Last night I was researching some information about Vista. I went to
a legitimate help site I’ve used before. As soon as I clicked on the
site my machine became infected with “Antivirus XP 2008”. I have a
current CA Antivirus 2008, Windows Defender, and my firewall is active.
I immediately ran full system scans with CA and Defender in Safe Mode
with Networking. Nothing was detected. I found removal instructions at
bleepingcomputer.com using a free product called Malwarebytes’
Anti-Malware and it worked like a charm. Then I had to fix a missing
Desktop Tab in my display dialog box as well as edit the registry to
make the display wallpaper functional again. All of this leads up to my
I’ve been hearing a lot about “Antivirus XP 2008” recently, and it
seems to be active out in the wild.
The questioner goes on to ask 4 very good questions about this
particular attack, and web-site based attacks in general, and I want to
address each one individually.
First, if you’re dealing with “Antivirus XP 2008”, here are a couple
of resources to get you fixed up:
How to remove Antivirus XP 2008, the article the questioner references at
Information at Symantec’s Security Response center.
Antivirus XP 2008 details at Computer Associates.
On to the specific questions.
Why didn’t my CA AV and/or Windows Defender stop this attack? This
That’s a very good question. As you can see, I included a link above
to information on this specific threat on the CA website. Among other
things, that site includes the specific version of the CA anti-virus
database to which detection of “Antivirus XP 2008” was added: roughly a
month prior to getting the question (and updated about a week or so
What this leads me to wonder is whether or not you are, in fact,
getting the latest database updates automatically. If not, this could
be a classic case of why you should always make sure that all
anti-malware software is updating its database regularly: new threats
show up all the time. Regardless, it’s the first thing I would
Second, in some variations of this threat you must actually
click on the bogus warning message presented by the malware in order to
be infected. If you saw that message, and ran your scans prior to
dismissing or clicking on the message, you might not yet have been
But my money’s on the issue somehow being the database updates.
How did the malware get onto a legitimate website? Hackers? The site
You didn’t indicate the site (I’ll assume it wasn’t mine), so I can’t
comment on its legitimacy. Obviously, the webmaster can do pretty much
anything. In some cases, the webmaster is not necessarily the site owner,
but rather an employee or a contractor, so I suppose there’s always some
level of risk, but I don’t consider it to be all that high – again, if
this is a truly legitimate site.
More commonly, the culprit is a hacker.
In the past, we’ve associated hackers with destructive behavior;
things like defacing a site, deleting the site contents, or putting up
offensive material in its place. Lately, the tactics have shifted so
that a hacked site isn’t quite as obvious to the owner as it once was.
Hackers now do it with a purpose: to spread malware, or to game the
search engines. Depending on the underlying technologies used to
implement the web site, there may be security vulnerabilities that
would allow a knowledgeable hacker access in such a way that they could
quietly manipulate the site contents to include things like malware
This is the reason that contacting the site owner is exactly what
you should have done. It’s on them to listen to you, and I hope they
do, since I consider this the most likely vector for this particular
problem to have happened.
Another newly emerging class of attack vector is advertising.
Occasionally, malicious folks will actually purchase ads into which they
place the first step of their attacking code. Most ad networks will
immediately reject these types of ads, and actual successful use of
this approach has so far been very rare.
Do websites use any kind of anti-malware programs to keep from
Not really, since the threat is … different. There are certainly
things that could be scanned for, and as this threat is on the rise
this type of scanning is happening more and more. However, the web isn’t
quite like your PC. A “hack” could be a simple link or single line of
real “virus” is then referenced from a different website completely,
when your browser references that link.
The real solution for web sites, which will sound very familiar to
PC owners, is to stay aware of vulnerabilities discovered in the
software used to implement the web site, and to keep that software up
to date. In addition, website designers have the additional burden of
coding and configuring their websites properly to avoid common exploits
like SQL-injection, and malicious HTML posted in comments.
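The two coding mistakes just named, and the “single line that references the real payload elsewhere” kind of hack described above, side by side with their fixes. This is an added example, not code from the original article; the comments, the comment table and the malware.example URL are all constructed.

```python
import html
import sqlite3

# Constructed sample comments (not from the original article). The second one
# is the "single line" kind of hack the text describes: a tag that pulls the
# real payload from a completely different site (malware.example is made up).
SAMPLE_COMMENTS = [
    "Thanks, this fixed my wallpaper problem.",
    '<script src="http://malware.example/payload.js"></script>',
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)")
    return conn

def store_comment_concatenated(conn, body):
    # Vulnerable: the comment text is spliced into the SQL statement itself,
    # so whatever the poster types is parsed as SQL. An ordinary apostrophe
    # already breaks it; crafted input can do far worse.
    conn.execute("INSERT INTO comments (body) VALUES ('" + body + "')")

def store_comment(conn, body):
    # Hardened: a parameterized query sends the comment as data, never as SQL.
    conn.execute("INSERT INTO comments (body) VALUES (?)", (body,))

def render_unescaped(conn):
    # Vulnerable: stored HTML is emitted verbatim, so a posted <script> tag
    # runs in every visitor's browser.
    rows = conn.execute("SELECT body FROM comments ORDER BY id").fetchall()
    return "".join("<li>" + body + "</li>" for (body,) in rows)

def render_escaped(conn):
    # Hardened: html.escape turns < > & " ' into entities, so the same comment
    # is displayed as text instead of being interpreted as markup.
    rows = conn.execute("SELECT body FROM comments ORDER BY id").fetchall()
    return "".join("<li>" + html.escape(body) + "</li>" for (body,) in rows)

def demo():
    """Return (concatenated_insert_succeeded, unescaped_html, escaped_html)."""
    conn = make_db()
    for body in SAMPLE_COMMENTS:
        store_comment(conn, body)
    try:  # the apostrophe alone is enough to break the concatenated statement
        store_comment_concatenated(conn, "Leo's site wasn't the culprit")
        concat_ok = True
    except sqlite3.OperationalError:
        concat_ok = False
    return concat_ok, render_unescaped(conn), render_escaped(conn)
```

Run `demo()` to see the same stored comment come out as live markup from `render_unescaped` and as harmless text from `render_escaped`.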
Is there any program or tool available to scan websites before
No and yes.
No, in the sense that I’m not aware of a reliable service that does
this. There have been attempts, but they’ve typically caused more
problems than they’ve avoided. They unfortunately have a record of
“false positives”, flagging totally safe and legitimate sites as
somehow bogus, and raising so many false alerts that users ignore them
totally if they actually want to get anything done. (Yes, one did for a
while flag Ask Leo! as a malicious site, and nothing could be further
from the truth. No, I’m not bitter. Much.)
Yes, in the sense that ultimately these types of infections happen
like any other: a program gets downloaded and run on your machine. That
means that an up-to-date and properly configured anti-virus program
should catch it as it attempts to happen.