The ultimate guide to scareware protection

by Dancho Danchev  |  September 13, 2009 5:36pm PDT  |  Image 1 of 58


Diverse portfolio of fake security software (scareware)

In order to avoid the negative publicity of a particular scareware brand, cybercriminals periodically change the brand and the layout of the application. Their intention, however, remains the same: to scam gullible users.
41 Comments

Scams
Quebec99 14th Sep 2009
I have seen many of these screens before, on my own PC. I usually retreat to AVG, Norton, or Symantec sites to check their claims, do online scans, and Google search to find unhappy "users"
there ought to be laws... even so far as a kind of "western justice". BILLIONS of dollars are wasted each year in productivity loss due to these scams!
0 Votes
TrendMicro RUBotted
LBean 14th Sep 2009
You might want to check TrendMicro's RUBotted. I installed this thinking it might be a good idea. Two weeks later it "detected a bot." It instructed me to download some other software to remove the "bot." On attempting to install this software I was informed that I "must" remove SpyBot. When I did that SpyBot had a message stating that TrendMicro could not explain (nor could SpyBot) why Spybot S&D had to be removed.

I smelled a rat and removed RUBotted. None of my other detection programs have detected anything amiss.
0 Votes
semi-scare ware
richard233 Updated - 14th Sep 2009
The problem with RUBotted is that it is also a bit paranoid inducing. After it "detects a bot" make sure you read the log before you go to their clean up. A lot of the time it's for something on the order of somehow you talking to a suspect site. If it's something simple, just clear your log, otherwise consider using something to clean up your system. The problem with the online versus is that it is terribly slow.

I think of RUBotted as a potential semi-scare ware in that it is over reacting to a potential problem in order to get you to go to their site to advertise their software to you. That said, at least they do sell real software as opposed to fake applications that do nothing real.

As to spyware search and destroy, well it does sound kind of nasty, but it is possible that the applications do not play nicely together.

0 Votes
Trend Micro Internet Security...
JCitizen 14th Sep 2009
I went to IS 2006 when Norton was obviously blowing itself up. I really liked the program, but had great difficulty getting the Spybot S&D immunizer to work with PC-cillin. Somehow I got them to work together, but the 2007 product was just as bloated and junky as Norton by that time, and I abandoned all suite software from then on (until now).

Standalone products work way better, and use less system resources. Spybot S&D is finally obsolete, however. My clients are doing much better with Adaware Anniversary Edition and AdWatch enabled. I think this is a move to pitch Safer-networking off the market for good.

MBAM is all you really need though (for malware) with a lifetime license on the real time protection. Just no comparison out there. Superanti-spyware may be doing this now too, but it may hog system resources; I notice the scan does, even without the real-time protection.

Believe it or not, I was basically forced into using NIS 2009 for about a year now, and no viruses! No particular performance hit either!! I was very surprised when I upgraded a client that had NIS 2005 on his older PC, and it improved the performance!! Go figure! I can now recommend it for users with a bigger budget and no particular adeptness for security.
While I have spent some time removing these "Scareware" products from our work computers, I still think a lot of the burden should be on the user (I try and teach them not to go or download them).
0 Votes
I heard that about the users;
doug.miller@... 14th Sep 2009
But as my first boss used to say if it wasn't for the users screwing up we would have one heck of a system here.
0 Votes
I heard about users....
ltrombley 14th Sep 2009
I think most IT professionals should bear in mind that very few organizations are in the business of IT; providing support to users (who are creating wealth by the way) is our purpose. Very few people in IT directly create wealth.....
0 Votes
Great wisdom...
JCitizen Updated - 14th Sep 2009
and besides I don't fault the user, these things come in as drivebys on legitimate sites. My AV blocks them before they have a chance to get through the firewall.

On XP a good Comodo/NOD32/AdAware combo defeats them regularly also.
Would that it was so simple. Gone are the days that we could say "Don't click on attachments, don't download anything and you'll be fine". These days, even visiting a reputable site like the New York Times can lead to a drive by install. Users don't have to actually do anything wrong, compromised websites, compromised website advertising and scripting vulnerabilities lead to infections very easily. Sad state of affairs.
WHAT SOFTWARE CAN STOP-DELETE THIS NEW CODEC ATTACK, DON'T LET IN???
0 Votes
NIS 2009...
JCitizen Updated - 14th Sep 2009
I see it popup, occasionally to tell me it has kicked butt on one variant or another before it even downloads.

That's Norton, but MBAM may be able to block it too, and it has a very economical lifetime license for realtime protection for personal use.

I've seen mine kick butt in real time on a lot of malware (some false-positives), but it won't identify it unless it is already on your PC and being quarantined from a scan. It also fixes any registry cracks the malware has committed.

MBAM = Malwarebytes-antimalware, you can use it free as a scanner - download from CNET or FileHippo
TREND MICRO over the last 3 years is NOT compatible with SpyBot as well as ADAWARE. I've used the Trend AV Software for 4 years and found this out the hard way.
I removed all TRENDS Software and installed a Different one and all was good. If one likes Trend so much they won't replace it, you're going to have to do without SpyBot and Adaware. Not to mention if you had SpyBot running at one time all the flagged/deleted/and quarantined stuff that gets loaded onto ones Registry.
I learned the hard way, with hours and hours of cleaning and removing stuff from my HD/Registry and then some.
Use Trend, you can't use Spybot & Adaware.
Use another AV Program and after using Trend with Spybot & Adaware you're in for hrs of fun and games!
BTW; This is all listed on TRENDS Knowledge Base Page!
0 Votes
a pain in the @ss! I got rid of it and went to NOD32, which LOVES Spybot, Adaware, MBAM, - it don't care 'cause it is just a dang good antivirus. The free Avast is almost as good.

Trend was almost good enough in 2006 to use by itself, but not anymore. I don't use ANY suite by itself ANYMORE, and never will. If the AV can't play nice, it ain't worth have'n. I spent two years tearing my hair out and running laboratory honey pots to find this out.
0 Votes
The Ultimate way to stop this
CaptOska 14th Sep 2009
Is for the various credit card industries to install a method to actively deny charges to an identified scamware business. Heck, they have the power and should use it to prevent this type of fraud.
I think it was Trendmicro that made PC-cillin. I tried it when I was looking for an alternative to resource hog Norton Internet Security. I had problems with PC-cillin where after a couple weeks my computers would start slowing down. I timed certain functions. Cold start boot-up times approached 15 minutes! No exaggeration! When on line changing a page at a website would take between 6 and 10 minutes. It didn't matter whether it was reading an article or purchasing an item. Again, the boot up and general slow downs would occur after a couple weeks. After I was able to document the behavior and its pattern I engaged in a week long exchange with TrendMicro. The solution was to delete the setup and re-enter the teaching mode. It did return process speeds back to normal, but 10 days to two weeks later, same old thing. I also didn't care for the inability to pause a virus scan once it started after the scan progressed past a certain point. Too many times an immediate need arose and the scan couldn't be stopped to perform the task and the computer had to be powered off and restarted to wrest control back. I tried a couple other security programs, but ended up going back to Norton/Symantec. Their triple license for each program really sweetened the deal since my network is fairly small. To be fair, TrendMicro also offered the triple license, but even a dozen licenses wouldn't make it a good deal with the results I was getting. Oh yeah, my machines are running XP Pro on three machines and Vista on one.
0 Votes
Same here..
JCitizen 14th Sep 2009
but don't quit using addon malware defenses, Norton Internet Security plays very well with any anti-malware that doesn't have a virus engine.

I was really shocked to see Norton cleanup their act for this year. They got rid of the bloat, and are very reliable - I've double checked it several ways - by uninstalling it and scanning with NOD32, and running a malware scanner with anti-virus (Lavasoft), just to make sure. No viruses for a year - and this is a lab honeypot, so it gets a lot of combat duty.

The only rub is they use some kind of partitioned background scanning for certain trusted applications as a substitute for heuristics. Apparently finding they could compartmentalize it and lower system usage.

I'm not sure I like that as a heuristic engine, but I must admit, it is fast anyway. It has blocked threats from all angles. From infected DVDs, USB, flash media, IM messenger attacks, Port 80, you name it, it stops it quick!

It has a smart firewall that pretty much stops the leaks unless you got AT&T and have to reset the IP so it will pass a firewall test. I'm not convinced it has outbound blocking as good as Comodo. With the overall features I say it is well worth it.

I do not work for any man or company, I just hate malware to pieces!!!
I also check with zdnet.com and cnet.com to check on legitimacy
...and on the same ZDNet Page is an ad for PCTools for anti-virus software.

How in the world is a non-technical business person supposed to differentiate the malware from the legits?

I feel sorry for PC users these days.. they can't win for losing.....

The Credit card idea is sort of interesting though.....

0 Votes
Simple rule...
JCitizen 14th Sep 2009
don't click on anything you didn't purposely initiate. A legitimate anti-virus is not going to pop up out of nowhere and offer to scan your computer and hold it hostage until you pay.

Simple. Don't click on any popups that you aren't sure of - end them with task manager.
0 Votes
I hate it when users get this!
rupaa62 14th Sep 2009
I work in IT and when stupid users get this you tell them to shut off their PC or laptop but they keep working on their data not thinking this software may be sending their data to someplace in the world. The users hate it when I yell at them when they tell me their computer is off but they turn it back on. When any of these scumbag softwares (as I call them) I rebuild the users PC to make sure it's clean. If they did not save their data to the network, I tell them all is lost. It's good to make users feel stupid for their dumb web surfing actions.
0 Votes
You're in IT Support?
selby@... 14th Sep 2009
Haven't you been noticing? This happens even on legitimate sites. Making a person feel stupid for asking your assistance is not my idea of customer support. Educating them to understand when something bad happens and to ask for help right away would be better for you and the Help Desk than teaching them that they will be berated when they run across something like this and need help.
0 Votes
I have tried this method for a long time and have finally given up. You cannot fix stupid. My co-workers only care about when it is going to be fixed, not how it happened or prevention. They do not care; "fix it, I am going to lunch" is their solution. So I think a little berated is needed. Since no one has invented an anti stupid pill.
0 Votes
My CIO would have fired you ...
JCitizen 14th Sep 2009
for treating a client like that. Like someone else on this thread pointed out, those "users" are an asset gain, for the company. In IT we just try to keep from losing money for the company.

That "user" is working and employed to make money for the company, and does it for every minute they are on the job. We IT types are lucky if we can make the operation break even. I wouldn't be so inclined to diss your working clients in that manner.
0 Votes
Most C suits do not have a clue
MLHACK 15th Apr 2010
You went wrong with my CIO has no idea O. C level suits are not true IT people most are MBA holders with no real world IT skills.
0 Votes
The most expensive free
dragonmago@... 14th Sep 2009
Perhaps living in South-America has attuned me to a reality every web surfer could learn from: Free does exist, but UNSOLICITED free is quite possibly the most expensive free you can ever get.
I knew it! When they are in your face they are a fraud.
I've been closing them as fast as they come up and yes, I've seen some of these.
I was suckered into buying one of these programs, (PcDrPro) about 6 or 8 weeks ago. I discovered within 15 or 20 minutes that it was a scam because it found a "potentially dangerous file" "C:\Windows\messenger\messenger.dll"

The first week I bought my computer, I had deleted Messenger, all of its directories and sub-directories, as well as all its registry entries. The named file and path that PcDocPro found did not exist on my computer.

I immediately started calling the only phone number they had (a modem, btw) as well as down loading the "PcDocPro" program just as fast as I could click the download button to get their attention because they had no e-mail or street address listed anywhere on their website.

I finally got a hold of the people who process their payments who gave me an immediate refund. I felt very lucky to get the refund. The owner or someone in control called me the next day to ask why I didn't want the program so I told him and he tried to explain how the program could find programs that didn't exist on my computer. I finally broke off the conversation as I felt that I was talking to a criminal.

I also noticed that in the path statements to "potentially harmful files" (mostly "DLLs") sometimes the path started with an upper case "C:\*.*" and sometimes with a lower case "c:\*.*"

Hopefully no one will ever have a need for this info who has read this article.

slocode
0 Votes
I was lucky too..
JCitizen 14th Sep 2009
The one I got hit with looked like the official system Vista Computer screen, and I thought my PC was malfunctioning. So I opened task-manager to end it.

Turns out that was what you're supposed to do. Whew!! Now my anti-virus tags them every time.
0 Votes
PAV
TheBrass 15th Sep 2009
The last couple of weeks I have removed Personal AntiVirus (PAV) from several computers along with a few that were listed in the article. In about every case, Limewire was also being used on the computers.
0 Votes
Scams
trm1945 15th Sep 2009
There are so many that it's almost a legal activity now.
ZDNet could do its readers a favor by providing a text list, each item linked to the image pages, and a downloadable image collection in a single file so that we don't have to waste time clicking through all these separate pages! An efficient alternative would be a PowerPoint file! It is maddeningly time-wasting for those who don't have screamingly-fast DSL or better!
0 Votes
Can't stand the "gallery" template that ZDNet uses
danatodd Updated - 15th Sep 2009
I f*ing hate the ZDnet page templates. Viewing this photo gallery I have to load a new page every time. Nice for ZDNet cuz they get more ad impressions, but a total pain for users. Also, I hate your comments tree software. It also makes me click way too many screens...why on earth can't you just facilitate a comment eye-scan by us poor readers? Gah!
0 Votes
The more of a pain - the less I use it.
rj_wilson@... 16th Sep 2009
The more of a pain - the less I use it. When an item takes 30 clicks / pages - it is useless. I just close zdnet & move on.
0 Votes
Can't Stand ZDNet Gallery
MTLaura 16th Sep 2009
Maybe I haven't had enough coffee this morning to understand your problem....but why do YOU have your browser set up to bring up new pages instead of tabs? I just went thru the lot using one tab and clicking the 'Next' link. When I'm done with the site, I will close one tab.
It's too early for me wink
0 Votes
It's about time someone said something. It is ridiculous for a computer / IT website to be in the 1980's. You have great articles but they are a pain to read!
0 Votes
OK - What do you suggest
rvictor 21st Dec 2009
Hi Baptie,

What image viewer do you suggest that would be an improvement for ZDNet?

I personally think the "flat view" should be the default view.

R
0 Votes
some will never learn
paladin2 17th Sep 2009
There's an unfortunately large percentage of people who fall for what seem to me obvious scams. I'm about half educated computer wise and long ago I learned certain basic things. Like "who is this telling me my computer is 'infected' and why?". I use Bitdefender Internet Security 2009, Counterspy, Winpatrol paid version and threatfire free version and I don't get them except on my gmail page. And what kind of dope falls for such stuff, with no investigation at all, no googling the name, no nothing? The same people I talk to who ask stuff like "what's defragmenting?" and "I really need antivirus and stuff?" And there's a lot of people like that. I live in a small town in Costa Rica with a large expatriate population and am considered a computer expert because I know how to download and run the WinCleaner trial and/or TuneUp utilities or CCleaner and just clean them of gigabytes of crap and they're "like new" till the owner gunks them up again. Fact is, most people don't give a crap until it causes them a problem or a dollar. And with it being such a big scam there must be as many idiots out there as I imagined.
You guys are right...many people, who are also intelligent, fall for these fake scams, saying that they look so official!!..and many who use LIMEWIRE and BEARSHARE almost always get these rogue programs installed onto their PC's. I clean up these PC's ALL the time...make good money doing it too!!!!LOL..
I'm very impressed with your intelligence level, super smart and it is so evident!!!!
A little off topic of the theme but this has to be said in light of all the high cost bailouts caused by your ilk. You claim to create wealth. Create wealth??? Or merely re-distribute it?? And charge for it. Get a grip on your self inflated sense of worth.
