How to prevent getting infected by rogue security applications

1

My computer never got infected with a virus before, because I'm using the Web of Trust browser plugin, Sandboxie and Avast Free antivirus. But today, it got infected with a rogue security application called antivirus.net. I have already removed it using MBAM, SAS, and Kaspersky Virus Removal Tool.

And by the way, I was using MSE when my laptop got infected. Seems like the rogue application just killed off the MSE process. And I never even got a warning. I was using the wi-fi from our school, which I think is the cause since most of the computers in our laboratory have rogue applications on them.

My question is, how do I prevent this from happening again? It took me about 6 hours to disinfect my computer and I don't want it to happen again. Please enlighten me if these rogue applications really just pop out of nowhere.

Note

I'm not dumb enough to agree with installing rogue security applications. It just came out of nowhere. I'm happy with MSE, well not after it let antivirus.net penetrate my computer.

I've done a little bit of research and it says that it needs the permission of the user to actually install it on the computer:

http://www.net-security.org/malware_news.php?id=1245

http://en.wikipedia.org/wiki/Rogue_security_software

Is it possible that other computers in our school network have agreed to install those? Or maybe the network admin?

Wern Ancheta

Posted 2011-02-02T23:33:26.550

Reputation: 5 822

See my answer. No one is saying you did it on purpose. – None – 2011-02-03T00:15:51.760

Answers

1

Great question, by the way.

The real answer to this situation is somewhat simple, but you have to have the proper tools to control this situation. Simply put, basic antivirus programs such as Microsoft Security Essentials will not help you when it comes to controlling similar situations (malware installs from nowhere, etc.)...

To really crack down on malware from the internet and other media, you have to have HIPS software on every computer (host) in your computer domain or personal network.

Host intrusion prevention/protection software/systems (HIPS, Wikipedia) enable you to totally control what software is installed. Whether you are the administrator, a power user or a standard user, these solutions can be configured for your needs.

Sorry for not having a no-cost solution, but I've been using these solutions for the past years, and let me tell you that it makes a huge difference; once installed, they really make a difference.

Many offerings are available from different vendors, so take your time and make sure you choose the right one for you and your group.

deijmaster

Posted 2011-02-02T23:33:26.550

Reputation: 212

5

There's nothing wrong with Microsoft Security Essentials in this case.

Antivirus.net is a Trojan horse, so it infected you when you clicked on something (and I've done it too, so I'm not saying it was intentional). It could have been an advert, or a file you downloaded, or whatever. The method of infection is devised to get you to click on it.

While many malware defence tools, including MSE, can detect a lot of these Trojans, they don't always get them, because the malware crowd is usually ahead of the game.

Also, it appears from your question that you had Avast and MSE installed at the same time. If this is the case, you need to pick one. It's a bad idea to have more than one antivirus tool running at the same time, because they can conflict and disable each other, amongst other unexpected things.

user3463

Posted 2011-02-02T23:33:26.550

Reputation:

I often download from Megaupload, FileServe and Hotfile. Every time I click on the download button, an advertisement pops up – Wern Ancheta – 2011-02-03T03:34:09.870

Well that's where you got it from. When you stop downloading from those sites, you won't get infected. – None – 2011-02-03T04:09:55.637

See my answer, the cause was likely to be a drive-by infection from loading infected ads on reputable sites, so no clicking or dodgy behaviour necessary. – Lunatik – 2011-03-04T14:05:18.623

2

Just a pointer on this, I was infected today by this nasty piece of work - Rogue:Win32/Winwebsec or 'Security Tool'*.

After fixing it and some careful digging I know what it was that tricked me. Something similar has happened to me before, but on that occasion I wasn't aware of what I could have done to cause my PC to become infected.

What got me this time was I returned to my PC which was already powered up, logged in and immediately saw a notification saying Windows had new updates. I clicked on that then Flash said it needed an update. I clicked on that and BOOM! - that was me infected, Popup City, AZ.

They must've spoofed the Flash updater notification and I blithely clicked on it, as you do. It certainly looked like the genuine Adobe Flash/AIR updater.

Pretty sneaky, but I still don't know how it even got on my machine: standard user account, UAC enabled, Windows Firewall enabled, MSE running and up to date, Windows fully patched, etc. To my knowledge, even after clicking the button on the spoofed Adobe dialog box I should've still gone through the UAC popup, but I didn't see one.

Where does this madness end?

Edit: Found out what caused this: adverts infected with malicious Java. See this story on The Register for more information. Almost enough to make me want to use a NoScript browser extension....

*For the benefit of anyone reaching this who is looking to clean their computer, I simply switched to another account with basic privileges, ran an MSE full scan (it wasn't blocked on that account), then switched back. Much quicker and simpler than all the faffing about with Safe Mode and anti-malware programs that seems to be the recommended way of sorting these things out. Naturally this didn't fix it completely; it came back after a reboot. Had to resort to anti-malware programs to resolve, as documented here.

Lunatik

Posted 2011-02-02T23:33:26.550

Reputation: 4 973

0

You have found yourself the victim of what we describe as a drive-by attack. In our EDU environment this is typically the result of routine web browsing to reputable sites where an advert exploits a hole in a browser plugin (typically for us it's Flash or Java). The holes in the software allow the "install" of these fake AV applications even with standard user access to a machine. I state "install" because they are actually user-based, running from the user's profile space; in this case running as a limited user is not going to stop this.

As mentioned above, standard virus scanning applications will not be able to prevent this type of attack. In our facility we've implemented AppLocker in Windows 7 to address this.

For a knowledgeable user who manages their own Windows environment, I would recommend that you have multiple accounts on your PC: an administrator account (which can be used via UAC) for admin tasks and a standard user account that you could treat as a throwaway. Keep all data outside a specific account to facilitate this.

edusysadmin

Posted 2011-02-02T23:33:26.550

Reputation: 2 158
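The AppLocker approach edusysadmin describes, as an added example that is not part of any answer in this thread and not the facility's actual policy: a small executable-rule policy that allows programs from the Windows and Program Files directories and denies anything launched from a user's profile, which is exactly where the fake AV executables discussed above run from. It is first applied in audit mode so that legitimate software can be found in the event log before enforcement is switched on. Assumptions: a Windows 7 (Enterprise/Ultimate) or later machine with the AppLocker PowerShell module, an elevated prompt, and the well-known SIDs for Everyone (S-1-1-0) and BUILTIN\Administrators (S-1-5-32-544); the rule GUIDs are generated at run time and the probe file path is an example.

```powershell
# Added example: AppLocker policy denying execution from user profiles (audit mode first).
# Not code from the thread; run from an elevated PowerShell prompt.
#Requires -RunAsAdministrator
Import-Module AppLocker

$policyPath = Join-Path $env:TEMP 'applocker-profile-lockdown.xml'

# Rule Ids must be GUIDs; fresh placeholders are generated here.
$idProg  = [guid]::NewGuid()
$idWin   = [guid]::NewGuid()
$idAdmin = [guid]::NewGuid()
$idDeny  = [guid]::NewGuid()

# Deny rules win over allow rules in AppLocker, so the profile deny also binds
# administrators. %WINDIR% contains user-writable folders (Temp, Tasks) that a
# blanket allow would otherwise cover, so they are carved out as exceptions.
@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$idProg" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$idWin" Name="Allow Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="$idAdmin" Name="Administrators may run anything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$idDeny" Name="Deny execution from user profiles" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@ | Set-Content -Path $policyPath -Encoding UTF8

# Stage a harmless probe where fake AV typically lives: a copy of notepad.exe in
# the user's profile. (Example path; any user-writable location under AppData works.)
$probe = Join-Path $env:LOCALAPPDATA 'Temp\applocker-probe.exe'
Copy-Item "$env:WINDIR\System32\notepad.exe" $probe -Force

# Evaluate the policy offline before touching the live configuration:
# expected PolicyDecision is Allowed for System32\notepad.exe and Denied for the probe.
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone `
    -Path "$env:WINDIR\System32\notepad.exe", $probe |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# AppLocker only evaluates rules while the Application Identity service runs.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Replace the local policy with the audit-mode rules (add -Merge to keep existing rules).
Set-AppLockerPolicy -XmlPolicy $policyPath

# After some normal use, list what enforcement would have blocked (event 8003 =
# "allowed, but would have been prevented if the policy were enforced").
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Once the 8003 events show only software you expect to block, change `EnforcementMode="AuditOnly"` to `EnforcementMode="Enabled"` and re-run `Set-AppLockerPolicy`; blocked launches then appear as event 8004. The explicit deny on `%OSDRIVE%\Users\*\AppData\*` is the piece that addresses this thread's scenario: even a drive-by that drops a binary into the profile without a UAC prompt, as Lunatik describes, cannot then execute it, though it does nothing about the exploited plugin itself, so keeping Flash and Java patched (or removed) still matters.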