Fake Antivirus Peddlers Outpacing Real AV Firms 245
An anonymous reader tips a writeup at KrebsOnSecurity.com detailing how purveyors of fake antivirus or 'scareware' programs have aggressively stepped up their game to evade detection. The posting is based on a report from Google's malware detection team (PDF). "Beginning in June 2009, Google charted a massive increase in the number of unique fake antivirus installer programs, a spike that Google security experts posit was a bid to overwhelm the ability of legitimate antivirus programs to detect the programs. Indeed, the company discovered that during that time frame, the number of unique installer programs increased from an average of 300 to 1,462 per day, causing the detection rate to plummet to below 20 percent. ... In addition, Google determined that the average lifetime of sites that redirect users to Web pages that try to install scareware decreased over time, with the median lifetime dropping below 100 hours around April 2009, below 10 hours around September 2009, and below one hour since January 2010."
Why use an unknown AV program? (Score:2, Insightful)
Re: (Score:3, Insightful)
Comment removed (Score:4, Interesting)
I have to disagree (Score:3, Interesting)
Re:Why use an unknown AV program? (Score:5, Funny)
What upgrade could be more sensible?
Re: (Score:2)
Actually, that's a good point. Most viruses today are tested against the big brands before release.
Re: (Score:2)
Re:Why use an unknown AV program? (Score:4, Insightful)
Re:Why use an unknown AV program? (Score:5, Interesting)
Its shocking though, nobody would trust someone in the real world telling you that you need something they are providing without some kind of double check.
If someone showed up at your house and told you that your water could kill because of some microbe you have never heard of that they claim is getting into your pipes and the only way to make yourself safe is to install this helpful filter that they are selling would you believe them?
Re: (Score:2)
If someone showed up at your house and told you that your water could kill because of some microbe you have never heard of that they claim is getting into your pipes and the only way to make yourself safe is to install this helpful filter that they are selling would you believe them?
A /. reader probably not, but the general public ?
If there was any profit in it, you could easily create a scare campaign about DHMO which could turn very messy. People can be insanely gullible when you present things the right way.
Re: (Score:2, Funny)
Well just for your information, my filter is working quite well thank you!
I'm just not quite sure how it works when they never actually connected it to my water pipes but hey I'm still alive to post this thanks to my filter!
Re:Why use an unknown AV program? (Score:4, Interesting)
Many mechanics rely on this not being true all the time. Cars and computers are magical things to many people, things that normal people aren't expected to be able to understand. These 'normal people' are simply used to trusting anyone, or anything now, that claims to be an expert on the subject.
Re: (Score:2)
Re: (Score:2)
Yep. I can easily change brake pads, oil, oil filters...
But it's a pain in the ass with my 50 piece Craftsman set and could take hours. I'm more than happy to take it to someone with a pneumatic wrench and a lift.
Re: (Score:2)
Just had a mechanic suggest I flush the break line on a 3 year old car, 'because it's something that should be done every 3 years.' Of course the dealership was willing to to do it to just $150 or so.
They ain't afraid of shit and heaven forbid you have a vagina but for some reason, by and large the general public believes you should just trust people calling themselves experts.
Re: (Score:2)
Yeah, I had my car in for an oil change at the dealership (I have free lifetime oil changes), 1 year ago they said I only had 1mm of brake pads left, then 3 months ago they said I had between 2-3mm of brake pads left. I think I have the *only* car that actually GROWS brake pads instead of wearing them down.
Needless to say, I don't let them do anything to my vehicle beyond the oil change.
Re: (Score:2)
My mechanic I already have a relationship with, he might be screwing me, but I already trust him to at least a certain extent; I let him fix my breaks after all.
I might trust my plumber who I hired to install a hot water heater when he tells me I need some doohickey (technical name) installed but not a guy who shows up at my door, and certainly not some popup from a web site.
Common sense. (Score:2)
It's not true, by and large, that people would be incapable of understanding if they sat down to take the time to figure it out, but in the cases of such an unequal informational playing field (you and your doctor, you and your mechanic, grandma and her computer tech) people are paying not just for service but for expertise, and that makes them vulnerable to this kind of exploitation.
Re: (Score:2)
Bad analogy for your angle, the water purification market uses that exact tactic and is alive and well.
That is exactly what the fake AV companies do (and some of the real ones)
But the real trick is most of the time people don't know they installed anything, their compare said it had problems click here to fix, and now they have more problems . . . but those can be fixed by buying full pro version.
Re: (Score:2)
Re: (Score:2)
My GF has family in some two-bit rural town in southern Missouri, and their water is TERRIBLE. I can say, even without tasting the "purified" water, that it HAS to be better than the loc
Re: (Score:2)
Yea, but I've heard of Britta.... just like I've heard of Macafee (especially now!). They may or may not do anything, but at least they are popular and if they were total garbage, or actually bad for you, I would probably have heard of it.
Its when Joe shows up at my house selling Joe's super duper water purifier (It gets the things that Britta misses!) that I start to get really skeptical.
Re:Why use an unknown AV program? (Score:4, Informative)
Oh my God! Who do I make that check out to again? No, can't wait for it to clear, let me just give you my mattress and you can take how much it is, OK, I can't number very well.
OK, seriously...
Remember that many of the victims of scams like this don't know any better. These aren't random people showing up at their houses, they are ads showing up on websites. But many don't even know that.
They only know that their "computer person" has told them to make sure their AntiVirus is working correctly, and that the computer has just told them that their AntiVirus has stopped working correctly but the nice warning offered to fix it for them. Many of the newer ones look pretty legitimate, too, and have multiple URLs so when you Google them fake review sites come up and gush enthusiastically about how great the product is.
I have a co-worker who has been hit by this. I support 2 co-workers' home computers. They are otherwise intelligent people who use the preconfigured computers here at work every day. I give them lists of free antivirus packages they can load, and the one who had the problem came in and told me that her subscription to n0d ran out, but that the computer had warned her to replace it with "AntiVirus 2010" which had a free trial, but she noticed that once she installed it the computer slowed down.
She's not dumb, just on the low end of computer literacy. She knew that she needed to avoid popups and to run an Antivirus client, but this specific popup looked like a dialog box and she knew that her AV was running out, so she assumed it was like all the other warnings Windows Seven likes to send her about updates and such.
Re: (Score:3, Funny)
You have have seen this about dihydrogen monoxide [xs4all.nl] and how it's being put in everyone's water supply! :)
Get a few of these to circulate and people will be in a full-blown panic. Remember, a person is smart. People are dumb.
Re: (Score:3, Insightful)
When a person shows up to the door, people are skeptical because they don't know that person and don't have a business relationship with them.
If you already buy an expensive product from a reputable company; you are going to be far less skeptical about things you are told about that product, by that company. If you buy a new car from Ford and the 'ABS' light comes on - provided you know nothing about cars, other than how to drive them, to believe that there is something wrong with your brakes; compared to
Re: (Score:2)
But aren't these fake antivirus apps coming from random popups (mostly on porn sites :-).
I would think a popup ad would make people at least as skeptical as someone coming to their door unsolicited.
Re: (Score:2)
Bad analogy because if you've never heard of the microbe there's something fishy, why hasn't there been any official alert? But everybody knows there are viruses on the Internet and that you have to protect yourself against them, it's a confirmed fact you should have anti-virus. If everybody had to filter their water and you offered the ultramagic superwhoopie cleanex filter 3000 for the low, low price of 199$ many people would buy it.
Re:Why use an unknown AV program? (Score:4, Insightful)
Its shocking though, nobody would trust someone in the real world telling you that you need something they are providing without some kind of double check.
If someone showed up at your house and told you that your water could kill because of some microbe you have never heard of that they claim is getting into your pipes and the only way to make yourself safe is to install this helpful filter that they are selling would you believe them?
A big difference is that the fake antivirus pop-ups aren't usually trying to sell you anything, they just want you to click OK! It's easy to click OK, and, for the average [clueless] user, just clicking OK doesn't feel nearly as risky as letting a stranger into your home, or buying a mysterious product.
I think most people just do a naive, clueless sort of risk assessment. If the pop-up is telling the truth, they really need the software. If the pop-up is lying... well, they're not directly paying anything and have no idea what could go wrong, so they assume it's not a problem. Therefore, they decide to click OK to install the software. To them, it's more like some random person standing on the sidewalk telling them, "You should walk on the other side of the street; there's a dead skunk halfway up the block and you really don't want to get near it." Eventually people will learn... but it may take a few generations.
Re: (Score:3, Informative)
Re: (Score:3, Insightful)
It's not a scheme, it's marketing.
Even easier than that. (Score:3, Insightful)
The "scan" window pops up and tells them that they've been infected BUT IT IS OKAY because all they have to do is click here and the nice software from the friendly company will remove the nasty viruses for them.
Yay!!!
This is just a side effect of the "real" anti-virus/security businesses having no interest in reducing/mitigating the "virus" threat. It makes too much money for them.
Re: (Score:2)
This is just a side effect of the "real" anti-virus/security businesses having no interest in reducing/mitigating the "virus" threat. It makes too much money for them.
Said with all the arrogance and presumption of someone who knows exactly nothing of what they speak. Speaking as someone who spent over a decade as an anti-virus researcher and anti-virus engine developer, the truth is that it is infeasible for AV companies to keep up with the flood of (generated) malware that engulfs modern PCs... and, believe me, it's not for lack of trying. Have you ever seen how aggressively they complete over the VB100%* award?
* That award, like most AV testing is a sham (testing ag
Ummm, okay. (Score:2)
Why spend 10 years trying to identify all the "bad" code when it should be far easier to identify the apps that you want to allow to run on your machine?
http://www.mcafee.com/us/about/corporate/mcafee_Solidcore.html [mcafee.com]
Re: (Score:2)
There are a number of well known AV software providers out there that have been around since the dawn of time (relatively speaking). F-Prot, Command, etc are all very good products and cost a few sandwiches a year.
For the same reason that "the Internet" is IE (or at least the IE icon) to some people.
Re: (Score:2, Funny)
for our customers their browser is google. the internet is windows and their email doesn't work despite them typing their email address into google.
Re: (Score:3, Funny)
Somehow, I don't think the phrase "the [internet] is the computer" was supposed to work out that way.
Re: (Score:2, Informative)
Re:Why use an unknown AV program? (Score:4, Funny)
I was once infected at my work computer, which runs Windows XP SP3, while visiting the website of a private porn torrent tracker, with lots of ads. I did not click any links or solicited the installation of the program, but somehow some sort of "Antispyware 2010" appeared there. It must have been a browser exploit or something like that. It wasn't too difficult to get rid of, I just needed Malwarebytes antimalware (the free version). Anyway, now I turn off Flash and JS before browsing porn at work.
Let me guess... You work at the SEC?
Re: (Score:3, Informative)
Or Microsoft (Score:2)
They have a free scanner now. It's not the best AV, but it's good and no cost. I also recommend it because it is something users will trust. I mean after all, you pretty much have to trust your OS company, they could own your computer through any number of ways, they wouldn't need to use an AV program.
Isn't this kind of expected? (Score:2)
Step 1: Create a better scareware vector with a higher infection rate.
Step 2: ?????
Step 3: Profit!!!!
Seriously. There are incredibly lucrative incentives inherent in this kind of scam. No surprise they're spreading and getting smarter.
There is a special place in hell for these people (Score:2)
Re: (Score:3, Funny)
Re: (Score:2)
Re:There is a special place in hell for these peop (Score:4, Funny)
Re:There is a special place in hell for these peop (Score:2, Funny)
We've had a couple of these (Score:5, Funny)
We've had a couple of these at work - not fake AVs, but some weird thing that seems to change the Active Desktop so that it looks like there's an antivirus window.
The funny thing is that they look a lot more like an anti-virus program than our actual antivirus. They have this really slick fake "scanning" window that looks like something Apple would come up with if they had to design an AV scanner, while our real AV software looks like a piece of junk some poor Russian hacker cobbled together. It's sad really; the fake AVs have Symantec beat in everything from total resource usage to looks.
Re: (Score:2)
Re: (Score:2)
the fake AVs have Symantec beat in everything from total resource usage
I never thought I would defend Symantec after they got out of their compiler business and started pushing garbage, but it should be pointed out that the fake AVs aren't actually doing anything, and it is thus easy to win in total resource usage.
Re: (Score:2)
And Symantec isn't doing anything practical either, or else this fake AV window wouldn't be showing up on my end user computers :)
Fake dope dealers (Score:5, Funny)
Re: (Score:2, Funny)
Duuuude! Your oregano is the best!
Re: (Score:2)
Except when fake dope dealers sell oregano to the wrong person they end up getting shot in the face. Fake AV companies just end up pissing off nerds on /. who get stuck fixing their mom's computer.
They aren't all bad... (Score:2, Funny)
Re: (Score:3, Funny)
FLAGRANT SYSTEM ERROR
Computer over.
Virus = Very Yes.
McAfee (Score:4, Informative)
Impending doom... right on schedule (Score:2)
We keep ignoring the lessons the past by using discretionary access controls instead of capability based security at our own peril. The users have no way of telling what the side effects of a program are going to be, nor do we have any way of limiting them. This is a spiral downward that will eventually force everyone to learn about capabilities and cabsec.
Re: (Score:2)
As a company gets bigger, it becomes harder and harder to ensure that people are educated and don't run crapware. The only real alternative is to lock things down and pull admin rights for most users. This way, should something stupid happen, it would require another security vulnerability to escalate to root/administrator, rather than just handing the keys to the city to any malware that infects a user. Plus, it is easier for A/V software to clean up an infected user profile than a rootkitted machine.
In
Oblig... (Score:4, Funny)
EXCUSE ME SIR! (Score:5, Funny)
Why is it that virtually nobody would fall for that in meatspace, but innumerable people fall for it online? It's just like the 419 scams. What is it about THE INTARWEBS that makes people exponentially more gullible than they would be to a random person on the street?
Re:EXCUSE ME SIR! (Score:5, Insightful)
Pardon me sir, but this herb root extract can lower your blood pressure. Meaning that you can live a long and healthy life. It's not FDA approved but it's certified by these doctors.
It works just as well in meat space too.
Re: (Score:2)
it's certified by these doctors.
grep/doctors/celebrities/
Doctors and celebrities (Score:3, Insightful)
Re: (Score:2)
I've noticed something similar about words in print. If someone reads something in a book, it is taken as fact.. why else would it be in a book? When i was younger, Michael Chrichton books did that to me. Now i see it happening to other people.
Maybe as humans we are too trusting of our tools?
Re: (Score:2)
I Hope for Change! (umm, what kind of change was that again, exactly?)
This is the greatest nation on earth. Help me change it!
Re: (Score:2)
Re: (Score:2)
and after my rounds this past week..... (Score:3, Insightful)
I have informed everyone I do family and friends tech support for... they must either switch to linux or a Mac with OSX. the new internet security 2010 is an evil bastard that even kills the safe mode so you have to use a Bart PE to run combifix first and then reinstall AV and run a clean.
Screw it, I'm done. Mac mini's are as cheap as a dirt cheap dell PC. and I'll install linux for them. I am done with windows support.
Re: (Score:3, Insightful)
I have informed everyone I do family and friends tech support for... they must either switch to linux or a Mac with OSX.
Then how do they play PC games afterward?
Mac mini's are as cheap as a dirt cheap dell PC.
I just went to apple.com and dell.com; what I found disagrees with you. Mac mini: $599. Dell Inspiron 560s with Pentium dual core and 4 GB RAM: $429.
and I'll install linux for them.
Does this include installing and configuring Wine for "that one must-have app"?
Re: (Score:3, Insightful)
Re: (Score:3, Interesting)
Re: (Score:3, Insightful)
The mini is cuter, certainly, and if you have to have OSX you have to have OSX; but the pricing is hardly equivalent for anybody willing to run linux or shove their comput
Re: (Score:3, Informative)
You could simply switch them to a LUA, and solve all your problems right there.
We got hit - XP Security (Score:5, Informative)
My wife's machine got hit last week.
No idea where it came from.
Been running for years with no problem.
(NetGear router seems to keep the baddies out.)
All of a sudden there's a dozen dialogs flashing dire warnings about viruses and trojans and keyloggers and malware and insisting that we "register" our copy of XP security.
Pulled the network cable and started googling (from a linux box). .exe registry keys so that it gets control each time any program is run, and takes the opportunity to spawn a new copy of itself, with new dialog boxes and systray icons.
The thing is pretty nasty.
It scatters pieces of itself around the file system with random names.
Then it hooks the
After you delete the program files, nothing runs at all, because the .exe keys are still trying to redirect through the files you just deleted. .exe (and related) keys by hand.
(Hint: right click -> run as).
Then I fixed all the
There's quite a lot of them, because it is really important for each user on a windows box to have their own semantics for running a program.
(Removal instructions on the web don't generally find them all.)
Finally (should have done this long ago) created an admin account and knocked all the user accounts down to user privilege level.
getting worse (Score:2)
my mom's pc got one of these over the holidays while a teen cousin was surfing flash game sites. the pop-ups would not go away. at boot up pages wouldn't load because the warning box insisted on a click before progressing further. anti-malware had no effect, neither system restore nor anything else i could think of was successful.
even the computer shop was at a loss. after ten days the os required re-installation with a resultant loss of all data.
don't make the mistake of thinking this is merely an issue
Re: (Score:2)
Same story here on my grandparents' PC. They got the HaxDoor virus (nasty little devil), and it made the computer randomly issue stop errors, until one day it wouldn't boot at all (more stop errors). A quick boot into Knoppix to save their pics to a portable HD, and a reinstall of XP later, and they were good to go. (In the future, remember that very few current viruses wipe or corrupt a hard drive, and it's damn near impossible to infect media files (there've been a few viruses that can do that, but all th
Re: (Score:2)
> after ten days the os required re-installation with a resultant loss of all data.
I really do't get people's attitudes these days.
It's windows, an OS re-instrallation is always the first choice.
For one it cleans up the system with the installed and never removed or not correctly removed programs.
And why would there be data loss, programs can be re-installed and your stuff can be saved unless it has been messed with, in which case it was lost anyway.
Try the sane method of windows pc restorration.
I now tell people not to use anti-virus (Score:2)
Re: (Score:2)
Not clicking on dancing bunnies
But we can still click on the dancing puppies, right?
PDF? Um, hello (Score:2)
How are they getting PAID??? (Score:2)
They must want money at some point right? How are they expecting to get paid and why can't the cops at
least freeze their visa account?
The same with the online pharmacies.
is it so hard to look for "av.exe"? (Score:2)
99%+ of scareware is from the same exact kit, and installs the same core exe program, (AV.EXE) in one of three fixed locations. (as super-hidden) This article itself is scareware. The av companies can detect every one of these every time they pop up, there's no "trying to keep up" with this. That's what happens when malware goes commercial as this has. Anyone happen to know offhand who's the source of this malware kit? (url?) I'd be curious to know how much such a kit sells for. Must be cheap if there
Re: (Score:2)
Re:This is why i love noscript and requestpolicy (Score:5, Informative)
Re: (Score:2)
Re:This is why i love noscript and requestpolicy (Score:5, Insightful)
Generally, no. Generally, the reason is that the advertisers and their site owners rarely truly care. Have you seen the utter shit, spam, fakes, frauds that masquerade as Facebook ads, however often you click "X" and report it as "misleading / deceptive". Seriously, go to apple.com/store. Look for the neon green MacBook Air. You know, the one you can "test/review then keep for free"...
It's lip service. They. Just. Don't. Care. The advertisers are paying the bills, not you.
Re: (Score:2)
Pirated movies? Facebook? How about the New York Times [slashdot.org]?
In this case the software was distributed through one of the on-line advertising systems that feeds ads to the Times. The fact that serious, reputable publications like the New York Times don't automatically scan all third-party content like these advertisements and block those that contain scriping is just unconscionable to me. Ads with text, graphics, hell even animated GIFs, are okay in my book; scripts, no thank you.
Re: (Score:2)
Re:Fake AV installs on piratebay! (Score:4, Informative)
They simply exploit a vulnerability in your browser or plugins. I've encountered one that tries to install something using Java, presumably just requiring a user to click OK to infect them. That's something that seems like it could be done accidentally. I wouldn't be surprised if it were trying to exploit some vulnerability that would auto-install the malware on older versions of Java. They probably use exploits in Flash as well. The plugins have the advantage of not being run in the IE sandbox that's used by default on Vista/7.
Re:Fake AV installs on piratebay! (Score:5, Interesting)
I went to change window focus by clicking on what I had thought was some white space in an article that I was reading, but realized it would normally be an ad spot. Another browser window opened (with the annoying OnClose warning) and I closed it. I noticed that Java loaded, and then a few minutes later Security Center lets me know my AV is turned off and all hell starts breaking loose.
Process Explorer and a few hours later I was back to normal (protip: malware "watcher" processes usually aren't smart enough to realize when they've been suspended. Comes in handy.)
The app must have exploited some Java vulnerability, but at this point I'm not really sure what one. It used the AT command to get what it wanted in terms of privileges and so on, and went to town on my local security policy.
In the end, I was a little pissed at myself, as I try to keep software updated to avoid vulnerabilities like that, but alas I finally got hit by one. Made me feel a little more capable of believing the [usually bullshit] story of "I was just using it when all of a sudden these things started popping up!"
Fun fact: I was browsing with Chrome.
Re: (Score:3, Funny)
Are you sure it's a fake? Maybe you really don't have a working system32.dll on your Linux system. You need to replace it ASAP!
Re: (Score:3, Insightful)
Concerning #3, most of these exploits use Javascript to open a phony "scanning" window. I got one of these while reading the New York Times on my Linux machine using Firefox.
Re: (Score:2)
In each case, the advertisement offered to do a free scan on my hard drive. Despite trying to say no or close the tab, it started to pretend to scan my drive C with a progress bar showing the progress. About a minute later, it had finished and announced that it had found several viruses and als
Obligatory (Score:2)
Re: (Score:2)
I've found that the majority of fake AV programs I've run across are fairly easy to remove -- boot the system in safe mode and login as a different user and you can generally run something like Sysinternals Autoruns and delete all the startup hooks and the programs they point to. Afterwards I've found that a scan by Malwarebytes and a quick check of the infected user's personal "Startup" folder in their profile is enough to ensure the stuff is deleted.
A couple will bluescreen the machine if it is booted in
Re: (Score:3, Interesting)
A useful trick when task manager will not work, copy the task manager .exe from a nother machine and rename it any other name.
It will then run and allow you in to start cleaning up the crap.
Re: (Score:2)
Give this place a shot man: http://www.onguardonline.gov/ [onguardonline.gov]
We use http://iase.disa.mil/eta/index.html#onlinetraining [disa.mil] and have to maintain the certs yearly.
Re: (Score:2)
I still think there should be a course given for an Internet License. This way if you don't base(pass?), you're not allowed to go on the internet. Well, at least in large corporations/government facilities.
What really scares me is that this might really reflect the "upper crust" of today's government employee.
Re: (Score:2)
Architecturally, whitelisting is a great solution. In closed environments with fairly static requirements(eg. corporate) you can do it Right Now, if you want. And, while it won't save you from truly subtle attacks on the kernel or services, it blocks a fair percentage of common stuff good and hard.
The trouble begins when you try to implement it in the real world. Being the "they" who gets to bless all good programs is both a gigantic pain in the ass(requiring a massive staff of
Do I have to solve everything for you? (Score:3, Funny)
I use Linux - the family never listens to me.
Well, then stop using Linux!