Is Rogue Anti-Virus Malicious or Should We Just Ignore Them

Yep.

Rogues are pure malware, no doubt about that. Many of them simpy disables Windows Security Center and does all kinds of similar damage to very important settings. Some of these rogues simply blocks everything so theres no way to run anything. Some rogues has rootkit-like behaviour or have rootkits or other nasty stuff in them.

They are pure malware and that’s it. Period. I just hope that those people at Avast forum reads this blog.

Btw, I’ve been surffing on that forum for few times and I have to say that they aren’t very smart compared to some other similar forums

It’s OK to test a program but please do it on a level playing field.
avast! plus Malwarebytes plus Winpatrol as layered protection have done an excellent job on my systems.
Any one who expects total protection from one single source, may find their system seriously compromised.
Once avast!Internet Security is released, that may all change since it will offer:
1. Continuous protection against viruses and spyware
2. Ensures all mails sent and received are clean
3. Keeps you protected from “chat” infections
4. Stops attacks from hijacked websites
5. Blocks hacker attacks to protect your identity
6. Keeps your mailbox free from spam
7. Allows safe and uninterrupted gaming

People you are forgetting the most important thing here…………..Identity theft and credit card fraud. What if somebody gets infected with one of these rogues and actually pays for it. They are doomed and I have seen it happen. You have to cancel all your credit cards. Change you back account. Some of these rouges charge you $50 for the program but then they charge you $50/day everyday. I have seen people with $5,000 bills from these rogues. Never mind the clean up that needs to be done afterwords. Cleaning up your credit and your life is a million times harder then cleaning a rogue out from your pc.

Sounds like the Avast forum folks are suffering from misdirected fervor. They need to complain to the Avast dev’s to fix the problems. You gave a fair review of their product and from my experience, rogues are quite malicious and destructive! Anyone who says otherwise, obviously has no clue.

Ppl slamming ALWIL for words that came out of my and other avast! Evangelist’s mouth. We are NOT a representatives of ALWIL and we are not employed by them. So our comments or statements do not represent anything official.
If i say fake AV’s are no biggie, that doesn’t mean ALWIL thinks the same.

And ppl also tend to forget several things like the fact that it’s still BETA, that Behavior Shield is still not fully implemented, that signatures even though they are updated are not yet fully operational and working with full capacity and capability (avast! 4.8 is still their primary concern at the moment and it’s VPS format is totally different).
And last, have you cared to send the missed sample(s) to ALWIL? Ppl tend to complain that X misses Y, but they never send the sample to virus lab. No sample, no detection. Not all vendors have the same honeypots and sources so they don’t detect same things. So what if MBAM detects every fake out there. But can it also disinfect complex file infectors? Can it detect very complex polymorphic viruses? Advanced rootkit detection? I pretty much doubt that it can, since it’s mostly focused on spyware, adware and rogues.
Sure missing anything is never a good thing but then again, no one is perfect.
avast!’s weak point might be rogue/fake AV’s, MBAM’s are complex infectors, for someone else are rootkits, some other has problems with exploits and so on and so on.

RejZoR there are plenty of people that send malware and rouges to avast…. being they have 100M users.

@Eochaid

“as it is, I didn’t care about a non-functional beta”

You don’t get it what i said. If avast! 4.8 doesn’t detect it, that’s not important here.
avast! 5.0 utilizes generic unpacking engine that can unpack even certain unknown packers, heristics engine and a code emulator based on dynamic translation. None of it is available in avast! 4.8, at least not at such extent.
And because avast! 5.0 is not out yet, they are not utilizing all the new features yet that can offer enhanced detection of stuff that was not even possible with avast! 4.8. So yes, it makes one hell of a difference whether you like it or not.

I agreed with Matt. We all should be work together to put them out of bussiness.

@927!

Well, Avast is not ONLY an Antivirus software either you know.

Mbam is Antimalware wich mean it detects all sorts of malware like, trojans, backdoors, rouges, keylogers, viruses, dialers etc….

And so do Avast even if the software name says “Antivirus” it doesn’t really say much about it’s detection capabilities.

IMO, All security softwares named like
“Antivirus Software” should be RE-named to
“Antimalware Software” UNLESS it ONLY detects Viruses! Much like A2 wich says it is an Antimalware software and according to what it’s suppose to detect, it’s quite right in that case.

Another one is Supteranitspyware (SAS)

Does SAS only detect Spywares? NO of course not. SAS detects Trojans and other malware as well.
So for someone who isn’t really into the animalware business it’s sometimes quite missleading if we look at the names of the products, and compare to what it actually detects.

I haven’t seen anyone at Avast! pissed off, but some do question the review of the incomplete beta. Avast! 5 certainly provides for detection by its Web Shield (and elsewhere) of Viruses, Potentially Unwanted Programs (PUPs) and Suspicious content based on both signatures and heuristics (including code emulation). At least the completeness the beta database for Rogues and how aggressive the default settings are seem to be an issue in the review, so good of Matt to remind Alwil at this point that many think this is very important. As of yet haven’t seen anything from Alwil on the subject, though. Or comments on what else needs to be done (besides pay more attention to the data base and settings for Rogues).

My answer was to Rjezor, he wrote:
“So what if MBAM detects every fake out there. But can it also disinfect complex file infectors? Can it detect very complex polymorphic viruses?”
And i say, it does not detect these type of malware. If you got a Virut infection, MBAM wont tell you that explorer.exe is infected

Have you guys tried out these tools? They are from esagelab.com

Bootkit remover

This is a free antivirus tool providing generic detection and disinfection of so-called bootkits (such as Sinowal/Mebroot/MaosBoot, Stoned Bootkit etc.)

Current version: 1.0.0.3 DOWNLOAD (last updated 01-10-2009)
OS supported: 32-bit and 64-bit editions of Microsoft Windows XP, Server 2003, Vista, Server 2008, Windows 7 (RC1, RTM)
Archive size: 479 KB
Binary MD5: 88dad0461d30a91e7a285af4f72462e3 remover.exe

A bootkit is a program that alters Master Boot Record (MBR) of the system drive to ensure persistent execution of malicious code. In some cases a bootkit will also try to avoid detection by hiding its own code in the MBR.

Bootkit Remover is capable of detecting malicious boot code (both explicit and sheltered) installed by all kinds and modifications of bootkits. An infected boot code can then be fixed and/or dumped.

Cleaning all versions of Sinowal (Mebroot) is supported.

See readme for usage instructions.

Links:
Discuss the tool here

Rootkit.Win32.TDSS remover

This is a free antivirus utility capable of removing the TDSS rootkit (all modifications).

Current version: 1.6.3 DOWNLOAD
OS supported: Windows 2000, Windows XP, Windows Vista, Windows 7 (32-bit)
Archive size: 1.4 MB
Binary MD5: 0b0aad85c419e1d45784082ab4914654 remover.exe

Rootkit.Win32.TDSS remover tool allows complete semi-automatic cleaning of a system infected by the TDSS malware (also known as Tidserv, TDSServ, Alureon, and TDL3). The program will search for hidden and malicious files, drivers and registry entries, and will allow to remove them in one click.

Note: the TDSS remover is a powerful anti-rootkit by design. Though the tool is adjusted to remove the TDSS malware, it may discover and allow removal of other known or unknown rootkits as well.

Links:
Discuss the tool here
How to use TDSS remover – video

IOCTL fuzzer

IOCTL Fuzzer is a command line tool designed to automate searching vulnerabilities in Windows kernel drivers by performing fuzz tests on them.

Current version: 1.1 DOWNLOAD archive or browse source at Google code
OS supported: Windows XP, 2003 Server, Vista and 2008 Server (32-bit)
Archive size: 436 KB
Binary MD5: ca41d562f2441c28afd11a40707849b2 ioctl_fuzzer.exe

Usage: ioctl_fuzzer.exe [config.xml]
If no configuration file is specified, the tool will start in monitoring mode.

Program capabilities:

* IRP filtering by process name, driver name, device name, or I/O Control code
* IRP fuzzing
* monitoring mode
* logging output to console and/or file.

While processing IRPs, the fuzzer will spoof those IRPs conforming to conditions specified in the configuration file. A spoofed IRP is identical to the original IRP in all respects except the input data, which is changed to randomly generated fuzz.

For usage details, see readme_en.chm inside the archive.

Hopefully Matthew can test these tools out and tell us what he thinks of them…

Eochaid you are wrong about rouge anti viruses… They can disable your whole computer and make it a recycle bin….

I think the WORST offenders right now are : “Security Tool” and “Antivirus Live” because they come bundled with some other unwanted “guests” (e.g.: Vundo, Conficker, etc.) and those are the ones who disable EVERYTHING on your computer, from e-mail clients, task manager, to browsers. And it’s so easy to get infected because any legitimate web page can become infected with some banner ads that redirect you to the offenders site. The worst is that if you are not computer savvy enough, you end up clicking on the red X to close your browser upon being promted to download one of those “tools”. I always tell my friends that if they come across with some of those fake messages they just need to either start the Task Manager and shut down the iexplore.exe process from there or just hit ALT F4 simultaneously. Doing that may save your day before it’s too late.

Just my usual reminder that black-lister/behaviour blocker software is not enough these days. You need to enforce a default-deny policy and ensure you are working in a Limited User Account.

Finally, everyone should be learning how to use programs like Sandboxie. Only this way can you get “100%” security.

@Carlos

QUOTE:
“The sad thing is that companies like ESET, AVAST, and other claim that they don’t detect those fake AVs because they are “not malicious”. What a lot of nerve they got.”

ANSWER:
What if you’d read the damn facts for a change and stop accusing these companies of claiming something they NEVER claimed?
avast! developers NEVER said anything like that and i’m sure they never will. We, the avast! Evangelists are NOT ALWIL Software employees and their (avast! Evangelist’s) statements or comments do NOT reflect the business practices, models, ideas or methodologies of ALWIL Software and their official representatives.
That was MY opinion and my opinion alone. That’s what I think about fake AV’s. If you don’t share the same opinion, so be it. I could say this on any forum or blog and it wouldn’t mean any more or less than that.

So all of you stop the avast! bashing crusade and calm down will ya?

I agree with Matt; rogues are no laughing matter. They can cause substantial damage to the end user, with their money and even identity stolen, and going to great lengths to force the user to purchase their so-called products, such as locking security programs and prevent the user from even attempting a scan.

Hopefully in the future, more antivirus vendors will realize the true potential threat of rogues and equip their antivirus products to deal with them.

Also ssj100 even though Sandboxie has a 64 bit version it doesn’t have the same protection as in a 32 bit OS. Sandboxie is good but its far from 100%.

@ SSJ100: Wake up ! man…There is not such thing as “100%” protection. Not even Sandboxie is 100% bulletproof. I used the trial version of SBIE (3.42) and browsed several shaddy web sites downloading malware on purpose with IE8 sandboxed running on Windows 7 Professional ALL PATCHED and some of these malware somehow managed to STOP the Sandboxie SERVICE and freeze the Internet Explorer. I had to re-enable the SBIE service through the Services console. So, what have you got to say about that?…

@ ReJZor: Peace out man…Don’t get so pissed off because some critics. Anyahow, you stated you don’t work for AVAST!…right? Be open minded and don’t get mad because some criticism. Every AV company in the world have had their blunders. I use ESET, but I don’t deny the fact that at Wilders Forum, Marcos (ESET moderator) always try to downplay the fact the NOD32 v.4 misses many Fake AV samples and he writes that those ones are not really “malware”….Anyway, I keep hunting those Rogue AVs and keep sending samples to ESET so they can be added to their signatures.

@Dieselman

where did u get this 64 bit sandboxie?

People, please calm down. I said “100%” protection. Please note the quotation marks. When I say “100%”, I mean as close as possible to 100% as you can get.

Also “Carlos”, how did you configure your sandbox when you were surfing “shady” web sites? Did you have start/run/internet access restrictions in place? Also, were you using a Limited/Standard User Account with Software Restriction Policies/AppLocker enabled?

Also, if you want to help Sandboxie, why not give me the “shady” web sites and see if I can reproduce your problem? Because for now, all I hear is noise at the moment with no proof that Sandboxie was genuinely bypassed.

Dieselman, yes Sandboxie 64-bit is still in Beta and will not guarantee kernel level protection for services calling out from the sandbox, but it will still be extremely powerful and provide “100%” protection when combined with a Limited/Stander User account with Software Restrictions/AppLocker in place.

ssj100 either way you look at it you do not say 100% so stop trying to back track. Your better off saying 99%. I am on Win 7 64 with KIS 2010. Thats all I need. Common sense surfing is the first line in defense. Never been infected in well over 6 years now. Actually 7.

Okay, whatever pleases you most Dieselman. I’ve been saying “100%” for a long time now. The quotation marks have always been in place, in all the forums I’ve posted in.

It’s interesting how people get so uptight and seemingly insulted and angry when I type those numbers. Why 99%? It’s not 99% either. 99% is mis-leading, as it suggests an exactness. What would be more accurate would be writing it as: “99.999%”. Then hopefully people will get the point I am trying to make. I just thought “100%” was clear enough haha.

By the way Matt, I don’t think you’ve answered my question yet. If you get time, I’d appreciate a reply. Otherwise, no worries.

Basically I was asking if you ever promote Limited/Standard User accounts +/- Software Restrition Policies/AppLocker to your clients? I’m just interested to know.

I am betting that, for the majority of your clients, it would take far too much time and effort on your part to educate them about these sorts of things. Right?

Furthermore, rogues, scareware etc will always succeed in its goal if the computer user is naiive and not experienced/educated enough, no matter what protection you have in place. Therefore, rogue protection/detection is indeed very very important for the “average” user who should understand how to use an Antivirus. Unfortunately, for many people out there, even if their Antivirus alerts of a potential malware, they will simply ignore it and proceed anyway. That is indeed, the REAL world! You can’t win all the time I guess.

100%=Perfection. You CANNOT GET PERFECTION when it comes to fighting malware. Any system at any time can be infected.

You can educate people about how to use security and how to safe surf till your blue in the face. Will they listen. Nope. Your pc with your knowlegde maybe 100% secure but in the real world with the average user there is no such thing as 100% secure. People do not know how to use there pc. I ask people “What they were doing last to cause the error or infection?”. They all answer the same way “I dont know.” Its like talking to a 5 year old. Try fixing computers ssj100 and you will see where Matt and I come from.

I agree with Dieselman, antimalware tools are only 50% of the solution to fight malware, the other 50% is the education of the public. Why are these things not taught in schools? Would not hurt to have even 1 school day dedicated to educate people on malware.

And good on you for setting up and promoting LUA Dieselman!

@SSJ100: You believe that LUA is the universal drug that cures-it-all…Is that what you mean?….When IT Administrators at workplaces grant access to users and place them in the Restricted User group (Limited User, Standard User or whatever you call it) is not necessarily means that they do that with your theory in mind. They do it because they want to PREVENT users from installing/uninstalling programs at work. Not because the want to apply SSJ100 theory about avoiding virus infections. That’s the point. By the way: I hate Windows XP. As soon as Microsoft released Vista back in January 2007 I dumped XP for Vista even with all its shortcomings. I’m now using Windows 7 Pro 32-bit if that is what you want to know. And, yes…on Win 7, Sandboxie 3.42 FAILED with default configurations. After I downloaded some malware samples from .cn and .ru web sites ( I did NOT execute them) SBIE froze, IE 8 stopped responding and had to shut it down and when I checked the SBIE service was STOPPED. How do you explain that? Is SBIE 3.42 100% safe???….no !!!

Hi Matt, thanks for this great videos. I personally have learn from watching them how to be almost 100% secure when I surf internet. I like to thank you specially for the 3 Sandboxie videos which turned me on to it. I am sure that if you had Avast and Sbxie running together when you ran these tests the infection would not have happen. I am using Avira and most likely it would also fail against most rogues so its a blessing to be running sandboxed despite what Carlos and Dieselmen say of Sandboxie.
Greetings from Central America, hope you and Dieselmen have a fun year working against the bad guys.
Bo

SSJ100 , keep on putting the good word about the box. I am also doing so on my side of the world.
Later brother
Bo

And Carlos. No, LUA does not “cure it all”. But it certainly reduces the malware attack surface significantly.

And feel free to PM Windchild from the Wilders forums if you have any other questions about LUA – he is the most knowledgeable person on the internet I know of. He was the one that convinced my to move to LUA several months ago. I also wasn’t convinced…until I tried it. Here’s one of his posts:
http://www.wilderssecurity.com/showpost.php?p=1608918&postcount=60

Completely agree with ssj100. However, LUA, SRP etc have their own pitfalls and doesn’t work for everyone.

But in saying that, the majority of people out there should be using Limited or Standard accounts. You will never catch a main-stream Linux system defaulting to run as an administrator. In fact in Linux Ubuntu, you can’t even run as administrator. And for good reason too.

HAHA WOW Dieselman!!!!

So what you are saying is,
that people should stay away from Wilders ONLY because SOME of the posters/readers changes their setup everyday?
That’s just a stupid acclaim, for one I don’t change my setup everyday

What about the content/information that is available at Wilders did you forget about that as well?

Hey Dieselman, yes I agree with you to an extent regarding Wilders, but it’s quite entertaining reading the forum from time to time!

Not sure what happened to my previous posts, but I was stating again why LUA etc is so beneficial. Here’s what Microsoft themselves say:

http://technet.microsoft.com/en-us/library/bb456992.aspx#EGAA

And here’s an excellent post about it also:
http://www.wilderssecurity.com/showpost.php?p=1533486&postcount=5

Anyway, seems like you’re not allowing this to go through. Clearly I have done something wrong. I would appreciate it if you could tell me what I did wrong. Thanks for your time.

Too much doesn’t mean your better protected. There is such a thing called overlapping security. All I need is KIS 2010 and common sense.

bo.elam, just curious as to what malware has escaped the sandbox genuinely? Keep in mind that most of the reported “bypasses” of Sandboxie have been proved WRONG (usually either due to the user not realising what has actually happened, or due to the user not using Sandboxie correctly). And as far as I know, there have been no genuine “bypasses” when Sandboxie’s start/run/internet access restrictions are in place.

Hmm? You guys can be at 99% if you want, but I’ve never seen anything get past Sandboxie, let alone thru my Kaspersky, Defense+, Threatfire, S&D All of my on-demand scanners, MBAM Pro, PeerBlock, etc. If any malware gets past all of this shit they can just have my identity, because I will have died from shock.