Rogue antivirus: a growing problem.

[JMH]

During the past two years we've written many times about programs which pretend to be something that they are not. The most notorious are rogue antivirus solutions – programs which display messages saying the victim machine is infected, even though it is not. These programs neither scan nor clean computers, and they are actually designed to persuade users that their computers are at risk and scare them into buying the "antivirus" product. Such programs are often referred to as "scareware": Kaspersky Lab classifies them as FraudTool, a subset of the RiskWare class.

FraudTool.Win32.SpywareProtect2009: the main window​

Such programs are extremely widespread and are increasingly used by cybercriminals. Whereas Kaspersky Lab detected about 3,000 rogue antivirus programs in the first half of 2008, more than 20,000 samples were identified in the first half of 2009.

More -
Viruslist.com - Rogue antivirus: a growing problem

 

[fillup]

I ran into 3 of those last night while searching google. The very first link I clicked on popped up a fake antivirus scan and then tried to download a file to my computer. The problem is getting very bad!

 

[Qdos]

Never install anything which isn't well known to you, simple.

If it's unfamiliar, and you're uncertain - Google it...

 

[Jacee]

This stuff installs it'self .... you get it (if you're not properly secured) whether you want it or not!

 

[Carbonyl]

This stuff installs it'self .... you get it (if you're not properly secured) whether you want it or not!

How does it execute without user consent?

 

[Jacee]

"They are spread using the same methods use to distribute other malware: for instance, a Trojan-Downloader can secretly download such programs, or vulnerabilities in compromised/ infected sites can be exploited to perform a drive-by download." Viruslist.com - Rogue antivirus: a growing problem

 

[Carbonyl]

"They are spread using the same methods use to distribute other malware: for instance, a Trojan-Downloader can secretly download such programs, or vulnerabilities in compromised/ infected sites can be exploited to perform a drive-by download." Viruslist.com - Rogue antivirus: a growing problem

Wow. That's scary, to be sure! Do drive-by downloads execute the downloaded programs automatically?

So, for instance, does this mean that if you view a trusted website that is unwittingly hosted malvertizement (i.e. compromised banner-ad on New York Times website a few weeks ago) you're done for? Is it impossible to prevent this kind of attack now, even from sites you trust?

 

[Jacee]

You want prevention before the fact .... You need a good Hosts file and and a program that prevents automatic Active X from downloading.
I use SpywareBlaster and SpywareGuard. Download and tutorials:
SpywareBlaster and SpywareGuard:
http://www.javacoolsoftware.com/products.html
Spyware Guard is a real-time malware scanner
SpywareBlaster tutorial:
http://www.bleepingcomputer.com/forums/Using_SpywareBlaster_to_protect_your_computer_from_Spyware_Hijackers_and_Malware-tut49.html
SpywareGuard tutorial:
http://www.bleepingcomputer.com/forums/Using_SpywareGuard_to_protect_your_computer_from_Spyware_and_Hijackers-tut50.html

You also need an active firewall program along with an updated antivirus and anti-spyware program.

 

[Qdos]

Installs itself my@r$e... the sort of product being talked about is something like, say, 'Anti-virus 2009' which fools unsuspecting users into clicking on it and installing the file they download... these type of things are most definitely not 'driveby' malware...

 

[Jacee]

Malicious code is inserted .... even if you click on the 'X' to close the pop-up window, a file has been dropped on the computer.
anti-virus rants: what is a drive-by download?

Virus Bulletin : Glossary - Drive-by download

One person mentioned to me that when a Rogue antivirus pop-up appeared on his machine, instead of closing it...he opened Task Manager and ended the process from there. We inspected his machine with a number of special malware tools and found that nothing malicious was installed. He was lucky!

 

[Creer]

Installs itself my@r$e... the sort of product being talked about is something like, say, 'Anti-virus 2009' which fools unsuspecting users into clicking on it and installing the file they download... these type of things are most definitely not 'driveby' malware...

Antivirus 2009 and MS AntiSpyware 2009 (msas2009.exe) - they work very similar.
Few months ago I uploaded on YT video with MSAS2009 infection on my VM, it is available here: http://www.youtube.com/watch?v=LRcxMhiHXGQ
As you can see it's step by step (DefenseWall HIPS, Online Armor HIPS and Firewall communicates) , how this rogue application infected systems, also please take it into account that this app do fake scan and shows fake "malware threats found" list - also you can clean/remove them but you have to paid and buy MSAS2009... lol. In fact this is very clever from malware writers side, and many people can be cheated by this type of fake security application.

 

[belikexp]

I ran into 3 of those last night while searching google. The very first link I clicked on popped up a fake antivirus scan and then tried to download a file to my computer. The problem is getting very bad!

I've come across many of these from legal sites. I emailed the sites with the link and told them to fix the links. Very nasty.

 

[Jacee]

http://www.youtube.com/watch?v=LRcxMhiHXGQ[/URL]
As you can see it's step by step (DefenseWall HIPS, Online Armor HIPS and Firewall communicates) , how this rogue application infected systems, also please take it into account that this app do fake scan and shows fake "malware threats found" list - also you can clean/remove them but you have to paid and buy MSAS2009... lol. In fact this is very clever from malware writers side, and many people can be cheated by this type of fake security application.

This is a video by Creer ... the video has information and is not infected