The name you know

Monday, March 1st, 2010

Remember that Eddie Murphy movie The Distinguished Gentleman? Well his character – Thomas Jefferson Johnson – happens to have the same name as the deceased former incumbent congressman, and so Johnson runs a campaign based on name recognition on the basis that people will just vote for the “name you know”. It works, he’s elected to congress, and hilarity ensues.

Recently I’ve seen three people locally get hit by the “Live Antivirus” malware. One of the things I learned from years doing computer crime work is that scammers often use name recognition to make you drop your guard. They’ll tell you that something comes from Microsoft, Yahoo or Google because you know and likely trust those brands. (They often play the religion card if they really want your money, but that’s a topic for another post I guess.) If you’re on the internet and running Windows, then you’re familiar with the “Windows Live” branding, especially for Hotmail or Messenger.

“Windows Live”. “Live Antivirus”. See what they did there?

So after seeing an advertisement for a free virus scan, using a name that’s vaguely familiar, my clients clicked on the link, downloaded the software to their computer, and were then confronted with continual nagging warnings that their computer was infected, and would they like to pay for an “upgrade” to remove the infections? The rub is that the only infection is generally the malware that’s “warning” them. I watched it report network intrusions even when no network connection was active, and report viruses in files that weren’t on the computer. The other wonderful feature of this malware is that it stops you from running real AV, the registry editor, the control panel, and all the other methods you’d normally think of for removing bad software.

Thankfully the technology was reasonably simple once you knew what you were dealing with. This software had only 3 artifacts: an executable file placed in the user’s data files area instead of the usual “Program Files” area, and 2 registry entries, one in the global “Run” key and a second in the user’s “Run” key. These registry keys are one of the ways Windows knows which programs to load when the computer first starts up.

Removal was simple if you’re comfortable with the registry and safe mode. Thankfully, in safe mode, the programs in the Run keys aren’t run, which means this nasty piece of software couldn’t get into memory and stop me from accessing the registry editor. The first time I cleaned it, I started by inspecting the Run key and found the offending entry. It stuck out like a HumVee in a lot full of compacts because it was the only program that wasn’t in the Program Files folder, plus the name wasn’t recognisable to me, and after doing hundreds of registry inspections, I pretty much know what to expect. Having found where it was hiding, I simply deleted the file and the 2 registry keys, rebooted the PC and it was gone.
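As an added example (this is not code from the original post), the following PowerShell script does the same Run-key inspection described above: it lists every entry in the global and per-user Run keys and flags any whose executable is not under Program Files or the Windows directory. It only reports; it assumes the standard Run key paths and leaves any deletion to whoever reviews the output.

```powershell
# Added example, not from the original post: report autostart entries in the
# global (HKLM) and per-user (HKCU) Run keys and flag any whose executable
# lives outside Program Files or the Windows directory, the same heuristic
# used in the post to spot the rogue entry. Nothing is modified or deleted.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Locations where legitimate autostart programs are normally installed.
$trustedRoots = @(
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    $env:SystemRoot
) | Where-Object { $_ }

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath, PSParentPath, etc.; skip those.
        if ($p.Name -like 'PS*') { continue }
        $cmd = [string]$p.Value

        # Pull the executable path out of the command line: a quoted path,
        # or the first whitespace-free token ending in .exe. Unquoted paths
        # containing spaces fall through and the whole command is checked.
        if ($cmd -match '^\s*"([^"]+)"')          { $exe = $Matches[1] }
        elseif ($cmd -match '^\s*(\S+?\.exe)')    { $exe = $Matches[1] }
        else                                      { $exe = $cmd.Trim() }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)

        $inTrusted = $false
        foreach ($root in $trustedRoots) {
            if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                $inTrusted = $true
            }
        }

        $flag = if ($inTrusted) { '' } else { '   <-- outside Program Files/Windows, review' }
        '{0}\{1} = {2}{3}' -f $key, $p.Name, $cmd, $flag
    }
}
```

Run it from an elevated PowerShell prompt (in safe mode if the machine is already infected, for the reason given above) and review any flagged entry before touching it, since some legitimate software does install into the user profile.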

I then counseled my client about not installing software from advertisements on the internet and general internet safety.

It’s a bit much to expect that everyone on the internet know everything they are looking at, and what they are installing, but just remember to spend an extra minute before installing something just because the name sounds familiar. Perform a quick search on Google for “Live Antivirus” and the first 3 entries are all about how this is “rogue” software.

As President Reagan used to say: “Trust but verify”.