In-Depth

Who's Afraid of Scareware?

Are you? Bogus pop-ups that hide crippling malware can bring networks to their knees. Here are some methods to stop scareware and fix the damages that it inflicts.

You're happily computing along when out of nowhere a bright orange pop-up leaps out: "Warning! Spyware detected on your computer!"

If you're a seasoned IT professional, you bypass the warning, impressive as it might seem, and smartly use the system tray to shut it down.

But your end users, friends, kids or spouse may not be so savvy. One click on this demon in disguise, which is actually a Web page, and you could run head-first into a shockingly bad virus, malware or spyware.

These pop-ups can trick you into buying unneeded software, steal personal data and passwords, and block updates and access to anti-virus Web sites. Welcome to the wonderful world of rogue security software, also known as scareware.

Pop-ups can appear randomly out of legitimate Web sites and are placed there with permission or sometimes through injection attacks. Despite recent crackdowns, scareware can be advertised even through credible entities such as Google Inc.'s search engine.

TIPS: Frighten Away Scareware
  • Use a firewall
  • Use anti-virus
  • Use anti-spyware
  • Use a legitimate copy of Windows in order to get updates
  • Keep Windows regularly and automatically updated and patched
  • When a pop-up appears, check the source and remove it via the system tray; do not click the close button or any part of the pop-up
  • Use an alternative browser and lock it down; no Active X, scripts or Java
  • Don't give out admin rights
  • Consider Windows Vista, or Linux or a Mac

Scareware can hit users who thought they did all the right things. Asif Mirza, IT manager at InCube Labs LLC, had an employee infected, even though Symantec Corp.'s Norton AntiVirus was already installed. In this case "Vista AntiVirus 2008" did the dirty deed. The pop-up says you need to download the anti-virus tool because you're already infected. The truly cunning part? The warning dialog looks like any other Windows dialogue.

Mirza's answer to the user? "Boot from the XP CD, stay away from questionable Web sites and do not click on links that promise to clean your PC." Mirza also now uses Symantec Endpoint Security, which prevents users from going to malicious sites like Vista AntiVirus 2008.

Scareware Horrors
Scareware can attack at home and in the office. "I'm an IT pro, have been for 30 years," says Harry Rife from Holt, Calif. "We've had 15-plus machines get the 'AntiVirus 2008' or variant thereof since Aug. 1, 2008, and at least that many employees' personal home machines, which earned me some extra pocket money. But my own personal machines at home also got it thanks to one of my daughters. Before I found a great tool for removal, I spent days trying to clean them up.

"In fact," Rife continues, "on the one my daughter was responsible for, I had accidentally deleted some files in the Windows folder. From that point on, it prevented me from logging back into the machine, period. I had to change hard drives and make the original C drive the D to be able to back up the 75GB of stuff she had on it. Another week of restoring and reinstalling and she was back up and going. Lawsuit is not punishment enough. They should be tarred and feathered," Rife says.

Andre Sourdiffe, with Fisk Reed & Love, P.C. in Bennington, Vt., came across some bogus anti-spyware. "The pop-up reads, in bold letters on the title bar, 'Microsoft Security Warning.' In the window itself in bold print, 'AntiVirus 2009 Web Scanner detected dangerous spyware on your system!' It then lists the supposed infections, Spyware.IEMonster.b, Zlob.PornAdvertiser.Xplisit and Trojan.InfoStealer.Banker.s," Sourdiffe explains. "There are two buttons, Remove All and Ignore. Just clicking on the red 'X' doesn't prevent the download dialog from appearing. It offers the file A9installer_77011811.exe and, most helpful of all, the site that the file will be downloaded from, onlinescannersite9.com."

Being an IT type, Sourdiffe didn't fall for the ruse. But a customer of his did fall for it. "The bogus software has an uninstall option in the All Programs folder it gets installed to, but it doesn't really remove it. It stopped the constant warnings and pop-ups until the computer was restarted. Then, the uninstall option was no longer there and the pop-ups continued," he says. The client's Avast! anti-virus software, from ALWIL Software A.S., "detected only one of the files the software installed as malware." Sourdiffe was able to remove the infection with Malwarebytes Corp.'s Malwarebytes software.
Why do users fall for this stuff? Not only do the pop-ups and Web sites they link to seem legitimate, but they're treated as credible by many search engines. In Sourdiffe's case, the pop-up appeared while a user was playing tunes on his media player.

A Rogue's Gallery of Scareware
There are literally hundreds of scareware programs, many of which are simply clones or modifications of earlier programs. Here's a small sampling:
  • AntiVirus 2008, 2009 and 2010: Three versions of the same scareware tool. The 2010 version comes with its own bogus Blue Screen of Death.

  • AntiVirus Plasma: Once installed hogs memory and processing.

  • AntiVirus Plus: Scareware that can use Microsoft Security Center alerts.

  • Antispy 2008: Fairly amateur scareware app.

  • AntispywareXP 2009: Slows down your PC and displays fake warnings and fake scan results.

  • AntiVirus Sentry: Fake alerts trick users into downloading the software. This has also been known to download without permission; it then prompts you to buy the software to remove malware.

  • Content Eraser: Fake privacy application.

  • PCVirusless: Lures users in with Web ads.

  • Personal Defender 2000: Fake anti-spyware application that uses a fake Firewall Security Alert to trick users into doing a fake scan. The results always show infections, and the program then tries to get you to buy the software.

  • ProAntispyware 2009: Scareware often advertised on Web sites.

  • RapidAntiVirus: Once installed, this can identify legitimate files as malware and harm your PC if deleted.

  • Real AntiVirus: Like other scareware software, this one runs scans that show malware that doesn't exist and prompts you to buy anti-virus software.

  • SpyProtector: Often shows users fake taskbar alerts.

  • Security 2009: Similar to SpyProtector, this is often advertised on the Web.

  • WinDefender 2009: Trojan horses can display bogus alerts and prompt you to download the WinDefender 2009 software. If you load WinDefender it will always find malware, even if it's only the malware that it installed itself. The program then tricks you into buying the full WinDefender package.

  • XP Antispyware 2009: The same essential program as AntispywareXP 2009.

Definitions are based on work done by Bleeping Computer LLC.

"What really surprised me," Sourdiffe says, "was that this site not only showed up as an advertisement on the site Windows Media Player was pointed to, but was a sponsored site on Google and Yahoo! and probably other search engines. I'm truly amazed that these search sites don't screen their advertisers better than this. This particular scammer will scan your computer and find all these things wrong and then tell you that you need to buy this software in order to clean your computer."

Google is cracking down on malware, although some of it still slips under the radar. A healthy debate still rages about whether the search engine giant is doing enough.

A Pound of Prevention
Sometimes security software, especially anti-spyware, can prevent, or at least remedy, the problem. But hackers know the state of security software and invent new attacks that protective software can't always recognize. That's where basic security precautions come in. It must be understood that first and foremost, scareware-based malware is installed code. Not giving end-users -- or friends, kids and spouses -- admin rights can go a long way toward preventing these attacks.

What works in the home may also work in the office regarding locking-down rights.

"If you maintain PCs for friends or family, you'd do them a huge favor if you set up multiple accounts in Windows, with the accounts that access the Internet with limited privileges," says reader Joe Elliot, a consulting IT architect with Nationwide Insurance. "For adults, provide them with clear instructions that the only time they can log into an administrative account is to install well-known software. I haven't had a single virus for years on a family computer actively used by four different accounts."

Other IT pros agree. "People should not be surfing the Web using an account with admin privileges," says reader Stephen Snyder, a systems administrator in Herndon, Va. "That means setting up the PC with an administrator's account and a limited-user account, and doing all of your normal work with that limited-user account. Of course, how many people not in the IT field would know about this?"

After coming face-to-face with "AntiVirus 2009 Web Scanner," Sourdiffe and company took even more serious measures. "On our site, we're using OpenDNS, and I have the option of blocking specific sites. I blocked the onlinescannersite9.com site, so no matter where it might be found on the Web, our office won't even have access to the link. I immediately warned everyone in our office of the occurrence and posted the screen shots of the software in action," he says.

Bleeping Computer LLC's anti-spyware download is a big help, according to Sourdiffe and others. You can download it at www.bleepingcomputer.com.

The Vista Answer
Some praise Windows Vista, with its more disciplined approach to user rights and code installation, as an effective anti-scareware measure.

"I'm a system admin responsible for over 40 Vista machines," says reader Ken Wirz, a network administrator at Delta Dental of Ohio. "I've had Vista deployed since March 2007 with User Access Control enabled. The users don't have administrator rights to their box. I haven't had a single virus or malware incident reported by my users or by Symantec anti-virus. Put me down as one admin that loves it because the users can't mess it up."

A Remedy Is All I Need
Because it's usually activated by a Web page masquerading as a security alert, scareware is often impervious to anti-virus software, as Earl Nittskoff discovered. "A client had pop-ups for Power AntiVirus 2009 bombarding her computer and telling her it was infected. McAfee Inc.'s anti-virus program found no viruses. She spent hours talking to tech support at McAfee with no positive results. McAfee tech support also sent manual removal instructions, which also did not work," Nittskoff, with V V E Computer Consulting in South Euclid, Ohio, explains.

"She called me. I assumed this was a variant of other similar problems and brought some removal tools like SmitFraud. I was wrong. None of these tools found any malware. I searched the Web for removal advice. Everything I found was similar to the efforts my client had already tried," he continues.

"I identified and stopped the offending process in Task Manager. The process was pwa.exe. Then I looked in the Programs Startup folder, MSCONFIG Startup tab and MSCONFIG Services tab to discover how the program started. It was in the MSCONFIG Startup tab. I renamed the C:\Program Files\PWA\pwa.exe file to C:\Program Files\PWA\pwa.fyf and unchecked the startup line. I restarted the computer. Problem solved," Nittskoff concludes.

Rusty's Story

Recently my son got attacked by one of these programs. I eventually fixed it but it took three days, a lot of investigation and a copy of bootable Linux to get to the root of the problem. It was almost as bad as a rootkit to get rid of. Normally I would have reformatted the hard drive and reinstalled, but I was bound and determined that some punk wasn't going to get the best of me.

My son's laptop computer became infected with some sort of scareware that made multiple windows open up telling him he was infected with malware. It also displayed an ad that he could click on to purchase cleaning software for about $39 to get rid of it. At first I ran anti-virus software from Trend Micro Inc. and Lavasoft's Ad-Aware. Although Ad-Aware found some problems, it didn't fix the root scareware problem.

Had I not been so determined not to let this beat me, I would have just formatted the computer and reloaded everything. Instead I started digging deep in the OS, which was Windows XP.

I looked through all the run keys in the registry, turning off anything I could find. I also uninstalled any software that was on the system that he didn't need or use. I scoured the computer for any other auto-run stuff I could find. Multiple reboots later we still had the problem.

It was not until my son-in-law and I booted the computer with a Linux CD and started to really dig that we finally found the problem. It took us a total of 30 man-hours to clear the stupid thing up. It was only the joy of besting the programmers that kept me from throwing the laptop against the wall several times.

I stressed to my son how important it was that he stop using Internet Explorer and only use Firefox from now on. Everyone else in the house uses Firefox, and we haven't had any issues with scareware since. IE is considered the Typhoid Mary of the Windows PC in our house.

--Rusty Yonkers, senior systems engineer for a large, international insurance company

Sometimes scareware has an easy fix; other times it requires more drastic measures. Jeff Ellis, owner of Nurtell Computer Doctor, has seen both sides. "I service computers at home. When they have good backups of data or don't care about losing files, I just reload the operating system software. For one of the first clients who really wanted to try and save their pictures, I spent four hours getting rid of this annoying bogus malware," says reader Ellis.

Bill Cooper, vintner at Cooper-Garrod Estate Vineyards in Saratoga, Calif., found his daughter's computer struck by scareware. "I used Symantec's eradication instructions, but it took days of effort, and I learned more about the registry than I wanted to know."

Often the only recourse is to rebuild.

"Our HR manager brought in his home laptop and he swore he only used it to visit the Georgia Bulldog Web site," recounts Buzz Hopper, a network administrator in Ohio. "The laptop had been taken over by one of those Your-PC-Is-Infected scams.

"It's infected all right," Hopper continues. "I'm at the point now where the only recourse is to erase the hard drive. I hope there will be teeth in whatever is done to go after these companies."

Chris Riley has an even more horrific tale to tell. "I've had to reload three different computers at three different sites in the last two days. All were infected with a new version of AntiVirus2009: Pandora Software. I tried four of the standard removal and anti-malware programs to no avail on the first two machines. After spending an hour with no positive results, I decided that wiping the disk and reloading the OS was more productive than wasting time trying to remove the malware. Luckily, all three of these client computers were loaded thin and nothing pertaining to the business was lost. Granted, the users lost stuff that was only saved to the local machine, and all three users never really followed company guidelines on saving all items to their supplied folder on the server for backup. Maybe some day they'll start following guidelines, but I'm not going to hold my breath."

Sometimes, fortunately, a restart will do the trick. "I had a machine last year with this problem," reports reader Jason Strack. "A user was clicking on the supposed 'problem' messages. I think Centurion, from Centurion Technologies Inc., or some other type of freezing software that puts the computer back to a clean state upon restart is one of the best ways to deal with scareware in a large deployment."

Fighting Fire with Firemen

I'm a division chief with a south Chicago suburb fire department and also the IT manager for the same municipality. I've had about 30 PCs infected by these seemingly legitimate pop-ups. I advise my users to just pull the power plug when one appears -- no matter what they're doing at the time. For the unfortunate ones that don't, or just click the 'X' in the top right corner, they pay the ultimate data-processing price: Their hard drives go to alphabet heaven.

A few infected machines have been recovered by purchasing other anti-virus software, and these programs actually cleaned up the mess.

Most weren't so lucky.

A lot of these firefighters are instructors for the fire service and use their personal PCs for training. Hours and hours of PowerPoint presentations-movies depicting things not to do, rescues that worked by being innovative and many other facts, lessons and details that firefighters and paramedics utilize -- all went up in smoke.

The average user can't afford the hardening that a corporate entity can. Knowledge, anti-virus software, firewalls and more knowledge are our defenses against the rogue viruses, trojans and spyware that abound on the Internet.

The problem with this latest round of "You're infected" is that it has the look and feel of a real Microsoft window. My users say it happened when they were doing an update, or a "Windows screen" popped up.

Firefighters save lives. Responsible data-processing companies save time, work and usually their integrity.

When a virus takes on the look and feel of an OS company, the average user is just not going to have the tools at their disposal to know that.

Many public servants have asked, "Isn't there a law against this?" Criminal actions -- the result of damage or loss to property -- are prosecutable. Period. Microsoft and the states, if not officials at the federal and even international level, should hunt these authors down and prosecute them as felons.

A Web site that can log destructive actions, like a missing-child database, should be created, monitored and forwarded to state and federal agencies.

The next time you dial 911 and a young, aggressive and dedicated public servant comes to your aid, you should hope they studied the lessons that were on some of these PCs before those lessons were lost to immature and criminal actions.

--Tom Mullally, Evergreen Park Fire Department, Evergreen Park, Ill.

Featured

comments powered by Disqus

Subscribe on YouTube