Slightly OT: Fake anti-virus delivery mechanisms


natrat
March 29th, 2010, 03:30 PM
hi guys,

I'm assuming this happens at the same time worldwide. We've always had a lot of fake anti-virus issues to deal with on customer computers (Antivirus 2010 etc.) but in the past few weeks we've had a huge increase, particularly with the one that modifies the registry key that opens applications so you can't run any of your programs. Malwarebytes Anti-Malware sorts this out, and everything else I've thrown at it, but I was wondering if anyone knew the primary delivery mechanism of this type of malware. Is it email based (dodgy link or attachment) or web based (infected when visiting an infected page), or does it exploit OS or browser flaws, etc.?

cheers
nathan

nattivillin
March 29th, 2010, 08:37 PM
It seems like it's all Java-based installs. We did a test and went to the fake websites themselves with Java disabled and they could not install it on our system.

Yaredo
April 2nd, 2010, 10:50 AM
natrat... What I think is when you visit those fake websites they make a registry change on your computer, for example Internet Explorer, .exe, Firefox, so that when you open Internet Explorer you will be redirected to a different page than that of your home page, and any programs won't open since the .exe file association has been hijacked. What I usually do is open My Computer and type www.google.com, for example, which brings me Google. But if I had used Internet Explorer it won't bring Google since the home page in the IE registry has been hijacked. Then I also run an exe file association fix from a good website: http://www.dougknox.com/xp/file_assoc.htm
Or I myself open Notepad and save the file as .reg,
and then install Malwarebytes, Spybot with TeaTimer.
Finally, if you immunize the system with Spybot these fake alerts usually won't come...
I don't know if this might help...
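One way to check for the .exe file association hijack described in this post, as an added example that is not from the thread or from Doug Knox's fix: export the key on the affected machine with `reg export HKCR\exefile exefile.reg`, then compare the open command against the clean Windows default `"%1" %*`. Both exports below are constructed samples, and the hijacker path in the first one is a placeholder, not a real malware path.

```python
import re

# Clean default of HKCR\exefile\shell\open\command on Windows: run the file with its arguments.
EXPECTED_EXE_COMMAND = '"%1" %*'

# Constructed sample of `reg export HKCR\exefile exefile.reg` after a hijack; the path is a placeholder.
HIJACKED_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Users\\user\\AppData\\Local\\PLACEHOLDER_FAKEAV.exe\" /START \"%1\" %*"
"IsolatedCommand"="\"%1\" %*"
'''

# Constructed sample of the same export from a clean machine.
CLEAN_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

def _unescape(s):
    # .reg files escape backslash and double quote with a leading backslash.
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg_export(text):
    """Return {key: {value_name: data}} for the string (REG_SZ) values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'^\[(.+)\]$', line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*")$', line)
        if m and current is not None:
            name = '' if m.group(1) == '@' else _unescape(m.group(1)[1:-1])
            keys[current][name] = _unescape(m.group(2)[1:-1])
    return keys

def check_exe_association(text):
    """List (key, command) for every exefile open command that differs from the clean default."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if key.lower().endswith(r'exefile\shell\open\command'):
            command = values.get('')
            if command != EXPECTED_EXE_COMMAND:
                findings.append((key, command))
    return findings
```

Regedit and reg export normally write the file as UTF-16 with a BOM, so read it with `open(path, encoding='utf-16')` before passing the text in. A non-empty result means the open command points somewhere other than the file itself, which is exactly the symptom of programs refusing to start.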

Yaredo
April 2nd, 2010, 10:58 AM
@nattivillin,
But you need Java to run lots of programs?

nattivillin
April 5th, 2010, 12:20 PM
@ Yaredo

Yeah, I know. I didn't say it was a good solution........lol

I only browse the web with a script blocker active. I then enable the scripts on a website if it has Flash or Java content that I actually NEED to use. If not, I just read the text.

It's amazing how many background scripts and crap are running on some of these websites. Sometimes I get an alert with 5-15 scripts that my browser blocked. I feel safer this way.

natrat
April 7th, 2010, 07:07 PM
I know how to fix the problems on client computers. I'm wondering how they get it in the first place. What sites and links in emails they commonly receive that they are inadvertently visiting or clicking on. Clients always ask, and I can't give anything more concrete than "you must have clicked on a link or opened an attachment in an email that you shouldn't, or visited a dodgy site". Is there anything more specific than that? They always say they don't do things like that.

Yaredo
April 13th, 2010, 01:06 PM
They always click some links.
Facebook links are the one. We get problems from links through Facebook and social networking sites.
Have you tried OpenDNS, btw?

pyro77
September 9th, 2010, 10:12 PM
The Win Antivirus Pro was very good at injecting its redirection URL into legitimate Google listings. When someone would search for a site and locate the one they wanted and then click on it, even though it appeared to be the correct address, it would immediately pop up with "your machine may be infected...2000 trojans" loaded from a different website. We have not seen this type of infection in several months though, so I am assuming Google fixed their search bot. Most of the fake AV infections are coming in through simple web browsing though; staying off the "adult" sites will help... but I guess you can't tell that to all clients.. ;)

nattivillin
October 21st, 2010, 07:27 AM
It is a mess. I know it keeps us "employed" but when it can't be fixed in a reasonable amount of time, you end up with very upset customers. It can take 2-4 hours to clean some of these systems out.

From a business standpoint the cost of new computers is dropping each day. 2-4 hours on-site can easily cost more than a new system.

As customers begin to realize this, our phone will stop ringing as people will just go get new systems. Not good at all.

natrat
October 21st, 2010, 04:18 PM
True, but in a business it's not as simple as just buying a new PC. Then it needs apps installed, connecting to the domain, configuring xyz etc., so I don't think we're in any trouble yet. Businesses need to understand that if they want the minimum amount of downtime then they need to pay the hourly rate. We give them the option: hourly rate to fix onsite, or we take it away and clean it for a fixed fee. Then it's just our boys in the workshop doing it over 24 hours, where they are working on multiple repairs at once, so even if it takes 3 hours a flat fee is still feasible.

nattivillin
October 21st, 2010, 06:32 PM
I agree. Businesses are still going to choose repair for the foreseeable future. It's the home users I am seeing a drop-off in repairs for.

natrat
October 21st, 2010, 07:01 PM
Yeah. I pretty much never do onsite virus removal for homes, always take it back to the workshop or get them to drop it off. We charge around $130 flat fee for removal in the workshop if they bring it to us, so it's still hugely more economical than replacing a PC. It's an easy sell: $130 flat fee and without the PC for 24-48 hours, or $110 per hour for onsite removal which may take 1-3 hours, and 90% of that time our tech would be staring at a screen doing nothing.