
Kudos6

What To Do When Scareware Strikes

We have all either experienced first hand or read here in the forums about those alarming windows that pop up while you are browsing that try to frighten you into downloading a program to cure the viruses and spyware it claims to have discovered on your computer.  Responding correctly to this unnerving threat can keep you from getting infected.  Brian Krebs has posted an article today on his Washington Post Security Fix blog about What To Do When Scareware Strikes.  I'm sure many here will find it helpful and informative.  

Replies

Kudos0

Re: What To Do When Scareware Strikes

Anyone know him well enough to get Norton Forums added?

If you still need help, consult a forum: Computer help forums such as BleepingComputer.com and DSLReports' Security Cleanup forum can be a lifesaver (BleepingComputer often has step-by-step instructions for removing specific scareware threats, such as this one designed to help victims of PolicePro, the rogue anti-virus product du jour).

Hugh
Kudos1

Re: What To Do When Scareware Strikes

Scareware is not as bad as Ransomware

Quads 

Kudos0

Re: What To Do When Scareware Strikes


Quads wrote:

Scareware is not as bad as Ransomware

Quads 


I also agree with Quads here; "Scareware" just shows Threats that are on your computer, but dealing money, i.e. Ransomware, for example, will be more frightening to the User.

Thursday, November 21, 2013: The THREATCON was changed to Level 1: Normal | Tue., Nov. 05, 2013: Zero-Day Vulnerability: Microsoft Security Advisory 2896666 | Saturday, November 09, 2013: Cyber-Criminals Serve Up A Veritable Smorgasbord Of Threats For South Koreans | Wednesday, October 09, 2013: New Internet Explorer Zero-Day Targeted In Attacks Against Korea And Japan [C.V.E.-2013-3897]
Kudos1

Re: What To Do When Scareware Strikes

True but these guys are sending people to other forums.

I believe Sendofjive wants people to be advised to come here

"All that we are is the result of what we have thought"
Kudos2

Re: What To Do When Scareware Strikes

Many of the rogue antivirus infections we see here are the results of people not knowing better and clicking in the malicious pop-up.  I'm just hoping that people will read Mr. Krebs' advice and not get infected in the first place.
Kudos1

Re: What To Do When Scareware Strikes


SendOfJive wrote:
Many of the rogue antivirus infections we see here are the results of people not knowing better and clicking in the malicious pop-up.  I'm just hoping that people will read Mr. Krebs' advice and not get infected in the first place.

That's one reason to have N.I.S. 2007 and Newer, which includes Phishing Protection.  Just remember, though, that Norton may not Detect all the Fake Web Sites, but will Detect quite a lot of them.

And just remember that Norton AntiVirus 2009/2010 does not have a Firewall, so this is possible where customers are Infected because they are unaware that Norton AntiVirus 2009/2010 does not have a Firewall.

At the Time of Writing, Norton 2010 Products were Not Released.

Kudos0

Re: What To Do When Scareware Strikes

The article says to close IE with task manager.  Would Ctrl F4 work as well or is task manager safer?
Kudos2

Re: What To Do When Scareware Strikes

Floating_Red,

To quote from the article:


Typically, they are the result of scripts stitched into legitimate, hacked Web sites, or into banner ads that scam artists stealthily submit to some online ad networks.
Respectfully, anti-phishing and firewalls will not protect you from this type of threat.  This is one case where an informed user offers the best defense.
Kudos1

Re: What To Do When Scareware Strikes

alt + F4?  This is Safer than trying to get the T.M. to Open as, during that time, the Threat, Mis-Leading Application, could have caused more damage; plus, most Threats now prevent T.M. from Opening, so it's good to get in to the habit of using alt and F4 - plus, it could stop Infection.

Kudos0

Re: What To Do When Scareware Strikes


SendOfJive wrote:

Floating_Red,

To quote from the article:


Typically, they are the result of scripts stitched into legitimate, hacked Web sites, or into banner ads that scam artists stealthily submit to some online ad networks.
Respectfully, anti-phishing and firewalls will not protect you from this type of threat. 

But Intrusion Prevention and Auto-Protect will, and Scanning, i.e. Manual Scanning...

Kudos4

Re: What To Do When Scareware Strikes

Car825:

I have found that the best way to stop something is to pull the connection to the internet first.  I also use Control F4 because it snaps everything closed.  If you have three tabs open and use Alt F4 it asks you if you want to close all tabs.  Clicking on anything is ill-advised.

Remain off the internet until you have dumped your browser cache, and temp files, and run enough scans to convince yourself that you are bug free.  Then you can hook back up to the net, and update the antivirus scanners, and do it again.  It takes the better part of six hours on my machine.

With ransomware, you don't want to kill it until you find out what it has done, or you may not be able to reverse it.

Under certain circumstances profanity provides relief denied even to prayer. Mark Twain
Kudos0

Re: What To Do When Scareware Strikes


Floating_Red wrote:

alt + F4?  This is Safer than trying to get the T.M. to Open as, during that time, the Threat, Mis-Leading Application, could have caused more damage; plus, most Threats now prevent T.M. from Opening, so it's good to get in to the habit of using alt and F4 - plus, it could stop Infection.


Do you have to rush to close the window or should you take your time and make sure it is done right.  In other words, is there a time component to this?  Can the popup do any damage while you are deciding what to do if you don't click anything?

Kudos1

Re: What To Do When Scareware Strikes

Hi,

You want to Close the pop-up as quickly as possible, but you also want to make sure you know what you are doing, so you don't make the situation worse; however, should this pop-up just be on your Browser, it won't actually be installed on your computer, whereas, if it is on your computer, you will want to get a Full System Scan Completed with your Norton Product, and/or Malwarebytes' Anti-Malware.  The longer you leave any Threat on your computer, the more damage it can do.  And even although you have a pop-up, the Threat could be causing damage while you are sitting there watching the pop-up or "Product" work, e.g. Nortel Antivirus.  Just because the pop-up appears, does not mean the Product will stop.  Usually, though, when you see the "Product" Launch, that will be the Final Stage of the Threat's activity; the next one will probably be asking you to "Buy" a "Subscription", which, of course, you should not "Buy"...

Message Edited by Floating_Red on 09-02-2009 11:27 PM
Message Edited by Floating_Red on 09-02-2009 11:29 PM
Kudos0

Re: What To Do When Scareware Strikes

There have been a number of posts here recently from people asking for help in removing rootkits and scareware.  How confident should I be that NIS09 will stop these threats?

Message Edited by car825 on 09-02-2009 06:38 PM
Kudos0

Re: What To Do When Scareware Strikes

Right click anywhere in blue system tray, left click on task manager in popup window, click on end task in task manager.
Kudos3

Re: What To Do When Scareware Strikes

Great article sendofjive! Very informative.

 

car825,

 

Keep in mind that no security program is perfect and all of the people in these forums who have been infected with a threat NIS cannot detect/remove together represent (my guesstimate) less than .001% of all Norton users worldwide (especially if you count both personal and corporate computers running Symantec/Norton products).

 

NIS09 is a very good security program and will do its best to keep your computer from becoming infected. As I believe floatingred pointed out before, a lot of times if the scareware is occurring inside your browser you are not yet infected, at first it is just a show. This actually happened to me about a week or two ago. A site I navigated to had a malicious banner ad that essentially played a video designed to make me believe my computer was being infected and at the end of the sequence get me to download a fake AV program.

 

That is why it is called scareware. It is meant to scare you into infecting your own computer by mistake. The hacker pulling the strings wants you to do all of the work for him/her.

Kudos0

Re: What To Do When Scareware Strikes

I think Symantec's slogan for Norton 2010 Products should be:

Next-Generation Security Product - Today!

Kudos0

Re: What To Do When Scareware Strikes

A while back (after I downloaded Internet Explorer 8), I created a one-click "Kill Internet Explorer" script that does the same thing as closing the process in Task Manager, except that all you need to do is click on the icon for the script.  The reason I created it was to close Internet Explorer when it locked up, but it can also be used to QUICKLY close IE in an emergency such as this (where malware is attempting to infect your computer).  The script is written in the AutoIt language and it only contains one line.  Just download AutoIt (free program) and compile the script and call it "Kill Internet Explorer.exe".  Then put it in your Quick Launch area.  Here is the script:

ProcessClose("iexplore.exe")
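
A multi-process variant of the one-line script above, as an added example that is not part of the original post: ProcessClose called with a process name ends only one matching process per call, and Internet Explorer 8 runs several iexplore.exe processes, so this version walks ProcessList and closes each PID. The browser list and the 3-second wait are assumptions to adjust.

```autoit
; Added example, not the poster's script: end every running browser process
; without interacting with the pop-up window itself.

; Assumption: executable names of the browsers to close; edit to match
; what is installed on the machine.
Global Const $g_aBrowsers[2] = ["iexplore.exe", "firefox.exe"]

; Close every process with the given executable name.
; Returns the number of processes that were asked to close.
Func _KillAll($sName)
    ; ProcessList returns a 2D array:
    ;   [0][0] = number of matches, [n][0] = name, [n][1] = PID
    Local $aProcs = ProcessList($sName)
    If @error Then Return 0
    For $i = 1 To $aProcs[0][0]
        ProcessClose($aProcs[$i][1]) ; close by PID, not by name
    Next
    Return $aProcs[0][0]
EndFunc

; Wait up to $iTimeoutMs for all processes of that name to disappear.
; Returns True if at least one is still running after the timeout.
Func _StillRunning($sName, $iTimeoutMs = 3000)
    Local $hTimer = TimerInit()
    While ProcessExists($sName)
        If TimerDiff($hTimer) > $iTimeoutMs Then Return True
        Sleep(100)
    WEnd
    Return False
EndFunc

Local $iTotal = 0, $sSurvivors = ""
For $sBrowser In $g_aBrowsers
    $iTotal += _KillAll($sBrowser)
    If _StillRunning($sBrowser) Then $sSurvivors &= $sBrowser & " "
Next

If $sSurvivors <> "" Then
    ; 48 = warning icon. Something refused to close: disconnect the network
    ; cable before doing anything else.
    MsgBox(48, "Kill browsers", "Still running: " & $sSurvivors)
Else
    ; 64 = information icon
    MsgBox(64, "Kill browsers", $iTotal & " browser process(es) closed.")
EndIf
```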

Kudos0

Re: What To Do When Scareware Strikes

Coincidentally, yesterday after reading the posts in this topic, while viewing a page at the NY Times site I got my first pop up scare ware, tried Ctrl F4 and Alt F4 nothing happened except the My Computer window appeared with a scan bar running. I immediately physically disconnected from the internet and ran a full system scan with NIS 2009 16.7.2.11; the only item found was a tracking cookie. Figured I was good to go and didn't do anything else.

Today I again was viewing pages at the NY Times and got another pop up scare ware, again no joy with either Ctrl F4 or Alt F4, disconnected cable and ran a quick scan with SUPERAntiSpyware, un-updated. The results surprised me, see attached screen shots.

 

SUPERAntiSpyware required a restart to complete and on restart the screen came where I had to use the last known good configuration. After restart connected to internet, updated SUPERAntiSpyware, ran full scan and came up clean.

Restarting Firefox shows "My computer online scan" in the history for today but not for yesterday.

The NY Times main page had seemed for the last few weeks to be running oddly but now it appears to be working fine.

I'd like to thank the forum posters as I probably would not have physically disconnected if I had not read that recommendation in these posts.

Windows XP SP3, all updates

NIS 2009 16.7.2.11

Firefox 3.5.3

Kudos0

Re: What To Do When Scareware Strikes

Hi pete_t,

 

That is shocking news. I never would have guessed that there would be scareware on a reputable site like nytimes.com.

The scareware likely originated from a banner ad that slipped past whoever supplies the NY Times site with ads. Out of curiosity, could you please post what version of Adobe Flash Player you were using when you encountered the scareware? The last time I got scareware I was using the 10.0.22.87 version. Then a week or two later they came out with 10.0.32.18. As far as I know the newer version wasn't designed to put a stop to scareware but it would be interesting to know if it helps.

 

 

Pexley

Kudos0

Re: What To Do When Scareware Strikes

Is NIS 2010 better at stopping Scareware than NIS09?

Kudos0

Re: What To Do When Scareware Strikes


car825 wrote:

Is NIS 2010 better at stopping Scareware than NIS09?


Yes and no. What makes scareware such an unusual threat is that when it first strikes it is in no way trying to harm your computer, therefore NIS doesn't detect anything wrong. What hackers do with most types of scareware is embed them in banner ads and other parts of websites that use Adobe Flash, and when you navigate to the site the banner ad essentially plays a video designed to make you believe you have been infected (i.e. minimizes your browser and shows you what supposedly is your My Computer window being scanned and multiple viruses being found).

 

Once the scareware has run its course and effectively "scared you" then it will tell you to download an obviously fake AV program to remove the infections that are not even there. The fake AV program is the actual threat to your computer. A combination of having a fully patched browser and NIS running should be enough to keep you from being infected or even finish the download of the fake AV for that matter.

 

NIS 2010 is supposed to be better overall at protecting you from threats (SONAR 2, program insight, etc) than NIS 2009. Assuming you do not physically tell it to finish the download and install the fake AV program you should not have any problems with scareware. Of course, whenever you encounter some it is always a good idea to physically pull the plug on your internet connection and run a full system scan with Norton and at least one other on demand scanner.

 

Pexley

Kudos3

Re: What To Do When Scareware Strikes

Hi pete_t,

Here's some news about the scareware you encountered at the NY Times:

Rogue ad hits New York Times site

Kudos0

Re: What To Do When Scareware Strikes

pexley

Thanks for the info.

SendOfJive

Thanks for the link.

After my prior post I returned to the NY Times and after 4 or 5 page views I got the pop up again.

Again Ctrl F4 and Alt F4 were no joy so pulled the cable once more, restarted in safe mode, turned off system restore, emptied cache, deleted temp files and scanned with both NIS and SAS, they both came up clean.

In the future I'm just going to pull the cable.

Thanks again.

Kudos0

Re: What To Do When Scareware Strikes

Thought I'd add my own first scareware experience to this great thread - although it is such a long time ago - about two years ago. I had Windows XP Home back then...and Norton AntiVirus 2003. Ancient, I know, and insufficient with regard to the threat landscape in 2007 ;-D

I remember surfing on mugglenet.com (Harry Potter fansite...) and clicking on a link which was supposed to provide information on the latest book rumours when this Errorsafe window popped up, claiming that my computer was infected with trojans, viruses etc. I knew that it was a nasty pop-up - but I didn't know that one shouldn't click on the "x"  to close it. I clicked on the x - and my browser was dragged off to the Errorsafe website which sported a progress bar, giving one the impression that it was scanning one's computer; it also recommended purchasing Errorsafe software in aggressive font. I managed to close that window immediately and terminated my browser via Task Manager. I ran a full system scan and I also ran Lavasoft Ad-Aware, which I used to have back then, and both scans came up clean, fortunately. I got off very lucky, considering my Norton version was so outdated.

The next time I encountered that pop-up - it was on the same website - I physically disconnected from the internet and terminated the browser via Task Manager - I managed to avoid interacting with the pop-up that way, contrary to the first time. On contacting mugglenet.com to tell them that their website was infested with Errorsafe pop-ups, all I got was a cold response saying that mugglenet was not responsible for the actions of third-party-software/ads. I never visited that website again. 

More on Errorsafe can be found on the Symantec website:

http://www.symantec.com/security_response/writeup.jsp?docid=2006-012017-0346-99

Kudos3

Re: What To Do When Scareware Strikes

Thought I would post a link to more info about the recent NY Times website malware problems. Things are heating up, people are not happy. After the article scroll down and read some of the comments, a lot of them come from people running Norton security products. NY Times

Replies are locked for this thread.