Issue 9 – Oct 2010 | Page - 1
We fear viruses so much that now we are falling for fake anti-viruses. This issue of CHMag will try to shed light on the issue of Fake Anti-virus. It covers more insight on Fake Anti-viruses in Tech Gyan & how to be safe from them. Accordingly, I even made the poster say "Don't click it, Don't close it, Task manage it", and there are more ways to prevent you from getting infected with Fake Anti-virus in our Mom's Guide section. Removing Fake Antivirus using Malwarebytes is covered in Tool Gyan.
Unrelated topics in this issue will be Cyber Squatting in Legal Gyan and secure file wiping in Command Line Gyan. BTW, are you coming to meet Bruce Schneier this December at http://clubhack.com/2010 ???
Fake Antivirus
Introduction
A sudden injection of fear is a very useful tool for getting people to do what you want. While surfing the Web you must have seen the above pop-up message or similar advertisements. A free PC scan, or an offer to clean your computer which it claims to be infected, is usually an attempt by a fraudulent person to install malicious software (malware) such as a Trojan horse, keylogger, or spyware. Such software is referred to as Fake Antivirus, also known as Rogue Antivirus. Google's analysis of 240 million web pages over the 13 months of its study uncovered over 11,000 domains involved in Fake AV distribution — roughly 15% of the malware domains detected on the web.
Possible names: Antivirus XP, Antivirus 2009, Antivirus 2010, Security Scan 2010, Winfixer, DriveCleaner, Internet Security 2010, XP Antivirus Pro, XP-Shield, PC Clean Pro, Data Protection, etc.
Possible Images
There are many variations of Fake Antivirus, from "nano" to "pro" to "defender" editions, plus assorted alerts and warnings. You can see them all below.
How can a system get infected?
The most common way Fake Antivirus software gets on your system is the result of you clicking on a malicious link in an advertisement or similar pop-up message. The advertisement or the pop-up is usually alarming, made to get your attention and attempt to convince you to scan your PC or clean it immediately with the given tool. The given tool is mostly very cheap and sometimes free too, hence tempting the user to use it. If you click on the link you might land on a website similar to the one in the image to the left. As you can see in the image, this is in a web browser; it is not a screen from my computer, but the website designer makes it look like my computer. You will also notice that it shows 100% scanning for viruses, but when you want to scan using an online scanner, it must install some component in your PC, usually an ActiveX control. Here it did not ask you to install anything, and a scanner cannot detect malware when nothing is installed inside the PC. Mostly the user will get tricked and press "Start Protection" to remove the threats which actually do not exist. Then the browser will pop up a message that says a program wants to install, do you want to continue? The user again tends to say yes and hence falls into the trap.
Infection Vectors
1. Exploit kits
There are exploit kits which are released targeting PDF vulnerabilities. One of the recent ones is Phoenix. The Fake Antivirus spread is made through the Phoenix Exploit kit. The Phoenix Exploit kit spreads a Trojan downloader, exe.exe, which establishes a connection to a particular host from which it downloads and executes the fake antivirus.
2. Spam emails
Fake Antivirus is usually sent to the victim as an attachment or a link in a spam message. The spam messages use social engineering themes such as "password reset", "your wife's photos", "you have received an ecard", etc. to trick users into running the attachment or clicking on the link.
3. Search engine optimization poisoning
Search Engine Optimization is a process of improving the visibility of a website to improve its ranking and traffic, thus appearing among the top search results. The attackers target the popular search terms, and when users search for these terms the results will redirect them to a malicious website.
4. Legitimate-looking websites
While searching for a genuine Antivirus, the Fake AV may appear in the search results looking like a legitimate one.
5. Social Networking Sites
Social networking sites such as Orkut, Facebook, Twitter, etc. can also be used to post the link to users, like a post saying "After checking out the reviews of many professionals I decided to use the following AV: http:// _____ AV.com", thus giving out a link which leads to the Fake AV website.
6. Fake Codecs
Codecs are often designed to emphasize certain aspects of the media to be encoded, and they are needed to play some types of media files. Attackers use this by making fake codecs which are in fact Fake AV installers, and thus trick users into installing the Fake AV.
7. Compromised websites
Users can sometimes be redirected to Fake AV websites by browsing legitimate websites which have been compromised, where IFRAME code has been injected; even a malicious advertisement on a compromised website may lead to the installation of Fake AV.
Effects of Fake Antivirus on your computer
Fake Antivirus can affect your computer in various ways. It makes changes to the system on which it is installed by installing malware, hence controlling and monitoring the user's actions and stealing the user's credentials like credit card details, passwords, etc. The malware may also use the user's system as a platform for compromising other systems in your network. It may flood your system with pop-up windows carrying false or misleading alerts. It may also slow down your system, corrupt files, disable Windows updates, disable legitimate antivirus and block some websites, hence preventing the victim from visiting legitimate antivirus websites. It may also alter system files and registry entries so that even if you remove the Fake AV, some of the infected files and registry entries may remain, and because of this the Fake AV may be activated again after a reboot.
Pankit Thakkar pankit@chmag.in
Preventing Fake Antivirus
Introduction
The threat of viruses has increased and computer users fear getting infected with viruses. Knowing this concern of users, attackers have come up with Fake Antivirus, which you may come across while surfing the internet through pop-ups or advertisements, or through a link in your mail which claims that your system is infected and this AV will clean up your system. Don't be fooled! Actually it offers no security and instead infects your computer with malware. Users should be aware of this threat, since not only does it affect your system, but a user can also compromise their credentials like credit card details or important passwords. One important thing they should keep in mind is that a legitimate antivirus company would never market its product using pop-ups or emails.
How to Identify a Fake AV
1. You may get a pop-up alert warning you that your system is infected, claiming it can clean up your system, or similar fear-injecting pop-ups. As I said before, a genuine antivirus would never advertise using pop-ups.
2. You may be invited for a free security scan.
3. You may come across an advertisement to clean your system, to clean your registry or to enhance your computer's performance, etc.
4. You may come across a website which claims that it has scanned your computer and asks you to download a software.
5. If an attempt is made through e-mail, the message is not addressed to the user receiving the mail; instead it would be addressed to "the account holder", "dear customer", etc.
6. As you can see in the above image, this is in a web browser; it is not a screen from my computer, but the website designer makes it look like my computer.
7. Injecting fear into the user's mind and prompting "Buy it right now": a genuine antivirus always lets you download a free version before you buy it.
8. If your system has been infected, the Fake AV would slow down your system.
9. Other signs of infection include new wallpaper, new desktop icons, a change of your default homepage, and pop-up alerts appearing even when you are not online.
To close the pop-up
If you come across a pop-up claiming you are infected, what would you do? Close it by clicking on "X"? That would be your first and last mistake. Don't click on "No" or "Cancel" or even "X" on the top right corner of the pop-up. If you click it you will open the door to malware, as some malware is designed in such a way that any of those buttons can activate it. What should you do then? First close the browser, then if you are using Windows:
1. Press Ctrl + Alt + Del and open the Task Manager.
2. Scroll down the dialog box, find the name of the pop-up window and select it.
3. After you have selected it, click on End Task.
If you are using a Mac, press Command + Option + Q + Esc to force quit.
Fake Antivirus prevention tips:
1. Think before you click on a link.
2. Don't open an email attachment unless you are sure about the source.
3. Do not click on pop-up alerts.
4. Use browsers like Mozilla which block pop-ups. For Mozilla, go to Tools -> Options, click on the Content tab, and uncheck Enable JavaScript.
5. Check out the list of Fake Antivirus names to be aware of them.
6. Do not download freeware unless you are sure about the source.
7. Check on a search engine before downloading anything.
8. Keep your antivirus updated. Also use a good firewall.
9. If your antivirus software does not include antispyware software, you should install separate software with antispyware support.
10. Turn off ActiveX and scripting, or set them to prompt for their use, so that if you visit a compromised website accidentally the scripts will not be allowed to run.
11. Disable JavaScript in Adobe Acrobat Reader. To do this, click on Edit -> Preferences -> JavaScript and uncheck Enable Acrobat JavaScript.
12. Regularly scan and clean your computer.
Pankit Thakkar pankit@chmag.in
Malwarebytes to remove Fake Antivirus
Introduction
To remove Fake Antivirus and similar malware you can use Malwarebytes. It is easy to use and effective. For removing Fake Antivirus it is not necessary to buy the full version; the free version is sufficient. You can download the free version of Malwarebytes from http://www.malwarebytes.org/. It supports Windows 2000, XP, Vista, and 7 (32-bit and 64-bit). If you are infected with Fake Antivirus, boot the computer in safe mode. Once you have downloaded Malwarebytes, double click the downloaded file and follow the steps to install the application on your system. Once the application is installed, double click on the Malwarebytes icon on your desktop to start the program.
Update
If you did not check for updates during the install process, go to the Update tab, where you can see the current database version, its associated date and the number of malware signatures. Click on "Check for Updates" to update the database.
Scanning
Once the application database is updated, you can start the scan. You can either go for a quick scan or a full scan. Select one of them and click on Scan to start the scan. If you go in for a full scan you will see the pop-up window as shown in the fig. to the right asking you to choose which drives you want to be scanned; select the ones which you want to be scanned and click Scan.
Once the scanning is completed, Malwarebytes will display the number of objects scanned, the number of objects infected and the time taken, as shown in the above image. Click on "OK" to close the scan completed message.
Removal of the malware
Click on "Show Results" and you will see the window below, displaying the list of malware found along with its location on your system. For now "No action taken" is listed for all the infected objects, so that you can check if anything has appeared in the list which you don't want to remove. Once you have gone through the list and checked the objects, click "Remove Selected" to remove the malware from your system. The image below shows how the removal process looks.
After Malwarebytes is done with the removal of malware, it will automatically display a scan log as shown beside.
In the end it will ask you to reboot your system. Click "Yes" to reboot your system.
Pankit Thakkar pankit@chmag.in
Cyber Squatting
Introduction
The idea of "Cybersquatting" originated at a time when most businesses were not savvy about the commercial opportunities on the Internet. Some criminals registered well-known companies' names as domain names with the intent of selling them back to the companies when they finally woke up. With the increasing use of online business for advertising, promotion & selling of products, the domain names of companies have gained value equal to that of a Trademark. Like the increase in other Cyber Crimes, matters of infringement of Trademarks & passing off are also increasing. This is called "Cybersquatting". Existing laws are still learning how to deal with Cyber Squatters.
What is Cyber Squatting?
Domain names serve as an identity on the Internet. They can be closely identified with the company, as customers surfing the Internet believe that the domain reflects the company's name, as the courts suggested in MTV Networks Inc v/s Curry (S.D.N.Y. 1994): "A domain name mirroring a corporate name may be a valuable corporate asset, as it facilitates communication with a customer base."
A Cyber Squatter identifies popular trade names, brand names, trademarks, & even names of celebrities [Miss Universe Sushmita Sen was also a victim of Cybersquatting] & registers a domain name on their name with the malicious intention of extorting money from persons who are associated with that domain name.
In the famous case of "Intermatic Inc v/s Toeppen" (USPQ2d 1412), the court expressed its opinion about Cyber squatters as: "They are the persons who attempt to profit from the Internet by reserving & later reselling or licensing domain names (incorporating a famous mark) back to the companies that own the mark." In this sense Cybersquatters are violating the fundamental right of trademark owners to use their trademark.
International Scenario
Internationally, the United Nations agency "World Intellectual Property Organization" [WIPO] has been working since 1999 to provide an arbitration system where a trademark holder can register a claim against a squatted site. Keeping in view the practical difficulty in traditional litigation, ICANN (Internet Corporation for Assigned Names & Numbers) approved the UDRP (Uniform Dispute Resolution Policy). However, one of its shortcomings is that it just focuses on arbitration of the dispute, not litigation. Further, decisions under the UDRP can be overruled by traditional courts. Some countries have specific laws concentrating on "Cybersquatting" along with the traditional Trademark laws.
The first country to have legislation on this is the "United States of America"; they have introduced the "Anti-Cybersquatting Consumer Protection Act, 1999". Under this Act a cybersquatter can be held liable for actual damages or statutory damages in the amount of a maximum of $100,000 for each name found to be in violation.
Australia also has a law to prevent Cybersquatting. It entitles the interested person to register a business name with an Australian Business Number (ABN) issued by the Australian Taxation Office. However, this has failed to protect Australia from such cybersquatting acts. Any Australian citizen over the age of 16 can obtain an ABN (which is free) and use it to register as many domain names as he/she wishes.
Considering the number of cases filed with WIPO, in 2010 1796 cases were filed with WIPO, while in 2009 and 2008 it was 2107 and 2329 respectively. On average, 84% of claims are decided in the complaining party's favor. (Source: WIPO website)
Indian Scenario
The Indian judiciary, after realizing the importance of domain names, has woken up & responded strongly against Cybersquatting. They have formulated some legal principles regarding this ever increasing crime.
.IN is India's top-level domain (ccTLD) on the Internet. It is governed by the official .IN registry. The .IN registry was appointed by the government of India, and is operated under the authority of NIXI, the National Internet Exchange of India. The registry has formulated many policies for the registration and administration of .IN domain names. The most important policy is the ".IN Dispute Resolution Policy (INDRP)". It has been formulated in line with the UDRP, and with the relevant provisions of the IT Act. Under INDRP there are two important documents:
The .IN Domain Name Dispute Resolution Policy (INDRP)
INDRP Rules of Procedure
INDRP disputes are decided through an arbitration procedure.
To my best knowledge the first reported Indian case on the topic is "Yahoo Inc. v/s Akash Arora, 1999". The defendant's domain name "Yahooindia.com" was identically similar to the plaintiff's business name "Yahoo". The court expressed the view that though "Yahoo" is a dictionary word, it has acquired uniqueness & moreover it is the business name of the plaintiff. Such words have received maximum protection. Thereafter, till date around 150 cases have been filed under the INDRP policy.
Conclusion
There must be some uniform law on this highly increasing crime, as it affects the goodwill of the owner of the Trademark as well as increasing many other crimes like credit card fraud, cyber bullying & even pornography, & ordinary people will suffer a lot.
Talking about India, currently cases relating to Cybersquatting come under the Tort of Passing Off & infringement of Trademarks. It is not a quick process & there is no speedy trial. To fight it, the current Trademark/Copyright Act should be amended to include Cybersquatting as an offence.
One of the major problems is about applying punishment. One view says that, though Cybersquatting is a form of blackmailing, it will be too harsh to apply the criminal punishment of blackmailing for the offence of cybersquatting. Another view says that though cybersquatting is a crime affecting society, its basic victim is the Trademark owner & he should apply for a "Permanent Injunction" restraining its use.
A better solution for this is to make a blacklist of cybersquatters. ICANN can create such a policy that punishes anyone found by a Court of Law to have cybersquatted. It may be losing domain name registrations, including those which are legal, & taking off all other benefits which he would probably receive from the use of the Internet. This would serve as a deterrent on other "future" cybersquatters, because infringing the benefits from the use of the Internet would definitely harm anyone in today's world.
Many times people find that paying the cybersquatter is the easiest choice. It may be a lot cheaper and quicker to come to terms with a squatter than to file a lawsuit or initiate an arbitration hearing; avoiding these court processes saves substantial time & money. This should be stopped. All Trademark owners should get united & decide not to fulfill squatters' demands.
If we see WIPO's experience, it shows that UDRP disputes are mainly concentrated in the .com domain. Attention must be paid to establishing a preventive mechanism against illegal registration in new generic top-level domains [gTLDs]. E.g. in 2005, ICANN approved the creation of new gTLDs like .travel, .jobs etc. If there is no strict policy for their assignment, Trademark owners will have to compete with cybersquatters for their own Trademark.
Moreover, the process of registration of a Domain Name is not as strict as that of a Trademark. Anyone can approach a Domain Name Registrar & register any available domain name. The Delhi High Court in Aqua Minerals Limited v/s Pramod Borse [2001] PTC 619 (Del.) observed that, "If any person gets the domain name registered with the Registering Authority, which is actually the trade name of some other person, the Registering Authority can't inquire into it to decide whether the Domain name was registered before as a Trademark & belongs to some other person." Such an inquiry is necessary.
The most important thing is that there must be co-ordination between the "Registering Authority of Domain Names & Trademark Registration Authority."
Sagar Rahurkar sr@asianlaws.org Sagar is a Law graduate. He is Head at Asian School of Cyber Laws (Maharashtra). He specializes in Cyber Law, Intellectual Property Law and Corporate Law. He teaches at numerous educational institutions across India.
Wiping files securely
Introduction
This issue's "Command Line Gyan" is not directly related to Fake AntiVirus, but still we have something interesting for you. The idea this time is to delete a file and make sure it's not recoverable (easily). We all know this kind of deletion is called wiping the file. We also know that there are a bunch of freeware & commercial tools to do so, but the idea is to achieve this with the built-in commands/utils of a system. Remember you might get stuck on a machine where you don't have your favorite tool and might not be connected to the internet to download it. So let's see how we can achieve the same with built-in commands/utilities in both Windows & Linux environments.
Windows
What we have to start with is first deleting the file and then overwriting the area again and again to make it unrecoverable. To achieve the same, in Windows you'll find a command called "cipher".
C:\> cipher /w:c:\windows
This command will overwrite ALL unallocated space (available unused space only) within the volume which holds the folder c:\windows. The directory specified can be anywhere in a local volume. If it is a mount point or points to a directory in another volume, the data on that volume will be removed. Don't worry, this won't delete c:\windows or even any content inside it. Pretty neat, loved it. But the only problem here is that this command overwrites the space only thrice: the first time with all zeros, the second time with all ones and the third time with random numbers.
Ok, I got your concern & even I have read that you should overwrite a space at least 25 times to make the data unrecoverable. So let's see how we can exploit this to achieve that. 3 * 8 = 24, 3 * 9 = 27. I think even if we repeat this whole operation 8 times, it will suffice. You can choose 10 or 12 iterations also, but remember the time taken is directly proportional to the size of the volume & free unallocated area. So for the sake of our example, we'll do it 8 times.
C:\> for /L %i in (1,1,8) do @cipher /w:c:\windows
I remember those college days when we used loops to make life easier. In this example we'll run the same process of cipher in 8 loops, making it 24 iterations in total. Now I'm sure you'll be happy that the data has been wiped properly. Remember I have cautioned you: the time taken is directly proportional to the size of the volume & free unallocated area.
Linux
I loved it this time because the Windows method wasn't that difficult. But Linux is always easy. The command here is "shred", which is there in most of the distros. In the case of shred you won't have to delete the file first & then overwrite; this itself will take care of all of it.
# shred -n 3 -z -u myfile
Ok, it is very obvious from the command itself that -n 3 means 3 iterations, which can be changed to 25 as per the above scenario. -z specifies that zeros are to be written in the final iteration so that it looks blank, & -u removes the file.
Pro – I don't need to do it on the whole volume, just the file.
Con – This command is for a file; what about the whole disk?
Con! Did I hear a "con" in a Linux environment?? No way. Here's the solution:
# shred -n 3 -z /dev/sdc
If you notice, we haven't specified -u here, so it won't delete the file pointer itself from the system.
What if the shred itself is not installed, now in such case, please it
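The cipher /w pass pattern (all zeros, all ones, random) and the repeat-it-N-times loop described above, reproduced on a single file with plain POSIX tools, as an added example that is not part of the original column. It assumes /dev/zero and /dev/urandom exist, that head -c and mktemp are available (GNU and BSD userlands), and that the file lives on a filesystem that overwrites blocks in place.

```shell
#!/bin/sh
# Added example (not from the ClubHack column): the three-pass cycle that
# cipher /w uses (zeros, ones, random bytes), applied to one file, repeated
# N times like the "for /L" loop, finished with a zero pass like shred -z
# and followed by unlinking like shred -u.
# Assumes /dev/zero and /dev/urandom are available.

# Size of a regular file in bytes (wc -c is portable; strip BSD padding).
file_size() {
    wc -c < "$1" | tr -d ' '
}

# Emit $1 bytes of pattern $2 (zero|one|random) on stdout.
pattern_bytes() {
    case $2 in
        zero)   head -c "$1" /dev/zero ;;
        one)    head -c "$1" /dev/zero | tr '\000' '\377' ;;
        random) head -c "$1" /dev/urandom ;;
        *)      return 1 ;;
    esac
}

# Overwrite file $1 in place with one pass of pattern $2.
# conv=notrunc keeps the file length, so every original byte is covered
# and nothing is appended; sync pushes the write out of the page cache.
overwrite_pass() {
    case $2 in zero|one|random) ;; *) echo "unknown pattern: $2" >&2; return 1 ;; esac
    size=$(file_size "$1") || return 1
    pattern_bytes "$size" "$2" | dd of="$1" conv=notrunc 2>/dev/null || return 1
    sync
}

# Run the zero/one/random cycle $2 times (default 8, i.e. 3 * 8 = 24 passes),
# add a final zero pass so the remains look blank, then remove the file.
wipe_file() {
    [ -f "$1" ] || { echo "not a regular file: $1" >&2; return 1; }
    cycles=${2:-8}
    i=0
    while [ "$i" -lt "$cycles" ]; do
        for p in zero one random; do
            overwrite_pass "$1" "$p" || return 1
        done
        i=$((i + 1))
    done
    overwrite_pass "$1" zero || return 1
    rm -f -- "$1"
}

# Self-check on a constructed temp file: after a single "one" pass the
# original text must be gone and the length unchanged; after wipe_file
# the path must no longer exist. Returns 0 on success.
demo() {
    tmp=$(mktemp) || return 1
    printf 'SECRET: constructed sample password hunter2\n' > "$tmp"
    orig=$(file_size "$tmp")
    overwrite_pass "$tmp" one || return 1
    if grep -q SECRET "$tmp"; then echo "overwrite failed" >&2; return 1; fi
    [ "$(file_size "$tmp")" -eq "$orig" ] || return 1
    wipe_file "$tmp" 2 || return 1
    [ ! -e "$tmp" ]
}

demo && echo "wipe demo OK"
```

GNU shred's own documentation warns that in-place overwriting is not guaranteed on journaled, copy-on-write or snapshotting filesystems, nor on flash storage with wear levelling, which is why the whole-volume cipher /w and whole-device shred runs above remain the relevant tools for those cases.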
Rohit Srivastwa rohit@clubhack.com