This weekend I got a call from my father, who wanted my advice as the computer security guy in the family. It seems that my younger sister's laptop had become infected with a nasty little virus called Block Watcher, which had popped up a series of messages telling her that her computer was infected with a virus, and that she should go and purchase their product - for the low, low price of $30 - in order to clean her machine. Recognizing that something wasn't right, my sister called my father, who had in turn called me with his theory on how to best remove Block Watcher, since his early attempts had been unsuccessful.
I quickly suggested that he Google for a removal tool, since modern malware is much more difficult to remove than anything he'd be familiar with (his last experience removing a virus was some time in the early-to-mid 1990s). A half-hour or so later, he called back, and said that while he'd found a removal tool, something about the site made him uneasy, and he wanted me to take a look and see if I could tell whether it was legitimate. When I pulled up the site - hxxp://removal-tool.com (WARNING: LIVE MALWARE!) - it seemed just as odd to me as it had to him, so I decided to do a bit of research on the site itself. When I put the domain name itself into Google, one of the first hits was a blog post from the respected malware researchers at Trend Micro showing how this exact site was delivering malware itself!
I downloaded a copy of the executable that the site suggested could be used to remove Block Watcher and ran it through the free ThreatExpert.com analysis tool; the results are here. In addition to creating several files and registry entries on the target machine, the program opened up UDP port 1053 - as clear a sign of a back door as you'll ever get (in fact, SANS shows a recent uptick in activity on this port, and lists a pair of trojans associated with it).
The question I'm sure you have by now is, "So what? Why do I care?" The answer is simple: this sort of fake anti-virus scam is on the rise, and many users on networks that you run and/or are charged with defending aren't as suspicious as my father and my sister. In fact, according to a recently released report from Symantec, there were roughly 43 million attempts to install fake anti-virus software between July 1, 2008 and June 30, 2009. If you're watching over even a moderately large network, chances are that at least a few of your users have run across something like this.
Clearly, it's in your best interests as a network security professional to educate your users about scams like these - perhaps with the simple rule of thumb that "if any program on your system tells you that you have a virus, contact the IT department immediately." It doesn't hurt to run the VRT Certified rule set, either, since our spyware category contains rules for some of the most prevalent threats, like Spyware Guard 2008 (SIDs 16134 & 16135).
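If you'd rather not wait for a user to call, the two indicators from this post (a visit to removal-tool.com, and UDP traffic on port 1053 to or from an internal host) are easy to sweep your own logs for. The script below is an added example written for this post, not code from the ThreatExpert report, the VRT rule set or anyone else; the log format, the sample log lines and the IP addresses in it are constructed for the example, and the triage rule (a host with both indicators goes to the top of the list) is my own assumption about what's worth chasing first.

```python
import re
from collections import defaultdict

# Indicators taken from the post: the fake "removal tool" site and the UDP
# port the downloaded executable opened. Everything else here (log format,
# addresses, URL path) is constructed for this example.
ROGUE_DOMAINS = {"removal-tool.com"}
BACKDOOR_UDP_PORTS = {1053}

# Constructed log lines in a simplified proxy/firewall export format
# (an assumption; adapt the regexes to whatever your devices emit).
SAMPLE_LOG = """\
2009-10-12T09:14:02 proxy src=10.0.0.23 method=GET url=http://removal-tool.com/download.php
2009-10-12T09:14:05 proxy src=10.0.0.23 method=GET url=http://www.example.org/index.html
2009-10-12T09:16:40 fw proto=udp src=198.51.100.7:40211 dst=10.0.0.23:1053
2009-10-12T09:17:01 fw proto=udp src=10.0.0.23:1053 dst=198.51.100.7:40211
2009-10-12T09:18:13 fw proto=tcp src=10.0.0.44:51234 dst=203.0.113.5:1053
2009-10-12T09:20:00 fw proto=udp src=10.0.0.44:53211 dst=192.0.2.53:53
""".splitlines()

PROXY_LINE = re.compile(
    r"^(?P<ts>\S+) proxy src=(?P<src>\S+) method=(?P<method>\S+) url=(?P<url>\S+)$"
)
FW_LINE = re.compile(
    r"^(?P<ts>\S+) fw proto=(?P<proto>\S+) "
    r"src=(?P<src>[^:\s]+):(?P<sport>\d+) dst=(?P<dst>[^:\s]+):(?P<dport>\d+)$"
)


def host_of(url):
    """Return the lower-cased hostname of a URL, or None if it has no scheme."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:]+)", url, re.I)
    return m.group(1).lower() if m else None


def is_rogue_host(host):
    """Match the domain itself and any subdomain of it."""
    return host in ROGUE_DOMAINS or any(host.endswith("." + d) for d in ROGUE_DOMAINS)


def scan(lines):
    """Return (suspect_host, indicator, detail) tuples for every matching line.

    For UDP flows the suspect is whichever end sits on port 1053: the post's
    sample opened that port as a listener, so the 1053 side is the infected box.
    """
    findings = []
    for line in lines:
        m = PROXY_LINE.match(line)
        if m:
            host = host_of(m["url"])
            if host and is_rogue_host(host):
                findings.append((m["src"], "rogue-av-site", m["url"]))
            continue
        m = FW_LINE.match(line)
        if not m or m["proto"].lower() != "udp":
            continue  # TCP/1053 is not the indicator the analysis showed
        if int(m["dport"]) in BACKDOOR_UDP_PORTS:
            findings.append((m["dst"], "udp-1053-backdoor", f'{m["src"]}:{m["sport"]}'))
        elif int(m["sport"]) in BACKDOOR_UDP_PORTS:
            findings.append((m["src"], "udp-1053-backdoor", f'{m["dst"]}:{m["dport"]}'))
    return findings


def triage(findings):
    """Group indicators by suspect host."""
    by_host = defaultdict(set)
    for host, indicator, _detail in findings:
        by_host[host].add(indicator)
    return dict(by_host)


def prioritize(findings):
    """Hosts that both visited the rogue site and show UDP/1053 traffic, sorted."""
    return sorted(h for h, inds in triage(findings).items() if len(inds) >= 2)


if __name__ == "__main__":
    for host, indicator, detail in scan(SAMPLE_LOG):
        print(f"{host:12} {indicator:20} {detail}")
    print("isolate first:", prioritize(SAMPLE_LOG and scan(SAMPLE_LOG)))
```

A host that merely touched the site may only have been curious; a host that also has a UDP/1053 listener talking to the outside is the one to pull off the network and reimage. Treat any DNS or proxy hit on the domain as a reason to look at that machine regardless, since the download itself may have gone over a path your logs don't cover.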
Oh, and whatever you do, don't trust McAfee's SiteAdvisor for a determination on whether a particular web site is clean - they rate removal-tool.com as clean, despite the fact that 11 of the 17 user-submitted reviews on McAfee's own page say the page contains "Adware, spyware, or viruses". Clearly someone over there isn't paying attention. ;-)