
Fake antivirus and a real threat

Tuesday, January 20, 2009 at 7:18am by Lokesh Kumar

Fake-alert malware preys on unsuspecting victims by displaying misleading scan alerts, tricking the user into buying a fake antivirus product to “fix” the falsely exaggerated scan results. This class of “scareware” relies on aggressive social engineering and comes bundled with backdoors, password stealers, downloaders, droppers, browser helper objects, and so on.

Each of these malware classes is used either to distribute the fake antivirus itself or to propagate other malware once the fake antivirus is installed on the victim’s machine. Working towards a common goal, extorting money from the victim, these scareware applications have now added a new class of malware to their armory: rootkits.

Apart from hiding the scareware’s own files, the rootkit blocks access to genuine security vendors’ sites. The rootkit we noticed, named “tdss[random characters].sys”, was blogged about by Computer Associates recently and was associated with the AntiSpywareXP2009 scareware. We, however, found it protecting rogue components belonging to the WinWebSecurity scareware. This implies that either:

  1. the author of the rootkit is selling his code to multiple scareware vendors, or
  2. the same group is creating and distributing multiple fake antivirus products.

McAfee AV detects and cleans this rootkit component from DAT version 5496 onwards. A user stuck with a machine that has no antivirus with up-to-date signatures, however, will have to clean this rootkit manually.
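Since manual cleanup starts with finding the rootkit, here is a small triage script, added as an example and not code from the original post or from McAfee. It checks a driver-directory listing for the “tdss[random characters].sys” naming pattern described above, and parses a hosts file for entries that pin security-vendor hostnames, which is one common way such malware cuts off vendor sites (the post does not say which blocking mechanism this rootkit uses, so the hosts-file check is an assumption). The vendor domain list, the sample directory listing and the sample hosts file are all constructed for the example.

```python
import os
import re

# Naming pattern of the rootkit driver discussed in the post: "tdss" followed
# by random characters and the .sys extension. Matched case-insensitively.
TDSS_DRIVER_RE = re.compile(r"^tdss[a-z0-9]*\.sys$", re.IGNORECASE)

# ASSUMPTION: an illustrative vendor list; extend it with whatever sites the
# infected machine can no longer reach.
VENDOR_DOMAINS = ("mcafee.com", "symantec.com", "ca.com", "microsoft.com")


def find_tdss_drivers(filenames):
    """Return, sorted, the names in `filenames` that match the tdss*.sys pattern."""
    return sorted(f for f in filenames if TDSS_DRIVER_RE.match(f))


def parse_hosts(hosts_text):
    """Parse hosts-file text into {hostname: ip}; comments and blanks are skipped."""
    mapping = {}
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue                              # blank or malformed line
        ip, hostnames = parts[0], parts[1:]
        for name in hostnames:
            mapping[name.lower()] = ip
    return mapping


def hijacked_vendor_hosts(hosts_text, vendor_domains=VENDOR_DOMAINS):
    """Return {hostname: ip} for hosts entries that pin a vendor domain or any
    of its subdomains to a fixed address. A clean hosts file has no such
    entries, so every hit deserves a look, whatever address it points to."""
    hits = {}
    for host, ip in parse_hosts(hosts_text).items():
        if any(host == d or host.endswith("." + d) for d in vendor_domains):
            hits[host] = ip
    return hits


def triage(driver_dir, hosts_path):
    """Run both checks against real paths, e.g. a system volume mounted offline."""
    with open(hosts_path, encoding="utf-8", errors="replace") as fh:
        hosts_text = fh.read()
    return {
        "tdss_drivers": find_tdss_drivers(os.listdir(driver_dir)),
        "vendor_hosts": hijacked_vendor_hosts(hosts_text),
    }


# Constructed sample inputs so the example runs offline.
SAMPLE_DRIVERS = ["ntfs.sys", "tdssabc12.sys", "tcpip.sys", "tdss_notes.txt", "mrxsmb.sys"]
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       www.mcafee.com        # vendor site pinned to loopback
127.0.0.1       update.symantec.com
192.0.2.10      downloads.ca.com
"""

if __name__ == "__main__":
    print("suspicious drivers:", find_tdss_drivers(SAMPLE_DRIVERS))
    print("hijacked vendor hosts:", hijacked_vendor_hosts(SAMPLE_HOSTS))
```

Run `triage()` against a disk mounted from a clean boot environment rather than from inside the infected Windows installation: a live kernel rootkit that hides its files will hide tdss*.sys from `os.listdir` just as it hides them from Explorer, so a clean result obtained on the infected system proves little. Any vendor entry in the hosts file is suspicious on its own; a normal hosts file contains nothing but localhost.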

If you are a Windows user, then apart from the usual safe computing practices (a firewall, an up-to-date Windows installation and antivirus software), consider the following steps to minimize the chances of being infected by such scareware:

  1. Install backup software that can revert your system to a previously known uninfected state
  2. Browse the Internet from sandbox software
  3. Install a virtual machine and browse the Internet from it

On a final note, the Federal Trade Commission has recently won a restraining order against Innovative Marketing and ByteHosting Internet Services – companies responsible for marketing the scareware applications WinFixer, WinAntivirus, DriveCleaner, ErrorSafe and XP Antivirus. However, we will have to wait to see if this move actually has any impact on curbing the distribution of scareware.


Comments (3)

  • debt December 4, 2009 10:59PM

    Antispyware XP 2009 is a rogue spyware; it is a clone of Antivirus 2009. Antivirus 2009 is an unwanted program from the authors of Antivirus 2008. These applications have a resembling interface and “features”. After stealth installation, Antivirus 2009 will show tons of fake spyware/adware detection messages and offer to remove reported threats (after you purchase the commercial version). But in reality Antivirus 2009 is not a spyware cleaner, it’s just an imitation of a spyware remover. Antivirus 2009 can also slow your computer and cause system errors and crashes. I equally had the same problem and there is an easy way of removing it. First of all do CTRL+ALT+Delete, then go to Processes. Disable AntispywareXP 2009. After that, the program was probably stored by default at C:/program files/AntispywareXP 2009

    So go to your computer, then click on C:, then on Program Files, and find AntispywareXP; delete the whole folder and it should disappear. Go to Add or Remove Programs; it will be there, just press Remove and it will completely disappear.

  • Concerned Novice January 25, 2009 9:32AM

    Why didn’t McAfee detect and prevent the install of “AntiSpywareXP2009” on one of my computers? My version of McAfee on that computer is up to date.

    Today, within 15 mins of downloading McAfee on a new machine, the “AntiSpywareXP2009” popped up. How do I prevent this?

  • Bhaskar January 22, 2009 10:56AM

    Nice blog Lokesh, but is this threat perceptible under the McAfee Rootkit Detective radar?