Perilous virus scanners
Test Center | 24 August 2010
Hackers and web fraudsters make a killing with the help of spurious anti-virus programs, and distinguishing these from genuine ones can be very tricky.
By CLAUDIO MÜLLER
The desktop suddenly turns black, security warnings flash up and an unknown virus scanner offers itself as the solution to the problem: this is how attacks by cyber gangsters often begin. Most of the time the intruder is a fake anti-virus program (rogueware or fake antivirus) that uses bogus virus alerts to tempt the user into buying an expensive full version. The trick has worked like magic on millions of people: for this year alone, McAfee estimates total damages of over $300 million worldwide. We show how to trace rogueware and how to get rid of it. An up-to-date security suite is of utmost importance, since every month thousands of new rogueware samples and millions of such websites appear on the Internet, and the trend is rising briskly. Fake antivirus programs can be grouped into hundreds of families, of which only a handful are well known.
Identification: Obtrusive pop-ups
Rogueware spreads through prepared websites. These exploit security holes in the browser or in plug-ins such as Flash Player and plant malware via drive-by download, or they ask the user to download fake video codecs that contain malicious code.
If a fake scanner is installed on your PC, you can recognise it from the symptoms. The most obvious are obtrusive pop-ups reporting supposed virus infections, followed by requests to purchase the full version. Close such a window from Task Manager, because even clicking 'Cancel' can open a malicious website or download further malware. Some variants show security-risk warnings or firewall warnings in the taskbar and change the desktop wallpaper or screensaver. Moreover, rogueware scans the computer much faster than a genuine virus scanner and displays unrealistic results.
Rogueware very rarely attacks alone. Once the attacker has access to the computer, further malware can be added. Usually these fake antiviruses are accompanied by trojans that spy on the computer and forward user data through a backdoor, or that install programs such as keyloggers. A worm then connects the infected computer to a botnet, so the user unknowingly helps spread the rogueware. Nowadays extortion tools (ransomware) have also started arriving together with fake antiviruses.
The various symptoms bother the user until he or she eventually visits the website of the fake antivirus. The attackers also spread links to these sites through spam mails and over social networking websites such as Facebook and Twitter; in the mails the promoted programs usually hide behind cryptic web addresses. If you wish to install new virus protection, always go directly to the website of the antivirus developer: not even a Google search is safe. Search results are the second most popular way of spreading such programs. The hackers exploit current topics, and also specific search queries about virus protection, so that their sites appear right at the top of the results. Most of these sites contain no malicious code themselves but automatically redirect the user to a website that then infects the computer.
At first glance the professionally designed websites of rogueware developers look impressively authentic, for instance with fictitious test results and high discounts. Some even offer a working telephone and email helpline. The promoted programs cost anything between Rs 1,845 and Rs 6,000; the price alone should already make you suspicious. As a rule, stay away from programs that scan the computer for free but require a full version to remove the viruses. And in any case, never enter your credit card details on such websites.
If you have an up-to-date security suite installed, however, it should be able to prevent every rogueware attack. Even if an attacker manages to slip in, for instance while the virus scanner was not updated, it is quite possible that the fake antivirus blocks your security suite: you can then no longer download updates or even start your virus scanner. In that case, try a malware removal tool from another manufacturer (for instance the Kaspersky Virus Removal Tool).
Removal: Often only with detours
If none of the above tips help, you must remove the malware manually. First, check your PC with the online scanner of an antivirus developer. You will then see which rogueware has infected the computer; with the help of support sites such as removeIt.info you can then find out which process to end and which registry entries to delete. This way you restore the system to a state in which an up-to-date virus scanner can remove the remaining traces of the rogueware.
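As an added example (not from the article or from any vendor), the following read-only PowerShell script supports that manual step: it lists the autostart entries in the standard Run/RunOnce registry keys, which the article does not name and which are assumed here to be the usual persistence spot, resolves the executable each entry launches, flags entries running from temp or user-profile folders (an assumption about typical rogueware drop locations), and shows whether the program is currently running.

```powershell
# Added example: triage autostart registry entries before manual rogueware removal.
# Assumes the standard Run/RunOnce keys; the article itself names no specific keys.
# Read-only: it lists entries, it does not end processes or delete anything.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumption: a legitimate security product rarely launches from these folders.
$suspectDirs = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA,
                 "$env:USERPROFILE\Downloads") | Where-Object { $_ }

# Snapshot running processes once; Path is null for processes we cannot inspect.
$running = Get-Process | Where-Object { $_.Path } |
           Select-Object -ExpandProperty Path | ForEach-Object { $_.ToLower() }

function Get-AutostartEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PS* metadata properties Get-ItemProperty adds.
            if ($p.Name -like 'PS*') { continue }
            # Best-effort extraction of the executable: quoted path, else first
            # token ending in .exe (an unquoted path with spaces stays whole).
            $exe = $p.Value -replace '^"([^"]+)".*$', '$1'
            $exe = $exe -replace '^(\S+\.exe).*$', '$1'
            $inSuspectDir = [bool]($suspectDirs | Where-Object { $exe -like "$_*" })
            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Command    = $p.Value
                Executable = $exe
                Suspicious = $inSuspectDir
                Running    = $running -contains $exe.ToLower()
            }
        }
    }
}

# Suspicious entries first, so the candidate to end and delete is at the top.
Get-AutostartEntries | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Once a support site has confirmed an entry as rogueware, end the process with Stop-Process -Id <pid> and remove the value with Remove-ItemProperty -Path <key> -Name <name>, then run the updated scanner as the article advises.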
TOP 5 PERILOUS ROGUEWARE
1. MS ANTIVIRUS
2. SECURITY TOOL
3. INTERNET SECURITY 2010
4. ANTIMALWARE DEFENDER
5. USER PROTECTION