SANS ISC InfoSec Handlers Diary Blog



2 Warners Contribute to the Diary today - Surfers beware

Published: 2008-12-23
Last Updated: 2008-12-23 22:03:11 UTC
by Patrick Nolan (Version: 1)
0 comment(s)

Thank you Warners! And all of you family IR staff get ready for the Holidays!

Gary Warner has posted "More than 1 Million Ways to Infect Your Computer", an interesting look at how "An unknown hacker has been on a Search Engine Optimization rampage to flood search engines with more than a million ways to infect yourself with his virus".

And earlier today, after a bout with some nasty malware, Joe Warner sent us Holiday wishes in the following Christmas story about Antivirus 2009.

An early present from the makers of Antivirus 2009!

Dear handlers,


Twas five days before Christmas and all through the house, no malware was detected on Windoze or MacOS.  When all of the sudden and to my surprise, my Daughter shouted "Dad!!!!!" with big/frightened eyes!  "I just wanted to play fashion dress-up and powder my virtual nose but when I went to the site, the Internet Explorer froze!  It then launched another window with scantily-clad girls and now nothing works, I can't even change my curls!!  Oh please help me fix this, did I do something bad?  Oh please help me Daddy and please don't get mad."

Indeed, it's with humble embarrassment that I report the first infection of any of my PCs in almost ten years.  Working in IT and following your advice over the years, I thought I was pretty much on top of things.  Sure, my wife's and my main computers are Macs, leaving my Daughter with a PC running XP Pro, but I've been pretty good about keeping that PC current on patches and antivirus updates.  I also had the router's firewall and the Windows one running but I found out, painfully, that that wasn't enough.

I'm sure you are all too familiar with the Antivirus 2009 virus?  Well, I'd never heard of it until last Saturday and wished I hadn't.  It blew right by my firewalls and install of McAfee, trashed IE, embedded itself in the taskbar, Documents and Settings, Windows\system32 and other crannies.  It wiped system restore and spawned processes that were impossible to kill.  A scan with McAfee didn't find anything.  Kaspersky's online scan found 6 infected files and showed me their locations but didn't provide any hints on how to get rid of them.  All the files were attached to running processes, so it wouldn't let me delete them and wouldn't let me kill the processes.

The next morning, after quite an exhaustive search with Google, I came across Avira's free rescue CD:

http://www.avira.com/en/support/support_downloads.html

I powered up another Windows PC that we don't normally use, made sure it was current on patches, downloaded and burned the Avira image.  Then, I booted the infected PC off the CD, waited for it to detect my Internet connection and update its signatures.  After that, I had it run its scan and in a short time, it finished saying it had detected 13 infected files.  It said it couldn't delete them but renamed them, placing a .XXX at the end.  I was then able to boot the PC, perform a search for those files using *.XXX and delete them.  After that, I performed a scan with F-Secure's BlackLight rootkit detection and elimination tool: http://www.f-secure.com/security_center/ , which found no malware.

I removed the shortcuts to IE, installed Firefox with NoScript, cleared out all temp folders and deleted the bookmark to the infected Fashion-Dressup site my Daughter had visited.

My PC appears to be back to normal now but after a compromise like that, I just don't trust that something wasn't overlooked.  So, I'll be reinstalling Windows again soon.

I hope you all enjoyed my little story, which proves that patches, firewalls, antivirus and proactive security measures aren't always enough.  On the lighter side, how is it that someone can program such nasty malware and not know how to spell?  AV 2009's popup windows displayed so many misspellings, it was actually quite comical.  I mean, it's pretty bad when you can't even spell the word "unauthorized" correctly.  Wow!

Merry Christmas to all at the ISC and may no malware byte!  ;-)

Joe
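As an added example (not part of Joe's letter or the diary), this is the post-reboot cleanup step Joe describes, the search for the files the rescue CD renamed with .XXX and their deletion, with each file's path, size and SHA-256 recorded first so there is a record of what was removed. The directory layout and file contents are constructed stand-ins for the cleaned volume; any file that still cannot be deleted is reported rather than ignored, since that means something still has it open and the disinfection is incomplete.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Suffix the rescue CD appended to infected files it could not delete (from Joe's account).
QUARANTINE_SUFFIX = ".XXX"


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory_renamed(root):
    """Walk root and record every file carrying the rescue CD's suffix.
    The match is case-insensitive, as a Windows *.XXX search is. Nothing is modified."""
    records = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.upper().endswith(QUARANTINE_SUFFIX):
                p = Path(dirpath) / name
                records.append({"path": str(p), "size": p.stat().st_size,
                                "sha256": sha256_of(p)})
    return records


def remove_renamed(records):
    """Delete the inventoried files; return (deleted, failed) path lists.
    A failure means something still holds the file open: the cleanup is not
    finished and the machine should go back to the offline scan."""
    deleted, failed = [], []
    for rec in records:
        try:
            os.remove(rec["path"])
            deleted.append(rec["path"])
        except OSError:
            failed.append(rec["path"])
    return deleted, failed


def build_constructed_sample():
    """Constructed stand-in for the cleaned volume: two renamed files, one to keep."""
    root = tempfile.mkdtemp(prefix="rescue_")
    os.makedirs(os.path.join(root, "system32"))
    for rel, data in [("evil.exe.XXX", b"abc"),
                      (os.path.join("system32", "drv.sys.xxx"), b"x"),
                      ("keep.txt", b"ok")]:
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    return root
```

Run `inventory_renamed()` on the drive root, keep its output as the incident record, then call `remove_renamed()` on that list.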

I've had reports of excellent, free help for removing rogue antivirus from Microsoft's technical support - "Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates".

Other links to descriptions containing information on parts of what Joe ran into:

CA:
http://community.ca.com/blogs/securityadvisor/archive/2008/12/12/identifying-and-removing-antivirus-2009-rootkit.aspx

MS:
http://blogs.technet.com/mmpc/archive/2008/12/10/win32-yektel-the-other-kind-of-rogue.aspx

http://www.microsoft.com/security/portal/Entry.aspx?name=Trojan%3aWin32%2fFakeXPA