Monday, August 3, 2009

If you can read this, thank a philosophy major

A Windows box in the house recently had a nasty case of the scareware, one of those fake virus removal thingies that pops up all kinds of frightening messages about how your computer is infected and you need to act now because, well, if your computer is acting like some rogue program has taken over, the only sensible thing to do is follow that program's instructions to remove the threat, right?


It's not just some web site gone amok. This thing has installed itself in the start menu. Shutting down the browser does no good. Rebooting does no good. Big-name virus checker is up-to-date, but says the computer is still vulnerable to intrusion. Offers a handy "fix" button for that. Which does nothing.


So, shut down the machine and go googling. A bunch of people are recommending roughly the same thing: download XYZ removal tool (a couple of people advise using some sort of "remove me" feature that the scareware authors have thoughtfully provided -- yep). One of the major publications appears to have given XYZ a good review. I visit the publication's site -- directly, not through a link, of course -- and the review seems to be there. So I go to the XYZ site. Um, is there an SSL certificate on this download site? Um, no. For that matter, was there one on the major publication's site? Um, no.


Further down the list of hits, a couple of sites have instructions for manual removal: delete a suspicious-looking entry from the Windows registry. Delete some files that don't look like they belong there anyway. Fortunately, this isn't one of those "delete *.dll from your SYSTEM32 folder and everything will be fine" scams. So I restart the machine in "safe mode", fire up regedit, delete the files in question, alias a few useless-looking sites to for good measure and reboot.

Problem solved. Unless it only looks like it's solved.


You know what really bothers me here? It's not the annoyance of the malware itself. It's the epistomological nightmare that ensues. How would I know that that download site was legit? Probably it was, but you'd think a security software provider would think to buy a certificate. But even if they had, how sure could I be?

What makes me think the manual removal instructions were legit (besides a rudimentary knowledge of how Windows works and the fact that the annoyance seemed to stop)? Do I know that the malware is really gone and not just gone into stealth mode? Was it a decoy for something else? Do I cut the red wire or the blue one?

Who knows?

Who wrote the malware? The straightforward theory is a bunch of criminals just trying to harvest credit card numbers. The sneakier theory would be the upstart security provider with the removal tool. Subtheory A: They're just trying to steal market share from the big guys. Subtheory B: They're distributing malware themselves, disguised as a removal tool for a fake removal tool. Clever, what?

But I say it was a philosopher. Somewhere in the basement of some liberal arts department, a bitter post-doc is howling with laughter as all the computer geeks that went on to lucrative engineering jobs get what's coming to them.

Well played, sir or madam.

1 comment:

David Hull said...

Note to self: Arguably we're in the same nightmare, not so much with malware as with information itself.