334 comments

The worst offenders (1, Insightful)

Anonymous Coward | more than 4 years ago | (#29607109)

Are AVG for a decline in detection rates and Symantec which sucks in just about every area except preventing itself from being uninstalled. (Notable exception is their corporate product)

Re:The worst offenders (3, Interesting)

Icegryphon (715550) | more than 4 years ago | (#29607143)

Yeah it's sad when you need a second virus protection program to be safe or have things removed.
Makes me wonder how many computers percentage wise are really infected out there with back-doors.
Very scary zombies everywhere.

Re:The worst offenders (1)

EMCEngineer (1155139) | more than 4 years ago | (#29607977)

Even worse is how they have rebranded things. It used to be that you bought an anti-virus program to prevent your computer from getting hosed by viruses or whatever was out there.

So then they started on with worms, trojans, spyware, keyloggers, and on and on. 'New' threats that require different software, and more money. It is at the point where the average user is not likely to be able to protect themselves without multiple programs, and even then they probably will have to do more recovery than prevention.

That said, Norton has stopped me from getting a few actual viruses. It did absolutely nothing to prevent the drive-by downloaders from installing 'WinPro Antivirus 20XX' when I visit some websites.

Re:The worst offenders (0)

Anonymous Coward | more than 4 years ago | (#29608175)

You do realize that if you're running two AVs they stomp on each other and nothing works. I have a malware scanner, NIS 2009 and then use the online web scanners at Trend, Panda, Symantec, and one other I can't name right now to scan my systems "remotely".

OVERWHELMING SCANNERS!! (5, Funny)

TrisexualPuppy (976893) | more than 4 years ago | (#29607297)

In interesting news, a fake antivirus has caused quite the riot with women in their mid-twenties. Due to unemployed data operations programmers trying to earn some money to at least pay their bills, they have created a fake antivirus much like Windows Antivirus 2009. However, this pseudo-antivirus program is smart and employs unique data mining technologies to determine which users are likely to be attractive women in their late teens to late twenties. These victims are then targeted and scammed.
The women are targeted with an algorithm that determines how much proportional web browsing is carried out on Myspace, Facebook, email, and on online clothing shopping sites. By using a modified log-normal distribution, ex-programmers were able to create a model that determined which users were of the targeted age group 86% of the time and which were hot 49% of the time. With the statistical combination, the "antivirus" program learned which users were "hot women" and instructed them to sit on their scanners with their skirts and underwear removed, or else their computers would go up in smoke. As the demographic is generally technically illiterate, the women have been doing so, scammers have been receiving really nice butt-on-glass pictures, and the scanners themselves--especially the ones marked "HP"--have been completely overwhelmed.

MODERATORS! Who modded this down?? (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#29607377)

Mod parent up!

MOOOO0OOODDDD.DDDDDDDDSSS.SSSS.SS!!!! (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#29607917)

MOD PARENT UP

Re:The worst offenders (3, Interesting)

jayhawk88 (160512) | more than 4 years ago | (#29607357)

McAfee is bad lately as well. Completely ignored the infection of two machines on our network the other day. We had to use Malwarebytes to find on one, and interestingly enough, Microsoft Security Essentials seemed to do a good job at finding and cleaning the other one.

McAfee not even detecting these is worrisome though. We've got like 300 CPU's, all EPO protected, and for all I know they could all be infected.

Re:The worst offenders (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#29607479)

We've got like 300 CPU's, all EPO protected, and for all I know they could all be infected.

That is some serious virus, dude. I've heard legend of some that corrupt the BIOS, but actually infecting the CPU? That's hard-core.

[Sorry, but this is a nerd forum. Please speak nerd.]

Re:The worst offenders (0)

Anonymous Coward | more than 4 years ago | (#29607639)

Just curious what virus this is. We're using VSE 8.7 with the latest engine and DATs with ePO 4.0 and have had very good results. Your comment has me concerned though that we may be missing something...

Re:The worst offenders (1)

lukas84 (912874) | more than 4 years ago | (#29608125)

I'm currently in the process of migrating from VSE 8.7 to Forefront Client Protection, the for-pay version of MSE.

VSE is quite bad, since they want to upsell you to their Total Protection garbage.

Re:The worst offenders (0)

Anonymous Coward | more than 4 years ago | (#29607661)

Mind sharing what virus you found? Something that EPO does not pick up is relevant to my interests...and honestly not for nefarious reasons--my organization uses it, too.

Re:The worst offenders (2, Interesting)

jmnugent (705421) | more than 4 years ago | (#29607897)

In the organization I work for.. we are using McAfee VirusScan Enterprise + AntiSpyware Enterprise 8.5.0i....... I've noticed (almost on a weekly basis).. machines infected with various kinds of spyware (antivirus2009, AlphaAV, and other names) and McAfee seems incompetently clueless about detecting it. If I install MalwareBytes on the box.. and start a "Full Scan" (using MalwareBytes)... as it goes through touching files on the hard drive only THEN does McAfee pop up and say "Hey, you are infected with XXX". I don't know WHY that is... we seem to have the current McAfee scan engine and dat files... I chalk it up to corporate level antivirus just not being able to keep up with the fast-paced changes to spyware. I decided to never rely on a single protection product. If I suspect a machine is acting weird (even if it does have up to date antivirus).. I scan it with Malwarebytes and NOD32's free online scan. I don't think this is strictly a fault with McAfee.. I think any tool used by itself will miss something... that's why a combination approach is best. (And hey.. if you do some testing and can find patterns of McAfee not fully protecting you - that might be ammo/fodder to go back to your bosses (or McAfee rep) and push some buttons.)

Re:The worst offenders (3, Informative)

Latinhypercube (935707) | more than 4 years ago | (#29607931)

AVG 8 is so bad it makes me want to puke. It chokes my system worse than a real virus. It's a shame because up until 7.5 it ran like a dream.

Re:The worst offenders (0)

Anonymous Coward | more than 4 years ago | (#29608001)

You know it's funny you say that. I think their corporate product blows chunks, I had the 5 server license version and spent TOO MANY hours on the phone with tech support trying to support 2003 server, and their personal version (2009) is damn good.

Re:They said the old days... (1)

Nexus7 (2919) | more than 4 years ago | (#29608167)

"Who will police the police?" that's what they used to ask, in the old days.

The whole anti-virus ecosystem is amazing, come to think of it. It represents a point in our civilization where we started thinking nothing of fixing a manufacturer's product for them at our expense. When I re-image an old piece of hardware and give it to someone who can't afford a new one, I tell them to be sure and put an anti-virus on it, and they accept that as if it were the most obvious thing in the world. And having used Linux ever since my first computer, I'm the one left feeling that I was being Captain Obvious.

So how long before people accept that they have to install anti-anti-malware on their machines too?

Pay For Full Version (0, Informative)

Anonymous Coward | more than 4 years ago | (#29607149)

It makes sense to make a virus like this. My buddy got one. It said you have a virus, pay us $X for the full version of the Anti-Virus program to remove it. It was a real pain to remove as I remember.

Re:Pay For Full Version (5, Funny)

sopssa (1498795) | more than 4 years ago | (#29607215)

It makes sense to make a virus like this. My buddy got one. It said you have a virus, pay us $X for the full version of the Anti-Virus program to remove it. It was a real pain to remove as I remember.

I know, I have naively installed Symantec on my computer too...

Re:Pay For Full Version (1)

Runaway1956 (1322357) | more than 4 years ago | (#29607309)

I've had those things pop up on Linux machines, and they report dozens of infections. Once, I couldn't kill the blasted thing, nor could I close Firefox. I had to go to the system monitor, and kill Firefox to regain control of my browser. Aggravating bit of nonsense, especially since I had several windows and tabs open.

Re:Pay For Full Version (0)

Anonymous Coward | more than 4 years ago | (#29607925)

try opera for linux

Re:Pay For Full Version (0, Interesting)

Anonymous Coward | more than 4 years ago | (#29607967)

The best part comes when you start firefox again after killing it, it will automatically go back to the website you were on WITHOUT ASKING.

Re:Pay For Full Version (0)

Anonymous Coward | more than 4 years ago | (#29608069)

You are doing it wrong...

Re:Pay For Full Version (2, Insightful)

Pax681 (1002592) | more than 4 years ago | (#29608335)

yups, you get a choice of recovering session or starting a new one

not even a case of not RTFM but a case of not opening yer anonymous wee eyes!

AV2009 To The Rescue (5, Funny)

excid3 (1108239) | more than 4 years ago | (#29607179)

I'm pretty sure that Antivirus 2009 has protected me from emerging threats quite reliably.

Re:AV2009 To The Rescue (5, Informative)

Darkness404 (1287218) | more than 4 years ago | (#29607251)

Note to clueless mods, Antivirus 2009 is one of these fake antiviruses, mod them funny, not interesting....

Re:AV2009 To The Rescue (1)

excid3 (1108239) | more than 4 years ago | (#29607291)

Wasn't meant to confuse, but a quick google search produces lots of results only on removal. :)

Re:AV2009 To The Rescue (1, Funny)

Anonymous Coward | more than 4 years ago | (#29607903)

Note to clueless mods, Antivirus 2009 is one of these fake antiviruses, mod them funny, not interesting....

Antivirus 2009 saw this thread as an emerging threat, promptly made that post and used other accounts to mod it interesting/insightful.

Re:AV2009 To The Rescue (2, Insightful)

Shikaku (1129753) | more than 4 years ago | (#29607261)

Um mods? This is a joke. It's a really bad malware that's almost impossible to remove.

Re:AV2009 To The Rescue (5, Informative)

kimvette (919543) | more than 4 years ago | (#29607361)

See my other post on this subject. Antivirus XP (and variants) can be removed by hand but it's a tedious process. Malwarebytes removes it VERY easily though. With some Antivirus ($FOO) variants you do need to rename the Malwarebytes installer filename and then the executable filename but once you get the process launched it will fully automate the removal process. IMHO Malwarebytes is the very best ad/malware removal utility at the moment, with Spybot S&D and Superantispyware being tied for a very distant second.

Re:AV2009 To The Rescue (1, Informative)

Anonymous Coward | more than 4 years ago | (#29608239)

Spybot is not that good. Get the Google pack of PC Tools Spyware Doctor or maybe the new Security Essentials and use Spybot to augment it with its immunization tools.

Re:AV2009 To The Rescue (2, Informative)

Kaeles (971982) | more than 4 years ago | (#29608241)

Combofix! Go download it and use it. It will slaughter those stupid antivirus xp 200x and all that jazz. I want to make out with whoever made it.

Re:AV2009 To The Rescue (1)

jmnugent (705421) | more than 4 years ago | (#29607493)

"almost impossible" = hyperbole. Antivirus2009 is actually pretty easy to remove (relatively speaking, when compared to other modern spywares and rootkits). In fact, on many coworkers' machines, if they go hands-off the keyboard/mouse fast enough (don't click on any popups)... all you really have to do is reboot the computer. (Of course, I still do scans with multiple tools just to make sure it's clean.) Using a combination of tools (Malwarebytes, Spybot S&D, GMER, NOD32 online scan, etc.)... I've found I can clean almost 100% of machines with no ill after effects.

Re:AV2009 To The Rescue (1)

Mover (723856) | more than 4 years ago | (#29608217)

OK, Genius, How many people know not to touch anything and reboot? (Actually, you do not need to reboot, just open task manager and end the iexplorer process to kill it) Since most are conditioned by MS Windows to click on the X or the Cancel button, it is very likely that it will infect the system AND THEN it is a buick to remove. In the case of the AV09 spinoff rogueware named Windows Police Pro, I had to rebuild the OS (after backing up the data of course).

Re:AV2009 To The Rescue (1)

schnikies79 (788746) | more than 4 years ago | (#29607333)

My sister got this on her XP system. She is pretty clueless but had never managed to get any malware on her system other than this.

Took me and her boyfriend nearly 2 hours to clean it off.

Re:AV2009 To The Rescue (1)

woodrad (1091201) | more than 4 years ago | (#29607427)

Note to clueless replies and mods: WOOOOSH

Re:AV2009 To The Rescue (0)

Anonymous Coward | more than 4 years ago | (#29607803)

> Note to clueless replies and mods: WOOOOSH

Are you aware that irony tends to be invisible on the 'net?

Re:AV2009 To The Rescue (2, Funny)

Deathlizard (115856) | more than 4 years ago | (#29607695)

Av2009 sucks! Antivirus 360 is the best scanner ever! and it's only 79.95! And it also came with a great product called File Fixer Pro!

All my documents were corrupted, And this File Fixer Pro fixed them all for only $49.95! I was so relieved!

I'm also hearing great things about "Antivirus Number 1" too. After all, It's Number 1!

(Yes this is a joke. Laugh, because you'd be surprised how many times I've heard something similar to this.)

Are we surprised? (5, Informative)

Canazza (1428553) | more than 4 years ago | (#29607207)

Adverts for these things get into legitimate sites all the time through things like adwords, even though they're normally taken off quite sharpish, they're still there. They still cause problems and numpties do click on them. The old IBK error keeps appearing. As long as people aren't educated as to how this all works the problem will remain huge.

The problem with anti-virus is that every few years a new guy appears on the block. First it was Norton, then McAfee, then AVG, Kaspersky, and now whatever AV's the in-thing to use. There are new viruses out there all the time too, and if there's one thing that normal people are aware of it's that there are a lot of viruses out there, and that your AV doesn't give 100% protection, so when something pops up saying "You're infected! Our AV will cure it!" they're likely to believe that their current AV is defective, because clearly this one spotted it, they download it and BAM! world of trouble.

It's depressing sometimes, but gladly, I've not had to remove it from any PCs in a while, whenever I do I recommend they replace their browser with Firefox and Adblock plus (Not noscript, I did that once and I got bollocked for that a bit because 'using the web was too hard as he had to press buttons every site he went on', the guy was a real pleb but nevermind) - and ABP stopped all the ads, and thus, stopped them downloading and installing that shite.

Re:Are we surprised? (0)

Anonymous Coward | more than 4 years ago | (#29607467)

One thing that's remarkably consistent is that fake AV peddlers seem to be systematically not native English speakers. I can't remember the last time I saw one of their sites without some kind of typo on it. It may be worthwhile to train lusers solely based on that criterion. For a while, of course, until they're successful enough to start hiring real writers...

Re:Are we surprised? (2, Funny)

lenester (625236) | more than 4 years ago | (#29608355)

One thing that's remarkably consistent is that fake AV peddlers seem to be systematically not native English speakers. I can't remember the last time I saw one of their sites without some kind of typo on it. It may be worthwhile to train lusers solely based on that criterion.

wat r u talkng abot?

btw usa#1!!!

Re:Are we surprised? (2, Insightful)

sopssa (1498795) | more than 4 years ago | (#29607571)

The more interesting thing is the recent development in them - they've actually started to detect a small number of threats.

Combined with that and the fact that they aren't a virus but seemingly legitimate software, it makes it hard from a legal point of view. By far the only way to have them prosecuted has been for misleading marketing, which is right. But for example I installed Norton Antivirus (or the quick scanner of it to see if I had viruses). It ended up being a really hard one to delete, popping up its scan from time to time and reporting to me about *tracking cookies* and that I'd have to buy the full version to secure my system. Only after that would it clean my computer. Obviously I know better than that and didn't buy it, but it's somewhat the same marketing tactics.

It gets more interesting when the bad guys have actually made their software protect against some small number of threats too. There's no law against badly working software or an antivirus engine that doesn't detect 100% of threats, because none of them do.

It's a bad problem, but there's also problems with the law about it. imo misleading advertisement should have larger fines than now - not just in scareware, but everywhere, because it's about misleading the customer.

You've got virus! (1)

oo_HAWK_oo (1619801) | more than 4 years ago | (#29607217)

It's amazing how many people will respond to any random pop up message and install software they don't know. We need to issue computer permits. You can't drive on the information super highway until you have a permit!!

Re:You've got virus! (1)

gnick (1211984) | more than 4 years ago | (#29607587)

You jest, but I've heard compelling arguments for requesting that ISPs disconnect computers doing malicious stuff even if the owner is unaware of it until they clean up their act. I could even be swayed to believe that ISPs should be held partially responsible/liable for malicious traffic they're relaying just to convince them to enforce such measures. It puts an additional burden on ISPs, but where else can we stop clueless users from polluting our Interwebs?

Developer needed - Pop-up antivirus, LLC (0)

Anonymous Coward | more than 4 years ago | (#29607221)

Why would anyone, ever, under any circumstances click on a popup ad? For antivirus?

Who are these people, and how can I take their money somehow more legitimately?

Norton (4, Funny)

Krneki (1192201) | more than 4 years ago | (#29607253)

Still I'd rather have a fake anti-virus than Norton Symantec or Windows Live Family protection. At least the fake anti-virus will let me use my PC every now and then. :)

Re:Norton (1)

praxis22 (681878) | more than 4 years ago | (#29607611)

Actually I've never had a problem with Symantec AV, but then I've always used the corporate edition without all the consumer crud.

Yeah, very very scary... (4, Interesting)

Obfuscant (592200) | more than 4 years ago | (#29607267)

Very very scary. Not.

My netbook required an update to MacAfee ("free" from Comcast) because one part of it stopped working, and during its first scan, it started reporting a problem. Wouldn't tell me what the problem was unless I let it run for twelve hours to scan the whole system. I tried stopping it and looking at logs, I tried looking at logs while it was running, nothing other than the "ominous" 1 under "detected threats".

Turned out that it was reporting the crack program that allows me to run Duke Nukem without the CD -- since the netbook doesn't have a damn CD and I own the copy of Duke Nukem. MacAfraid called it "a program you might not want to have".

Phhhht.

Re:Yeah, very very scary... (4, Informative)

Krneki (1192201) | more than 4 years ago | (#29607351)

A classic, they are more interested in stopping you using different no-CD cracks than they are in your security.

Uninstall this crap.

Re:Yeah, very very scary... (1)

The Wild Norseman (1404891) | more than 4 years ago | (#29608129)

Turned out that it was reporting the crack program that allows me to run Duke Nukem without the CD -- since the netbook doesn't have a damn CD and I own the copy of Duke Nukem. MacAfraid called it "a program you might not want to have".

I concur with McAfee. Duke Nukem was a program you definitely did not want to have...

Major pain (3, Informative)

zip_000 (951794) | more than 4 years ago | (#29607307)

I've been losing this battle with the staff where I work; they just can't seem to understand that it is itself spyware and/or viruses. I've had to remove this crap from 5 or 6 computers in the last month alone.

Re:Major pain (4, Informative)

Krneki (1192201) | more than 4 years ago | (#29607379)

Start with removing them from local Admin group for a start.

Re:Major pain (2, Insightful)

Runaway1956 (1322357) | more than 4 years ago | (#29607499)

"Start with removing them from local Admin group for a start."

I'll second that. Make sure they have no privileges outside their specific job description. If "Limited User" isn't good enough, go to group policies and restrict them there. Lock the user down tight, and he won't be able to run these scripts or install anything. No mercy - if you have to protect a dumbass from himself, protect him. You wouldn't let your toddler play in traffic, would you?

Re:Major pain (1)

cnvandev (1538055) | more than 4 years ago | (#29607899)

It's undoubtedly your trusting & respectful attitude that makes your workplace a wonderful place to get things done. What ever happened to educating people about what the problem is with this software? I wouldn't go so far as to say start holding classes, but if it's a continuous problem there's nothing stopping you from sending out a mass e-mail telling them that there are fake things on the internet that people need to watch out for. Mention the extreme security risk, include lots of pictures and borrow a copywriter from Marketing for a half hour to make something people will actually read, instead of dismissing like "another IT e-mail," and you just might reduce some problems. Management & people skills shouldn't be just for the guys in the suits.

Want a car analogy? What if AAA took away your keys and left you with the valet one every time you locked your keys in the car, or your insurance company installed a camera on your dashboard [slashdot.org] to make you paranoid and start to do that check-your-mirror-every-3-to-5-seconds thing you did while taking driving lessons and then immediately stopped once you passed your test.

Sure, it's your job to take care of the company's computers - and this involves keeping them clean and virus-free - but power-tripping with technology most people don't understand properly (or understand only as deep as they need to do their jobs) doesn't help anyone. Neither does a "no mercy" policy.

Re:Major pain (1)

number17 (952777) | more than 4 years ago | (#29608101)

Want a car analogy? What if AAA took away your keys and left you with the valet one every time you locked your keys in the car, or your insurance company installed a camera on your dashboard [slashdot.org] to make you paranoid and start to do that check-your-mirror-every-3-to-5-seconds thing you did while taking driving lessons and then immediately stopped once you passed your test.

It's more like your co-worker uses the company car and you are the mechanic. Every time he comes back with the car it looks like it was used in a massive orgy and car fluids are leaking all over the place. You start the engine to see what's wrong and it shuts itself off.

You continuously let the guy know the problems he's causing but he is still going to invite the hookers into the car.

How much of your time do you spend fixing things? The workstation is a tool for performing a set of work tasks. If they can continue to do their job with a "no mercy" policy then what's the problem? It's like putting a giant piece of plastic on the seats and when they leave the car it all gets removed. They can still let the hookers in but won't get things dirty.

Re:Major pain (1)

Runaway1956 (1322357) | more than 4 years ago | (#29608215)

Point taken. I'll make a counter point, though. I'm not a people person. I don't hang at the water cooler to chat with people, because I just don't give a damn about the gossip. I don't care that the secretary's daughter's cheerleading team won an award, don't care that the forklift driver just bought a new motorcycle - I'm not a people person. I'm sure as hell not going to make some eye candy presentation to teach people about the hazards involved. I'm willing to send an email, telling them how stupid it is to install this crap, and detail how and why it's stupid.

If they can't or won't learn from a simple email explanation - I call trump with my authoritarian mindset. I'm responsible for the network, which implies the authority to put policy in place to protect the network. Anyone who failed to learn from my email WILL bow to authority when he is locked out. I just don't give a crap how offended he might be. We can go together to the front office, to explain the situation to the boss. No problem.

Re:Major pain (1)

lukas84 (912874) | more than 4 years ago | (#29608251)

I'm sorry, educating 9-5ers is impossible. They're just there for the money and don't give a shit how much work they cause others that take their job seriously.

Re:Major pain (2, Interesting)

EMCEngineer (1155139) | more than 4 years ago | (#29608087)

Yeah, except that won't necessarily fix the problem. I got caught by a drive-by downloader on my work laptop, where I do not have admin privileges. I didn't click on anything, or agree to download anything. I merely visited a popular webcomic - then bam, install script trying to give me AntiVirusPro2010 or something along those lines. I got rid of it easily enough with MalwareBytes, but I couldn't even use safe mode to run HijackThis because I have no admin privileges.

Re:Major pain (1)

jgtg32a (1173373) | more than 4 years ago | (#29607617)

We do this too, we also randomly remove people who were in the group as well, to see if they complain

Re:Major pain (1)

jayhawk88 (160512) | more than 4 years ago | (#29607437)

Tell me about it. We've had to resort to sending out emails with screenshots of various Antivirus 2009 screens cribbed from ISC and other places. "Hey, see this? Don't click on it". And I know it won't do a damn bit of good.

Re:Major pain (2, Informative)

Deathlizard (115856) | more than 4 years ago | (#29607787)

Laws of computer stupidity
1) 99% of computer users do not know what they are doing.
2) Computer users do not read.
3) If a computer user can click on it, they will.
4) You can patch software, but you can't patch stupid.

Understanding the above when making your corporate system build will pay off in the end.

We need more severe penalties... (1)

drew_92123 (213321) | more than 4 years ago | (#29607323)

Start chasing these guys down and giving them 10 years with no chance for parole... or better yet, look the other way when a mob hunts them down and breaks their knees...

Combofix (5, Informative)

Anonymous Coward | more than 4 years ago | (#29607329)

I'm posting to say: COMBOFIX. This thing magically removes Antivirus 2009 and 2010, even the rootkit versions that MBAM falters on (or that prevent MBAM from running, even in safe mode).

http://www.bleepingcomputer.com/combofix/how-to-use-combofix [bleepingcomputer.com]

Use it. Love it. Marvel at its simplicity, its beauty.

Re:Combofix (1)

SatanClauz (741416) | more than 4 years ago | (#29608203)

someone put this under the article pls

I THANKFULLY found combofix about a year ago and it's always on my jump drive now :)

They're well-written (4, Insightful)

kimvette (919543) | more than 4 years ago | (#29607335)

Those are some of the best-written software out there. No, really! The first time I encountered the more advanced ones, almost no malware detection/removal software could detect them, and none of them could remove that malware. It was on a system for a friend where reformat/reinstall was not really an option (would have taken more time to do that) so I dug into it. It took 26 hours to completely remove the crap from the system - it had strewn source files through the Windows and System Restore directories, had several hidden processes which monitored process killing and file deletion and would modify, recompile, and reinstall multiple copies of itself again.

A few weeks later Malwarebytes and Spybot S&D were updated and could easily remove any variant I've come across since then. The first time I hit it was a pain in the neck, then it was routine removal of it for a few weeks (a bit time consuming but not nearly so much as the first time) and then it became a simple matter of renaming the Malwarebytes and Spybot S&D installers, renaming the installed executable and running them. Ad-Aware couldn't detect them - and it's a shame. Ad-Aware is pretty much useless now. It seems that once they gained commercial viability they became complacent.

The douchebags who write that software aren't stupid. Malware is getting to be extremely well-designed and it's a damned shame those authors aren't doing more productive work.

Re:They're well-written (1)

Ephemeriis (315124) | more than 4 years ago | (#29607627)

Those are some of the best-written software out there. No, really! The first time I encountered the more advanced ones, almost no malware detection/removal software could detect them, and none of them could remove that malware. It was on a system for a friend where reformat/reinstall was not really an option (would have taken more time to do that) so I dug into it. It took 26 hours to completely remove the crap from the system - it had strewn source files through the Windows and System Restore directories, had several hidden processes which monitored process killing and file deletion and would modify, recompile, and reinstall multiple copies of itself again.

It isn't that they're especially well-written... They may be, I don't know. The problem is that the mainstream anti-virus/malware stuff (like Panda, Symantec, McAfee, etc.) does basically nothing for them. You need to use tools like - as you suggest - Malwarebytes and Spybot. Of course there's some lag between when something new comes out and when definitions get updated... But that's always been the case. If you're one of the first infections of anything it will be a pain to remove.

Ad-Aware couldn't detect them - and it's a shame. Ad-Aware is pretty much useless now. It seems that once they gained commercial viability they became complacent.

Agreed. We used to throw Ad-Aware at pretty much any computer that came through our door. We'd routinely recommend it as a complement to whatever antivirus the client was using. These days it is crap. Not even worth the time it takes to download.

Best Apple marketing ploy EVER (0)

Anonymous Coward | more than 4 years ago | (#29607909)

Your comment about the quality of malware made me think... Who benefits from these programs? What would cause a rapid migration from PC to Mac more than a rapid escalation of virus problems?

My father has a Thinkpad running XP. I am the one who advised him to get this machine about 4 years ago. It served him well, except that he falls for social engineering ploys that are common in spam and virus infected e-mail. I recently spent several hours helping him get rid of "Windows Anti-Virus Pro". It was not fun; he lives hundreds of miles away. I was on the phone advising him on how to diagnose and repair his crippled computer. His next machine will be a Mac. One more incident like this, and Dad's Thinkpad goes on Craigslist. Something tells me it won't be long. I would convert the machine to Linux, but I think it would require more training time than I currently spend on his Windows problems. On a Mac, he would be pretty much self-supporting.

Who benefits? And the stuff is high quality? Harassing the customer until he switches? This is exactly what MS would do to its competitors if they could figure out a way to pull it off.

Re:They're well-written (1)

dword (735428) | more than 4 years ago | (#29607955)

I would like to congratulate the writers of that malware. I would also like to honestly congratulate you for finding the way to removing it in 26 hours!

While I always advocate full reinstall (3, Informative)

Sycraft-fu (314770) | more than 4 years ago | (#29608299)

for compromised systems, one thing that works great in the cases where you can't is Process Explorer from Microsoft. It is a more detailed task manager so you can get more information on processes. That itself isn't useful. However, what it can do is suspend processes. You choose a process and there's a suspend option, as well as killing it. Well, what that does is allow you to shut this stuff down, but its watchdog process doesn't notice. It is still "running" it just doesn't get CPU time. So the main process can't stop you from modifying the system, and the watchdog doesn't know to reload it.

You then can make use of Autoruns, also from Microsoft. That shows you everything that starts up on your system. Use that to track down and remove the startup of the processes. Reboot to clear the file locks (or boot to a live CD), and delete the files.

I can get rid of all the malware I've thus far encountered manually using those tools and spending some time. We have to do it sometimes because professors refuse to let us reinstall, even though that is the best option, since I can never be 100% sure I cleared all threats.

What we need... (0)

Anonymous Coward | more than 4 years ago | (#29607337)

What we need is a website that offers rewards for killing these people. Of course, it'll have to be disguised as a 'death pool' sort of thing, where people 'guess' when a particular person will die (and by what means)

Re: Fake Antivirus Overwhelming Scanners (3, Interesting)

ahuger (1648027) | more than 4 years ago | (#29607375)

That number in itself should not surprise anyone. Many threats which are using the web as their primary introduction vector are using server side polymorphism. The sheer volume which the APWG is calling out really only reflects that a lot of people are downloading the rogue AV packages. Of course, given the nature of malware collections there is a very strong chance that many of those people already had 'real' AV which detected it, hence the sample being sent to an AV company in the first place. Of course crawling and honeynets will account for some of the sample set but not the majority. The assertion that this is only the tip of the iceberg is likely true given no AV vendor has an omnipresent view of the world but I am not convinced it's any worse than a plethora of other highly deployed threats. Bluntly, they are all out there in gut wrenching numbers. The rise in rogue AV is driven by the fact that it's gaining in popularity with malware distributors because it's a fast, proven revenue source. In some cases they may even skirt the law on whether it's even illegal. Remember, some of these things have rudimentary AV detection capabilities. -al Immunet Corp

Getting these all over the place (5, Informative)

Girtych (1345935) | more than 4 years ago | (#29607483)

I work for an IT department here in California, and we get about three fake-antivirus-infected computers every week. Lately, the malware's been getting more difficult to remove - it's been hooking into system processes so that it can continually replace itself if part of the program gets deleted.
Thankfully, we've found a fairly nice remedy that doesn't force us to wipe the hard drive. Don't bother with Ad-Aware or Spybot S&D anymore - they've become very ineffective as of late.

First we hit it with a scan from Malwarebytes Anti-Malware, a free scanner you can download here: http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol [cnet.com]

Then, on the infected computer, we download and run (in safe mode) a somewhat obscure free program called Combofix, which is available here: http://www.combofix.org/ [combofix.org]

After that, we run one more follow-up scan with Malwarebytes to ensure that the computer is clean.

So far, this combination of steps has eliminated the infections that we've come across.

Re:Getting these all over the place (4, Informative)

Ephemeriis (315124) | more than 4 years ago | (#29607755)

There seems to be very little response from the traditional/big/mainstream antivirus companies.

We usually install something centrally-managed for our clients, like Panda or Symantec. They do a decent job of stopping viruses, and it makes for less work for us... But they do absolutely nothing for these new rogue things. They don't get detected, they don't get blocked, they don't get removed... Nothing at all.

You wind up having to actually sit down at the machine and run through a battery of individual scans... Slaving the HDD to another machine, booting into safe mode, booting into normal mode... Far more time-consuming than I'd like.

Re:Getting these all over the place (1)

kimvette (919543) | more than 4 years ago | (#29608149)

The ones that are truly lovely are the ones that patch the Windows Restore directory tree with binaries and source. Those are really nasty!

Re:Getting these all over the place (4, Informative)

Z34107 (925136) | more than 4 years ago | (#29607833)

^This.

I work help desk at the college I'm enrolled at, and removing this virus and its variants from student laptops is pretty much the entirety of my job description.

I recommend running ComboFix first, because it will generally neuter a virus enough for MalwareBytes to install and remove it. If the virus keeps ComboFix from running, rename it to magickitties.exe - some kill AV processes by name.

Anything more interesting than that, download the free Windows AIK [microsoft.com]. Make an image of the drive using ImageX. Mount the image (and the registry hives on the image) on a clean PC and do a scan on that. Reimage the PC with the clean image.

Just creating an image with ImageX is sometimes sufficient to remove the rootkit portions. ImageX is file based, and the rootkit portions hide from the MFT. ImageX simply fails to gather the rootkit portion, because it hides too well.

Usually, all it takes is 10 minutes of letting ComboFix run and 30 minutes of letting MalwareBytes run. Very slick.
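As an added example (my code, not Z34107's or Sycraft-fu's), here is a PowerShell script that does the "mount the hives on a clean PC and look" step from this post for the HKLM Run/RunOnce keys, and doubles as the Autoruns-style startup hunt from the Process Explorer/Autoruns post above when run against the live machine. The offline hive path, the `OfflineSoftware` mount name and the "outside Windows or Program Files is suspect" heuristic are my assumptions, not anything the posters stated.

```powershell
# Added example, not code from any poster: list HKLM Run/RunOnce autostart
# entries from the live machine or from an offline SOFTWARE hive taken from a
# mounted ImageX image, flagging executables that live outside the usual
# Windows / Program Files directories. Run from an elevated prompt.
param(
    # Offline hive, e.g. D:\mount\Windows\System32\config\SOFTWARE (placeholder
    # path). Leave empty to inspect the live HKLM\SOFTWARE hive instead.
    [string]$OfflineHive = ''
)

$mountName = 'OfflineSoftware'          # arbitrary name we load the hive under
$root      = 'HKLM:\SOFTWARE'

if ($OfflineHive) {
    & reg.exe load "HKLM\$mountName" $OfflineHive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe could not load hive '$OfflineHive'" }
    $root = "HKLM:\$mountName"
}

# Autostart locations to inspect (per-user Run keys live in NTUSER.DAT and are
# not covered here). Wow6432Node only exists on 64-bit installs.
$subKeys = @(
    'Microsoft\Windows\CurrentVersion\Run',
    'Microsoft\Windows\CurrentVersion\RunOnce',
    'Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Heuristic: an autostart whose image is outside these trees deserves a look.
# Paths in an offline hive refer to the infected system's drive letters, so the
# usual C:\Windows and C:\Program Files prefixes are assumed here.
$trustedPrefixes = @('c:\windows\', 'c:\program files\', 'c:\program files (x86)\')

# Metadata properties Get-ItemProperty adds to every result; not registry values.
$psMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-ImagePath([string]$command) {
    # Reduce a Run value ("C:\path\x.exe" /arg or C:\path\x.exe /arg) to its
    # executable path. Variables such as %SystemRoot% are expanded with this
    # machine's environment, which is a reasonable approximation for an offline hive.
    $command = [Environment]::ExpandEnvironmentVariables($command)
    if ($command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($command -split '\s+', 2)[0]
}

function Get-AutostartEntries {
    $entries = @()
    foreach ($sub in $subKeys) {
        $key = Join-Path $root $sub
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($psMeta -contains $p.Name) { continue }
            $image   = (Get-ImagePath ([string]$p.Value)).ToLowerInvariant()
            $trusted = $trustedPrefixes | Where-Object { $image.StartsWith($_) }
            $entries += New-Object PSObject -Property @{
                Suspect = -not [bool]$trusted
                Key     = $sub
                Name    = $p.Name
                Image   = $image
            }
        }
    }
    return $entries
}

try {
    # Suspect entries first; compare them against what the infected user installed.
    Get-AutostartEntries | Sort-Object Suspect -Descending |
        Format-Table -AutoSize Suspect, Key, Name, Image
}
finally {
    # Always unload an offline hive, otherwise the image cannot be unmounted.
    if ($OfflineHive) { & reg.exe unload "HKLM\$mountName" | Out-Null }
}
```

The same loop works on an offline NTUSER.DAT for the per-user Run keys, which is where many rogue AV packages register themselves.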

Re:Getting these all over the place (0)

Anonymous Coward | more than 4 years ago | (#29607937)

I wish I could personally kiss the creator of Combofix - it is probably one of the best programs out there for removing many of these, or at least helping you to get a handle on the situation. The person/persons who created it, I salute you!

Re:Getting these all over the place (1)

Deathlizard (115856) | more than 4 years ago | (#29608077)

I love our campus laptop program for this very reason.

If we get one of these viruses, we swap their hard drive with a preimaged one then clean and copy "my documents", "desktop" and "favorites" from the old drive to the new one, then wipe and image the old drive for the next person.

This way we know the virus is totally dead, since so much crap these days rootkit your box right off the bat.

There are viruses that nothing truly removes. My favorite is still TDSS. There was a variant that would reside in the recycle bin, rogue DHCP the network to spread (Which Bradford Campus Manager would block at the switch thank god.) and would infect a clean machine because it would add an autorun.inf to the system drive to rootkit explorer.exe, so using My Computer on another PC and double clicking on the drive looked perfectly normal but infected the host OS. Any PC infected with it had to be touched with kid gloves or you would be wiping 2 machines.

Re:Getting these all over the place (1)

bfagan (71306) | more than 4 years ago | (#29608091)

Funny, but just a few weeks ago I had to remove one of these things from a friend's computer. His vertical software provider had run Malwarebytes without success. I tried a couple things, but was only successful after booting with Linux and running ClamAV, then booting in safe mode and running ComboFix, then Spybot. Finally, it was gone. I confirmed with Malwarebytes and another run of Spybot.

Total time 6 hours.

Re:Getting these all over the place (1)

dword (735428) | more than 4 years ago | (#29608293)

A single scan isn't enough and you should scan your computers with multiple competitive scanners simultaneously. We need something stronger that can protect against many kinds of holes. Until recently, I've been quite satisfied with ESET's NOD32 and I had even considered purchasing a couple of licenses for home use, but their anti-trojan team seems to have taken a long break. Then, I realized: antivirus products protect well against viruses that look for holes in the software, not against trojans that look for holes in the brain of the computer user. Because everything is getting very social on the Internet, malware writers also focus on social patterns. Antivirus writers should also get with the times and they could start writing their own patches for Microsoft Windows and release them in their product. You guys could make it really big, now that Microsoft fucked up with WGA and everybody knows that patching Windows XP is a disaster if you have sensitive software installed. Yes, you would be doing Microsoft's work, but you would be getting paid for it, and I don't see any harm in that.

Good luck!

frustrating as hell (4, Interesting)

Ephemeriis (315124) | more than 4 years ago | (#29607525)

What really annoys me is the fact that the mainstream antivirus products (Panda, Symantec, McAfee, etc.) do such a crappy job of dealing with these rogue antivirus things. Most of them don't do a thing. Don't detect the rogue stuff, don't disinfect it, nothing.

Which means that we have to use something like Malwarebytes or Spyware Doctor to remove them.

This is especially annoying for us... We're outsourced IT for our clients. We aren't there every day to take care of everything they need. We set things up as safely and securely as we can, manage it all as best we can, but we can't lock things down as tightly as I'd like because these folks need to be able to operate without us - installing their own software and updates, things like that. So it's only a matter of time before one of our clients stumbles into one of these rogue antivirus products.

Does anyone know of a good, centrally-managed (like Symantec or Panda) anti-virus/malware package that actually detects these rogue things?

Disaster for Regular Users (1)

Clovis42 (1229086) | more than 4 years ago | (#29607629)

I got to fight with Windows Police Pro after it got onto my Mom's computer. It pretty much makes the computer useless. It even changed the file registration for .exe's and .com's. Luckily, after fixing the registry I was able to get Malwarebytes working and got things running again.

My wife later told me about someone at work getting something similar. She asked what to do and I started rambling on about all the steps. She then asked what this non-techie should do. I had no idea. Find a geek or pay for one at Best Buy or something? It looks like that option would cost about $200! Maybe this is a good opportunity to buy a new computer? If I hadn't been able to help my Mom she would pretty much not have a usable computer now.

Anyone have advice for the average (or below average) joe on what to do when they are stuck with this? What advice is even good to avoid this? Don't install anything from the internet?
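The .exe/.com association hijack described in this post is easy to check for and undo. As an added example (my code, not Clovis42's), this PowerShell script compares the associations with the stock Windows defaults and, with `-Repair`, writes them back; it assumes no policy or legitimate tool has changed the `exefile`/`comfile` defaults.

```powershell
# Added example, not code from any poster: verify that the .exe and .com file
# associations still point at Windows' own handlers, and optionally restore
# them. Some rogue AV variants rewrite these so every program launch goes
# through the rogue first, which is why other cleaners then fail to start.
param([switch]$Repair)   # without -Repair the script only reports

# Stock defaults (assumption: no policy or legitimate tool has changed them).
$expected = @(
    @{ Ext = '.exe'; ProgId = 'exefile'; Command = '"%1" %*' },
    @{ Ext = '.com'; ProgId = 'comfile'; Command = '"%1" %*' }
)

function Get-ClassesDefault([string]$subKey) {
    # (default) value of a key under HKEY_CLASSES_ROOT, or $null if the key is absent.
    $path = "Registry::HKEY_CLASSES_ROOT\$subKey"
    if (-not (Test-Path $path)) { return $null }
    return (Get-ItemProperty -Path $path).'(default)'
}

function Test-Association($entry) {
    # Returns problem descriptions; returns nothing when the association is intact.
    $problems = @()
    $progId = Get-ClassesDefault $entry.Ext
    if ($progId -ne $entry.ProgId) {
        $problems += "$($entry.Ext) maps to '$progId', expected '$($entry.ProgId)'"
    }
    $cmd = Get-ClassesDefault "$($entry.ProgId)\shell\open\command"
    if ($cmd -ne $entry.Command) {
        $problems += "$($entry.ProgId) open command is '$cmd', expected '$($entry.Command)'"
    }
    return $problems
}

function Repair-Association($entry) {
    # Rewrite both defaults. Needs an elevated prompt. Writes through HKCR land
    # in HKCU\Software\Classes when a per-user copy of the key exists, so check
    # HKLM\Software\Classes as well if the problem comes back after a reboot.
    $extKey = "Registry::HKEY_CLASSES_ROOT\$($entry.Ext)"
    $cmdKey = "Registry::HKEY_CLASSES_ROOT\$($entry.ProgId)\shell\open\command"
    foreach ($k in $extKey, $cmdKey) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    Set-ItemProperty -Path $extKey -Name '(default)' -Value $entry.ProgId
    Set-ItemProperty -Path $cmdKey -Name '(default)' -Value $entry.Command
}

foreach ($e in $expected) {
    $problems = Test-Association $e
    if (-not $problems) { "OK    $($e.Ext)"; continue }
    foreach ($p in $problems) { "BAD   $p" }
    if ($Repair) {
        Repair-Association $e
        "FIXED $($e.Ext)"
    }
}
```

While `exefile` is hijacked, powershell.exe itself launches through the hijacked handler, so run this from safe mode or from a console that was already open before the infection.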

Re:Disaster for Regular Users (3, Insightful)

Girtych (1345935) | more than 4 years ago | (#29607751)

1. Don't use Internet Explorer. I swear that most of the infections I've run into are from compromised websites using exploits that target IE.

2. Don't install anything - ANYTHING - from the internet unless you know exactly what it is. Even then, you might want to run a quick scan on it. Most virus scanners add an option to the right-click context menu to make this simple.

3. If you see anything saying "your computer may be infected" or something along those lines while browsing the internet, ignore it. It's a downright lie. Even if it looks legit. When in doubt, call a tech.

4. In the event that you get infected, call a tech, or if you're brave enough, follow the steps I outlined in my previous post here [slashdot.org].

Re:Disaster for Regular Users (1)

Attila Dimedici (1036002) | more than 4 years ago | (#29608039)

If you can turn it over to a geek for about two days (how long depends on the computer, some I can scan and clean in a couple of hours, some take longer), they should be willing to fix it for under $100. It really takes very little of my time to clean these, a couple of minutes to install software then let it run until it has finished scanning (maybe reaching over and clicking "ok" every now and again) while I work on other things. If I can work at it at my leisure in between working on other projects, I figure it takes about an hour of my time to clean it up.

Re:Disaster for Regular Users (1)

jggimi (1279324) | more than 4 years ago | (#29608151)

Maybe this is a good opportunity to buy a new computer? ... Anyone have advice for the average or below average joe on what to do when they are stuck with this?

Buying a new computer will help your local economy, and of course, computer vendors. But you need not go that far.

Your computer vendor included one or more methods for something called disaster recovery. This will either be a bootable Compact Disc, or, perhaps a special keyboard sequence to use during power-on. The end result will be to have your computer's data storage, including the OS and applications, revert back to an as-shipped-from-the-factory state. Of course, just like buying a new computer, it will have none of the data you put there since turning it on the first time: files, settings, address book entries, browser bookmarks.... all will be gone.

For instructions, look in that drawer where you tossed everything that came with your computer. Hunt for your Owner's Manual. There will be instructions within. Hunt for the Recovery CD, if there is one.

Obviously, this is an imperfect solution, but similar to buying a new computer, without the expense. In both cases, one must re-install all 3rd party applications, and restore configurations and files from a prior backup.

Unfortunately, users who need to ask questions like yours have likely never taken a backup, and wouldn't even necessarily know how. Since Slashdot is not the place for such instruction, I recommend practicing your Google Fu, Grasshopper.

Another +1 for MalwareBytes Anti-Malware (2, Insightful)

Anonymous Coward | more than 4 years ago | (#29607671)

You know MBAM is good when the newest variants of this shit specifically prevent its installer and the application itself from running (unless you rename them).

Whoever is responsible for this fake antivirus and security software should be killed slowly and painfully over a period of weeks. Like, torture them to near the point of death and keep a couple medical personnel on hand to nurse them back to health so you can start over again, and repeat the process a few times. And put videos of it on YouTube for the enjoyment of all of us who have to clean that shit off computers.

Microsoft AV, Free Counterparts... (1)

Xin Jing (1587107) | more than 4 years ago | (#29607753)

I'm not ashamed to admit that I use three different security programs to protect my XP pc that I got from Download.com: AVG Free, Zone Alarm Free and Advanced System Care Free.

I'm sure there's some overlap in functionality and there's more stuff running in the background precipitating the need to run a ram monitor to watchdog the whole mess, but the result is that nothing yet has gotten through so I guess it's doing its job. Something that hasn't changed with the free products is that there is a lot of user-approving that is required. I guess those are the equivalent of 'nag screens' that are designed to wear people down and get them to upgrade to the paid version.

On the AV front what I find interesting is that several years back, I recall Microsoft including an antivirus program with its OS (I want to say DOS 6 but it could have been Win3.1) that was displayed during the install screen slideshow. Even now, when I go into Security Manager in XP, it's very clear that MS has never filled this empty space with a proprietary product. Was a true proprietary AV in Windows product merged with OneCare? To not have seen an official MS retail (or free version!) of an AV product after all these years seems like a missed opportunity.

Motivation (5, Interesting)

99BottlesOfBeerInMyF (813746) | more than 4 years ago | (#29607775)

This is all the free market working against the unfree market. In a free market competitors work to make the best product to make the most money. Right now, that's malware writers, each trying to outdo one another and make the best trojans to get the most bots and personal info.

In a free market consumers would buy computers best suited to deal with this threat, with defenses that appropriately reduce this threat to a small subset of their customers. But, since we have one player with a huge amount of influence on the desktop OS market, with huge influence on computer makers and other markets and who has built substantial barriers to prevent consumers from trying other options, desktop OS's are not adapting appropriately. Why should they if it is not losing them significant money?

Trojans aren't some unsolvable problem, but for the most part they are a problem that needs to be dealt with at the OS level. Add on software from computer makers is only going to be partially effective. SELinux, for example, does a reasonable job of mitigating trojans in the secure workstation market, but has not been adapted to the consumer desktop market as yet because it requires integration on the part of application developers and there is no real motivation to do that. Linux and OS X desktops don't face significant levels of attack. Windows doesn't lose real money when it fails to defend against them. Why would anyone who understands the benefits of free market capitalism expect anything but to have malware writers win? They have direct, financial motivation.

Seriously, MS could easily create a sandboxed backwards compatibility layer (they already have). They could easily require all software that did not have a proper signature and an ACL to run in a restricted sandbox. They could dump money into crafting a good UI for it and motivating developers by restricting access to new, useful APIs. The real question is, why should they, as a business, spend that money?

I have a modest proposal that will solve this problem and a lot of other problems all stemming from the same cause. Break up Microsoft. Seriously. They're repeat offender antitrust violators. Break them up and give at least two new companies complete rights to use all the source code and patents and an equal portion of the human resources and capital. Forbid these companies from any nonpublic communication or any agreements they don't offer to other companies with the same terms.

When you have executives at MS-A and at MS-B both realizing they have to do something to win sales contracts from Dell and HP and Sony and Asus guess what, they'll have to compete. Then their financial well being will depend upon which can deliver a better product at a lower price. Neither will be able to strong-arm customers or people in other markets. They'll have motivation to fix the flaws in Windows and the accompanying software that people have been learning to work around for decades. And neither company will have to worry about antitrust concerns and will be able to bundle whatever crap they want including their version of IE. I'd be willing to bet if our justice department had the balls, the malware problem would be a minor annoyance in 5 years time.

The Flaw In "Additional Safety Software" (3, Insightful)

EXTomar (78739) | more than 4 years ago | (#29607901)

Isn't it about time to start asking Microsoft to fix the system instead of installing additional software that helps cover up the flaws? The reason why they went with this is that it is cheaper to offer "feature rich environment" but cover the holes with "additional safety software" than it is to make sure the "feature rich environment" is correct let alone sane or safe. The weakness has always been the "additional safety software" part. If legitimate software can be "additional safety software" then illegitimate software can be "additional safety software" as well.

Who validates what is legitimate "additional safety software"? The AV Industry? Microsoft? These guys aren't exactly impartial and at an abstract level represent a conflict of interest. Should it be left up to the user? If the user was qualified to do that they wouldn't need "additional safety software". This is a gigantic losing battle where we have long since passed the point where we need more AV and UAC "protection" and start closing loopholes and flaws in the Windows OS and architecture.

Linux is the best antivirus I have found (1)

cenc (1310167) | more than 4 years ago | (#29608141)

No viruses. Not one, and not a single Windows computer is permitted to connect to my network. I keep one copy of windows in one box. It is a cardboard box in my closet under some books and smelly socks. It has not gotten a single virus either.

I do have to keep a friggin' virus scanner on my mail and files coming from outside my network, so I don't simply pass them on to other windows computers if the files ever leave my network. It pisses me off that I have to waste time and resources on protecting windows computers that are 100% banned from my office network, not to mention wasting resources on sorting spam and other security threats that all the bots turn out from those infected computers.

Why is there not a class action lawsuit against MS for the damage their product does to those that are not MS customers (they should get their share too)?

Re:The Flaw In "Additional Safety Software" (1)

99BottlesOfBeerInMyF (813746) | more than 4 years ago | (#29608301)

This is a gigantic losing battle where we have long since passed the point where we need more AV and UAC "protection" and start closing loopholes and flaws in the Windows OS and architecture.

The core flaws are that Windows does not clearly provide the user with appropriate information on who is providing a given application and if that is a reputable source or an anonymous provider. Windows does not allow users to run software within a sandbox with permissions appropriate to the software, by default. Windows does not clearly provide granular controls and feedback on what a given application wants to do and what risk this entails. Further, when it comes to determining trust, MS has failed to make this valuable information a competitive market to motivate creation of the best data. Windows still has a lot of duplicate services running on average because MS insists on using proprietary services for interaction between Windows machines and third parties have to implement standards compliant services for interoperability with everything else. Finally, Windows machines still have a significant number of vulnerabilities due to methodological lack of an ongoing security policy for development (although this is improving significantly).

I would note, UAC isn't a bad concept, just a terrible, terrible implementation with a user interface and default settings that make it unusable.

Re:The Flaw In "Additional Safety Software" (3, Insightful)

lukas84 (912874) | more than 4 years ago | (#29608303)

AppLocker fixes this in properly managed environments.

But there is no way, for any OS, to fix "user willingly downloads malware and runs it".

Practice Safe Internet (0)

Anonymous Coward | more than 4 years ago | (#29608003)

Use a 'Buntu.

I blame Google (1)

tirnacopu (732831) | more than 4 years ago | (#29608097)

This is in a big part triggered by our increased dependence on search engines, instead of common sense and stricter ICANN regulations, that would educate us to go to something like bitdefender.com or mcafee.com
Quick case study: let's type "best antivirus software" in Google, Bing and Yahoo. First links, for all three, are not antivirus vendors but shady "review" sites like toptenreviews.com. Immediately on entry, toptenreviews tried to sell me their own "security configurator" thing. Also, all "buy now" links for the listed antiviruses go to interesting domain names like jdoqocy.com and kqzyfj.com.
Check http://anti-virus-software-review.toptenreviews.com/ [toptenreviews.com] for yourself, or any other similar site.

Seizing assets? (1)

Dogbertius (1333565) | more than 4 years ago | (#29608107)

I'm wondering if anyone else has considered this: A legal agency lets this thing get installed on an isolated PC. They then pay for this trojan (i.e. the extortionist fee for temporarily disabling the fake antivirus for a year), and, making good use of the powers they have, simply have the bank account receiving these funds or credit card payments frozen, the owner jailed, etc etc. Even if it's an off-shore account, surely the US could apply some pressure or invade.

Is a Hardware based OS the answer? (1)

popo (107611) | more than 4 years ago | (#29608295)

If viruses change the way a system functions, wouldn't it just be safer to burn the OS into a chip?

Seriously, I'm happy with Windows XP. I never need to change it, and MSFT certainly isn't maintaining it anymore.

Couldn't we just burn XP to a chip and be done with the virus problem forever? Or is there always a need for external (non read only) files?
