uart

Problem with Rogue "AntiVirus" products.


In the past few weeks I've had three separate instances where websites have redirected me to rogue AV type sites! You may have seen these before, they pretend to make a scan of your computer and tell you that you've got loads of trojans and viruses etc. They then try to persuade you to download their very own malware-riddled piece of junk rogue security software. It's not like I'm worried about being fooled by them, they're laughable, but they really irritate me and they seem to be on the rise.

BTW, I'm about as close to 100% certain as I can be that I have no malware on my computer. These instances have not been caused by existing malware on my computer making them pop up. Each instance has occurred when researching a topic on Google and opening up dozens of web pages (some of them no doubt dubious). So each time it's happened I've had so many darn pages loaded that I wasn't sure which one was the rogue one that redirected me to the bad site with the attempted malware infection.

I was just wondering if anyone else had come across similar rogue sites while "googling" random topics lately?


I've had to clean up a few on customers' PCs. From what I've found they are mostly hosted as ads within popular websites.

Since I browse with FF w/NoScript and NoAd add-ins I don't see them... (plus the fact I don't run Windows, it'll be a bit hard for my personal PC to get infected).

Hi Chewy. Yeah, I've had a friend who's been infected with this stuff several times. I think in some cases they may get a trojan first which then auto downloads/installs this crap. It's always frustrating because their kids never ever own up to anything so it's nearly impossible to get to the root cause of why they got infected.

I was actually glad to see it the first time I got redirected to a site that tried to infect me, because it gave me a chance to see first hand what causes people to d/l this rubbish.

Basically it goes like this. I'm googling info on some topic and opening literally dozens of browser windows from whatever random websites that result. After a while I get one of the browser windows (typically after a redirection) doing what appears to be a virus scan but what is in fact just a crude animation. It shows an "explorer like" window and a list of files being scanned etc, but the info doesn't match my actual drive letters or any real file info, so although it looks scary at first sight (as though something has really got in and is running without any permission to install or run) it's actually no more threatening than any old animated advert at this stage.

It then tells you lots of scary stuff like how many viruses and trojans it's found and that "someone is trying to steal passwords and banking details from your computer" etc. It's important to realize that at this stage you haven't actually been infected yet; really all that's happened so far is that you've been subject to a very annoying animated advert. Of course it then offers to "fix these problems", which leads to a prompt to download their "fix it" software, which is when you actually get infected (if you are gullible enough to do so).

I'm pretty confident of my security so I did actually download their rogue installer, just to see if my AV could pick it up. (With this type of thing I normally just save it to HD and rename it from whatevername.exe to whatevername.ex~ and put it in my _quarantine folder.) Interestingly my AV with latest updates didn't pick it up straight away! It was actually about two days later when my AV first got the update that let it recognize it, reporting something like: "Infection found: ..\_quarantine\whatevername.ex~ -> rogue installer". A good lesson in why you can't rely too much on signature based virus protection these days when installers like this can basically be morphed in real time on a download per download basis!

Edited by uart

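An added example (not code from this thread) of the signature-lag point uart makes above: three constructed copies of a make-believe rogue installer that differ only in junk bytes defeat an exact-hash signature, while a content pattern on the part the morphing has to leave alone still catches all of them. STABLE_MARKER, make_variant and the regex are stand-ins I made up for illustration, not a real sample or a real vendor signature.

```python
import hashlib
import re

# Constructed stand-in for the text a rogue installer must keep so its
# social engineering still works. Not taken from any real sample.
STABLE_MARKER = b"Download the fix to remove 38 threats now!"


def make_variant(seed: int) -> bytes:
    """Model per-download morphing: same payload, different junk around it."""
    junk = hashlib.sha256(f"variant-{seed}".encode()).digest()
    return b"MZ" + junk + b"\x00" * (seed % 7) + STABLE_MARKER + junk[::-1]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_signature_hits(sample: bytes, known_hashes: set) -> bool:
    """Exact-hash signature: only fires on a byte-identical file."""
    return sha256_hex(sample) in known_hashes


# YARA-style content pattern (constructed): tolerant of the junk bytes,
# anchored on the wording the lure cannot drop without losing its effect.
PATTERN = re.compile(rb"remove \d+ threats now", re.IGNORECASE)


def pattern_signature_hits(sample: bytes) -> bool:
    """Content-pattern signature: matches whatever the morphing leaves alone."""
    return PATTERN.search(sample) is not None


def compare(n_variants: int = 3) -> dict:
    """Count how many morphed downloads each signature style catches."""
    variants = [make_variant(i) for i in range(n_variants)]
    known = {sha256_hex(variants[0])}  # the single copy a vendor received
    return {
        "distinct_hashes": len({sha256_hex(v) for v in variants}),
        "hash_hits": sum(hash_signature_hits(v, known) for v in variants),
        "pattern_hits": sum(pattern_signature_hits(v) for v in variants),
    }


if __name__ == "__main__":
    print(compare())  # every download hashes differently; only one is caught by hash
```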

These things can come via malware on your machine, via exploits in the browser, or plain and simple pop-ups. The guys behind the fake AV software pay bounties to those who can get them installed on machines, so you've got multiple vectors to get it onto your machine.

As you say, they may be laughable, but there are so many because a lot of people get suckered by it. Worse yet, people pay $39 or $59 for something which does nothing more than some animation and keeps real protection off their machine.

A funny and scary example of this was someone in the Windows 7 beta forums asking if Antivirus XP (a fake AV program) was going to be Windows 7 compatible.
