Copyright: Dr. Nikolai Bezroukov 1994-2013. Unpublished notes. Version 0.80.October, 2013
Chapter 9: Scareware -- fake antivirus programs, data recovery utilities and like
Note: Material of this page reuses parts of Wikipedia article Scareware
Extortion is usually defined along the following lines (Wikipedia, Extortion):
Extortion (also called blackmail, shakedown, outwresting, and exaction) is a criminal offence of unlawfully obtaining money, property, or services from a person, entity, or institution, through coercion. Refraining from doing harm is sometimes euphemistically called protection. Extortion is commonly practiced by organized crime groups. The actual obtainment of money or property is not required to commit the offense. Making a threat of violence which refers to a requirement of a payment of money or property to halt future violence is sufficient to commit the offense. Exaction refers not only to extortion or the unlawful demanding and obtaining of something through force,[1] but additionally, in its formal definition, means the infliction of something such as pain and suffering or making somebody endure something unpleasant.[2]
Extortionware comprises several classes of extortion-oriented malware and software that by itself provides no value to the user. It is specifically designed to blackmail the user: it claims that the computer is infected with viruses, that the hard drive is failing and all data may be lost, or something similar, and its only role is to scare the user into registering the software and paying the extortionist the demanded fee. Such software uses blackmail to coerce the user into paying for registration (Wikipedia, Blackmail):
In common usage, blackmail is a crime involving unjustified threats to make a gain or cause loss to another unless a demand is met.[1][2] It may be defined as coercion involving threats of physical harm, threat of criminal prosecution, or threats for the purposes of taking the person's money or property.[1][3][4][5][6][7][8] It is the name of a statutory offence in the United States, England and Wales, Northern Ireland, and Victoria, and has been used as a convenient way of referring to other offences, but was not a term of art in English law before 1968. It originally denoted a payment made by English people residing along the border of Scotland to influential Scottish chieftains in exchange for protection from thieves and marauders.[3][4]
This "marketing of services via unjustified threats" uses social engineering to cause shock, anxiety, or the perception of a threat, and is generally directed at non-professional users. In a way this is racketeering, and the RICO statute should be applicable to companies developing extortionware.
Most classes of extortionware mimic security software. The first wave consisted of fake antivirus programs; later came fake operating system tuning utilities (such as registry cleaners), and in 2012 fake data recovery programs (the Data Recovery Trojan). More classes of fake security software keep appearing: practically any category of security program that has wide appeal can be converted into a scareware fake with minimal effort.
This class of program tries to convince the victim to register the rogue program by bombarding the user with constant warnings or threatening messages.
Extortionware is typically packaged with a look and feel that mimics legitimate security software in order to blackmail customers into registering it. The web sites that push it display pop-up advertisement windows or banners with text such as: "Your computer may be infected with harmful spyware programs. Immediate removal may be required. To scan, click 'Yes' below." These websites can go as far as saying that a user's job, career, or marriage would be at risk.[6] Products using advertisements such as these are generally considered extortionware. Extortionware belongs to the broader class of malware or rogue software.
A user can encounter a pop-up on a website indicating that their PC is infected. In some scenarios it is possible to become infected with extortionware even if the user attempts to cancel the notification. Typically those pop-ups are designed to look like they come from the user's operating system when they are actually a web page.
A 2010 study by Google found 11,000 domains hosting fake anti-virus software, accounting for 50% of all malware delivered via internet advertising.[8]
Starting on March 29, 2011, more than 1.5 million web sites around the world were infected by the LizaMoon SQL injection attack, which was used to spread extortionware.[9][10]
Research by Google discovered that extortionware was using some of its servers to check for internet connectivity. The data suggested that up to a million machines were infected with extortionware.[11] The company placed a warning in the search results of users whose computers appeared to be infected.
Figure: spyware dialog from SpySheriff, designed to scare users into installing the rogue software.
Some forms of spyware also qualify as extortionware because they change the user's desktop background, install icons in the notification area (under Microsoft Windows), and generally make a nuisance of themselves, claiming that some kind of spyware has infected the user's computer and that the extortionware application will help to remove the infection. In some cases, extortionware Trojans have replaced the victim's desktop with large yellow text reading "Warning! You have spyware!" or a box containing similar text.
SpySheriff exemplifies spyware/extortionware: it purports to remove spyware but is actually a piece of spyware itself, often accompanying SmitFraud infections. Extortionware may also be promoted using phishing scams.
Another example of extortionware is Smart Fortress. This site scares people into thinking they have many viruses on their computer and asks them to buy its "professional service".
Uninstallation of security software. Another approach is to trick users into uninstalling legitimate antivirus software, such as Microsoft Security Essentials, or disabling their firewall.
In 2005, Microsoft and Washington State successfully sued Secure Computer (makers of Spyware Cleaner) for $1 million over charges of using extortionware pop-ups.[14] Washington's attorney general has also brought lawsuits against Securelink Networks, High Falls Media and the makers of Quick Shield.[15]
In October 2008, Microsoft and the Washington attorney general filed a lawsuit against two Texas firms, Branch Software and Alpha Red, producers of the Registry Cleaner XP extortionware. The lawsuit alleges that the company sent incessant pop-ups resembling system warnings to consumers' personal computers stating "CRITICAL ERROR MESSAGE! - REGISTRY DAMAGED AND CORRUPTED", before instructing users to visit a web site to download Registry Cleaner XP at a cost of $39.95.
On December 2, 2008, the U.S. Federal Trade Commission ("FTC") filed a Complaint in federal court against Innovative Marketing, Inc., ByteHosting Internet Services, LLC, as well as individuals Sam Jain, Daniel Sundin, James Reno, Marc D'Souza and Kristy Ross. The Complaint also listed Maurice D'Souza as a Relief Defendant, alleging that he held proceeds of wrongful conduct but not accusing him of violating any law. The FTC alleged that the other Defendants violated the FTC Act by deceptively marketing software, including WinFixer, WinAntivirus, DriveCleaner, ErrorSafe, and XP Antivirus.
According to the complaint, the Defendants falsely represented that scans of a consumer's computer showed that it had been compromised or infected and then offered to sell software to fix the alleged problems. The FTC alleged that the unlawful conduct netted the Defendants more than $100 million.
On June 25, 2009, the FTC reached a settlement with two defendants, James Reno and ByteHosting Internet Services, LLC. The settlement required the two defendants to pay nearly $1.9 million to the FTC. The settlement also prohibited James Reno and ByteHosting from using deceptive “extortionware” advertising tactics and from installing malicious programs on consumers’ computers.[17]
On February 10, 2010 the United States District Court for the District of Maryland entered a default judgment and order for permanent injunction against Jain, Sundin and Innovative Marketing, Inc. that imposed a judgment of more than $163 million. Subsequently, on May 26, 2010, Jain, Sundin and Reno were indicted by a federal grand jury for the United States District Court, Northern District of Illinois for wire fraud, conspiracy to commit computer fraud and computer fraud. The indictment alleges that from December 2006 to October 2008, Jain and Sundin placed false advertisements on the websites of legitimate companies. Both Jain and Sundin are currently fugitives, and the FBI is offering a $20,000 reward for information that leads to their arrest.[18]
On January 10, 2011 the FTC reached a settlement with Marc and Maurice D'Souza which resolved the lawsuit brought by the FTC. The settlement required the D'Souzas, who had voluntarily terminated their relationship with the other Defendants at the end of 2006, before much of the alleged unlawful conduct took place, to assist the FTC in obtaining $5 million that was being held in an escrow account and to pay an additional $3.2 million to the FTC.
XP Antivirus 2012 is a deceptive and quite sophisticated rogue anti-spyware program that applies the basic tricks of scams in this category. Though it claims to be a powerful virus remover, keep in mind that this program is the only thing that needs to be eliminated, because it reports invented viruses. To be more precise, XP Antivirus 2012 first creates numerous harmless files that it drops onto the infected computer. Then it pretends to scan the computer and immediately reports numerous viruses that are in reality nothing but those earlier created files. Some of its alerts may mention a Trojan-BNK.Win32.Keylogger.gen threat in order to scare you into purchasing the license that is offered. Note that XP Antivirus 2012 is dangerous and has nothing to do with protecting the computer.
XP Antivirus 2012 manipulates people into believing it is useful software. However, this rogue anti-spyware mostly penetrates a computer without the user's knowledge and approval and opens a backdoor to let in more threats or to allow the scammers to reach your personal information. All this is done with the help of Trojans that infect vulnerable systems through fake video codecs and Flash updates. As you can see, you should not believe XP Antivirus 2012 and its spyware detection reports: they are fabricated and have nothing to do with the true condition of the machine. Don't buy this software even though it promises to fix your computer; remove XP Antivirus 2012 instead.
From InternetNews:
The FBI said late last week that it has filed federal indictments against an Ohio man and two foreign residents in a move meant to halt one of the largest "scareware" malware scams.
Microsoft (NASDAQ: MSFT) hailed the indictments on its On the Issues blog because some of the bogus computer protection programs that the schemers were hawking either masqueraded as Microsoft products or strongly implied they were from the company.
According to the FBI's statement, the alleged perpetrators, who operated out of Ukraine, "caused Internet users in more than 60 countries to purchase more than one million bogus software products, causing victims to lose more than $100 million."
Scareware is a class of malware that, once installed on a user's PC, typically generates fake error messages that alert the user to purportedly serious security deficiencies or to apparent malware infections. The user is told all she or he has to do to remedy the situation is ante up for a similarly fake anti-malware repair program that actually does little to help the victim.
In this case, bogus products that go by names like DriverCleaner and ErrorSafe were sold to unassuming victims for between $30 and $70.
The scam was run by an Amelia, Ohio, man identified as James Reno in concert with Shaileshkumar P. Jain, a US citizen believed to be living in Ukraine, and Bjorn Daniel Sundin, a Swedish citizen believed to be in Sweden, the FBI said in its statement.
All three ran a company named Innovative Marketing, Inc. (IM), which is registered in Belize. The multiple-count indictment seeks $100 million in forfeitures plus any money held for IM in a bank in Kiev.
The alleged shelter company, IM, then set up "at least seven fictitious advertising agencies" that then placed booby-trapped ads on Web pages that would generate the error messages and alerts and hijack users' PCs and take them to sites that supposedly sold the remedial software.
"The scareware went by various names, including WinFixer -- meant to mislead consumers into associating the bogus software with trusted Microsoft products," Tim Cranton, associate general counsel in Microsoft's Digital Crimes Unit, said in the blog post.
"At one time, WinFixer and its variants are thought to have been responsible for 75 percent of scareware worldwide," Cranton added.
Other phony products had names like Malware Alarm, Antivirus 2008, and VirusRemover 2008, the FBI statement said.
Microsoft teams helped the FBI and the U.S. Department of Justice investigate damages caused by the scheme and testified to a federal grand jury in Chicago, where the charges were filed, regarding how the malware scam worked, the blog said.
The case is just the latest in attempts by both government and the technology industry to curb scareware attacks.
Neither has Microsoft been the only technology firm targeted by such scams. For instance, the massive social networking site Facebook was hit by a similar scareware scheme in late January.
"The Department of Justice and the FBI have put a stake in the ground to protect consumers; at Microsoft, we stand beside them in the fight to make the Internet a safer place," Cranton's post concluded.
Users who are potential victims and would like to receive information regarding the criminal case may call 866-364-2621, ext. 1, for periodic updates, the FBI said.
What this program does:
Dr. Guard is a rogue anti-spyware program from the same family as Paladin Antivirus. This rogue is promoted and installed through the use of fake alert Trojans that advertise the program on your desktop. This rogue is also known to be bundled with the TDSS, or TDL3, rootkit. As MBAM is not capable of removing this rootkit, you may need to request further assistance in our Virus, Trojan, Spyware, and Malware Removal Logs forum to remove all of the malware on your computer.
Once downloaded and installed, Dr. Guard will attempt to uninstall various security applications in order to protect itself from being removed. The anti-malware programs that it tries to uninstall include:
- Malwarebytes' Anti-Malware
- F-Secure
- NOD32
- Norton Internet Security
- Avira AntiVir
- Agnitum Outpost Security Suite
- AVG8
- avast!
- AntiVir
The program will then load and start to scan your computer for infections. Once the scan is finished it will state that there are numerous infections on your computer, but will not allow you to remove them until you purchase the program. In reality, the infections that it shows are all fake and do not actually exist on your computer. Therefore, please do not purchase this program based upon any of the scan results it shows.
Dr. Guard also employs numerous methods where it tries to trick you into thinking you are infected. The first method is the display of a Window that impersonates the legitimate Windows Security Center. The difference is that this fake version suggests you purchase Dr. Guard to protect yourself. While the program is running you will also see a constant display of fake security alerts and warnings appear on your desktop and Windows taskbar. These alerts contain dire messages stating that your computer is under attack, all of your data is being deleted, or that personal information is being sent to a remote location. Some examples of the alerts you may see include:
ANTIVIRUS IS RUN IN DEMO MODE. ACTIVATE YOUR ANTIVIRUS OTHERWISE ALL THE DATA WILL BE LOST OR DAMAGED!
DANGEROUS! ANTIVIRUS DETECTED SOME HARMFUL PROGRAMS ON YOUR PC! THEY MAY CORRUPT YOUR INFORMATION OR SEND IT TO HACKERS.
PLEASE, OPTIMIZE YOUR PC. IT RUN ONLY 10%.
NEED HELP? PLEASE, CONTACT DR. GUARD CUSTOMER SUPPORT SERVICE.
Windows Firewall has detected unauthorized activity, but unfortunately it cannot help you to remove viruses, keyloggers and other spyware threats that steal your personal information from your computer
System files of your computer are damaged. Please, restart your system ASAP.
There are some serious security threats detected on your computer. Please, remove them ASAP.
There are some serious security threats detected on your computer: viruses, trojans, keyloggers, exploits etc.
Your computer and all your personal data are in serious danger.
Protection: Click the balloon to install antivirus software.
Defenseless OS: Windows 2000/XP/Vista
Description: Spyware. Blocks access to computer. Attacks porn sites visitors.
Protection: Click the balloon to install antivirus software.
Just like the fake scan results, these fake alerts are just another tactic where Dr. Guard is trying to convince you that you have a security problem on your computer.
As you can see, Dr. Guard was created to trick you into thinking you are infected so that you will then purchase the program. It goes without saying that you should definitely not purchase this program, and if you already have, please contact your credit card company to dispute the charges. To remove this infection and any related malware, please use the removal guide below.
Dr. Guard registry information:
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\SimpleShlExt
HKEY_CLASSES_ROOT\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}
HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\SimpleShlExt
HKEY_LOCAL_MACHINE\SOFTWARE\Dr. Guard
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Dr. Guard
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Dr. Guard"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{5E2121EE-0300-11D4-8D3B-444553540000}"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = "1"
Entries for this program found in the Add or Remove Programs control panel:
Dr. Guard
Tools needed for this fix:
Symptoms that may be in a HijackThis log:
O4 - HKCU\..\Run: [asr64_ldm.exe] %Temp%\asr64_ldm.exe
O4 - HKCU\..\Run: [Dr. Guard] "C:\Program Files\Dr. Guard\drguard.exe" -noscan
Guide updates:
02/19/10 - Initial guide creation.
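The registry and HijackThis entries above boil down to two persistence indicators worth checking on any box that shows these symptoms: an autorun (Run key) value whose executable lives in %Temp% or another user-writable directory, and the DisableTaskMgr policy that keeps the victim from killing the process. The script below is an added example, not part of the removal guide quoted above and not the page author's own code. It parses HijackThis-style O4 lines (the sample list is constructed, modelled on the two entries above plus one benign entry) and flags such entries; on Windows it rebuilds the same lines from the live HKLM/HKCU Run and RunOnce keys with winreg and reports the DisableTaskMgr value. The list of user-writable locations and the *guard name pattern are heuristics assumed for this example.

```python
"""Flag autorun entries that match the Dr. Guard persistence pattern.

Added example: parses HijackThis-style O4 lines (constructed sample below) and,
on Windows, the live HKLM/HKCU Run keys plus the DisableTaskMgr policy.
"""
import re
import sys

# Constructed sample modelled on the guide's two O4 lines plus one benign entry (not a real log).
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\SMax4.exe /tray",
    r"O4 - HKCU\..\Run: [asr64_ldm.exe] %Temp%\asr64_ldm.exe",
    r'O4 - HKCU\..\Run: [Dr. Guard] "C:\Program Files\Dr. Guard\drguard.exe" -noscan',
]

# O4 - <hive>\..\<key>: [<value name>] <command line>
_O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")

# Locations a legitimate autorun almost never executes from (heuristic assumed for this example).
USER_WRITABLE_ROOTS = ("%temp%", "%tmp%", "%appdata%", "%localappdata%",
                       "%userprofile%", r"c:\documents and settings", r"c:\users",
                       r"c:\windows\temp")


def parse_o4(line):
    """Return (hive, key, value_name, command) for an O4 line, else None."""
    m = _O4_RE.match(line.strip())
    return m.groups() if m else None


def command_image(command):
    """Extract the executable path from a Run command line.

    Handles the quoted form ("C:\\x y\\z.exe" -arg) and the unquoted form
    (C:\\x y\\z.exe /arg) by cutting at the first .exe."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.exe)\b", command, re.I)
    return m.group(1) if m else command.split(" ", 1)[0]


def suspicious_autorun(value_name, command):
    """Return the reasons an autorun entry looks like the rogue's persistence (empty = clean)."""
    image = command_image(command).lower()
    reasons = []
    if image.startswith(USER_WRITABLE_ROOTS) or "\\temp\\" in image:
        reasons.append("executable in a user-writable/temp location")
    if image.endswith("guard.exe") or value_name.lower().rstrip().endswith("guard"):
        reasons.append("name matches the *guard pattern of this rogue family")
    return reasons


def scan_lines(lines):
    """Scan O4 lines; return [(key path, value name, image, reasons)] for flagged entries."""
    findings = []
    for line in lines:
        parsed = parse_o4(line)
        if parsed is None:
            continue
        hive, key, name, command = parsed
        reasons = suspicious_autorun(name, command)
        if reasons:
            findings.append((f"{hive}\\..\\{key}", name, command_image(command), reasons))
    return findings


def live_autoruns():
    """Windows only: rebuild O4-style lines from the real Run/RunOnce keys via winreg."""
    import winreg
    lines = []
    for hname, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER)):
        for sub in ("Run", "RunOnce"):
            try:
                key = winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion" + "\\" + sub)
            except OSError:
                continue
            with key:
                i = 0
                while True:
                    try:
                        name, value, _ = winreg.EnumValue(key, i)
                    except OSError:
                        break  # no more values under this key
                    lines.append(f"O4 - {hname}\\..\\{sub}: [{name}] {value}")
                    i += 1
    return lines


def task_manager_disabled():
    """Windows only: True if HKCU\\...\\Policies\\System DisableTaskMgr is 1 (the rogue sets it)."""
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                            r"Software\Microsoft\Windows\CurrentVersion\Policies\System") as key:
            return winreg.QueryValueEx(key, "DisableTaskMgr")[0] == 1
    except OSError:
        return False


if __name__ == "__main__":
    if sys.platform == "win32":
        lines = live_autoruns()
        if task_manager_disabled():
            print("DisableTaskMgr=1: Task Manager is blocked; delete the value, use taskkill meanwhile")
    else:
        lines = SAMPLE_O4_LINES  # off Windows, demonstrate on the constructed sample
    for where, name, image, reasons in scan_lines(lines):
        print(f"{where} [{name}] -> {image}: {'; '.join(reasons)}")
```

On the constructed sample the benign SoundMAX entry passes and the two Dr. Guard entries are flagged: the %Temp% loader for its location, the "Dr. Guard" value for its name. The location heuristic is the one that generalises to other rogue families; the name check is specific to this one.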
An interesting part of the problem with this malware is that it blocks execution of many programs, including programs you try to launch from CD/DVD, in perfect "reverse antivirus" fashion :-). It also sets a fake proxy in the IE proxy configuration, pointing the proxy at localhost (which means that the malware runs a proxy on the computer). In my case the port was 5555. Knowing this port, you can identify which program acts as the proxy via netstat.
When the Windows screen first appears, hit Ctrl-Alt-Del. This gives you the Task Manager. Then search for the program whose name ends with "guard", for example xylbsguard.exe, and kill it. (If the rogue has set the DisableTaskMgr policy listed in the registry information above, Task Manager will refuse to open; in that case kill the process with taskkill from a command prompt, or boot from a rescue CD.)
Once you have stopped this program, combine Microsoft Security Essentials (the free AV tool from Microsoft) with some more specific tool. For example, the instructions in Remove Antivirus System Pro (Uninstall Guide) recommend Malwarebytes' Anti-Malware. The latter works OK, but like a virus it is difficult to remove ;-)
The key here is to understand that you are probably dealing with a combination of infections, of which Antivirus Pro is just one component; they were injected when you hit some rogue web site (often of Eastern European origin). Additional components might include Alureon.F, Hotbar, Renos.KS, Renos.JW, Bravine.A, etc. Of these, Alureon looks pretty disturbing:
Win32/Alureon is a family of data-stealing Trojans. These Trojans allow an attacker to intercept incoming and outgoing Internet traffic in order to gather confidential information such as user names, passwords, and credit card data. The Win32/Alureon Trojan may also allow an attacker to transmit malicious data to the infected computer. The Trojan may modify DNS settings on the host computer to enable the attacker to perform these tasks. Therefore it may be necessary to reconfigure DNS settings after the Trojan is removed from the computer.
As Antivirus Pro installs a proxy on the computer, after killing the *guard.exe process in memory you can run AV programs from a CD. Remember to clear the proxy setting afterwards (Internet Options, Connections, LAN settings), otherwise the browser will keep trying to reach a proxy that no longer exists.
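To find the process behind the localhost proxy described above, correlate the ProxyServer value from the IE settings with the output of netstat -ano (which prints the owning PID of every socket) and tasklist. The script below is an added example, not the author's own procedure or a tool from the page. The netstat and tasklist output it parses is a constructed sample (port 5555 and the xylbsguard.exe name are taken from the text; the PIDs and the other processes are made up); on Windows it reads the real ProxyEnable/ProxyServer values from HKCU and runs the real commands instead.

```python
"""Find the process behind the rogue's localhost proxy.

Added example: correlates the IE ProxyServer setting with `netstat -a -n -o`
(which prints the owning PID) and `tasklist /FO CSV`. Off Windows it runs
on the constructed sample output below.
"""
import csv
import io
import re
import subprocess
import sys

# Constructed sample `netstat -a -n -o` output (not captured from a real machine).
# PID 1728 listens on the proxy port; PID 2244 (the browser) is being routed through it.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    127.0.0.1:5555         0.0.0.0:0              LISTENING       1728
  TCP    127.0.0.1:1052         127.0.0.1:5555         ESTABLISHED     2244
  TCP    192.168.1.10:1053      93.184.216.34:80       ESTABLISHED     2244
"""

# Constructed sample `tasklist /FO CSV /NH` output.
SAMPLE_TASKLIST = '''"System","4","Console","0","236 K"
"svchost.exe","900","Console","0","4,912 K"
"xylbsguard.exe","1728","Console","0","6,240 K"
"iexplore.exe","2244","Console","0","38,100 K"
'''

LOOPBACK = ("127.0.0.1", "localhost", "::1", "[::1]")
_LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$", re.I)
_ESTAB_RE = re.compile(r"^\s*TCP\s+\S+\s+(\S+):(\d+)\s+ESTABLISHED\s+(\d+)\s*$", re.I)


def parse_proxy_server(value):
    """Parse the ProxyServer registry string: "host:port" or "http=host:port;https=...".
    Returns (host, port) of the HTTP proxy, or None."""
    for part in value.split(";"):
        proto, sep, addr = part.partition("=")
        if not sep:  # single "host:port" form applies to all protocols
            proto, addr = "http", part
        if proto.strip().lower() == "http":
            host, _, port = addr.strip().rpartition(":")
            if port.isdigit():
                return host, int(port)
    return None


def find_listener_pids(netstat_output, port):
    """PIDs of processes LISTENING on local TCP `port`."""
    return sorted({int(m.group(3)) for m in map(_LISTEN_RE.match, netstat_output.splitlines())
                   if m and int(m.group(2)) == port})


def proxied_client_pids(netstat_output, port):
    """PIDs with an ESTABLISHED connection to the loopback proxy port (the apps it intercepts)."""
    return sorted({int(m.group(3)) for m in map(_ESTAB_RE.match, netstat_output.splitlines())
                   if m and m.group(1) in LOOPBACK and int(m.group(2)) == port})


def pid_to_image(tasklist_csv, pid):
    """Map a PID to its image name using `tasklist /FO CSV /NH` output."""
    for row in csv.reader(io.StringIO(tasklist_csv)):
        if len(row) >= 2 and row[1].isdigit() and int(row[1]) == pid:
            return row[0]
    return None


def triage(proxy_server_value, netstat_output, tasklist_csv):
    """Return [(pid, image, looks_like_rogue)] for the processes serving the configured
    proxy; empty when the proxy is remote (the trick on this page is a *local* proxy)."""
    parsed = parse_proxy_server(proxy_server_value)
    if parsed is None or parsed[0] not in LOOPBACK:
        return []
    results = []
    for pid in find_listener_pids(netstat_output, parsed[1]):
        image = pid_to_image(tasklist_csv, pid) or "<unknown>"
        results.append((pid, image, image.lower().endswith("guard.exe")))
    return results


def live_triage():
    """Windows only: read the IE proxy settings from HKCU and run netstat/tasklist for real."""
    import winreg

    def run(*cmd):
        return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

    path = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
            enabled = winreg.QueryValueEx(key, "ProxyEnable")[0]
            server = winreg.QueryValueEx(key, "ProxyServer")[0]
    except OSError:
        return []  # no proxy values present
    if not enabled:
        return []
    return triage(server, run("netstat", "-a", "-n", "-o"), run("tasklist", "/FO", "CSV", "/NH"))


if __name__ == "__main__":
    if sys.platform == "win32":
        found = live_triage()
    else:
        found = triage("127.0.0.1:5555", SAMPLE_NETSTAT, SAMPLE_TASKLIST)
    for pid, image, rogue in found:
        flag = "  <-- matches *guard.exe" if rogue else ""
        print(f"proxy listener PID {pid} = {image}{flag}")
    # once confirmed: taskkill /PID <pid> /F, then clear the proxy in Internet Options
```

The proxied_client_pids helper answers the second question a responder asks: which programs are currently being routed through the rogue (in the sample, only the browser). A proxy that points at a non-loopback host is deliberately left alone, since that is a corporate proxy rather than this malware's trick.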
Of course, restoring from a clean Ghost or MaxBlast/Acronis True Image image is a better way to spend your time than playing Sherlock Holmes with some unknown, probably Eastern European, jerks.
Good analysis can be found at:
- Encyclopedia entry TrojanWin32-FakeScanti - Learn more about malware - Microsoft Malware Protection Center
- Win32-WindowsAntivirusPro Family - CA
It looks like the latest version of Windows Defender can be effective against this malware too.
Copyright © 1996-2021 by Softpanorama Society. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
Last modified: March, 12, 2019