
Rogue software: How do you know?

It's no secret: many anti-malware scanners are actually malware in disguise. Is it possible to tell the difference? Let's give it a try.

Lately, I've been particularly focused on malware and how to get rid of it. The frustration in your comments and e-mail messages regarding malware is more than obvious, hence my quest.

I hope my previous articles about malware removal and the ensuing comments from members (who've been there and done that) have made a difference. For what it's worth, I'm not done yet, especially because of one particular question.

Know your enemy

I've been asked countless times: how do I know that the endless parade of new viruses isn't being created by the antivirus companies that claim to protect us? Truth be told, it's a great business plan: create the problem and then market the solution. If I remember correctly, they even made a movie based on this premise.

In their defense, I'm acquainted with many dedicated people who work for Symantec, McAfee, and other AV companies, and they truly want to squash malware. Besides, if it came to light that an AV developer was less than forthright, public outcry would totally destroy the company's credibility.

That's not nice

Ironically, malware developers are using the "street cred" earned by legitimate malware-fighting companies to develop a delivery vehicle for their malicious code. Grudgingly, I have to admit it's a good plan. See if the circumstances in the following scenario resonate with you.

The computer I'm working with is acting really strange. All of a sudden, advertisements (you know the kind) start popping up all over my monitor. This is not good. Why didn't my AV application or the malware scanners prevent this from happening? What am I going to do? I really need to finish my work, but I need to use Adobe Acrobat and that's installed only on the infected computer.

Luckily, I have another computer, so I scour the Internet trying to find a different scanner that will remove the malware. Wait a minute, I find what I need. Yes, the Web site is describing exactly how my sick computer is acting. I sure hope it works, but is the software what I really think it is?

I'll stop right there. Sound familiar? That's just one scenario. Brian Satterfield describes several more in his IT Security article "Welcome to Scam City: Rogue Anti-Spyware Apps." It seems that rogue software is a thriving underground enterprise, with most of the malware code pretending to be antimalware software.

How do I know?

Now to the question many of you have been asking me: how do I know that the software I'm about to download and install is safe? It appears that Satterfield and I were thinking along the same lines, as we both found several Web sites that publish lists of rogue software and applications. Checking whether an application is listed on these Web sites will help determine whether the software in question is malware or not.

Rogue malware listings
  • Sunbelt Software, the developer of CounterSpy, has a Web site that lists over 397 rogue security programs (their name for rogue software). I personally have used Sunbelt Software for many years and have no reservations about the company.
  • Spyware Signatures has an extensive list of rogue software signatures. In fact, it has so many that it's almost easier to use the search function. The main focus of Spyware Signature is to provide relevant data to security companies that offer antimalware applications. That's good, because it means there's incentive to keep the list relevant and up to date.
  • My favorite malware scanner, MBAM from Malwarebytes.org, has a list called newest rogue threats. It's a little different from the others because the rogue software list is published in a forum venue and is member driven. Truth be told, it's the first place I check.

These are the three lists that I refer to, but I'll bet there are other good ones. In fact, I'd appreciate hearing which lists you prefer.

Side note

You may be wondering why I included the above image (courtesy of MessageLabs). While doing research for this article, I stumbled upon a MessageLabs Web site that was displaying work created by Alex Dragulescu. I found it to be strangely fascinating, as it allows me to put an image with a specific malware. Dragulescu describes his work as:

"The visualization of worms, viruses, trojans and spyware code. For each piece of disassembled code, API calls, memory addresses and subroutines are tracked and analyzed. Their frequency, density and grouping are mapped to the inputs of an algorithm that grows a virtual 3D entity. Therefore the patterns and rhythms found in the data drive the configuration of the artificial organism."

Final thoughts

I hope that the rogue software listings will be of help. I realize that it's not a perfect solution or even near perfect. I'm hoping it's a conversation starter and that you, the members, will share your alternative approaches and rogue software lists with the rest of us.

Another side note

Being an anal paranoid, I wanted to make sure that I didn't lose you as readers or have you wondering where my security rantings have gone. The editorial staff at TechRepublic feels I should post my security articles in Chad Perrin's section IT Security. It makes sense to me, and I hope it does to you as well. So to cure my paranoia, please sign up for the IT security newsletter and look for me there.



Chi-7

It all still boils down to buyer beware; too many people are willing to trust included links rather than do their own homework. In our society of convenience, pop-ups are taken as real rather than questionable. In part apathy, in part perhaps the mentality of "I just want it to work," too many folks use a computer while having little or no knowledge of the nuts and bolts of the beast or how easily it and the user can be fooled. At this rate, at least all of the Tech world will always make a decent living, and I hate to sound like a bastard who profits from one's misfortune and/or gullible nature.

Michael Kassner

How have you been? It's been a while since I've seen you commenting.

deepsand

For approx. the past 2 months I've been re-visited by a degenerative cervical disc, a condition that had been quiescent for the better part of 5 yrs. At first, it manifested itself in its usual manner, impacting nerves involved in the lower right side of the neck on through to those in the right hand, a condition that is not only quite painful, but renders the arm/hand well less than fully functional. More recently it has been affecting nerves to the "north," resulting in excruciating headaches & partial loss of vision, greatly interfering with my ability to sleep, resulting in sleep deprivation. The need to concentrate my efforts as best possible on pressing business & financial matters has left me with little time or desire to do more than read what's being posted, both here & on other forums in which I normally participate, making brief comments where possible, and deferring lengthy ones until an offline composition can be completed & edited. At the moment I'm at a client's location for several weeks, doing work that is more easily done on site than from a distance via remote access and telephone. When I get back home I'll need to drag out the cervical traction setup and see if that's of any help re. the neck, et al. Should that fail, then physical therapy or surgery must be considered. Thanks for noticing my absence.

deepsand

After but one good night's sleep, followed by a good day & a tolerable night's sleep, the hellish pains have returned.

deepsand

I am genuinely touched by the attention given and sentiments expressed by each of you. One could not ask for better. Throughout this ordeal, my neck mobility has been substantially restricted with regards to being able to rotate rightward. Last night, in turning in that direction, so as to be better able to converse, I both felt and heard a "snap" in my neck, with substantial noticeable physical sensations quickly ensuing. The severe head & neck pain subsided, while the right arm went nearly completely numb; while certainly not an ideal situation, it was welcome relief compared to what had become sheer agony. Over the course of time, and with exercise, the arm has become more useful, with more normal sensations returning. The neck is still quite sore, perhaps owing to soft tissue swelling due to inflammation; if that is indeed the reason, I should expect further improvement in that regard. As a result, I last night had my first uninterrupted sleep in about 2 months, and awoke today with the feeling that it might actually be a day worth its while and effort. When I return home, I still plan to dig out and use the cervical traction gear, knowing that it can't hurt, and might just serve to reduce the risk of future occurrences of the nightmare just ended.

HAL 9000

With things like that rest is generally the only real way to get any real reduction in the symptoms. Col

santeewelding

What it took to still a voice as yours. Well, not quite still. If prayer is what it takes, I will capitulate to make you whole.

Michael Kassner

That you get better. That sounds really painful, and not being able to sleep, ouch. I'm sending all sorts of positive waves your way. Take care.

cwang

I have read your previous article and tried Malwarebytes. It works great for me when dealing with the issues my colleagues have had lately. Thanks.

Michael Kassner

Thank you, but still I must confess: I was not the one to originally bring MBAM up. Several members brought it to my attention. They deserve the credit. The amount of help being offered is why I truly love TechRepublic; the sharing of ideas and possible solutions is truly special.

armchairmusician

I had to pause it to remove the 65,000 .tmp files in the root dir. OMG!! One file created every minute for like a year!! After that, it worked like a charm... just as it always does. Edit: This is Part I

Michael Kassner

It was my turn last year; I had a triple bypass. Take care of yourself to be sure. I'd love to hear an update from you when you're better. I've switched to Avast and it seems fine. I sense that Web pages are a bit slower, but can't truly point a finger at Avast.

Chi-7

We initially had the CA security suite, AV, Mal, spy. The 2006 suite was effective and relatively easy on resources. The following CA security suite made an unacceptable hit on performance. The Norton solution was just totally unacceptable, from a big-time performance hit to frequency of updates and missed bugs. (I would always prefer a false positive to a false negative.) I have personally used both AVG Free and the AVG-Pro security suite; AVG lived up to all expectations without a substantial performance hit, and AVG is still my second choice. My hat is off in reverence to Avast! From resource demands to updates to the virus database (sometimes several a day), by all due appearances the info is distributed as soon as it's been verified. This is the kind of service I strive to give my clientele; it delights me to find a vendor making every effort to deliver goods and services with the same integrity that I bust my posterior to achieve. One of my primary clients will be going with the Avast small business server and 12 screen license next month (soon as I'm back in commission; they're puttin' new valves in the ol' ticker next week, already asked about stickin' in another 2GB of DDR, maybe I'll remember more). I will report back after it's been up for a few days. As you can already tell, it may be somewhat biased, but be assured, if anything stinks I won't let 'em off the hook.

armchairmusician

It can lead you right to the virus you are trying to eradicate. Tools are much easier. I put them on a thumb drive and I'm all set.

tstreich

I have had my share of issues, searching forum after forum, and the main thing I see is people recommending Hijack This and going through an incredibly painful, long process to remove infections manually. I've said it before: Avast has not failed me yet in removing these newer malware/spyware programs. The one thing I recommend is, during the install process where it asks you if you want to schedule a boot time scan, click on no. That way the install process finishes without requiring a reboot. Then go ahead and start the program and do all the updates, THEN schedule your boot time scan.

armchairmusician

And it took forever to remove Win32G infection - I love the boot clean feature. I'm sold. Woohoo!! I thought that was a record too! I captured a screen shot of the "are you sure you want to delete 65,000 files" prompt. I'll post it later.

Michael Kassner

It's obvious, but needs to be stated. When someone is fighting malware, including me, we aren't in the most logical state of mind.

mcleod_andre

Hey y'all, what's up. What I do if I find a "suspicious" file is I just google "prevx, filename." I find that this works for me. More often than not, they've come across the "suspicious" file. They have a free version, as well as a paid version. Haven't really used any of them, I just google to find info on the suspicious file. Should be worth a try if anyone's interested. God bless.

zclayton2

Putting you in the security section may make sense to your editors. I don't need yet another newsletter coming into my mailbox. I'll miss your blogs.

Dr_Zinj

That's what rogue software and malware writers should face. These psychopaths cause more damage than a serial killing, pedophilic rapist. The reason why horse thieves were hanged, even if they did no other harm to the person stolen from, was because the loss of a horse had a grave, detrimental impact on the quality of life and survival options of the victim. Malware and rogue software producers are absolutely no different, nor should they be treated any differently. Find them, convict them, and either put a bullet through their heads, or get a short rope and a tall tree.

babznme

Thieves, thieves, thieves, of the worst kind. I do tech work for the disabled and seniors. It is awful because often they fall for it before calling a tech, because the fee is cheaper than the tech (until they find me). I agree. These malware jokesters are criminals!!!

The 'G-Man.'

There is no diet pill that actually works; there is no 'cheap deal' car in the lot without those future hurts; there is no 'too good to be true' money making scheme; and there is no quick-fix, one-fits-all solution for the PC machine!

Michael Kassner

Thanks, G-man. Succinct, to the point, and correct in my opinion.

Photogenic Memory

I like the program and it's very versatile. I also came across another one made by VIPRE(sunbelt). As seen here: http://live.sunbeltsoftware.com/ Thanks for being proactive in your research. I don't know how to thank you.

barbara.lodge

I consider myself fairly internet "savvy" but was horrified to find myself locked out of my Vista laptop. In panic I searched for a solution and found myself utterly sucked in by www.resetwindows.password.com. I am still so mad at myself for not checking it more thoroughly, but that's what blind panic will do! I coughed up my cash and, lo and behold, downloaded the file that was going to save me. Or, in this case, a zero MB file that did nothing! Paypal don't want to know (another interesting learning point: they only become involved when the goods are "tangible"). Numerous emails later I have had precisely zero response. I feel grateful it was only £20 or so. I can definitely see a rise in trusted names; this experience has just confirmed for me that I am better off only purchasing through the bigger names such as Amazon. I will also take more notice of software recommendations etc. in forums and message boards. Will not be relying on a Google sponsored link or search again! A lesson learned. Oh, and the password? I remembered it an hour later. Muppet!

michaelsaltmarsh

Never leave home without it ;) http://www.hiren.info/pages/bootcd

Michael Kassner

I didn't see MBAM.

Michael Kassner

I suspect you are correct. MBAM needs roots, and after a bit of research, I suspect I was overreaching. OK, Michael (great name by the way), is the CD you referred to available as one download? I must be anal, as I was going to grab it, but I didn't see an ISO. Please forgive an old fart if it's completely obvious.

michaelsaltmarsh

I'm not even too sure how he would get MBAM on there. I was trying to make it portable the other day so I wouldn't have to install it, and it's looking like the only way to do it will be making it one of those U3 installers. :( Have you heard anything about this, Michael?

tstreich

Are most of these utilities free/shareware???

michaelsaltmarsh

Yeah, most of the utilities are freeware or some form of them, and others... well, others are just "trade secrets" if you know what I am saying. I just don't think that this hiren guy went to all these people that made these different programs and said, hey, would you mind if I did this with your software? But at the same time this CD has been out for years; if someone was mad, his site would have gotten shut down.

Slayer_

Wow, but what happens when you boot off it?

michaelsaltmarsh

When you first boot it, you will get a menu with a countdown on what you would like to load, the CD or your first hard disk. After you choose the CD it gives you a DOS-like menu with the programs; you just choose what you wanna load ;D

tedj

Thanks for the article. Thought you would be interested in another tool. My HP Compaq 6910p has a built in TPM chip. This chip is very helpful in validating the boot sector and making sure that any changes require an additional password that cannot (according to the documentation) be faked. Well, now I get a helpful pop-up from the tpm software notifying me that "An application needs access to a protected key" and asks for the TPM user password. No explanation of which application or what key. Thanks HP for a well thought out application. Have been canceling the message two or more times a day for a week. Not sure how to trace the app that is causing this. MBAM and Symantec don't find anything nasty on the machine.

pgit

You always make things interesting. I appreciate it; a lot of tech-related reading is so dry it could negate Noah's flood. Nice touch with the link to the artwork...

Michael Kassner

I debated whether to add it or not. It was just too cool not to though. BoxFiddler reminded me of how similar those images look to real-life creatures.

pgit

Never doubt your instincts, they're serving you well. If the guts say "do it," then by all means... Those pictures certainly look like microscopic life forms, viruses, protozoans... the stuff that'll make your guts wrench. Most appropriate for the topic.

Michael Kassner

I want you to know that your support is truly appreciated.