Rogue AV reinfections increasing

DavidF

Until now we've successfully been using a cocktail of ComboFix, MBAM and a range of .bat and .reg files to get rid of the vast majority of rogue AVs.
I've had 4 machines come back reinfected with the same problem in the last two weeks.
I'm in the process of finding the reason and was wondering if anyone else is seeing a rise in reinfections, in order to figure out whether a trend is forming or whether there is a problem with our methods.
Thanks
 
I'm not actually seeing an increase at the moment, but these rogue AV infections are by far the vast majority of the malware I'm removing for customers; some infections are worse than others. I've also had a couple of customers get re-infected quite quickly, I suspect by visiting the same infected site or email. Always check for rootkits as well, as I've seen a couple of machines that I thought I'd cleaned only to discover a rootkit lurking there that the usual apps hadn't picked up.

My advice to my customers at the moment is to be VERY aware of what AV software they are running and what it (and MS/Defender pop-ups etc.) actually looks like, and NOT to click on any other pop-up telling them malware has been detected on their machine.

The one question I keep getting asked is how to prevent infection, and apart from offering the above advice I liken it to asking a garage how to prevent another car crash when you pick up your freshly repaired car... you need to be very aware of what's going on around you and try to avoid running through red lights.
 
I would say that the reason the infections are increasing is because the attacks are increasing. It's organised crime vs the geek vandalism of old.

I don't think the methods of removal are likely to be the problem; it's more likely to be the protection and user behaviour. If the AV they have wasn't enough to stop it last time, then it won't be again. If they behave in a way that makes them likely to get infected, and they don't change that behaviour, then they will get infected again.

If you put on better protection and educate the users successfully (not easy) then the reinfections probably won't occur.

Normal AV is of little use against many of these attacks. You need HIPS or sandboxing of some sort. Some of the internet suites offer it, or apps like DefenseWall, GeSWall, Sandboxie, Online Armor etc. provide a much better degree of protection.
 
Sell them MBAM or SAS. It's an easy sell after a rogue infection because the price of either is cheaper than another service call/repair.
 
As much as I like those two apps for removing malware, I'm not convinced of their efficacy in preventing infections in the first place.
 
Are the "link scanners" we see with the upgraded AV suites useful to flag these as they arrive? I am thinking of Norton and TrendMicro and AVG specifically.


N.B. I don't sell or recommend Norton, but I have many clients who have it already resident on their machines. They usually get a call from me about a week before their subscription expires so that I can recommend a better solution.
 
Norton Suite comes up pretty well in the tests I've looked at. Personal experience says it's not awful like McAfee. But, like all protection containing a firewall, it causes problems with networked apps.

I think the link scanners are useful. Clearly it's better to prevent someone visiting an infected site than to try to block or clear it up later. As usual, they are likely to struggle against zero-day malware if all they are doing is looking for signatures.

I think the future lies with HIPS like GeSWall and DefenseWall. I trialled GW and couldn't get my machine infected from known infected websites no matter how hard I tried. However, it did end up causing other problems with Windows, so I had to uninstall it.
 
Cleaning them is not enough; they get in via exploits, whether it is Flash, PDF, Java, JavaScript or iTunes. You need to update and patch the exploited software. The simplest way to do this is to use Secunia PSI: install the software and apply the patches. This will prevent re-infection.

Btw, there is a new exploit using iTunes. I got this in the mail today with a zipped attachment:

Hello!

You have received an iTunes Gift Certificate in the amount of $50.00
You can find your certificate code in attachment below.

Then you need to open iTunes. Once you verify your account, $50.00 will be credited to your account, so you can start buying music, games, video right away.

iTunes Store.
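The lure quoted above arrives as a zipped attachment. As an added example (not part of the original thread, and not anyone's posted tooling), the script below builds a constructed MIME message modelled on that lure and runs a mail-gateway style check over it: it looks for the lure phrases in the body and opens any zip attachment in memory to see whether it carries an executable. The post does not say what the zip contained; the `.exe` inside the sample zip, the sender address, the filenames and the lure phrase list are all assumptions made for the example.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that Windows will execute directly if a user double-clicks them.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js")

# Assumed lure phrases; the first two are taken from the mail quoted in the thread,
# the last from the rogue AV pop-ups discussed earlier in it.
LURE_PHRASES = ("gift certificate", "verify your account", "malware has been detected")


def build_sample_message() -> bytes:
    """Constructed sample: the iTunes gift-certificate lure with a zip attachment.

    The zip content is an assumption; the original post only says 'zipped attachment'.
    """
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        # Fake payload: an MZ header followed by filler, so nothing here actually runs.
        zf.writestr("iTunes_certificate_50.exe", b"MZ\x90\x00" + b"\x00" * 32)
    msg = EmailMessage()
    msg["From"] = "iTunes Store <noreply@example.invalid>"   # assumed sender
    msg["To"] = "customer@example.invalid"
    msg["Subject"] = "Your iTunes Gift Certificate"
    msg.set_content(
        "Hello!\n\n"
        "You have received an iTunes Gift Certificate in the amount of $50.00\n"
        "You can find your certificate code in attachment below.\n\n"
        "Then you need to open iTunes. Once you verify your account, $50.00 will be "
        "credited to your account, so you can start buying music, games, video right away.\n\n"
        "iTunes Store.\n"
    )
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="certificate.zip")
    return msg.as_bytes()


def build_benign_message() -> bytes:
    """Constructed control: a plain mail with no attachment and no lure wording."""
    msg = EmailMessage()
    msg["From"] = "alice@example.invalid"
    msg["To"] = "bob@example.invalid"
    msg["Subject"] = "Invoice for last week's service call"
    msg.set_content("Hi Bob, the invoice is in the portal as usual. Thanks, Alice\n")
    return msg.as_bytes()


def scan_message(raw: bytes) -> dict:
    """Return {'suspicious': bool, 'findings': [...]} for a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    lures = [p for p in LURE_PHRASES if p in text]
    if lures:
        findings.append("lure phrases in body: " + ", ".join(lures))

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        # Trust the bytes, not the declared name: a zip starts with the 'PK' signature.
        if name.endswith(".zip") or payload[:2] == b"PK":
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for info in zf.infolist():
                        if info.filename.lower().endswith(EXECUTABLE_SUFFIXES):
                            findings.append(f"executable inside {name}: {info.filename}")
            except zipfile.BadZipFile:
                findings.append(f"attachment {name} looks like a zip but is unreadable")
        elif name.endswith(EXECUTABLE_SUFFIXES):
            findings.append(f"bare executable attachment: {name}")

    return {"suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    for label, builder in (("sample lure", build_sample_message),
                           ("benign control", build_benign_message)):
        result = scan_message(builder())
        print(label, "->", "SUSPICIOUS" if result["suspicious"] else "clean")
        for finding in result["findings"]:
            print("   ", finding)
```

The check opens the archive in memory and judges the member names rather than the attachment's own filename, which is the point: the outer `certificate.zip` looks harmless, and the lure text tells the user to open what is inside. On a real gateway the same function would run over each incoming message before delivery.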
 