I’ve been seeing more and more people fall victim to the fake anti-virus viruses that have exploded in popularity in the last few years. By blending social engineering tactics with traditional technical exploits, “scareware” viruses have seen an exceptional level of success. Preying on users who are perhaps unaware of what (if any) anti-malware applications are installed on their systems, “scareware” viruses trick users by appearing to be legitimate anti-malware programs.
When visiting an infected web site, these viruses pop up and take control of the browser window. They display a list of files that are supposedly infected, and prompt the user to clean or remove the files. When the user attempts to clean the “infected” files, the virus then installs itself on the computer. The damage depends on the particular variant, but most will pester the user to purchase a full subscription to the program. Unfortunately, when a user actually does try to buy the software, their credit card information is instead stolen and used for identity theft purposes. Additionally, many “scareware” viruses install backdoor trojans, which allow a hacker to access anything he wants on your system and oftentimes recruit your computer to participate in a botnet (a swarm of zombie infected computers that can be directed to take down a web site by flooding it with bogus requests).
While it is tempting to try to “click your way out” of these types of scams, doing anything less than completely exiting your web browser will result in infection. The computer will actually register a click on the buttons that say “cancel” or “exit” as “Ok – install this”. That makes these viruses particularly frustrating!
There are a few things you can do to protect yourself from these types of viruses:
- Know what anti-malware programs you have running on your computer (you do run some anti-virus program, right?), so that you can recognize its logos, graphics, and name. When you see a “scareware” virus while browsing the internet, you’ll notice that the name and/or interface are inconsistent with what you’re presently using.
- Use a 3rd party web browser, such as Firefox or Chrome. While this won’t be enough by itself, running a 3rd party browser is safer, and you’re less likely to be infected by simply viewing an infected web site.
- If you believe you’re looking at a “scareware” virus web site, immediately close your web browser via the taskbar (bottom of the screen). Tricky viruses will sometimes take control of the whole window, and when you think you’re clicking an “exit” button, you’re really clicking a picture of an “exit” button. The virus then actually registers your click as “install the virus”. It’s very sneaky!
- If you run Firefox, install the NoScript plugin. At first it’s a bit of a pain to use, because you have to build a whitelist of sites. NoScript will automatically block certain elements of web pages that can harm your computer. Unfortunately, that includes many great features, such as embedded graphics and videos. So when you visit a site for the first time, NoScript will block these elements. If you trust the site, you can quickly whitelist the web site (and it will remember your choice), and all functionality is enabled. If after whitelisting a site, you immediately experience a “scareware” pop-up, you’ll be more likely to deduce it’s a virus. This is also very effective at blocking cross-site scripting attacks, which are very popular these days.
So how do you recognize a “scareware” virus? You’ll first encounter this type of virus while surfing web sites. An infected site may even be well respected, and simply the unfortunate victim of hacking (or serving an infected ad on a hacked ad network). Suddenly a new window will pop up or fill the screen indicating that a virus scan is being conducted. Within a few seconds, a list of files supposedly on your computer, and supposedly infected with malware, will be displayed. You’re prompted to either clean the files, or download an anti-malware application that purports to be able to clean the infestation. You can spot “scareware” viruses by observing the following:
- The scan that is conducted takes only a few seconds. Really the “scareware” virus is simply playing a video – it isn’t scanning anything. True malware scans take anywhere from 10 or 15 minutes to several hours to complete.
- The graphics and sometimes the name of the scanner don’t match the anti-malware programs that you know and use.
Last week, news began circulating that the first “scareware” virus for Mac had gone mainstream. While the Apple version is somewhat less sophisticated (it still requires the user to walk through an installer, unlike some Windows viruses), it is still easy to get tricked.
It’s now important that all computer users, not just Windows users, install some form of anti-virus protection. While the Mac operating system is safer by design, it can still become infected with or transmit viruses.
For All Operating Systems
Mozilla Firefox (http://getfirefox.com)
NoScript Plugin for Firefox (http://noscript.net)
Apple Mac OS X
Sophos Anti-Virus for Mac – Free (http://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-mac-home-edition.aspx)
Avira Anti-Virus – Free (http://www.avira.com/en/avira-free-antivirus)
Windows Defender – Free (http://www.microsoft.com/windows/products/winfamily/defender/default.mspx)
MalwareBytes Anti-Malware – Free (http://www.malwarebytes.org/products/malwarebytes_free) (Note: This is more of a cleanup utility than a real-time protector)