Under Operation Tovar, global law enforcement—in conjunction with the private sector and McAfee—has launched an action to dismantle the Gameover Zeus and CryptoLocker infrastructure. Disrupting the criminal infrastructure by taking control of the domains that form part of the communications network provides a rare window for owners of infected systems to remove the malware and take back control of their digital lives.
If you, or anybody you know, receive a notification from your Internet service provider, then please do not ignore it. Use the removal tool to delete the malware from your system, and ensure you have appropriate protection to prevent future infections.
The removal tool is available at the following URL:
Researchers have been investigating not just the intricacies of the malware code that these ransomware programs deploy to infect your computer, but the money trail that is left by those who either don't know where to turn for help, or are intimidated by the threats included in the ransomware's blocking screen.
A French security expert and blogger known by the handle Kafeine and his colleagues from the botnets.fr project have managed to access a BlackHole exploit panel associated with Reveton distribution.
Blackhole and Styx exploit kits are often used to infect systems with this ransomware, and the most effective means of infection is by exploiting weaknesses in Java. The control panel shows this clearly.
Once a system is infected there is always the possibility that the user will look for ways to remove it, either by searching the internet for removal guides or by seeking help online in one or other of the self-help forums. Probably only rarely will a user pay to have the infection removed since the cost of doing so is likely to be nearly as much as the ransom demanded, and the fear and embarassment factor will mitigate against allowing outsiders to have access to the system.
What this means is that the success rate, for the ransomware distributors, is going to be less than they might hope for (which is why some of them are now resorting to encrypting files). The proportion of users who pay the ransom seems to differ from country to country, but the calculations derived from access to the control panel indicate that the controllers can count on receiving about 40,000 Euros per day. And that is from just one operation among many.
The money, of course, has to be laundered to get it back to the controllers, and they will expect to receive only a part of that 40,000 Euros. Laundering money costs money. Assuming that half of that amount goes to intermediaries, they will still get in the region of 7 million Euros a year for their efforts.
Kafeine from botnets.fr has outlined the entire infrastructure of Reveton distribution and monetizing details in the following graphic:
These screenshots were taken from the privacy-pc.com report (see below), which has a link to an earlier analysis of the FBI Moneypak ransomware containing removal guides.
Compromised websites have been an attractive target for cyber-criminals. These websites distribute different malwares designed to steal valuable information from the victim’s machine
Compromised websites has scripts, iframe to redirect or download other malwares.
The link to the compromised website may arrive via email as part of a spam campaign to lure the user into clicking the malicious link. After accessing the compromised website, it shows a fake message box about critical process activity on the computer.
On clicking the OK button, it opens a .PNG file hosted in the compromised site. This .PNG file shows a fake alert image pretends to be from a security product that scares the user into thinking the computer is infected by critical malware and suggests that the user clean the computer.
The compromised website has another iFrame that allows downloading a malicious file when the user attempts to click on the .PNG file.
Upon executing the malicious file, it shows variety of fake security alerts and warnings. Also, this rouge variant uses a different GUI, depending on the version of the operating system it infects.
As on windows 7:
Finally, it attempts to convince the user to purchase the full version of fake product.
McAfee strongly recommends that users exercise caution when opening unsolicited emails. Ensure your anti-malware protection is up to date. Use a reputable firewall. Beware of drive-by downloads when visiting any new websites. McAfee detects this malware as “FakeAlert-FFO” and the .jar file as “Exploit-CVE2012-1723”.
McAfee has received multiple reports of corporate customers who are severely affected by variants of W32/autorun.worm.aaeb-h.
W32/Autorun.worm.aaeb-h has the ability to infect removable media devices and mounted network shares. It can also copy itself into .zip and .rar archive files.
The infection starts either with manual execution of an infected file or by navigating to a folder that contains infected files. This threat has the ability to download other malware or updates to itself as directed by a Command-and-Control (C&C) server.
This threat is server-side polymorphic, therefore there is potential for new variants. McAfee Labs are continuing to closely monitor the situation and will provide enhanced generic detection as needed.
Coverage for the majority of variants are in the current DAT update files, however McAfee have also released an additional Extra.DAT and Stinger to detect and clean this threat.
The Blackhole Exploit kit has received a complete makeover. The authors have completely rewritten the code in order to evade detection by the majority of anti-virus programs. This exploit kit is probably the most successful (and, for PC users, most dangerous) piece of malware around at the moment, and it relies for its success on users who haven't updated operating systems, browsers, and widely-used applications such as Flash, Adobe Reader and Java.
The creators of the infamous Blackhole exploit kit have announced version 2.0 of the malware, claiming to have rewritten the code entirely from scratch so as to evade popular antivirus software. The kit includes noteworthy and nasty tricks, such as the use of short-term, random URLs for delivering exploits, but perhaps in recognition of the still-struggling global economy, the kit's creators aren't changing pricing.
According to Sophos, the Blackhole exploit kit is "the most popular drive-by malware we've seen recently.... It offers sophisticated techniques to generate malicious code. And it's very aggressive in its use of server-side polymorphism and heavily obfuscated scripts to evade antivirus detection. The end result is that Blackhole is particularly insidious."
Blackhole 2.0 also has been trimmed of old exploits that have since been fixed, replacing them with a new batch. Further, the creators have broadened the number of OSes the malware can recognize, adding to the list Windows 8 and unspecified mobile platforms, "giving the attacker the ability to break down the amount of traffic he's getting from machines running each individual OS" .
The exploit kit is customisable, so the list of exploits given in the InfoWorld article above is certainly incomplete.
The latest Security Intelligence Report from Microsoft (vol. 13) has this to say about the exploit kit in its Summary Section -
Blacole, a family of exploits used by the so-called “Blackhole” exploit kit to deliver malicious software through infected webpages, was the most commonly detected exploit family in the first half of 2012.
Prospective attackers buy or rent the Blacole kit on hacker forums and through other illegitimate outlets. It consists of a collection of malicious webpages that contain exploits for vulnerabilities in versions of Adobe Flash Player, Adobe Reader, Microsoft Data Access Components (MDAC), the Oracle Java Runtime Environment (JRE), and other popular products and components. When the attacker installs the Blacole kit on a malicious or compromised web server, visitors who don’t have the appropriate security updates installed are at risk of infection through a drive-by download attack.
A drive-by download site is a website that hosts one or more exploits that target specific vulnerabilities in web browsers, and browser add-ons. Malware distributors use various techniques to attempt to direct Internet users to Web sites that have been compromised or are intentionally hosting hostile code. Users with vulnerable computers can be secretly infected with malware simply by visiting such a website, even without attempting to download anything themselves.
This technique usually involves posting exploit code to a legitimate website, either by gaining access to the site through intrusion or by posting malicious code to a poorly secured Web form, like a comment field on a blog. In most cases, the exploit code itself is hosted on a different website and is exposed through the compromised webpage using a technique like a URL embedded in malicious script code or an inline frame, called an IFrame for short. An IFrame is an HTML document that is embedded in another HTML document.
During a drive-by download attack, an IFrame is typically used to load a separate HTML page into a window on the current page. Inline frames can be as small as a single pixel making them impossible to detect with the naked eye. Because the IFrame loads another webpage, it can be used by criminals to place malicious HTML content, such as a script that downloads and installs malware, into non-malicious HTML pages hosted by trusted websites.
This is one member of an entire family of malware known as ransomware. The aim of those producing and spreading this ransomware is to intimidate and blackmail users whose PCs are infected and persuade or force them to pay for having the malware removed or neutralised. As a form of cybercrime it is crude, but often effective - often enough that the authors have gone to some lengths to customise this particular variety for different countries in Europe (so far, only a few examples from outside Europe have been seen).
The basic mechanism is simple enough. A PC is infected with a Trojan dropper by visiting an infected website. The actual infection can be the result of a "drive-by", where simply going to an infected webpage is enough to download the Trojan. Once on the PC, the code inserts a registry entry to make sure that it will be run every time the PC starts up, then displays a country-specific picture and a message (completely obscuring the desktop) and apparently locks the PC. The full details are in a paper by Trend Micro, which explains it better than I can.
Newer variants of this ransomware are said to have been modified to encrypt files and overwrite the MBR. If that is true, it confirms that the authors are actively developing it and intend to keep it going as long as possible.
One of the first articles to draw attention to this ransomware appeared last December in Microsoft's Malware Protection Center, when most of the infections were being reported from Germany (the BundesPolizei variant) :
Considering the wide distribution of scams such as this ransomware, it's clear that there's a lot of money at stake. That's why the bad guys invest in making their scams look more convincing for the unsuspecting user. This includes adapting social engineering techniques to the specifics of various countries and pretending to be the local authorities. Another point to remember is that a lot of malware is distributed nowadays through exploit kits such as Blackhole.
... Microsoft security essentials showed up 2 severe threats:
Exploit.java/Blacole.BX - severe
Trojan/Win32/Reveton was the subject of another article in Malware Protection Center on April 18th : "Revenge of the Reveton". The malware infection is classed by Microsoft as Severe, and a description and removal guide can be found HERE. It is important to note that this infection is the intermediate variant that purports to be from the Metropolitan Police : later variants may require a different removal process.
Trojan:Win32/Reveton.Aarrives as a DLL file with a random name. It creates a shortcut file to itself in the Windows startup folder; the shortcut file name is the same name as the DLL file but with the LNK extension.
When Windows starts, it executes the command associated with the shortcut, as follows:
When run, Trojan:Win32/Reveton.A displays a full-screen webpage that covers all other windows, rendering the computer effectively unusable. The image is a fake warning pretending to be from a legitimate institution. It demands the payment of a supposed fine. However, even if the user pays, the computer is still left unusable.
What Microsoft calls PWS:Win32/Reveton.A is a refinement apparently added to this ransomware variant :
This threat is classified as a password-stealing trojan. Typically, a password stealing trojan installs a keystroke logger (commonly referred to as a keylogger) which records keystrokes and sends the recorded information to remote attackers. Some keyloggers monitor only keystrokes involved in specific types of web-based transactions. For example, a keylogger may include a component that monitors browser activity, only recording keystrokes when certain bank or ecommerce sites are accessed. Other types of password-stealing trojans include those that capture screenshots in an attempt to bypass graphic-based security measures.
The advice to anyone who has fallen victim to this version of the ransomware is the usual :
What to do if you think you have been a victim of a scam
If you suspect that you've responded to a phishing scam with personal or financial information, take these steps to minimize any damage.
Change the passwords or PINs on all your online accounts that you think might be compromised.
Place a fraud alert on your credit reports. Check with your bank or financial advisor if you're not sure how to do this.
Contact the bank or the online merchant directly. Do not follow the link in the fraudulent email message.
If you know of any accounts that were accessed or opened fraudulently, close those accounts.
Routinely review your bank and credit card statements monthly for unexplained charges or inquiries that you didn't initiate.
The whole subject of these "Police Trojans" has been investigated in depth by Trend Micro, who published their findings in a White Paper. The blog entry where the White Paper is discussed asserts that the same people are likely to be behind this as were responsible for a DNSChanger Trojan that had been sponsored by Rove Digital. That particular group was taken down last November when 8 Estonians were arrested, but the Police Trojans continue to be modified, enhanced and released - so there are others involved. There are clues within the source code, apparently, that point to Russian-speakers as being the authors of this malware (although such "clues" could be deliberately planted in order to mislead the investigators).
This analyses the operation and external communications of the Police Trojans in some detail. It also provides an explanation for the patchy detection rate by anti-virus programs, and the difficulty in keeping track of changes to the Trojans :
... there must be an affiliate download site where partners can download a ready-made Trojan using their own user names and the C&C server of the day already embedded. This also explains the very low detection rates across the board. Each Trojan is custom compiled with different configurations and applies two layers of packing and obfuscation on top. Given the rate at which the attackers are changing C&C servers, this recompilation must be happening very often that is why security companies are having a difficult time obtaining good detections.
The cybercrime activities of the authors of this ransomware are identified, showing that these are professional (or at least semi-professional) cybercrooks -
The gang spreading the ransomware discussed in this research paper does not seem to be a novice in committing cybercrime. In fact, we can relate the ransomware Trojan to several data-stealing campaigns involving ZeuS and CARBERP Trojans, TDSS rootkits, and FAKEAV malware dating back to 2010 and 2011. We can also relate the Police Trojan gang to a ZeuS Trojan campaign launched in mid-March of this year and a Gamarue worm.
.... The TDSS samples we have seen in Police Trojan attacks were also the DNS changers Rove Digital’s affiliate program used. As such, we believe that one or some of the gang members spreading the Police Trojans may also have been members of Rove Digital’s affiliate program in the past. This shows that the gang is certainly not new to cybercrime.
The probable source(s) of infection are set out at the end of the White Paper. The authors' conclusions about the websites that cause the infection should come as no surprise.
These malware programs tend to exploit known vulnerabilities in programs such as Java and Flash, for which updates are available but may not have been downloaded and applied. Some can exploit security weaknesses in Windows (most often XP); if the fixes for these issues by Microsoft are in the Optional download section (unlikely, but possible) then some users may not be aware of them.
To check whether your PC is missing any Windows or other Microsoft updates you should go to the Microsoft Update website (for which you must be using Internet Explorer; go to the Microsoft Download Center if you are using another browser such as Chrome or Firefox) or run Microsoft's MBSA, which scans for a number of security vulnerabilities in your OS and browser. For Adobe Flash, you can check whether you have the latest version here (different versions must be downloaded for IE and Firefox; Chrome should update its own sandboxed version automatically).
As a footnote to this piece, I note that there is a recent ransomware variant - purporting to be from West Yorkshire Police here in the UK - which has some extra features missing from earlier variants. Many files are encrypted - including .doc and .pdf - and are given a prefix of 'Locked' and a random 4-character suffix. A Russian AV vendor (Dr.Web) classifies this variant of the ransomware as "Trojan.Matsnu.1" and can decrypt the files, provided that they receive both an encrypted file and its unencrypted (pre-infection) version. This implies that the file has been backed up and so is available for comparison - which reinforces the message that files should be backed up regularly.
Innovative Marketing, a notorious purveyor of Fake AV programs, has finally been persuaded - under extreme pressure - to reimburse a large number of people who were duped by their "Your PC is infected ..." scareware into buying their worthless programs.
The company had its headquarters in the Ukraine, but with subsidiaries in the United States and elsewhere. The refunds appear to be for victims in the US only, where the FTC took action against the company in 2008.
In the US, at least 320,000 people will receive a refund of about $20. The figure of 320,000 represents only those in the US who are known to have paid Innovative for one of their scareware products : the list of those products is extensive, since the same underlying program code would have numerous user interfaces and product names.
The number of people eligible for a refund is expected to grow, since the FTC is inviting anyone who paid for one of Innovative's "antivirus" programs, and who does not receive a refund, to contact them.
Anyone outside the US has very little chance of ever receiving any compensation.
A list of some of the names of the Fake AV and other programs peddled by Innovative Marketing can be found on the Microsoft website at
OpenCloud Security FakeAlert are commonly found to be installed by other trojandownloaders. These trojans usually arrive as e-mail attachments, or via drive-by-downloadattacks exploiting vulnerabilities in Windows and third-party applications.
Upon execution, It copies itself to the following paths:
The most recent makes part of a family of Rootkits. ZeroAccess as it is called, replaces Windows System files and installs kernel hooks in attempt to remain stealth. ZeroAccess utilizes an advances method for protecting itself and disabling any security tool trying to detect and remove it.
ZeroAccess is usually installed on a system by a malicious executable disguised as a cracking tool for popular applications. Once this dropper is executed, it will perform some actions like:
The rootkit will create a file with a random name in %SYSTEMROOT%\system32\config\<random> or c:\windows\prefetch\<random>. This file will be used to store a virtual encrypted file system, used by the rootkit to store its configuration files and other supporting files.
ZeroAccess will then patch a randomly chosen system driver file. The patched file will be used as the rootkit’s restart mechanism to load its malicious kernel component when the system boots.
The original system driver file is stored inside the virtual file system. The rootkit uses it to provide legitimate information for requests to access the original file information on disk such as md5, digital signature, including a file copy.
The malware will also create a tripwire device. This device is disguised as a normal file on disk, but whenever accessed, it will trigger the rootkit protection routine.
In older variants, the tripwire device used to be named like \\??\Global\systemroot\system32\svchost.exe.
In new variants, the tripwire device is installed in an Alternate Data Stream (ADS).
NOTE: An ADS is an NTFS structure that allows more than one data stream to be associated with a file.
The rootkit tripwire device ADS is usually installed as %SYSTEMROOT%\<randomnumbers>:<randomnumbers>.exe.
The malware then creates a service, and points its ImagePath to the tripwire device, to run it every time the system boots.
Whenever the tripwire file or the process in memory is accessed by a security tool, the rootkit kernel component will kill the process from the kernel.
In newer variants, besides killing the process, the rootkit component will also remove all NTFS permissions from the offending files. This action is an attempt to disable security related tools and components.
ZeroAccess also establish a network activity to reporting the installation and user activity to a remote server. Since the rootkit hides network connections from any tool running on the infected machine, system administrators may need to use external monitoring tools to check the network activity.
We are seeing ZeroAccess associated with other malware families, as FakeAlert and Katusha.
For more details of this threat and remediation steps, please read .
Our systems are attacked daily byTrojans, viruses, worms, and other malware. We face these risks while browsingthe Internet, chatting, downloading applications, and in many other ways. We know we have to protect our systems and that we need to use security software.Unfortunately, one of the most popular ways for the bad guys to make money isto trick users into believing their systems are infected. They convenientlyoffer to sell us fake, or rogue, security applications that often do little more than act busy and collect our money.
How harmful are rogue security applications?
FakeAlert anti-virus software can be harmful to your systems. FakeAlert Trojans operate in a similar way: We get them either during a “drive-by” install or a downloader will silently load either part of or an entire roguesecurity application. Rogue software can sometimes damage the system and harm other drivers andutilities.
We use several detection names for fake anti-virus software, including FakeAlert-Antiviruspro, Rogue Antispyware, and Fraudtool.
Let’s look at one example of fakealert software: When sysguard.exe runs on a victim’s machine, it infects the system and deletes the registry key of the AppInit_DLLs applications from the machine:
When this pop-up window warns of a (fake) infection, most users click on “Yes,remove threats.”
What happens next?
As we see in the previous screen,once the Trojan runs it offers a graphical interface designed to appear as alegitimate security application. It reports multiple “infections” on thevictim’s computer. It also adds the following registry key:
Finally the fakealert software offers the user the chance to clean up the attack by buying the “full” rogue application. (See next screen.) Once the victim pays, the attacker has won. And the user’s machine remains infected by the rogue product.
How can you protect your system?
The first step in protectingyourself is to download the McAfee SiteAdvisor tool, which will warn you beforeyou visit the suspicious links.
McAfee anti-virus products such as VirusScan Enterprise 8.x have features that can help your PC. VSE adds user-defined rules and protects your system against fakealert trojans.
You should also update your McAfee products to ensure you are protected from these threats.
You can help by sending us a sample for analysis in a password-protected ZIP file. (Use the password “infected”).For more details on how to submit fake alert related samples, please visit this link: https://community.mcafee.com/docs/DOC-2752
Please use our updated McAfeeFakeAlert Stinger tool to protect your system,which detects and remediates fakealert threats
Many people try to search for free antispyware, install something purporting to be genuine, but unknowingly become victimized and land up paying two fold - by damage caused to their system and potentially by later parting with credit card details to remove bogus infections.
One of the most popular current fakealert variant seen is "Fakealert-Sysdef"
The tool are advertised like – System Repair, WinXPRecovery, XP Security
FakeAlert may install itself onto your PC without your permission, via a drive-by attack on a compromised website.
If victim tries to stop the scanner, it won’t close rather force the victim to complete the scanning and displaying fake warnings and trick them into buying rogue antispyware programs
Often fake-alert infections will prevent the machine from working as expected. This makes the threat persistent and prevents users from remediating the infection.In some cases, fake-alert infections will hijack certain Windows Registry Keysthat associate applications based on file extensions.
%UserProfile%\Desktop\Windows XP Repair.lnk
%UserProfile%\Start Menu\Programs\Windows XPRepair\Windows XP Repair.lnk
%UserProfile%\Start Menu\Programs\Windows XPRepair\Uninstall Windows XP Repair.lnk
it connects to the following sites to download other malicious files.
To stay safe online we recommend users buy proper AV like McAfee, keep their software and operating system patches updated, and ensure security best practices are followed at all times.
It’s but obvious you might have heard people telling that in 2012 the world will come to an end, but not for this rogue FakeAV (read:XP Security 2012).
Fake AV software’s aka Fraud AV’s are one of themost popular malwares being seen these days. Although they were present, the numbersof fake AV Trojans are rapidly increasing day by day and their main motivebehind this is to make quick money by enticing unsuspecting or novice users whofall into their trap.
So what does this XP Security 2012 do?
Upon execution, the malware throws up a window showing a lot of files as infected
As you can see the title it says “UnregisteredVersion” and again if you click on any other tabs on the left hand side like Personal security or Proactive Defense, they will all be disabled and it will prompt you to enable or register your version of “XP Security 2012”.
Apart from that it will also keep throwing messages like “System in Danger” to create fear among the users.
Once the unsuspecting users click on “Register”,which is what the malware guys are expecting you to do it takes you straightaway to some rogue site and asks you to provide your personal details as can be seen below
Once you enter these, comes the most interesting part for the bad guys as this is what they have been waiting for – “Money” and to get that they ask you to provide your credit card details
Apart from the above, the file also drops or copiesitself into the following locations:
C:\Documents and Settings\Administrator\LocalSettings\Application Data\g8v4b5de0b26j82m6ftqwv6f0aire
C:\Documents and Settings\Administrator\LocalSettings\Application Data\GDIPFONTCACHEV1.DAT
C:\Documents and Settings\Administrator\LocalSettings\Temp\g8v4b5de0b26j82m6ftqwv6f0aire
One of the prevalent fakeAlert trojan found nowadays is ‘defender.exe’. McAfee detection is on this fakeav is FakeAlert-Rena variant.
It's icon is generally like shown below:
When this fakeAV is executed, it copies itself hidden to thelocation “%appdata%\defender.exe”, and display the window as below:
It creates a start up registry so that every time windows starts , defender.exe runs.
This trojan tends to be distributed along various channels such as emails, malicious web pages, Inter Relay Chat channels (IRC) and some peer-to-peer networks. It is also highly capable of downloading additional malware onto the infected computer system, usually from a remote internet website, which is ultimately executed on a local system.
The best practice to prevent and deal with this infection is keep a fully functional and updated Anti-virus on your machine, avoid surfing malicious sites etc.
Fake Anti-Virus style malware or rogue security ‘software’ has been growing in popularity since around 2007, but was seen in the wild in smaller numbers prior to this. It is Trojan based, and therefore does not self-replicate, but instead propagates in a multitude of ways – via known infected websites, spam runs, mal-vertising (otherwise clean websites where the 3rd party advertising stream has been compromised), email attachments, file sharing/p2p etc. Basically if you can think of any potential malware infection method you can guarantee the authors of this type of malware are already making use of it.
Once a machine is infected, the user sees a pop-up window purporting to be security software which has found genuine malware detections, and they are prompted to purchase the software in order to remove these infections. Attempts to close the pop-up window frequently result in further pop ups appearing, and more often than not the real security software installed on the machine is then disabled.
Users who are tricked into parting with their credit card details are incredibly likely to find their information is soon passed to criminals. Regardless of being duped or otherwise into parting with credit card information often find that their machines are unstable, with any attempt to launch a program being met by yet another fake-av pop-up window, and commonly routes to security or OS vendor websites are blocked or re-routed. Frequently further malware is also downloaded onto the machine which could potentially have spreading capabilities, so what initially starts life as a single machine issue can easily have wider implications for a home or corporate network.
Fake-AV is server-side polymorphic, which in simpler terms means the files that infect machines are rapidly changed in order to evade basic signature type detection which looks for file fingerprints (MD5 hashes). You could look at two machines which on the surface appear to be infected with the same malware – what you see on the screen looks identical, even the infected file names could well be the same, but from a fingerprint perspective the files are actually very different.
So the model used by the authors of this malware is very simple but effective – pretend to be software that everyone knows they need to have on their machine, that in most cases will annually require renewing via credit card, utilize as many infection methods as possible, ensure the infected files are changed rapidly to evade detection from the very same type of software that it’s masquerading as, whilst disabling the genuine article in the process, and whilst you’re there also download more malware with further capabilities to compromise machines, steal data and make money for the criminal underworld.
And that’s the bottom line – Money – the people behind these scams are full blown software vendors, they are far from the script kiddies of yesteryear and are operating real businesses. With this in mind it’s clear that these types of infections are not going to go away any time, and the true security vendors are in a constant battle to keep up with the waves of new variants being produced 24x7x365.
How can I remove Fake AV from my machine?
Please start by ensuring your genuine AV software is up to date and that you have run a full scan. If you are still having an issue, or your machine has been rendered almost inoperable by the infection (most commonly that .exe files won't run due to broken file associations) please download our free Fake Alert Stinger tool, which is updated every week day. Instructions for use can be found on the web link. Should you stil be having a problem please submit any potential samples to us and provide details of your submission ID in the Top Threats community. One of our security experts will be on hand to assist as soon as they are able to.
My anti-virus software is up to date – why did I get infected with Fake-AV?
Due to the ever-changing nature of this malware having up-to-date software is not always enough to fully protect a machine; in fact even with the strongest defenses if you are a user of e-mail and internet there is every chance your machine could still get infected. A good AV solution, personal firewall, host IPS and local web reputation software are strongly recommended to protect again both fake-AV and other types of threats.
I only ever visit genuine websites – why did I get infected with Fake-AV?
In recent months a common delivery method of fake-av malware has been to poison 3rd part advertisement streams which are part of an otherwise clean website. The hosting webserver itself is not infected, and commonly has strong security measures in place to prevent it from being compromised. However, as many site owners often utilize 3rd party advertisements as a revenue generator the bad guys have used this as a doorway to infecting unsuspecting users who believe they are surfing safely.
I read on the internet that the infection I got has been around for months – why didn’t my anti-virus software detect it?
A family of fake-av malware may have been in existence for months, but the files infecting a machine today may only have had a life-span of a few days, hours or even merely minutes.
McAfee detect literally millions of different fake-av files, and are adding new detections on both a daily basis in the traditional DAT files, and in near real-time via GTI file reputation technology. Our GTI web reputation software also blocks many known bad sites and has the capability to block poisoned ad streams. However, as new variants are created - from minute to minute in some cases - there will always be new undetected infected files so a holistic approach to endpoint protection is necessary – not forgetting the all important user education.
I used a free version of MalwareBytes to clean up the infection, why do I need to pay for anti-virus software?
MalwareBytes is not a full endpoint security solution, or even an anti-virus solution. Nor is it even vaguely scalable for an enterprise from a installation, reporting, manageability, or updating perspective. It is however good at removing very specific types of malware, and they themselves recommend on their forums running AV software (and a firewall, and URL filtering etc etc) as well as their software.
The free version of Malwarebytes anti-malware is an on-demand scanning tool – it does not offer on-access scanning. It’s important to note that having two on-access scanning tools on one machine can cause instability as there is much potential for both scanning engines to fight over a file as it is accessed. In worst cases this can cause blue screens and file corruption.
Unfortunately no AV vendor in the world will offer 100% protection, sometimes you may be unlucky enough to get infected, but follow good security online practices and you can lessen this risk considerably. If you do fall foul of a fake AV infection McAfee recommend running our Fake Alert Stinger tool as a first port of call, and should you need to submit potential fake alert samples to us here's how.
McAfee Labs is pleased to announce the availability of our “Fake Alert” Stinger – an improved Stinger tool with aggressive generic content targeted at enhanced detection and remediation of fake alert based threats. In our efforts to provide the best of protection for our customers against rogue security products or fake alert type malware – Read more…
The fake-alert families (bogus or rogue anti-virus software) are one of the most prevalent threats we face, and we see lots of new variants everyday. The threat is expanding constantly. For example, a couple of weeks ago, we observed MacDefender/MacProtector, which targeted Mac users, in addition to the usual attacks against Windows users. Today, I’m Read more…
Hi, everyone. I am very excited to announce that I recently joined McAfee Labs. As many of you know, I have spent more than 20 years doing anti-virus (AV) development and research. Needless to say, I am not happy to see the new developments in fake AV software. Fake AV developments began only a few Read more…
Fake-alert Trojans, also known as scareware, fool consumers by claiming imaginary threats, and insisting its victims purchase a product to repair the “infected” systems. They exist in Windows and Macintosh environments. In my recent report explaining this threat, I included a table showing the approximate number of scareware products with their known release dates: After Read more…