have to do something to win sales contracts from Dell and HP and Sony and Asus guess what, they'll have to compete. Then their financial well being will depend upon which can deliver a better product at a lower price. Neither will be able to strongarm customers or people in other markets. They'll have motivation to fix the flaws in Windows and the accompanying software that people have been learning to work around for decades. And neither company will have to worry about antitrust concerns and will be able to bundle whatever crap they want including their version of IE. I'd be willing to bet if our justice department had the balls, the malware problem would be a minor annoyance in 5 years time.
The Flaw In "Additional Safety Software" (Score:3, Insightful)
Isn't it about time to start asking Microsoft to fix the system instead of installing additional software that helps cover up the flaws? The reason why they went with this is that it is cheaper to offer "feature rich environment" but cover the holes with "additional safety software" than it is to make sure the "feature rich environment" is correct let alone sane or safe. The weakness has always been the "additional safety software" part. If legitimate software can be "additional safety software" then illegitimate software can be "additional safety software" as well.
Who validates what is legitimate "additional safety software"? The AV Industry? Microsoft? These guys aren't exactly impartial and at an abstract level represents a conflict of interest. Should it be left up to the user? If the user was qualified to do that they wouldn't need "additional safety software". This is a gigantic losing battle where we have long since pasted the point where we need more AV and UAC "protection" and start closing loopholes and flaws in the Windows OS and architecture.
Linux is the best antivirus I have found (Score:2)
No viruses. Not one, and not a single Windows computer is permitted to connect to my network. I keep one copy of windows in one box. It is a cardboard box in my closet under some books and smelly socks. It has not gotten a single virus either.
I do have to keep a frigen virus scanner on my mail and files coming from outside my network, so I don't simply pass them on to other windows computers if the files ever leave my network. It pisses me off that I have to waist time and resources on protecting windows co
Re: (Score:2)
No viruses. Not one,
Out of curiosity, how do you know? If you had a virus, what in your system would reveal that?
Note: I'm being somewhat rhetorical here, as it's quite possible you're one of the Linux users who constantly check your firewall logs and such to actually ensure their computer isn't doing anything undesirable. I'm not even suggesting Linux is insecure, other than to say it's just as open to viruses as any other OS.
I just like commenting on the fact that the vast majority of Linux users who clai
Re: (Score:2)
This is a gigantic losing battle where we have long since pasted the point where we need more AV and UAC "protection" and start closing loopholes and flaws in the Windows OS and architecture.
The core flaws are the that Windows does not clearly provide the user with appropriate information on who is providing a given application and if that is a reputable source or an anonymous provider. Windows does not allow users to run software within a sandbox with permissions appropriate to the software, by default. Windows does not clearly provide granular controls and feedback on what a given application wants to do and what risk this entails. Further, when it comes to determining trust, MS has failed to
Re: (Score:3, Insightful)
AppLocker fixes this in properly managed environments.
But there is no way, for any OS, to fix "user willingly downloads malware and runs it".
Is a Hardware based OS the answer? (Score:2)
If viruses change the way a system functions, wouldn't it just be safer to burn the OS into a chip?
Seriously, I'm happy with Windows XP. I never need to change it, and MSFT certainly isn't maintaining it anymore.
Couldn't we just burn XP to a chip and be done with the virus problem forever? Or is there always a need for external (non read only) files?
Naive question (Score:2)
Why do none of you people reinstall when you discover that a machine is compromised? You appear to be using the compromised OS to scan itself. That cannot be reliable.
Re: (Score:2)
Huh? Why are we trying to protect lemmings? (Score:3, Insightful)
I'd make a headline change, sub in "users" for "scanners."
If there was ever a clearer case of PEBKAC, I'd like to hear about it. This is like trying to wall off a cliff to protect the lemmings.
If people will install random crap off the Internet without first reading a review, getting some word of mouth, and/or downloading it from a trusted source, they're going to get infected. Having an AV is useless if you're going to behave as described in TFA. There isn't a technological solution here.
An AV can't protect people who don't understand that you shouldn't "fertilize your lawn with motor oil." This is the level of dumb we are talking about here.
--
Toro
Honor among thieves? (Score:2)
Re:The worst offenders (Score:4, Interesting)
Makes me wonder how many computers percentage wise are really infected out there with back-doors.
Very scary zombies everywhere.
Re: (Score:3, Insightful)
Large AV suits face similar problems as viruses: They are prone to removal by their enemies. Ironically, they are each other's nemesis in this respect: Yes, malware tries to uninstall AV suits or render them useless. So what do AV suits do? They dig deeper into the system. Sometimes to the point where you, the user, are no longer sure whether the cure is more poisonous than the sickness.
My solution has been to rely more and more on "no-names" in the AV biz. They often have surprisingly good detection rates
Re: (Score:3, Informative)
You do realize that if your running two AV's they stomp on each other and nothing works
No always the case, You can use and Online Scanner with no problem.
Sadly they sometimes pick up things otherones miss.
http://housecall.trendmicro.com/ [trendmicro.com]
http://security.symantec.com/ [symantec.com]
http://www.kaspersky.com/virusscanner [kaspersky.com]
Just to Name a few online ones.
OVERWHELMING SCANNERS!! (Score:5, Funny)
In interesting news, a fake antivirus has caused quite the riot with women in their mid-twenties. Due to unemployed data operations programmers trying to earn some money to at least pay their bills, they have created a fake antivirus much like Windows Antivirus 2009. However, this pseudo-antivirus program is smart and employs unique data mining technologies to determine which users are likely to be attractive women in their late teens to late twenties. These victims are then targeted and scammed.
The women are targeted with an algorithm that determines how much proportional web browsing is carried out on Myspace, Facebook, email, and on online clothing shopping sites. By using a modified log-normal distribution, ex-programmers were able to create a model that determined which users were of the targeted age group 86% of the time and which were hot 49% of the time. With the statistical combination, the "antivirus" program learned which users were "hot women" and instructed them to sit on their scanners with their skirts and underwear removed, or else their computers would go up in smoke. As such the demographic is generally technically illiterate, the women have been doing so, scammers have been receiving really nice butt-on-glass pictures, and the scanners themselves--especially the ones marked "HP"--have been completely overwhelmed.
Re:The worst offenders (Score:4, Interesting)
McAfee is bad lately as well. Completely ignored the infection of two machines on our network the other day. We had to use Malwarebytes to find on one, and interestingly enough, Microsoft Security Essentials seemed to do a good job at finding and cleaning the other one.
McAfee not even detecting these is worrisome though. We've got like 300 CPU's, all EPO protected, and for all I know they could all be infected.
There is no cleaning (Score:3, Insightful)
If an app had enough permissions to get installed it's trivial for it to elevate it to system privileges and install a rootkit that cannot be detected. Even if you remove the drive and scan it in a known-good system, there's still a chance that the product you're scanning with doesn't recognize the particular threat yet because these threats are polymorphic and the one on the scanned system may be unique.
It's scary enough that we have to trust vendor media for these closed development operating systems.
Re: (Score:2, Interesting)
Re: (Score:3, Informative)
Security Essentials detected several:
- Adware: Win32/WhenU.A (Medium Alert Level)
- Adware: Win32/ClickAlchemy (Severe)
- Adware: Win32/ABetterInternet.C (High)
- Adware: Win32/SurfPlayer (High)
- Adware: Win32/NewDotNet (High)
To be somewhat fair to McAfee, it did detect a couple coming from one machine, MWS and SmartShopper, but this was very late in the process, well after the user had reported seeing the FakeAV pop-up and (apparently) after the machine had been infected. Perhaps these are McAfee names for so
Re:The worst offenders (Score:5, Informative)
To remove norton, Don't bother with the uninstaller. Get the Norton Removal tool from their site:
http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039 [symantec.com]
This is for ANY install of ANY norton products. It also gets rid of shared files and their registry settings.
Re:The worst offenders (Score:5, Insightful)
Re: (Score:3, Insightful)
We'll if the AntiVirus software were to make it that easy to remove with the uninstaller, then a virus could do the same thing. The real problem I have is most of this stuff being a resource hog. With the corporate version of McAfee, you can't hardly do a save as without having to wait 5 minutes. I will be so glad when our licenses for that program expire. Maybe we will try Norton next, I don't know. We want it to work, and not be more resource intensive than video editing, you know.
Re: (Score:2, Informative)
Try Moon Secure (Score:2)
Open source, uses the ClamAV database. Vista/7 support pending.
Re: (Score:2)
Re: (Score:2, Interesting)
Re: (Score:2)
Re:Pay For Full Version (Score:5, Funny)
It makes sence to make a virus like this. My buddy got one. It said you have a virus pay us $X for full version of Anti-Virus program to remove it. It was a real pain to remove as I remember.
I know, I have naively installed Symantec on my computer too...
Re: (Score:2)
I've had those things pop up on Linux machines, and they report dozens of infections. Once, I couldn't kill the blasted thing, nor could I close Firefox. I had to go to the system monitor, and kill Firefox to regain control of my browser. Aggravating bit of nonsense, especially since I had several windows and tabs open.
Re: (Score:3, Informative)
Typically, a window pops up telling me that their website has detected a virus and spyware on my computer. The website suggests that I let them scan my hard drive for vir
Re: (Score:3, Informative)
Re: (Score:2, Insightful)
not even a case of not RTFM but a case of not opening yer anonymous wee eyes!
Re: (Score:3, Informative)
IIRC you even get a page that lets you select which tabs to reload so you can specifically not revisit the particular one that killed the browser. (Maybe that's just in the newest version or two, though.)
Re: (Score:3)
I realize that you may be fishing here - but I'll bite. What's wrong with system monitor? Granted, there are other tools that may be more fine-grained, and there are also CLI tools for the purpose. But, why don't you like system monitor? You're an old-school purist? If that's the case, I'll readily admit that I am not. I spend most of my time using GUI.
Re: (Score:2)
It was a real pain to remove as I remember.
SmitFraudFix [geekstogo.com].
Re: (Score:2)
You jest, but I've heard compelling arguments for requesting that ISPs disconnect computers doing malicious stuff even if the owner is unaware of it until they clean up their act. I could even be swayed to believe that ISPs should be held partially responsible/liable for malicious traffic they're relaying just to convince them to enforce such measures. It puts an additional burden on ISPs, but where else can we stop clueless users from polluting our Interwebs?
Re: (Score:2)
Re: (Score:2)
Must be the same dimwits who see ads on the internet.
Re: (Score:2)
Why would anyone, ever, under any circumstances click on a popup ad? For antivirus?
Who are these people, and how can I take their money somehow more legitimately?
For a modest fee, I can supply her name and number. Last crapware purge netted about 400 infections. She has got herself programmed to click ok to close any popup that appears. Surprisingly few viruses, but a fine collection of fake virus scanners that insist on starting up and displaying a comforting splash screen at boot. And she was using XP.. No UAC.