
Issue 9 Oct 2010 | Page - 1


We fear viruses so much that now we are falling for fake anti-viruses. This issue of CHMag will try to throw light on the issue of Fake Anti-virus. It will cover more insight on Fake Anti-viruses in Tech Gyan and how to be safe from them. Accordingly I even made the poster say "Don't click it, Don't close it, Task manage it", and similar ways to prevent you from getting infected with Fake Anti-virus are in our Mom's Guide section. Removing Fake Antivirus using Malwarebytes is in Tool Gyan.

Unrelated topics in this issue will be Cyber Squatting in Legal Gyan and secure file wiping in Command Line.

BTW, are you coming to meet Bruce Schneier this December at http://clubhack.com/2010 ???


Fake Antivirus

Introduction
A sudden injection of fear is a very useful tool for getting people to do what you want. While surfing the Web you must have seen the above pop-up message or similar advertisements. A free PC scan, or an offer to clean your computer which it claims to be infected, is usually an attempt by a fraudulent person to install malicious software (malware) such as a Trojan horse, keylogger or spyware. Such software is referred to as Fake Antivirus, also known as Rogue Antivirus. Google's analysis of 240 million web pages over the 13 months of study uncovered over 11,000 domains involved in Fake AV distribution, or roughly 15% of the malware domains detected on the web.

Possible names:
Antivirus XP, Antivirus 2009, Antivirus 2010, Security scan 2010, Winfixer, DriveCleaner, Internet security 2010, XP Antivirus Pro, XP-shield, PC Clean Pro, Data Protection, etc.

Possible Images
There are many variations of Fake Antivirus, from "nano" to "pro" to "defenders", plus assorted alerts and warnings. You can see them all below.

How can a system get infected?
The most common way Fake Antivirus software gets on your system is the result of you clicking on a malicious link in an advertisement or similar pop-up message. The advertisement or the pop-up is usually alarming, made to get your attention and attempt to convince you to scan your PC or clean it immediately with the given tool. The given tool is mostly very cheap and sometimes free too, hence tempting the user to use it. If you click the link you might land on a website similar to the one in the image to the left. As you see in the image above, this is in a web browser; it is not a screen from my computer, but the website designer makes it look like my computer. You will also notice that it shows 100% scanning for viruses, but when you want to scan using an online scanner, it must install some component on your PC, usually ActiveX; here it did not ask you to install anything, and a scanner cannot detect malware when nothing is installed inside the PC. Mostly the user will get tricked and press "Start protection" to remove the threats which actually do not exist. Then the browser will pop up a message saying a program wants to install, do you want to continue; the user again tends to say yes and hence falls into the trap.

Infection Vectors
1. Exploit kits
There are exploit kits which are released targeting PDF vulnerabilities. One of the recent ones is Phoenix. The Fake Antivirus spread is made through the Phoenix Exploit kit. Phoenix Exploit kit spreads a Trojan downloader exe.exe which establishes a connection to a particular host from which it downloads and executes the fake antivirus.

2. Spam emails
Fake Antivirus is usually sent to the victim as an attachment or a link in a spam message. The spam messages use social engineering techniques such as "password reset", "your wife's photos", "you have received an ecard", etc. to trick the users into running the attachment or clicking on the link.

3. Search engine optimization poisoning
Search Engine Optimization is a process of improving the visibility of a website to improve its ranking and traffic, thus appearing among the top search results. The attackers target the popular search terms, and when the users search for these terms the results will redirect users to a malicious website.

4. Legitimate looking websites
While searching for a genuine Antivirus, the Fake AV may appear in the search results looking like a legitimate one.

5. Social Networking Sites
Social Networking sites such as Orkut, Facebook, Twitter, etc. can also be used to post the link to the users, like a post saying "After checking out the reviews of many professionals I decided to use the following AV: http:// _____ AV.com", thus giving out a link which leads to the Fake AV website.

6. Fake Codecs
Codecs are often designed to emphasize certain aspects of the media, or their use, to be encoded. Thus codecs are needed to play some types of media files. Attackers use this method by making fake codecs which in fact are Fake AV installers, and thus trick the users into installing Fake AV.

7. Compromised websites
Users can sometimes be redirected to Fake AV websites by browsing legitimate websites which have been compromised, where IFRAME code has been injected; even some malicious advertisement on compromised websites may lead to the installation of Fake AV.

Effects of Fake Antivirus on your computer
Fake Antivirus can affect your computer in various ways. It makes changes to the system on which it is installed by installing malware, hence controlling and monitoring the user's actions and stealing the user's credentials like credit card details, passwords, etc. The malware may also use the user's system as a platform for compromising other systems in your network. It may flood your system with pop-up windows with false or misleading alerts. It may also slow down your system, corrupt files, disable Windows updates, disable legitimate antivirus and block some websites, hence preventing the victim from visiting legitimate antivirus websites. It may also alter system files and registry entries so that even if you remove the Fake AV, some of the infected files and the registry entries may remain, and due to this, after reboot the Fake AV may again be activated.

Pankit Thakkar
pankit@chmag.in


Preventing Fake Antivirus

Introduction
The threat of viruses has increased and computer users have a fear of getting affected with viruses. Knowing this concern of users, attackers have come up with this Fake Antivirus, which you may come across while surfing the internet through pop-ups or advertisements, or through a link in your mail which claims that your system is infected and this AV will clean up your system. Don't be fooled! Actually it offers no security and instead infects your computer with malware. Users should be aware of this threat since not only does it affect your system, but a user can also compromise their credentials like credit card details or their important passwords. One important thing they should keep in mind is that a legitimate antivirus company would never market its product using pop-ups or emails.

How to Identify a Fake AV
1. You may get a pop-up alert warning you that your system is infected and claiming to clean up your system, or similar fear-injecting pop-ups. As I said before, a genuine antivirus would never advertise using pop-ups.
2. You may be invited for a free security scan.
3. You may come across an advertisement to clean your system, to clean your registry, to enhance your computer performance, etc.
4. You may come across a website which claims that it has scanned your computer and asks you to download a software.
5. If an attempt is made through e-mail, the message is not addressed to the user receiving the mail; instead it would be addressed to "the account holder", "dear customer", etc.
6. As you can see in the above image, this is in a web browser; it is not a screen from my computer, but the website designer makes it look like my computer.
7. Injecting fear into the user's mind and prompting "Buy it right now"; a genuine antivirus always lets you download a free version before you buy it.
8. If your system has been infected, the Fake AV would slow down your system.
9. Other signs of infection include new wallpaper, new desktop icons, change of your default homepage, and pop-up alerts appearing even when you are not online.

To close the pop-up
If you come across a pop-up claiming you are infected, what would you do? Close it by clicking on "X"? That would be your first and last mistake. Don't click on "No" or "Cancel" or even the "X" on the top right corner of the pop-up. If you click it you will open the door to malware, as some malware is designed in such a way that any of those buttons can activate it. What should you do then? First close the browser, then if you are using Windows:
1. Press Ctrl + Alt + Del and open the Task Manager.
2. Scroll down the dialog box, find the name of the pop-up window and select it.
3. After you have selected it, click on End Task.
If you are using a Mac, press Command + Option + Q + Esc to force quit.

Fake Antivirus prevention tips:
1. Think before you click on a link.
2. Don't open an email attachment unless you are sure about the source.
3. Do not click on the pop-up alerts.
4. Use browsers like Mozilla which block pop-ups. For Mozilla, go to Tools -> Options, click on the Content tab, and uncheck "Enable JavaScript".
5. Check out the list of Fake Antivirus names to be aware of them.
6. Do not download freeware unless you are sure about the source.
7. Check on a search engine before downloading anything.
8. Keep your antivirus updated. Also use a good firewall.
9. If your antivirus software does not include antispyware software, you should install separate software with antispyware support.
10. Turn off ActiveX and scripting, or prompt for their use, so that if you visit a compromised website accidentally this would not allow the scripts to run.
11. Disable JavaScript in Adobe Acrobat Reader. To do this, click on Edit -> Preferences -> JavaScript and uncheck "Enable Acrobat JavaScript".
12. Regularly scan and clean your computer.

Pankit Thakkar
pankit@chmag.in


Malwarebytes to remove Fake Antivirus

Introduction
To remove Fake Antivirus and similar malware you can use Malwarebytes. It is easy to use and effective. For removing Fake Antivirus it is not necessary to buy the full version; the free version is sufficient. You can download the free version of Malwarebytes from http://www.malwarebytes.org/. It supports Windows 2000, XP, Vista, and 7 (32-bit and 64-bit).
If you are infected with Fake Antivirus, boot the computer in safe mode. Once you have downloaded Malwarebytes, double click the downloaded file and follow the steps to install the application on your system. Once the application is installed, double click on the Malwarebytes icon on your desktop to start the program.

Update
If you did not check for the updates during the install process, go to the Updates tab where you can see the current database version, associated date and the number of malware signatures. Click on "Check for Updates" to update the database.

Scanning
Once the application database is updated, you can start the scan. You can either go for a quick scan or a full scan. Select one of them and click on Scan to start the scan. If you go in for a full scan you will see the pop-up window as shown in the fig. to the right asking you to choose which drives you want to be scanned; select the ones which you want to be scanned and click Scan.
Once the scanning is completed, Malwarebytes will display the number of objects scanned, the number of objects infected and the time taken, as shown in the above image. Click on OK to close the scan completed message.

Removal of the malware
Click on Show Results and you will see the below window displayed with the list of malware found, with its location on your system. For now "No action taken" is listed for all the infected objects so that you can check if anything has appeared in the list which you don't want to remove. Once you have gone through the list and checked the objects, click Remove Selected to remove the malware from your system. The below image shows how the removal process looks.
After Malwarebytes is done with removal of the malware, it will automatically display a scan log as shown beside.
In the end it would ask you to reboot your system. Click Yes to reboot your system.

Pankit Thakkar
pankit@chmag.in


Cyber Squatting

Introduction
The idea of Cybersquatting originated at a time when most businesses were not savvy about the commercial opportunities on the Internet. Some criminals registered well-known companies' names as domain names with the intent of selling them back to the companies when they finally woke up. With the increasing use of online business for advertising, promotion & selling of products, domain names of companies gained equal value to that of a Trademark. Like the increase in other Cyber Crimes, matters of infringement of Trademarks & passing off are also increasing. This is called Cybersquatting. Existing Laws are still learning how to deal with Cyber Squatters.

What is Cyber Squatting?
Domain names serve as an identity on the Internet. They can be closely identified with the company, as customers surfing the Internet believe that the domain reflects the company's name, as the court suggested in MTV Networks Inc v/s Curry (S.D.N.Y. 1994): "A domain name mirroring a corporate name may be a valuable corporate asset, as it facilitates communication with a customer base."

A Cyber Squatter identifies popular trade names, brand names, trademarks, & even names of celebrities [Miss Universe Sushmita Sen was also a victim of Cybersquatting] & registers a domain name on their name with the malicious intention of extorting money from the persons who are associated with that domain name.

In the famous case of Intermatic Inc v/s Toeppen (USPQ2d 1412), the court expressed its opinion about Cyber squatters as: "They are the persons who attempt to profit from the Internet by reserving & later reselling or licensing domain names (incorporating a famous mark) back to the companies that own the mark."

In this sense Cybersquatters are violating the fundamental right of trademark owners to use their trademark.

International Scenario
Internationally, the United Nations agency World Intellectual Property Organization [WIPO] has been working since 1999 to provide an arbitration system where a trademark holder can register a claim against a squatted site. Keeping in view the practical difficulty in traditional litigation, ICANN (Internet Corporation for Assigned Names & Numbers) approved the UDRP (Uniform Dispute Resolution Policy). However, one of the shortcomings is that it just focuses on arbitration of the dispute, not litigation. Further, decisions under the UDRP can be overruled by traditional courts. Some countries have specific laws concentrating on Cybersquatting along with the traditional Trademark laws.

The first country to have legislation on this is the United States of America; they have introduced the Anti-Cybersquatting Consumer Protection Act, 1999. Under this Act a cybersquatter can be held liable for actual damages or statutory damages in the amount of a maximum of $100,000 for each name found to be in violation.

Australia also has a law to prevent Cybersquatting. It entitles the interested person to register a business name with an Australian Business Number (ABN) issued by the Australian Taxation Office. However, this has failed to protect Australia from such cybersquatting acts. Any Australian citizen over the age of 16 can obtain an ABN (which is free) and use it to register as many domain names as he/she wishes.

Considering the number of cases filed with WIPO, in 2010 1796 cases were filed with WIPO, while in 2009 and 2008 it was 2107 and 2329 respectively. On average, 84% of claims are decided in the complaining party's favor. (Source: WIPO Website)

Indian Scenario
The Indian judiciary, after realizing the importance of domain names, has woken up & responded strongly against Cybersquatting. They have formulated some legal principles regarding this ever increasing crime.

.IN is India's top-level domain (ccTLD) on the Internet. It is governed by the official .IN registry. The .IN registry was appointed by the government of India, and is operated under the authority of NIXI, the National Internet Exchange of India. The registry has formulated many policies for the registration and administration of .IN domain names. The most important policy is the .IN Dispute Resolution Policy (INDRP). It has been formulated in line with the UDRP, and with the relevant provisions of the IT Act. Under the INDRP there are two important documents:
1. The .IN Domain Name Dispute Resolution Policy (INDRP)
2. INDRP Rules of Procedure
INDRP disputes are decided by an arbitration procedure.

To my best knowledge the first reported Indian case on the topic is Yahoo Inc. v/s Akash Arora, 1999. The defendant's domain name Yahooindia.com was identically similar to the plaintiff's business name Yahoo. The Court expressed the view that though Yahoo is a dictionary word, it has acquired uniqueness & moreover it is the business name of the plaintiff. Such words have received maximum protection.

Thereafter, till date around 150 cases have been filed under the INDRP policy.

Conclusion
There must be some uniform law on this highly increasing crime, as it affects the goodwill of the owner of the Trademark, and it will also increase many other crimes like Credit Card fraud, cyber bullying & even pornography, & ordinary people will suffer a lot.

Talking about India, currently cases relating to Cybersquatting come under the Tort of Passing off & infringement of Trademarks. It is not a quick process & a speedy trial. To fight it, the current Trademark/Copyright Act should be amended to include Cybersquatting as an offence.

One of the major problems is about applying punishment. One view says that, though Cybersquatting is a form of blackmailing, it will be too harsh to apply the criminal punishment of blackmailing for the offence of cybersquatting. Another view says that though cybersquatting is a crime affecting society, its basic victim is the Trademark owner & he should apply for a Permanent Injunction restraining its use.

A better solution for this is to make a blacklist of cybersquatters. ICANN can create such a policy that punishes anyone found by a Court of Law to have cybersquatted. It may be losing domain name registrations, including those which are legal, & taking off all other benefits which he would probably receive from the use of the Internet. This would serve as a deterrent on other cybersquatters because infringing the benefits from the use of the Internet would definitely harm anyone in today's world.

Many times people find that paying the cybersquatter is the easiest choice. It may be a lot cheaper and quicker to come to terms with a squatter than to file a lawsuit or initiate an arbitration hearing; these court processes would take substantial time & money. Trademark owners should get united & decide not to fulfil Squatters' demands. All this should be stopped.

Future
If we see WIPO's experience, it shows that UDRP disputes are mainly concentrated in the .com domain. Attention must be paid to establishing a preventive mechanism against illegal registration in new generic top-level domains [gTLDs]. E.g. in 2005, ICANN approved the creation of new gTLDs like .travel, .jobs etc. If there is no strict policy for their assignment, Trademark owners have to compete with cybersquatters for their own Trademark.

Moreover, the process of registration of a Domain Name is not as strict as that of a Trademark. Anyone can approach a Domain Name Registrar & register any available domain name. The Delhi High Court in Aqua Minerals Limited v/s Pramod Borse [2001] PTC 619 (Del.) observed that if any person gets a domain name registered with the Registering Authority which is actually the trade name of some other person, the Registering Authority can't inquire into it to decide whether the Domain name was registered before as a Trademark & belongs to some other person. Such an inquiry is necessary.

The most important thing is that there must be co-ordination between the Registering Authority of Domain Names & the Trademark Registration Authority.

Sagar Rahurkar
sr@asianlaws.org
Sagar is a Law graduate. He is Head at Asian
School of Cyber Laws (Maharashtra). He
specializes in Cyber Law, Intellectual
Property Law and Corporate Law. He
teaches at numerous educational institutions
across India.


Wiping files securely

Introduction
This issue's Command Line Gyan is not directly related to Fake AntiVirus, but still we have something interesting for you. The idea this time is to delete a file and make sure it's not (easily) recoverable. We all know this kind of deletion is called wiping the file. We also know that there are a bunch of freeware & commercial tools to do so, but the idea is to achieve this from built-in commands/utils in a system. Remember you might get stuck on a machine where you don't have your favorite tool and might not be connected to the internet to download the same.
So let's see how we can achieve the same from built-in commands/utilities in both Windows & Linux environments.

Windows
What we have to start with is first deleting the file and then overwriting the area again and again to make it unrecoverable. To achieve the same, in Windows you'll find a command called cipher.

C:\> cipher /w:c:\windows

This command will overwrite ALL unallocated space (available unused space only) within the volume which holds the folder c:\windows. The directory specified can be anywhere in a local volume. If it is a mount point or points to a directory in another volume, the data on that volume will be removed. Don't worry, this won't delete c:\windows or even any content inside.
Pretty neat, loved it. But the only problem here is this command will overwrite the space only thrice: the first time with all zeros, the second time with all ones and the third time with random numbers.
Ok, I got your concern & even I have read that you should overwrite a space at least 25 times to make the data unrecoverable. So let's see how we can exploit this to achieve that.

3 * 8 = 24
3 * 9 = 27

I think even if we repeat this whole operation 8 times, it will suffice. You can choose 10 or 12 iterations also, but remember the time taken is directly proportional to the size of the volume & free unallocated area. So for the sake of our example, we'll do it 8 times.

C:\> for /L %i in (1,1,8) do @cipher /w:c:\windows

I remember those college days when we used loops to make life easier. In this example we'll run the same process of cipher in 8 loops, making it 24 iterations in total. Now I'm sure you'll be happy that data has been wiped properly.
Remember I have cautioned you: the time taken is directly proportional to the size of the volume & free unallocated area.

Linux
I loved it this time 'cause the Windows method wasn't that difficult. But Linux is always easy.
The command here is shred, which is there in most of the distros. In case of shred you won't have to delete the file first & then overwrite; this itself will take care of all.

# shred -n 3 -z -u myfile

Ok, it's very obvious from the command itself that -n 3 means 3 iterations, which can be changed to 25 as per the above scenario. -z specifies that zeros are to be written in the final iteration so that it looks blank, & -u removes the file.
Pro: I don't need to do it on the whole volume, just the file.
Con: This command is for a file, what about the whole disk?
Con! Did I hear a con in the Linux environment?? No way. Here's the solution:

# shred -n 3 -z /dev/sdc

If you notice we haven't specified -u here, so it won't delete the file pointer itself from the system.
What if shred itself is not installed? Now in such case, please it
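As an added example (not from the article), here is a POSIX shell approximation of "shred -n N -z -u FILE" built only from dd, head, tr and wc, for the case where shred is not installed. It generalizes the cipher pattern from the Windows section: each round writes zeros, then ones, then random data, so 8 rounds give the article's 24 overwrites, followed by a final zero pass (like -z) and an optional unlink (like -u). The function names and the temporary file are constructed for this example.

```sh
#!/bin/sh
# Added example, not from the article: an approximation of "shred -n N -z -u FILE"
# using only POSIX tools. Each round writes the same three patterns cipher /w uses
# (all zeros, all ones, random), so ROUNDS=8 gives the article's 24 overwrites.
# Assumption: the filesystem rewrites blocks in place. On journaling, copy-on-write
# or SSD-backed storage the old blocks may survive; that caveat applies to shred too.

# pattern_stream BYTES PATTERN: emit BYTES bytes of zero, one or random data.
pattern_stream() {
    case $2 in
        zero)   head -c "$1" /dev/zero ;;
        one)    head -c "$1" /dev/zero | tr '\0' '\377' ;;
        random) head -c "$1" /dev/urandom ;;
        *)      echo "unknown pattern: $2" >&2; return 1 ;;
    esac
}

# wipe_pass FILE PATTERN: overwrite every byte of FILE with PATTERN.
# conv=notrunc keeps the file's allocation so the same blocks are rewritten
# instead of being freed and reallocated elsewhere.
wipe_pass() {
    size=$(wc -c < "$1" | tr -d ' ')
    pattern_stream "$size" "$2" | dd of="$1" bs=4096 conv=notrunc 2>/dev/null
}

# wipe_file FILE [ROUNDS] [delete]: ROUNDS zero/one/random rounds (default 3,
# i.e. nine passes), then a final zero pass, then removal of the file when the
# third argument is the word "delete". Fails if FILE is not a regular file.
wipe_file() {
    f=$1 rounds=${2:-3} del=${3:-}
    [ -f "$f" ] || return 1
    i=0
    while [ "$i" -lt "$rounds" ]; do
        for pat in zero one random; do
            wipe_pass "$f" "$pat" || return 1
        done
        i=$((i + 1))
    done
    wipe_pass "$f" zero || return 1   # like -z: leave the file looking blank
    sync                               # push the last pass out of the cache
    if [ "$del" = delete ]; then
        rm -f -- "$f"                  # like -u: unlink after overwriting
    fi
}

# is_all_zero FILE: succeeds when FILE holds nothing but NUL bytes, which is
# what the final -z style pass should leave behind.
is_all_zero() {
    [ "$(tr -d '\0' < "$1" | wc -c | tr -d ' ')" -eq 0 ]
}

# Demonstration on a constructed temporary file (run with the argument "demo").
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp)
    printf 'constructed secret 123' > "$tmp"
    wipe_file "$tmp" 8 && is_all_zero "$tmp" && echo "24 passes + zero pass done"
    wipe_file "$tmp" 1 delete && [ ! -e "$tmp" ] && echo "file unlinked"
fi
```

Like cipher and shred, this only addresses the blocks the file currently occupies; copies left in unallocated space by earlier edits need the volume-level treatment described above.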

Rohit Srivastwa
rohit@clubhack.com

