amelierosalyn


All posts tagged with "Security"

XP Anti-Virus 2011 is a very clever virus

Have you ever had one of those fake antivirus things pop up on your computer? You know the type, "50,000 infections found! Click here to remove! *click* Pay $$$ to remove or you have viruses!!1". They're very convincing; usually they look like legitimate programs and/or parts of Windows. They prey on novice PC users who jump at the word 'virus' and think they have done something wrong.

I recently had the misfortune to meet one called XP Anti-Virus 2011 (not my computer that was infected, I was just tasked with fixing this particular one). This virus - and yes, I am calling it a virus even though it technically isn't one - is the nastiest rogue software I have seen yet, though I'm sure it's not the only one to run as it does. It's not new, despite the name - it's been around for years under various names, mainly made up of your version of Windows and the current year. So under Windows XP, you'd get XP Anti-Virus 2011 and under Vista you'd get Vista Anti-Virus 2011...etc.

Why is this particular one clever? Well, as I said, it's probably not just this one, but what this program does is change how .exe files are run on your computer. On Windows, .exe files are normally programs; nearly all executable files have that extension. Mr Nasty Virus here reroutes all .exe files to run through itself - and it'll block any it doesn't like. Those it doesn't like include almost all legitimate antivirus/antispyware scanners and certain web browsers as well - it didn't seem to stop Chrome, but it put a stop to Internet Explorer in any case and kept reopening itself to inform me that the computer had too many viruses and I must click here to register and remove threats. That of course makes removing this piece of rubbish a right pain since, well, it doesn't let you. :P Of course, it did everything else these fake programs do - nice threatening messages, cloned the Windows Security Center but plonked itself there instead, typical antivirus program look... All very lovely.
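The "reroutes all .exe files to run through itself" trick is done by changing what Windows has recorded as the handler for .exe files: the default value of HKEY_CLASSES_ROOT\exefile\shell\open\command, which on a clean machine is simply "%1" %* (run the program itself with its arguments). A rogue AV replaces that with its own path so it gets to decide which programs start. Below is a small checker I've added here as an example; it is not from the original post or from any removal guide. It parses a .reg export of that key and reports whether the handler is still the stock value, and on Windows it can also read the live key. Both exports are constructed for this example, and the rogue file path in the "hijacked" one is made up.

```python
import re
import sys

# Stock value of HKEY_CLASSES_ROOT\exefile\shell\open\command on a clean Windows
# install: run the .exe itself ("%1") with whatever arguments followed it (%*).
EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
EXPECTED_EXEFILE_COMMAND = '"%1" %*'

# Constructed sample of a registry export from a machine where the .exe handler
# has been redirected through a rogue program. The path and file name are made
# up for this example and are not taken from the infected machine in the post.
HIJACKED_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\rogue.exe\" /START \"%1\" %*"
"IsolatedCommand"="\"%1\" %*"
'''

# Constructed sample of the same key on a clean machine.
CLEAN_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''


def unescape_reg_string(value):
    # In a .reg file a backslash escapes the next character (\" and \\).
    return re.sub(r'\\(.)', r'\1', value)


def parse_reg_export(text):
    """Return {key_path: {value_name: string}} for the string values in a .reg export."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line and line.endswith('"'):
            name, _, value = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            keys[current][name] = unescape_reg_string(value[1:-1])
    return keys


def exefile_handler_status(keys):
    """Return (is_stock, command): True when the handler is untouched, False when
    something else has inserted itself, None when the key is not in the export."""
    command = keys.get(EXEFILE_KEY, {}).get("(Default)")
    if command is None:
        return None, None
    return command == EXPECTED_EXEFILE_COMMAND, command


def check_export(text):
    """Human-readable verdict for a .reg export."""
    is_stock, command = exefile_handler_status(parse_reg_export(text))
    if is_stock is None:
        return "exefile open command not present in this export"
    if is_stock:
        return "exefile open command is the stock value: " + command
    return "exefile open command has been redirected: " + command


def live_exefile_command():
    """On Windows, read the live handler with the standard-library winreg module;
    on any other platform return None so the script still runs offline."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command") as key:
        return winreg.QueryValue(key, None)


if __name__ == "__main__":
    print(check_export(CLEAN_REG_EXPORT))
    print(check_export(HIJACKED_REG_EXPORT))
    live = live_exefile_command()
    if live is not None:
        print("this machine:", "stock" if live == EXPECTED_EXEFILE_COMMAND else "REDIRECTED", live)
```

Anything other than "%1" %* in that value is worth a close look: a few legitimate tools do register themselves there, so treat it as a flag to investigate rather than proof on its own, and check what the path actually points at before trusting any program that launches from then on.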

I removed it by following a mixture of guides online - this guide is one of many that explain the basic steps (note the insertion of the license key in those steps - once you do this the program will act as if it has removed the viruses and/or itself. Ha - I restarted and it came back up an hour later saying my registration needed confirming and I still had threats). Once you've got rid of it, make sure to update your real antivirus/antispyware protection and run a full scan to make sure it really has gone. A lot of those guides keep trying to push a download of Spyware Doctor (normally labelled as the "remover" for the viruses)... I've never found that program anything more than bloat, personally - I removed the items manually, then ran Malwarebytes' Anti-Malware on a full scan to make sure all traces had gone.

How do you protect yourself from getting fake antivirus software on your computer? Here are a few tips:

  1. Know what your real antivirus software is (and firewall, if you have one), what it looks like and how to run it. If a window pops up saying you have viruses but it doesn't look like your normal AV software, it is more than likely fake.
  2. Use a browser other than Internet Explorer, or if you like IE, keep it up to date. XP Anti-Virus and its variants creep in through unpatched vulnerabilities in browsers - mostly IE.
  3. Keep Windows up to date. I know, Windows Update is a right pain and sometimes its updates take ages to download/install and sometimes break things. However, some of the updates do fix holes in the operating system so that fake AV stuff can't get in as easily.
  4. Don't click on dodgy links. Got some weird email from your friend with a link in it? It might be worth checking they really sent it and that their email account wasn't hacked and used to send out links to virus-infested sites (it happened to me last year - my email account got hacked and my contacts all received some virusy links :( )
  5. If a message does pop up about viruses on your computer, read what it says carefully. In most cases, fake AV software is in broken English with poor grammar and spelling (e.g. "threat is been discovered on your computer"). If your computer's primary language isn't English and this rubbish shows up in English, that's also a giveaway right there.
  6. If you do happen to get one of these fake programs on your computer, don't click on any notice it gives you. Click the X button at all times and don't click any buttons it gives you on screen - while getting rid of the millions of popups it was giving me, I inadvertently clicked on what I thought was a cancel button, and it tried to send me to some dodgy website. Ick.

Don't get caught out by phone scams

Most people are wise to so-called phishing scams, usually in the form of emails pretending to be from a reputable place such as a bank asking you to click a link to 'secure your account' or similar. Said link is usually a clone of the real site so that users feel comfortable entering their confidential data. Of course, it all gets sent to scammers who go and use your details to commit fraud. Lovely.

It's not a new thing at all, but people are doing this over the phone too. A popular one that recently caught out a family member goes like this: someone calls, asks for the householder by name, and proceeds to tell them they are from Microsoft or 'Windows Support'. They may have the householder's email and/or home address (from where I have no idea; they may be using the local phone book or have had the details sold on to them from other sources) and will gain the trust of the user by confirming these with them. They then tell the user their computer is infected by viruses and this must be fixed now, or they will be fined/their computer will crash/other similar threats. Sounds like a classic scam, but because the caller knows the user's name it can catch people out - especially if they're computer illiterate.

The scam generally continues with some or all of the following:

  1. The user is instructed to go to their computer, open the Run command (Windows+R brings up the Run box) and type in "eventvwr" and/or some form of "prefetch unwanted".

  2. The scammers tell the user that the entries listed in the resulting window are viruses and these must be cleaned.

    This is of course not true - "eventvwr" brings up the Windows Event Viewer and entries listed within this are events logged by Windows. Scammers may go further with this one and say that any items with a yellow warning triangle or red cross are malicious items, but they aren't - they're errors logged by Windows which for the most part are harmless. They are definitely not viruses.

    The "prefetch unwanted" command brings up the Windows prefetch cache, which is just that - a cache of programs which enables Windows to open them more quickly. Deleting these files won't remove a virus nor will it damage your computer.

  3. After insisting that the files found are dangerous, the scammers will offer to 'fix' them and will ask for payment to do this. They might take users to a website or they will ask for card numbers over the phone. Common websites users are sent to include some variant of the words "tech support" in the URL.

  4. What follows is an attempt to connect to the computer remotely. How this is done differs slightly per scam, but in general they will direct users to a web page via the Run command and/or will ask them to install a program such as TeamViewer or LogMeIn. Installing those particular programs (the ones mentioned, that is - other programs may be more malicious) is not dangerous in itself - it's the part where the user hands over control that is, and the scammers get this by asking the user to enter a code into the website or program. Control is then given over to the scammers - they can see and use the computer as if it were their own.

  5. Once the card payment has gone through (for far more than the user was told, in most cases), the scammers will set about 'fixing' the computer, which generally involves downloading and installing lots of software onto the machine and possibly deleting anything they think is a virus (note: this could be anything - personal documents, essential Windows files, etc). They might tell users to leave the machine for a bit and during that time they'll snoop into their personal files - or they'll do it right in front of the user and claim it's part of the fixing process. It isn't - they're just looking for information they can steal.

  6. Once all the software is installed, the user is told their computer is fixed and the call is ended. The installed software is, in most cases, harmless; it's just junk that doesn't do anything (or perhaps does do something, but not what it advertises - it may pop up a load of ads or redirect your browser to a dodgy search page, for example). However, some scammers have installed software which opens a backdoor to the computer and leaves it in their complete control, and they can use this to do far more damage. Rootkits and keyloggers can get installed and the computer can end up a so-called 'zombie' acting as part of a botnet.

Wonderful, eh?

Fixing all this once the user discovers they've been conned depends on quite how bad the damage is to the computer. Personally I'd recommend a full reformat - you never know what nasty little things were done during the 'fixing' process and what that seemingly harmless software might leave behind. It might still be 'calling home' in the background, sending personal details back to the scammers. Not really a nice thought. It also goes without saying that you should cancel all cards given out to these fraudsters and contact your bank telling them what happened. It's unlikely you'll get the money back, as you willingly gave the details out, but you should still contact them. Watch out for an increase in junk mail, email spam and/or similar phone scams as your details get passed around - don't fall for them again. If you can, get a credit check done to make sure no one is fraudulently using your details.

However, the best advice is not to be scammed in the first place. When random people call you up out of the blue, treat them as if they'd emailed you - would you blindly trust any email that says it's from a certain sender? You shouldn't trust people on the phone who claim as much either. If they claim to be from a reputable company, ask their name and ask for a reference number for the call, then call the company's main advertised number (NOT the number the person on the phone tells you to call, even if they say it's their private extension or similar) and quote the details. No such person/reference? You know that call wasn't genuine.

Think about it: would a major computer company such as Microsoft really care about individuals with viruses? And furthermore, if they did care, would they really task themselves with dealing with it? No, they wouldn't - they're a huge company with far better things to do. It's common sense; you cannot know a person is who they say they are even if you met them face to face, so how can you possibly know over the internet/phone? You can't, so don't give them the privilege of having your personal data. You don't know what they'll use it for - ID theft, selling it on, stealing from your bank account ... You name it.

Oh, and don't save things on your computer that will delight such fraudsters when they find them either - bank details in a Word document? Not a good idea. Really.

PHPAskIt is insecure!1!1!zomg!11

I came across a couple of websites discouraging the use of PHPAskIt because it uses a database and therefore absolutely must be insecure.

One such example states:

PHPAskIt isn't completely secure, either. It uses a database so I woulda thought that was more INsecure than the flat file of Waks Ask & Answer script.

Another says:

PHPAskit is just as insecure [as Wak's Ask&Answer] only people think it's secure because it's not flat file.

And so on, and so forth.

For the record, there is no difference in security between one storage method and the other, as long as they are both done properly. Wak's Ask&Answer and CuteNews (flat file scripts) aren't. PHPFanBase and SimpleDir (MySQL scripts) aren't either. Jem's Bella~ series and FlatPress, however, are flat file scripts and they are fine. Similarly, WordPress and PHPAskIt are MySQL scripts and they are absolutely fine.

Yes, it's true that hackers discover more and more vulnerabilities in scripts and programming languages all the time, so a script may not always be secure in its current version, and it is very important to keep your scripts up to date. But to say a script is insecure because of the method of storage it uses is stupid and shows complete ignorance. If you are going to say a script is insecure, don't just back it up with "well I looked it up online and it said it was insecure". People seem to like publishing fake reports of insecurities (probably where all this is coming from, actually... PHPAskIt had a nice security hoax published about it - and in case you're still living in the dark ages, it was wrong), so "looking it up online" isn't always the answer.
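To make the "done properly" point concrete, here is a small example I've added (it is not code from PHPAskIt, Wak's Ask&Answer or any of the scripts named above, and it's in Python with SQLite standing in for MySQL so it runs anywhere). It implements the same feature, "show a public question by its id from the URL", four times: a sloppy and a careful database version, and a sloppy and a careful flat-file version. The two questions are constructed sample data. The sloppy database version glues the id into the SQL, so an id of "1 OR 1=1" returns the private question too; the sloppy flat-file version builds a path out of the id, so "../private/2" reads the private file. The careful versions check that the id is a plain number and, for the database, bind it as a parameter. Neither storage method is the problem; the handling of user input is.

```python
import os
import sqlite3
import tempfile

# Constructed sample questions (not taken from PHPAskIt or any real site).
# The private one must never be shown through the "view a public question" path.
QUESTIONS = [
    (1, "What's your favourite colour?", "public"),
    (2, "What's your home address?", "private"),
]


def make_db():
    """In-memory SQLite stand-in for the MySQL table an ask script would use."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE questions (id INTEGER, text TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO questions VALUES (?, ?, ?)", QUESTIONS)
    return conn


def db_public_question_unsafe(conn, qid):
    """Badly written database script: the id from the URL is glued into the SQL."""
    sql = "SELECT text FROM questions WHERE visibility = 'public' AND id = " + qid
    return [row[0] for row in conn.execute(sql)]


def db_public_question_safe(conn, qid):
    """Properly written database script: validate the id, then bind it as a parameter."""
    if not qid.isdigit():
        return []
    sql = "SELECT text FROM questions WHERE visibility = 'public' AND id = ?"
    return [row[0] for row in conn.execute(sql, (int(qid),))]


def make_flat_store(root=None):
    """Flat-file stand-in: one text file per question, in a folder per visibility."""
    root = root or tempfile.mkdtemp()
    for qid, text, visibility in QUESTIONS:
        os.makedirs(os.path.join(root, visibility), exist_ok=True)
        with open(os.path.join(root, visibility, f"{qid}.txt"), "w") as fh:
            fh.write(text)
    return root


def flat_public_question_unsafe(root, qid):
    """Badly written flat-file script: the id from the URL becomes part of the path."""
    with open(os.path.join(root, "public", qid + ".txt")) as fh:
        return fh.read()


def flat_public_question_safe(root, qid):
    """Properly written flat-file script: only a plain number can name a file."""
    if not qid.isdigit():
        return None
    path = os.path.join(root, "public", qid + ".txt")
    if not os.path.isfile(path):
        return None
    with open(path) as fh:
        return fh.read()


def compare(qid_db="1 OR 1=1", qid_flat="../private/2"):
    """Run a hostile id against all four versions and report what each one returns."""
    conn = make_db()
    root = make_flat_store()
    return {
        "db_unsafe": db_public_question_unsafe(conn, qid_db),
        "db_safe": db_public_question_safe(conn, qid_db),
        "flat_unsafe": flat_public_question_unsafe(root, qid_flat),
        "flat_safe": flat_public_question_safe(root, qid_flat),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:12} -> {result!r}")
```

Running it shows the two sloppy versions handing over the private question and the two careful versions refusing, which is the whole argument: you can write a leaky flat-file script just as easily as a leaky MySQL one, and you can write a sound one either way. When you look at a script yourself, the thing to check is where user input goes (the query, the file path), not what sits behind it.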

If in doubt, ask someone who knows what they're talking about. :)
