
What To Do When Scareware Strikes

Mrs. Krebs and I were enjoying a relaxing, quiet morning last Saturday in our living room -- silently bonding with our respective laptops propped on our knees -- when she nearly jumped off of the sofa, shouting, "Uh oh! It's one of those fake virus things popping up! WhatdoIdo!?!?"

It occurred to me as I reached for her computer that most people probably wouldn't know what to do should they stumble across a hacked or malicious site that tries to frighten and corral visitors into downloading and purchasing some rogue anti-virus product (a.k.a. "scareware").

[Image: scarewarescan.JPG]

The misleading pop-ups and animations about supposed security and privacy threats are unnerving, to be sure, and can be awfully convincing to the unwary. Typically, they are the result of scripts stitched into legitimate, hacked Web sites, or into banner ads that scam artists stealthily submit to some online ad networks.

It is tempting to try to mouse click your way out of the incessant offers, but this is almost always a losing battle: Doing so merely results in more prompts and offers to download installation files. Indeed, the real danger results from doing anything except completely closing out of the browser you are using, should you run across one of these attacks.

If this happens to you, here's the safest way out of the mousetrap:

-Remain calm: Take a deep breath. Most of these attacks go from scary to nightmare as soon as you start clicking "yes," or "no" or "cancel" (the malicious script is likely to try to run no matter which you choose).

-When in doubt, close it out: The safest (albeit somewhat extreme) route is to kill the browser process altogether. To do this, press ctrl+alt+delete to launch the Windows Task Manager, then select the process for the browser you are using (e.g., iexplore.exe, firefox.exe) and terminate that process. Yes, you will probably lose any windows you had open, and any unsaved data entered into forms in those windows, etc. (unless you're using Firefox, which has the capability to recover that data in those situations, although it doesn't always succeed).

-Run an anti-virus scan: Sometimes, a scareware attack is accompanied by a Trojan horse that tries to install other, more malicious intruders, such as keystroke logging programs. It's a good idea at this time to run an anti-virus scan on your system (you do have up-to-date anti-virus software installed, don't you?).

-Consider a second opinion: If you notice things still aren't right with your system, and you see strange messages warning you about security threats, download and install one (or both) of the following tools: Malwarebytes' Antimalware, and Superantispyware. I've found that these programs are almost always able to root out invaders left behind by scareware attacks. If you find that you cannot visit these sites, it may be because the malware is blocking access to security Web sites. Try downloading the installer file on another machine, then copy the files to removable media (CD-ROM, thumb/USB drive) and bring them over to the sickened machine.

-If you still need help, consult a forum: Computer help forums such as BleepingComputer.com and DSLReports' Security Cleanup forum can be a lifesaver (BleepingComputer often has step-by-step instructions for removing specific scareware threats, such as this one designed to help victims of PolicePro, the rogue anti-virus product du jour). Just make sure to read all of the instructions at those sites before posting a request for help, otherwise your request may be ignored.

-Change your browsing habits: Microsoft Windows users can dramatically reduce their chances of having to deal with scareware-laced sites by browsing the Web with Mozilla Firefox, instead of the default Internet Explorer. Put simply, most of these scareware attacks rely on tiny scripts that try to silently redirect your browser to pull code from another site. There are several add-ons available for Firefox -- such as NoScript, RequestPolicy, and Adblock Plus -- that block scripts and ads by default, and let you decide which sites should be able to load them.

By Brian Krebs  |  September 2, 2009; 1:00 PM ET
Categories:  Safety Tips  | Tags: scareware fire drill  

Comments

Ctl+Shift+Esc opens the task manager directly. Ctl+Alt+Delete gives it as an option, along with logoff, restart, etc.

Posted by: wiredog | September 2, 2009 1:35 PM | Report abuse

Very useful post. I'll be linking to it often. Wikipedia's list of rogue antiviruses -- http://en.wikipedia.org/wiki/Rogue_security_software -- seems to get longer all time, but the most popular scareware by far seems to be Personal Antivirus. I know the free F-Secure Online Scanner -- http://www.f-secure.com/en_US/security/security-lab/tools-and-services/online-scanner/ -- will help you get rid of it and any malware or hidden tracking cookies you've picked up. 20% of the PCs we scan are running something nasty, which is just about the same percentage as those who don't run any security software.

Posted by: F-SecureSecurityPal | September 2, 2009 1:38 PM | Report abuse

I have, on occasion, found it necessary to run a scan in safe mode, which lets our corporate Symantec look in the system restore folders, and can keep some malware from being able to re-install itself if a restore point is used on the machine.

Posted by: j0nharris | September 2, 2009 1:41 PM | Report abuse

Very useful posting, Brian - many thanks! This information needs to become known to as many Windows users as possible, to prevent them from digging themselves ever deeper into the quicksand by, as you point out, trying to click themselves out of the situation. The only thing I'd like to add here is that just as Windows users can dramatically reduce the risk they run when surfing by choosing Firefox with such add-ons as NoScript and Adblock Plus as their browser, rather than Internet Explorer, they can also save themselves a great deal of grief by choosing other operating systems than the various Windows alternatives. Those familiar with Windows might want to consider trying, e.g., Ubuntu, for an operating system close enough to the legacy to be easy to use, but distant enough to avoid many of the security pitfalls into which Microsoft products so often seem to tumble....

Henri

Posted by: mhenriday | September 2, 2009 3:06 PM | Report abuse

Thanks BK.

Only us dinosaurs remember the joke scripts where you had to say 'yes' or chase the dialog box with your mouse.

Firefox has a save all tabs and quit feature and I'm thinking it might be better to open a new tab before killing the process. When you kill a web process you kill the markup and the environment. Unlike HTML, XML carries the environment "internally". This is why Open Office can "recover" unsaved files. Maybe I'm just paranoid or maybe I'm just restating the point about Windows "recovery points" a different way; in either case, Mrs. Krebs is my real hero, be sure to tell her I said thanks.

Posted by: gannon_dick | September 2, 2009 4:22 PM | Report abuse

Brian

Just curious what kind of laptops you and Mrs. Krebbs use?

When I purchased my Blackberry Storm, I presumed that such a selection might alleviate the need for either a laptop or Webbook and when it comes to e-mail, that seems to be correct.

When it comes to bringing up the MRIS [Metro regional info system] used by Realtors, the Foreclosure tab uses a contract 3rd party program that does not work for Blackberrys, Dingleberries and probably even Apples or Pears [LOL.]

Say keeping it to the $400 to $800 range, your suggestions might be ...

Posted by: brucerealtor@gmail.com | September 2, 2009 6:43 PM | Report abuse

Pardon the klutz.

That would be Mrs. Krebs, with one 'b.'

Posted by: brucerealtor@gmail.com | September 2, 2009 6:46 PM | Report abuse

Yeah, actually FF's tendency to reopen the same page you just closed out of could be a disadvantage here. (I believe if you kill the process and relaunch twice, it will not restore the same problem page the second time.)

Posted by: AlphaCentauri | September 2, 2009 6:46 PM | Report abuse

@Alpha -- that's a very good point. I hadn't considered that. But of course, FF gives you the option to start fresh or to try to reopen the page you were on before the browser crashed/was closed. In this case, the prudent thing to do, of course, would be to start anew.

Posted by: BTKrebs | September 2, 2009 7:04 PM | Report abuse

@Bruce -- I was using a MacBook Pro. The wife was on her IBM loaner from work.

Posted by: BTKrebs | September 2, 2009 7:05 PM | Report abuse

Hooray for the advice to *close* the browser. I'm an information security pro, and it wasn't until about a year ago that I learned that the "red X" could actually be set to install the rogue software.

-- Michael Seese, author of "Scrappy Information Security"

Posted by: MichaelSeese | September 2, 2009 11:00 PM | Report abuse

Regarding j0nharris's comment on scanning in safe mode, I would also point non-commercial users to AVAST! Antivirus. One of the (many) reasons why it is my favorite product in the free AV market segment is its boot-time scan mode, allowing it to get at the system restore files, locked DLLs, etc.

I also would like to give a shout out to Antimalware by the Malwarebytes team. Their free for non-commercial use version doesn't have scheduling or a resident scanner, but I don't want two resident scanners running simultaneously anyway. Taken together, I would highly recommend the following security stack:

Firefox 3.5
AdBlockPlus
NoScript
AVAST! Personal Edition
Antimalware

for any home PC environment. Aside from being entirely free, it runs well on older hardware too.

Posted by: conspirator5 | September 3, 2009 12:18 AM | Report abuse

Great post. General awareness is still very much needed for this threat despite industry efforts. Might this incident have something to do with the recent Blackhat SEO/Rogueware attack I posted about? ( http://pandalabs.pandasecurity.com/archive/Be-Careful-With-Your-Search-Results.aspx ) If so, it might be useful to mention the dangers of implicitly trusting search results.

Posted by: spcorrell | September 3, 2009 4:09 AM | Report abuse

The exact scareware you have pictured showed up on my Intel iMac under Safari. Of course, Mac will not run those .exes so there was no harm but it was still scary. Is there anti malware to scan my Mac just to make sure?

Posted by: foxbarb | September 3, 2009 5:19 AM | Report abuse

Amazing how the story of the "Cobbler's Children" still rings true.

Brian, I thought you'd have Pete Norton's AdBlocker and firewall activated for the Mrs.

Tsk... Tsk...

Okay, time to make it up to her, for your oversight. Take her to BVI or Aruba for your vacation.

Folks, I do not work for Symantec Corp. or have been compensated by Symantec Corp. by any means, for my remarks.

Posted by: Computer_Forensics_Expert_Computer_Expert_Witness | September 3, 2009 6:48 AM | Report abuse

Opera seems to be a lot more resistant to malicious scripts than Firefox. Scripts that will loop in Firefox just create one pop-up. Scripts that spawn endless dialogue boxes whatever you click can be killed easily with the "Stop executing scripts on this page" option.

Having said that, the last time I came across one of these fake AV pages it was in Firefox, and I managed to deal with it by closing the tab.

Posted by: FreewheelinFrank | September 3, 2009 8:09 AM | Report abuse

I usually disconnect the network cable as soon as possible. This allows closing the browser and re-opening it without any phantom tabs or hidden windows trying to reload.

Posted by: moike | September 3, 2009 10:18 AM | Report abuse

Brian,
Great advice, but a few days late. My protection failed and I got one of the trojans. I tried everything but it stayed. I paid $100 for Norton 360, but it does nothing for already existing problems. The customer service rep at Norton said that for another $100 they would remove it. I don't think I will be buying Norton products again. Jim

Posted by: Getitright4 | September 3, 2009 10:27 AM | Report abuse

I'd echo Henri's suggestion about the use of Linux, the Ubuntu distribution probably being the most popular and easiest to use. It's pretty easy to set up a dual-boot system with Windows and Linux. Use Windows when you need to for applications which only run under that system, Linux for everything else, especially web access with Firefox. It's what we do for many of the computers at the school where I teach, and it eliminates a lot of problems.

George

Posted by: TeacherGeek | September 3, 2009 10:28 AM | Report abuse

My wife got one of these scareware popups -- it showed an MS Windows window with lots of scary notifications ... on her Mac.

Chris

Posted by: chrisviking | September 3, 2009 10:59 AM | Report abuse

@computerforensicsexpert -- not possible. As I mentioned to another reader, the wife's computer was a work laptop, so I wasn't at liberty to install programs or change the defaults. And yes, she was browsing with IE (at least it was IE7).

Posted by: BTKrebs | September 3, 2009 11:06 AM | Report abuse

Question: I am running BitDefender on my PC. Would downloading superantispyware cause a conflict?

Posted by: purdyjack | September 3, 2009 11:27 AM | Report abuse

@Purdyjack -- hard to say. One way to find out. FYI, SAS and Norton had a nasty conflict I think recently, one that Norton apparently issued a mea culpa on:

http://news.cnet.com/8301-27080_3-10317686-245.html

Posted by: BTKrebs | September 3, 2009 11:50 AM | Report abuse

@purdyjack -- but in general, no - having SAS installed should not conflict with running AV.

Posted by: BTKrebs | September 3, 2009 11:51 AM | Report abuse

Good article...however, one of the biggest companies involved in scare tactics these days is google...telling folks in their search results that the site might be bad for them and stopping them from entering. Since when is it their business? While they give you opportunity to resolve and there is some that may have bad links, virus, etc...it is sometimes not the actual company/website, it is their hosting or server company at fault. So to brand the site bad is not google's business since they cannot accurately tell you the details...just my thoughts.

Posted by: planetbillboard | September 3, 2009 1:03 PM | Report abuse

Brian, how would IE7 running thru drop-your-rights deal with this? Would the whole thing install and you're out of luck, or would it only partially install? The reason I ask is that my father called me the other day with one of these on his machine (Win XP SP2 - Norton 2009). He lives a good distance away so I couldn't get over to help out, so I did some quick phone support. He apparently had gone to a legitimate site with IE7. I had him set up using the dropyourrights method for IE. He had already shut down the machine and restarted it. It was popping up "Green AV", to save the day, with it saying you've got all sorts of meanies on the machine. Before he called me he had clicked no on them but they kept popping up. What's also interesting is that it either hijacked the Windows Security Center or was just popping up its own fake Security Center version, saying that he had no AV on the machine. He did of course - Norton 2009 IntSecSuite updated-to-the-minute. We scanned with Norton & Malwarebytes & no finds.

Since it came thru with dropyourrights set up for IE, is it possible that it was only downloaded but not fully executed - just the trojan horse part, not what's inside? - since it kept wanting him to click yes to save the day. The .exe was set to start on startup & its icon was in the system tray plain as day, so we found the .exe and killed it, then renamed it and no more pop ups. So we know what that part of it is. Looking on forums it appeared that GreenAV was relatively new (couple wks maybe). Instructions were given about the folder name, .exe, dlls and all & it was said that Malwarebytes would get it - but the file names included GreenAV. But what's interesting is on my father's machine it was not named the same... it was GRA (though all the popups said GreenAV). So apparently they had changed the file names to keep us guessing. This weekend I plan on visiting him and we'll see if the antimalware people have caught up with this one & they can remove it. We'll also try some other free antimalware besides the two we've used already. Plus I have some manual removal methods to try, but I'd rather wait to see if the antimalware can do it itself.

Posted by: MinCT | September 3, 2009 1:31 PM | Report abuse

@MinCT -- The limited user approach is a good one for XP, but a lot of malware writers are starting to get wise to it (thanks to the fact that this is essentially the default mode of Vista). Basically, what we're starting to see is more malware that will just as happily run in windows\system32 directory as it will in the documents and settings\username directory. This is bad, but was an eventuality.

So, long answer short: it's very possible that it installed stuff even if you were browsing with drop my rights\limited user.

Posted by: BTKrebs | September 3, 2009 1:40 PM | Report abuse

Brian-

Take her anyway. ;) I'm just trying to give you an out to split town this winter and have a blast w/ the Mrs., in the Caribbean!!!

SJM

Posted by: Computer_Forensics_Expert_Computer_Expert_Witness | September 3, 2009 2:22 PM | Report abuse

==============
==============
Anyone stupid enough to use IE rather than Firefox deserves all the trouble they get.

Except old people.

--faye kane, homeless brain.
Read more of my smartmouth opinions at http://tinyurl.com/fayescave

Posted by: Knee_Cheese_Zarathustra | September 3, 2009 3:12 PM | Report abuse

First thing I do when one of these pops up is to use my firewall to shut down my internet connection; hopefully that would stop any further communication with the suspect site. Then I use task manager to kill the browser process. With FF you have to be careful: when you restart it will try to reopen the bad site. If you open FF before you reopen the internet connection then you can close the offending tab in FF, re-open the internet connection and then refresh the other tabs.

Posted by: crete | September 3, 2009 3:41 PM | Report abuse

Re: Task Manager

In my version of XP, the easiest way to access the Task Manager: right click an empty space on the TaskBar. A 'drop-up' menu appears. Left click on 'Task Manager.'
Et voilà.

Posted by: featheredge99 | September 3, 2009 3:46 PM | Report abuse

Knee_Cheese_Zarathustra, *nobody* (save perhaps the IE developers) deserves the hassles that so often fall to the lot of IE users. Lack of familiarity with computers, browsers, and the web on the part of users is no excuse for Microsoft to release a browser with as many security holes as IE, nor to be so lax in patching these holes when they are discovered and used by the bad guys....

Henri

Posted by: mhenriday | September 3, 2009 3:49 PM | Report abuse

Can one run the No Script and Request Policy extensions for FF at the same time?

Posted by: Garak | September 3, 2009 3:55 PM | Report abuse

If you want to surf safely on your work laptop, where you can't install any software, do this:

Get an external USB drive. You can even use a USB flash drive if it's 8 GB or larger. If you've upgraded your laptop's hard drive, find the old drive and put it in an external enclosure that you can pick up for $20 or so.

Plug it in to your laptop. Go into the BIOS on your laptop and set it as the boot device. Don't worry, when it's not plugged in, your machine will boot as normal. Now install Linux on the external drive.

As a bonus, you can encrypt the drive, so you can store your secrets on it and not worry if it gets stolen. Modern Linux distributions have a checkbox in the installer for encrypting the drive.

Whenever you want to surf safely, just plug in the external drive and boot up Linux.

This is a very nice solution because it makes no changes at all to your laptop and you don't need administrator privilege to do it.

This sounds like a lot of work, but it is really minor compared to the hassle of removing malware from your machine.

Posted by: frantaylor | September 3, 2009 4:25 PM | Report abuse

Don't forget to remove temporary internet files; this should take care of anything lingering somewhere. That also includes cookies.

Have a Great Day

Posted by: akousen | September 3, 2009 4:57 PM | Report abuse

Great post! A lot of users encounter fake AV from compromised sites these days. The sad thing is, they don't have to venture into the "dark regions" of the Internet to get themselves in trouble, like we have described here: http://www.sophos.com/blogs/sophoslabs/v/post/2861 and http://www.sophos.com/blogs/sophoslabs/v/post/2038

In addition to the instructions above, there are two more minor steps I would suggest:

One is to check that the antivirus is up to date before performing the full scan. It would be upsetting to find out later that an hours-long full scan turns out to be useless because the AV package is days old. It would also give a false sense of security if an out-of-date package claims good health when the same AV product should have found malware.

The other suggestion is to empty the browser cache even if the scan comes clean. That way, no traces of bad pages/sites remain.

Savio Lau, SophosLabs

Posted by: saviolau | September 3, 2009 7:23 PM | Report abuse

My daughter fell for the rogue antivirus popup, infecting my wife's laptop with PersonalAV.

I got rid of it by downloading the free version of Spyware Doctor (available as part of Google Pack), updating it, then rebooting to safe mode and running a full scan.

Posted by: PostSubscriber | September 3, 2009 7:24 PM | Report abuse

Firefox remembers open tabs. Today, closed using task manager but the scare site reopened when I re-opened the browser.
The solution was to open the (default) browser by clicking on a link in an old email and then closing the tab that asked whether or not I wanted to open previous tabs.
My 86 yr old dad would not be able to think up this solution!
There should at least be an option on right clicking the browser icon to NOT open previous tabs.

Posted by: jean13 | September 6, 2009 2:49 AM | Report abuse

A simple solution to this type of problem is to use a blocking hosts file. It will stop this type of stuff dead in its tracks so you won't even find yourself in a situation of what to do when scareware strikes (Prevention is worth a pound of cure!)

http://www.mvps.org/winhelp2002/hosts.htm

Unlike a browser specific add-on or a software specific application (ex. security suite), it works at the operating system level. No software to install or be running using up system resources or to have to keep patched.

I've used the dreaded IE, even in shady parts of the Internet and have NEVER had an issue with malware/scareware. The hosts file blocks access to this known bad stuff.

The only caveat is to keep the hosts file updated. They typically release a new one once a month.

Posted by: xAdmin | September 6, 2009 12:39 PM | Report abuse
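
As an added illustration of how the OS-level blocking layer described in the comment above actually works (this is example code, not the commenter's and not the mvps.org project's; every hostname in it is constructed and the file header is made up), here is a small Python parser for the hosts-file format and a check for whether a URL's host would be sinkholed before the browser ever connects. It also covers the two caveats a practitioner would want: malformed lines that a resolver silently ignores, and the fact that a hosts entry matches only the exact name, so it does nothing for subdomains.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample in the mvps.org layout: a comment header, the usual
# localhost line, and "0.0.0.0 <hostname>" block entries. None of these
# hostnames is real; the two malformed lines are there on purpose.
SAMPLE_HOSTS = """\
# Constructed blocking hosts file (not the real mvps.org download)
127.0.0.1 localhost
0.0.0.0 ads.scareware-example.test
0.0.0.0 update.rogue-av-example.test   # host a fake AV installer would be pulled from
0.0.0.0 cdn.ad-network-example.test
bad line without an address
0.0.0.0 not a valid hostname!
"""

# mvps.org moved from 127.0.0.1 to 0.0.0.0 as the sinkhole address; only
# 0.0.0.0 is treated as "blocked" here so the localhost line stays normal.
SINKHOLES = {"0.0.0.0"}

# One DNS label: 1-63 chars, alphanumerics and internal hyphens only.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?=.{{1,253}}$){_LABEL}(?:\.{_LABEL})*$")


def parse_hosts(text):
    """Parse hosts-file text into ({hostname: ip}, [(lineno, raw_line), ...]).

    The second element lists lines a resolver would not understand, so a
    bad download or a hand edit does not silently leave gaps in coverage.
    """
    table, malformed = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            malformed.append((lineno, raw))
            continue
        names = [n.lower().rstrip(".") for n in parts[1:]]
        if not names or not all(HOSTNAME_RE.match(n) for n in names):
            malformed.append((lineno, raw))
            continue
        for name in names:
            table.setdefault(name, str(ip))     # first mapping wins, as in the resolver
    return table, malformed


def is_blocked(hostname, table):
    """True if the exact hostname maps to a sinkhole address.

    Matching is exact: an entry for ads.example.test does nothing for
    tracker.ads.example.test, which is the main limitation of this layer.
    """
    return table.get(hostname.lower().rstrip(".")) in SINKHOLES


def check_url(url, table):
    """Return (hostname, blocked) for a URL a page script or ad would try to load."""
    host = urlsplit(url).hostname or ""
    return host, is_blocked(host, table)


if __name__ == "__main__":
    table, malformed = parse_hosts(SAMPLE_HOSTS)
    for url in ("http://ads.scareware-example.test/scan.js",
                "http://cdn.ad-network-example.test/banner",
                "http://www.ads.scareware-example.test/scan.js"):
        print(url, "->", check_url(url, table))
    for lineno, raw in malformed:
        print(f"line {lineno} would be ignored by the resolver: {raw!r}")
```

The subdomain case in the demo is the point to take away: a hosts file is a cheap, low-maintenance layer, but it only matches names it has been told about, which is why the list needs the monthly refresh mentioned above and why it complements, rather than replaces, a script blocker and anti-virus.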

@xAdmin -- not to take anything away from the fine work that the folks who maintain that site do for those who care to use this approach, but I have found that host file maintenance is a non-starter for 95 percent of Internet users. Most people can't be bothered to keep up with this.

Posted by: BTKrebs | September 6, 2009 2:12 PM | Report abuse

"host file maintenance is a non-starter for 95 percent of Internet users. Most people can't be bothered to keep up with this."

That's really a shame as a blocking hosts file is a very effective (and simple) layer of defense in keeping a computer system secure.

That so many can't be bothered is indicative of the real problem in computer security and why so many continue to be compromised.

IMHO, a blocking hosts file is more effective by itself than any Antivirus software alone. The combination of the two, along with a limited user account, is the heart of the most effective three-pronged approach to a secure system.

Posted by: xAdmin | September 6, 2009 7:32 PM | Report abuse

Conspirator5

I believe that Malwarebytes Antimalware does have a resident scanner, unless you deactivate it.

Posted by: brucerealtor@gmail.com | September 7, 2009 10:23 PM | Report abuse

If you visit a website and the popups shown above appear, is that an indication that your security software has failed? Or will a well protected computer still show the popups?

Posted by: drcronk | September 9, 2009 10:56 AM | Report abuse

© 2010 The Washington Post Company