Friday, March 22, 2013

Perilous virus scanners

Hackers and web fraudsters make a killing with the help of spurious anti-virus programs. And distinguishing these from the real ones can be very tricky.

BY CLAUDIO MÜLLER
The desktop suddenly turns black, security warnings flash up and an unknown virus scanner offers itself as the solution to the problem: this is often how the attacks of cyber gangsters begin. Most of the time the invader uses fake anti-virus programs (rogueware or fake antivirus), which tempt us with virus messages into purchasing an expensive full version. This trick has worked like magic for millions: this year alone, McAfee has put the total damage at over $300 million worldwide. We show how to trace rogueware and how to get rid of it.

An updated security suite is of utmost importance, since every month thousands of new rogueware samples and millions of such websites appear on the Internet, and the trend is rising briskly. Fake antivirus programs can be categorised into hundreds of families, of which only a handful are well known.
Identification: Obtrusive pop-ups
Rogueware spreads through primed websites. These exploit security loopholes in the browser or in plug-ins like Flash Player and introduce malware via drive-by download, or they ask the user to download fake video codecs which contain malicious code.
If a fake scanner is installed on your PC, you can identify it from the symptoms. The most obvious are obtrusive pop-ups reporting apparent virus infections, followed by requests to purchase the full version. Close this window from Task Manager, because even clicking 'Cancel' can open a perilous website or download further malware. A few variants display security-risk warnings or firewall warnings in the taskbar and change the desktop wallpaper or screensaver. Moreover, rogueware "scans" the computer much faster than an authentic virus scanner and displays unrealistic results.
Rogueware very rarely attacks alone. Once the attacker has access to the computer, they can add further malware. Mostly these fake antiviruses are accompanied by trojans that spy on the computer and forward user data through a backdoor, or that install programs such as keyloggers. A worm subsequently connects the infected computer to a botnet, so the user unknowingly contributes to spreading the rogueware. Nowadays extortion tools (ransomware) have also started arriving along with fake antiviruses.
The various symptoms pester the user until he or she eventually visits the website of the fake antivirus. The attackers also spread links to these sites through spam mails and over social networking websites such as Facebook and Twitter; the promoted programs can often be recognised by the cryptic web addresses in such mails. If you wish to install new virus protection, you should always visit the website of the antivirus developer directly, because even a Google search is not safe: it is the second most popular way of spreading such programs. The hackers exploit the latest topics, and also specific search queries related to virus protection, to get their sites listed right at the top of the search results. Most of the time these sites do not contain any malicious code themselves but automatically redirect the user to a website which then infects the computer.
At first glance the professionally designed websites of rogueware developers look impressively authentic, for instance with fictitious test results and high discounts. Some of them even feature a working telephone and email helpline. The promoted programs cost anything between Rs 1,845 and Rs 6,000, and the price alone should already make you suspicious. As a rule, you should stay away from programs that scan the computer for free but require a paid full version to remove the viruses. And in any case you should never reveal your credit card details on such websites.
If you have installed an updated security suite, however, it should be able to prevent every rogueware attack. If an attacker nevertheless manages to slip in, for instance while the virus scanner was not up to date, it is quite possible that the fake antivirus blocks your security suite. You will then no longer be able to download updates or even start your virus scanner. In such a case you should try a malware removal tool from another manufacturer (for instance Kaspersky Virus Removal Tool).
Removal: Often only with detours
If none of the above tips help, you must remove the worm manually. First of all, check your PC with the online scanner of an antivirus developer. You will then be able to see which rogueware has infected the computer; thereafter, with the help of support sites such as removeIt.info, you can find out which process you should end and which registry entries need to be deleted. This way you can restore the system to a state in which an updated virus scanner is able to remove the remaining traces of the rogueware.
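As an added illustration that is not part of the original article, the following PowerShell script lists the autostart registry entries the removal step refers to and flags those whose program is unsigned or launched from a user-writable folder. The set of "suspicious" folders and the flagging rule are assumptions made for this example; removing an entry remains a manual decision after checking it against a support site.

```powershell
# Added example: triage Windows autostart (Run) registry entries for rogueware
# persistence. Not from the original article. Assumption: a binary that lacks a
# valid Authenticode signature or lives in a temp/profile folder deserves a closer
# look; this is a triage aid, not a verdict.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# Folders rogueware commonly drops itself into (assumed list for this example)
$suspiciousRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData)

function Get-ExePath([string]$command) {
    # Strip quotes and arguments:  "C:\x\y.exe" /flag  ->  C:\x\y.exe
    if ($command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($command -split '\s+')[0]
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # Skip the PS* metadata properties that Get-ItemProperty adds to every object
    foreach ($name in ($props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' })) {
        $cmd = [string]$props.$name
        $exe = Get-ExePath $cmd
        $sig = if (Test-Path $exe) { (Get-AuthenticodeSignature $exe).Status } else { 'FileMissing' }
        $inSuspiciousDir = $suspiciousRoots |
            Where-Object { $_ -and $exe.StartsWith($_, 'OrdinalIgnoreCase') }
        [pscustomobject]@{
            Key       = $key
            Name      = $name
            Path      = $exe
            Signature = $sig
            Flag      = ($sig -ne 'Valid') -or [bool]$inSuspiciousDir
        }
    }
}

# Show everything, flagged entries first; deciding what to delete stays manual
$findings | Sort-Object Flag -Descending | Format-Table -AutoSize

# For an entry confirmed as rogue, end its process and remove the autostart value:
#   Stop-Process -Name <exe name without .exe> -Force
#   Remove-ItemProperty -Path <Key> -Name <Name>
```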
