Windows 7 Forums


Windows 7: Fake AV Infections - A rapidly growing threat


01 Jun 2011   #1

Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1 Pro
 
 
Fake AV Infections - A rapidly growing threat

Excerpts and links to articles on this subject:

Quote:
Data released today by Microsoft showed that Windows 7's malware infection rate climbed by more than 30% during the second half of 2010, even as the infection rate of the 10-year-old Windows XP fell by more than 20%.

"Infection rates have jumped [for Windows 7]," admitted Jeff Williams, the principal group program manager with the Microsoft Malware Protection Center (MMPC). "We attribute that to the increased presence of malicious software attacks out there."
Quote:
According to Sophos, FakeAV is a rapidly growing threat on the Internet, mainly because it's profitable to the people who wrote and distributed it. Evidently, a lot of people are being tricked into sending money to these criminals to get back control of their computers. This is clearly a very advanced program. It looks exactly like the real Windows Security Center. It appears to be professionally programmed, with none of the crashes or bugs prevalent among more pedestrian malware.

Sophos says there are so many variants being released constantly that it can be difficult to detect using traditional signature-based antivirus, which is what I have. Even with the latest updates, the newest variants can get through. Some variants are also employing polymorphic code, which changes itself so frequently that the MD5 hashes used by antivirus programs cannot be effective. Well, that explains how I got it despite having a good, up-to-date antivirus product.

Earlier versions of FakeAV required the user to say "Yes" to something, such as a fake video codec installation to play a video or a fake Flash player update. Some even use the old-fashioned, tried-and-true technique of attaching the installer to a spam email notifying users of a password reset, package delivery or IRS refund, which I see a lot of at the office. But none of these is how I got infected.

I was searching on Google. Search terms are being "poisoned" on Google. When an unsuspecting victim clicks on what seems to be a legitimate page, he is brought instead to a compromised website where the malware is lurking in an image or JavaScript code. When I'm searching on Google, I use CTRL-click to open interesting results in a new tab in Internet Explorer Version 8 (fully patched). Last week, when I did this, one of the pages I opened must have contained the JavaScript or image version. It opened in a new tab, where I left it for later viewing, and it infected my system. Pop-ups appeared, all my browser sessions closed, and my antivirus programs were disabled. This is what's known as a "drive-by download."
Quote:
"This distribution component reads the client's [browser] user agent in order to discern the operating system, and then serves up a malicious application designed for that operating system," said Hamish O'Dea and Tareq Saade on the MMPC blog.

The site delivers scareware dubbed "Win32/Winwebsec," while Macs get "MacOS_X/FakeMacdef," O'Dea and Saade said, using Microsoft's labels for the OS-specific versions of the fake security software.
Quote:
As it turns out, this malware went really deep. Not only did it infect Windows, but it also inserted itself into Safe Mode. Usually, we can boot into Safe Mode to run a virus scan, but not this time. In fact, I discovered that the malware actually got into my system BIOS. That's right, it went so deep it actually got into my hardware. Even a BIOS upgrade didn't get rid of it.
Quote:
Nobody is safe anymore from malware, now that it's being professionally and competently developed. Make sure your backups are current, and spread the word to unsuspecting users that any unexpected "Security Scans" require immediate response.
Sources:

Not Even Security Managers Immune to FakeAV Infection | PCWorld

Microsoft Links Fake Mac AV to Windows Scareware Gang | PCWorld

http://www.computerworld.com/s/artic...mbs_XP_s_falls



01 Jun 2011   #2

Windows 7 x64 Ultimate
 
 

This is why I run IE with its "Internet zone" cranked up to maximum security. So that any random web site I get accidentally redirected to or misclick or anything else has no chance in hell of executing scripts, popups, running flash or anything else.

Then I get a chance to see my mistake and correct it without the browser taking off on anything bad.

If the site IS the one I wanted, verified by looking at the URL (DON'T HIDE THE URL BAR THANKS MS, FF AND GOOGLE!!!) then I add that site to the "Trusted" list and can enable scripting for the site to work properly.

Very easy, only a small PITA, zero infections of any kind using IE since IE4 and it is the hardest hit browser of all.
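Added audit script (not from the post above or from the forum) that reports the settings this post relies on: the Internet zone security level, whether Active scripting and ActiveX are disabled there, and which domains have been placed in the Trusted sites zone. It assumes Windows 7 with PowerShell 2.0 or later, run as the user whose Internet Explorer settings are being checked, and reads the standard Internet Settings registry keys.

```powershell
# Added audit script (not from the forum post). Assumed: Windows 7, PowerShell 2.0+,
# run as the user whose IE settings are being checked.
$isRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$internet = Get-ItemProperty -Path "$isRoot\Zones\3"   # zone 3 = Internet

# CurrentLevel encodes the slider position of the zone; 0x12000 is "High".
$levelNames = @{ 0x10000 = 'Low'; 0x10500 = 'Medium-low'; 0x11000 = 'Medium';
                 0x11500 = 'Medium-high'; 0x12000 = 'High' }
$level = $levelNames[[int]$internet.CurrentLevel]
if (-not $level) { $level = 'Custom (0x{0:X})' -f $internet.CurrentLevel }
Write-Output "Internet zone level: $level"

# Per-action values: 0 = Enable, 1 = Prompt, 3 = Disable.
$actions = @{ '1200' = 'Run ActiveX controls and plug-ins'; '1400' = 'Active scripting' }
$actionNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
foreach ($id in $actions.Keys) {
    $value = $internet.$id
    if ($value -eq $null) {
        $state = 'not set for this user (machine default applies)'
    } else {
        $state = $actionNames[[int]$value]
        if (-not $state) { $state = "unknown ($value)" }
    }
    $flag = if ($value -eq 3) { 'OK' } else { 'WARN' }
    Write-Output ('[{0}] {1}: {2}' -f $flag, $actions[$id], $state)
}

# Trusted sites live under ZoneMap\Domains\<domain>[\<subdomain>], with one value
# per URL scheme (http, https or *) whose data is the zone number; 2 = Trusted.
$domainRoot = "$isRoot\ZoneMap\Domains"
Write-Output 'Trusted sites:'
Get-ChildItem -Path $domainRoot -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $key = $_
    # Key path "example.com\www" means host www.example.com, so reverse the labels.
    $labels = $key.Name.Substring($key.Name.IndexOf('\Domains\') + 9) -split '\\'
    [array]::Reverse($labels)
    foreach ($scheme in $key.GetValueNames()) {
        if ($key.GetValue($scheme) -eq 2) {
            Write-Output ('  {0}://{1}' -f $scheme, ($labels -join '.'))
        }
    }
}
```

Anything flagged WARN means the Internet zone still allows that content, which is the setting the post turns off; the Trusted sites list is the set of hosts for which that restriction no longer applies.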
01 Jun 2011   #3
Microsoft MVP

 

Be sure to update to IE9 which has better security.

At first contact with any Security popup you don't know for sure to be legit, restart your computer from the power button, or Ctrl-Alt-Delete. Don't click anything.

Program your Power Button to perform Shutdown in Power Options.


01 Jun 2011   #4

 

best internet security package is located between the chair and the keyboard