Typical Malware Popup (Image Courtesy WindowsSecrets.com)

Exposing Fake Antivirus Programs

Add Your Comments

The most pervasive Malware trend I’ve noticed lately is the proclivity for bad software to masquerade as though its antivirus software. These prompt you to confirm the popup messages in order to protect your PC, while in fact doing so will give you the very infection you were hoping to avoid. For most Overclockers and enthusiasts around here these prompts seem all too obvious, however our families and friends often still fall victim and their computer problems often become our problems to fix.

Typical Malware Popup (Image Courtesy WindowsSecrets.com)

Typical Malware Popup (Image courtesy of WindowsSecrets.com)

In my experience a bit of intuition, a healthy dose of google-fu, and when I really find myself in a pickle some help from our forum members always got me what I needed to fix the PC back up to good working order. Fixing the PC is only a fraction of the equation though, not even half the battle. To get to the root of the issue one must make peace with the greatest evil ever known to the PC – the user.

That’s right. The hard part is communicating with a user in a way where they understand what they did wrong and how to avoid it in the future.  You may be charging a reasonable rate to fix the problem and like the repeat business, but if the problem keeps recurring then before long they are going to be very unsatisfied with your help. It is important to blame them appropriately, and in a way they are educated about avoiding the issue.  In this article about the Lizamoon infection, Fred Langa of WindowsSecrets gives a great blow by blow account detailing exactly how a malware infection is acquired. Walking through the steps and providing immense detail of the infection process from start to finish, we get his first hand insight into what actually happens when you don’t run away from those pesky malware popups.  From the article:

Taking yet another deep breath (and my fourth voluntary action), I clicked OK, which let the malware installer run to completion.

The malware goes active and disables my security

Immediately after I clicked OK, my system went haywire.

With the infection requiring 4 independent confirmations from the user prior to the infection becoming active, there are plenty of opportunities to wake up and smell the whiskey.  To read on, and maybe even send a link to your loved ones who could benefit from the great plain english walk-through, check out the full article on WindowsSecrets.com:

Lizamoon Infection: a blow-by-blow account” by Fred Langa

Do you think these sorts of articles could be helpful explanations for the “normal users” in your life? Let us know in the comments below.

– Matt Bidinger

Leave a Reply

Your email address will not be published. Required fields are marked *

Discussion
  1. xXSebaSXx
    I am so glad I don't make a living out of fixing other people's computers... I do however get the occasional frantic call from a friend that has found him/herself in a "malware pickle". I am not a patient guy by any definition of the word and most times I will help them out while at the same time showing them that all those infections can be easily attributed to an "I-D-10-T" error. They're not too happy once they figure out what "it" means, but if you have to click through four confirmation messages to get a virus and still can't be bothered to read before you click; I think being called and idiot is the least you can expect when having your PC cleaned for the third time.


    Seems always to be that error or a PEBKAC error. Always the worst ones. :D
    I disable it when I'm on legit sites, like yahoo, google, and my bank site, as well as newegg, but when i surf everywhere else, i turn it on. I just don't let it load ad servers.
    madhatter256
    This is true as I have had church ladies get infected and they barely use the Internet (some still on dial-up) and don't allow anyone else on it, but they were browsing some church site when the "pop-up" came up. So even legit sites can get overtaken with malware and spread it.

    Firefox + noscript really does help, but is too advanced for the average PC user.


    I tried out noscript for a while, but it's a real hassle to work with, since legit sites all depend on scripts also. And how do you really know that any given script is bogus?
    G33K454URU5 R3X
    The problem is that virus creators are getting more tricky; explotied PDF's, clickjacking, SQL injection, search poisoning...at one time, it was very easy to blame the user (and still is, to some extent - think Limewire) - however, the way some of this malicious content is being delivered is becoming increasingly tactful.


    This is true as I have had church ladies get infected and they barely use the Internet (some still on dial-up) and don't allow anyone else on it, but they were browsing some church site when the "pop-up" came up. So even legit sites can get overtaken with malware and spread it.

    Firefox + noscript really does help, but is too advanced for the average PC user.
    I've been dealing with these for almost 2 years now.

    I had one customer who fell for one and paid for it, however, each time they put their credit card number, the program would say the number is not valid and ask for another one. The customer was gullible enough to try 3 other cards and they all said the same thing and this made him bring the PC over to me to try and fix it. After he told me what he did I told him to immediately cancel those credit cards as it obviously just took as many card numbers as much as possible.

    Some programs do go away after you pay for them, but then come back a month later with the same problem. Throughout that time it just spies on you and logs your key strokes.

    Really nasty ones will inject rootkits into MBR and OS systems (or something like that). I had this one PC where I did do a format/reinstall of the OS. I just did a quick format, not a low-level one via KillDisk. After installing the drivers and going to Windows Update, this pop-up came up that I needed virus protection and all I've installed were drivers, nothing else. So, obviously there was something left over even after doing the format that allowed it to detect the internet connection and reinstall itself.

    Lately, I've had great success with live-CDs of Linux, especially BitDefender Rescue CD. Afterwards I would run Malwarebytes/combofix to clean up whatever bitdefender didn't find and it all works out in the end.
    A giant +1. Great article!

    We are currently figthing a virus outbreak at my office. 450 PC's were infected with Worm:Win32/Rorpian.A, and no a conficker, and something else. Although this is only affecting print servers at the moment and causing reboots, its a lot of lost productivity.
    Last week I cleaned this off a computer at work. And a laptop that was loaned to someone was hit as well. Had a recent image of that one though.

    Been fighting these for years...
    The problem is that virus creators are getting more tricky; explotied PDF's, clickjacking, SQL injection, search poisoning...at one time, it was very easy to blame the user (and still is, to some extent - think Limewire) - however, the way some of this malicious content is being delivered is becoming increasingly tactful.
    I am so glad I don't make a living out of fixing other people's computers... I do however get the occasional frantic call from a friend that has found him/herself in a "malware pickle". I am not a patient guy by any definition of the word and most times I will help them out while at the same time showing them that all those infections can be easily attributed to an "I-D-10-T" error. They're not too happy once they figure out what "it" means, but if you have to click through four confirmation messages to get a virus and still can't be bothered to read before you click; I think being called and idiot is the least you can expect when having your PC cleaned for the third time.