Sunday, January 4, 2009

Antivirus 2009

Over the holidays I had the intriguing experience of watching a computer get hijacked by a nasty piece of malware: Antivirus 2009. According to this article from Bleeping Computer:

Antivirus 2009 is a new rogue anti-spyware program from the same family as Antivirus 2008 and Doctor Antivirus. Antivirus 2009 is installed and advertised through the use of misleading web sites that attempt to make you think your computer is infected with a variety of malware. Once installed, Antivirus 2009 will scan your computer and list a variety of fake infections that can't be removed unless you first purchase the software. These infections are fake, though, and only being shown to scare you into purchasing the software.

What that article doesn't make clear is the fact that Antivirus 2009 (or at least the variant I was dealing with) will also cause a substantial slowdown in your computer's performance, and will cause your browser to display all manner of annoying pop-ups. The other point about Antivirus 2009 that the article doesn't make clear is that Antivirus 2009 includes some relatively sophisticated countermeasures to prevent people from removing it from their system. For example, the variant I was dealing with stopped my grandmother's computer (where it was installed) from accessing websites of antivirus vendors (e.g., AVG) and technical web sites which had instructions on how to remove it (e.g., Bleeping Computer). Additionally, it also detected and prevented execution of removal tools that I was able to download on another system and install on the infected computer. I have to admit, I was impressed by the countermeasures the creators of Antivirus 2009 had included, as they made it MUCH harder to remove than the last virus I had to deal with (Slammer).

Anyway, as impressed as I was by the measures Antivirus 2009 took to prevent me from disabling it, the more interesting aspect of the program is that it even exists at all. Antivirus 2009 isn't just a program that enrolls a computer in a botnet where it can be rented out for pump-and-dump schemes or to spew fake Viagra spam. Instead, it appears to be connected with a business selling subscriptions which could, in theory, be shut down (or at least taken off the web). Therefore, it should be possible to file suit against the business connected with Antivirus 2009 (i.e., the people selling the software using bogus virus notifications). My guess is that either the people behind the software don't know that what they're doing is illegal (highly unlikely) or they think that whatever profit they can make between the time they released their software and the time a court inevitably shuts them down will be enough to compensate them for their efforts in creating their malware. Either way, the fact that Antivirus 2009 exists raises serious questions about whether the law can function as a deterrent to even the most blatant cybercrime.

PostScript: One other point of interest on the Antivirus 2009 front: both the FTC and Microsoft have filed suit against fake antivirus companies (see here). My suspicion is that these suits will accomplish nothing, as the companies are probably set up with pseudonyms, and the people behind them will vanish into the woodwork long before any court can find them. However, I would very much like to be wrong, and I would be quite happy to see the FTC and/or Microsoft being awarded (and collecting) some sizeable judgments.

Update: As a potential alternative, I sent a message to Malwarebytes and asked them if they had a link that wouldn't be blocked by Antivirus 2009. They sent me a link, and I added it in this post.

