If you’re the one in your family with the computer know-how, relatives may call on you as a sort of personal Geek Squad. So it was with my father-in-law, deeply troubled last week in the face of a spirited badware attack. Many of us have been asked to spend an afternoon cleaning spyware off the parents’ or grandparents’ family computer, and know a little judicious application of Avast!’s free active defense and the classic Spybot usually does the trick and doesn’t fail to impress.
Not so, however, with the beastie I tried to outwit for half a Saturday recently. It’s important you be aware of this one, too, as it’s still infecting machines.
XP Antispyware 2010 has been around a couple of years under a range of disguises. Its origins are Ukrainian. In the space of about a year scammers in the U.S. bilked more than a million consumers into buying XP Antispyware, one of its variants or a similar bogus spyware cleanser, according to the FTC, which asked a local court to halt advertising campaigns via Google ads and elsewhere.
The agency settled in June with some of those involved for $1.9 million and no admission of guilt. (Interesting to note its creators used the site of our old friends Glavmed, Russian purveyors of illegal pharmaceutical operations, as a marketing tool).
How was this “scareware” so effective? Three ways: One, it taps into novice computer users’ fear of badware and stories they’ve heard about it. Two, it uses professional-looking pop-ups that simulate Microsoft dialog boxes and simulated scans that depict a host of “infections.” Users are convinced they have a problem, and are encouraged to spend $40 or more for a bogus software product to fix it. The version that attacked my father-in-law’s machine had more or less taken it over, bombarding him with fake “scans” for fake “infections” even at the browser level when he tried to open new Web sites.
But it’s number three that’s most fascinating and annoying: XP Antispyware 2010’s authors engineered it to combat other programs launched to fix it. Ultimately, we had to download Malwarebytes’ Anti-Malware, and were interested to observe the rogue XP Antispyware was able to stop us launching Anti-Malware through an installed desktop icon.
Had I not been some guy who writes about this kind of thing, I would have probably given up. But we eventually defeated XP Antispyware by launching Anti-Malware from the Windows Start menu “Run” command. (By the way, if downloading Anti-Malware isn’t enough to fix your problem, there’s a more detailed and advanced set of possible fixes here.) Suffice it to say that most computer users would at least have shelled out some money they didn’t need to spend.
It should be said my father-in-law uses an ancient machine, and he had let his active anti-virus program expire. But I’ve run into sophisticated computer users whose machines have been sidelined by some disc-thrashing piece of badware.
It’s a violation of simple decency. Those who might take mercy on XP Antispyware’s creators because their work can be regarded as an elaborate exercise in adware and creative Internet marketing — “scareware” that doesn’t leave malicious programs behind (that we know about) — are misguided. And those who defend adware on a free-speech basis have been spending too much time listening to desperate ad department PowerPoints about opening new revenue streams.
By the way, Google the words “defense adware” and you’ll see a sponsored link to the right for a “Free Adware Remover” called AntiMalware Pro. Don’t download it! Note the host site, www.anti-malware-2010.org, is blind-registered to a private proxy service, always a sign shenanigans are afoot. Symantec listed anti-malware-2010.org as a dangerous site hosting a rogue program, and AntiMalware Pro is, in fact, another bogus badware-as-badware-cleaner that leaves behind more unpleasantness.
Reports on various spyware bulletin boards say it’s the latest iteration of Antispyware 2010 and that it’s meant to confuse seekers of Malwarebytes’ Anti-Malware. The FTC’s consent decree obviously hasn’t stopped this scam.
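The registration check described above (a download site blind-registered through a privacy proxy, carrying a name that mimics a real security product) can be turned into a small triage script. The following is an added example written for this post, not code from the post or from any vendor; the WHOIS record it parses is constructed for illustration (only the domain name comes from the post, the registrant fields and dates are invented), and the trusted vendor domain `malwarebytes.org` and the 180-day age threshold are assumptions a practitioner would tune to their own environment.

```python
import re
from datetime import date

# Constructed sample WHOIS output for the domain the post names. The registrant
# fields and creation date are invented to illustrate a privacy-proxy registration.
SAMPLE_WHOIS = """Domain Name: ANTI-MALWARE-2010.ORG
Registrant Name: Private Registration Service
Registrant Organization: Whois Privacy Proxy (placeholder name)
Registrant Email: owner@privacy-proxy.example
Creation Date: 2010-03-02T00:00:00Z
"""

# Constructed WHOIS for a legitimately registered vendor domain (invented values).
SAMPLE_VENDOR_WHOIS = """Domain Name: MALWAREBYTES.ORG
Registrant Name: Example Vendor Admin
Registrant Organization: Example Vendor Inc
Registrant Email: hostmaster@example-vendor.example
Creation Date: 2004-01-01T00:00:00Z
"""

# Phrases commonly seen in registrant fields when a privacy/proxy service fronts
# the real owner. Assumed list; extend it with whatever your WHOIS source shows.
PRIVACY_MARKERS = (
    "privacy", "private registration", "proxy",
    "whoisguard", "domains by proxy", "redacted",
)


def parse_whois(text):
    """Split 'Key: value' WHOIS lines into a lowercase-keyed dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip().lower()] = value.strip()
    return fields


def is_privacy_registered(fields):
    """True if the registrant identity is hidden behind a privacy/proxy service."""
    registrant = " ".join(
        fields.get(k, "")
        for k in ("registrant name", "registrant organization", "registrant email")
    ).lower()
    return any(marker in registrant for marker in PRIVACY_MARKERS)


def domain_age_days(fields, today):
    """Age of the domain in days, or None if no parseable creation date."""
    match = re.search(r"\d{4}-\d{2}-\d{2}", fields.get("creation date", ""))
    if not match:
        return None
    return (today - date.fromisoformat(match.group(0))).days


def is_brand_lookalike(domain, trusted_domains, brand_terms):
    """True if the name trades on a security-product term but is not a trusted domain."""
    d = domain.lower().rstrip(".")
    if d in trusted_domains or any(d.endswith("." + t) for t in trusted_domains):
        return False
    return any(term in d.replace("-", "") for term in brand_terms)


def assess(domain, whois_text, today,
           trusted_domains=("malwarebytes.org",),          # assumed vendor domain
           brand_terms=("antimalware", "antispyware")):
    """Return the list of red flags raised for a download site."""
    fields = parse_whois(whois_text)
    flags = []
    if is_privacy_registered(fields):
        flags.append("privacy-proxy registration")
    age = domain_age_days(fields, today)
    if age is not None and age < 180:                      # assumed threshold
        flags.append("domain younger than 180 days")
    if is_brand_lookalike(domain, trusted_domains, brand_terms):
        flags.append("brand-like name not on trusted list")
    return flags


if __name__ == "__main__":
    today = date(2010, 7, 15)  # fixed date so the sample output is reproducible
    print(assess("anti-malware-2010.org", SAMPLE_WHOIS, today))
    print(assess("malwarebytes.org", SAMPLE_VENDOR_WHOIS, today))
```

None of these flags proves a site is hostile on its own (plenty of honest registrants use privacy services), but a download site that trips all three, and that a user reached through a sponsored search result rather than the vendor's own page, is exactly the pattern the post describes and is worth blocking at the proxy or DNS filter before anyone runs what it serves.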