I have a medical office customer who had a computer get infected with Malware yesterday.  This was a winXP machine, non-admin account locked down via a domain controller, and centrally administered A/V.  This computer is locked down so hard they can’t even install a printer without logging in as administrator.  The entire network is behind a $1500 firewall appliance, complete with its own paid antivirus and filtering subscription.

The malware completely “installed” a fake A/V, fakealert/loader, proxy, and began showing porn popups.  The customer was simply doing their job, going online getting insurance information.

This kind of malware is written to install without requiring true admin privilege, yet is not easily removed by folks not knowledgeable or well equipped.  The “malware” content isn’t really even detectable by any A/V, period, as it isn’t really a virus until after it runs.  But, it messes things up bigger than life when it does.

These kinds of malware basically can’t be stopped.  Day to day, amongst the networking and other stuff I do, maybe 80% is malware remediation.  80% of that is of the fake antivirus variety.


Calling for Malware Screen Caps

Malware usually likes to be as stealthy as possible, but the fake A/V’s are noisy, they want people to get scared and pay the money to “activate”.

Invariably, the fake A/V’s are obvious to security professionals because the alert messages are just way too specific and verbose, and have some strange grammar – obviously many coders are ESL.

But, some of these are interesting, amusing, humorous or downright funny.

Send me such pics, and I’ll put them on here.

Email them to me:

submit “at” therestorestore “dot” com

“New” Malware Behavior

I haven’t seen this one before – but apparently it’s not really new.

Generally it’s possible to sneak in a Ctrl-Alt-Del in order to launch a task manager in order to kill fake antivirus processes and then run cleanup progs.  This one has the task manager disabled from the get-go, giving an error saying the administrator has blocked it.  Either that’s a fake message or they’ve implemented some sort of group policy.  According to MS it’s either a group policy or a registry hack.

Even after “fixing” the disabled task manager it would not run, which is typical malware behavior even though it was no longer GP’d out.  Rebooting the comp re-disabled the taskman.


This was a much tougher fake A/V, this comp had a cocktail of malware that was blocking updates from the various cleaning app websites even though I was able to go to the respective websites.  Got it out though.
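As an added example (not part of the post above), here is a PowerShell script a technician could run from an elevated prompt on the affected machine to check the two registry policy locations that disable Task Manager, clear the value, and list the autorun entries that would let the malware re-apply it at the next boot. It assumes PowerShell is available on the machine; the Image File Execution Options check is a common redirection mechanism and an assumption on my part, not something the post identifies.

```powershell
# Added example, not from the original post. Run from an elevated prompt.
# DisableTaskMgr=1 under either of these keys is what produces the
# "Task Manager has been disabled by your administrator" message.
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)

function Get-TaskMgrPolicyState {
    foreach ($key in $policyKeys) {
        $value = $null
        if (Test-Path $key) {
            $value = (Get-ItemProperty -Path $key -Name DisableTaskMgr -ErrorAction SilentlyContinue).DisableTaskMgr
        }
        [PSCustomObject]@{ Key = $key; DisableTaskMgr = $value }
    }
}

# Clear the value. If a real domain GPO sets it, it will come back at the next
# policy refresh, so confirm with the domain admin before blaming malware.
function Remove-TaskMgrBlock {
    foreach ($key in $policyKeys) {
        if ((Test-Path $key) -and (Get-ItemProperty -Path $key -Name DisableTaskMgr -ErrorAction SilentlyContinue)) {
            Remove-ItemProperty -Path $key -Name DisableTaskMgr
            Write-Output "Removed DisableTaskMgr from $key"
        }
    }
}

# Assumed check: a Debugger value under IFEO\taskmgr.exe redirects every launch of
# Task Manager to another program, so it "will not run" even with the policy gone.
function Get-TaskMgrIfeoDebugger {
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe'
    if (Test-Path $ifeo) {
        (Get-ItemProperty -Path $ifeo -Name Debugger -ErrorAction SilentlyContinue).Debugger
    }
}

# Autorun entries that could re-disable Task Manager at every boot or logon.
function Get-AutorunEntries {
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -notlike 'PS*') { [PSCustomObject]@{ Key = $key; Name = $p.Name; Command = $p.Value } }
        }
    }
}

Get-TaskMgrPolicyState; Remove-TaskMgrBlock; Get-TaskMgrIfeoDebugger
Get-AutorunEntries | Format-Table -AutoSize
```

Review every autorun command it prints before removing anything; legitimate A/V and printer software live in the same keys.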

Underground Services Let Virus Writers Check Their Work

I have often recommended file-scanning services like VirusTotal and Jotti, which allow visitors to upload a suspicious file and scan it against dozens of commercial anti-virus tools. If a scan generates any virus alerts or red flags, the report produced by the scan is shared with all of the participating anti-virus makers so that those vendors can incorporate detection for the newly discovered malware into their products.

That pooling of intelligence on new threats also serves to make the free scanning services less attractive to virus authors, who would almost certainly like nothing more than to freely and simultaneously test the stealth of their new creations across a wide range of security software. Still, there is nothing to stop an enterprising hacker from purchasing a license for each of the anti-virus tools on the market and selling access to a separate scanning service that appeals to the virus-writing community.

Enter upstart file-scanning services like and, which bank on the guarantee that they won’t share your malware with the anti-virus community.


For $1 per file scanned (or a $40 monthly membership) will see if your file is detected by any of 22 anti-virus products, including AVAST, AVG, Avira, BitDefender, NOD32, F-Secure, Kaspersky, McAfee, Panda, Sophos, Symantec and Trend Micro. “Each of them is setten [sic] up on max heuristic check level,” av-check promises. “We guarantee that we don’t save your uploaded files and they are deleted immediately after the check. Also, we don’t resend your uploaded files to the 3rd person. Files are being checked only locally (without checking/using on other servers.” In other words: There is no danger that the results of these scans will somehow leak out to the anti-virus vendors.

The service claims that it will soon be rolling out advanced features, such as testing malware against anti-spyware and firewall programs, as well as a test to see whether the malware functions in a virtual machine, such as VMWare or VirtualBox. For safety and efficiency’s sake, security researchers often poke and prod new malware samples in a virtual environment. As a result many new families of malware are designed to shut down or destroy themselves if they detect they are being run inside of a virtual machine.


Virtest checks suspicious files against a similar albeit slightly different set of anti-virus programs, also promising not to let submitted files get back to the anti-virus vendors: “Your soft isn’t ever sent anywhere and the files being checked will never appear in the fresh AV signature bases after scanning,” the site pledges. “On purpose in all AV-products are turned off all possible methods and initiatives of exchange of files’ info with the AV-divisions.”

The proprietors of this service don’t even try to hide the fact that they have built it for malware writers. Among the chief distinguishing features of is the ability for malware authors to test “exploit packs,” pre-packaged kits that — when stitched into a malicious or hacked website — serve the visitor’s browser with a kitchen sink full of code designed to install software via one of several known security holes. Many anti-virus programs now also scan web pages for malicious content, and this service’s “exploits pack check” will tell malware authors whether their exploit sites are triggering virus alerts across a range of widely used anti-virus software.

But don’t count on paying for these services via American Express: Both sites only accept payment via virtual currencies such as Webmoney and Fethard, services that appear to be popular with the online shadow economy.

Investigative journalist Brian Krebs is a former reporter for The Washington Post, where he wrote the Security Fix blog. He’s currently editor of
