Introduction to Rogue Anti-Virus

[JMH]

Millions of users have been duped into installing malicious software, also known as malware onto their systems allowing cybercriminals to steal money and other personal details. Here’s how the attack works:

Step One: Get the user to the malicious website

First, the group or groups behind these attacks first post large numbers of links to some new domain by spamming community forums, blog comments, and by putting the links inside hidden elements on compromised websites in a technique known as Blackhat SEO (Search Engine Optimization). In this way, they are able to get the target website high up in search results for common or recently trending search terms. Right now, for example, search results on Wimbledon and the World Cup are actively being poisoned in this manner.

The above technique is usually seen in conjunction with one or more of the following:

• Redirects from compromised websites that are otherwise legitimate
• Spam emails that are often sent via other compromised computers
• Malvertisements where attackers pay for an ad in a legitimate ad network, but use the ad to send people to the malicious website. In the past year, reputable sites like the New York Times, White Pages, Tech Crunch and others have been caught hosting such malvertizements.

Step Two: The con game

Once on the website, social engineering tricks are invoked to convince a user to fall for this modern Internet con. Computer users are conditioned with constant reminders to keep their computer free from virus and malware by running anti-virus software and keeping their virus definitions up to date. These websites use this conditioning against the user, using visual elements to establish authority and trust and then causing a sense of danger and urgency when notifying the user that their computer is infected with viruses and that their data personal computer is under someone else’s control.

Rogue anti-virus malware comes in many different forms and will take different approaches to fool a user, but at the most basic level, rogue anti-virus scams convince the user that they have a problem and that they need to download some software to fix the problem.

The screenshots below are just a few examples of fake scanners. These specially crafted pages are made with great detail to look exactly like Windows XP, Vista, or Windows 7 system alerts.

​

​

​

Fake scans like these are very believable for uneducated users and lead to a very high success rate for cybercriminals.

Source -
Threat Center Live Blog: Introduction to Rogue Anti-Virus

 

[gladson1976]

The images look really scary

 

[madtownidiot]

They're not exactly easy to remove either because the first thing they do is stop the user from starting any programs, including task manager.

 

[DeaconFrost]

If I have access to the system, the easiest way to remove these is to boot and run the Recovery Disc from Avira. Then follow it up with a Malwarebytes Anti-malware scan. Another option, is to remove the drive, and connect it externally to another system running MSE. Both remove the virus quickly and easily.

 

[madtownidiot]

Unfortunately the average home user doesn't even know which way to turn a screwdriver, let alone remove a HDD from a laptop, connect it to another computer and run a virus scan. It's a bit of a challenge without the proper skill set.

 

[stormy13]

Unfortunately this sort of thing has been around for years,

Spyware Warrior: Rogue/Suspect Anti-Spyware Products & Web Sites

and equally unfortunate is that they won't be going away any time soon.

 

[Tepid]

They're not exactly easy to remove either because the first thing they do is stop the user from starting any programs, including task manager.

This will fix that.

Re-Enable Task Manager and Open It due to malware infection

 

[alphanumeric]

what are the odds?

Lol while I was reading this thread a Microsoft Security Essentials pop up appeared telling me their was a new version and I should upgrade now. Knowing it was just a coincidence I did it. It still creep-ed me out a little bit because while it updated I got a "Microsoft Security essentials is turned off, you should turn it on" message followed by a "Find an anti-virus program" security prompt. A couple of seconds latter the green tent with the check mark was back though. What are the odds that it should pick this very moment to do that? :shock:

 

[gladson1976]

Lol while I was reading this thread a Microsoft Security Essentials pop up appeared telling me their was a new version and I should upgrade now. Knowing it was just a coincidence I did it. It still creep-ed me out a little bit because while it updated I got a "Microsoft Security essentials is turned off, you should turn it on" message followed by a "Find an anti-virus program" security prompt. A couple of seconds latter the green tent with the check mark was back though. What are the odds that it should pick this very moment to do that? :shock:

I too got the same thing today morning :huh:

 

[DeaconFrost]

Unfortunately the average home user doesn't even know which way to turn a screwdriver

True, but these forum boards aren't typically for the average user, and are littered with people who provide support, whether it be professionally, on the side, or both.

It still creep-ed me out a little bit because while it updated I got a "Microsoft Security essentials is turned off, you should turn it on" message

That's normal, because the program itself was being updated, not just the definitions. As with most software, the old version had to be yanked out before the new version could be applied.

 

[merkat106]

Oh, those screenshots take me back to when I first encountered this type of threat. They were the most fun to clean off of client computers. A poor client said he suckered into this scam and entered his credit card to buy it. No clue if he ever got his money back or if he was a victim of id theft.

I think I even got one of those on one of my computers years ago. I think I had opened a website that was hacked.

Back then, I manually cleaned the malware off. Now, I use Malwarebytes.

 

[baarod]

Boot safe mode with network in 7, download malwarebytes and do a full scan. That will clean up the easy stuff. Then go to live.sysinternals.com and get
http://live.sysinternals.com/autoruns.exe and
http://live.sysinternals.com/procexp.exe
Examine each user in autoruns and delete suspicious entries. Then examine all processes in procexp. Use Verify Image Signatures for more info.

 

[MacGyvr]

RKill and ComboFix are all you need to remove these little buggers. Google for ComboFix and you'll find both. I clean 4-5 machines per week.

 

[Tepid]

Well,, be careful using ComboFix, there is a warning to using it, take head of it and back up your system prior to using it. It can and has blown up systems in the past.

But, when it works, it is great, and I am not saying don't try it, just be ready for the worst.

 

[CarlTR6]

Jan, somehow I missed this thread. Thanks for posting it. It is good information.

 

[Petey7]

Ah, rouge antivirus's. I had to give a speech on these at school last semester (speech classes are mandatory for my degree). The teacher was 50, hated computers, and most speeches about technology. I managed to get an A on that speech....

But enough about that. I take care of these for people all the time and when its not a dirt poor college student I'm doing it for, I charge about $30 bucks to do it. Great way to make some extra cash. I don't care for MalwareBytes and a lot of these rouge anti-viruses come with programming to prevent the instillation or running of it anyways. Since there are so many that know how to make it run even if this programming exist, I can usually find a list of files and registry entries online and remove everything manually via safe mode. I then install MSE or AVG and let that remove any part of it I missed. I only know one person that actually paid for the program and it definitely installed something like it said it would. Too bad the stuff it installed was a bunch of adware. Made it harder to get the job done but made me feel justified in charging $50.

 

[CarlTR6]

Congratulations on the A. I would like to have heard the speech.

 

[profdlp]

Not exactly a rogue "Anti-Virus", but definitely a rogue:

ZeuS Trojan Learns How to Spoof Credit Card Security Popups | Maximum PC

 

[Petey7]

Thats definately something to watch out for profdlp. Thanks for the info.

 

[Jacee]

So many of these "Rogue" (anti) Viruses include a Rootkit Rootkit - Wikipedia, the free encyclopedia
I won't even try to clean up a rootkit because the OS will remain unstable. This really requires a 'wipe' and "clean installation" of the Windows operating service.