How Prevalent Is Fake Antivirus Software?

Over the past couple of years, we've gotten a lot of calls and emails from people who've been infected by fake antivirus software.

I took a call myself from Joyce in Philadelphia late last week. She told me about how she had to wire money to India to get the viruses removed from her computer.

Their pitch to her? Her antivirus software (their fake software) had expired. When she called their so-called tech support number, they told her there was no way they could remove the virus without her making a payment by Western Union to renew the software for another year.

There were problems (of course) with her computer even after she paid the fees, so she was calling to see what the best antivirus software was because what she bought, she felt, sure wasn't very good.

Sure, some readers are going to say, "Why on Earth did she send a Western Union transfer to India?! What was the thinking??"

Let's put that aside for a while and ask the bigger question: Just how prevalent is this crap?

Funny thing is, Kaspersky asked this question, too, in their survey/report Digital Consumer’s Online Trends and Risks.

A whopping 24% of users surveyed worldwide said they've encountered fake antivirus software, with the worst three countries for "infection" being Russia (48%), the United States (34%), and the United Kingdom (28%).

What's the take-away message from this?

Well, there's more than just one:
  1. If you've seen fake antivirus software, you're not alone.
  2. Your chances are about 1 in 4 that you will.
  3. Make sure you're running real antivirus software.
  4. Familiarize yourself with what it's like and how it works.
  5. If you're familiar with it, you're more likely to know a fake threat when you encounter it.


Ask the Experts: Help! My PC is infected! How do I remove a virus?

Mike wrote in today asking a question on a lot of people's minds:
"I was surfing the web, I use Firefox, when suddenly my antivirus software started going totally nuts.

"I got a warning that it had blocked something from infecting my system, and I thought everything was fine, but a few seconds later, my system ground to a halt and my desktop disappeared.

"A few seconds after that, the desktop reappeared and everything seemed to be back to normal.

"Yeah right.

"Right after that I got a pop-up from something that looked like antivirus software, but I knew it wasn't, saying my PC was infected.

"The thing is, I know what my antivirus software looks like, and this thing doesn't look anything like it.

"The d##### thing has taken over my system, and they claim unless I pay for a registered version of their so-called "software", it appears I'm screwed.

"What a bunch of a#######.

"So, I've tried doing a manual scan with my current antivirus. It says everything is fine. It's not. The definitions were just updated right before it happened, so I thought everything would be fine.

"I called the company looking for help, and they want to charge me to get rid of the thing. Didn't I already pay for antivirus protection?

"I don't know who I'm more pissed off at. The jerks who wrote this thing or the antivirus company for trying to stick it to me.

"Now, I'm out looking for an answer, and I came across your site.

"Any tips or ideas on how I can get rid of this thing?"

I shot a reply back to Mike immediately with this answer,

Hi Mike,

Sorry to hear about your virus fiasco. What a pain.

Especially since you thought you were covered. Good news and bad news.

First the bad news: as you've found out, not all antivirus software is created equal.

And unfortunately even the best software sometimes has something slip through. It's cat-and-mouse between the good guys and the bad guys every day, and the kind of thing you got, rogue / fake antivirus software, is what most of the companies consider their biggest challenge to prevent.

Now for the good news: there are a couple of great free rescue tools out there that are ideal for a situation like the one you have on your hands.

The three I like the most are the ones from VIPRE, BitDefender, and Kaspersky.

Here are links for their free rescue CDs:

Effective Rescue CDs for Virus Removal

  Info Page                            Download Page
  VIPRE Rescue CD Information          Download VIPRE Rescue CD (.exe)
  BitDefender Rescue CD Information    Download BitDefender Rescue CD (.iso)¹
  Kaspersky Rescue CD Information      Download Kaspersky Rescue CD (.iso)

To use any of them, you need access to another clean PC with a CD-ROM burner or the ability to boot from a USB thumb drive.

I'll skip the steps to make a CD or USB version since it's a little different for each, and it's covered in detail at their respective sites linked above.

They're all pretty easy to use, but since each of them works a little differently, you'll want to read up a bit on the one you're going to use before you get started.

Any of these rescue CDs should be able to easily detect and remove the virus. If not, write us back, and we'll go into the next steps. Either way, let me know how it goes. Good luck with it.

¹ The BitDefender Rescue CD file is called "bitdefender-rescue-cd.iso." I didn't link to it directly so if other options appear on their site, you can see what they are.


Fake Antivirus Software Showing up on Legit Websites

For a while it seemed the fake antivirus software world was going to continue growing unchecked, but as pointed out by ZDNet's Ed Bott in his piece "Who killed the fake antivirus business?":

"The fake-antivirus business was a big money-maker in the first half of this year.

"Then, at the end of June, fake-AV products practically disappeared from the web.

"Was it technology, or does traditional law enforcement deserve the credit?"

Ironically, just two weeks after his piece, uTorrent (the company behind the legitimate BitTorrent client of the same name) saw their web servers hacked into and the legitimate uTorrent download replaced with fake antivirus software.

As it turns out, the server in question, according to the geek.com piece, was only online with the phony antivirus software/malware for an hour and 40 minutes, from 4:20AM 'til 6AM PST.

A response of under two hours to identify the breach and take the server offline, especially in the wee hours of the morning, is really quite good. (Unless, of course, you downloaded uTorrent in that block of time.)

Here's what one version of the Security Shield fake antivirus software looks like:

(Notice the bad grammar in the fake software's interface: "Protect your PC in new level.")

Matthew Humphries, the geek.com writer behind the story, goes on to say,
"uTorrent has now apologized and managed to get their servers back online after removing the rogue files.

"If nothing else this should act as a reminder to everyone to ensure any files you download from the Internet are scanned with a reputable security scanner before being run, as clearly you can’t trust legitimate sites all of the time."

I couldn't have said it better myself.

And that, my friends, is why antivirus software is a must.

Even huge companies like Sony have suffered major break-ins in recent months; Sony's entire PlayStation Network (PSN) was taken down for weeks as a result. So even when you're downloading software from a known, trusted source, who's to say their servers haven't been compromised?


Fake Security Software Scammers Nabbed by FBI

By now most of us have seen the scareware, fake antivirus software (like MacDefender), and other scams that play on people's fears.

In nearly all cases, the ads look like legitimate error messages from our computers; in one case it was a fake "hard drive failing" ad that was made to look like a real error message from Windows.


Whatever the case, and whatever they look like, there will be a few fewer of them now, since in no fewer than twelve countries (including the U.S. and the U.K.) the FBI and local law enforcement have raided and shut down one of these malware/scareware gangs.

The BBC has some details of the FBI raid on fake security software gang, but the FBI's own press release has even better info on how they disrupted international cyber crime rings distributing scareware.

Here are some of the best details,
"The first of the international criminal groups disrupted by Operation Trident Tribunal infected hundreds of thousands of computers [emphasis mine] with scareware and sold more than $72 million of the fake antivirus product over a period of three years.

"The scareware scheme used a variety of ruses to trick consumers into infecting their computers with the malicious scareware products, including web pages featuring fake computer scans.

"Once the scareware was downloaded, victims were notified that their computers were infected with a range of malicious software, such as viruses and Trojans and badgered into purchasing the fake antivirus software to resolve the non-existent problem at a cost of up to $129.

"An estimated 960,000 users were victimized by this scareware scheme, leading to $72 million in actual losses.

"Latvian authorities also executed seizure warrants for at least five bank accounts that were alleged to have been used to funnel profits to the scam’s leadership."

The most important part of this quote is, "The scareware scheme used a variety of ruses to trick consumers into infecting their computers with the malicious scareware products, including web pages featuring fake computer scans."

Which means the bottom line is that this is not a case where a worm or virus is spreading itself onto people's computers.

Instead this is an old-school con job. Plain and simple.

And, they were good at it, too, given that nearly a million people fell for it.

This type of malware is very, very, very difficult for regular antivirus software to detect, but it is one place where Internet Security Suites and "Premium" versions can offer an advantage.

The ISS/Premium versions typically include malicious website filtering/blocking, so if you try to go to one of the malware sites while you're running Internet Security Software, the Security Suite can often keep your PC from getting infected when someone tries to trick you into installing scamware.

No, website filters aren't perfect, but between the website filtering in an ISS and your web browser--assuming you're using a good, modern browser and its malicious site filters are turned on--you do at least stand a fighting chance.


Firefox Users Not Safe from Scareware

Just when you thought it was safe to surf the web with Firefox, the bad guys are at it again with a new "scareware" virus.

The news is out about a brand-new piece of malware that mimics a virus attack (sometimes called "rogue antivirus"), which then prompts you to hurry up and get the latest Windows update. But the catch is, you have to pay for it or else your PC is doomed to be destroyed (hence the "scare" tactic).

But of course, you shouldn't pay anybody anything for these scareware viruses. It's all just a scam to take your money.

We've seen plenty of scareware and rogue antivirus before, so what's different about this one? This one targets Firefox users specifically.

This is the first major red flag. Any legitimate Windows update can only be accessed through Microsoft Internet Explorer, or run in the background of Windows: a Windows prompt will never originate from Firefox like this scareware has.

The other tricky factor is that the scareware takes you to a Windows update page that looks amazingly like a real Windows update website.

It's easy for anyone to get scared into thinking their PC is about to crash and/or become highly infected, then start clicking buttons and paying someone (who you think is legitimately Microsoft in this case) in a hurry to save your computer.

How to protect yourself?

  1. First, don't panic when you see these doomsday warnings. Take a deep breath and look at the warning carefully. If the warning is completely blocking your ability to access any part of your PC, or completely interrupting all actions on your PC, it's probably scareware.

  2. If you click the warning button, and are taken to a new site to pay for the scareware "removal" or "update," examine the website URL carefully. The site may look very real and very legitimate (it's actually very easy to design a fake webpage of any kind). But look at the URL. Does it have "update.microsoft.com/" in there somewhere?

    Be careful though, some bad guys are very tricky and will put the word "microsoft" (or some other legitimate URL) somewhere in the URL string just to make it look real. Make sure the URL says "update.microsoft.com/".

    The important part is that the URL have the real address just before the first trailing slash (a real site may still have a bunch of stuff before the final ___.com/ string, but will always have the real URL before the first trailing slash).

  3. Finally, don't give anyone your money for these scare tactics. Microsoft won't ask you for any money for a simple update if you're already using Windows OS. And if you already own antivirus software, they won't demand any money to fix your problems.
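To make the URL check in step 2 concrete, here is an added example (my own code, not part of the original post) that does what the text describes: it takes the host name that sits between the scheme and the first slash and accepts it only if it is update.microsoft.com itself or a subdomain of it, so "microsoft" appearing somewhere else in the address does not count. The sample addresses are constructed for illustration, not real links.

```python
from urllib.parse import urlsplit

REAL_DOMAIN = "update.microsoft.com"


def host_of(url):
    """Return the lower-cased host name: the part after 'scheme://' and
    before the first slash.  A bare 'host/path' with no scheme is treated
    as http:// so that text copied from the address bar still works."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_real_update_site(url, real_domain=REAL_DOMAIN):
    """True only if the host IS real_domain or ends with '.' + real_domain.
    A look-alike such as update.microsoft.com.example.test fails because the
    real name is not at the END of the host; 'microsoft' in the path or in a
    hyphenated name fails because it is not the host at all."""
    host = host_of(url)
    return host == real_domain or host.endswith("." + real_domain)


# Constructed sample addresses.  True = looks like the genuine Windows
# Update site; False = do not trust it.
SAMPLES = [
    ("https://update.microsoft.com/windowsupdate/v6/default.aspx", True),
    ("http://www.update.microsoft.com/", True),            # subdomain: fine
    ("update.microsoft.com/", True),                       # typed without scheme
    ("http://update.microsoft.com.example.test/", False),  # real name is only a prefix
    ("http://example.test/update.microsoft.com/", False),  # real name is in the path
    ("http://update-microsoft.com/", False),               # hyphenated look-alike
]


def classify(samples=SAMPLES):
    """Return (url, host, verdict) for each sample so results can be checked."""
    return [(url, host_of(url), is_real_update_site(url)) for url, _ in samples]


if __name__ == "__main__":
    for url, host, ok in classify():
        print(f"{'OK     ' if ok else 'SUSPECT'}  host={host:36}  {url}")
```

The same two functions work for any other site you want to verify: pass its real domain as real_domain.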

The bottom line is, Firefox users need to be just as careful as Internet Explorer users. The bad guys may not target you as often, but you're still at risk.

Be careful what you click, and make sure your antivirus software is up to date.


MacShield the Same (Trojan) Horse by a Different Name

MacDefender is now showing up with yet another name, "MacShield."

Not much else to say. It's as bogus as ever and brings the total number of aliases it shows up as to five, including:

  • MacDefender
  • MacProtector
  • MacSecurity
  • MacGuard
  • MacShield

Just more crapware to keep an eye out for. We'd love to hear from anyone who has spotted these things in the wild so we can do a proper investigation on them.

We're specifically looking for more screenshots of the ads of these things and also of what websites we can download them from.

So far it looks like the same-old-same-old:


MacDefender Screenshots... So Here's What it Looks Like

Joel Esler, one of the members of the Snort.org project, has excellent coverage of MacDefender and its variants. It's from May, but I just came across it today, and it's so good it's worth sharing.

There have been a couple of different variations on the infection method that MacDefender uses, which I've shown in previous blogs on MacDefender removal and on MacDefender spreading on Facebook.

Joel's wrap-up to the piece is great and worth reading. To paraphrase:
  1. Buy software from reputable places you go to.
  2. Buying software from a popup window just isn't smart.
  3. Educate yourself on what's out there and how to tell.

Think the last one is hard? Consider this:

If you were walking down the Las Vegas strip, you'd know a conman from a mile away! When some huckster approaches you with his wares, you get leery--you know better than to deal with them.


You've educated yourself.


Apple's MacDefender Tool: Quickly Circumvented, Now Regains Upper Hand

The ongoing battle between the OS X anti-malware team and the MacDefender malware creators has taken some interesting turns this week.

Apparently about eight hours after the anti-MacDefender update (which I talked about in yesterday's blog on MacDefender removal) was released, the bad guys regained the upper hand.

CNet has some great coverage by Topher Kessler who says,

"Let the cat and mouse games commence.

"Less than a day after Apple tackled the malware threats in OS X with an updated implementation of its malware detection technologies, the MacDefender malware developers have issued another variant that bypasses Apple's definitions to root out and remove the malware."


Then, earlier today (June 6, 2010), there was this update from CNet:

"The cat is back in the lead.

"Apple has updated Snow Leopard's XProtect yet again to tackle the new variant, and did so in less than a day after the original update was circumvented.

"Apple is taking a very active approach to prevent this malware from being a problem for people."

Apple definitely took a bit of a pounding publicly after having taken so long to respond to the MacDefender threat initially. Now though, it looks like they're showing their willingness to take on the Mac malware creators head-on.

Regardless of how effective this strategy is long term, every step they take now will make things more secure and close more and more holes in their operating system.

And, for that Mac owners should be grateful.

Does it eliminate the need for Mac antivirus software?

I don't believe so.

It's clear Windows malware is lucrative--very lucrative--or else the Windows malware writers would've given up long ago.

And, what the MacDefender creators appear to have shown is that the Apple OS X system, while good, does have holes. How hard they are to find, how far the bad guys are willing to go to find them, and how lucrative it is for them to do so all remain to be seen.

The question is: Will Apple's virus situation become as bad as Windows?


Mac Malware Removal: No Help from Apple Support

Even though our focus (at least for now) is on Windows antivirus software and malware removal, we've had a few people contact us asking about the malware known as Mac Defender¹ (previously discussed in our blog on Mac antivirus software).

Here's the short version: it does not automatically install itself onto your Mac. It does require you to manually install it to be infected. And, the main way it's getting installed is when people are tricked into installing it.

How do you get rid of it?

Well, apparently, even though it's not that hard, you can't turn to Apple Support for help, as according to ZDNet there's No Help from Apple Support Reps Removing Mac Defender, although there is now an official Apple help article on Removing Mac Defender.

Although we've not tested the removal steps ourselves, given that the removal instructions come from Apple itself, you can be sure they work and are legit.

And, yes, all the top Mac antivirus software is already detecting and removing the malware.

¹ MacDefender is known alternately as MacSecurity or MacProtector.


What about Mac Antivirus Software?

Oooh, is there ever a debate around this topic.

I'm of the opinion that the time has come for those of us who run Macs--or those of us that run both Mac and Windows--to pull our collective head out of the sand and start looking at Mac antivirus software.

In case you've not heard about it, the latest Mac malware (this one is a trojan) is known already by three different names:

  1. Mac Defender
  2. Mac Protector
  3. Mac Security

No matter its moniker, it's 100% bull.

Adrian Kingsley-Hughes, writing for ZDNet, talks about both the Mac Defender trojan and the state of denial that most Mac users are in about Apple antivirus software, viruses and malware in his great piece there.

Sure, there's the problem of actual viruses that sneak their way uninvited onto your system. This has long been one of the problems Windows users have suffered and those in the Mac camp have been largely unaffected by.

He hits it out of the park in describing exactly what the other problem is. (And this is why Mac antivirus software is a good idea.)

"The threats posed by the bad guys are also different. Very different.

"Rather than rely on viruses which spread by using system vulnerabilities, the bad guys have turned to the Trojan.

"This is malware disguised as something desirable - a game, a software utility, a porn video - and it relies on the user choosing to install it onto their system.

"It’s hard to protect against this kind of stuff because the user chooses to override the operating system’s desire to be cautious when it comes to installing stuff.

"Getting people to install their own malware has been a popular trick used against Windows users for some time now, and there’s no reason to think that the same trick wouldn’t work against the modern Mac users, especially given how many of them were Windows users not long ago."

What it boils down to is social engineering more than software engineering. Why bother to try to trick the computer into doing something it shouldn't when it's much easier to trick the person into doing something he or she shouldn't?

Think no one is that naive? How come so many folks fall for the Nigeria 419 scams and wire their hard-earned money off to Nigeria and other lands far and wide?

What are we doing about it? We've begun taking our expertise in testing antivirus software for Windows and putting it to work on the Mac.

So, if you're a Mac owner (or have family members, friends, etc., who are), keep an eye on our blog, follow us on Twitter (@pcantivirus), or Like us on Facebook. We've got a lot in store right around the corner.