Anatomy of a malware scam

Anyone who has a blog has probably seen blog spam; comments to the blog that simply try to entice people to go to some other site. Most of the time the site being advertised is simply trying to boost its search engine rankings to generate more ad revenue. The more links there are to a site, the more popular the search engines …

COMMENTS

This topic is closed for new posts.


  1. Jesse Bartholomew

    Another side Effect

    This program also messes with Symantec Anti-Virus (version 10 at least). We by default install NAV on all of our corporate PCs, and last week I received a support call regarding this exact piece of malware. Upon further investigation, I found that the malware had managed to disable the Symantec real-time scanning, as well as the auto-update, so no matter how long after the malware was installed, Symantec would never detect it.

  2. Nigel
    Black Helicopters

    Where are Microsoft's lawyers?

    There is a lot of infringement of Microsoft's copyrights going on there. It's going on in a context that damages the value of Microsoft's brands: a worse example of "passing off" is hard to imagine. So where are Microsoft's lawyers? Surely it's possible for the combined legal might of the Microsoft Corporation to accomplish something even in relatively hostile jurisdictions such as the Ukraine?

    Or is it a black-helicopter job? Microsoft wants XP dead, and its security is different to Vista, so they're actually turning a blind eye and will later do something to make Vista more "secure" while leaving XP to be killed by the parasites?

  3. Zmodem

    get a page filter

    Like Proxomitron, and block local file access until the option is in your browser ActiveX/Java settings. Then you'll just have a crap app in your temp files you won't even know about.

  4. Mark Hill
    Paris Hilton

    What if?

    What if these predators refine their scam by correcting their English and interface errors?

    They could probably also include code to detect the OS and send the appropriate crap. This could become "cross-platform" .....

    How rampant could this get if they take care of all the obvious red flags?

    BTW - I'm still not the original Paris quipster but I'll take a shot:

    Paris, because even she knows this could be "hot".

  5. John Foster

    Thanks for a great piece

    Fantastic this one. Getting forwarded now

    Cheers

  6. adnim

    @mark:whatif

    If all the points you raise were covered, then indeed this bunch of crims would increase the number of machines exploited. I guess there will always be trusting/gullible types who will install software without first checking it for peer review via Scroogle or a similar search.

    If one does a search for antivirus2009 and its relatives one would not install it. It is well documented as malware. I do not install anything on any of my machines without first looking it up for reviews, checking Bugtraq and looking further afield for any exploit related to the software. But then again I don't trust the Internet or what is available on it, period. Maybe I am just lucky, perhaps what some would describe as paranoia covers my ass, but the last machine I owned which got exploited/infected was my Amiga. Anyone remember the Saddam virus?

    This kind of social engineering exploit is not going away, and as systems get more secure, which is the general trend, the weakest point of any system (the user) will become the increased focus of attack. So admins, lock down them boxes, enforce a strict security policy and educate. Your users ARE your biggest security risk.

    If security policy is lax enough to allow users to install software, at least ensure users are trained to research the software they want to install, before they install it. A stitch in time....

  7. Michael Slevin

    good stuff (and some advice)

    Well done - an excellent article.

    I encountered similar problems with a friend's computer - they downloaded a rogue spyhunter app to deal with a long-time resident dialer - the rogue was NOT detected by Norton 360 - it introduced a number of trojans which ...

    a) redirected google searches as you state;

    b) replaced the desktop image with one stating the system was infected;

    c) prevented browsing to anti-virus sites such as AVG, F-Secure, Trend Micro etc.;

    d) prevented existing a/v tools from updating.

    I downloaded various apps with another computer and brought them to the infected machine with a USB key.

    Uninstalling Norton 360 took about 45 minutes - very slow; AVG installed OK but would crash on scanning the boot sector.

    Various other apps (from f-secure etc.) would not run unless I changed the executable name e.g. from fsbl.exe to fslbabc.exe and even then wouldn't execute properly.

    So what worked ?

    Malwarebytes' Anti-Malware app executed and found 39 trojans/malwares in a few minutes - it deleted these.

    Gmer found another two (but it's not for novices and I was reluctant to use it to remove one).

    SuperAntiSpyware was slow but detected another three,

    and finally AVG (now able to run) found another one (only 4 hits in Google and all dating from Aug 26th) that the others failed to find.

    ... and all these apps will be run again tonight!

    Good luck and thanks again for a superb analysis - apologies for the non-specificity of my own notes above re exact versions/trojan names etc.

  8. Anonymous Coward
    Linux

    @scarlet

    In a corporate setting you shouldn't need to send a warning round. Anyone who has the rights to install anything on their computer shouldn't be the sort of person who'll fall for this.

    Which reminds me - adnim - you're nearly on the money, but not quite. In my experience, the biggest security risks are stupid software vendors who still - even with Vista and its UAC - haven't figured out yet that their software has to run without requiring an admin security context. Worst offenders here are scanner software (why, HP, what on earth does the software need to do that requires these rights?) and PDA connection software.

    The other security risk is of course IT Staff who forget to de-elevate users after having to elevate them to get PDA software installed (which often requires to be installed as the user who's going to make use of it - who must therefore be an administrator. Fuckwits!)

    Penguin because this sort of "Let's all have root" fuckwittery was never allowed in Linux and letting it happen with Windows was one of Bill's mob's worst mistakes.

  9. Chris Johnson
    Thumb Up

    Update - Now AntiVirus 2009

    Hi.

    Thanks for a great article. I now have a user (as of today) who has this on their machine. It is displaying the same symptoms but with AntiVirus 2009 instead of 2008.

    Chris

  10. V.Srikrishnan

    Great article...

    hats off for such thorough investigation and reporting.

  11. Richard Claunch
    Thumb Up

    Well DONE!!!

    I was very impressed by the depth of this article. It appears the generic hackers are becoming more sophisticated. Those screen shots blew me away!!!

    The usual stilted English and grammar errors were not present except in a few areas, too few to matter. This article actually scared the hell out of me!!

    Thanks again for wonderful work!!

  12. Pierre Forget

    good article

    Hi,

    Nice article. I had a customer who paid for XpSecurityCenter, thinking he was buying from Microsoft. He printed out the payment and it looked official, except in the fine print, the company was located in Moscow. The computer was supposed to have been cleaned by the software on Friday, but on Monday his ISP called him to say they had cut his Internet access, because his computer was used in an attack (as a zombie) and they needed a proof of cleaning from the technician to reinstate the access.

    As usual, solution was to format the hard drive, to make sure there is no root kit left over in the computer. I trust anti-spyware and anti-virus BEFORE the infection, not AFTER.

    Thanks again for taking the time to write a nice detailed article

    Pierre Forget

  13. Don Buchholz
    Thumb Up

    excellent article

    A most excellent and timely article. I just spent the better part of two days researching, scanning, and cleaning up a laptop infected w/ a variant of this crap! (His desktop system is scheduled for a purge on Tuesday -- long weekend here in the West.) It's nice to know that (so far, anyway) this junk is just trying to extort cash. It'll suck when they start using stuff like this to root around our disks for data and send keystroke logs back to the mothership.

    I just wish our anti-virus software had caught the Trojan EXE *before* the user executed it.

  14. Mark Hill
    IT Angle

    User education

    Wow! Everyone is focusing on their personal experiences eradicating this crap-ware. Shouldn't we look at the bigger picture and concentrate on educating users? That is our only hope against social engineering scams like this.

  15. Damian Turner-Steele

    @pierre

    I'm with you mate. This is too invasive to rely on cleaning alone. Having spent between two and three hours removing a variant once, I now simply back up data off line and reinstall. Using XP with SP3 slipstreamed in and then restoring the data is much quicker and guaranteed to work.

    The experience of reinstalling all their apps is usually a salutary lesson as it takes the user some time of their own

  16. Anonymous Coward
    Anonymous Coward

    Nasty

    I've had 2 clients infected with this crap & found that the desktop had been hijacked with a warning image and the desktop tab in Display Properties missing so that you cannot restore your own desktop background. It has used a folder called rhcnkrj0etfg in Programs which alerts you immediately that it is not a genuine program. Used AVG to clean, also cleaned the registry, but still had problems. Had to do a reformat / reinstall of XP.

  17. Steven Raith

    Just posting to add...

    ...just seen this on a users personal laptop, and the Malwarebytes Antimalware (malwarebytes.org) software worked a treat.

    :-)

    Steven R

  18. Cormie
    Linux

    Double hit

    I had a couple of hours free this morning so I decided to duplicate the excellent work by Mr Johansson. I got almost the same results on a perfectly clean XP install.

    At the same time, on my main machine, I was looking for some information on an unrelated issue on Google Groups when I clicked on a link that took me to an almost identical site. It detected over 35 viruses and spyware and told me it could fix the issues no problem. This is despite the fact that I am running Linux :)

    I have to say that both sites were very professional looking and I believe that a lot of people are going to be taken in by these scam artists, I wonder if the credit card companies could do anything about it?

  19. Nathanael Bastone
    Stop

    Great article - one point

    I thoroughly enjoyed reading through your article. I have often wondered how deep the rabbit hole goes, as it were, with these viruses. I have never had the time to do it myself, so thank you for a most interesting walkthrough. One point though: you say the rest of the dialogues were well written, but in all of them my eye spotted at least one spelling mistake or grammatical error [often missing conjunctives such as 'the']. (I'm sure the more obsessive-compulsive of the Reg readership will sympathise with me, as I am sure they do when reading BOFH, with its frequent mistakes [but then it is written by the BOFH, isn't it? He is clearly not the type to niggle.])

    I must also say, for the sake of scores, I am writing this from an Aspire One (in blue).

  20. Anonymous Coward
    Anonymous Coward

    Looks familiar

    If you think of it, this model is actually a 100% replica of the War on Terror. Present a nonexistent enemy, and get paid. The only difference is that this thing is about a one-time purchase, while the War on Terror is ongoing.

  21. Jon

    They tried this on my Ubuntu - FAIL

    I was on planetemu.net the other day, and this got pushed to me - very amusing watching the fake scanner etc. I was running Ubuntu! It was very determined though - almost every action pushed up another dialog, as specified in this article. I right clicked the tab and closed it. My Dad however got fooled by this and I had to remove it. He thankfully didn't purchase though!

  22. Dan Silver badge

    And getting the user to click OK beforehand?

    Does it act as some kind of legal protection, even though it's practically impossible to cancel without killing the browser?

  23. Matt Woolley

    Antivirus 2007/8/9/Xp/Vista

    ITACS have a radio slot on Radio 4 "You and Yours" this Friday and a slot on Five Live this Saturday "Breakfast show" about this very problem. Thanks for all your comments. I will use them on the shows.

    Matthew Woolley

    Chairman ITACS

  24. David Adams
    Stop

    Evolving?

    Had another 2 instances to clear this week, 1 again had the RootKit and it was much harder to shift this time.

    Malware Bytes (http://www.malwarebytes.org/mbam.php) and FixIEDef (http://www.malwareteks.com/FixIEDef.php) shifted the XP AntiVirus infection.

    Malware Bytes couldn't update until we had run through 1 scan and rebooted, it then updated, we ran a second scan and it shifted the rest.

    FixIEDef sorted IE out.

    Ran GMER (http://www.gmer.net/files.php) to check for Rootkits as we've had one as part of XP AntiVirus before and again found one this time.

    Machine had loads of Hijacked Services which GMER and HIJACKTHIS (http://www.majorgeeks.com/download3155.html) shifted.

    Every instance I've seen is slightly different to the previous one, this truly is a Tw@t to shift!

  25. Nigel Wright

    This is precisely why I won't give my g/f admin access

    She's been pestering me for months for admin access to my spare pc so she can install some games and other bits & bobs. Of course, I won't give her and no matter how often I explain why she cannot understand. This is perfect for illustrating why.

    The upside of course, is that my spare pc rarely ever crashes and just runs and runs and runs...because it's locked down so tightly.

    As ever - the biggest risk is the user.

  26. Mike Bienvenu
    Thumb Up

    What a good article

    Thanks for writing such a good article, I too have seen this on several computers and marvelled at how well written it was, other things I saw this malware do once installed

    1) disconnect ethernet adapters

    2) display a "your machine is infected" screen when you browse to any web site

    3) suppress opening AVG Free and Spybot

    4) fake blue screens of death (ctrl+alt+del and then cancel to get back to your desktop)

    In the end I downloaded Malwarebytes Anti-Malware and installed that (first killing the Antivirus 2008 process in Task Manager). Malwarebytes successfully detected and removed over 20 malicious files from one machine.

    The user claimed to have been infected after clicking a link in a spam about a receipt for airline tickets that I know has massively been doing the rounds.

    Once again what a good document.
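    The symptoms the commenters report (a random-looking folder under Program Files and the Desktop tab vanishing from Display Properties in comment 16, real-time scanning and auto-update silently disabled in comment 1, security tools suppressed in comment 26) can be turned into a repeatable triage check that is run before anyone trusts a "cleaned" machine. The Python below is an added example, not code from the article or any commenter. It works over a constructed snapshot dict rather than a live registry so it runs anywhere; NoDispBackgroundPage and NoDispCPL are real Windows policy values, while the service names, the folder list and the "random name" heuristic thresholds are assumptions made for the example.

```python
"""Offline triage for the rogue-antivirus symptoms described in the thread.

Added example: a constructed snapshot of a Windows machine (Program Files
entries, user policy values, and the state of the real-time protection
services) is checked for the tell-tale signs the commenters reported.
"""
import re
from typing import Dict, List

VOWELS = set("aeiou")

# Policy values under HKCU\...\Policies\System that hide Display Properties
# pages. NoDispBackgroundPage removes the Desktop/Background tab, which is
# exactly the "desktop tab missing" symptom; NoDispCPL removes the applet.
HIDDEN_TAB_POLICIES = {
    "NoDispBackgroundPage": "Desktop/Background tab hidden in Display Properties",
    "NoDispCPL": "Display Properties applet disabled",
}


def name_looks_random(name: str) -> bool:
    """Heuristic for machine-generated folder names such as 'rhcnkrj0etfg':
    a long run of letters and digits with no spaces or punctuation, almost
    no vowels, or digits mixed into an unpronounceable string. Vendor
    folders ('Common Files', 'Malwarebytes' Anti-Malware') fail the
    character-class test and are never flagged."""
    lowered = name.lower()
    if len(lowered) < 8 or not re.fullmatch(r"[a-z0-9]+", lowered):
        return False
    letters = [c for c in lowered if c.isalpha()]
    if not letters:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    has_digit = any(c.isdigit() for c in lowered)
    return vowel_ratio <= 0.2 or (has_digit and vowel_ratio < 0.35)


def triage(snapshot: Dict) -> List[str]:
    """Return one finding per suspicious indicator in the snapshot.
    snapshot keys: program_dirs (list of folder names), policies (dict of
    policy value name -> int), services (dict of service name -> state/start),
    protection_services (names the AV product must keep running)."""
    findings: List[str] = []

    for folder in snapshot.get("program_dirs", []):
        if name_looks_random(folder):
            findings.append(f"random-looking folder in Program Files: {folder}")

    policies = snapshot.get("policies", {})
    for value, meaning in HIDDEN_TAB_POLICIES.items():
        if policies.get(value) == 1:
            findings.append(f"policy {value}=1: {meaning}")

    services = snapshot.get("services", {})
    for svc in snapshot.get("protection_services", []):
        info = services.get(svc)
        if info is None:
            findings.append(f"protection service {svc} is missing")
        elif info.get("state") != "Running" or info.get("start") == "Disabled":
            findings.append(
                f"protection service {svc} is {info.get('state')} "
                f"(start={info.get('start')})"
            )
    return findings


# Constructed snapshot, not taken from a real machine. Service names are
# placeholders for whatever the installed AV product calls its real-time
# scanner and updater.
SAMPLE_SNAPSHOT = {
    "program_dirs": [
        "Common Files", "Internet Explorer", "rhcnkrj0etfg",
        "Malwarebytes' Anti-Malware", "Windows NT",
    ],
    "policies": {"NoDispBackgroundPage": 1},
    "services": {
        "AvRealTime": {"state": "Stopped", "start": "Disabled"},
        "AvAutoUpdate": {"state": "Stopped", "start": "Disabled"},
        "Spooler": {"state": "Running", "start": "Auto"},
    },
    "protection_services": ["AvRealTime", "AvAutoUpdate"],
}

if __name__ == "__main__":
    for line in triage(SAMPLE_SNAPSHOT):
        print("FINDING:", line)
```

    On the constructed snapshot the check reports four findings: the random folder, the hidden Desktop tab, and the two disabled protection services. A machine that still trips any of these after a clean-up has not been cleaned, which is the point several commenters reached by reformatting instead.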

  27. Matt Woolley
    Gates Halo

    BBC picks up the story

    Listen to Five Live this Saturday and Radio 4 "You and Yours" midday Monday.

    Story built around this blog with a bit of personal experience built in. I have a computer shop and we have had close to 50 customers with this problem.

    Thanks Bill for business.
