In-Depth

Who's Afraid of Scareware?

Are you? Bogus pop-ups that hide crippling malware can bring networks to their knees. Here are some methods to stop scareware and fix the damages that it inflicts.

• By Doug Barney
• 02/01/2009

If you're a seasoned IT professional, you bypass the warning, impressive as it might seem, and smartly use the system tray to shut it down.

But your end users, friends, kids or spouse may not be so savvy. One click on this demon in disguise, which is actually a Web page, and you could run head-first into a shockingly bad virus, malware or spyware.

These pop-ups can trick you into buying unneeded software, steal personal data and passwords, and block updates and access to anti-virus Web sites. Welcome to the wonderful world of rogue security software, also known as scareware.

Pop-ups can appear randomly out of legitimate Web sites and are placed there with permission or sometimes through injection attacks. Despite recent crackdowns, scareware can be advertised even through credible entities such as Google Inc.'s search engine.

Scareware can hit users who thought they did all the right things. Asif Mirza, IT manager at InCube Labs LLC, had an employee infected, even though Symantec Corp.'s Norton AntiVirus was already installed. In this case "Vista AntiVirus 2008" did the dirty deed. The pop-up says you need to download the anti-virus tool because you're already infected. The truly cunning part? The warning dialog looks like any other Windows dialogue.

Mirza's answer to the user? "Boot from the XP CD, stay away from questionable Web sites and do not click on links that promise to clean your PC." Mirza also now uses Symantec Endpoint Security, which prevents users from going to malicious sites like Vista AntiVirus 2008.

Scareware Horrors
Scareware can attack at home and in the office. "I'm an IT pro, have been for 30 years," says Harry Rife from Holt, Calif. "We've had 15-plus machines get the 'AntiVirus 2008' or variant thereof since Aug. 1, 2008, and at least that many employees' personal home machines, which earned me some extra pocket money. But my own personal machines at home also got it thanks to one of my daughters. Before I found a great tool for removal, I spent days trying to clean them up.

"In fact," Rife continues, "on the one my daughter was responsible for, I had accidentally deleted some files in the Windows folder. From that point on, it prevented me from logging back into the machine, period. I had to change hard drives and make the original C drive the D to be able to back up the 75GB of stuff she had on it. Another week of restoring and reinstalling and she was back up and going. Lawsuit is not punishment enough. They should be tarred and feathered," Rife says.

Andre Sourdiffe, with Fisk Reed & Love, P.C. in Bennington, Vt., came across some bogus anti-spyware. "The pop-up reads, in bold letters on the title bar, 'Microsoft Security Warning.' In the window itself in bold print, 'AntiVirus 2009 Web Scanner detected dangerous spyware on your system!' It then lists the supposed infections, Spyware.IEMonster.b, Zlob.PornAdvertiser.Xplisit and Trojan.InfoStealer.Banker.s," Sourdiffe explains. "There are two buttons, Remove All and Ignore. Just clicking on the red 'X' doesn't prevent the download dialog from appearing. It offers the file A9installer_77011811.exe and, most helpful of all, the site that the file will be downloaded from, onlinescannersite9.com."

Being an IT type, Sourdiffe didn't fall for the ruse. But a customer of his did fall for it. "The bogus software has an uninstall option in the All Programs folder it gets installed to, but it doesn't really remove it. It stopped the constant warnings and pop-ups until the computer was restarted. Then, the uninstall option was no longer there and the pop-ups continued," he says. The client's Avast! anti-virus software, from ALWIL Software A.S., "detected only one of the files the software installed as malware." Sourdiffe was able to remove the infection with Malwarebytes Corp.'s Malwarebytes software.
Why do users fall for this stuff? Not only do the pop-ups and Web sites they link to seem legitimate, but they're treated as credible by many search engines. In Sourdiffe's case, the pop-up appeared while a user was playing tunes on his media player.

"What really surprised me," Sourdiffe says, "was that this site not only showed up as an advertisement on the site Windows Media Player was pointed to, but was a sponsored site on Google and Yahoo! and probably other search engines. I'm truly amazed that these search sites don't screen their advertisers better than this. This particular scammer will scan your computer and find all these things wrong and then tell you that you need to buy this software in order to clean your computer."

Google is cracking down on malware, although some of it still slips under the radar. A healthy debate still rages about whether the search engine giant is doing enough.

A Pound of Prevention
Sometimes security software, especially anti-spyware, can prevent, or at least remedy, the problem. But hackers know the state of security software and invent new attacks that protective software can't always recognize. That's where basic security precautions come in. It must be understood that first and foremost, scareware-based malware is installed code. Not giving end-users -- or friends, kids and spouses -- admin rights can go a long way toward preventing these attacks.

What works in the home may also work in the office regarding locking-down rights.

"If you maintain PCs for friends or family, you'd do them a huge favor if you set up multiple accounts in Windows, with the accounts that access the Internet with limited privileges," says reader Joe Elliot, a consulting IT architect with Nationwide Insurance. "For adults, provide them with clear instructions that the only time they can log into an administrative account is to install well-known software. I haven't had a single virus for years on a family computer actively used by four different accounts."

Other IT pros agree. "People should not be surfing the Web using an account with admin privileges," says reader Stephen Snyder, a systems administrator in Herndon, Va. "That means setting up the PC with an administrator's account and a limited-user account, and doing all of your normal work with that limited-user account. Of course, how many people not in the IT field would know about this?"

After coming face-to-face with "AntiVirus 2009 Web Scanner," Sourdiffe and company took even more serious measures. "On our site, we're using OpenDNS, and I have the option of blocking specific sites. I blocked the onlinescannersite9.com site, so no matter where it might be found on the Web, our office won't even have access to the link. I immediately warned everyone in our office of the occurrence and posted the screen shots of the software in action," he says.

Bleeping Computer LLC's anti-spyware download is a big help, according to Sourdiffe and others. You can download it at www.bleepingcomputer.com.

The Vista Answer
Some praise Windows Vista, with its more disciplined approach to user rights and code installation, as an effective anti-scareware measure.

"I'm a system admin responsible for over 40 Vista machines," says reader Ken Wirz, a network administrator at Delta Dental of Ohio. "I've had Vista deployed since March 2007 with User Access Control enabled. The users don't have administrator rights to their box. I haven't had a single virus or malware incident reported by my users or by Symantec anti-virus. Put me down as one admin that loves it because the users can't mess it up."

A Remedy Is All I Need
Because it's usually activated by a Web page masquerading as a security alert, scareware is often impervious to anti-virus software, as Earl Nittskoff discovered. "A client had pop-ups for Power AntiVirus 2009 bombarding her computer and telling her it was infected. McAfee Inc.'s anti-virus program found no viruses. She spent hours talking to tech support at McAfee with no positive results. McAfee tech support also sent manual removal instructions, which also did not work," Nittskoff, with V V E Computer Consulting in South Euclid, Ohio, explains.

"She called me. I assumed this was a variant of other similar problems and brought some removal tools like SmitFraud. I was wrong. None of these tools found any malware. I searched the Web for removal advice. Everything I found was similar to the efforts my client had already tried," he continues.

"I identified and stopped the offending process in Task Manager. The process was pwa.exe. Then I looked in the Programs Startup folder, MSCONFIG Startup tab and MSCONFIG Services tab to discover how the program started. It was in the MSCONFIG Startup tab. I renamed the C:\Program Files\PWA\pwa.exe file to C:\Program Files\PWA\pwa.fyf and unchecked the startup line. I restarted the computer. Problem solved," Nittskoff concludes.

Sometimes scareware has an easy fix; other times it requires more drastic measures. Jeff Ellis, owner of Nurtell Computer Doctor, has seen both sides. "I service computers at home. When they have good backups of data or don't care about losing files, I just reload the operating system software. For one of the first clients who really wanted to try and save their pictures, I spent four hours getting rid of this annoying bogus malware," says reader Ellis.

Bill Cooper, vintner at Cooper-Garrod Estate Vineyards in Saratoga, Calif., found his daughter's computer struck by scareware. "I used Symantec's eradication instructions, but it took days of effort, and I learned more about the registry than I wanted to know."

Often the only recourse is to rebuild.

"Our HR manager brought in his home laptop and he swore he only used it to visit the Georgia Bulldog Web site," recounts Buzz Hopper, a network administrator in Ohio. "The laptop had been taken over by one of those Your-PC-Is-Infected scams.

"It's infected all right," Hopper continues. "I'm at the point now where the only recourse is to erase the hard drive. I hope there will be teeth in whatever is done to go after these companies."

Chris Riley has an even more horrific tale to tell. "I've had to reload three different computers at three different sites in the last two days. All were infected with a new version of AntiVirus2009: Pandora Software. I tried four of the standard removal and anti-malware programs to no avail on the first two machines. After spending an hour with no positive results, I decided that wiping the disk and reloading the OS was more productive than wasting time trying to remove the malware. Luckily, all three of these client computers were loaded thin and nothing pertaining to the business was lost. Granted, the users lost stuff that was only saved to the local machine, and all three users never really followed company guidelines on saving all items to their supplied folder on the server for backup. Maybe some day they'll start following guidelines, but I'm not going to hold my breath."

Sometimes, fortunately, a restart will do the trick. "I had a machine last year with this problem," reports reader Jason Strack. "A user was clicking on the supposed 'problem' messages. I think Centurion, from Centurion Technologies Inc., or some other type of freezing software that puts the computer back to a clean state upon restart is one of the best ways to deal with scareware in a large deployment."