Now a days it has become more common for a computer users to receive pop up from a legitimate website alerting them of a virus or trojans and offering anti-virus software to remove the virus, even though it is not. These pop us are actually created by skilled programmers turned hackers and cyber criminals for personal gain or just few extra bugs.These programs neither scan nor clean computers, and they are actually designed to persuade users that their computers are at risk and scare them into buying the “antivirus” product. They will insist us to install the solution they offer either for free or fewer bugs.
These type of fake antivirus program are widespread and are mostly used by internet criminals. According to Kaspersky labs they have identified more than 20,000 samples in the first half of 2009. Anti-virus company “Symantec” have claimed to found 250 varieties of scam security software with legitimate sounding names like Anti virus 2010 and SpywareGuard 2008, and about 43 million attempted downloads in one year but did not know how many of the attempted downloads succeeded” [Source: Symantec]
If we think how do these rouge programs end up on victim machines. Tailored Trojan horse can be used to download such rouge programs, or when a user visit a exploited website can perform a drive by download. More often either by mistake or by enticement from cyber criminals this programs get into users computer. Criminals raising this software manages to hide the IP address of the page from which malware downloads and installs.
Kaspersky Lab has recently identified a technique used for the dynamic download of rogue antivirus programs. Here’s an example: a script on ********.net/online-j49/yornt.html generated a redirect address, http://******.mainsfile.com.com/index.html?Ref=’+encodeURIComponent (document.referrer). The address generated depended on how the user arrived at the page containing the script (done with the help of document.referrer), or, in other words, which site the user had previously viewed. In this case the redirect led to http://easyincomeprotection.cn/installer_90001.exe, a page hosting a new rogue antivirus program, FraudTool.Win32.AntivirusPlus.kv.
Once after downloading the program below are some symptoms and actions made to threaten the users
- IF your computer is infected you will probably receive high number of fake warning alerts with increased pop-ups and hijack of your homepage. You can see your computer being usually slow compensating the performance.
- Sometimes, to make it more convincing, a fake infected file will be installed on the computer together with the rouge antivirus and later the same fake infected file will be detected during the scanning.
- Then the software will provide us with a recommendation to clean the virus (though you may not have one) in your computer for some money in return to their solution.
- If user by any chance click the “remove virus” button then a new window will open asking them to purchase their fake product. If you made a choice to buy that software, different payment method like paypal, Amex, Visa and bank accounts will be shown as if they were legitimate.
Some basic steps that users can take to prevent from more problem are
- Rouge antivirus infection will not damage users machine, they are used by cyber criminals to make money from inexperienced users.
- To not to get trapped, Google the antivirus name that comes up and check whether the name has an official site, technical support or phone support.
- Beware that legitimate anti-virus companies (both commercial and open source) will not scan your computer for money. Never click the button “install”if you don’t know what the pop up says.
If you choose to get rid of the problem by yourself here are some basic steps to identify the anti-virus and delete them. Uninstall the suspected anti-virus program using Add/Remove utility in the control panel. After removing the utility, restart your computer in safer mode. Then launch Microsoft security essential or firewall vendor of your choice to run a scan against system files and folders to remove the suspected applications. At situations you may need to remove it manually. Make sure to back up your important files. Press Ctrl + Alt + Del to bring up the task manager. Click on the fake anti-virus image name and choose to stop it from running. Go to Start, Run. Type regedit to start the Registry Editor, where you will drop the entries for WinAntiVirus. Browse to the Hkey_Local_Machine\Software folder from the My Computer folder and delete the series of Registry entries that are described under the fake anti-virus thread. Google and try to get as many as information about that virus and try to manually delete it from your windows folder, but make sure to stop the file processes in the task manager before you actually delete them.
PC Manufactures solution:
To protect your computer, try installing and running an up-to-date anti-virus product such as Microsoft Security Essentials, from microsoft ( look at my earlier article on Microsoft free Anti virus software), MSE provides real time protection against virus, trojan, spyware and adwares. Another option is to run a virus scan with the Windows Live OneCare safety scanner. Microsoft’s Windows defender can also be used to remove spyware and other potentially unwanted software from your computer.
Latest list of Rouge Antivirus softwares from Microsoft
Microsoft have released a list of significant threat that AV rogues had posed for our users this year. Besides the prevalent rogues covered by the MSRT, the following is a longer list of AV rogues detected by Microsoft AV products such as Microsoft Security Essentials, Forefront Client Security, etc.
FakeXPA | Winfixer | FakeSmoke | SpywareSecure |
FakePowav | FakeScanti | Spyguarder | IEDefender |
MalwareBurn | Cleanator | AntivirusGold | MalWarrior |
UnSpyPc | MalwareCrush | SystemGuard2009 | Malwareprotector |
DriveCleaner | PrivacyChampion | WorldAntiSpy | SpywareSoftStop |
DocrorTrojan | SystemLiveProtect | Yektel | AntiSpyZone |
Antivirus2008 | Winwebsec | FakeSecSen | FakeRean |
PrivacyCenter | FakeRemoc | VirusRemover | Antivirus2009 |
SpyLocked | SpywareStormer | Privacywarrior | AntiSpywareDeluxe |
Trojanguarder | SecurityiGuard | PrivacyProtector | Searchanddestroy |
MyBetterPC | DoctorCleaner | SpyBlast | AlfaCleaner |
NeoSpace | UniGray | FakeFreeAV | WebSpyShield |
InternetAntivirus | WinSpywareProtect | FakeSpypro | AntiSpywareExpert |
Antivirusxp | Fakerednefed | FakeCog | VirusRanger |
ErrorGuard | Antispyware2008 | AntiVirGear | SpyDawn |
SpyCrush | EZCatch | VaccineProgram | UltimateFixer |
Fakeav | EvidenceEraser | TrustCleaner | WinHound |
Spyaway | Vaccine2008 | SearchSpy | Spyshield |
SpySheriff | FakeVimes | FakeIA | AdvancedCleaner |
Antispycheck | PCSave | AntispyStorm | FakePccleaner |
SpywareIsolator | PSGuard | Antivirustrojan | SpywareQuake |
SpyFalcon | SpywareStrike | XDef | WareOut |
PrivacyRedeemer | Nothingvirus | AntiSpywareSoldier | Kazaap |
VirusConst | AVClean | AdsAlert | SystemDefender |
FakeSpyguard | Fakeinit | SpyAxe | |
SpyHeal | AntiVirusPro | Awola | |
VirusBurst | CodeClean | MyNetProtector | |
VirusRescue | Spybouncer | FakeWSC | |
TitanShield | MalwareWar | DoctorAntivirus | |
Easyspywarecleaner | VirusHeat | UltimateDefender |
Source: Microsoft fake security Anti virus run up
This list from Microsoft has new and recent rogues such as FakeXPA, FakeSecSen and FakeRean. It also contains some older rouges that are dated since 4 years such as Winfixer and SpySheriff.
Conclusion:
Unfortunately this programs are getting more common. Microsoft encourages PC users run a complete up to date Antivirus products such as Microsoft Security Essentials to protect their computers from these rogues. Don’t believe any pop-ups other than Google search on your own. Awareness of the threat is very important. Have a look at some of these threats, get familiar with some of the names, screen shots and pass on the word to your friends and families.