Rogue security programs are 'ongoing threat'

Summary: Symantec's report on rogue security software noted that 250 rogue security programs launched some 43 million attempts to prompt user installation between July 2008 and June 2009.

Rogue security software, also dubbed scareware, is an "ongoing threat" that largely affects users in English-speaking markets, according to findings from a year-long study by Symantec.

Released Tuesday, Symantec's report on rogue security software noted that 250 rogue security programs launched some 43 million attempts to prompt user installation between July 2008 and June 2009.


Further analysis of the 50 most reported scareware programs was carried out between July and August this year, during which Symantec found that 38 of the programs had been detected prior to Jul. 1, 2008.

"The continued prevalence of these programs emphasizes the ongoing threat they pose to potential victims, despite efforts to shut them down and raise public awareness," the security vendor said in the report.

The five most commonly reported rogue security applications during the study were SpywareGuard 2008, AntiVirus 2008, AntiVirus 2009, Spyware Secure and XP AntiVirus.

For more, read "Rogue security programs are 'ongoing threat'" from ZDNet Asia.

Topic: Security


Talkback

36 comments
  • The sites of these 'rogue security programs'

    Should be immediately shut down when they are
    found, by doing a DDoS attack if necessary.
    There is no reason to allow these bastards to
    shill their break-ware on the rest of us in the
    world.
    Lerianis10
  • Getting worse...

    I've seen a huge increase in infections from these programs lately. The pop-up advertising from browsing is getting very convincing. It's sad when users can even recognize the AV program that is actually on their computer over a rogue pop-up that looks legit, but can be easy to spot as fake.
    Narg
    • Not always so easy to spot...

      I once got a very realistic popup that looked like a Vista Computer window with a fake scanning progress bar. Now I've never seen a scanner in the Computer window, but if you're a new Vista user, you don't know how Vista works yet! 'Maybe that's how Windows Defender works now', they may think.

      Fortunately I was on my XP laptop when it happened and didn't get click happy with it. I would have shut it down with task manager anyway; I've got into that habit a long time ago, because of regular malicious popups. So now I do it with many processes Windows doesn't want to close.

      I only click the red [X] if it is a bona fide IE or FireFox window, and even then, I have now begun closing those using the task bar.
      JCitizen
      • Actually, yes...

        I tell my users who ask me about it, give your drives a name. The scareware animation will say "Scanning: Local Disk (C:)", but your C:\ drive label is "My_C_Drive", not Local Disk, which is no drive label.

        Another trick is to either split your C:\ into two partitions or install another hard drive. The animation assumes you only have one drive/partition (note that the drive size is never displayed). "Where's the D:\ drive?" -- Obviously a trick.

        Then use any of the herein described methods to kill the threat.
        Worth2Cents
        • I simply tell my users...

          to end ALL unexpected process or changes with task manager, then run CCleaner to clean out the temp files.

          NIS 2010 reports blocking some of them.

          MBAM blocks every one of these anyway, so far.

          Even someone on a budget can afford the lifetime license.
          JCitizen
  • Advice ! !

    Hit Ctrl + Alt + Del FAST if a web page says scanning your computer or won't let you exit the page or has a click to exit prompt, and close the browser window from task manager.

    Failing this, hit the RESET button FAST!!!!
    chaz15
    • Close the tab or the browser.

      First, always keep your OS and browser up to date.

      But in general, close the tab or the browser. An ad like this can't control the browser itself, just the page.

      Don't click on the page itself or download anything.

      Generally, it's not a big deal as long as everything is up to date.
      CobraA1
      • I hit Ctrl-Alt-Del and then task manager..

        just to hedge on the safe side; once in a while I have simply closed the window using the task bar. Like you said, it isn't a particularly big deal as long as you don't click anywhere on the window.

        However I got one that looked EXACTLY like a UAC box, and the only reason I didn't click [cancel], was because I was too busy trying to write down the goofy code string I saw on the box. It timed out before I could check it out. Next time I'll take a screen shot.

        I didn't even notice there was no password box on it, even though it was on the restricted account!
        JCitizen
        • That was me - that was my nanny screen

          And it was put there simply to annoy you.

          :D
          Wintel BSOD
          • HA!HA!...

            I like your moniker there! :^0

            Perfect comeback!! =)
            JCitizen
  • RE: Rogue security programs are 'ongoing threat'

    I recently ran into this situation with "SOFT SOLDIER" I ended up using Malwarebytes Antimalware and IOBIT 360 to get rid of it...... I Highly recommend Both Programs C.E.Wilson
    RUGRAT54
    • MBAM works!!..

      Yep - I put it on, and no more scareware!

      No more Halloween BOO! for me! HA!
      JCitizen
  • The ad system needs an overhaul.

    The ad system needs an overhaul. We can't really trust the current ad agencies anymore. We need more responsible ones.

    One thing that REALLY annoys me is ads that resize or break out of their ad squares. Even ZDNet has such ads.

    Frankly, maybe it's time to get rid of Flash ads and go back to images and text ads.

    ZDNet, are you willing to take a stand on what types of ads you will allow?
    CobraA1
    • Use AdBlock Plus...

      and that is what you'll get. I haven't seen an ad in a LONG time! Not even the underlying text ones!
      JCitizen
      • RE: Use Ad Block Plus

        Like you, I have not seen an ad on ZDNet in a long time. And I can point to Ad Block Plus as the reason why. Couple it with a good set of filters, and you can kiss obnoxious ads goodbye!!

        One of the primary reasons why I block ads is due to their consuming MY bandwidth, and slowing down page loads. It is the worst when dial up is your only ($$$) acceptable option.

        Many sites serve up ads from third party CDN (I call them crap delivery network) sites, like akamai.net. Recently, the NY Times was serving up poisoned ads from an infected ad server. Why even take the chance. If it comes from a third party site - BLOCK IT!!! That is one way to kill XSS (cross site scripting) attacks.

        Browser users have to be vigilant. Using a computer is not set and forget! unless you want to be 'pwned'.
        fatman65535
        • For sure!...

          and for my clients that refuse to use FireFox, I put SpywareBlaster on the PC, which is almost as good.

          There are good host files out there for IE 8 as well, but I haven't looked for them in a while.
          JCitizen
  • Rogue security programs

    Ran into the same problem when a friend brought me their laptop after failing to remove an "antivirus program" -- Windows PC Defender. It was the worst situation I've come upon. I would remove the app through normal means only to have it crop up again after rebooting. Finally, after several hours of research, I discovered that not only had it been installed in Program Files, but that it had placed another .EXE file in a hidden directory. Seems that after the uninstall and reboot, the hidden file reinstalled it. Makes you want to get your hands on some of these guys' computers for a little while.
    Jerry Guinn
  • RE: Rogue security programs are 'ongoing threat'

    Seen this one before in several PCs and it's a pain to get rid of at times. And most of the time these rogue apps will reinstall themselves after reboot, and this is even after you cleared the registry, *.dll, folders and some files manually. Found out the best way to get rid of it was Format C:\. and reinstall Windows and apps and is faster than trying to remove this crap.
    Tracer76
    • Naaa!...

      Here's the scoop:

      1. download MBAM or AdAware and install/update.

      2. Turn off restore and go to file folder applet in control panel and unhide files both check boxes and the one radio button above them
      3. Reboot to safe mode and do a scan; the utility may suggest doing one again.
      4. Reboot and either do another scan or get to normal mode and turn restore back on and rehide the files.

      I've been doing it like this since the '98 days and it is still applicable to Vista even. I must admit, I haven't had to do it on Vista for a long time with what I'm running as real time protection.

      I do not work for any man or company; I just hate malware to pieces!
      JCitizen
  • RE: Rogue security programs are 'ongoing threat'

    What I hate is when I click a link from a Google search and voila! the file counter starts counting all the "bad" files on my computer. So now ya' gotta be careful about reading the abstract on the Google page before selecting a link. They mash a bunch of gobbledygook around one or two of your search terms to make it look reasonable... unless you take a slightly closer look.
    TunerGeek