Fraud AV (ThinkPoint) not detected by Mbam

Giganews Newsgroups
Subject: Fraud AV (ThinkPoint) not detected by Mbam
Posted by:  Virus Guy (Vir…@Guy.com)
Date: Tue, 30 Nov 2010

A co-worker brings in her PC yesterday.  Apparently her SO was
web-surfing early yesterday morning and stumbled upon one of those fake
AV-scan web-pages, and must have accepted the download and install.
After that, it didn't want to boot properly (this is XP, either sp2 or
sp3).

When booted up, a program called "ThinkPoint" ran and basically wanted
you to buy a license, giving you no real access to the computer.

We removed the drive and slaved it to a known/good PC running XP-SP3 and
NAV 2002.  I updated the NAV definitions to yesterday's release (Nov 29)
and scanned the entire drive - it found nothing.

I then downloaded and installed Mbam on the known/good PC, updated it,
and it also found nothing when scanning the slaved drive.

I then searched the computer for "hotfix.exe", found it and moved it off
the drive (I have a copy of it).  The computer then ran fine.

I uploaded hotfix.exe to VirusTotal and it was detected by 13 out of 43
apps.  Strange that Symantec was listed on VT as a positive hit, but
it's not detected by the Nov 29 NAV definition download.  The machine in
question does run McAfee, but it didn't detect it either.

So much for modern AV software...

I then got into a typical debate with another co-worker watching all
this (he's an Apple fanboi).  Naturally he laughs whenever this happens
to a win-PC.  My position is that I don't see why a Mac user, when
presented with a suitably-crafted web page purporting to be the
computer's own AV scanner, couldn't also be tricked into
saying yes, ok, and yes - and hence infect his Mac with one of these
fake AV programs.

Does this phenomenon not exist in the Mac world?  Is there something
about the Mac that would make it more difficult or impossible to
socially engineer the Mac user into being tricked into downloading and
installing a piece of rogue software?

Replies