Rogue Antivirus Product Wars

As you may or may not know, Kotori Technologies, LLC uses Sunbelt Vipre for most of our clients’ Anti-Virus needs. Here is an interesting article from Sunbelt in reference to the Antivirus Product Wars:

All antivirus companies are being hit with the next wave of malware: Rogue antivirus tools like Antivirus 2010. This code throws messages on the user’s screen that they are infected, and “download here to get rid of the malware”. Sure enough, that gets the trojan installed.
Our CEO Alex wrote about this: “For what it’s worth, as someone who is on the inside of an AV company and is intimately familiar with these threats, the reality is that no AV vendor, ESET, McAfee, Sunbelt, Sophos, Symantec, etc. can give you 100% coverage against it.
These new fake antivirus variants are some of the most vicious, polymorphic trojans this industry has seen. They use extremely complex obfuscation techniques which make detection quite challenging by even the best antivirus engine. Many of these rogues are also service-side polymorphic. That means every time an exe is downloaded, it’s recompiled on the server-side into a different piece of code.
And, there are about 75,000 new tier-1 pieces of malware coming out every day. So your AV vendor, realistically, is only going to be one layer of protection, no matter what the sales guy might say. (That being said, AV is a must. Just look at viruses like Conficker, Sality, Virut, etc. These are viruses that the industry does a pretty good job at, and if they get into your network and you don’t have endpoint protection, it’s quite messy.)

Key things to do are:
a. No Admin Privs. Try to run as many users on Limited User accounts as you can (always difficult, I know). It won’t stop all infections, but it does make a difference — probably 80% reduced infection vector.
b. Patch aggressively. The key exploit vectors right now are PDF and Flash, then Windows/IE. When I browse the web, I obsessively check Adobe and Flash to make sure I’m fully patched, and I constantly check Windows update. If you’re tight on funds and can’t afford a professional patch management solution like Shavlik or Lumension, Secunia has an excellent free / inexpensive solution. Or do it yourself, which depending on your network size, can be challenging. However, it really is an absolute must.
c. Educate your users. The vast majority of infections these days are caused by social engineering. A user will get a funny video link on Facebook or some other social networking site, click on it, and it will say that they need to “install a special codec”, or “update Flash”. Or they will be doing a Google search and a malware site will have attached itself to an innocent keyword. The user will click and start getting crazy warnings that their machine is infected. This is the malware trying to get the user to install.
d. Do malicious web filtering. There are tens of thousands of pieces of malware daily, but only a few thousand new malware sites a day. Many endpoint protection tools, including ours, offer malicious web filtering. Or use a web gateway proxy. If you’re tight on funds, set up a simple Linux gateway and download URL block lists from places like malwaredomainlist.com. It’s not perfect but it’s not bad either.
e. Submit malware files to AV vendors. Most, if not all, AV vendors take customer submissions very seriously, and the internal escalations are always senior to anything else.”
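Item d above suggests a simple Linux gateway fed by downloaded block lists. The script below is an added example, not from Sunbelt or Kotori: it assumes the list comes in the common hosts-file format (IP, hostname, optional comment), turns it into dnsmasq `address=` sinkhole lines, and checks hostnames against it so that subdomains of a listed domain are caught too. The sample list is constructed, not a real feed.

```python
"""Convert a hosts-format malware domain list into a dnsmasq sinkhole config
for a small Linux gateway, and check hostnames against it.
Added example; the sample list below is constructed, not a real feed."""
import ipaddress

# Constructed sample in hosts-file style: address, whitespace, hostname,
# optional '#' comment. A real feed would be downloaded from a list provider.
SAMPLE_LIST = """\
# malware domains - constructed example data
127.0.0.1  bad-codec-update.example
127.0.0.1  fake-av-2010.example   # rogue AV landing page
0.0.0.0    cdn.fake-av-2010.example
::1        flashupdate.example
localhost
"""

def parse_hosts_blocklist(text: str) -> set[str]:
    """Return the set of blocked hostnames from a hosts-format list."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # no hostname field on this line
        try:
            ipaddress.ip_address(parts[0])  # first field must be an address
        except ValueError:
            continue
        blocked.add(parts[1].lower().rstrip("."))
    return blocked

def is_blocked(hostname: str, blocked: set[str]) -> bool:
    """True if the host or any parent domain is listed, so a listed
    evil.example also catches www.evil.example."""
    labels = hostname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))

def dnsmasq_config(blocked: set[str], sink_ip: str = "0.0.0.0") -> str:
    """Render dnsmasq 'address=/domain/ip' lines; dnsmasq applies each
    entry to the domain and all of its subdomains."""
    return "\n".join(f"address=/{d}/{sink_ip}" for d in sorted(blocked)) + "\n"

if __name__ == "__main__":
    blocked = parse_hosts_blocklist(SAMPLE_LIST)
    print(dnsmasq_config(blocked), end="")
    for h in ("www.fake-av-2010.example", "example.org"):
        print(h, "BLOCKED" if is_blocked(h, blocked) else "allowed")
```

Drop the generated lines into a file under `/etc/dnsmasq.d/` on the gateway and restart dnsmasq; clients that resolve through the gateway then get the sinkhole address for listed domains.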

See original article by Sunbelt at: http://www.wservernews.com/archives/wservernews-20100322.html