Rogue antivirus

nathal

Why is it that no antivirus program seems able to thwart the Rogue Antivirus viruses? Lots of folks get tricked by these, and the major antivirus companies have done little to stop it. Anybody have any idea why it is so tough to prevent infection from these sorts of viruses?
 

My Computer

Computer type
PC/Desktop
OS
Microsoft Windows 10 Home 64-bit 10240 Multiprocessor Free
CPU
AMD Athlon(tm) II X4 635 Processor
Motherboard
FOXCONN 2A92
Memory
8.00 GB
Graphics Card(s)
AMD Radeon HD 7700 Series
Sound Card
(1) AMD High Definition Audio Device (2) Realtek High Defi
Screen Resolution
1920 x 1080 x 32 bits (4294967296 colors) @ 60 Hz
Hard Drives
Seagate ST3500418AS SCSI Disk Device
Rogue Anti-Virus/Hijackware use a cross-site injection method that is normally not easily handled at the time; mostly it is an execution of JavaScript or the exploitation of a vulnerability in scripts that websites have. Short of preventing installation of anything, it will still have a problem with the human factor, which will override it and then still install it.

You can't make an AV be smart enough to say "Screw you, human... This is a virus and I am protecting you from yourself."
 

Why is it that no antivirus program seems able to thwart the Rogue Antivirus viruses? Lots of folks get tricked by these, and the major antivirus companies have done little to stop it. Anybody have any idea why it is so tough to prevent infection from these sorts of viruses?
Probably because as soon as most major AVs start detecting one released version of a rogue, the authors of these rogues release a new version, making sure it bypasses detection by the good guys, and so it goes on and on.

Below are some installers/downloaders for the one rogue "Security Tool".

Rogues.JPG
 

Why is it that no antivirus program seems able to thwart the Rogue Antivirus viruses? Lots of folks get tricked by these, and the major antivirus companies have done little to stop it. Anybody have any idea why it is so tough to prevent infection from these sorts of viruses?
Probably because as soon as most major AVs start detecting one released version of a rogue, the authors of these rogues release a new version, making sure it bypasses detection by the good guys, and so it goes on and on.

Below are some installers/downloaders for the one rogue "Security Tool".


Actually, this is true with ANY AV... The thing is, it takes a day or two to readily identify the malware or virus without getting a false positive and inadvertently taking something else out. False positives still happen, but the fact is, the hackers and writers of these things will also look at HOW AV and other programs try to detect them. Any good hacker would do that.

The other thing is, people will also still be the source of security violations, because a fair number of people don't know any better than to fall for the traps.
 

Since most of those rogues prevent "rescue programs" like Task Manager etc. from starting, my approach usually would be a boot into safe mode and a cleaning session with HijackThis. But I'll give Malwarebytes a try next time (my nephew catches rogues on a regular basis :D :D)

thanks madtownidiot

-DG
 

Since most of those rogues prevent "rescue programs" like Task Manager etc. from starting, my approach usually would be a boot into safe mode and a cleaning session with HijackThis. But I'll give Malwarebytes a try next time (my nephew catches rogues on a regular basis :D :D)

thanks madtownidiot

-DG

Nowadays, some of the malware finds new ways to get itself executed. HijackThis mostly covers the Registry to a degree. The problem with the newer malware is that there are a few registry components, and according to some posters, the newer ones will also do rootkits.

One of the ones I had fun fighting with was one that started inserting into HKCR, which is not normally looked at by HijackThis, because the root keys change often as programs that use various extensions are installed. Trend Micro has not updated HijackThis with a root key registry hack. Namely, in one malware, any .exe executed would first try to run another hidden file, which checks to see if its other executable is still on the system. If it isn't, it recreates it, or the registry entry that is supposed to execute it, to keep it on the machine. Short of going into safe mode and removing BOTH programs from your system, the chances of removing it are very slim.

Again, HijackThis does not scan through HKCR, and the more annoying hijacking malware takes advantage of that. Only signature-based anti-malware programs seem to know of the possible routes these will take.
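The ".exe runs a hidden file first" behaviour described above lives in the file-association handler under HKCR. The following read-only audit is an added example written for this thread, not code from any of the posters or from HijackThis; it assumes an elevated PowerShell prompt on Windows 7 or later and that the stock values of a clean install are the ones shown in the constants.

```powershell
# Added example, not from the thread: read-only audit of the registry keys that decide
# what runs when a .exe is launched. Nothing is modified.
# Assumptions: elevated PowerShell on Windows 7 or later; $StockCommand and $StockClass
# are the values of a clean install.

$StockCommand = '"%1" %*'   # default for exefile\shell\open\command on a clean system
$StockClass   = 'exefile'   # default class name stored under the .exe extension key

# Windows builds HKCR by overlaying HKCU\Software\Classes on top of HKLM\Software\Classes,
# so a per-user override wins. A rogue running without admin rights only needs write
# access to HKCU, which is why both hives are checked rather than HKCR alone.
$Checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command'; Expected = $StockCommand; UserHive = $false },
    @{ Path = 'HKCU:\SOFTWARE\Classes\exefile\shell\open\command'; Expected = $StockCommand; UserHive = $true  },
    @{ Path = 'HKLM:\SOFTWARE\Classes\.exe';                        Expected = $StockClass;   UserHive = $false },
    @{ Path = 'HKCU:\SOFTWARE\Classes\.exe';                        Expected = $StockClass;   UserHive = $true  }
)

function Get-DefaultValue {
    param([string]$Path)
    # The unnamed "(Default)" value is read with GetValue('') on the key object.
    $key = Get-Item -LiteralPath $Path -ErrorAction Stop
    return [string]$key.GetValue('')
}

function Test-ExeHandler {
    $findings = @()
    foreach ($c in $Checks) {
        if (-not (Test-Path -LiteralPath $c.Path)) {
            # A missing per-user override is the normal state; a missing machine key is not.
            if ($c.UserHive) { $findings += "OK       $($c.Path) (no per-user override)" }
            else             { $findings += "WARN     $($c.Path) is missing" }
            continue
        }
        $actual = Get-DefaultValue -Path $c.Path
        if ($actual -eq $c.Expected) {
            $findings += "OK       $($c.Path) = $actual"
        }
        else {
            # Any program name placed in front of "%1" is a loader that runs before every .exe.
            $findings += "SUSPECT  $($c.Path) = $actual (expected $($c.Expected))"
        }
    }
    return $findings
}

Test-ExeHandler | ForEach-Object { Write-Output $_ }
```

A SUSPECT line under HKCU with the machine key still clean is the pattern the post describes: the hijack is invisible to a scanner that only walks HKLM, yet it governs every program the logged-in user starts. Run the audit from a second account that has not been used normally on the machine, as suggested further down the thread, and compare both users' results.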
 

Ok I must confess that I didn't know Rogues would be so sophisticated already.
So what would you recommend, Keiichi25? Would the rootkit revealer be able to sort them out?
What did you use to identify the culprits?
I guess I was just lucky not to come across one of those nasties yet.
Thanks for your info

-DG
 

Ok I must confess that I didn't know Rogues would be so sophisticated already.
So what would you recommend, Keiichi25? Would the rootkit revealer be able to sort them out?
What did you use to identify the culprits?
I guess I was just lucky not to come across one of those nasties yet.
Thanks for your info

-DG

Never heard of Rootkit Revealer myself. The only thing I can really suggest is to be paranoid. Self-educate and, most importantly, look at making sure you have a secondary account on your system.

One of the other pieces of malware I found really annoying is one where, if one user is infected with the malware, you only have a good chance of cleaning it out if you log in under safe mode with another account that has NOT logged in normally. One malware takes advantage of the user-switching ability to propagate itself to other user profiles, thus rendering them infected as well.

As for not coming across one of the malware, again, it depends on what kind of procedures you take when browsing the web and where you browse. Most of the time I have seen it hit, it has generally been due to people browsing weak sites (low security) or ones with really crappy advertising banners (because those services are also low-security and weak). However, I did encounter one user who was hit through Fox Sports, which I am sure was through the ad sites posted on it.
 

Why is it that no antivirus program seems able to thwart the Rogue Antivirus viruses? Lots of folks get tricked by these, and the major antivirus companies have done little to stop it. Anybody have any idea why it is so tough to prevent infection from these sorts of viruses?

Because in reality most rogue antiviruses do not act in a malicious way.
They don't destroy anything, they don't try to read your keystrokes, they don't try to download anything.

They just sit there and try to make the user pay for this useless software.

So, as you can see, it is really hard to detect them, as they don't act too aggressively.

Most real AV companies have to walk a thin line: if they make their own engine aggressive in order to detect rogue security software, they run the risk of detecting normal legitimate software (which happens to be trial software, so it asks for money for an upgrade).

That's why increasing the aggressiveness level in order to detect rogue AV can trigger high amounts of false positive detections, which in some situations can be fatal to the system.

This is one of the main reasons why they are hard to detect.
 

I agree with what you say, jav, that the A/V vendors need to be careful to avoid false positives. The other problem is the rapid rate at which the rogues are distributed. They cannot be added to detection until the vendors have the appropriate file information to add to the DAT files.

Because in reality most rogue antiviruses do not act in a malicious way.
They don't destroy anything, they don't try to read your keystrokes, they don't try to download anything.

They just sit there and try to make the user pay for this useless software.

Rogues do more than just attempt to extort payment. Rogues are trojans and have been known to:

  • Prevent downloading to the infected computer
  • Change IE settings
  • Disable Antivirus Software
  • Disable the Security Center
  • Download additional malware
  • Add redirects to the HOSTS file (effectively blocking not only Microsoft sites but also security vendors and even security help forums)
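The HOSTS-file item in the list above is the one that is easiest to verify on a suspect machine. The script below is an added example written for this thread, not code from any poster or vendor; it assumes the HOSTS file is at its stock location, and the watch list of name fragments is a constructed illustration to be replaced with the vendors and forums you actually rely on.

```powershell
# Added example, not from the thread: scan the HOSTS file for blocks and redirects of
# the kind rogues plant. Read-only.
# Assumptions: stock HOSTS location; $WatchList is a constructed illustration.

$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Name fragments a rogue typically targets so the victim cannot reach updates or help.
# Constructed for this example; extend it with the sites you depend on.
$WatchList = @('microsoft', 'windowsupdate', 'symantec', 'mcafee', 'kaspersky',
               'malwarebytes', 'bleepingcomputer', 'sevenforums')

# Targets that are harmless in a HOSTS entry: loopback or the unspecified address.
$LoopbackPattern = '^(127\.0\.0\.1|::1|0\.0\.0\.0)$'

function Get-HostsEntries {
    param([string[]]$Lines)
    # Parse "address name [name ...]" lines, dropping comments and blank lines.
    $entries = @()
    $lineNo = 0
    foreach ($line in $Lines) {
        $lineNo++
        $text = ($line -split '#')[0].Trim()
        if (-not $text) { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }
        $ip = $fields[0]
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            $entries += [pscustomobject]@{ Line = $lineNo; Address = $ip; Name = $name }
        }
    }
    return $entries
}

function Find-SuspiciousHostsEntries {
    param([string[]]$Lines)
    $suspicious = @()
    foreach ($e in Get-HostsEntries -Lines $Lines) {
        $onWatchList = $false
        foreach ($w in $WatchList) { if ($e.Name -like "*$w*") { $onWatchList = $true } }
        $redirected = $e.Address -notmatch $LoopbackPattern
        # A watched name pointed anywhere is a block or a redirect; any name pointed at a
        # real address deserves a look even when it is not on the list.
        if ($onWatchList -or $redirected) {
            $reason = if ($onWatchList -and $redirected) { 'watched name redirected' }
                      elseif ($onWatchList) { 'watched name blocked' }
                      else { 'redirect to non-loopback address' }
            $suspicious += [pscustomobject]@{
                Line = $e.Line; Address = $e.Address; Name = $e.Name; Reason = $reason
            }
        }
    }
    return $suspicious
}

# Run against the live file; an empty result means nothing matched.
$hits = Find-SuspiciousHostsEntries -Lines (Get-Content -LiteralPath $HostsPath)
if ($hits) { $hits | Format-Table -AutoSize } else { Write-Output 'No suspicious HOSTS entries found.' }
```

Two things follow from the list above: a rogue that blocks vendor sites usually maps them to loopback, which the "watched name blocked" reason catches even though the address itself is harmless, and a rogue that redirects a vendor site to a server it controls shows up as "watched name redirected". Entries you added yourself for a home NAS or a test server will appear under the third reason; that is the price of not trusting the list blindly.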
 

Mother-in-law just had this on her PC a few days ago. She runs Windows XP Pro. I've had this also on Windows XP Pro, but (touch wood) not on my Windows 7. What a nightmare it was recovering her PC from this, I can tell you: 46 trojans in total!!
 

Since most of those rogues prevent "rescue programs" like Task Manager etc. from starting
-DG
You can copy/paste taskmgr.exe (Task Manager) from the System32 folder to the desktop and rename it to iexplore, explorer or firefox, and it should come up if an exe-killing rogue is active, allowing you to use Task Manager to kill the rogue's process and get a scan going with Malwarebytes or other apps.
 

Rogues do more than just attempt to extort payment. Rogues are trojans and have been known to:

  • Prevent downloading to the infected computer
  • Change IE settings
  • Disable Antivirus Software
  • Disable the Security Center
  • Download additional malware
  • Add redirects to the HOSTS file (effectively blocking not only Microsoft sites but also security vendors and even security help forums)
Yes, sorry.
I was wrong in a way.

But most of the functions you have mentioned have evolved in order for rogues to protect themselves. So, it's not actually their main task, but just self-protection precautions.

  • Download additional malware
Yes, this one needs special mention.
And it is actually a malicious thing they do, and one which happens very often.

Anyway, I was wrong to say they don't act. Regardless of what their motivation is, they really do the actions you have mentioned.
 

I wouldn't say it is self-protection, but also to 'sell' the issue to uneducated computer users, who are scared into just believing the problem exists. Viruses would also try to prevent tools from removing them, as well.
 

I want to test a few different AV/anti-malware combinations on one of my computers. If someone knows a site that's serving up a rogue AV, PM me with the link; I'm having a hard time finding one.
 
I want to test a few different AV/anti-malware combinations on one of my computers. If someone knows a site that's serving up a rogue AV, PM me with the link; I'm having a hard time finding one.

Meh... If you really want to try and get yourself infected... Try the following searches:

Search for Lyrics - Strangely enough a lot of crappy lyrics sites.
Search for MP3s - Particularly popular music MP3s you can get for free
Porn - Invariably, some really lame Porn sites will also have some form of malware.
Game Cracks - Which tend to also invariably lead to porn ads and other crap you don't need.
Avian/Swine Flu - Silly as it may seem, the latest disease scare means people worried about it will invariably look it up and get hit.
 

There's a good reason for my wanting to do it. I get quite a few customers with rogue AV infections (almost all of which are XP systems), and I want to find an easier way to remove them, and hopefully find a completely free AV/AM combination that stops them beforehand. Besides, I can reinstall from an image in about 20 minutes and I have several computers to work with, so I'm not really worried about it.

... tried the above suggestions... took me 5 minutes to find some infected sites, all of which were blocked by Malwarebytes RT scanning
 