by Ira Wilsker (APCUG PUSH Article)
Hardly a week goes by that I do not get a call from a friend or co-worker asking for help with a computer that has been hijacked by one of the thousands of variants of a type of malware generically known as "Rogue AntiVirus". Last weekend was especially busy for me in this respect: I received multiple frantic calls for help on Friday, Saturday, and Sunday. All of the computers I was asked to clean had been totally hijacked by rogue antivirus operating under the names "Vista AntiVirus 2012", "Windows 7 Antivirus", and "Microsoft Antivirus 2012".
While they all had different names, they all shared the same modus operandi: they infected a computer, displayed frequent popup windows alerting the user that the computer was heavily infected with viruses and spyware, offered to repair the problem for a fee, and took over the computer by preventing most other programs from loading. The infection often arrives via an email from a known acquaintance whose own computer has been hijacked and is sending out spam with a link that loads the malware, or by visiting a legitimate or rogue website that injects the malware through the web browser; this rogue antivirus software is becoming more dangerous and more difficult to remove. As has been written here before, this rogue software generally protects itself from detection and removal by neutralizing the security software installed on the computer and preventing other detection and repair software from executing. Most of the rogue software also blocks access to many of the websites that offer removal utilities, and prevents most programs on the computer from running by blocking almost all ".exe" files from opening.
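The blocking of ".exe" files and of security websites described above leaves traces in a handful of well-known Windows settings. The following PowerShell script is an added example, not code from the article or from any of the tools it names; it is a read-only audit of those settings that a technician can run from a flash drive before or after a cleaning pass. The registry paths are the standard Windows locations for the .exe file association and Image File Execution Options, and the vendor list is constructed from the tools mentioned in this article plus Windows Update.

```powershell
# Added example (not from the article): read-only audit of settings that rogue
# antivirus commonly tampers with. Run from an elevated PowerShell prompt, in a
# normal boot or in Safe Mode; nothing on the system is modified.

# 1. File association for .exe. The Windows defaults are ".exe" -> "exefile" and
#    an open command of "%1" %* ; anything else means another program runs first.
$exeProgId = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.exe' -ErrorAction SilentlyContinue).'(default)'
$exeCmd    = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' -ErrorAction SilentlyContinue).'(default)'
if ($exeProgId -ne 'exefile') { Write-Warning ".exe is mapped to ProgID '$exeProgId' instead of 'exefile'" }
if ($exeCmd -ne '"%1" %*')     { Write-Warning "exefile open command is not the default: $exeCmd" }
else                           { Write-Output  ".exe association: default" }

# 2. Image File Execution Options. A "Debugger" value under a program's name makes
#    Windows start that "debugger" whenever the program is launched; rogue software
#    uses this to keep scanners and security tools from ever running. Legitimate
#    entries are rare, so every hit deserves a look.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath).Debugger
    if ($dbg) { Write-Warning ("IFEO Debugger set for {0}: {1}" -f $_.PSChildName, $dbg) }
}

# 3. hosts file entries that redirect security vendor or update sites. A security
#    site mapped to 127.0.0.1 (or to a stranger's server) explains "cannot reach
#    the download page" on an infected machine. Vendor names are from this article.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$vendors   = @('superantispyware', 'malwarebytes', 'emsisoft', 'mcafee', 'kaspersky', 'avg.com', 'microsoft', 'windowsupdate')
Get-Content -Path $hostsPath -ErrorAction SilentlyContinue |
    Where-Object { $_.Trim() -and $_ -notmatch '^\s*#' } |
    ForEach-Object {
        $fields = ($_.Trim()) -split '\s+'      # "<ip> <name> [<name> ...]"
        if ($fields.Count -ge 2) {
            foreach ($hostname in $fields[1..($fields.Count - 1)]) {
                foreach ($v in $vendors) {
                    if ($hostname -like "*$v*") {
                        Write-Warning ("hosts file maps {0} to {1}" -f $hostname, $fields[0])
                    }
                }
            }
        }
    }
```

Each warning points at a setting that should be restored to its default (or, for the hosts file, the line deleted) once the malware itself has been removed; restoring the .exe association without first killing the running rogue process only gets it re-hijacked on the next reboot.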
What the user of the infected machine does not often see is that many of these rogue variants also disseminate their code to people whose email addresses are in the user's address book (both webmail and computer-based address books), as well as to Facebook and Twitter friends. This spamming of illicit code is typically in the form of friendly emails apparently from you to your email buddies with a short polite message along with a link to a purloined website which will automatically load the malware code onto their machines. Facebook and Twitter have also become major vectors used to promulgate this malware, as the rogue software will post short messages apparently from you, with links to the malware; anyone clicking on those links will be hijacked as well, and the process repeats geometrically. In addition to propagating itself, this rogue software also often adds the hijacked computers as "zombies" to a massive "bot" of computers used to send out spam emails for a fee, payable to the crook who started this spider web of malware and hijackings. In addition to the revenues from sending countless spam emails from the "bot" (network) of "zombies" (hijacked computers), the purveyors of this malware also generate substantial revenues by charging a fee, typically $29 to $69, often payable only by credit card, for the rogue software to "clean" the infected computer. If the unfortunate victim pays this extortion, not only will the rogue software not clean the computer, but it will also often sell the credit card number (along with its expiration date and CVV security code) on other illicit websites, typically resulting in massive fraudulent charges on the credit card.
In the past, I have had great success using the free portable version of SuperAntiSpyware (www.superantispyware.com) to detect and remove rogue antivirus infections. Using a clean computer, I download a fresh, updated copy of the portable version of SuperAntiSpyware to my USB flash drive, which I then take to the hijacked computer. I boot the infected computer into Safe Mode (F8), insert the flash drive, and run SuperAntiSpyware, often in "full scan" mode. Once cleaned, I use the "Repair" button at the bottom of the SuperAntiSpyware screen to undo many of the improper changes the malware had made to the computer. Because of its very frequent updating, ease of use, and high success rate, the SuperAntiSpyware portable version is still my first choice to clean an infected computer. The problem is that in this very rapidly evolving cat-and-mouse game between the malware code writers and the security software companies, some of the recently released malware has become harder to detect and kill. I found this out last Friday when my normal battery of top-rated and updated malware detection and removal utilities that I carry on my flash drive (SuperAntiSpyware, Emsisoft Emergency Kit, and MalwareBytes) was unable to totally remove a persistent infection on a heavily compromised computer.
Knowing that a "Plan B" was necessary to defeat this stubborn malware, I went home to download some other utilities that I have used in the past to remove stubborn malware that resisted the most common and popular methods of cleaning. I downloaded the latest versions of McAfee's Stinger, Kaspersky Rescue Disk, AVG Rescue CD, and Microsoft Standalone System Sweeper Beta. I downloaded the McAfee Stinger to my flash drive, and created fresh CDs with the Kaspersky, AVG, and Microsoft utilities. Be sure to follow to the letter the directions provided by these software companies for creating the bootable CDs or bootable USB flash drives necessary to load and run the utilities.
Returning to the location of the hijacked desktop computer, I booted it into safe mode (F8), inserted my flash drive and ran the McAfee Stinger. While McAfee Stinger detects far fewer types of malware than many of the other utilities, it does an excellent job in detecting and killing some of the more stubborn infections, which it did on this victimized computer. After rebooting the computer, and rerunning the McAfee Stinger (it found no additional infections), there was very substantial improvement, but still some evidence of malware on the computer.
I inserted my newly created bootable Kaspersky Rescue CD into the drive, and was required to press the F12 key in order to boot the computer from the CD (some computers require F10 or F2 in order to select a "boot from CD or flash drive" option). Since booting from a CD does not load the infected copy of Windows that is on the hard drive, but instead loads a clean operating system from the CD (usually some form of Linux or WinPE), the malware cannot load and protect itself from detection and removal. The Kaspersky Rescue CD detected and removed the remainder of the malware, proving itself a very viable method of malware removal. I removed the Kaspersky CD, inserted the Microsoft System Sweeper bootable CD, and rebooted the computer (F12). This Microsoft CD, very capable in its own right, did not detect any other malware on this computer, corroborating the fact that the computer was most likely clean of all forms of malware. If I had still had any other problems, I know from past experience that the AVG Rescue CD, bootable the same way as the other CDs, has some very capable detection and system repair utilities which are often necessary to recover a badly damaged computer, but in this particular case it was not necessary.
This badly infected and compromised computer had one of the major commercial security suites installed, but was still penetrated by the rogue antivirus, a common occurrence, since the rogue software is very well written by experts in security penetration. Rather than reinstall and update his current security software, which was near its expiration and renewal date, this computer owner wanted a different security suite than the one he had, in the hope that it would better protect his computer.
Whatever security suite he chose, it is absolutely imperative to install a comprehensive security suite immediately after cleaning a hijacked computer, because the previously installed security software was totally dead, killed by the malware in the earliest stage of the takeover, which left the computer vulnerable to the inevitable follow-on attacks. While there are several excellent commercial and free comprehensive security suites available, in this case the user decided to try one of the popular freeware security suites, Outpost (free.agnitum.com), rather than purchase another commercial product; that was his informed choice.
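Because a killed security suite looks, from the desktop, much like a working one (the icon may still sit in the tray), it is worth confirming that protection is actually alive again after the new suite is installed. The PowerShell script below is an added example, not code from the article or from any vendor; it asks Windows Security Center which antivirus products are registered and checks the core protection services. It assumes Windows Vista or 7, where Security Center lives in the WMI namespace root\SecurityCenter2 (Windows XP used root\SecurityCenter), and the productState decoding follows the commonly documented interpretation of that bit field, which is an assumption rather than anything the article states.

```powershell
# Added example (not from the article): post-cleaning check that a live security
# product is registered and the core protection services are running.
# Run from an elevated PowerShell prompt on Windows Vista/7 after the new suite is installed.

# 1. Antivirus products known to Windows Security Center.
$products = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction SilentlyContinue
if (-not $products) {
    Write-Warning 'No antivirus product is registered with Security Center; the machine is unprotected.'
} else {
    foreach ($p in $products) {
        # Assumed decoding of productState (common interpretation, not documented by Microsoft):
        # bit 0x1000 set  -> real-time protection enabled
        # bit 0x10   set  -> definitions out of date
        $state    = [int]$p.productState
        $enabled  = ($state -band 0x1000) -ne 0
        $outdated = ($state -band 0x10) -ne 0
        Write-Output ('{0}: enabled={1} outOfDate={2} (productState=0x{3:X})' -f $p.displayName, $enabled, $outdated, $state)
        if (-not $enabled) { Write-Warning ("{0} is registered but not enabled" -f $p.displayName) }
        if ($outdated)     { Write-Warning ("{0} definitions are out of date" -f $p.displayName) }
    }
}

# 2. Core Windows protection services. Rogue software routinely stops and disables
#    these; a Stopped/Disabled state after cleaning means the change was not undone.
#    wscsvc = Security Center, WinDefend = Windows Defender, MpsSvc = Windows Firewall,
#    wuauserv = Windows Update.
foreach ($name in 'wscsvc', 'WinDefend', 'MpsSvc', 'wuauserv') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc) {
        $mode = (Get-WmiObject -Class Win32_Service -Filter "Name='$name'").StartMode
        Write-Output ('{0,-9} {1,-8} StartMode={2}' -f $name, $svc.Status, $mode)
        if ($svc.Status -ne 'Running' -or $mode -eq 'Disabled') {
            Write-Warning ("{0} is {1} with StartMode {2}" -f $name, $svc.Status, $mode)
        }
    }
}
```

A clean result is one registered product reported as enabled and up to date, with the listed services Running and not Disabled. Running this same check a day or two later also catches a reinfection that has silently switched the new suite off again.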
Now, when I am called upon to clean an infected computer, I include McAfee Stinger in the arsenal of utilities on my USB flash drive, and bring the three bootable CDs that I created (Kaspersky, AVG, and Microsoft), just in case they are needed.
Ira Wilsker is a member of the Golden Triangle PC Club, an Assoc. Professor at Lamar Institute of Technology, and hosts a weekly radio talk show on computer topics on KLVI News Talk AM560. He also writes a weekly technology column for the Examiner newspaper <www.theexaminer.com>. Ira is also a deputy sheriff who specializes in cybercrime, and has lectured internationally in computer crime and security.