Virus or Fake Virus Warning

Confusing fake virus warning; which messages are actually dangerous and which messages are harmless? This is how you can find it out.

Do you trust the website that you visit regularly? Malware developers hope so, because if the browser displays a warning on a known page, few users believe that there is a virus and ignore the warning. Attacks on well-known sites show that this trust can be dangerous. About 500,000 websites were victims of an attack that infiltrated dangerous malicious code into the sites, including a few podcasts on iTunes.

Even in other cases, the malware developers targeted the innocence of the users. In addition to the perennial issue of phishing emails, attackers are now concentrating on two emerging markets in particular: social networking sites and smartphone apps. Yet only a few users believe that posts from their Facebook friends could be dangerous. However, new attacks are seen every day that are out to get the personal data of the users. Also, the number of apps in the App-store and in particular in the Android market that spy on cell phone data or rip off users is increasing rapidly.

On the other hand, browsers and operating systems confront the user time and again with similar harmless warnings, in which some suspect a virus attack: blocked websites, false alarms of the virus scanner, Windows messages. The distinction between where a virus actually lurks and where not is difficult. However, if you look at the right place and with the right tools, you will find the solution in no time.

What are Real Viruses:

This is how malware and con artists camouflage themselves.

HACKED WEBSITES

Attackers are increasingly using reliable sites to spread malware. The latest example: the aforementioned attack on about half a million websites, which became famous as the LizaMoon attack. Via SQL Mass Injection, hackers infiltrated codes into the sites that automatically forwarded you to a page that hosted the malware. Most of these forwarding’s led to the domain lizamoon.com – hence the name.

A similar attack affected about 114,000 sites in June last year. Exactly like that attack, the LizaMoon targeted sites that used the Microsoft server platform IIS and the content development technology ASP.net.

The malware packets on the target sites of the redirects specifically search for un-patched loopholes in the browser, the plug-ins, or even in Windows. These are often Trojans that spy on the data or rogue ware programs.

Even if the browser or virus scanner displays a warning, users rarely expect an attack on known sites. One would barely notice this since it is usually run in the background. Therefore, you should always update the virus scanner, the browser, and its plug-ins so as to rectify the security loopholes as properly as possible. With the Firefox add-on NoScript, you can also regulate the execution of active elements and block embedded scripts. Sometimes, the site itself is not the problem, but the contents on the page are added via iFrame. Hence, after installing NoScript, use the icon next to the URL line to go to ‘Settings | Embedded Objects’ and activate the ‘Ban <IFRAME>’ function there.

INCORRECT VIRUS DETECTION

Warnings from the Windows Stability Center should be taken seriously, right? It is better if you don’t because the tool is an unreliable security program (rogue ware) that wants to deceive you with fake warnings. It mostly originates from websites that initially generate a seemingly real virus warning in the browser using JavaScript. If you click ‘Remove viruses’ or similar buttons, an unreliable virus scanner that is most often difficult to remove is downloaded; for instance, the Windows Stability Center. Even this displays incorrect results again and offers the user the solution – a paid, but of course, completely useless pro version.

super guitar solo

Figure: Hacks, A data spy is hidden behind the seemingly harmless music application

Do not buy the tool. At first glance, the warnings seem threatening, but if you take a look at it again, the unusually large number of viruses that have been found should make you suspicious. You should generally install only reliable, well-known antivirus programs. If you see such a false alarm, check your computer thoroughly. The Remove Fake Antivirus tool can be used to find and remove the most common samples. You can find the tool at ‘http://www.softpedia.com/get/Antivirus/Remove-Fake-Antivirus.shtml’.

Despite original logos or seemingly real Windows messages, one can recognize such extortion attempts. Rare business practices (Windows activation solely via foreign telephone numbers), misspellings, email addresses that do not refer to an official domain, or anonymous payment methods indicate the scam. But even those who do not pay must still disinfect the computer. Since the system accesses in Windows are usually completely blocked, only a restart and system check with the live CD of the antivirus program helps. If this also does not help, the only remaining option is to reinstall Windows.

window firewall

Figure: False alarm, instead of preventing spy attacks, the firewall occasionally blocks harmless programs

ALLURING FACEBOOK LINKS

Fraudulent content spreads rapidly on Facebook. The reason: many users simply click content, which has allegedly come from their friends. The harmless variant of this so-called Facebook scam is videos that promise celebrity sensations, violence, or sex. If you click such a video link, the contents are posted on the user profile via a hidden ‘Like’ button. Advertising companies are behind this most of the time and earn money with every click. However, Apps are more dangerous; for instance, they promise you that you will be able to see all the people who visit your profile – something that is not possible on Facebook. Such apps forward the user data without permission or even steal passwords and infect the computers with malware.

You can quickly identify the suspicious videos on strange links such as chalaepic.zapto.org. In Apps, you should pay close attention to the data they use. You can delete already registered Apps in Account | Privacy settings | Apps and Websites | Edit settings. For safety, you should set a new password after each scam attack. You can do this in ‘Account | Account settings | Password Change’.

DECEIVING APPS FOR SMARTPHONE

The applications in the App-stores for ios or Android are not always as harmless as they appear. With free apps, in particular, it is possible that you click an ad banner and subscribe to something by mistake that is automatically billed to your phone bill. Smartphone viruses are worse.

In March, hackers infected more than 50 Android apps with the malware DroidDream, including Photo Editor, Super Guitar Solo, and Best Password Safe. In four days, the Apps were downloaded 50,000 times according to Panda. Once installed, such viruses can read the data, send expensive SMSs automatically and activate administrator rights, and thus download more malware.

Antivirus apps for smartphones prevent such attacks. A sleek and effective solution is AVG Antivirus Free (free of charge in the Android market). After installing an app, you should also check in the application information whether it is accessing your messages or browser history; this is typical of hackers and spies. However, if you find unusual entries in the bill, complain about this to the provider. Nevertheless, you must hope for fairness because it is very difficult to prove that you unintentionally subscribed to something.

PROFESSIONAL PHISHING

Phishing sites spread via email are once again increasing: According to Symantec, the number of phishing emails rose by 50 percent from January to February. The mails link you to professionally recreated banking sites, where you are asked to enter your log-in data.

Always enter the web addresses of banks, shops, or payment services manually or invoke them via bookmarks. Remember that banks never send such emails. Ensure that the bank and payment service websites use https links because only then are they really safe. Unusual domains such as paypaldeb.com are also suspicious. Click other links or sub-pages and they do not work in most cases. If you receive an error message when entering the access data and have to re-enter it, this could also be a trick. With this, attackers want to hack other accounts as well.

Fake Virus Warning

How harmless messages are upsetting

AGGRESSIVE VIRUS SCANNERS

If your current virus scanner pops up a warning, you should take it seriously. However, this, unfortunately, results in false alarms occasionally when you install or run an application. According to the AV test, the number of false alarms at the start of this year has certainly reduced as compared to the fourth quarter of 2010. However, security suites still grumble in the case of a number of known applications – even as regards OpenOffice or Notepad++, which are completely harmless. This is mostly due to a clear heuristic that classifies certain code parts or file actions in harmless programs as suspicious. Whether a warning is displayed depends on a threshold value. If this is exceeded, the scanner strikes.

If you know the blocked program, you should compare the checksum of the setup file with the value often specified on the download page of the provider using a tool like FileAlyzer (http://filealyzer.en.softonic. com/). This is useful, especially for large files such as the installer of the Open Office suite. If you do not find any checksum on the website, download the program once again from a trusted source for security. If the blocked file is unknown, move it to quarantine and start the counter check. Upload the file using VirusTotal Uploader (http://virustotal-uploader.en.softonic.com/) and get it analyzed from more than 40 engines. If only one or two strikes, it is not malware

fake virus warning

Figure: Fake virus warning comparison 20 typical applications

BLOCKED INTERNET OFFERS

The phishing filters of the browser are based on blacklists that include malicious codes of transmitting URLs. These lists are mostly reliable and block dangerous sites, but are not always up to date, New harmful sites are constantly appearing and the number has doubled to nearly 3,300 per day in the last year. However, the site itself may not harmful, but perhaps just one of the ads on it. The infected banner is usually removed quickly, but once the site is on the blacklist, the browser blocks it for days.

Check the blocked URL with the webpage scanner by AVG (avgthreatlabs.com/ sitereports) that analyzes the URL, including sub-domains in real-time. You can also protect yourself from infected banners by using an Adblocker for the browser.

INCORRECT CERTIFICATES

SSL-encrypted websites require certificates so that the browser can verify its authenticity and distinguish it from dubious or dangerous sites. If the certificates are not stored in the browser, it will block the page and display a warning to the user.

These warnings may have absolutely harmless causes: an incorrect date in the system (Windows or BIOS), an expired certificate (rarely), or a certificate from an unknown source. This is applicable to a few free-of-charge certificates, like those from CAcert, which you can then directly download via a selection window in the browser and store. Current browsers are so strict that you cannot just click and get away with these certificate warnings.

ANNOYING WINDOWS UAC

The Windows User Account Control (UAC) does not distinguish between malware and harmless software. By default, it always warns if an application wants to change the Windows settings (such as the registry). Experienced PC users mostly click and get done with the resulting pop-up window without reading, and inexperienced users tend to be unsure.

In ‘Control Panel System and Security Action Center Change User Account Control Settings: you can reduce the strictness of the UAC. If you deactivate it completely, you should not use Windows with admin right, as otherwise, malware can easily get into the system. Therefore, set up a quick user change, using which you can activate the Admin right with a click and install tools.

OVERZEALOUS FIREWALL

Not every program that sends data to the Web is a Trojan that accesses your account, credit card or log-in data. Some harmless programs also send data to the Web. The firewall does not strike in browsers or P2P tools that use other ports for data transmission.

If you are unsure, you can analyze active network connections using CurrPorts (http:// currports.en.softonic.com/). Hide all system processes by deactivating the ‘Display Items without Remote Address’ function under Options. With this, you are only left with known programs. If you see another process, find the file location in the ‘Process Path’ tab and upload the file from there using VirusTotal Uploader for a virus check. If a virus is found, disconnect the connection of the used ports in CurrPorts using [Ctrl] + T and abort the process in the context menu with ‘Kill Processes of selected Ports’.

TYPICAL SYSTEM ERRORS

Badly programmed malware can cause crashes or corrupt the memory. However, this is rare as it works secretly. In addition, many reliable malware kits are circulating on the Web. Thus, the causes of system failures are mostly conflicts in the memory system, old drivers or hardware wear out.

Check-in Device Manager if there are any hardware conflicts, and update the driver if necessary. This can especially help in older operating systems (Windows XP or its predecessors); the newer Windows versions generally download the appropriate drivers automatically. If you have installed a program before the problem, call an earlier stage using system recovery, in which the computer still worked. Use CCleaner (http://www.piriform. com/CCleaner/download) or Defraggler (http:// www.piriform.com/defraggler/download) to clean the hard disk and registry and get rid of old files and entries related to past system errors. You will thus no longer get any warning messages – at least till the next website has been hacked.

Leave a Comment