In-Depth

Who's Afraid of Scareware?

Are you? Bogus pop-ups that hide crippling malware can bring networks to their knees. Here are some methods to stop scareware and fix the damage that it inflicts.

You're happily computing along when out of nowhere a bright orange pop-up leaps out: "Warning! Spyware detected on your computer!"

If you're a seasoned IT professional, you bypass the warning, impressive as it might seem, and smartly use the system tray to shut it down.

But your end users, friends, kids or spouse may not be so savvy. One click on this demon in disguise, which is actually a Web page, and you could run head-first into a shockingly bad virus, malware or spyware.

These pop-ups can trick you into buying unneeded software, steal personal data and passwords, and block updates and access to anti-virus Web sites. Welcome to the wonderful world of rogue security software, also known as scareware.

Pop-ups can appear on legitimate Web sites, placed there either with the site's permission or, sometimes, through injection attacks. Despite recent crackdowns, scareware can be advertised even through credible entities such as Google Inc.'s search engine.

TIPS: Frighten Away Scareware
  • Use a firewall
  • Use anti-virus
  • Use anti-spyware
  • Use a legitimate copy of Windows in order to get updates
  • Keep Windows regularly and automatically updated and patched
  • When a pop-up appears, check the source and remove it via the system tray; do not click the close button or any part of the pop-up
  • Use an alternative browser and lock it down; no ActiveX, scripts or Java
  • Don't give out admin rights
  • Consider Windows Vista, or Linux or a Mac
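The tips above are a checklist, so here is a read-only script that grades a PC against them. It is an added example, not from the article or from any vendor it names, and it assumes a current Windows 10 or 11 machine with the built-in NetSecurity and Defender PowerShell modules; on a PC running another anti-virus product the two Defender checks would have to be swapped for that vendor's status command. The UAC check covers the point the Vista section below makes about User Account Control.

```powershell
# Added example (not from the article): grade this PC against the "Frighten Away
# Scareware" tips. Read-only. Assumes Windows 10/11 with the NetSecurity and
# Defender modules; swap the Get-Mp* calls for your AV vendor's status command.

function Test-ScarewarePosture {
    $results = [ordered]@{}

    # Firewall: every profile (Domain, Private, Public) should be on.
    $offProfiles = Get-NetFirewallProfile | Where-Object { -not $_.Enabled } |
        Select-Object -ExpandProperty Name
    $results['Firewall on for all profiles'] = (@($offProfiles).Count -eq 0)

    # Anti-virus / anti-spyware: real-time protection on and signatures fresh.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $results['Real-time protection enabled']   = [bool]($mp -and $mp.RealTimeProtectionEnabled)
    $results['AV signatures under 7 days old'] = [bool]($mp -and $mp.AntivirusSignatureAge -le 7)

    # Updates: the Windows Update service must not be disabled, and no policy may
    # switch automatic updating off.
    $wu     = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' `
                  -ErrorAction SilentlyContinue
    $results['Windows Update service not disabled']     = [bool]($wu -and $wu.StartType -ne 'Disabled')
    $results['Automatic updates not disabled by policy'] = [bool](-not $policy -or $policy.NoAutoUpdate -ne 1)

    # UAC (the Vista feature credited later in the article): EnableLUA must be 1.
    $lua = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').EnableLUA
    $results['UAC enabled'] = ($lua -eq 1)

    # Admin rights: the account used for browsing should not be in Administrators.
    # Checking the group SID in the token catches admins even in a non-elevated shell.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = [bool]($id.Groups -contains 'S-1-5-32-544')
    $results['Current user is not an administrator'] = (-not $isAdmin)

    return $results
}

$posture = Test-ScarewarePosture
foreach ($check in $posture.Keys) {
    $status = if ($posture[$check]) { 'PASS' } else { 'FAIL' }
    '{0,-45} {1}' -f $check, $status
}
```

Run it in the account that actually does the Web browsing, not from an administrator's desk: the last check is only meaningful for the user who would be clicking on the pop-up.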

Scareware can hit users who thought they did all the right things. Asif Mirza, IT manager at InCube Labs LLC, had an employee infected, even though Symantec Corp.'s Norton AntiVirus was already installed. In this case "Vista AntiVirus 2008" did the dirty deed. The pop-up says you need to download the anti-virus tool because you're already infected. The truly cunning part? The warning dialog looks like any other Windows dialog.

Mirza's answer to the user? "Boot from the XP CD, stay away from questionable Web sites and do not click on links that promise to clean your PC." Mirza also now uses Symantec Endpoint Security, which prevents users from going to malicious sites like Vista AntiVirus 2008.

Scareware Horrors
Scareware can attack at home and in the office. "I'm an IT pro, have been for 30 years," says Harry Rife from Holt, Calif. "We've had 15-plus machines get the 'AntiVirus 2008' or variant thereof since Aug. 1, 2008, and at least that many employees' personal home machines, which earned me some extra pocket money. But my own personal machines at home also got it thanks to one of my daughters. Before I found a great tool for removal, I spent days trying to clean them up.

"In fact," Rife continues, "on the one my daughter was responsible for, I had accidentally deleted some files in the Windows folder. From that point on, it prevented me from logging back into the machine, period. I had to change hard drives and make the original C drive the D to be able to back up the 75GB of stuff she had on it. Another week of restoring and reinstalling and she was back up and going. Lawsuit is not punishment enough. They should be tarred and feathered," Rife says.

Andre Sourdiffe, with Fisk Reed & Love, P.C. in Bennington, Vt., came across some bogus anti-spyware. "The pop-up reads, in bold letters on the title bar, 'Microsoft Security Warning.' In the window itself in bold print, 'AntiVirus 2009 Web Scanner detected dangerous spyware on your system!' It then lists the supposed infections, Spyware.IEMonster.b, Zlob.PornAdvertiser.Xplisit and Trojan.InfoStealer.Banker.s," Sourdiffe explains. "There are two buttons, Remove All and Ignore. Just clicking on the red 'X' doesn't prevent the download dialog from appearing. It offers the file A9installer_77011811.exe and, most helpful of all, the site that the file will be downloaded from, onlinescannersite9.com."

Being an IT type, Sourdiffe didn't fall for the ruse. But a customer of his did fall for it. "The bogus software has an uninstall option in the All Programs folder it gets installed to, but it doesn't really remove it. It stopped the constant warnings and pop-ups until the computer was restarted. Then, the uninstall option was no longer there and the pop-ups continued," he says. The client's Avast! anti-virus software, from ALWIL Software A.S., "detected only one of the files the software installed as malware." Sourdiffe was able to remove the infection with Malwarebytes Corp.'s Malwarebytes software.

Why do users fall for this stuff? Not only do the pop-ups and Web sites they link to seem legitimate, but they're treated as credible by many search engines. In Sourdiffe's case, the pop-up appeared while a user was playing tunes on his media player.

A Rogue's Gallery of Scareware
There are literally hundreds of scareware programs, many of which are simply clones or modifications of earlier programs. Here's a small sampling:
  • AntiVirus 2008, 2009 and 2010: Three versions of the same scareware tool. The 2010 version comes with its own bogus Blue Screen of Death.

  • AntiVirus Plasma: Once installed, it hogs memory and processing power.

  • AntiVirus Plus: Scareware that can use Microsoft Security Center alerts.

  • Antispy 2008: Fairly amateur scareware app.

  • AntispywareXP 2009: Slows down your PC and displays fake warnings and fake scan results.

  • AntiVirus Sentry: Fake alerts trick users into downloading the software. This has also been known to download without permission; it then prompts you to buy the software to remove malware.

  • Content Eraser: Fake privacy application.

  • PCVirusless: Lures users in with Web ads.

  • Personal Defender 2000: Fake anti-spyware application that uses a fake Firewall Security Alert to trick users into doing a fake scan. The results always show infections, and the program then tries to get you to buy the software.

  • ProAntispyware 2009: Scareware often advertised on Web sites.

  • RapidAntiVirus: Once installed, this can flag legitimate files as malware; deleting them can harm your PC.

  • Real AntiVirus: Like other scareware software, this one runs scans that show malware that doesn't exist and prompts you to buy anti-virus software.

  • SpyProtector: Often shows users fake taskbar alerts.

  • Security 2009: Similar to SpyProtector, this is often advertised on the Web.

  • WinDefender 2009: Trojan horses can display bogus alerts and prompt you to download the WinDefender 2009 software. If you load WinDefender, it will always find malware, even if it's only the malware that it installed itself. The program then tricks you into buying the full WinDefender package.

  • XP Antispyware 2009: The same essential program as AntispywareXP 2009.

Definitions are based on work done by Bleeping Computer LLC.

"What really surprised me," Sourdiffe says, "was that this site not only showed up as an advertisement on the site Windows Media Player was pointed to, but was a sponsored site on Google and Yahoo! and probably other search engines. I'm truly amazed that these search sites don't screen their advertisers better than this. This particular scammer will scan your computer and find all these things wrong and then tell you that you need to buy this software in order to clean your computer."

Google is cracking down on malware, although some of it still slips under the radar. A healthy debate still rages about whether the search engine giant is doing enough.

A Pound of Prevention
Sometimes security software, especially anti-spyware, can prevent, or at least remedy, the problem. But hackers know the state of security software and invent new attacks that protective software can't always recognize. That's where basic security precautions come in. First and foremost, scareware-based malware is installed code: it has to be written to disk and hooked into the system so that it starts again after a reboot, and installing it system-wide is exactly what a limited account cannot do. Not giving end-users -- or friends, kids and spouses -- admin rights can go a long way toward preventing these attacks.

When it comes to locking down rights, what works at home also works in the office.

"If you maintain PCs for friends or family, you'd do them a huge favor if you set up multiple accounts in Windows, with the accounts that access the Internet with limited privileges," says reader Joe Elliot, a consulting IT architect with Nationwide Insurance. "For adults, provide them with clear instructions that the only time they can log into an administrative account is to install well-known software. I haven't had a single virus for years on a family computer actively used by four different accounts."

Other IT pros agree. "People should not be surfing the Web using an account with admin privileges," says reader Stephen Snyder, a systems administrator in Herndon, Va. "That means setting up the PC with an administrator's account and a limited-user account, and doing all of your normal work with that limited-user account. Of course, how many people not in the IT field would know about this?"
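The setup Elliot and Snyder describe, an administrator account kept for installs and a limited account for everything else, takes a few commands. The script below is an added example, not the readers' own procedure, and it assumes a current Windows 10 or 11 machine with the Microsoft.PowerShell.LocalAccounts module, run from an elevated session; the account name is a placeholder.

```powershell
# Added example (not from the article): review who holds local admin rights and
# create a limited account for day-to-day browsing. Assumes Windows 10/11 with the
# Microsoft.PowerShell.LocalAccounts module, run elevated. The name is a placeholder.
#Requires -RunAsAdministrator

$DailyUser = 'family-daily'   # placeholder name for the limited account

# 1. Who can currently install code on this box? Every account listed here could
#    turn one click on "Remove All" into a machine-wide infection.
Write-Host "Members of the local Administrators group:"
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

# 2. Create the limited account if it does not exist yet. Members of Users cannot
#    write to Program Files, HKLM\...\Run or the All Users Startup folder, so a
#    rogue installer is confined to that one profile.
if (-not (Get-LocalUser -Name $DailyUser -ErrorAction SilentlyContinue)) {
    $password = Read-Host -Prompt "Password for $DailyUser" -AsSecureString
    New-LocalUser -Name $DailyUser -Password $password -FullName 'Daily browsing account' `
        -Description 'Limited account for Web and e-mail; log into the admin account only to install software' |
        Out-Null
    # New-LocalUser does not place the account in any group; Users is the limited one.
    Add-LocalGroupMember -Group 'Users' -Member $DailyUser
    Write-Host "Created standard user '$DailyUser'."
}

# 3. Make sure the daily account did not end up in Administrators by another route
#    (an earlier setup, group nesting). Report it rather than silently removing it.
$adminHit = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.Name -like "*\$DailyUser" }
if ($adminHit) {
    Write-Warning "'$DailyUser' is a member of Administrators; remove it with:"
    Write-Warning "  Remove-LocalGroupMember -Group Administrators -Member $DailyUser"
} else {
    Write-Host "'$DailyUser' is not an administrator."
}
```

Pair the new account with Elliot's rule: the administrator account is for installing well-known software and nothing else, and the daily account is the one that sees the Web.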

After coming face-to-face with "AntiVirus 2009 Web Scanner," Sourdiffe and company took even more serious measures. "On our site, we're using OpenDNS, and I have the option of blocking specific sites. I blocked the onlinescannersite9.com site, so no matter where it might be found on the Web, our office won't even have access to the link. I immediately warned everyone in our office of the occurrence and posted the screen shots of the software in action," he says.
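OpenDNS blocks the domain for the whole office; a single PC without that service can get the same effect from the hosts file, which every browser and process on the machine consults before asking DNS. The script below is an added example, not Sourdiffe's procedure, and it assumes Windows 8 or later for the DnsClient cmdlets and an elevated session. The only domain in the list is the one named in Sourdiffe's account; the rest of the list is whatever your own incident notes say.

```powershell
# Added example (not from the article): pin a known scareware distribution domain
# to 0.0.0.0 in the hosts file, the single-PC equivalent of the OpenDNS block in the
# text. Assumes Windows 8+ (DnsClient module), run elevated. Domain list is a
# placeholder seeded from the article.
#Requires -RunAsAdministrator

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$blockList = @('onlinescannersite9.com')    # domain from Sourdiffe's account; extend as needed
$marker    = '# scareware-block'            # tag so these lines can be found and audited later

# Every name lookup depends on this file, so keep a dated backup before touching it.
Copy-Item $hostsPath "$hostsPath.$(Get-Date -Format yyyyMMdd-HHmmss).bak"

$existing = @(Get-Content $hostsPath)
$added = 0
foreach ($domain in $blockList) {
    # Idempotent: skip any domain that already has a hosts entry, tagged or not.
    $pattern = '^\s*\S+\s+' + [regex]::Escape($domain) + '(\s|$)'
    if ($existing -match $pattern) { continue }
    # Block the bare name and the www. form, which ad redirects commonly use.
    Add-Content -Path $hostsPath -Value "0.0.0.0 $domain $marker"
    Add-Content -Path $hostsPath -Value "0.0.0.0 www.$domain $marker"
    $added++
}

# Flush the resolver cache so the block takes effect without a reboot.
Clear-DnsClientCache
Write-Host "Added $added domain(s). Current block entries:"
Select-String -Path $hostsPath -Pattern ([regex]::Escape($marker)) | ForEach-Object Line

# Verify: a blocked name must now come back as 0.0.0.0 (or not resolve at all).
foreach ($domain in $blockList) {
    $answer = Resolve-DnsName $domain -ErrorAction SilentlyContinue |
        Select-Object -First 1 -ExpandProperty IPAddress
    if (-not $answer -or $answer -eq '0.0.0.0') {
        Write-Host "OK   $domain -> $answer"
    } else {
        Write-Warning "$domain still resolves to $answer; check the hosts file entry"
    }
}
```

The hosts file only helps against domains you already know about, which is why Sourdiffe paired the block with a warning to the whole office; treat it as a way to stop the second victim, not the first.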

Bleeping Computer LLC's anti-spyware download is a big help, according to Sourdiffe and others. You can download it at www.bleepingcomputer.com.

The Vista Answer
Some praise Windows Vista, with its more disciplined approach to user rights and code installation, as an effective anti-scareware measure.

"I'm a system admin responsible for over 40 Vista machines," says reader Ken Wirz, a network administrator at Delta Dental of Ohio. "I've had Vista deployed since March 2007 with User Access Control enabled. The users don't have administrator rights to their box. I haven't had a single virus or malware incident reported by my users or by Symantec anti-virus. Put me down as one admin that loves it because the users can't mess it up."

A Remedy Is All I Need
Because it's usually activated by a Web page masquerading as a security alert, scareware is often impervious to anti-virus software, as Earl Nittskoff discovered. "A client had pop-ups for Power AntiVirus 2009 bombarding her computer and telling her it was infected. McAfee Inc.'s anti-virus program found no viruses. She spent hours talking to tech support at McAfee with no positive results. McAfee tech support also sent manual removal instructions, which also did not work," Nittskoff, with V V E Computer Consulting in South Euclid, Ohio, explains.

"She called me. I assumed this was a variant of other similar problems and brought some removal tools like SmitFraud. I was wrong. None of these tools found any malware. I searched the Web for removal advice. Everything I found was similar to the efforts my client had already tried," he continues.

"I identified and stopped the offending process in Task Manager. The process was pwa.exe. Then I looked in the Programs Startup folder, MSCONFIG Startup tab and MSCONFIG Services tab to discover how the program started. It was in the MSCONFIG Startup tab. I renamed the C:\Program Files\PWA\pwa.exe file to C:\Program Files\PWA\pwa.fyf and unchecked the startup line. I restarted the computer. Problem solved," Nittskoff concludes.

Rusty's Story

Recently my son got attacked by one of these programs. I eventually fixed it but it took three days, a lot of investigation and a copy of bootable Linux to get to the root of the problem. It was almost as bad as a rootkit to get rid of. Normally I would have reformatted the hard drive and reinstalled, but I was bound and determined that some punk wasn't going to get the best of me.

My son's laptop computer became infected with some sort of scareware that made multiple windows open up telling him he was infected with malware. It also displayed an ad that he could click on to purchase cleaning software for about $39 to get rid of it. At first I ran anti-virus software from Trend Micro Inc. and Lavasoft's Ad-Aware. Although Ad-Aware found some problems, it didn't fix the root scareware problem.

Had I not been so determined not to let this beat me, I would have just formatted the computer and reloaded everything. Instead I started digging deep in the OS, which was Windows XP.

I looked through all the run keys in the registry, turning off anything I could find. I also uninstalled any software that was on the system that he didn't need or use. I scoured the computer for any other auto-run stuff I could find. Multiple reboots later we still had the problem.

It was not until my son-in-law and I booted the computer with a Linux CD and started to really dig that we finally found the problem. It took us a total of 30 man-hours to clear the stupid thing up. It was only the joy of besting the programmers that kept me from throwing the laptop against the wall several times.

I stressed to my son how important it was that he stop using Internet Explorer and only use Firefox from now on. Everyone else in the house uses Firefox, and we haven't had any issues with scareware since. IE is considered the Typhoid Mary of the Windows PC in our house.

--Rusty Yonkers, senior systems engineer for a large, international insurance company

Sometimes scareware has an easy fix; other times it requires more drastic measures. Jeff Ellis, owner of Nurtell Computer Doctor, has seen both sides. "I service computers at home. When they have good backups of data or don't care about losing files, I just reload the operating system software. For one of the first clients who really wanted to try and save their pictures, I spent four hours getting rid of this annoying bogus malware," says reader Ellis.

Bill Cooper, vintner at Cooper-Garrod Estate Vineyards in Saratoga, Calif., found his daughter's computer struck by scareware. "I used Symantec's eradication instructions, but it took days of effort, and I learned more about the registry than I wanted to know."

Often the only recourse is to rebuild.

"Our HR manager brought in his home laptop and he swore he only used it to visit the Georgia Bulldog Web site," recounts Buzz Hopper, a network administrator in Ohio. "The laptop had been taken over by one of those Your-PC-Is-Infected scams.

"It's infected all right," Hopper continues. "I'm at the point now where the only recourse is to erase the hard drive. I hope there will be teeth in whatever is done to go after these companies."

Chris Riley has an even more horrific tale to tell. "I've had to reload three different computers at three different sites in the last two days. All were infected with a new version of AntiVirus2009: Pandora Software. I tried four of the standard removal and anti-malware programs to no avail on the first two machines. After spending an hour with no positive results, I decided that wiping the disk and reloading the OS was more productive than wasting time trying to remove the malware. Luckily, all three of these client computers were loaded thin and nothing pertaining to the business was lost. Granted, the users lost stuff that was only saved to the local machine, and all three users never really followed company guidelines on saving all items to their supplied folder on the server for backup. Maybe some day they'll start following guidelines, but I'm not going to hold my breath."

Sometimes, fortunately, a restart will do the trick. "I had a machine last year with this problem," reports reader Jason Strack. "A user was clicking on the supposed 'problem' messages. I think Centurion, from Centurion Technologies Inc., or some other type of freezing software that puts the computer back to a clean state upon restart is one of the best ways to deal with scareware in a large deployment."

Fighting Fire with Firemen

I'm a division chief with a south Chicago suburb fire department and also the IT manager for the same municipality. I've had about 30 PCs infected by these seemingly legitimate pop-ups. I advise my users to just pull the power plug when one appears -- no matter what they're doing at the time. For the unfortunate ones that don't, or just click the 'X' in the top right corner, they pay the ultimate data-processing price: Their hard drives go to alphabet heaven.

A few infected machines have been recovered by purchasing other anti-virus software, and these programs actually cleaned up the mess.

Most weren't so lucky.

A lot of these firefighters are instructors for the fire service and use their personal PCs for training. Hours and hours of PowerPoint presentations -- movies depicting things not to do, rescues that worked by being innovative, and many other facts, lessons and details that firefighters and paramedics utilize -- all went up in smoke.

The average user can't afford the hardening that a corporate entity can. Knowledge, anti-virus software, firewalls and more knowledge are our defenses against the rogue viruses, trojans and spyware that abound on the Internet.

The problem with this latest round of "You're infected" is that it has the look and feel of a real Microsoft window. My users say it happened when they were doing an update, or a "Windows screen" popped up.

Firefighters save lives. Responsible data-processing companies save time, work and usually their integrity.

When a virus takes on the look and feel of an OS company, the average user is just not going to have the tools at their disposal to know that.

Many public servants have asked, "Isn't there a law against this?" Criminal actions -- the result of damage or loss to property -- are prosecutable. Period. Microsoft and the states, if not officials at the federal and even international level, should hunt these authors down and prosecute them as felons.

A Web site that can log destructive actions, like a missing-child database, should be created, monitored and forwarded to state and federal agencies.

The next time you dial 911 and a young, aggressive and dedicated public servant comes to your aid, you should hope they studied the lessons that were on some of these PCs before those lessons were lost to immature and criminal actions.

--Tom Mullally, Evergreen Park Fire Department, Evergreen Park, Ill.


Reader Comments:

Tue, Apr 21, 2009 K. Brenner WA

System restore doesn't always work. On the systems that I have restored from AV09 attacks the malware had wiped all previous restore points and made a new one immediately after installing itself. Tarring and feathering is WAY too polite of a punishment.

Thu, Mar 26, 2009 DrDoom CLE

I've been cleaning these types of infections off of PCs for a while now. The 2 tools I've always used are from Sysinternals - Autoruns and Process Explorer. If you're strapped for time and don't want to dig into the issue - go for a system restore. Just make sure you check the task scheduler first for any scheduled tasks that may have been installed. If you have time (never taken me more than 1-2 hours max) use the Sysinternals tools to find the processes and DLLs that are being loaded and running the "scareware". I've found that Ad-Aware tools don't work so well on malware DLLs that have been registered with explorer.exe or as BHOs to iexplore.exe - so I don't use them. Using Process Explorer you can easily identify suspect DLLs and then prevent them from loading with Autoruns. Then they can be unregistered. No offense to Rusty but I find it hard to believe a person with a Sr. Sys Engineer title would be lost for 30 hours on a problem like this. I also don't consider this "digging deep into the OS" - that would be looking at thread stacks/calls and memory dumps for problems. Any Sr. Sys Engineer should be very familiar with the registry and how COM server objects work already.

Thu, Feb 26, 2009 Colorado Expat Georgetown, TX

I work for a small school district, and lately have been reimaging systems at the rate of about one a week due to malware such as Antivirus2010; that's about the only really effective and time-conserving means of dealing with the stuff.

My own opinion of those who write and distribute malware is that they should find themselves after a slow and painful demise spending Eternity trying to clean their own stuff out of a corrupted installation of Windows ME, with habanero enemas three times a day - to remind them of what a pain (and where) their malware really is!

Mon, Feb 23, 2009 Anonymous Anonymous

This is a valuable article which I'd like to circulate in the office - how come when I try to print it the only thing that comes out is the first 5 paragraphs followed by a second blank page, and nothing else? Please fix this...

Thu, Feb 19, 2009 Anonymous Anonymous

System restore may work sometimes but not in my mum's case. I've found superantispyware.com which is supposed to work, trying that.

Tue, Feb 17, 2009 Anonymous Anonymous

How ironic that this article is followed by an ad to Spyware Terminator which is provided by a Google Ad. Is Redmond mag screening their ads well enough as they asked of Google?

Tue, Feb 10, 2009 Jon Iris NC

We should not be too quick to blame IE, Rusty. Even though malware will use IE for its messages, that has nothing to do with what browser the user was using when they became infected. I recently repaired an XP-Home Dell laptop that was infected through Firefox. If the user is going to click the links, no browser is currently going to save them.

To repair the infection I booted the machine into safe mode. I checked and when necessary deleted offending entries from the system config files, startup folder, and registry. Last but not least I used Windows Explorer to delete all the files from the temp directories and all of the locations where IE has cached files. I rebooted and the machine was cured.

There are a lot of very good ideas here on how to deal with this situation.

Thu, Feb 5, 2009 Anonymous Anonymous

I also was successful with Safe Mode and System Restore

Wed, Feb 4, 2009 Rob Kelly Pennsylvania

System Restore, people. SYSTEM RESTORE!
I've dealt with about a dozen of these infections. Your first move should be Safe Mode, System Restore. More than half the time I've gotten very lucky!

Thu, Jan 29, 2009 Anonymous Anonymous

My home XP machine was hit by one of these malware programs (GetConfig35.exe) the other day. The Fiddler2 web debugger (www.fiddler2.com) is good at telling you which process is accessing dangerous sites, and you can use Task Manager or the Process Explorer from sysinternals.com to kill the process, and to find and delete the executable. You can block the websites through your router administration. You should also open Programs->Accessories->System Tools->Scheduled Tasks to remove any tasks which try to restart it. Use something like the msconfig startup tab to eliminate registry settings which start it when you boot, and make sure there's nothing unusual in your Programs->Startup folder. Unless system files are infected, that should keep just about any malware from starting on its own.
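Nittskoff's pwa.exe hunt in the article and the last two comments describe the same sweep: find every place Windows will launch a program from on its own, look for the entry that does not belong, and only then rename or unhook it. The script below is an added example, not code from the article or from the Sysinternals tools the commenters mention, and it assumes a Windows 8 or later machine for Get-ScheduledTask. It is read-only: it lists Run and RunOnce values, Startup-folder items and non-Microsoft scheduled tasks, resolves each to the program it launches, and marks as suspect anything that lives outside the Windows and Program Files trees or lacks a valid Authenticode signature.

```powershell
# Added example (not from the article or from any tool it names): sweep the autostart
# locations the text checks by hand (Run/RunOnce keys, Startup folders, scheduled
# tasks) and flag entries outside the system directories or without a valid signature.
# Read-only; the reviewer does the renaming/unchecking. Assumes Windows 8+ for
# Get-ScheduledTask. "Suspect" means "look at this", not "malicious": plenty of
# legitimate updaters live in AppData and ship unsigned.

$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$metaProps    = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$runKeys      = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Extract the program from a command line such as
#   "C:\Program Files\PWA\pwa.exe" /silent   or   C:\Program Files\PWA\pwa.exe /silent
function Get-ImagePath([string]$CommandLine) {
    $cl = $CommandLine.Trim()
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        if ($end -gt 1) { return $cl.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cl, '^(.+?\.(exe|com|scr|bat|cmd|vbs|js))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cl -split '\s+')[0]
}

function New-Finding([string]$Source, [string]$Name, [string]$CommandLine) {
    $path = [Environment]::ExpandEnvironmentVariables((Get-ImagePath $CommandLine))
    if ($path -and -not [IO.Path]::IsPathRooted($path)) {
        # Bare names like rundll32.exe resolve through PATH; record where that really is.
        $resolved = (Get-Command $path -ErrorAction SilentlyContinue).Source
        if ($resolved) { $path = $resolved }
    }
    $trusted = $trustedRoots | Where-Object { $path.StartsWith($_, 'OrdinalIgnoreCase') }
    $sig = if ($path -and (Test-Path -LiteralPath $path)) {
        (Get-AuthenticodeSignature -FilePath $path).Status.ToString()
    } else { 'FileMissing' }
    [pscustomobject]@{
        Source    = $Source
        Name      = $Name
        Image     = $path
        Signature = $sig
        Suspect   = (-not $trusted) -or ($sig -ne 'Valid')
    }
}

$findings = @()

# 1. Registry Run / RunOnce values: the entries MSCONFIG's Startup tab shows.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -in $metaProps) { continue }
        $findings += New-Finding $key $p.Name ([string]$p.Value)
    }
}

# 2. Startup folders for the current user and for all users, resolving .lnk shortcuts.
$shell = New-Object -ComObject WScript.Shell
foreach ($folder in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    foreach ($item in (Get-ChildItem -LiteralPath $folder -File -ErrorAction SilentlyContinue)) {
        $target = if ($item.Extension -eq '.lnk') { $shell.CreateShortcut($item.FullName).TargetPath } else { $item.FullName }
        $findings += New-Finding "StartupFolder:$folder" $item.Name $target
    }
}

# 3. Scheduled tasks outside the Microsoft\Windows tree, where the commenters found
#    the tasks that relaunched the scareware after its process was killed.
foreach ($task in (Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' })) {
    foreach ($action in $task.Actions) {
        if ($action.Execute) {
            $findings += New-Finding "Task:$($task.TaskPath)$($task.TaskName)" $task.TaskName "$($action.Execute) $($action.Arguments)"
        }
    }
}

# Suspects first, so a pwa.exe-style entry sits at the top of the list.
$findings | Sort-Object -Property @{ Expression = 'Suspect'; Descending = $true }, Source |
    Format-Table -AutoSize -Wrap Suspect, Source, Name, Image, Signature
```

Once an entry is confirmed bogus, Nittskoff's manual fix maps onto `Remove-ItemProperty` for a Run value, deleting the shortcut for a Startup-folder item and `Disable-ScheduledTask` for a task. Run the sweep again after a reboot: as the comments note, a scheduled task or a DLL hooked into explorer.exe can put back what you just removed, and this script does not look inside explorer.exe, so Process Explorer and Autoruns remain the tools for that part.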
