Thursday, August 25, 2011

Another day, another Rogue Antivirus

Today I have the following on my desk:


The malware usually enters your PC via a drive-by download or the user is tricked into loading the file – for example, if the user wants to see some video on the web and the page tells them that they need an additional plugin. Your Windows security center pops up and tells you that you have no antivirus, no firewall, then the "Antivirus" pops up and starts a scan – it doesn't really scan anything, but shows you a nice animation and claims to detect all kind of malicious software on you disk. If you try to start a program – no matter what, you get the information, that a virus was found and blocked – as a result, you can't run any program – but guess what, help is near and if you purchase the full version of this Antivirus it will help and protect you. Nice of them, isn't it?





In our special case the executable copies itself into the %USERPROFILE%\Local Settings\Application Data (for example: C:\Documents and Settings\username\Local Settings\Application Data) with a random, three letter name – like dpx.exe. It also adds some keys to the registry to make sure it will be started upon boot  and it also adds a key that makes sure that it will be started as soon as you start a program on you Computer. So much for the self defense.

The removal is quite easy, locate the process in the taskmanager, terminate it, run regedit, terminate the process again (yep, it started again when you started regedit), search the registry for all occurrences of the "three letter" process name. (But make sure that you enter the full path as a search string!) Delete each occurrence and then reboot you machine. After reboot you can also delete the malware executable itself. Done.

Ok, that's really nothing new – but why does it work – as we know a lot of people really click the “Buy now” button and enter their CC information – otherwise such rogue programs wouldn't be so widespread. If you want to see more data on how successful this business is, take a look at the pdf from Alain Zidouemba - it can be found here.

The problem is, that people like you and me – people that work in the computer security field –have no problem to tell the good from the bad, we know all the vendors, we know how to recognize a legit website from a fake, simply because we do this for a living or as a hobby. But what to tell the people that are targeted by such rogue software and that don't have the time, the knowledge and interest in diving into the matter and find out what AV to use and how to tell that it's a real AV and not a fraud? All they want is just “some” AV, or some firewall or whatever.

You can start to tell about various well known vendors, throw with feature lists, ssl certificates, safe browsing and much more and in the end you have someone in front of you, that is bored, confused and / or sleeping.

If you really want to give a short answer, how to make sure that a security product is really a security product and not some fraud – here it is:

Buy a box.

The not so short answer – go into a real shop, with real salesman and ask for an antivirus. Whatever you take home with you wont be a rogue antivirus – cause they are only sold on the web but none of them has ever been seen in a computer store, inside a box with a price label on it. Really.

But now, that you read this, – you can also try Immunet Protect – it's not available in stores but works really great – and is combined with ClamAV!

Tuesday, August 9, 2011

70 Percent Of Infected Consumer Machines Hit With Multiple Malware Types

An interesting article over on DarkReading highlighting one of the presentations Sourcefire gave at BlackHat 2011 last week in Las Vegas, NV by our Malware group.

http://www.darkreading.com/cloud-security/167901092/security/antivirus/231300516/70-percent-of-infected-consumer-machines-hit-with-multiple-malware-types.html

"Overall, one out of every six or seven consumer machines is infected, according to new malware statistics gathered from Sourcefire's software-based ClamAV and cloud-based Immunet customers during the first three weeks of July."
Head on over to the above link for the full article.