Tuesday, May 3, 2011

Free! (Fake) Antivirus Software!

Hopefully you've heard about the plethora of fake AV programs making the rounds these days that are used to infect PCs -- I have come across this kind of thing three times in the last couple weeks and it's pretty impressive how the crooks manage to hijack the browser. Let's take a look at how it goes down.

Let's say you're looking for images of, oh say some famous person that just got capped, and Google reports back with a bunch. You click on one, and -- well, because the one you picked points to a site that has been compromised, the fun begins.

From this point on, you're pretty much just along for the ride. No matter what you click on in that dialog -- even the "X" that's supposed to close the window -- you will end up with a free malware scan of your system! How generous! Except that it's not really scanning anything.

That screen will crank along, pretending to find a whole slew of bad things on your system, and will eventually display this "window", saying that 405 files was found, and that you can download something called Windows Defender:

Once again, it doesn't matter what you click on -- the "Windows Security Alert" is not actually a conventional Windows dialog, it's just a simulated one that is really one big clickable area. Assuming you don't have "automatically download files" turned on in your browser (please tell me you don't), after clicking pretty much anywhere, you'll get something like this -- but don't press Run for crying out loud!:

Hopefully by this time you've realized that things are not what they seem to be, so you decide to close and restart your browser. Nope, not gonna happen - from the point that you get that free "scan", any effort to close the browser results in

At that point the only way to close IE is to use the Windows Task Manager and do an "End Task" on it.

This whole chain of events depends on something called "scripting", which allows websites to automate some behaviors in the browser. By default, IE uses its "Medium High" security setting for Internet web sites, but this setting will allow the above sequence of events to occur. You could set IE to "High" but that locks things down to the point where the web is not very usable.

So yet again I will recommend using something other than IE as your default browser; as I've said at least a couple times my favored setup is Firefox with the NoScript plugin. If you're reading this in IE, don't wait another minute to go to http://www.mozilla.com/firefox/. Install that and then go to http://noscript.net/ and install that. By default, NoScript blocks all scripted behavior but with some simple clicks you can either temporarily or permanently allows the various scripting elements that most websites have to work. The latter option causes NoScript to remember the pages that you've allowed so that the next time you go to one it will behave the way you want it to without having to Allow it again.

Firefox can import all of your IE Favorites (bookmarks) very quickly, and then you can set it to be your default browser by going to Options in Firefox > General tab and enabling "Always check to see if Firefox is the default browser on startup".

Finally: even without NoScript, the fake AV thing doesn't work in Firefox - apparently this malware is targeted at IE only.

No comments:

Post a Comment