March 6, 2008

Complex and Generic Spyware Detection...

This year has begun with alarming data: the percentage of Fake Anti-Spyware is growing, reaching close to 25% in January and about 12% in February. Most of them download themselves while you browse certain websites, scan your system immediately and scare you into purchasing a copy by showing false scan results. Most of them also show system tray alerts with messages such as a critical error or "Your PC is infected with Trojans". These messages look authentic and appear to come from the Windows operating system. You can read more about them at some of the links on this blog here and here and here.

We started the "Weekly Most Prevalent" section to notify our users about such prevalent Fake Anti-Spyware and other threats, summarized weekly as reported by our Spyware Research lab. You might also have noticed the daily updates in the left section of this page under "Daily Threat definition updates", for those of you who are interested in knowing exactly what is being updated on your PC through Spyware Detector Live Update. This section has a lot of details, including the names of the spyware and their original release dates.

Here is the summary of the spyware categories and the data processed for Spyware Detector Live Updates in January and February of this year (the first column is the category number):

 #   Category             Jan 2008   Feb 2008
 1   Adware                 25.43%     11.96%
 2   Backdoor               14.86%     18.28%
 4   Dialer                  3.55%      3.20%
 5   Downloader              1.31%      2.21%
 7   Fake Anti Spyware       5.98%     11.58%
18   Spyware                11.06%      1.37%
19   ToolBar                 2.84%      0.91%
22   Trojan                 17.35%     26.12%
23   Worm                    5.98%      9.67%

Many Fake Anti-Spyware were analyzed in detail. We found that they are continuously evolving, releasing new versions almost every week, and doing so to defeat detection by the signature methods commonly used by Anti-Spyware products. While the Complex Spyware handling team at Max Secure is working towards a generic solution that nips them in the bud without the need for database updates, the following is the long list of some of the Fake Anti-Spyware analyzed and the patches already released for their removal in the last 2 months:

1 FakeAntispyware.Cleanator
2 FakeAntispyware.StopingSpy
3 FakeAntispyware.XP Antivirus
4 FakeAntispyware.Win ReAnimator
5 FakeAntispyware.DriveCleaner
6 FakeAntispyware.SystemDoctor
7 FakeAntispyware.PrivacyConductor
8 FakeAntispyware.MalwarePro
9 Fake Anti Spyware.Swift Cleaner
10 Fake Anti Spyware.Spyburner
11 Fake Anti Spyware.RaptorDefence
12 Fake Anti Spyware.PerformanceOptimizer
13 Fake Anti Spyware.WinPerformance
14 Fake Anti Spyware.SystemDefender
15 FakeAntispyware.VirusHeat
16 Fake AntiSpyware.TrustedAntivirus
17 Fake AntiSpyware.AdvancedCleaner
18 Fake AntiSpyware.SystemErrorFixer
19 Fake AntiSpyware.MalwareCrush
20 Fake AntiSpyware.BestSeller

...and the list goes on.

More on Complex Spyware Handling...

Some spyware showed complex tactics, so specific code was written and delivered to Spyware Detector through Live Update to facilitate their removal.

Smoking Gun, a keylogger belonging to the PC Sentinel Software company, uses random names in the Program Files folder, some INI files in the Windows folder and a registry key.

Red Handed, another keylogger from PC Sentinel Software, exhibits similar properties: a randomly named folder in Program Files with a name like PC???, similarly randomly named INI files and several random registry keys.

A third variant of the same keylogger family from the same publisher, PC Sentinel Software, called PCBursted, uses similar random folder, file and registry key names, as follows:

C:\Program files\PCS-*** (random 3 digit number)

C:\WINDOWS\pcmn***.INI

C:\WINDOWS\pcln***.INI

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\PCBusted***.exe

Some of the Fake Anti-Spyware generate random registry keys to make themselves hard to detect, such as Malware Bot (which uses a random class ID):

C:\Program files\MalwareBot

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\******************\InstallProperties (random CLSID)
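The randomised folder, INI and registry names above are exactly what a fixed-string signature misses and a pattern-based (generic) rule catches. The following Python is an added example written for this post, not Max Secure's detection code: it turns the artefacts listed above into regular expressions, matches them against an inventory of paths and registry keys (a constructed sample, not output from a real machine), and only reports a family when at least two distinct artefact types match, which keeps a single stray folder from producing a false positive. Assumptions made here: the three random characters in the INI and exe names are digits like the folder's "3 digit number", and the Installer product key is the standard 32-character hex GUID.

```python
import re

# Hypothetical generic rules derived from the artefacts the post lists.
# Each rule is (artefact type, regex); the randomised part is matched as a
# pattern rather than as a fixed string. Assumptions: the "***" in the INI
# and exe names are three digits (as stated for the folder), and the
# Installer product key is a 32-hex-character GUID (standard layout).
RULES = {
    "Keylogger.PCSentinel": [
        ("folder", re.compile(r"^C:\\Program Files\\PCS-\d{3}$", re.I)),
        ("ini", re.compile(r"^C:\\WINDOWS\\pc(?:mn|ln)\d{3}\.INI$", re.I)),
        ("apppath", re.compile(
            r"^HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\PCBusted\d{3}\.exe$",
            re.I)),
    ],
    "FakeAntispyware.MalwareBot": [
        ("folder", re.compile(r"^C:\\Program Files\\MalwareBot$", re.I)),
        ("installer", re.compile(
            r"^HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData"
            r"\\S-1-5-18\\Products\\[0-9A-F]{32}\\InstallProperties$",
            re.I)),
    ],
}

# Require hits on two distinct artefact types before naming a family, so a
# lone folder or key that happens to fit one pattern is not reported.
MIN_RULE_TYPES = 2


def scan(artefacts):
    """Match an inventory of file paths and registry keys against RULES.

    Returns {family: sorted list of matched artefacts} for every family whose
    hits cover at least MIN_RULE_TYPES distinct artefact types.
    """
    results = {}
    for family, rules in RULES.items():
        hits = []
        types_hit = set()
        for item in artefacts:
            for artefact_type, pattern in rules:
                if pattern.match(item):
                    hits.append(item)
                    types_hit.add(artefact_type)
        if len(types_hit) >= MIN_RULE_TYPES:
            results[family] = sorted(hits)
    return results


# Constructed inventory: what a walk of Program Files, the Windows folder and
# the relevant registry hives might return on an infected PC, with benign
# entries mixed in. None of these values come from a real machine.
SAMPLE_ARTEFACTS = [
    r"C:\Program Files\PCS-417",
    r"C:\WINDOWS\pcmn417.INI",
    r"C:\WINDOWS\pcln417.INI",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\PCBusted417.exe",
    r"C:\Program Files\MalwareBot",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData"
    r"\S-1-5-18\Products\0123456789ABCDEF0123456789ABCDEF\InstallProperties",
    r"C:\Program Files\PCS-Tools",  # benign: suffix is not three digits
    r"C:\WINDOWS\win.ini",          # benign
]

# Only one MalwareBot artefact type present: stays below the threshold.
BENIGN_ONLY = [
    r"C:\Program Files\PCS-Tools",
    r"C:\WINDOWS\win.ini",
    r"C:\Program Files\MalwareBot",
]

if __name__ == "__main__":
    for family, items in scan(SAMPLE_ARTEFACTS).items():
        print(family)
        for item in items:
            print("   ", item)
```

The threshold is the important design choice: a generic rule is by construction looser than a hash or fixed path, so corroboration across artefact types (folder plus INI plus App Paths key) is what keeps it from flagging a legitimate product whose folder name merely resembles the pattern.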

Another set of Fake Anti-Spyware release new versions almost every fortnight to escape detection by signature database scans, such as:

AntiSpyKit 5.2 and 5.3, AntiSpyGolden 3.9, 4.5 and 4.8, and MalwareCore 7.3 and 7.4.

These Fake Anti-Spyware do not change much in functionality; minor changes are made to the folder names, and sometimes to the graphical user interface, or a new version or an altogether different product name is launched to fool users into buying them.

Keeping up the momentum of adding generic scanners, we have added generic detection of spyware toolbars and moved closer to zero-day threat detection.

We appreciate any feedback on our products from our valued customers. You will also notice daily news updates on our spyware patch releases. More detailed information is available on the Spyware Encyclopedia pages, which can be reached either from the "Spyware we Remove" link or from Spyware Detector itself after a particular spyware is detected, by clicking the "Threat Information" link right next to the name of the detected threat.

Please continue to support this effort by reading this blog for the latest information on new spyware releases. We will not rest until spyware writers give up and let PC users enjoy their computing as it was intended to be: without slowdowns, without fear of losing privacy, and with no advertisements or other unwanted nuisances.

Rachna Pradhan
CTO
Max Secure Software

