Wednesday, August 7, 2013

When Antimalware Goes Rogue

Let's tell a story, shall we?

Once upon a time, in a not-so-far-away, high-tech land, a young security enthusiast who enjoyed blogging almost as much as she enjoyed discussing Slenderman theories was surfing the Internet and came upon a Wiki page that seemed harmless.  Indeed, it was harmless.  However, a nasty hacker had anticipated her arrival and planted a very strange-looking piece of malware on the page.

The girl innocently visited the page only to find that it refreshed by itself, suddenly reloading into a white page with a popup: "Viruses have been detected on your computer.  Your computer must be scanned to prevent further damage."

Oh no!  How did this happen?  Did a bunch of viruses really elude this security nerd?  Would this mysterious and conveniently-located program that was causing the pop-up really save her from the deadly infection?

Most of you have probably experienced something similar before.  And, if that event in your computing life has taught you anything, it's that the pop-up on your screen is full of major BS.  If you were to click "OK", another window would open up.  What this window looks like varies depending on the program and the operating system (yes, some of these are written for Macs!).  However, for most of you it probably looks something like this:

[Screenshots: three Windows rogue "scanner" windows, then a Mac one, which reads:]

"Spyware is a type of malware that can be installed on computers..."
As opposed to types of malware that can't!  =D

You get the gist of it.  These pages try to make you panic and think that you've been infected by a gazillion viruses and must download Super Antivirus Pro Shield Supreme v2.0 to save your data!  Nothing on the page has scanned anything: the "scan" is an animation plus a canned list of scary file names, and it "finds" the same infections on every computer that visits.  These programs are called "rogue antimalware" (or "rogues" for short; you'll also see "scareware"), and their only purpose is to get you to pay for software you don't need.

After it does its "scan" and tells you that your computer is on the very brink of death, it offers Super Antivirus Pro Shield Supreme v2.0 for "only" x amount of money.  If you fall for its tricks, you'll go ahead and pay for the program—which, just by itself, would suck.  However, not only has the program scammed you into paying x amount of money for a BS-ing piece of malware (that you now have to clean off your system anyway), but you've also given the hackers your credit/debit card number.  Have fun with that!

Dealing With Rogues

If you happen to run into a rogue, try not to let it get too far into its scam.  The reason is that, even if you decline to download anything, the same page may be running an exploit kit that installs malware through an unpatched browser or plugin (Java, Flash, Adobe Reader were the usual targets) without asking you at all, and, trust me, those are a serious pain in the you-know-what.  (My computer suffered an infection like that, and it took about 10 months to clean completely because it undermined almost every new real antivirus program I tried to download to fix it.  It was also the reason I started learning about malware, and it's how I discovered just how cool computers are.)

If you use Windows, Task Manager is your best friend in this situation.  (I don't know if other operating systems have Task-Manager-like programs, but hear me out.)  What you want to do is hit CTRL-ALT-DEL.  (You can also right-click the taskbar at the bottom of your screen and hit "Start Task Manager", or press CTRL-SHIFT-ESC, which opens Task Manager directly on every version of Windows.)  If you use the CTRL-ALT-DEL keystroke, Task Manager might come up right away or you might have to select it from a list of options (depending on your version of Windows).  Regardless of how you do it, just start Task Manager.

[Screenshot of Task Manager's Applications tab.]

This is what Task Manager looks like, in case you've never seen it before.  It's just a way to see and control the things that are running on your computer.  The Applications tab lists every open window by its title, so my browser session is in there ("Blogger: Technical Difficulties...").  That's me writing this here post.  However, if you're under attack by a rogue, you'll see another browser window (look for the icon of whatever browser you use) whose title is whatever the rogue page calls itself, probably something like "Viruses have been detected on your computer blah blah blah...", "Scanning your computer blah blah blah", or "Super Antivirus Pro Shield Supreme v2.0" or whatever.  It should stand out to you.

What you need to do is click on this suspicious name and hit "End Task".  Do not click the rogue page's own "Cancel", "No thanks" or X buttons: on many of these pages every button, close box included, is just another link to the download.  In all likelihood, End Task won't just close the page nicely like it's supposed to.  In fact, your entire browser will probably crash, closing all your tabs.  You'll lose any information that wasn't saved (i.e. forum posts, etc.).  But it's still a thousand times better than dealing with a rogue infection.  As long as you never ran the file it offered you, the "scan" only ever lived inside the browser tab, and killing the browser is the end of it.
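The same thing from a PowerShell prompt, as an added example that is not part of the original post: it lists browser processes whose main window title reads like a rogue scanner page and, only after you have looked at the list, kills them.  The browser process names and the title pattern are my assumptions; adjust them to whatever you actually see in Task Manager.

```powershell
# Added example, not from the original post. Run in a PowerShell window on Windows.
# Browser process names and the rogue-title pattern are assumptions: edit to taste.
$browsers = 'iexplore', 'firefox', 'chrome', 'opera', 'safari'
$rogueTitlePattern = 'virus(es)? (have been |has been )?detected|scanning your computer|' +
                     'computer (is|has been) infected|security (scan|alert|warning)|antivirus .* pro'

function Find-RogueBrowserWindow {
    # MainWindowTitle is what Task Manager's Applications tab shows for the window;
    # for a browser that is the title of the page in the active tab.
    # -match is case-insensitive in PowerShell, so "VIRUSES DETECTED" matches too.
    Get-Process -Name $browsers -ErrorAction SilentlyContinue |
        Where-Object { $_.MainWindowTitle -match $rogueTitlePattern } |
        Select-Object Id, ProcessName, MainWindowTitle
}

function Stop-RogueBrowserWindow {
    param([Parameter(Mandatory = $true)] $Suspect)
    # Stop-Process is Task Manager's "End Process": the whole browser goes, every tab
    # with it, which is exactly the crash the post warns about. Nothing in the page
    # is clicked, so the rogue never gets its "Cancel" button pressed.
    Stop-Process -Id $Suspect.Id -Force
}

$suspects = @(Find-RogueBrowserWindow)
if ($suspects.Count -eq 0) {
    'No browser window with a rogue-looking title.'
} else {
    # Look first, kill second: never Stop-Process blind.
    $suspects | Format-Table -AutoSize
    foreach ($s in $suspects) { Stop-RogueBrowserWindow -Suspect $s }
}
```

The list step matters: a legitimate page about antivirus (this one, for instance) can match the pattern, so read the titles before the loop kills anything.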

What if I Fell For the Rogue's Scam?

Don't feel bad.  It's not uncommon, especially since many rogues are written to look exactly like real, legitimate antimalware programs.  You will have lost some money, though.  Call your bank right away, have the credit/debit card you used cancelled and reissued, and dispute the charge, so that the hackers can't rack up a nice fat bill for you to pay.  Keep an eye on that card's statements for a few months afterwards, because stolen card numbers get resold.

In addition, you'll need to get the rogue and anything else it downloaded off your computer.  Keep in mind that rogues are considered malicious programs, and some of them actually go so far as to damage your computer after they scam you (yes, these hackers really are pieces of s***).

If you look it up, you'll find many resources for cleaning a rogue infection.  However, I really like this YouTube channel.  As you can see, RogueAmp really likes infecting his computer with rogues and getting rid of them.  So he's pretty good at it.  He's done so many videos that you might even find your specific program on his channel.

If not, however, these are the basic steps you should take:

1) Restart your computer.  Before you even see anything on your screen, start hitting the F8 key like crazy.  (Just do it.)  (On Windows 8 and later, F8 is disabled by default.  Instead, hold Shift while you click Restart, then choose Troubleshoot > Advanced options > Startup Settings > Restart, and pick Safe Mode with Networking from the menu that comes up.)

2) When you get the list of options, choose "Safe Mode With Networking".  (Safe Mode loads only the core Windows drivers and services and skips the normal startup programs, so the rogue's autorun entry usually never gets to start and can't push you around; "With Networking" means you can still reach the Internet to download tools.)

3) Go online and download the free version of Malwarebytes Anti-Malware, from Malwarebytes' own website rather than from whatever a search engine shows first.  (Rogues are often spread through poisoned search results for exactly these kinds of terms.)  (Yes, this is a real antimalware program!  =D  I really love MBAM, and I learned about it through RogueAmp.)

3.5) MBAM's specialty is rogue removal, so it should be able to kill off the infection.  If not, ComboFix is another, far more aggressive program you can try AT YOUR OWN RISK.  (Notice that I'm not linking it.  You can find it on CNET, if you're really interested.)

3.75) Let me stress that again: COMBOFIX IS REALLY FREAKING AGGRESSIVE.

4) Restart your computer.  It will automatically load into Normal mode.  Run one more full scan in Normal mode to confirm nothing came back.  You should be rogue-free!
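Steps 1 through 4 from an elevated (run as Administrator) PowerShell prompt, as an added example that is not part of the original post: it sets the next boot to Safe Mode with Networking without racing the F8 key (which is also a reliable route on Windows 8 and later, where F8 is off by default), and, once you are in Safe Mode, lists the registry Run keys where a rogue normally hooks itself to start with Windows, so you can check before and after the Malwarebytes scan whether the entry is really gone.  The folder patterns used to flag entries are my assumption, not a rule.

```powershell
# Added example, not from the original post. Run as Administrator.

function Set-SafeModeNextBoot {
    # Steps 1-2 without the F8 race: the next boot goes to Safe Mode with Networking.
    # The braces must be quoted, or PowerShell tries to parse {current} as a script block.
    bcdedit /set '{current}' safeboot network
}

function Clear-SafeModeNextBoot {
    # Step 4: the safeboot setting is sticky. Clear it BEFORE the final reboot,
    # otherwise the machine keeps booting into Safe Mode forever.
    bcdedit /deletevalue '{current}' safeboot
}

function Get-SuspiciousAutorun {
    # Step 3 companion: the Run/RunOnce keys are where rogues register themselves
    # to start with Windows. Run this in Safe Mode before and after the MBAM scan.
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    # Rogues drop a randomly named .exe into user-writable folders; legitimate
    # software usually lives under Program Files. Assumption, not a hard rule:
    # read every entry, and treat the flag as "look at this first".
    $suspiciousPath = 'AppData|ProgramData|\\Temp\\|\\Users\\Public\\'
    foreach ($key in $runKeys) {
        $item = Get-Item -Path $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($name in $item.GetValueNames()) {
            $command = $item.GetValue($name)
            New-Object PSObject -Property @{
                Key        = $key
                Name       = $name
                Command    = $command
                Suspicious = [bool]($command -match $suspiciousPath)
            }
        }
    }
}

# Usage, in order:
#   Set-SafeModeNextBoot; Restart-Computer -Force          # steps 1-2
#   Get-SuspiciousAutorun | Sort-Object Suspicious -Descending |
#       Format-Table Suspicious, Key, Name, Command -AutoSize   # step 3, in Safe Mode
#   ... run the Malwarebytes scan, then run Get-SuspiciousAutorun again ...
#   Clear-SafeModeNextBoot; Restart-Computer -Force        # step 4
# To delete an entry the scan missed, once you are SURE it is the rogue:
#   Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'TheRogueEntry'
```

Deleting the Run entry only stops the rogue from starting; the executable it points to still has to be removed, which is the part the scanner is for.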

What if the Rogue Downloads Something Automatically?

Again, sometimes you don't fall for the rogue's scam but something gets downloaded on your computer anyway.  This is what happened to me.  The problem with this type of infection is that rogues are infamous for disabling real antivirus programs (that's why restarting in Safe Mode is so important).  However, it can be fixed through the very method described above.  Again, Malwarebytes is known for its rogue removal, and it was the program that finally got rid of the marathon infection I had.

I wouldn't use ComboFix unless absolutely necessary, and even then I'd be REALLY careful (and I'd back up personal files).  I've actually never used ComboFix before, so there's my disclaimer.

Yeah, this was a really long entry.  However, I think I covered all the basics of rogues.  You've got an idea of how to identify them and what you need to do should you be infected by one of them.  I think the most important rules here are 1) never trust a program that just pops up out of nowhere and offers you something (especially if it asks for money) and 2) don't give your credit or debit card number online unless you KNOW you're on a secure website.  (The padlock in the address bar only means the connection is encrypted; it says nothing about whether the people on the other end are honest, so it's the site's reputation you're trusting, not the padlock.)  Scams happen all the time, and you do not want to be one of the victims.
