Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Endpoint Security Blog

Preventing Rogue Security Infections

Created: 15 Jun 2010 • Updated: 15 Jun 2010 • 4 comments
khaley's picture
+4 4 Votes
Login to vote

There are a lot of big numbers being thrown out in the security world these days.  Seems like every week a new stunner comes out.  Last week we  announced the discovery of 44 million stolen credentials from gamers.  https://www-secure.symantec.com/connect/blogs/44-million-stolen-gaming-credentials-uncovered 
 
So given all those headlines you may have missed a very telling one.  The FTC reported that a scareware (what we call a misleading application or rogue security) vendor between 2004 to 2008 made $163,167,539.95.   http://www.ftc.gov/os/caselist/0723137/100304jainamendedjudgement.pdf
 
We've done a lot of estimation on the size of the underground economy.  But we’ve never been able to examine the books for one of these criminal gangs.   The FTC has.  Think it's strange that a bunch of cybercriminals might “keep the books” and have accountants?  Well this particular criminal group, wasn’t just run like a company; it actually was a company.  Innovative Marketing had hundreds of employees, offices around the world.   I’ve been told that it even had a company soccer team. 
 
An XPAntiVirus here, a Spyware Guard there and pretty soon we’re talking serious money.  $163,167,539.95 in the case of Innovative Marketing.  That’s a pretty powerful incentive for cybercriminals to get into the rogue security software game.  The FTC shut Innovative Marketing down, but that didn’t end the problem.  There were lots of gangs willing to step in and take Innovative Marketing’s place.  This rogue security epidemic will end when end-users no longer fall for the scam.  And the ending will be messy.  Look at spam.  Spammer first increased their volume to increase revenue.  But now with anti-spam technology and smartened up end-users they’ve had to increase the amount of spam to keep revenue from falling.  Rogue security vendors are making way too much money to go out of business with a whimper.  Things will get worse before they get better.
 
I’ve been asked so many times what can be done to stop these threats that I’ve had a website put up to answer the question.  http://go.symantec.com/best_practices/  The site covers general best practices for endpoint protection, but each one of these best practices will help prevent rogue security software from getting on your machines.  I said prevent on purpose.  It’s about stopping the threats from getting on your machine in the first place.  Not about cleaning up after they’ve infected a system.  Prevent is a lot better than repair.  But I’ll talk about repair in another blog.
 
On the site I talk about using Symantec Endpoint Protection’s application and device control to stop malware.  Many people don’t know about this feature, or don’t have any idea about all the great things it can do.  So I’ve got a site up for that as well.  http://www.symantec.com/business/security_response/securityupdates/list.jsp?fid=adc
 
I can’t predict when this epidemic of rogue security will end.  But I can predict you'll be a lot less troubled by it if you follow best practices for stopping them.

Comments 4 CommentsJump to latest comment

kdunning's picture

It used to be the only security threat to the typical home computer user was some Script Kiddie getting his kicks from breaking something. The only victims of real cyber hackers were corporations who had valuable information.

We need to send a few of these Rogue software company CEOs to prison to send a message. There seems to be no honor among these scoundrels, who attack anyone, anywhere all for the love of money.

My two cents.

Kenneth

0
Login to vote
deepak.vasudevan's picture

Isn't there a detterrent way to make other companies/persons not to involve in such acts. The nations' top most organization FTC too is aware of the issue. I am really wondering what is causing such scareware companies to proliferate so much?

My two cents.

+2
Login to vote
Mithun Sanghavi's picture

Hello,

Good Info... to have...

As, I have worked with Lot of such Rouge Antivirus Cases.

I found few common things.

1) The Threat files would be found either in the Recycler folder. OR
2) The Threat files would be found either in the C:\Documents and Settings\<user name>\Local Settings\Application Data   OR
3) The Threat files would be found either in the C:\Documents and Settings\<user name>\Application Data

Most of the time, these files would be hidden.

To Unhide the Files.

The steps are :-

  • Open registry( select run command from start menu and type regedit and then press enter)
  • In the left pane goto path HKEY_LOCAL_MACHINESoftware\Microsoft \Windows \CurrentVersion \Explorer \Advanced \Folder \Hidden \SHOWALL
  • Delete the value CheckedValue in the Right pane by right clicking it and selecting delete. (Its type should be REG_SZ and data should be 2.)
  • Create a new DWORD value called CheckedValue by right clicking in the Right pane and then selecting new -> DWORD Value and then changing the name to CheckedValue. (same as above, except that the type is REG_DWORD). Modify the value data to 1 (0×00000001) by right clicking the CheckedValue in the Right pane and selecting modify and changing the value data to 1.

Deleting files from Recycler folder

You can remove the files directly from Windows it self.

Use the commandpromt to go to the catalog and the use the command "attrib -s -h" on all the files, the you can juste remove the with the del command in the commandpromt!

Example:

E:\RECYCLER\S-1-5-21-2025429265-1757981266-1177238915-1003>attrib -s -h *.*

E:\RECYCLER\S-1-5-21-2025429265-1757981266-1177238915-1003>del *.*

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

+2
Login to vote
deepak.vasudevan's picture

I would like to share my experience. Besides hiding in recycler folders and other system locations, Antivir Windows XP had also resorted in creating a wallpaper which was virtually unremovable. It was telling 'System Infected'.

I wonder how came they created such an immutable wallpaper!

0
Login to vote