Friday, October 16, 2009

The latest in malware: Security Tool is Impressive!

The "ransom-ware" application Security Tool impresses me--and that's a really bad thing.  This rogue application is quite slick.  Although it doesn't pretend to be part of the official Windows notification process as Antivirus 2009 and its ilk do, Security Tool would be quite convincing if it weren't so "over the top" and overbearing.  Once infected, your computer will bombard you with fake scans and messages that you're infected and need to purchase the full version of their product immediately.  My favorite is the taskbar balloons that say things such as, "malware.trojan is attempting to send your bank account information to a remote site!  Click here to prevent this."

Like most modern malware, Security Tool is not easily removed.  I used a combination of booting from BartPE, Spybot, Webroot, and Hijack This to slow it down and eventually (I believe) stop the little bugger.  Sadly, a reformat remains the only method of knowing with 100% confidence that all traces of the beast are gone.

After years of disinfecting computers, I finally witnessed a rogue app in action on my own computer a couple of weeks ago.  No, we didn't get infected, but it was close.  Annie clicked to allow a little app in Facebook (something I've done myself a dozen times or more) and it threw a little alert box up on the screen telling her the computer was infected--click OK to disinfect.  Annie didn't fall for it but called me over to see.  Now, if that can happen on my computer, which is fully patched and protected, it can happen anywhere.  I always knew that, but somehow it's different when you see it with your own eyes.

   --Rodger Ling


  1. I'm stating to build virtual machines for most of my web surfing. First I create a base model, and then I just replace it every now and then.

  2. Great idea: a virtual machine would limit the damage and make the clean-up painless.

    Meanwhile, yikes! Security Tool still had a hidden process running somewhere, because after hours of running the test machine, the evil beast tried to reinstall itself. The attempted failed, but the root process is still out there. There's a good chance that I could track it down and kill it, but that could take many hours and we STILL couldn't be sure. It's time to quit playing around and reformat.