Another great article from Brian Krebs.

Fake Antivirus Industry Down, But Not Out

Many fake antivirus businesses that paid hackers to foist junk security software on PC users have closed up shop in recent weeks. The wave of closures comes amid heightened scrutiny by the industry from security experts and a host of international law enforcement officials. But it’s probably too soon to break out the bubbly: The inordinate profits that drive fake AV peddlers guarantee the market will soon rebound.

http://krebsonsecurity.com/2011/08/fake-antivirus-industry-down-but-not-out/

Certifiedbug.com

Scareware Industry lull

Graham Cluley

Thousands of Twitter users are finding that their accounts have been tweeting out malicious links without their permission, pointing to a fake anti-virus attack.

If you make the mistake of clicking on one of the malicious goo.gl links you are ultimately taken to a website which attempts to scare you into believing that you have a virus problem on your computer. You are then frightened into installing malicious code on your PC, and asked to pay money to disinfect your systems.

http://nakedsecurity.sophos.com/2011/01/20/fake-anti-virus-attack-twitter-via-goo-gl-links/

Certifiedbug.com

Fake anti-virus attack on Twitter

Malware that has already passed through various iterations.

Microsoft Malware Protection Center.

Initially it was “System Defragmenter”, then “Scan Disk” and now it’s called “Check Disk”. While the name will most certainly change again, the main goal of Trojan:Win32/FakeSysdef will surely remain the same: to trick you into buying a piece of software that does nothing except scare you with fake warnings, critical “errors” and other “problems”.

As the name suggests, this malware imitates a hard disk defragmenter. It will pretend to scan your computer for problems such as: it “checks” if your hard disk is working correctly, “defragments” it, and even checks the health status of your RAM and GPU (Graphic Processor Unit). Of course, once you start checking for problems using this ‘program’ it is going to “find” a bucketful of them:

* Bad sectors
* RAM fragmentation
* Registry errors
* Very high CPU/GPU temperature
* RAM failures

Story and screenshots:
http://blogs.technet.com/b/mmpc/archive/2010/12/01/fakesysdef-we-can-defragment-that-for-you-wholesale-diary-of-a-scamware.aspx

Certifiedbug.com

FakeSysdef-Diary of a scamware

Rogue security products use false advertising, drop malware and often have a similar name or appearance to legitimate security software.

Scareware has already mimicked the Windows Security Center. This one mimics Microsoft Security Essentials and calls itself “Security Essentials 2010”.

Microsoft Malware Protection Center.

As we in the MMPC have always been quick to point out, Microsoft Security Essentials can be downloaded and used without charge by users running genuine Windows (from here: http://www.microsoft.com/security_essentials/). So anything mimicking Microsoft Security Essentials but asking for any sort of payment is clearly Up To No Good.

Screen-shots and more information at the MMPC Threat Research & Response Blog.

Microsoft detects the imposter as Trojan:Win32/Fakeinit. Encyclopedia here

http://certifiedbug.com/blog/category/scareware-rogues/

Certifiedbug.com

Rogue-Security Essentials 2010

Rogue security programs usually pop up a screen informing users that their PC is infected with malware. The user, understandably alarmed by the nonstop pop-ups which suddenly appear on their frozen screen, will often click to make a purchase and download the “fake” software which claims it will remove the infection. In a nutshell that “is” the infection and a lucrative business for criminals.

According to researchers at Symantec the authors of Live PC Care have taken things to the next level. The free trial version of Live PC Care includes a yellow online support button. Clicking on that button connects the potential victim with so-called “support agents” who will answer questions about the product via instant message.

Fake AV & Talking With The Enemy

http://certifiedbug.com/blog/category/scareware-rogues/

Certifiedbug.com

Fake Antivirus adds “Support”

Sunbelt Blog: New rogue borrows massively from AV company sites

Although the group claims 10 million users world-wide, oddly enough their site was only registered Nov. 25.

It seems they also have recruited the entire management team from AVG anti-virus company as well. Right!

Article

Certifiedbug.com

System Adware Scanner 2010, rogue with fake credentials

Press Release December 11, 2009.

The FBI warned consumers today about an ongoing threat involving pop-up security messages that appear while they are on the Internet. The messages may contain a virus that could harm your computer, cause costly repairs or, even worse, lead to identity theft. The messages contain scareware, fake or rogue anti-virus software that looks authentic.

The message may display what appears to be a real-time, anti-virus scan of your hard drive. The scareware will show a list of reputable software icons; however, you can’t click a link to go to the real site to review or see recommendations. Cyber criminals use botnets—collections of compromised computers—to push the software, and advertisements on websites deliver it. This is known as malicious advertising or “malvertising.”

Once the pop-up warning appears, it can’t be easily closed by clicking the “close” or “X” buttons. If you click the pop-up to purchase the software, a form to collect payment information for the bogus product launches. In some instances, the scareware can install malicious code onto your computer, whether you click the warning or not. This is more likely to happen if your computer has an account that has rights to install software.

Downloading the software could result in viruses, malicious software called Trojans, and/or keyloggers—hardware that records passwords and sensitive data—being installed on your computer. Malicious software can cause costly damages for individual users and financial institutions. The FBI estimates scareware has cost victims more than $150 million.

Cyber criminals use easy-to-remember names and associate them with known applications. Beware of pop-up warnings that are a variation of recognized security software. You should research the exact name of the software being offered. Take precautions to ensure operating systems are updated and security software is current. If you receive these anti-virus pop-ups, close the browser or shut down your computer system. You should run a full anti-virus scan whenever the computer is turned back on.

If you have experienced the anti-virus pop-ups or a similar scam, notify the Internet Crime Complaint Center (IC3) by filing a complaint at www.ic3.gov.

Pop-Up Security Warnings Pose Threats

http://certifiedbug.com/blog/category/scareware-rogues/

Certifiedbug.com

FBI warns consumers about rogue security programs

S!ri, a well known and respected malware fighter in the security community, wrote that some webmasters (cleaner affiliates) regularly use the screenshots that he made after analyzing a rogue, in their own blog posts.

The cleaner affiliates write about the dangerousness of the rogue and link to a “Free” Scan or “Free” Removal tool which may not be free at all.

So I decided to MAKE a picture of a new rogue that does NOT exist: Secure Shield. I post the picture and wait for the “serious” guys.

Those guys are inventing files, folders and keys name.

Secure Shield fake rogue

Certifiedbug.com

Cleaner affiliates gotcha

While performing a search I saw the red warning circle given by Web Of Trust (WOT) to sites they have rated dangerous.

Normally one should stop there people but I was digging. In a clean, uninfected virtual machine I opened the url which took awhile to load its nasty stuff and then the popups began.

“Don’t close this window if your want you PC to be clean”

Certifiedbug. September 6, 2008.
http://certifiedbug.com/blog/2008/09/06/smartantivirus2009-rogue-security-program/

Harry Waldon has a nice article Malware Close Encounters – Close Pop-ups using Task Manager to safely exit which could help users to exit a pop-up install before too much damage is inflicted.

Certifiedbug.com

Rogue-Personal Antivirus

The Russian Business Network affiliate involved has established a front company, autonomous system AS48669 NTCOLO-AS NTCOLO, and has been allocated 510 unique IP addresses. AS48669 consists of 105 malware domains, 19 domain name servers, 8 mail servers and 3 fraudulent payment processors.

List of current IPs Secure Home Networks

Certifiedbug.com

advancedprotectionscanner.com et al-rogues deployed