Malware: One Victim's Story

Tim, who suffers from spinal and liver cancer, visited a Web site he saw on TV and lost control of his computer to rogue antivirus software.

Thomas Claburn, Editor at Large, Enterprise Mobility

February 13, 2008

When you have spinal and liver cancer, computer infections are the least of your worries. But even the least of worries can diminish your quality of life.

Tim, a resident of Aberdeen, Wash., just wanted to play some online games, his friend Sharon explained over the phone on Tuesday. Sharon provided her last name and address, but asked that it not be published because Tim and she are dealing with identity theft, in addition to cancer.

Tim, she explained, saw a TV ad for an online bingo site while watching Fox News recently. Upon visiting the site, Tim lost control of his computer.

"My friend loves online games," said Sharon. "I'm always telling him to be careful. But when you see it advertised on TV, you figure it's safe."

Tim had been redirected to malware-alarm dot com, one of several variant Web domains associated with the MalwareAlarm rogue antivirus software. The site receives 31,147 unique U.S. monthly visitors, according to Quantcast.

MalwareAlarm presents visitors with a dialog box that asks permission to perform an antivirus scan. No matter what choice is made, MalwareAlarm opens a browser window and displays what looks like an antivirus scan. At the conclusion of the scan, the software claims that it has found malware and offers to install more software to fix the problem.

Roger Thompson of Exploit Prevention Labs has produced a video that shows how MalwareAlarm works.

It appears that there's nothing wrong with the bingo site itself. Spyware researchers at Sunbelt Software saw no evidence of malware at the site.

In an e-mail, Alex Eckelberry, CEO of Sunbelt Software, suggested that a malicious Flash ad may have been responsible for redirecting Tim to the MalwareAlarm site.

Malicious ads are a growing concern for Google and just about every other company that depends on Internet advertising. Google, in fact, just issued a report that found 2% of malicious Web sites were delivering malware via advertising.

"With the increasing use of Ad syndication (which allows an advertiser to sell advertising space to other advertising companies that in turn can yet again syndicate their content to other parties), the chances that insecure content gets inserted somewhere along the chain quickly escalates," Google's report says. "Far too often, this can lead to Web pages running advertisements to untrusted content."

According to Sharon, MalwareAlarm held Tim's computer hostage, providing no way to exit a maze of dialog boxes. A sophisticated computer user perhaps could have broken free, but Tim isn't an expert. His only option, as far as he could tell, was to pay $29.95 for 6 months of malware protection, $49.95 for 1 year of malware protection, or $79.95 for a lifetime of malware protection.

Sharon tried to contact the supposed company behind this purported service to ask for help removing MalwareAlarm from Tim's computer. She sent a note to the only address apparent with MalwareAlarm active, [email protected].

The reply she received read: "This is not our fault that our product is being installed on the PC over and over again. We work with hundreds of affiliated advertisers. This is possible that one of them uses illegal methods of advertising. We would appreciate your help in finding the criminal."

It's typical for the operators of malicious sites to respond to support e-mail with claims of innocence, Eckelberry said.

Sunbelt Software spyware researcher Patrick Jordan said that the group behind MalwareAlarm has a long history in the malware business. " is a part of the SpyWareNo family of rogues," he said in an e-mail. "[Its] DNS history shows ... it used was the first payment site for the SpyWareNo family of rogues which then transmits the actual payments through, which also has [had its] own line of rogues since November 2005 when the site was created."

According to Jordan, the malware group has been involved with rogue antivirus software since March 2005, with the release of SpyWareNo. In September 2003, the group created its first site under the alias of Alexandr Kruglov, he said.

Sharon said she hoped that by coming forward with her story, others might avoid the hassles she's facing. "Think of the billions of dollars that are being lost by innocent folks around the world," she lamented.

But even if Sharon can get Tim's computer cleaned up and restored, the damage has been done. She said she won't conduct any kind of e-commerce online because she can't trust Web sites.

Which raises another question: How many billions of dollars are yet to be lost by online companies that stood by and watched consumer trust wither?

About the Author(s)

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.
