While searching for tips on removing malware, your chances of encountering bad and malicious ads or links increase greatly. In fact, cyber-criminals use Search Engine Optimization (SEO) as their prime method of gathering Web surfers. Last April a Top Ten List of celebrity searches was published claiming that surfers were more likely to land on either fake sites or hijacked sites. It listed Jessica Biel as the number one celebrity search in 2009 most likely to land you on a bad site with malware. But you would never be searching for news on celebrities, right? Recently someone I know was searching Old English literature and was the recipient of a drive-by download of the famous WinAntiVirus 2009. My point is that any search can produce a site that is infected, hijacked, or redirects you to another site with bad intentions.
If searches are dangerous, just how do you search for solutions to an infection on your computer? In my opinion, only research how to get rid of malware on a clean machine. Very often the malware will be coded to intercept or redirect browsing when you try to reach the major anti-virus vendors or related sites. Searching for ways to rid a computer of malware on the infected machine itself will usually only give the user more chances for further infection.
Does this mean an end to searching on Yahoo, Bing or Google? Of course not. It simply means that the more informed you are, the better off you will be and the better you can protect yourself and your computer.
Let's break down one of the typical scareware or malware sites that people often see just before infection occurs. In the image I have circled some of the key points and will break them down in order from top left to bottom right. Let's begin (click the image below to enlarge it).
1. The first real indication that this is a fake begins at the address bar. Notice it shows a Web site address, yet the premise is to get you to believe this is your My Computer screen in Windows XP. This template is very typical of those associated with WinAntiVirus 2008, 2009 or 2010. This screenshot shows Internet Explorer, but I have also seen the same thing on a Mac Pro running Safari: the very same type of screen, along with the tiny animation I'll discuss later, was displayed there. Thankfully for that user it was painfully obvious that it was a hoax trying to induce action.
2. The next items are the drives and folders. The number of threats listed is far too high to have been found so suddenly; most scans take several minutes at best on the high-capacity drives we use today. A question to ask yourself if you see this is: do you have multiple drives? Some of us do; most folks don't. If you are in the latter group this should be a dead giveaway. The second question to answer is: is that my optical drive type? A plain DVD-RAM drive is not nearly as common as DVD-RW type drives.
3. Next we see the animation in real time. In this picture it is shown at the end of the very short animation. The idea is to trick you into thinking that a real scan is taking place. In reality a real scan would never be that quick, and in this case the number of threats found was already listed under the folders. Another dead giveaway for those who are informed.
4. The number of threats is given as 527 underneath the scan bar, yet the numbers under the folders add up to 595 if my math is correct. It is very common to find little errors such as these on fake sites. An observant and informed eye will catch them quickly.
5. The next item follows suit with item number four: bad grammar. In case you can't read the text in the image, I will reproduce it here. "Your computer remains infected by threats! They might lead to data loss and file structure damage, and needed to be heal as soon as possible." (space) "Return to Personal Antivirus and download it secure to your PC." I'm not an English major, but I can see the mistakes in the grammar and structure of those sentences.
6. Lastly we have the payload button, "Full System Cleanup". Up to this point we only have a Web page, one that may or may not be designed to keep coming up long after you leave the infected site. This is one of the reasons a lot of anti-malware products do not pick up on the threat until it is too late: so far nothing more than viewing the site has happened. If they succeed in getting you to click this button, watch out. The code it downloads will be very small and very fast. It will most likely install in mere seconds and disable any built-in protection. You will definitely need anti-malware tools to get rid of it if you click this button.
While this breakdown doesn't cover all scenarios, it is very typical of the scareware tactics in use. Always be wary of sites that claim to see your drives and their contents. Look for what's out of place or doesn't feel right. Keep an eye out for logos of major publications or sites that appear as endorsements. The fake ones will not link to the real site and usually won't link to anything.
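As an added example (my own code, not the author's and not taken from the post), here is a small Python checker that applies three of the indicators above to a constructed page resembling the one described: a Web address on a page posing as My Computer, per-drive threat counts that do not add up to the stated total (595 versus 527), and endorsement badges that link nowhere. The HTML sample, the `analyse_scan_page` function and the `example.invalid` addresses are all constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample mimicking the fake "My Computer" scan page the post describes (not a real capture).
FAKE_SCAN_PAGE = """<html><head><title>My Computer</title></head><body>
<div class="drive">Local Disk (C:) - 312 threats found</div>
<div class="drive">Local Disk (D:) - 201 threats found</div>
<div class="drive">DVD-RAM Drive (E:) - 82 threats found</div>
<div class="total">Scan complete: 527 threats found</div>
<img src="badge.png" alt="As seen in a major PC magazine">
<a href="http://example.invalid/setup.exe"><button>Full System Cleanup</button></a>
</body></html>"""

class _PageWalker(HTMLParser):
    # Collects visible text and records <img> elements that are not wrapped in a link.
    def __init__(self):
        super().__init__()
        self.link_depth, self.unlinked_images, self.chunks = 0, [], []
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self.link_depth += 1
        elif tag == "img" and self.link_depth == 0:
            # Fake endorsement badges are usually bare images that link nowhere.
            self.unlinked_images.append(attrs.get("alt") or attrs.get("src") or "")
    def handle_endtag(self, tag):
        if tag == "a" and self.link_depth:
            self.link_depth -= 1
    def handle_data(self, data):
        self.chunks.append(data)

def analyse_scan_page(html, page_url):
    # Apply the post's indicators to a page and return the findings as a dict.
    walker = _PageWalker()
    walker.feed(html)
    text = " ".join(walker.chunks)
    per_drive = [int(n) for n in re.findall(r"\([A-Z]:\)\s*-\s*(\d+)\s+threats", text)]
    stated = re.search(r"Scan complete:\s*(\d+)\s+threats", text)
    stated_total = int(stated.group(1)) if stated else None
    return {
        # Indicator 1: a Web address in the address bar while the page poses as a local Windows window.
        "pretends_local": page_url.startswith(("http://", "https://")) and "My Computer" in text,
        # Indicator 4: per-drive counts that do not add up to the headline total.
        "drive_sum": sum(per_drive),
        "stated_total": stated_total,
        "count_mismatch": stated_total is not None and sum(per_drive) != stated_total,
        # Closing advice: endorsement logos that do not link to the endorser.
        "unlinked_logos": walker.unlinked_images,
    }
```

Running `analyse_scan_page(FAKE_SCAN_PAGE, "http://example.invalid/scan")` reports all three indicators on the sample; a real local file browser view would trip none of them.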
I hope you have found this post helpful, and it is my hope that together we will all have a safer Internet experience. If you have questions on this post, please ask them in the comments and I will do my best to answer them.