JChriss

A question about rogue antivirus applications


I was conducting a Google image search of May 2011 calendars. On the second or third one I clicked on, there was a rogue antivirus application apparently embedded in the picture file. Anyway, it ran for a while until I was able to exit from the program. It did not get far enough to offer a download box to "remove" the fake trojans it had found. I immediately ran a quick scan and nothing was found, so I assume it did no damage.

So are these things typically harmless if you don't download anything? And I should also assume Google image searches are a bit dangerous, no?


Usually you have to download and execute the offered file to get hit by anything. At the moment Google image search is a real minefield; almost every popular search has a few of these hijacked images.


I'm no expert on this, but I would assume that the page itself contains the code to display the fake AV warning, not the image. And, I suspect that the application is not embedded in the image.

Regardless of the mechanics, if you encounter a web page that displays a fake alert, start Task Manager and kill the browser processes that are running. Don't click anything in the browser. There's an Emsisoft article about fake AV somewhere.

[Edit]

And here it is:

http://www.emsisoft.com/en/kb/articles/tec080923/


Thanks for the link to the article. I will read it shortly.


Hi Guys,

There are many rogue AVs out there.

The thing is that any known one can be modified easily, so a current "real AV" based on just signatures (+ heuristics) would miss them.

Usually you have to download and execute the offered file to get hit by anything

Correct, "usually", ... but not necessarily.

You can be infected just by visiting sites.

Drive-by installation will be performed without any user interaction whatsoever, because the code executes straight away, whether it is ActiveX (the most dangerous) or a Java applet.

... At the moment Google image search is a real minefield, almost every popular search has a few of these hijacked images

That is not a matter of "search" at all.

Any spelling mistake, e.g. when typing the site in the address bar, can bring you to nowhere ... or ... in many cases, to a malicious site.

The images/pop-ups/fake scanning of the PC will appear - that is just an animation (a pre-recorded GIF). That's when some users are confused, thinking that their PC was indeed scanned.

But the latter is different to drive-by download & installation

Therefore you need additional layers of security in place.

Although the latter still will not protect you (us) 100%, it will decrease the number of accidents.

EAM provides Surf Protection (hosts management); and it has Behavioral Blocker

Most decent firewalls have a HIPS.

You have to consider using secure DNS

You have to avoid using browsers like IE that employ ActiveX technology.

Use more secure browsers (e.g. Firefox) and in addition have security add-ons like NoScript / RequestPolicy / etc.

You may consider using link scanners, whether those are real-time or off-line, so you can check the link/site before clicking. Many of those will scan the site for embedded malicious code.

Several of the measures mentioned above definitely reduce the fun of free surfing, but that's the user's choice.

It is impossible to cover all of this within this thread. Most discussions would be off-topic, ... speaking of which, for a change please read this ;)

Cheers!

p.s. {added} forgot to mention a few things

- using a Limited User Account instead of Admin

or

- using Software like Run Safe (OA)

- any Software like "Drop My Rights" (DMR) / or similar by SysInternals (PsExec)

- sure, do not forget software like Sandboxie
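As an added example (not Emsisoft's code and not the poster's), here is a small offline link scanner in Python that combines two of the layers listed above: a hosts-file style blocklist, as "Surf Protection" hosts management uses, and a pre-click scan of page source for the markers the post names, i.e. ActiveX objects, Java applets, hidden iframes, self-decoding script, and the scareware wording of a fake scanner. It keeps the post's distinction between a page that merely shows a fake scan (warn) and one carrying drive-by loaders (block). The blocklist domains, the sample pages and the indicator patterns are constructed for illustration; a real link scanner would need a far larger pattern set and a live blocklist.

```python
"""Offline link scanner: hosts-style blocklist plus page-source indicator check.
Added example; blocklist entries, sample pages and patterns are constructed."""
import re
from urllib.parse import urlparse

# Constructed hosts-file style blocklist (hypothetical domains).
HOSTS_BLOCKLIST = """
# format: <sink address> <hostname>  (comments allowed)
0.0.0.0 fake-scan.example
0.0.0.0 cdn.rogue-av.example
127.0.0.1 calendar-wallpaper.example
"""


def parse_hosts(text):
    """Return the set of hostnames a hosts-style blocklist sinks to 0.0.0.0/127.0.0.1."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        parts = line.split()
        if len(parts) < 2 or parts[0] not in ("0.0.0.0", "127.0.0.1"):
            continue
        for host in parts[1:]:
            blocked.add(host.lower().rstrip("."))
    return blocked


def host_is_blocked(url, blocked):
    """True if the URL's host, or any parent domain of it, is on the blocklist."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if not host:
        return False
    labels = host.split(".")
    # a.b.c is checked as a.b.c, then b.c, then c, so blocking a domain blocks its subdomains
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


# Markers for the techniques the post names. Only the first four are drive-by loaders;
# the scareware wording alone is social engineering, not code execution.
DRIVEBY_INDICATORS = [
    ("activex_object", re.compile(r"<object[^>]*\bclassid\s*=\s*[\"']?clsid:", re.I)),
    ("java_applet", re.compile(r"<applet\b|<object[^>]*application/x-java-applet", re.I)),
    ("hidden_iframe", re.compile(
        r"<iframe[^>]*(?:width|height)\s*=\s*[\"']?0\b|<iframe[^>]*visibility\s*:\s*hidden", re.I)),
    ("obfuscated_script", re.compile(r"eval\s*\(\s*(?:unescape|String\.fromCharCode)\s*\(", re.I)),
]
SCAREWARE_INDICATOR = ("fake_scanner_ui", re.compile(
    r"(?:infections?|trojans?|viruses)\s+found|your\s+(?:computer|pc)\s+is\s+infected", re.I))


def scan_html(html):
    """Return the sorted list of indicator names found in the page source."""
    hits = [name for name, rx in DRIVEBY_INDICATORS if rx.search(html)]
    if SCAREWARE_INDICATOR[1].search(html):
        hits.append(SCAREWARE_INDICATOR[0])
    return sorted(hits)


def assess(url, html, blocked):
    """Combine both layers: ('block'|'warn'|'ok', findings)."""
    findings = scan_html(html)
    if host_is_blocked(url, blocked):
        findings.insert(0, "host_blocked")
    driveby = {name for name, _ in DRIVEBY_INDICATORS}
    if "host_blocked" in findings or any(f in driveby for f in findings):
        return "block", findings
    if findings:                       # only the fake-scanner animation/wording
        return "warn", findings
    return "ok", findings


# Constructed sample pages.
SCAREWARE_PAGE = """<html><body>
<div id="alert">Warning! 37 infections found on your computer. Click to remove.</div>
<img src="scan.gif" alt="animated scan">
<iframe src="http://cdn.rogue-av.example/load.php" width=0 height=0></iframe>
<script>eval(unescape('%76%61%72%20%78%3d%31'))</script>
</body></html>"""
DRIVEBY_PAGE = """<html><body><p>Loading calendar...</p>
<object classid="clsid:00000000-0000-0000-0000-000000000000" width="1" height="1"></object>
<applet code="Loader.class" archive="l.jar"></applet></body></html>"""
CLEAN_PAGE = "<html><body><h1>May 2011 calendar</h1><img src='may.png'></body></html>"

if __name__ == "__main__":
    blocked = parse_hosts(HOSTS_BLOCKLIST)
    for url, page in [("http://calendar-wallpaper.example/page.html", SCAREWARE_PAGE),
                      ("http://example.com/cal", DRIVEBY_PAGE),
                      ("http://example.com/cal", CLEAN_PAGE)]:
        print(url, assess(url, page, blocked))
```

The parent-domain walk in host_is_blocked matters: a blocklist entry for cdn.rogue-av.example also catches sub.cdn.rogue-av.example, which is how a hosts-based surf protection layer normally behaves, while notfake-scan.example is not matched by an entry for fake-scan.example.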


Both articles (and there are more) are indeed interesting,

but my point was - what is special about Google search?

Something similar can be implemented for any kind of search, and not necessarily for "search".

Cheers!

Wow - that is a comprehensive analysis. Thanks for posting.


Google is one of the most, if not the most, popular search engines, and so more users get infected via Google than via any other search engine. Probably also because of the Google toolbar and buttons for specific search areas, i.e. images, maps, news, and so on, it is a more popular target for exploits. Even other search engines will point to Google for results.
