Scareware Scams – What is Scareware? Detecting and removing Scareware.

The rise and … rise … of Scareware Scams

If you are not already familiar with the scams that experts and the media have dubbed “scareware”, then we’ll start by explaining it. Essentially everyone these days knows that a major security issue on the Internet is harmful computer software: computer viruses, Trojan horses and the various other incarnations of malware. It is one of the first things we become aware of regarding the subject of online security. For this reason all Internet surfers are familiar with, and usually have, genuine anti-virus software installed on their computers.

The majority of these users will have experienced computer malware in some way and seen their anti-virus software in action, detecting and removing threats so that they can continue with their online activities.

Most good anti-virus software will automatically remove threats, or at least automatically show a pop-up window requesting a decision from the user, such as requesting permission for an application to contact the Internet, or informing the user that a website is trying to download something onto the user’s computer. It is this functionality that scareware takes advantage of, by pretending to be anti-virus software in order to get the victim to inadvertently download further malware and/or pay for “full copies” of fake anti-virus software. We’ll explain all this in more detail further on.

There are a handful of ways a user’s computer can be affected and we’ll explain the most common here.

- A victim has adequate anti-virus/firewall protection, but navigates to a webpage that has been set up to show a pop-up window. This pop-up window appears in the user’s Internet browser (e.g. Internet Explorer or Firefox) and it looks identical to, for example, the Windows Security Center (for Vista users, click Control Panel then Security Center to see what it looks like). The window reports a security threat and prompts the victim to take action by clicking on various options within the window. The victim will usually comply, both because they are being fooled into thinking the window belongs to the Windows operating system and hence is trustworthy, and because the window seems to be helping them out, reporting problems and providing a solution. However, the window doesn’t belong to the operating system, and the options they are clicking are going to allow the full scareware application to download onto the victim’s computer. Because the victim inadvertently downloaded the scareware application themselves, existing anti-virus software on the victim’s computer will usually let the software install on the basis that it was the victim who started the installation. The initial pop-up window doesn’t have to look like the Windows Security Center, but can take any guise. It may simply say it is from a generic anti-virus program and has found problems, or it may imitate other popular legitimate anti-virus software.

- A victim has some anti-virus/firewall protection, but it is not adequate enough to prevent a small program from installing onto the victim’s computer. Again the victim will usually stumble on a website that manages to install this small program onto the victim’s computer. The role of this program is similar to the pop-up in the previous example. However, whereas in the previous example the pop-up is dependent on the victim visiting a webpage before it appears, this small program, once installed, will cause various pop-ups to appear on the victim’s computer regardless of what they are doing. Nor is it always standard pop-up windows: it can also produce the pop-up balloons in the bottom right that Windows users will be familiar with, or more official-looking pop-up boxes, or a combination of these. These pop-ups have the same aim as in the previous example: to trick the user into allowing the download of the full scareware application.

- A victim has some anti-virus/firewall protection, but it is not adequate enough to prevent a small program from installing. Again this program is typically inherited by the victim stumbling on the wrong sort of website. However this program has a slightly different role than in the previous example. Its aim is to create a backdoor so that the full scareware application can download without the victim’s knowledge. These programs are often referred to as “installers” and good anti-virus software these days should detect and remove them. However if they are not detected, even if a legitimate anti-virus software scan removes the main scareware application, the victim will soon discover that they have been infected again.

- A victim has poor anti-virus/firewall protection, and the full scareware application manages to download onto the victim’s computer in one go.

So that is how it gets onto a victim’s computer. Once there, the scareware is designed to report phantom threats. The threats it reports do actually exist (though not on the victim’s computer), which makes the purported results more believable. Once the scareware has managed to install itself and convince the victim that it is legitimate anti-virus software and that their computer is infected, what next?

Typically the scareware will report the threats, but inform the unfortunate victim that they will need to purchase the full licensed copy of the “anti-virus” software before it can take further action. In the most extreme cases it will also completely lock down the victim’s computer, rendering it useless: it prevents applications from loading and stops the user from visiting web pages. If the victim purchases the full software, some functionality is usually restored, but the full copy is typically useless or of poor quality and the victim will still have malware on their computer.

Often scareware will have other objectives too, ones more common to other malware scams, such as identity theft and questionable advertising methods.

So now that you know how it installs itself and what it does, how do you spot and avoid it?

Some initial advice, which readers should take as general advice: be careful what websites you visit. As we reported in the first part of this article, the victim usually ends up in trouble because the scareware is downloaded (partially or in full) through websites.

Internet users are advised to familiarise themselves with credible Internet security software and to recognise the difference between a firewall and an anti-virus program. Both are essential, and they can be installed separately or together as a whole security package. Once they are installed, it is good practice to use only these programs and not to trust or follow the advice of any other software claiming to be anti-virus software. This means that if Internet users see pop-ups claiming that their computer is infected or reporting any other type of Internet threat, the user should ascertain whether it is their installed security software reporting the problem or a third party, which should not be trusted. Always be on the lookout for fake pop-ups designed to look like legitimate security windows. Fake pop-ups will usually appear within the Internet browser window, whilst legitimate pop-ups won’t. For Windows users, you can tell this by looking at the taskbar. For example, windows that appear within Internet Explorer will take on the blue “e” icon on the taskbar.

Scareware applications usually take on credible names, like AntiMalware 2009 and GuardPCs 2009, but don’t be fooled. Always trust your anti-virus software. If you want to know what anti-virus software we trust, we recommend certain anti-virus programs, including AVG, which in 2010 is offering a 2-year subscription for the price of one year.

Facebook Scareware Example

There was an example of Facebook scareware a short while back, in the guise of the Facebook Fan Check application. The application was claimed to be dangerous, and cautious surfers looking for information found themselves in trouble when various websites that claimed to provide both information and prevention advice on the subject were in reality designed only to install scareware applications on the victim’s computer. This is an example of how the installation of scareware can be unavoidable if up-to-date legitimate anti-virus software isn’t installed.

So what if a victim has already had their computer infected?
Removing scareware…

First of all, don’t purchase anything, even if you are being pressured to. Next, find out the name of the scareware application. They shouldn’t be hiding it; rather they will be advertising it, as this is how they persuade victims into buying their rogue software. Google the name of the scareware application followed by the words “removal instructions”; this should provide information on the successful removal of the scareware. There are some excellent sources for this kind of information, like bleepingcomputer.com, and the speed with which new threats are covered there is also first rate. Of course, if the victim cannot access the Internet they will need another computer.

If you do not have access to another computer, it is worth trying to access Safe Mode on your computer by pressing F8 (on Windows) as the computer starts up and selecting Safe Mode. In Safe Mode the computer only runs essential processes, so any processes added by the scareware should not be running. Once in Safe Mode, victims are advised to attempt to run their installed and trusted anti-virus software.

Another option is the System Restore feature that Windows operating systems have, which takes the operating system back to an earlier date. The advantage of this is that personal data is not lost, but the disadvantage is that it rarely works by itself and the victim will still have to follow the other advice in this article.

Removing scareware can be frustrating, and deleting it completely can be extremely difficult. If the victim is not able to remove the software completely using the previous advice, and expert advice does not help, users are advised to enter Safe Mode, back up any wanted information, and perform a full system recovery, meaning the computer will revert to factory settings. Of course, this is a last resort.

Lastly, remember this: scareware is on the rise. Due to the confusion it causes, it is one of the fastest-growing and most effective scams facing cyberspace today, so be careful, and if you haven’t already, get good security software on your computer.

ThatsNonsense.com
Iain Says:
I saw the fake anti-virus 'security tool' on a friend's computer and I removed it by finding the shortcut to the program on the desktop and right clicking, then selecting Properties and showing the original file location. The file is named as a load of numbers then .exe, e.g. '57686968.exe', and can be found in the 'program data' folder in Vista. Because the program is constantly open, it would not let me delete it, so I changed the extension of the program to something that isn't recognized by the computer so that it would be unable to open the fake program on the next startup. I then restarted and sure enough things were back to normal. I then removed the file. Don't worry about having to use system restore or reinstall the operating system or anything crazy! What I have said does the trick :)

05/03/10
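The pattern Iain describes (an executable named as a run of digits, sitting directly in the ProgramData or AppData folder rather than under a vendor's own subfolder) can be turned into a quick triage check over a machine's startup entries. The script below is an added example, not code from the article or from Iain; the `reg query` style text and the paths in it are constructed sample data, and the function names are my own.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample shaped like `reg query HKCU\...\CurrentVersion\Run` output (not from a
# real machine); the digits-only .exe under ProgramData mirrors the pattern in the comment.
SAMPLE_RUN_KEY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    AVGUI    REG_SZ    "C:\Program Files\AVG\Antivirus\AVGUI.exe" /minimized
    57686968    REG_SZ    C:\ProgramData\57686968.exe
    Updater    REG_SZ    "C:\Users\alice\AppData\Roaming\9283710.exe" -silent
"""
ENTRY_RE = re.compile(r"^\s+(\S+)\s+REG_(?:EXPAND_)?SZ\s+(.*?)\s*$")  # "    Name    REG_SZ    data"
USER_WRITABLE_ROOTS = ("temp", "tmp", "programdata", "appdata")  # checked in this order
PROFILE_SUBDIRS = ("local", "locallow", "roaming")  # AppData layout dirs, not vendor folders

def executable_from_command(command: str) -> str:
    """Return the program path from a Run-key command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]

def suspicious_reasons(exe_path: str) -> list:
    """Heuristics for a rogue-AV style autorun entry; returns every reason that fires."""
    path = PureWindowsPath(exe_path)
    reasons = []
    if path.stem.isdigit():
        reasons.append("executable name is all digits")
    parents = [part.lower() for part in path.parts[:-1]]
    for root in USER_WRITABLE_ROOTS:
        if root in parents:
            vendor_dirs = [d for d in parents[parents.index(root) + 1:] if d not in PROFILE_SUBDIRS]
            if not vendor_dirs:  # C:\ProgramData\x.exe rather than C:\ProgramData\Vendor\x.exe
                reasons.append(f"runs directly from {root} with no vendor subfolder")
            break
    return reasons

def triage_run_key(reg_output: str) -> dict:
    """Parse reg-query style text; return {value name: reasons} for entries worth a closer look."""
    flagged = {}
    for line in reg_output.splitlines():
        match = ENTRY_RE.match(line)
        if not match:
            continue  # key header, blank line, or a value type we do not handle
        name, command = match.groups()
        reasons = suspicious_reasons(executable_from_command(command))
        if reasons:
            flagged[name] = reasons
    return flagged
```

Only the path strings are parsed, so the check runs anywhere; paste in real `reg query` output from the Run keys (or a startup-folder listing) to see which entries deserve the Google-the-name step the article recommends.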