Rogue AV programs have become increasingly common in the last two years. We at the SANS Internet Storm Center get messages from our readers about new rogue AV sites daily. |
Bojan 396 Posts ISC Handler | Sep 17th 2009 |
Most home users are so braindead around the computer that they need an IT professional holding their hand... it's that plain and simple. |
Anonymous | Sep 17th 2009 |
Part of the problem is that people in IT are lucky. To do our jobs we need to know how a computer works. People in other businesses need to know how to do their job AND know how a computer works. |
Anonymous | Sep 17th 2009 |
Guessing RJX does not work in IT. Yeah, your point may be right: we get to "just" know computers, but part of your job is to know computers too, and you still slack at it, so the above fake AV still happens, and very often, since normal users are, as joeblow said, too braindead.
Just so you know, I don't "just know computers". I am an Information Security Specialist and I know a lot more than computers. I also have to know vulnerabilities, how to exploit those vulnerabilities, how to fix those vulnerabilities, networking, different OSs, and how to keep normal users from screwing the entire company over. |
Anonymous | Sep 17th 2009 |
Sorry, screen refreshed. |
Anonymous | Sep 17th 2009 |
One must be more concerned when the security solution they use is from a HIGHLY REACTIVE and sleeping vendor. Here is the detection when the last sample was submitted: ONLY 4 OUT OF 41, and the vendor is still analyzing.
https://www.virustotal.com/analisis/5a0022f6e17b10622d45f8ba85616be27264987e7750b868ab532c5a660cf31f-1253129224 |
Ramu 12 Posts | Sep 17th 2009 |
Not only do we have to know computers and all the software that is running on them, we also have to know how to remove these fakes once they do get installed. I have had 2 stations so far and both users had no clue as to how they got there. |
Ramu 17 Posts | Sep 17th 2009 |
"LAWL" at the "we know computer" people.
In reality, the problem is the culture of antivirus and Windows security in general. The market has conditioned the users into believing that "secure" means "secure" - when in fact, most security products are about as security related as the "ENCRYPTED/Secure Site" graphic in the bogus page sample above. In a world where snake-oil abounds... statistically, this "fake" AV product is only slightly less effective than most "legit" ones. Q.v. the VirusTotal comment above, lmao - and both the "fake" and the "legit" have the same goal and the same technique: get the sucker's money, and make them "feel good". |
Steven 42 Posts | Sep 17th 2009 |
I've often thought that what lends credence to these fake sites is that IE and Windows Explorer are so closely related. If you're in Firefox/Safari/Chrome/Opera it's more clear that the page wasn't created by Windows, and that you're looking at a web page.
I'd be curious to see the web browser statistics on these sites. |
jtanium 3 Posts | Sep 17th 2009 |
The new fake antivirus programs tend to be harder to remove, and leave some security holes even after you take them out.
Some new ones that have shown up since yesterday at about noon (EDT) also attempt to load a proxy and, I assume, a data grab tool as well. The way these things are written, it seems they time out on some machines after they reconfigure the network layer and do not re-enable the LAN adapter. Of course, if I found 3 that failed to do this, chances are there are a lot more that succeeded. Hold on... rough ride ahead! -Al |
Al of Your Data Center 80 Posts | Sep 17th 2009 |
They are successful because they put in the effort on the front-end to look legitimate. If end-users pay any attention to the stories about identity theft and super-worms, they are frightened into downloading the program because it looks like something from their own operating system.
This is contrary to shotgunning SPAM with broken English and hoping you get enough idiots to click. |
Jasey 93 Posts | Sep 17th 2009 |
One of the programs I like to use is ComboFix.
Has anyone been able to get it to run off a CD or flash drive, as I know it seems to only run off the desktop? |
Jasey 17 Posts | Sep 17th 2009 |
I have been calling this stuff extortionware. And I have been wondering why government has not managed to find these people. Extortionware has been around for at least half a decade to my direct knowledge, and a single credit card transaction should lead any competent law enforcement organization right to them. |
KBR 63 Posts | Sep 17th 2009 |