Overclock.net › Forums › Software, Programming and Coding › Networking & Security › Spoof anti-virus software

Spoof anti-virus software

post #1 of 92
Thread Starter 
Hey guys,

I work for a small PC repair shop dealing with new builds, upgrades, hardware and software diagnostics and troubleshooting.

In the last year or so we have been getting slammed with PCs infected with spoof anti-virus software (System Tool variants, Trojan Fake Alerts, WinAnti-virus etc.) and it's driving me crazy trying to track where this stuff is coming from.

Now, I'm all for taking people's money to remove this stuff, and can remove it with ease most of the time (some exceptions with Windows Vista machines, but that's another story), but these people (esp. repeat customers) understandably want to know where it is coming from and why their anti-virus isn't stopping it.

Norton, McAfee, AVG, Security Essentials, Webroot... all the same, this stuff gets around them and starts causing trouble.

Thing is, if I plug their hard drive into my work PC, Security Essentials grabs this crap almost immediately and removes it.

My question is this: what is going on with these machines that this stuff is bypassing their anti-virus software and being allowed to run, yet on my machine SE grabs it and deals with it with no problems?

I have set up a VM running Windows XP Pro with all the tools we would install on a fresh Windows install (security updates, Flash, Java, newest version of IE and Security Essentials) and for the life of me I can not get it infected with anything, yet these people get this stuff daily.

I understand the cases where they never update their AV, or let it expire (Norton, McAfee), but what about the machines with Security Essentials that I can see has been scanning daily and is up to date, yet the machine is still infected?

I understand that it can come in with illegal software, music, movies etc., and I explain this to people whose machines have Frostwire, Bearshare or some other P2P client installed, and that a lot of "adult" sites aren't always honest about their content. I know some Flash content can install this crap, but why isn't the AV catching any of it, yet I plug the drive into a machine running the same version of Security Essentials and it catches it right away?

Doesn't seem to matter what the host OS is either: Windows XP Home/Pro, Windows Vista x32 or x64 or even Windows 7 x32 / x64.

Like I said, I can remove it without issue, but why isn't it being prevented in the first place?

Anyone with any info on the subject? Someone know any tricks?

Thanks guys, sorry for the long post, just trying to give as much info as I can.
post #2 of 92
From my previous job (PC tech at a small computer shop): this virus has been around since 2008, I just cleaned it off of someone's machine this morning, and it's getting worse.

Now the stupid virus makes the pop-ups stay on top of everything else, and it also infects IE8 and interrupts its safe browsing plugin and makes it block you from going to any sites.

I was not even able to log in to the domain since it got so bad.

This virus has so many variants and different faces.


In regards to "virus scan run and updated, but computer still infected":

A virus like this changes very often, and it's hard to make signatures to capture something like this when it's running on the same OS as the scanner. (It hides.)

Why is it bypassing the scanner?

A virus like this tends to come straight at the user... and with Vista and Seven, UAC has become more of a hindrance than a helper.

People get used to that beep and the Continue button and then just click away and never read what is actually happening.

With XP, well, it's older, and most of the time I have seen it attack the AV first and then just walk in.

The computer above had Avast Pro running on it. (I don't know if the web filter was working and was bypassed by the user or not.)

Damn virus was still all over the computer.



My assumptions are simplistic and I have found them to be 90% true:

Average computer users are not computer savvy enough to navigate past the issues that lead them to encounter said virus...

They click on pop-ups, or in some cases (and I have seen this):

They click the X to close the window on a pop-up and that initiates a download of said virus.

They click on this virus and sometimes even pay for the product, which may lead to identity theft or loss of funds in their account.

They continue to download questionable material and bypass warnings given to them by their anti-virus program.

They only run an anti-virus program, or they run inferior virus programs that have been proven to be vulnerable to said virus.

They run IE -_-

Ideally, to protect themselves best, they should have an anti-virus, an anti-spyware (manual scanner), anything other than IE, and just common sense.

I remember when I had repeat customers with this same virus. We even had one accuse us of reinfecting the machine on purpose to make a profit.

I turned on his computer at the front desk.

I launched Malwarebytes (which we installed). I checked to see the last time he updated the database... found that he never did (same date as the day the machine last left our shop). I found he never even ran a scan with it.

Now I know people cannot be expected to do things on their own... even after I walk them through it before they leave and ask them "do you understand?"

My basic speech...

I understand that some of this may sound above your head or may be difficult to learn. I know that you cannot be expected to understand computers completely. I try not to talk down to people, and when they say that they are stupid or they are just not good enough for this computer stuff and praise me, I tell them:

"Hey, I am sure there are a multitude of things that you have a greater understanding of in your field of work. This is my job and my passion, I am here to help you with this issue."

That usually makes them pay attention a little more.

Anyway, getting back to the long post here...

After I walk them through how to use the malware scanner/anti-virus and how to properly close a pop-up, I point them to this text document I put on their desktop:

"Do This At Least Twice a Month"

It basically walks them through how to do all I just taught them in detail.

As far as this virus is concerned, I effin hate this virus!

It continues to become an annoyance and it just gets worse and worse, to the point that in some instances I cannot even boot into safe mode without a blue screen.

I know I have been out of the profession for over a year now, but I felt like this was related since I just cleaned this virus off a computer this morning, less than 40 minutes ago (Combofix did it! -_-).

Anyway, to be simple:

This virus occurs due to user error.

They are clicking on pop-ups that then download something,

or they install bad programs or download bad music.

Bad meaning infected.

There are two things that hold true in the computer world:

How to make a computer never die:
Never use it.

How to keep your computer virus free:
Never put it on the internet and never put in external media.

Not likely to happen anytime soon.

Good luck. Hope I was useless(ful).
Edited by NitroNarcosis - 4/1/11 at 9:56am
post #3 of 92
That's a good question. It seems most FK-AV programs can easily sneak through most well known anti-virus programs. Malwarebytes Pro (by far the best anti-virus on the market) is the only one I've seen snag them up with ease (along with SE sometimes).
It def comes in as a trojan and downloads in friends. It's good at making the anti-virus think it's a legit program, and that is why so many AV programs fail.
It can also disable the user's AV without the user knowing (alerts showing disabled protection blocked).
I am referring to "it" as the common fake anti-virus programs out there.
post #4 of 92
My advice? Offer to install Malwarebytes Pro on their PC and enable a weekly quick scan and daily updates.
They will never see a virus again.
post #5 of 92
Some people simply don't know enough; they click on advertisements and allow pop-ups, and I'm sure if they do download illegal content, somewhere in the description it will say "to install, simply turn off your AV, we can assure you this isn't a virus, your AV will just detect it as one".
Also, most people (most meaning people I know) think running an AV scan once will keep their system safe; they don't even scan files once downloaded, update definitions or clean their systems, so getting infected is easier.
I remember when I had MSE, it turned off when I was playing a game and I saw this fake AV scanning my PC. Sometimes the AV turns off for some reason and even Windows Firewall doesn't launch when the system is booted.

The only thing to do to stop this is to install good programs such as Malwarebytes and MSE/AVG and inform them about the importance of doing so. Also recommend regularly updating the system, or setting automatic updates, and installing ad blockers on browsers. Simple steps can ensure system safety.

Before I knew so much about computers, I got infected a lot; after doing a bit of research, I realised simple steps can be taken to ensure my safety.

Stupidity increases the chance of infection: keep away from suspicious sites, don't click ads, don't download from "warez" sites, illegal downloads are usually unsafe.
Edited by trojan92 - 4/1/11 at 10:10am
post #6 of 92
I've been getting lots of PCs with these rogue/fake security software too. I'm not complaining, as it's money in my pocket. People need to be more careful when browsing the internet; I myself have never had any on my comp. I recommend Malwarebytes full version.
post #7 of 92
MBAM / Process Explorer works great for finding and killing fake AVs.
post #8 of 92
It's good to know that even after over a year out of the repair business...

Malwarebytes is still kicking serious ***
post #9 of 92
The first thing that these scripts do is alter the permissions in Services, as well as disable your AV and Windows Updates. That is why AVs don't detect it.
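The checks a technician would run to verify the claim in post #9 on a customer's machine, as an added example that is not from any poster in this thread: a PowerShell script for an elevated prompt on Vista/7 that reports the state of the services a rogue AV typically stops, flags tampered permissions on their Services registry keys, reads Security Center's view of the installed AV, and shows when Windows Update last succeeded. The service names watched, the root\SecurityCenter2 namespace (root\SecurityCenter on XP) and the productState decoding are assumptions, marked in the comments.

```powershell
# Added example, not from the thread. Run as Administrator on Vista / 7.
# Assumption: these are the services a rogue AV tends to stop (Windows Update,
# Security Center, Windows Firewall, Security Essentials engine, Defender).
$watch = 'wuauserv', 'wscsvc', 'MpsSvc', 'MsMpSvc', 'WinDefend'

foreach ($name in $watch) {
    $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
    if (-not $svc) { Write-Output ("{0,-10} not installed" -f $name); continue }
    $flag = if ($svc.State -ne 'Running' -or $svc.StartMode -eq 'Disabled') { '<-- CHECK' } else { '' }
    Write-Output ("{0,-10} state={1,-8} start={2,-9} {3}" -f $name, $svc.State, $svc.StartMode, $flag)

    # Post #9 says the Services permissions get altered. A Deny entry, or no
    # FullControl for Administrators on the service's key, points at tampering.
    $acl   = Get-Acl "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    $deny  = $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }
    $admin = $acl.Access | Where-Object {
        $_.IdentityReference -like '*\Administrators' -and $_.RegistryRights -match 'FullControl'
    }
    if ($deny -or -not $admin) { Write-Output ("{0,-10} service key ACL looks tampered" -f $name) }
}

# What Security Center reports for the registered AV. productState is an
# undocumented bitmask; reading hex digits 3-4 as "enabled" and 5-6 as
# "definitions stale" is the commonly used interpretation, not an official one.
$ns = 'root\SecurityCenter2'   # assumption: Vista or later; XP uses root\SecurityCenter
Get-WmiObject -Namespace $ns -Class AntiVirusProduct -ErrorAction SilentlyContinue | ForEach-Object {
    $hex     = ([Convert]::ToString([int]$_.productState, 16)).PadLeft(6, '0')
    $enabled = ($hex.Substring(2, 2) -eq '10') -or ($hex.Substring(2, 2) -eq '11')
    $stale   = $hex.Substring(4, 2) -ne '00'
    Write-Output ("AV: {0} enabled={1} definitionsStale={2}" -f $_.displayName, $enabled, $stale)
}

# When Windows Update last installed anything, and whether automatic updates
# were switched off by policy (a setting that keeps the machine unpatched).
$res  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install'
$last = (Get-ItemProperty -Path $res -ErrorAction SilentlyContinue).LastSuccessTime
if (-not $last) { $last = 'never / unknown' }
Write-Output ("Windows Update last success: {0}" -f $last)
$au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
if ($au -and $au.NoAutoUpdate -eq 1) { Write-Output 'Automatic updates are DISABLED by policy <-- CHECK' }
```

Any CHECK line, a tampered ACL, or an AV that Security Center reports as disabled or stale tells you the protection was switched off before the infection took hold, rather than simply missed by signatures.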
post #10 of 92
Are you positive they aren't hiding and just resurface after you clean them?
It's also different when you plug their HDD in and clean it, because the *ware can be intertwined with the OS files, and can interfere with the AV.

Tell these people to stop clicking on crap, and punching the monkey. Or just be satisfied that they are idiots, and keep taking their money.

Know what they say, 'fool me once, shame on you. fool me twice, shame on me.'