Over the last few weeks, the number of service calls I have received about malicious software infections has been much higher than usual. It seems the creators of the various rogueware applications that pose as security software are cashing in on the holiday surge in spending. This has been a real cause for concern among my customers, and the outlook for dealing with these infections appears bleak: they keep getting sneakier, more common, and tougher to prevent. I have been answering a lot of questions about these attacks, so I have decided to address the most common ones in this article.
First off, a little background. Who are these people? The majority of the infections seem to point back to a Russian software company called Bakasoftware. As reported on Wikipedia, in November 2008 a hacker known as NeoN broke into Bakasoftware's database and posted the earnings the company received from XP Antivirus. The data revealed that the most successful affiliate earned $158,000 in a single week, and that is just one of many affiliates. An InformationWeek article estimates that cybercriminals are earning about $34 million per month from rogueware, which typically sells for between $49.95 and $79.95. In December 2008, the FTC obtained a temporary halt to a massive scareware scheme; two companies were charged in that case, Innovative Marketing, Inc. and ByteHosting Internet Services, LLC, which operate under a variety of aliases and maintain offices in several countries. According to the complaint, Innovative Marketing is incorporated in Belize and maintains offices in Kiev, Ukraine; ByteHosting Internet Services is based in Cincinnati, Ohio.
How did you get infected? The overwhelming majority of people I have helped have been running Windows XP with Internet Explorer as their web browser. This does not mean that Windows Vista or Windows 7 are immune (I have cleaned up a handful of infections on Vista computers; Windows 7 is still too new and I have not personally dealt with any infections on it yet), it just means there are a whole lot more XP users out there. The Windows executables these schemes install do not run on Apple's Mac OS X, so unless you are running Windows XP in Boot Camp or in a virtual machine such as Parallels or VMware Fusion, Mac users need not worry about these particular infections. This Wikipedia article sums up the most common ways computers get infected:
Rogue security software mainly relies on social engineering in order to defeat the security built into modern operating system and browser software and install itself onto victims’ computers.
Most have a Trojan horse component, which users are misled into installing. The Trojan may be disguised as:
* A browser plug-in or extension (typically a toolbar)
* An image, screensaver or archive file attached to an e-mail message
* A multimedia codec required to play a certain video clip
* Software shared on peer-to-peer networks
* A free online malware scanning service
Some rogue security software, however, propagates onto users' computers as drive-by downloads which exploit security vulnerabilities in web browsers or e-mail clients to install themselves without any manual interaction.
I have found that Facebook has lately been the most popular tool for socially engineering victims into infecting their own computers. The most common instance is a message through Facebook's direct messaging system that comes from a friend and asks, quite generically, to check out a video or photo, with a link to a website outside of Facebook. The user then gets a pop-up message saying their computer is infected and asking whether they want to install security software to clean the infections. Here's the rub: even if they click Cancel on the message, it goes ahead and installs itself anyway.
Why didn't my anti-virus program stop this? Battling these infections is an uphill fight. Signature-based security software is only as good as the latest virus definitions installed on the machine. The malware authors put out mutated versions of their software daily, and once it is on your machine it typically disables your anti-virus program's ability to update itself. Short of disconnecting from the Internet or not using a Windows-based PC at all, there is no guaranteed way to prevent these infections. Since that is not practical for most people, here are some things you can do to avoid them.
The first step is to recognize the events that lead up to a rogue infection. Downloadsquad has a great article on how to spot a fake anti-virus program. From their article:
Here are some things to look for:
* cheesy names – never mind the old adage, with these programs you usually CAN judge the book by its cover. Rogue antivirus programs typically use names like Antivirus 360, WinAntivirus 2009, Spyware Police, SpywareProtect, etc.
* alerts that just don’t belong – Windows will tell you if you’re not running antivirus software or the definitions are out of date, but it won’t tell you that an infection has been found. Windows Defender will pop up alerts, but not Windows itself or the Windows Security Center. Alerts that claim Windows has found infected files are pulling your leg.
* poor grammar – Windows has its weak points, but real system messages are usually very well written and clear. Alerts from rogue apps don’t have the same attention to detail.
* bogus scanning – lots of these apps pretend to scan your system and find all kinds of infected files. Watch what folders and files are being scanned and see if they match the infected files being found.
If the scan is going through c:\windows\ and infected items in folders like c:\temp or c:\documents and settings\ are popping up, it’s bogus. Real virus scanners will display infected items as soon as they find them in the folder that’s currently being scanned – not random stuff from who knows where.
The old advice for preventing viruses was never to open email from an unknown source. That still holds, but nowadays most of these infections come from a person you know who has been infected and is unknowingly spreading it. They also come from legitimate websites that get hacked and from advertising networks that become compromised. These infections usually take advantage of known and already-patched security holes, but because so many programs have their own inconsistent, proprietary update systems, most computer users get frustrated and confused by the daily reminders to update their programs and operating system and choose to ignore them altogether. This, coupled with the fact that the rogue vendors use almost identical-looking "automatic update" prompts to infect computers, makes users afraid to update anything!
Another personal gripe is that there are still people out there using Internet Explorer. No matter how much I preach, a lot of people just don't care. I suspect these are the same people who re-elect corrupt politicians because they don't know who the alternatives are and are too lazy to learn. This gets me angry, because the alternative browsers are free. They cost you nothing, yet so many people are not using them! Furthermore, most of them are better and faster. There is no legitimate technical source that will disprove that fact, yet people are scared to change.
Who are the alternatives? There are many, but currently the three most popular are Mozilla Firefox, Google Chrome, and Apple Safari.
So, there you have it. The best way to realistically prevent an infection is ongoing knowledge of how these infections are spreading and of how your computer and its programs update themselves. You also have to stop using Internet Explorer for everything except the few sites that are too stupid/lazy to follow internet standards (such as the CTAR MLS site, which mostly works in Firefox as of this writing, and a lot of local government sites). Don't use Internet Explorer for Facebook, MySpace, Twitter, or similar social networking sites. Sorry if this comes across as harsh, but the truth hurts, especially when it involves extra effort on your part. But if you're reading this far into the article, you obviously care enough to learn about malicious software prevention, so you are on your way!
OK, last but certainly not least: what should you do if you are infected? This varies from case to case. The latest infections are downright evil. They will not let you run programs; if you start up in Safe Mode the computer crashes before it can even finish booting; and if you install a removal tool, the infection deletes it as soon as it is installed. The most current ones are really sneaky: they infect your computer, pester you for a day or so, and then go dormant. You will believe it went away on its own or that your anti-virus program took care of it, but it is still there in the background collecting information such as credit card numbers and passwords. So how can you fix it?
The best thing you can do if you are not confident in your ability to deal with an infected computer is to call a professional. I deal with these problems on a daily basis, so what might take a novice days to sort out takes me about an hour. If your time is valuable and you can afford it, the cost of hiring a pro will be well worth it, and we guarantee our work. The alternative is to do it yourself with the help of some great online resources. My favorite database of how to remove known infections is at bleepingcomputer.com. The methods these infections use to make your life miserable are always changing, so when it comes to computer security you need to strap on your tinfoil hat and be wary of everything you do on the internet. Or, just buy a Mac. To date, I have never personally encountered a virus on a Mac.