SECURITY TIPS FOR WORK & HOME
December 2010, Volume 1, Issue 15
Dale Ducommun, Information Security Officer, Privacy Officer
OPEN SOLUTIONS INC.

Now it’s SCAREWARE?

We’ve all seen them, those pesky little pop-up messages telling you your computer is infected with a virus. To get rid of it, all you have to do is order the antivirus software being advertised. Before you click, though, think about it: very few legitimate Internet security companies use ads to tell you about a virus on your computer. Most of these pop-ups are scams, and it’s one of the fastest-growing types of Internet fraud today.

These scams have a name. They’re called “scareware” because they try to frighten you into purchasing fake antivirus software with a seemingly genuine security warning. Many of these criminals operate outside the U.S., making investigations difficult and complex for any law enforcement agency. But there has been some success. For example, in May 2010, three people were charged in Illinois and Ohio in connection with a scheme that caused Internet users in more than 60 countries, including the US and Canada, to buy more than $100 million worth of bogus scareware software.

PC Security 2011

PC Security 2011 is a rogue anti-spyware program from the same family as Win7 AV. This rogue program uses web pages that host exploit kits, which attempt to exploit vulnerabilities in your Windows operating system or in programs installed on your computer in order to install PC Security 2011 without your knowledge or permission. Once the rogue is installed, it will be configured to start automatically when Windows starts. Once started, it will scan your computer and display numerous infections, but will state that you first need to purchase the program before you can remove any of them. As these scan results are all fake, you should not purchase this program based on anything that is displayed.
PC Security 2011 will also terminate many programs when you launch them. It does this to protect itself from security programs that you may attempt to run in order to remove the infection. When it terminates a program, it will display alerts stating that the program is infected or has crashed. Just like the fake scan results, these infection messages are just another tactic to protect itself and scare you into thinking you are infected.

PC Security 2011 will display a continuous stream of security alerts and nag screens that contain messages stating your computer is severely infected or that applications are sending private information to a remote computer. The text of some of these alerts will contain spelling and grammatical errors. That is a definite giveaway. All of these alerts should be ignored when you see them, as they are just trying to scare you into purchasing the program.

Without a doubt, PC Security 2011 was created for one reason: to scare you into thinking your computer is infected so that you will then purchase the program. It goes without saying that you should absolutely not purchase this program, and if you already have, you should contact your credit card company or payment company and dispute the purchase, stating that the program is a computer virus and a scam.

Finally, to remove this infection and related malware, you may use the free version of Malwarebytes Anti-Malware. The author has been using this application for well over a year and has found it to be a great help.

AVG Antivirus 2011

AVG Antivirus 2011 is a rogue anti-spyware program from the same family as AVG 8. Despite its name, this computer infection should not be confused with the legitimate anti-virus program called AVG Anti-virus. This rogue is promoted through web sites that pretend to be online anti-malware scanners, but are instead advertisements that, when finished, state your computer is infected.
This fake scanner will then prompt you to download and install AVG Anti-Virus 2011 on to your computer in order to protect it. It should be noted that these fake online scanners are just advertisements that have absolutely no way of knowing what is running on your computer. In fact, anyone visiting these sites will get the same messages and the same infection results over and over again. DO NOT be concerned by what these online scanners show you.

When AVG Anti-Virus 2011 is installed, it will be configured to start automatically when Windows starts. Once started, it will perform a scan on your computer and, when finished, state that it is infected with a variety of malware. If you attempt to use the program to remove any of the malware it finds, though, it will state that you first need to purchase the program before it will remove anything. This is a complete scam, as the scan results are all fake and many of the listed files are actually legitimate files that, if removed, could cause problems for your computer. Therefore, do not manually remove any of the items it displays in its scan results.

While AVG Anti-Virus 2011 is running, it will also display alerts and warnings that attempt to scare you into thinking your computer has a serious security problem. These alerts will state that personal information is being stolen, active malware has been found, or that you are using unlicensed software.

AVG Antivirus 2011 will also attempt to protect itself by not allowing you to run various programs that may assist in removing it. When you attempt to run these types of programs, AVG Anti-Virus 2011 will terminate the program and then state that the file is infected. Just like the fake scan results, all of the above security alerts are fake and only being shown to scare you into purchasing the program.
Last, but not least, AVG Antivirus 2011 will hijack Internet Explorer, Firefox, Chrome, or Safari so that a different program is launched that displays a security alert.

Ransomware

A ransomware program is a program that literally ransoms the data or functionality of your computer until you perform an action, which is typically to purchase the program or send someone money. Ransomware programs take your computer hostage in order to force you to pay so that your computer operates properly again. These programs typically change the behavior of your computer in the following ways:

• Make it so that you cannot execute programs other than the ones required to pay the ransom.
• Terminate any non-essential programs that may be running.
• Encrypt your data so that you can no longer access it or open it with programs.
• Remove your ability to browse the Internet other than to locations that will allow you to pay the ransom.

Once you pay the requested ransom, the criminals may send you a code that you can input into the ransomware program, which will then allow you to use your computer or decrypt your data. In some situations, though, even if you do pay the ransom, the criminals will just take your money and run, leaving you with your problem unresolved.

Though the loss of your data and computer can be devastating, sending the ransom could be even more so. Depending on how the criminals want you to pay, sending the ransom could put you at risk of identity theft, as the information you send may contain personal information. Therefore, we suggest that you never pay these ransoms, as in almost all situations a solution will be found that will allow you to remove the ransomware or restore your data without having to pay. Therefore, if you ever run into ransomware, please do not send the payment.
Instead, research your situation through Google or other search engines, as the answer will most likely be published or at least be in the works.

Kaspersky Lab warns users about two highly dangerous new ransomware programs sweeping across the Internet that could potentially wipe data from victims’ computers.

One of the malicious programs is a new variant of the infamous GpCode Trojan. It targets files with a wide variety of extensions, including doc, docx, txt, pdf, xls, jpg, mp3, zip, avi, mdb, rar, and psd, and encrypts them without the user’s authorization. Trojan-Ransom.Win32.GpCode.ax spreads via infected sites, exploiting vulnerabilities in Adobe Reader, Java, Quicktime Player, or Adobe Flash. Unlike previous versions of GpCode that date back to 2004, this Trojan doesn’t delete files after encrypting them, but instead overwrites data in the files, making it impossible to use data-recovery software to restore the deleted data. The program uses the strong RSA-1024 and AES-256 crypto-algorithms. Kaspersky Lab experts are carefully analyzing the new version of GpCode and investigating possible ways to restore data on affected machines.

The second ransomware program detected by Kaspersky Lab is a Trojan that infects the master boot record (MBR) of a compromised computer. Two signatures were added to the company’s antivirus databases: Trojan-Ransom.Win32.Seftad.a for the dropper and Trojan-Ransom.Boot.Seftad.a for instances when the MBR is infected. After infection, the malicious program overwrites the boot area before demanding that the computer’s owner make a payment for a password that will restore the MBR. If an incorrect password is entered three times, the infected computer reboots and the Trojan repeats its demand for money.

What you can do

Both scareware and ransomware are reason enough to be very alert to anything that may seem odd or curious on your computer.
Legitimate security software companies do not need to stoop so low as to force you to buy their AV software. At least with scareware, there is usually an out: a fix or a how-to for deleting it somewhere on the Internet. However, ransomware is the most dangerous of them all. You know you are being held hostage, and you know that getting your data and software back is at best a 50-50 chance.

Be diligent in knowing what is real and what is a hoax. Think to yourself whether what you are seeing is legitimate at all. Be diligent in keeping your AV current with the most up-to-date .dat files. For Firefox users, be sure to add WOT (Web of Trust); this is a good warning system before you enter a site from a search engine. For IE users, be sure SmartScreen Filter and Pop-up Blocker are turned on.

Web Site Example: http://programs.holyfile.com/?WebOfTrust/OnlinePrivacy/Internet/download/2180

NOTE: the left column: “Make your PC faster—Free download”, “Remove spyware from your PC”, “Download AVG 2011 Now”