Monday, January 17, 2011

Anti-virus hoax

The antivirus hoax is one that I think infects all layers of antiviral software, both legitimate and not.

Hello folks, sorry I haven't posted in a while. Seems tonight is an insomnia night, so I thought I'd update you all based on some observations from the past few days.

It's no secret that I work with the public, on their computers, and often when they become infected with malware/viruses. The customers I've dealt with have had just about every antivirus program under the sun: everything from McAfee to Norton to AVG (the paid version), and the list goes on. At work our systems use NOD32, so everything is in the mix. I have yet to see anything that would remotely constitute a "good" antivirus.

Internet Explorer's best-known trait is that it's a target. ActiveX lets a web page load native code, so a user who clicks through the install prompt, or a browser that is missing a patch, can end up with a program installed without the user really understanding what was permitted. A lot of my customers use IE. I use IE at work because some of our software only works correctly in IE. An interesting thing happened today, but first, some background.

Many of the recent virus programs (or malware, if you insist) are part of a trend called "rogue antivirus". We've seen a few of these, including Security Tool 2011, Thinkpoint, and Palladium, to name a few. All pose as antiviral software, purporting to be internationally renowned as excellent software (usually "world's leading antivirus" or something like that), and all ask for a payment (usually around $80) to fix the supposed issues on your system. Fact is, the issues don't exist, the program is a fraud, and paying for it won't change a thing.

These rogues get onto your computer by very crafty web pages that use a large amount of JavaScript to animate what looks to be a Windows Explorer window, showing several infections in shared folders, local disks, etc., with very convincing progress bars and the like. To the untrained eye, a prompt like this represents a huge problem, and any attempt to close it is met by a prompt asking if you're sure you want to "navigate away" from the page; often the page will re-open itself when closed. Both tricks are nothing more than script: the "navigate away" dialog is the browser's own leave-page prompt, raised from an unload handler on the page, and the re-opening is the same script launching a new window on the way out. Neither one survives if the page isn't allowed to run JavaScript. To the trained eye, this is an obvious fraud and should be destroyed with great prejudice.

Well, while googling something for a customer early this morning (now yesterday morning), I came across one of these pages, hosted on a bare IP address and "impossible" to close. My first instinct was to destroy it; however, if I killed IE, half the pages I needed to do my job would go away too, so I opted to block the site. With the URL clearly visible, I opened Internet Options and added the IP to the list of Restricted sites. After a short bout of trying to refresh the page, it came back blank (all scripts were blocked, so no content was showing). Interesting: I could now painlessly close the page and return to work.
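The same move, done from the command line rather than through the Internet Options dialog, as an added example that is not part of the original post. It writes the zone assignment IE reads from the per-user registry (the ZoneMap key), handles the case that tripped people up here, a page hosted on a bare IP rather than a domain name, and then checks that the Restricted Sites zone actually still has Active scripting and ActiveX disabled, because a site-to-zone entry is worthless if those defaults have been relaxed. The address and domain used at the bottom are placeholders (documentation-range IP, `.example` domain), not the host from the post.

```powershell
# Added example, not code from the original post. Assumes the legacy IE zone
# map under HKCU and the default meaning of zone number 4 (Restricted sites).
# The IP and domain in the usage lines are placeholders, not the real host.
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$RestrictedZone = 4   # 1 = Local intranet, 2 = Trusted, 3 = Internet, 4 = Restricted

function Add-RestrictedDomain {
    param([Parameter(Mandatory)][string]$Domain)
    # Domain names are keyed by name; one DWORD per URL scheme holds the zone number.
    $key = Join-Path $zoneMap "Domains\$Domain"
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($scheme in 'http', 'https') {
        New-ItemProperty -LiteralPath $key -Name $scheme -Value $RestrictedZone -PropertyType DWord -Force | Out-Null
    }
}

function Add-RestrictedIPAddress {
    param([Parameter(Mandatory)][string]$IPAddress)
    # IP literals do not go under Domains. They live in numbered Range<N> keys:
    # a ':Range' string holds the address (a single IP, 'a.b.c.*' or 'a.b.c.d-a.b.c.e')
    # and the same per-scheme DWORDs hold the zone. Reuse an entry if one exists.
    $rangesKey = Join-Path $zoneMap 'Ranges'
    if (-not (Test-Path -LiteralPath $rangesKey)) { New-Item -Path $rangesKey -Force | Out-Null }
    $existing = Get-ChildItem -LiteralPath $rangesKey |
        Where-Object { (Get-ItemProperty -LiteralPath $_.PSPath).':Range' -eq $IPAddress }
    if ($existing) {
        $key = $existing[0].PSPath
    } else {
        $n = 1
        while (Test-Path -LiteralPath (Join-Path $rangesKey "Range$n")) { $n++ }
        $key = Join-Path $rangesKey "Range$n"
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -LiteralPath $key -Name ':Range' -Value $IPAddress -PropertyType String -Force | Out-Null
    }
    foreach ($scheme in 'http', 'https') {
        New-ItemProperty -LiteralPath $key -Name $scheme -Value $RestrictedZone -PropertyType DWord -Force | Out-Null
    }
}

function Test-RestrictedZoneBlocksScript {
    # Zone policy values: 1400 = Active scripting, 1200 = Run ActiveX controls and plug-ins.
    # 0 = enable, 1 = prompt, 3 = disable. Both ship as 3 in zone 4; if something has
    # relaxed them, putting a site in the zone will not blank the page the way it did above.
    $zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4'
    $settings = Get-ItemProperty -LiteralPath $zoneKey
    [pscustomobject]@{
        ActiveScriptingDisabled = ($settings.'1400' -eq 3)
        ActiveXDisabled         = ($settings.'1200' -eq 3)
    }
}

# Usage (placeholder host names, not the one from the post):
Add-RestrictedIPAddress -IPAddress '203.0.113.5'
Add-RestrictedDomain -Domain 'rogue-av.example'
Test-RestrictedZoneBlocksScript
```

Two caveats a practitioner would want. If the machine's zone map is managed by Group Policy (the "Site to Zone Assignment List" setting), the per-user entries written here are ignored in favour of the policy list, so check with the domain admins first. And this is a blocklist entry for one host: it gets you out of one page, it does not protect anyone from the next rogue, which will be on a different IP tomorrow.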

I decide to check something, so I remove the restriction and refresh the page. I select to download whatever software they're pushing and save the file to the desktop. I ask NOD32 to scan it: 2 files scanned, 0 viruses.

Interesting.

I'm certain the situation would be the same for Norton, McAfee, AVG, Trend... the list goes on.

I renamed the file to "THIS IS A VIRUS.exe" and left it on my desktop, now in my roaming profile. I'll see how long it takes until the file gets picked up. My guess is at least 3-4 weeks, if ever.

All antivirus software is like this. Most of the time, people just keep removing the virus while the SOURCE of the virus moves on and stops hosting the old sample, so it goes away. That is more likely to happen than a definition being put out that will actually stop the software from infecting your computer.

I haven't used an antivirus in many years on any of my main PCs; in my humble opinion, they're useless. Knowing when to close a browser window and knowing when to deny a UAC prompt is about a million times more useful than any antivirus.

User education over user protection. Unfortunately, not many users want to learn; they just want their FarmVille.