Educause Security Discussion mailing list archives
Re: how does fake antivirus work?
From: Joe St Sauver <joe () OREGON UOREGON EDU>
Date: Thu, 28 Apr 2011 10:15:58 -0700
Bob asked:

#The "SANS Securing The Human Program" training module #2 about Social
#Engineering demonstrates that fake antivirus programs fool you into going
#through the installation process to load their malware onto your computer.
#Locally, I am hearing the assertion that fake AV is not nearly that gentle,
#that your computer is instantly and automatically compromised as soon as you
#go to their website, the process of installing their fake product can be
#just as fake as the process of evaluating your computer for current
#infections.
#
#What is the range of how fake AVs really work? Do some cajole you into
#installing their code while others silently inject their code automatically?

The fake A/V products I've seen most commonly like to use Flash to display a fake "live" scan of your system (always funny when you see this on a Mac -- didn't know I even had a C drive -- oh wait, that's because I don't. :-)).

After the fake "live" scan "completes" (wow! that was fast!), you'll then typically be given the opportunity to download a "tool" to "fix" the "problems" that have been "found." Clicking pretty much anywhere typically will be sufficient to trigger that download, normally an exe from some third party download site. If you run that exe through VirusTotal or a similar sandbox, it will invariably be tagged as malicious by one or more products, although others will routinely miss it (sigh).

As to whether the payload autolaunches or requires the user to manually cooperate in being 0wn3d, that often depends on the browser and OS that the user is running. One of my favorite resources to help people understand the vulnerabilities that exist in many browsers has been http://ha[dot]ckers[dot]org/xss.html , which focuses on Cross Site Scripting issues. It doesn't look like that page has been updated recently for the latest versions of popular browsers, but it does give you an idea of just how little it can take to have random content accessed via a web page.

Of course, basic steps (like disabling scripting in the browser) would help tremendously in many cases, but since that breaks all the cool applications that rely on scripting (such as much of what Google offers), folks are reluctant to do that. You can try giving users more granular control over scripting (such as via NoScript), but some users may find it overly complex, and quickly end up either blocking stuff that they shouldn't, or permitting stuff that they shouldn't.

Regards,

Joe St Sauver (joe () oregon uoregon edu)
http://pages.uoregon.edu/joe
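The download chain Joe describes (a Flash "scanner" page, then a click that pulls an .exe from some third-party download site) is something a proxy log can surface. The following is an added detection example, not code from the list post or from any product it mentions; the log format, hostnames and client addresses are constructed for illustration.

```python
"""Flag the fake-AV chain in proxy logs: a client fetches a Flash object
and, within a short window, an executable from a different host.
Log lines and their format are constructed (hypothetical proxy output)."""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample lines: "timestamp client url mime-type"
SAMPLE_LOG = """\
2011-04-28T10:01:02 10.0.0.5 http://scanner.example/scan.swf application/x-shockwave-flash
2011-04-28T10:01:40 10.0.0.5 http://dl.example.net/setup_av.exe application/x-msdownload
2011-04-28T10:02:10 10.0.0.7 http://www.example.org/video.swf application/x-shockwave-flash
2011-04-28T10:30:00 10.0.0.7 http://mirror.example.org/tool.exe application/x-msdownload
2011-04-28T10:05:00 10.0.0.9 http://cdn.example/installer.exe application/x-msdownload
"""

FLASH_TYPE = "application/x-shockwave-flash"
EXE_TYPES = {"application/x-msdownload", "application/octet-stream"}

def parse_log(text):
    """Parse the constructed format into sorted (time, client, url, mime) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, url, mime = line.split()
        events.append((datetime.fromisoformat(ts), client, url, mime))
    return sorted(events)

def is_exe(url, mime):
    # Match on MIME type or on a .exe path, since either may be missing.
    return mime in EXE_TYPES or urlparse(url).path.lower().endswith(".exe")

def find_fake_av_chains(text, window=timedelta(seconds=120)):
    """Return (client, swf_url, exe_url) for each Flash fetch followed within
    `window` by an executable download from a different host."""
    by_client = {}
    for ev in parse_log(text):
        by_client.setdefault(ev[1], []).append(ev)
    hits = []
    for client, events in by_client.items():
        for i, (t_swf, _, swf_url, swf_mime) in enumerate(events):
            if swf_mime != FLASH_TYPE:
                continue
            for t_exe, _, exe_url, exe_mime in events[i + 1:]:
                if t_exe - t_swf > window:
                    break  # events are time-ordered, nothing later can match
                if is_exe(exe_url, exe_mime) and urlparse(exe_url).netloc != urlparse(swf_url).netloc:
                    hits.append((client, swf_url, exe_url))
    return hits

if __name__ == "__main__":
    for hit in find_fake_av_chains(SAMPLE_LOG):
        print("possible fake-AV chain:", hit)
```

Only the first client matches: the second fetched its .exe well outside the window and the third never loaded a Flash object, which keeps ordinary software downloads out of the alert.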