Red Cross Antivirus

Hi all:

New here, and not sure if this is the proper place to post this. But I just got hit with something called the "Red Cross Antivirus." It was ugly.

A quick Internet search returns lots of information about it (i.e.: http://www.2-viruses.com/remove-red-cross-antivirus).

My question is: shouldn't my NOD32 (the latest version) have detected and prevented something like this from happening?

 

assuming that you have a modern OS fully patched and latest Eset AV product on that machine deployed the answer probably would be yes. yet, the setup of your Eset installation would come into play as well.

and not the least to say the user of the computer at the time of infection, since it does not look like a drive-by but something that was probably downloaded and executed on the machine with the consent of the user. this should not be offending, as most users expect 100% safety from their AV products, something of an illusion though.

there are many constantly evolving/morphing fake/rogue AV/scareware kits out - number constantly growing, hard for any AV vendor to keep track and none of them actually able to combat 100%. moreover those kits are not per se malicious in a sense of entirely compromising the machine but rather extorting small amounts here and there from users who would fall for it.

you may contribute samples and thereby helping the Eset community.

an additional safety feature might be sandboxed web browsing and execution of untrusted files. afaik the latest chromioum based browsers support the sandbox model for browsing - my favourite is SRWare Iron, else sandboxie application might help. or simple restore points prior executing unkown software and roll-back if the turn out is malicious.

above all and considering the reports only known here in the forum of NOD missing a growing number of threats in this league it would be highly appreciated if the detection technology/rate could take a bit of a leap forward - also sandbox might be an idea here

 

Removal guide Here Please do so with the assistance of a security professional.

 

Thanks. A systems restore took care of the problem.

But the question I'm trying to get answered is whether NOD32 should have prevented the problem in the first place. If so, why didn't it? If not, why not?

It's up-to-date, seems to be installed correctly and tells me that it's "...providing maximum protection for [my] computer".

 

As vtol wrote, rogue malware authors continually adjust their creations to evade detection by security solutions and test them before they release them. That's why it is important to care about security and not to rely on the antivirus itself to catch every single malware. Of course, every company acts proactively as much as possible and does its best to make it as hard for malware authors as possible but there's always one a step ahead. Sandboxing and HIPS improve protection but still are not a solution to preventing every malware infection.

 

thinking/speaking in the right direction, though I am not too sure about HIPS, however where is the development of NOD heading? speaking of which the 4 branch out for a while and no 5 branch for beta testing on the horizon, facilitating sandbox and some other features from the wish list?

not wanting to derail the thread but just musing why? is it fun,challenge or the the money in for the black hat? reckon that the AV engineers are top notch too and able to match the technical skills of the bad boys but lacking the creative mind of the dark side? is it against ethics to head-hunt a black hat to work for the other side or too risky of a cross that AV intelligence would leak?

 

Hello,

You shouldn't just rely on Windows own System Restore every time a Fake AV hits your computer nor on your Anti-Virus software.

As I keep saying, one ounce of prevention is much better than a pound of cure.

Here, PREVENTION is the key. If some thieves broke into your home and stole your property, you need to learn how to prevent this from happening in the future. Perhaps, you already had a home alarm installed but that did not deter the bad guys from breaking into. The same for the Anti-Virus [such as ESET NOD32]. They are just a layer of protection but you, as the user, are the one who can prevent fake AVs from infecting your computer.

Actually, as far as I know, nearly all the fake AVs out there are delivered through an EXPLOIT KIT [Eleonore, Phoenix, Zombie, CrimePack, etc.].
These so called exploit kits target mainly 3 vulnerabilities on your system: [1] Adobe Reader [PDF], [2] Java Runtime and, [3] Adobe Flash Player. You have to make sure that your computer is running the very LATEST versions of these 3 applications. If you don't have the latest versions of these 3 programs you can install Secunia Personal Software Inspector and scan your PC at least once a week for outdated programs or missing patches.

What those exploit do is when you are browsing a web-site, they scan your computer [through your browser] looking for outdated versions of the 3 aforementioned programs; if found, then they can crash your browser and deliver the exploit PLAYLOAD. The playload can be the Zeus v2 Trojan, the Rootkit TDSS, the Red Cross FAKE Antivirus and many more.

How to avoid this? Well, you could disable JAVA SCRIPT on you browser [Internet Explorer] since all these exploits need Java Script to exploit vulnerabilities in your browser and deliver the fake AV. But, disabling this is not practical in my opinion because nearly 90% of all web-sites need Java Script to render correctly in your browser. You then could switch browsers and use Firefox instead of MS Internet Explorer. If you install Firefox, install a very valuable extension to this browser. It's called NOSCRIPT. It will block JavaScript about 95% of all the web-sites with very few exceptions [Google, Msn, Yahoo, etc.]. For all the other web-sites, if you see they aren't working correctly because Java Script is disabled, just right-click on the page and from the drop down menu, select NOSCRIPT and “Temporarily Allow all this page”.

But...there is a catch here. If you allow the web-site to run Java Scripts in your browser, and the site had already been compromised [even being a legit one], you are out of luck.
Here is where SANDBOXIE makes its entrance. You can download Sandboxie and install it on your PC. Now, every time you want to start your Firefox browser, you may as well right click on its icon on your desktop and select : “Run Sandboxed”.

Now, every time you grant permission to a web-site to run Java Script on Firefox [through NoScript, of course], even if the site is compromised, Sandboxie will not allow you computer to be infected through an Exploit Kit and thus, the Red Cross AV.


I hope this helps.



Carlos

 

Perhaps some known Rogues could be added to the existing Rogue removal tools