Top Threats

7 Posts authored by: SamSwift

A new version of RootkitRemover is now available:

The new version contains some excellent ZeroAccess removal features.

We very much value your feedback, so please do let us know if you use the tool and whether it solved your issue.

If you use the internet (and if you're reading this then it's pretty safe to assume you do) then you run the risk of your machine getting infected with malware. Infection vectors are wide and varied, and even a website that you've visited 1000 times before and thought was safe could be loaded with malware the next time you click. There are some great documents and discussions on this site on how to stay protected, but even with the best defence mechanisms there is still unfortunately a chance that something nasty will slip through the net.

Most malware these days, somewhere down the line, is money-driven - be it from attempting to swindle you into buying fake anti-virus "software" or paying ransom money to have your files decrypted (and then selling on your credit card details too), or by stealing your online banking password or intercepting transactions in the browser. And where there's an illicit opportunity to make money, there will generally be people willing to take that opportunity - so the new malware just keeps on coming.

Some infections are easy to spot - if you have Fake-AV or Ransomware then you'll know about it. Others are stealthier and lurk in the background doing their best to go unnoticed, and it's only when you check your bank balance that you see something untoward has occurred.

There is help at hand though: it's totally free and it's available for you to use if you think you've got an infection on your PC.

Stinger is McAfee Labs' free standalone removal tool - it is released on a daily basis and at the time of typing this it covers nearly 6000 malware families, including Vundo, Autorun.worm, Xpaj, ZeroAccess, Blacole, Zeus and a whole host of FakeAlerts, Backdoors, downloaders, password stealers and banking trojans.

It might just be the droid you were looking for....

Posted by SamSwift Nov 30, 2012

McAfee has received multiple reports of corporate customers who are severely affected by variants of W32/autorun.worm.aaeb-h.
W32/Autorun.worm.aaeb-h has the ability to infect removable media devices and mounted network shares. It can also copy itself into .zip and .rar archive files.

The infection starts either with manual execution of an infected file or by navigating to a folder that contains infected files. This threat has the ability to download other malware or updates to itself as directed by a Command-and-Control (C&C) server.

This threat is server-side polymorphic, therefore there is potential for new variants. McAfee Labs are continuing to closely monitor the situation and will provide enhanced generic detection as needed.


Coverage for the majority of variants is in the current DAT update files; however, McAfee has also released an additional Extra.DAT and Stinger to detect and clean this threat.

To download the Extra.DAT and Stinger, see KB76807:


For more information on McAfee product coverage and mitigation for this threat, see PD24169 - Threat Advisory: W32/Autorun.worm.aaeb:
McAfee Labs' own Peter Szor and Guilherme Venere have written two excellent blogs around these attacks: ames-of-cyber-warfare

Today's Stinger will contain coverage for W32/Skywiper, and detection is already available in our DAT files.

Our ThreatCenter has further information which can be found here.

Skywiper page now available on and McAfee Labs whitepaper

New blogs posted from Francois Paget, Peter and Guilherme: -update

Threat Advisory available in the McAfee ServicePortal here

Fake Alert/Fake AV FAQ

Posted by SamSwift Jul 20, 2011

What is Fake-AV malware?

Fake Anti-Virus style malware or rogue security ‘software’ has been growing in popularity since around 2007, but was seen in the wild in smaller numbers prior to this. It is Trojan based, and therefore does not self-replicate, but instead propagates in a multitude of ways – via known infected websites, spam runs, mal-vertising (otherwise clean websites where the 3rd party advertising stream has been compromised), email attachments, file sharing/p2p etc. Basically, if you can think of any potential malware infection method you can guarantee the authors of this type of malware are already making use of it.

Once a machine is infected, the user sees a pop-up window purporting to be security software which has found genuine malware detections, and they are prompted to purchase the software in order to remove these infections. Attempts to close the pop-up window frequently result in further pop-ups appearing, and more often than not the real security software installed on the machine is then disabled.

Users who are tricked into parting with their credit card details are incredibly likely to find their information is soon passed to criminals. Whether or not they were duped into parting with credit card information, users often find that their machines are unstable, with any attempt to launch a program being met by yet another fake-AV pop-up window, and commonly routes to security or OS vendor websites are blocked or re-routed. Frequently further malware is also downloaded onto the machine which could potentially have spreading capabilities, so what initially starts life as a single machine issue can easily have wider implications for a home or corporate network.

Fake-AV is server-side polymorphic, which in simpler terms means the files that infect machines are rapidly changed in order to evade basic signature-type detection which looks for file fingerprints (MD5 hashes). You could look at two machines which on the surface appear to be infected with the same malware – what you see on the screen looks identical, even the infected file names could well be the same, but from a fingerprint perspective the files are actually very different.

So the model used by the authors of this malware is very simple but effective – pretend to be software that everyone knows they need to have on their machine, that in most cases will annually require renewing via credit card; utilize as many infection methods as possible; ensure the infected files are changed rapidly to evade detection from the very same type of software that it’s masquerading as, whilst disabling the genuine article in the process; and whilst you’re there also download more malware with further capabilities to compromise machines, steal data and make money for the criminal underworld.

And that’s the bottom line – Money – the people behind these scams are full-blown software vendors, they are far from the script kiddies of yesteryear and are operating real businesses. With this in mind it’s clear that these types of infections are not going to go away any time soon, and the true security vendors are in a constant battle to keep up with the waves of new variants being produced 24x7x365.

How can I remove Fake AV from my machine?

Please start by ensuring your genuine AV software is up to date and that you have run a full scan. If you are still having an issue, or your machine has been rendered almost inoperable by the infection (most commonly that .exe files won't run due to broken file associations), please download our free Fake Alert Stinger tool, which is updated every week day. Instructions for use can be found on the web link. Should you still be having a problem, please submit any potential samples to us and provide details of your submission ID in the Top Threats community. One of our security experts will be on hand to assist as soon as they are able to.

My anti-virus software is up to date – why did I get infected with Fake-AV?

Due to the ever-changing nature of this malware, having up-to-date software is not always enough to fully protect a machine; in fact even with the strongest defenses, if you are a user of e-mail and the internet there is every chance your machine could still get infected. A good AV solution, personal firewall, host IPS and local web reputation software are strongly recommended to protect against both fake-AV and other types of threats.


I only ever visit genuine websites – why did I get infected with Fake-AV?

In recent months a common delivery method of fake-AV malware has been to poison 3rd party advertisement streams which are part of an otherwise clean website. The hosting webserver itself is not infected, and commonly has strong security measures in place to prevent it from being compromised. However, as many site owners utilize 3rd party advertisements as a revenue generator, the bad guys have used this as a doorway to infecting unsuspecting users who believe they are surfing safely.

I read on the internet that the infection I got has been around for months – why didn’t my anti-virus software detect it?

A family of fake-AV malware may have been in existence for months, but the files infecting a machine today may only have had a life-span of a few days, hours or even merely minutes.

McAfee detects literally millions of different fake-AV files, and is adding new detections both on a daily basis in the traditional DAT files and in near real-time via GTI file reputation technology. Our GTI web reputation software also blocks many known bad sites and has the capability to block poisoned ad streams. However, as new variants are created - from minute to minute in some cases - there will always be new undetected infected files, so a holistic approach to endpoint protection is necessary – not forgetting the all-important user education.

I used a free version of MalwareBytes to clean up the infection, why do I need to pay for anti-virus software?

MalwareBytes is not a full endpoint security solution, or even an anti-virus solution. Nor is it even vaguely scalable for an enterprise from an installation, reporting, manageability, or updating perspective. It is however good at removing very specific types of malware, and they themselves recommend on their forums running AV software (and a firewall, and URL filtering etc.) as well as their software.

The free version of Malwarebytes anti-malware is an on-demand scanning tool – it does not offer on-access scanning.  It’s important to note that having two on-access scanning tools on one machine can cause instability as there is much potential for both scanning engines to fight over a file as it is accessed. In worst cases this can cause blue screens and file corruption.

Unfortunately no AV vendor in the world will offer 100% protection, sometimes you may be unlucky enough to get infected, but follow good security online practices and you can lessen this risk considerably.  If you do fall foul of a fake AV infection McAfee recommend running our Fake Alert Stinger tool as a first port of call, and should you need to submit potential fake alert samples to us here's how.

McAfee Labs Releases “Fake Alert” Stinger - David Marcus

McAfee Labs is pleased to announce the availability of our “Fake Alert” Stinger – an improved Stinger tool with aggressive generic content targeted at enhanced detection and remediation of fake alert based threats. In our efforts to provide the best of protection for our customers against rogue security products or fake alert type malware – Read more…
Combating Fake Alerts - Shinsuke Honjo

The fake-alert families (bogus or rogue anti-virus software) are one of the most prevalent threats we face, and we see lots of new variants everyday. The threat is expanding constantly. For example, a couple of weeks ago, we observed MacDefender/MacProtector, which targeted Mac users, in addition to the usual attacks against Windows users. Today, I’m Read more…
The ‘Art’ of Fake Anti-Virus Software - Peter Szor

Hi, everyone. I am very excited to announce that I recently joined McAfee Labs. As many of you know, I have spent more than 20 years doing anti-virus (AV) development and research. Needless to say, I am not happy to see the new developments in fake AV software. Fake AV developments began only a few Read more…
Fake-Alert Scams Growing Again - Francois Paget

Fake-alert Trojans, also known as scareware, fool consumers by claiming imaginary threats, and insisting its victims purchase a product to repair the “infected” systems. They exist in Windows and Macintosh environments. In my recent report explaining this threat, I included a table showing the approximate number of scareware products with their known release dates: After Read more…
