From rogue AV to fake disk clean-up utilities

Summary: Security researchers are reporting a surge in fake disk clean-up utilities that report bogus PC errors and demand an activation fee to fix them.

TOPICS: Hardware, Security

Security researchers at Symantec are reporting a surge in fake disk clean-up utilities that report bogus PC errors and demand an activation fee to fix them.

The fake hard disk scanners and defragmentation tools closely resemble the rogueware (fake anti-virus) scam. As the sample image above shows, the graphics are convincing enough to trick the average end user.

"What started as a trickle has now become a steady outpouring, with new clones being released almost daily," Symantec's Hon Lau said in a blog post.

Some of the detected fake disk clean-up tools include:

  • Ultra Defragger
  • Smart Defragmenter
  • HDD Defragmenter
  • System Defragmenter
  • Disk Defragmenter
  • Quick Defragmenter
  • Check Disk
  • Scan Disk

The scam works by running a scan immediately after installation that purports to look for problems on the computer.

After the scan, the tool reports a long list of errors and warnings and prompts the user to run a defragmentation. That process switches to a black, fake "safe mode" screen and appears to "fix" some of the issues.

The fake defragmenter then leaves a handful of "serious" issues unresolved and tells the user that the application must be activated, for a fee, before they can be repaired.
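Several of the names on Symantec's list ("Disk Defragmenter", "Check Disk") are also the names of genuine Windows tools, so a desktop inventory check that matches on product name alone will raise false positives. The script below is an added example, not code from the article or from Symantec; it flags an inventory entry as rogue when a listed name appears outside the Windows system directory, and as a suspicious clone when an unlisted "defrag"/"disk" tool sits in a user-writable location. The system-directory and user-writable paths, the spelling normalisation, and the sample inventory are all assumptions made for the example.

```python
"""Flag rogue 'disk clean-up' tools in a software inventory by name and install path.

Added example; the rule thresholds and paths below are assumptions, not facts from
the article or Symantec's write-up.
"""
import re
from typing import Dict, List, Tuple

# Names reported in the article. They are normalised below so that clones
# which only vary the spelling ("Defragger" vs "Defragmenter") still match.
ROGUE_NAMES = [
    "Ultra Defragger", "Smart Defragmenter", "HDD Defragmenter",
    "System Defragmenter", "Disk Defragmenter", "Quick Defragmenter",
    "Check Disk", "Scan Disk",
]

# Assumption: the genuine Windows tools that share these names live under
# %SystemRoot%\System32; a same-named binary anywhere else is treated as rogue.
SYSTEM_DIR = "c:\\windows\\system32\\"

# Assumption: directories a drive-by or fake "Windows Update" download can
# write to without elevation. An unlisted defrag/disk tool here is a likely clone.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\")


def normalize(name: str) -> str:
    """Lower-case, drop punctuation, and fold defrag spellings to one token."""
    n = re.sub(r"[^a-z0-9 ]", " ", name.lower())
    n = re.sub(r"\bdefrag(ger|menter|mentor)?\b", "defrag", n)
    return " ".join(n.split())


ROGUE_SET = {normalize(n) for n in ROGUE_NAMES}
CLONE_HINT = re.compile(r"\b(defrag|hdd|disk)\b")


def classify(name: str, path: str) -> str:
    """Return 'legitimate', 'rogue', 'suspicious-clone' or 'ok' for one entry."""
    n = normalize(name)
    p = path.lower()
    if n in ROGUE_SET:
        # Known rogue name: only the real system tool location is trusted.
        return "legitimate" if p.startswith(SYSTEM_DIR) else "rogue"
    if CLONE_HINT.search(n) and any(d in p for d in USER_WRITABLE):
        return "suspicious-clone"
    return "ok"


def scan(inventory: List[Tuple[str, str]]) -> Dict[str, str]:
    """Classify (name, path) pairs; keyed by path because rogue names collide."""
    return {path: classify(name, path) for name, path in inventory}


# Constructed sample inventory for the example (not real host data).
SAMPLE_INVENTORY = [
    ("Disk Defragmenter", r"C:\Windows\System32\dfrgui.exe"),
    ("Disk Defragmenter", r"C:\Users\bob\AppData\Local\Temp\abc123\Disk Defragmenter.exe"),
    ("Ultra Defragger", r"C:\Users\bob\AppData\Roaming\UltraDefragger\UltraDefragger.exe"),
    ("Turbo Defragmenter", r"C:\Users\bob\AppData\Local\Temp\TurboDefrag.exe"),
    ("Notepad++", r"C:\Program Files\Notepad++\notepad++.exe"),
]


def scan_sample() -> Dict[str, str]:
    return scan(SAMPLE_INVENTORY)


if __name__ == "__main__":
    for path, verdict in scan_sample().items():
        print(f"{verdict:16} {path}")
```

The path check is what separates the genuine `dfrgui.exe` from a rogue "Disk Defragmenter" dropped into the user's Temp folder; a name-only match would flag both or neither. Treat the "suspicious-clone" verdict as a triage hint rather than a detection, since a legitimate portable tool can also live under a profile directory.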

Talkback

44 comments
  • I don't understand why they go to the effort?

    We are told time and time again that Windows is so easy to break into with drive bys and worms and viruses so why bother creating applications that users actually have to download and run? Seems to me that it would be easier for the "bad guys" to just hit a button and take over every single Windows computer in the world.

    ...

    Unless it isn't that easy?
    NonZealot
    • RE: From rogue AV to fake disk clean-up utilities

      @NonZealot
      I see you're trying, just not hard enough.

      Flame bait??
      choyongpil
    • really?

      @NonZealot is this a serious post?
      sportmac
      • You tell me

        @sportmac
        If it is SOOOO easy to break into Windows, why rely on tricking users to download and install malware themselves? Why not just break into every Windows computer without any end user interaction required at all?

        Unless it isn't that easy?
        NonZealot
      • Perhaps...

        @NonZealot Perhaps it's because anyone stupid enough to buy a Windows machine is dumb enough to download & install these fake apps?
        ashdude
      • Good point, @ashdude

        And it sounds like the Zealot did just that, too.
        ahh so
    • RE: From rogue AV to fake disk clean-up utilities

      @NonZealot My guess is that the point of doing it this way is to keep the user thinking the process is total innocuous. If they just hijacked the box, I suspect most users would be aware they were hacked and do something about it. If they're not aware, they just continue on in their blissful ignorance.
      tech_monster
      • RE: From rogue AV to fake disk clean-up utilities

        @ashdude As opposed to buying a Mac and thinking you're not at risk? The days of Mac users not worrying about this stuff are rapidly coming to an end.
        mepallow
  • As long as there are people to fool

    there will always be rogueware like this.

    For those wondering, the software appears as a fake Windows Update download box that appears after visiting a compromised website.

    Oddly, Windows Vista is listed as a vulnerable OS, but not Windows 7.

    Either way, it appears both Symantec and MSE will catch and remove the baddie.

    More info:
    http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan:Win32/FakeSysdef

    http://blogs.technet.com/b/mmpc/archive/2010/12/01/fakesysdef-we-can-defragment-that-for-you-wholesale-diary-of-a-scamware.aspx
    The one and only, Cylon Centurion
    • As long as there are people to fool

      @Cylon Centurion 0005

      There is ChromeOS from them. Hence no local storage.
      Alan Henry
  • RE: From rogue AV to fake disk clean-up utilities

    My users run into this at least once a month. It doesn't infect the computer but does display all the warnings. Happens most often during Google image searches. I'm sure a lot of people give them their credit/debit card info. After all, people still fall for the Nigerian bank scam. Someone locally was on the news last year; she gave over $400,000 of her husband's retirement thinking she would get a big payoff and be able to surprise him. That one relies on greed though; these are based on fear and ignorance regarding basic PC security.
    Admin71
    • Those type of users really make me mad

      @Bookmark71

      Whether by ignorance or just plain stupidity, those people just refuse to learn from their mistakes. It's beyond me how people can be so idiotic about traversing the Internet.
      The one and only, Cylon Centurion
  • My boss somehow got one of these...

    ...Just yesterday. It was the HDDscan scam. I was able to remove it (with hijack this and malware bytes), but I have no idea where he got it from. Does anyone know how these are being delivered? He claims he didn't do anything abnormal.
    lostarchitect
    • See my post above

      NT
      The one and only, Cylon Centurion
    • RE: From rogue AV to fake disk clean-up utilities

      @lostarchitect

      Users always claim that...
      kukamonga
    • PORN...

      @lostarchitect ...is the answer you're looking for.
      Stormbringer_57th
      • RE: From rogue AV to fake disk clean-up utilities

        @Stormbringer_57th I dunno...I've surfed my share of p*rn and haven't been infected, and my wife's run across these a couple of times without looking at "naughty" pictures...
        AmraLeo
    • RE: From rogue AV to fake disk clean-up utilities

      @lostarchitect The ones I've come across used Java or PDF flybys.

      Partial solution is to turn off Java in the browsers and in Firefox (don't know how to do this in IE) to make the Adobe Acrobat file formats have the action "Always Ask." "Always Ask" means for Firefox to ask the user whether to save the file or open it in a program like Adobe Reader. Of course, the user has to know that if he or she receives an unexpected PDF they should click Cancel.

      EDIT: Also, in Acrobat Reader you need to turn off JavaScript.
      nightbirdsf
    • RE: From rogue AV to fake disk clean-up utilities

      @lostarchitect The worst cases of infection are actually coming from infected banner ads - some ingenious people actually purchased a bunch of space for banner ads and infected them ... my clients saw a marked increase in infections until I installed firefox with ad-Block plus - now they see none ...

      Ludo
      Ludovit
  • per your article...

    curious, if you pay for it do they leave your computer infected or do they work?

    with the fake AV programs they'd just remain infected after "paying" for it

    clearly i would never pay for such a thing, but it would be interesting to see what approach they took.
    OneTwoc21