Windows 7: Rogue antivirus

Why is it that no anti virus program seems able to thwart the Rouge Antivirus viruses? lots of folks get tricked by these, and the major anti virus companies have done little to stop it. Anybody have any idea why it is so tough to prevent infection from these sorts of viruses?

Rogue Anti-Virus/Hijackware use a cross-site injection method that is normally not easily handled at time, mostly it is an execution of Javascript or exploiting an vulnerability in scripts that websites have. Short of preventing installation of anything, it will still have a problem with the human factor which will override it and then still install it.

You can't make an AV be smart enough to say "Screw you, human... This is a virus and I am protecting you from yourself."

Probably because as soon as most major AV's start detecting one released version of a rogue the the authors of these rogues release a new version making sure it bypasses detections by the good guys and so it goes on and on.

Below are some installers/downloaders for the one rogue "Security Tool".

Actually, this is true with ANY AV... The thing is, it takes a day or two to readily identify the malware or virus without getting a false positive and inadvertently taking out something else out. False Positives still happen, but the fact is, also hackers and writers of these things will also look at HOW AV and other programs try and detect them. Any good hacker would do that.

The other thing is, people will also still be the source of security violations, because a fair deal of people don't know any better to not fall for the traps.

the retail version of malwarebytes, with RT scanning enabled, will stop rogue av sites from loading

since most of those rogues prevent "recue programs" like taskmanager etc. from starting my approach usually would be a boot into safe mode and a cleaning session with HijackThis. But I'll give malwarebytes a try next time (my nephew catches Rogues on a regular base

thanks madtownidiot

-DG

Nowadays, some of the malware finds new ways to get itself executed. HijackThis mostly covers Registry to a degree. The problem with the newer Malwares is there is a few registry components, and according to some posters, the newer ones will also do rootkits.

One of the ones I had fun fighting with was one that started inserting into HKRC, which is not normally looked at by HijackThis due to the nature of the Root Keys do change often from installation of programs that use various extensions. Trend Micro has not updated HijackThis with a Root Key registry hack. Namely, ine one malware, any .exe executed would first try and run another hidden file, which checks to see if its other executable is still on the system. If it isn't, it recreates it or the registry entry that is suppose to execute to keep it on the machine. Short of going into safe mode and removing BOTH programs from your system, the chances of removing it is very slim.

Again, HijackThis does not scan through HKRC, and the more annoying Hijacking Malware take advantage of that. Only signature based Anti-Malware programs seem to know of the possible routes these will take.

Ok I must confess that I didn't know Rogues would be so sophisticated already.
So what would you recommend, Keiichi25? Would the rootkit revealer be able to sort them out?
What did you use to identify the culprits?
I guess I was just lucky not to come across one of those nasties yet.
Thanks for your info

-DG

Never heard of Rootkit Revealer myself. The only thing I can really suggest is to be paranoid. Self-educate and most importantly, look at making sure you have a secondary account on your system.

One of the other malwares I found really annoying is that if one user is infected with the malware, unless you log in under safe mode with another account that has NOT logged in normally, you have a better chance of cleaning it out. One malware takes advantage of the User switching ability to propagate itself to other user profiles, thus rendering them infected as well.

As for not coming across one of the malware, again, depends on what kind of procedures you take when browsing the web and where you browse. Most of the times I have seen it hit, it has generally been due to people browsing weak sites (Low security) or ones with really crappy advertising banners (Cause those services are also low security weak). However, I did encounter one user who was hit through Fox Sports, which I am sure it was through the ad sites posted on it.

Because in reality most rogue antiviruses do not act in a malicious way.
They don't destroy anything, they don't try to read your keystrokes, they don't try to download anything.

They just sit there and try to make user to pay for this useless software.

So, as you can see it is really hard to detect them as they don't act too aggressively.

Most real AV company have to walk on thin line, if they make their own engine aggressive in order to detect Rogue security software, they run a risk of detecting normal legitimate software (which happens to be trial, so asks money for upgrade).

That's why increase aggressiveness level in order to detect rogue AV can trigger high amounts of False Positive detection, which in some situation can be fatal to the system.

This is one of the main reasons why they are hard to detect.