Saturday, April 25, 2009

The Malicious Anti-Malicious

I have a hard drive from another system that has been infected with the fake virus alert virus/malware. You know, the one that says you have thirty-some infections and click here to download... then it asks you for $35 or something to remove all of these threats (classic protection scheme if you ask me). The system had other issues as well, including something blocking me from installing any anti-virus/spyware/malware programs. I ended up connecting it to my computer and scanning it externally.

I recall reading an article several years ago about a test one of the magazines had done on anti-spyware software (SpyBot Search & Destroy and the like). What they found was that no single product caught all of the spyware they had purposefully infected a test machine with. Whereas multiple anti-virus programs will interfere with each other, they recommended having more than one anti-spyware program. With the level of infection this hard drive had, I decided to take that approach.

There are two tools I currently use and trust for anti-spyware. One is Malware Bytes and the other is the classic SpyBot Search & Destroy. SpyBot is free and always has been. Malware Bytes has a free and a paid version. The free version is fully functional as far as scanning and removal, but it's locked into a manual mode: you have to manually download updates and manually run scans, but it works pretty well. The paid version updates automatically and has a component that watches activity and automatically catches problems. Wanting to take the multiple-attack approach, I downloaded Malware Bytes and SpyBot and a couple of others, including one that kept appearing in searches called Malware Removal Bot (MRB).

After an anti-virus scan, I installed and ran Malware Bytes followed by SpyBot. It looked like the drive had been pretty well cleaned by this point but I wanted to continue bombarding it so I launched the installer for MRB. SpyBot popped up and said 'you'd better not'. Knowing how programs of this type can think other programs of this type are trying to infect your system, I went ahead and Googled 'malware removal bot'.

The results were not what I expected. I saw links with a description of "We Bought It And Tried It. Guess What We Found Out?" and others saying, "Don't Be Foolish! Learn The Facts About Malware Removal Bot." But when I clicked on them, that's when I got the real surprise. I was taken to the official MRB description and download page. What appears to have happened is that these sites shut down for one reason or another and MRB bought and redirected the domains/links (or they are somehow hijacking them).
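One way to find out where a search result really lands without clicking it in a browser is to fetch each hop yourself and refuse to follow redirects automatically, so every intermediate host in the chain is visible. The script below is an added example and not part of the original post; the redirect chain it traces (a "review" path that 301s through a "promo" path to a download page) is constructed in-memory for the demo, and the hypothetical paths and the loop cap are assumptions. The http_fetch helper does the same thing against a live URL when you pass it in place of the demo fetcher.

```python
"""Trace an HTTP redirect chain hop by hop instead of clicking the link.

Added example (not code from the original post). The DEMO_CHAIN map is a
constructed stand-in for a "review" link that quietly ends on a vendor
download page; its paths are made up for the demo.
"""
from http.client import HTTPConnection, HTTPSConnection
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = (301, 302, 303, 307, 308)

# Constructed redirect map: path -> (status, Location header).
# Any path not listed answers 200 and ends the chain.
DEMO_CHAIN = {
    "/we-tried-it": (301, "/promo"),
    "/promo": (302, "http://vendor.example/download"),  # assumed hostname
}


def demo_fetch(url):
    """Offline fetcher: look the URL's path up in DEMO_CHAIN."""
    path = urlsplit(url).path or "/"
    return DEMO_CHAIN.get(path, (200, None))


def http_fetch(url, timeout=5):
    """Real fetcher: one GET, redirects NOT followed; returns (status, Location)."""
    parts = urlsplit(url)
    conn_cls = HTTPSConnection if parts.scheme == "https" else HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    conn.request("GET", path, headers={"User-Agent": "redirect-tracer"})
    resp = conn.getresponse()
    resp.read()  # drain the body so the connection closes cleanly
    conn.close()
    return resp.status, resp.getheader("Location")


def trace_redirects(url, fetch=demo_fetch, max_hops=10):
    """Return every URL visited, ending at the first non-redirect response.

    Relative Location headers are resolved against the current URL (as a
    browser would). Raises RuntimeError on a loop or on more than max_hops
    redirects, both of which are worth noticing rather than silently following.
    """
    hops = [url]
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_STATUSES or not location:
            return hops
        url = urljoin(url, location)
        if url in hops:
            raise RuntimeError("redirect loop back to %s" % url)
        hops.append(url)
    raise RuntimeError("more than %d redirects; giving up" % max_hops)


if __name__ == "__main__":
    # Swap in fetch=http_fetch to trace a real URL instead of the demo map.
    for i, hop in enumerate(trace_redirects("http://review.example/we-tried-it")):
        print("%d: %s" % (i, hop))
```

The point of not following redirects automatically is that the intermediate hosts are the evidence: a "review" site whose every link bounces through a promo host to the vendor's own download page is telling you who now controls that domain.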

I finally clicked on one that gave me the real skinny. According to it, MRB exhibits behavior exactly like the virus that got me started scanning the drive in the first place!

    Malware Removal Bot (also known as Malware RemovalBot, MalwareRemovalBot, MalwareRemoval Bot) is a malicious anti-spyware software. Malware Removal Bot uses aggressive tactics to scare and trick users by displaying fake malware detection reports and fake warning messages so that the user will pay $49.99 to remove these imaginary threats. Malware Removal Bot can cause system crashes, hardware problems, system errors and even computer slowdowns. Malware Removal Bot can appear in the user's computer system after a fake video codec installation, through email or via a Trojan (like Zlob) and malware. Malware Removal Bot should be deleted as soon as possible!

The really scary thing was that there was a banner ad immediately below this paragraph to download MRB! (This is why I didn't link directly to the warning.) Thank goodness I ran SpyBot first. Watch out for this one, folks.
