Great article. Very useful and detailed. Thanks
Cleaned this from my girlfriend's cousin's laptop. For those wondering, it does infect Vista. Of course I would not have had to do this if there was a virus guard on the machine. The young lady protested that she ran a full system scan twice a week and could not understand how she got infected. After a short investigation it became clear that she had mistaken the defrag utility for AV. As I live and breathe!!!!
She now has AVG-Free, Spybot S&D, Adaware and Microshaft MRT keeping an eye on her, but I know this will not be enough.
Check this out
I just typed in 'antivirus' into google.co.uk and guess what the top sponsored link was?
Antivirus XP 2008
BestAntivirus2009.com Highest protection… …with lowest resource usage!
Web hosting @bruceld
"I'd say, the best way to nip this type of activity in the bud is to go after their web hosts (which themselves are probably involved in the scam), then perhaps even their uplink providers. Doing a traceroute shows exactly where and when data flows throughout the internet and can be followed through IP addresses. It is actually very possible to pull the plug on their web sites anywhere along the traceroute.
Why isn't anyone using this technique to track the criminals?"
Oh, many people are, believe me.
The majority of these sites are hosted in the former Soviet Union, where they're beyond the reach of US law enforcement. I've seen these sites hosted on ISPs in Latvia, Moldova, and other former Soviet-bloc countries.
The political reality is that law enforcement in these places simply does not care. In fact, it's quite likely that law enforcement in these countries, such as it is, is highly corrupt and easily susceptible to influence from these same organized crime gangs. The Storm gang even appears to have allies in the highest levels of Russian government, for instance.
In many cases, these Eastern European ISPs receive their connectivity from an American outfit called WV Fiber (wvfiber dot com). WV Fiber responds to abuse reports by saying "We're not doing anything wrong; it's the ISP in Latvia that has the problem, not us." (When they respond to abuse complaints at all, that is. Mostly, they don't.)
Similarly, the domain registrar of choice, EST Domains, is headquartered in the US but responds to abuse complaints (on those rare occasions when they respond at all) by saying "Take it up with the hosting company, not us. We're not hosting them, we're merely providing registration service. What they do with it isn't our problem."
Another side effect
This program also messes with Symantec Anti-Virus (version 10 at least). We by default install NAV on all of our corporate PCs, and last week I received a support call regarding this exact piece of malware. Upon further investigation, I found that the malware had managed to disable the Symantec real-time scanning as well as the auto-update, so no matter how long after the malware was installed, Symantec would never detect it.
Where are Microsoft's lawyers?
There is a lot of infringement of Microsoft's copyrights going on there. It's going on in a context that damages the value of Microsoft's brands: a worse example of "passing off" is hard to imagine. So where are Microsoft's lawyers? Surely it's possible for the combined legal might of the Microsoft Corporation to accomplish something even in relatively hostile jurisdictions such as the Ukraine?
Or is it a black-helicopter job? Microsoft wants XP dead, and its security is different to Vista, so they're actually turning a blind eye and will later do something to make Vista more "secure" while leaving XP to be killed by the parasites?
Get a page filter
like Proxomitron, and block local file access until the option is in your browser ActiveX/Java settings. Then you'll just have a crap app in your temp files you won't even know about.
What if these predators refine their scam by correcting their English and interface errors?
They could probably also include code to detect the OS and send the appropriate crap. This could become "cross-platform" .....
How rampant could this get if they take care of all the obvious red flags?
BTW - I'm still not the original Paris quipster but I'll take a shot:
Paris, because even she knows this could be "hot".
Thanks for a great piece
Fantastic this one. Getting forwarded now
If all the points you raise were covered, then indeed this bunch of crims would increase the number of machines exploited. I guess there will always be trusting/gullible types who will install software without first checking it for peer review via Scroogle or similar search.
If one does a search for antivirus2009 and its relatives one would not install it. It is well documented as malware. I do not install anything on any of my machines without first looking it up for reviews, checking Bugtraq and looking further afield for any exploit related to the software. But then again I don't trust the Internet or what is available on it, period. Maybe I am just lucky, perhaps what some would describe as paranoia covers my ass, but the last machine I owned which got exploited/infected was my Amiga. Anyone remember the Saddam virus?
This kind of social engineering exploit is not going away, and as systems get more secure, which is the general trend, the weakest point of any system (the user) will become the increased focus of attack. So admins, lock down them boxes, enforce a strict security policy and educate. Your users ARE your biggest security risk.
If security policy is lax enough to allow users to install software, at least ensure users are trained to research the software they want to install, before they install it. A stitch in time....
good stuff (and some advice)
Well done - an excellent article.
I encountered similar problems with a friend's computer - they downloaded a rogue spyhunter app to deal with a long-time resident dialer - the rogue was NOT detected by Norton 360 - it introduced a number of trojans which ...
a) redirected google searches as you state;
b) replaced the desktop image with one stating the system was infected;
c) prevented browsing to anti-virus sites such as AVG, F-Secure, Trend Micro etc.
d) prevented existing a/v tools from updating.
I downloaded various apps with another computer and brought them to the infected machine with a USB key.
Uninstalling Norton 360 took about 45 minutes - very slow; AVG installed OK but would crash on scanning the boot sector.
Various other apps (from f-secure etc.) would not run unless I changed the executable name e.g. from fsbl.exe to fslbabc.exe and even then wouldn't execute properly.
So what worked ?
Malwarebytes' Anti-Malware app executed and found 39 trojans/malwares in a few minutes - it deleted these.
Gmer found another two (but it's not for novices and I was reluctant to use it to remove one).
SuperAntiSpyware was slow but detected another three.
And finally AVG (now able to run) found another one (only 4 hits in Google and all dating from Aug 26th) that the others failed to find.
... and all these apps will be run again tonight!
Good luck and thanks again for a superb analysis - apologies for the non-specificity of my own notes above re exact versions/trojan names etc.
In a corporate setting you shouldn't need to send a warning round. Anyone who has the rights to install anything on their computer shouldn't be the sort of person who'll fall for this.
Which reminds me - adnim - you're nearly on the money, but not quite. In my experience, the biggest security risks are stupid software vendors who still - even with Vista and its UAC - haven't figured out yet that their software has to run without requiring an admin security context. Worst offenders here are scanner software (why, HP, what on earth does the software need to do that requires these rights?) and PDA connection software.
The other security risk is of course IT Staff who forget to de-elevate users after having to elevate them to get PDA software installed (which often requires to be installed as the user who's going to make use of it - who must therefore be an administrator. Fuckwits!)
Penguin because this sort of "Let's all have root" fuckwittery was never allowed in Linux and letting it happen with Windows was one of Bill's mob's worst mistakes.
Update - Now AntiVirus 2009
Thanks for a great article. I now have a user (as of today) who has this on their machine. It is displaying the same symptoms but with AntiVirus 2009 instead of 2008.
hats off for such thorough investigation and reporting.
I was very impressed by the depth of this article. It appears the generic hackers are becoming more sophisticated. Those screen shots blew me away!!!
The usual stilted English and grammar errors were not present except in a few areas, too few to matter. This article actually scared the hell out of me!!
Thanks again for wonderful work!!
Nice article. I had a customer who paid for XpSecurityCenter, thinking he was buying from Microsoft. He printed out the payment and it looked official, except in the fine print the company was located in Moscow. The computer was supposed to have been cleaned by the software on Friday, but on Monday his ISP called him to say they had cut his Internet access, because his computer was used in an attack (as a zombie) and they needed proof of cleaning from the technician to reinstate the access.
As usual, the solution was to format the hard drive, to make sure there is no rootkit left over in the computer. I trust anti-spyware and anti-virus BEFORE the infection, not AFTER.
Thanks again for taking the time to write a nice detailed article
A most excellent and timely article. I just spent the better part of two days researching, scanning, and cleaning up a laptop infected w/ a variant of this crap! (His desktop system is scheduled for a purge on Tuesday -- long weekend here in the West.) It's nice to know that (so far, anyway) this junk is just trying to extort cash. It'll suck when they start using stuff like this to root around our disks for data and send keystroke logs back to the mothership.
I just wish our anti-virus software had caught the Trojan EXE *before* the user executed it.
Wow! Everyone is focusing on their personal experiences eradicating this crap-ware. Shouldn't we look at the bigger picture and concentrate on educating users? That is our only hope against social engineering scams like this.
I'm with you mate. This is too invasive to rely on cleaning alone. Having spent between two and three hours removing a variant once, I now simply back up data off line and reinstall. Using XP with SP3 slipstreamed in and then restoring the data is much quicker and guaranteed to work.
The experience of reinstalling all their apps is usually a salutary lesson as it takes the user some time of their own
I've had 2 clients infected with this crap & found that the desktop had been hijacked with a warning image and the desktop tab in display properties missing, so that you cannot restore your own desktop background. It has used a folder called rhcnkrj0etfg in Programs, which alerts you immediately that it is not a genuine program. Used AVG to clean, also cleaned the registry, but still had problems. Had to do a reformat / reinstall of XP.
Just posting to add...
...just seen this on a users personal laptop, and the Malwarebytes Antimalware (malwarebytes.org) software worked a treat.
I had a couple of hours free this morning so I decided to duplicate the excellent work by Mr Johansson. I got almost the same results on a perfectly clean XP install.
At the same time, on my main machine, I was looking for some information on an unrelated issue on Google Groups when I clicked on a link that took me to an almost identical site. It detected over 35 viruses and spyware and told me it could fix the issues no problem. This is despite the fact that I am running Linux :)
I have to say that both sites were very professional looking and I believe that a lot of people are going to be taken in by these scam artists, I wonder if the credit card companies could do anything about it?
Great article - one point
I thoroughly enjoyed reading through your article. I have often wondered how deep the rabbit hole goes, as it were, with these viruses. I have never had the time to do it myself, so thank you for a most interesting walkthrough. One point though: you say the rest of the dialogues were well written, but in all of them my eye spotted at least one spelling mistake or grammatical error [often missing conjunctives such as 'the']. (I'm sure the more obsessive-compulsive of the Reg readership will sympathise with me, as I am sure they do when reading BOFH, with its frequent mistakes [but then it is written by the BOFH, isn't it? He is clearly not the type to niggle.])
I must also say, for the sake of scores, I am writing this from an Aspire One (in blue).
If you think of it, this model is actually 100% replica of the War on Terror. Present nonexisting enemy, and get paid. The only difference is that this thing is about one-time purchase, while War on Terror is ongoing.
They tried this on my Ubuntu - FAIL
I was on planetemu.net the other day, and this got pushed to me - very amusing watching the fake scanner etc. I was running Ubuntu! It was very determined though - almost every action pushed up another dialog, as specified in this article. I right clicked the tab and closed it. My Dad however got fooled by this and I had to remove it. He thankfully didn't purchase though!
And getting the user to click OK beforehand?
Does it act as some kind of legal protection, even though it's practically impossible to cancel without killing the browser?
ITACS have a radio slot on Radio 4 "You and Yours" this Friday and a slot on Five Live this Saturday "Breakfast show" about this very problem. Thanks for all your comments. I will use them on the shows.
Had another 2 instances to clear this week, 1 again had the RootKit and it was much harder to shift this time.
Malware Bytes (http://www.malwarebytes.org/mbam.php) and FixIEDef (http://www.malwareteks.com/FixIEDef.php) shifted the XP AntiVirus infection.
Malware Bytes couldn't update until we had run through 1 scan and rebooted, it then updated, we ran a second scan and it shifted the rest.
FixIEDef sorted IE out.
Ran GMER (http://www.gmer.net/files.php) to check for Rootkits as we've had one as part of XP AntiVirus before and again found one this time.
Machine had loads of Hijacked Services which GMER and HIJACKTHIS (http://www.majorgeeks.com/download3155.html) shifted.
Every instance I've seen is slightly different to the previous one, this truly is a Tw@t to shift!
This is precisely why I won't give my g/f admin access
She's been pestering me for months for admin access to my spare pc so she can install some games and other bits & bobs. Of course, I won't give her and no matter how often I explain why she cannot understand. This is perfect for illustrating why.
The upside of course, is that my spare pc rarely ever crashes and just runs and runs and runs...because it's locked down so tightly.
As ever - the biggest risk is the user.
What a good article
Thanks for writing such a good article. I too have seen this on several computers and marvelled at how well written it was. Other things I saw this malware do once installed:
1) disconnect ethernet adapters
2) display a "your machine is infected" screen when you browse to any web site
3) suppress opening AVG Free and Spybot
4) Fake blue screens of death (ctrl+alt+del and then cancel to get back to your desktop)
In the end I downloaded Malwarebytes Anti-Malware and installed that (first killing the antivirus 2008 process in task manager). Malwarebytes successfully detected and removed over 20 malicious files from one machine.
The user claimed to have been infected after clicking a link in a spam about a receipt for airline tickets that I know has massively been doing the rounds.
Once again what a good document.
BBC picks up the story
Listen to Five Live this Saturday and Radio 4 "You and Yours" midday Monday.
Story built around this blog with a bit of personal experience built in. I have a computer shop and we have had close to 50 customers with this problem.
Thanks Bill for business.