Exposing Fake Antivirus Programs

The most pervasive malware trend I’ve noticed lately is the tendency for malicious software to masquerade as antivirus software. These programs prompt you to confirm a series of popup messages "in order to protect your PC," when in fact confirming them hands you the very infection you were hoping to avoid. For most overclockers and enthusiasts around here these prompts seem all too obvious; however, our families and friends still fall victim, and their computer problems often become our problems to fix.

Typical Malware Popup (Image courtesy of WindowsSecrets.com)

In my experience, a bit of intuition, a healthy dose of google-fu, and, when I really find myself in a pickle, some help from our forum members have always got me what I needed to restore a PC to good working order. Fixing the PC is only a fraction of the equation though, not even half the battle. To get to the root of the issue one must make peace with the greatest evil ever known to the PC – the user.

That’s right. The hard part is communicating with a user in a way that makes them understand what they did wrong and how to avoid it in the future. You may be charging a reasonable rate to fix the problem and enjoy the repeat business, but if the problem keeps recurring, before long they are going to be very unsatisfied with your help. It is important to assign the blame where it belongs, and to do it in a way that educates them about avoiding the issue. In his article about the Lizamoon infection, Fred Langa of WindowsSecrets gives a great blow-by-blow account detailing exactly how a malware infection is acquired. By walking through the steps and describing the infection process in immense detail from start to finish, he gives us first-hand insight into what actually happens when you don’t run away from those pesky malware popups. From the article:

Taking yet another deep breath (and my fourth voluntary action), I clicked OK, which let the malware installer run to completion.

The malware goes active and disables my security

Immediately after I clicked OK, my system went haywire.

With the infection requiring 4 independent confirmations from the user before it becomes active, there are plenty of opportunities to wake up and smell the whiskey. To read on, and maybe even send a link to your loved ones who could benefit from the great plain-English walk-through, check out the full article on WindowsSecrets.com:

“Lizamoon Infection: a blow-by-blow account” by Fred Langa

Do you think these sorts of articles could be helpful explanations for the “normal users” in your life? Let us know in the comments below.

– Matt Bidinger

About Matt Bidinger 60 Articles
My name is Matt Bidinger. I manage the editorial and forum staff for Overclockers.com, and I enjoy Community Management with a number of large internet sites. I've worked in IT in my professional career; my site involvement keeps me off the streets at night. When relaxing, I can usually be found walking the parks and roads of Rootstown, OH with my wife Kim and my dog Bubba.

terran2k

Yeah, I'd say about every personal computer I've fixed for malware infections has had those fake AVs.

Seebs

I am so glad I don't make a living out of fixing other people's computers... I do however get the occasional frantic call from a friend that has found him/herself in a "malware pickle". I am not a patient guy by any definition of the word, and most times I will help them out while at the same time showing them that all those infections can be easily attributed to an "I-D-10-T" error. They're not too happy once they figure out what "it" means, but if you have to click through four confirmation messages to get a virus and still can't be bothered to read before you click, I think being called an idiot is the least you can expect when having your PC cleaned for the third time.

G33K454URU5 R3X

The problem is that virus creators are getting more tricky: exploited PDFs, clickjacking, SQL injection, search poisoning... At one time it was very easy to blame the user (and still is, to some extent - think Limewire); however, the way some of this malicious content is being delivered is becoming increasingly tactful.

SteveLord

Last week I cleaned this off a computer at work. And a laptop that was loaned to someone was hit as well. Had a recent image of that one though.

Been fighting these for years...

EarthDog

A giant +1. Great article!

We are currently fighting a virus outbreak at my office. 450 PCs were infected with Worm:Win32/Rorpian.A, and no a conficker, and something else. Although this is only affecting print servers at the moment and causing reboots, it's a lot of lost productivity.

madhatter256

I've been dealing with these for almost 2 years now.

I had one customer who fell for one and paid for it; however, each time they put in their credit card number, the program would say the number was not valid and ask for another one. The customer was gullible enough to try 3 other cards, and they all said the same thing, which made him bring the PC over to me to try and fix it. After he told me what he did, I told him to immediately cancel those credit cards, as it obviously just took as many card numbers as possible.

Some programs do go away after you pay for them, but then come back a month later with the same problem. Throughout that time it just spies on you and logs your key strokes.

Really nasty ones will inject rootkits into MBR and OS systems (or something like that). I had this one PC where I did do a format/reinstall of the OS. I just did a quick format, not a low-level one via KillDisk. After installing the drivers and going to Windows Update, this pop-up came up that I needed virus protection and all I've installed were drivers, nothing else. So, obviously there was something left over even after doing the format that allowed it to detect the internet connection and reinstall itself.

Lately, I've had great success with live-CDs of Linux, especially BitDefender Rescue CD. Afterwards I would run Malwarebytes/combofix to clean up whatever bitdefender didn't find and it all works out in the end.

madhatter256

The problem is that virus creators are getting more tricky: exploited PDFs, clickjacking, SQL injection, search poisoning... At one time it was very easy to blame the user (and still is, to some extent - think Limewire); however, the way some of this malicious content is being delivered is becoming increasingly tactful.

This is true as I have had church ladies get infected and they barely use the Internet (some still on dial-up) and don't allow anyone else on it, but they were browsing some church site when the "pop-up" came up. So even legit sites can get overtaken with malware and spread it.

Firefox + noscript really does help, but is too advanced for the average PC user.

x509

This is true as I have had church ladies get infected and they barely use the Internet (some still on dial-up) and don't allow anyone else on it, but they were browsing some church site when the "pop-up" came up. So even legit sites can get overtaken with malware and spread it.

Firefox + noscript really does help, but is too advanced for the average PC user.

I tried out noscript for a while, but it's a real hassle to work with, since legit sites all depend on scripts also. And how do you really know that any given script is bogus?

madhatter256

I disable it when I'm on legit sites, like Yahoo, Google, and my bank site, as well as Newegg, but when I surf everywhere else, I turn it on. I just don't let it load ad servers.

Daemonkin

I am so glad I don't make a living out of fixing other people's computers... I do however get the occasional frantic call from a friend that has found him/herself in a "malware pickle". I am not a patient guy by any definition of the word, and most times I will help them out while at the same time showing them that all those infections can be easily attributed to an "I-D-10-T" error. They're not too happy once they figure out what "it" means, but if you have to click through four confirmation messages to get a virus and still can't be bothered to read before you click, I think being called an idiot is the least you can expect when having your PC cleaned for the third time.

Seems always to be that error or a PEBKAC error. Always the worst ones. :D
