#11, May 19, 2010, 04:27 PM
Perineum (Hall Of Fame, F@H)
Join Date: Mar 2009 | Location: Surrey, B.C. | Posts: 3,328
I don't run a firewall, other than my router.
#12, May 19, 2010, 05:18 PM
Banned (F@H)
Join Date: Aug 2007 | Location: mtl | Posts: 12,696
Had a physical/hw firewall setup once. Asked some uni screw heads to get through it (since they've been boasting their capabilities like flies on proverbial ahem)... poor bastuges gave up after a few weeks lol... I think it was a P1 or so running Linux.
#13, May 19, 2010, 06:23 PM
Perineum (Hall Of Fame, F@H)
Join Date: Mar 2009 | Location: Surrey, B.C. | Posts: 3,328
Quote: Originally Posted by Kayen
Was on 780tuners.com
facebook, and msn and youtube.
Oh, and I'd love to hear everyone else's theories on this, but I'm 99% positive it's coming in via advertisements.

People who have gotten variants of this "virus checker that blackmails you into buying their shitty software" app seem to have been on regular websites that they always use and that are safe.

Too many people I know who are careful seem to have been hit by this.

What does everyone else think of this theory?
#14, May 19, 2010, 06:39 PM
sswilson (Moderator, F@H)
Join Date: Dec 2006 | Location: Moncton NB | Posts: 11,448
Not completely sure where they come from, but IMO they're coming in through the browser as a script of some form rather than as a virus file that can be caught by a traditional AV. My own personal advice is to do a hard shut-down as soon as the first pop-up shows its ugly face... clicking on anything in the initial box gives it permission to install.

Pretty sure that the Malicious Software Removal Tool, which comes in monthly through Windows Update, addresses a lot of these threats.
__________________
ASUS SaberTooth 990FX / AMD 1090T / 2X4 Gig Gskill RJ X / XFX Pro 1000W PSU / 2X MSI 560GTX-Ti Twin Frozr II / Corsair F120 / WD 6401AALS
TT Lvl 10 GT / DDCPX-Pro / EK XT 240 Rad / 2X Scythe Ultra Kaze / EK Supreme HF / XSPC 250mm Res / Dell Ultrasharp 2209WA

Asus CH IV / Athlon II X2 250 / 4X2 Gig GSkill Pi PC3-12800 / 2X GTS 450 / PC P&C 750W Silencer / PA 120.2 /
MCR220-QP-Res / Swiftech MCP350 Pump / XSPC Laing DDC top / EK-Supreme HF / Lian-Li Pitstop T60 / Samsung 931BF
#15, May 19, 2010, 07:54 PM
LaughingCrow (MVP, F@H)
Join Date: Feb 2010 | Location: Southern Ontario | Posts: 283
Quote: Originally Posted by Perineum
Oh, and I'd love to hear everyone else's theories on this, but I'm 99% positive it's coming in via advertisements.

People who have gotten variants of this "virus checker that blackmails you into buying their shitty software" app seem to have been on regular websites that they always use and that are safe.

Too many people I know who are careful seem to have been hit by this.

What does everyone else think of this theory?
Yes. Known to be true. Some of Google's banner ads were known to carry viruses some time ago (can't recall offhand). Some of these work via the PDF vulnerability. There are a lot of people who just don't know anything technical about computers and the Internet, and they fall victim to the fake anti-virus testers, phishing, etc...

And even if you're well informed, the bad guys know one thing - they only have to succeed once, where a security system has to be perfect 100% 24/7.

Here's a link about an ad from Facebook that carries a virus:
Attention: New Facebook Virus Spreading Via FarmTown Ads – SoftSailor

Sneaky New Virus Spreads via Ads - PCWorld

and an ad from November 2009 on the New York Times:
New online virus threat comes via banner ads - Monsters and Critics
#16, May 19, 2010, 09:14 PM
Kayen (Allstar, F@H)
Join Date: Jul 2008 | Location: Edmonton | Posts: 697
Yeah, I've noticed a few friends who don't know too much about PCs being nailed by this. I promptly forwarded this to them as soon as you guys helped me out with it!
__________________
Kayen is stupid :D
#17, May 19, 2010, 09:48 PM
Killswitch (Allstar)
Join Date: Sep 2007 | Location: Sault Ste Marie, Ontario | Posts: 610
Quote: Originally Posted by Kayen
Anywho, problem solved! Thanks guys .
If I were you, I'd back up anything you might have that's important now that things are running "normal", and do a complete format and re-install of your OS. But that's just my opinion..... I'd feel dirty running a PC that just had a virus removed. Think of having a girlfriend that "had" syphilis earlier today, but now she doesn't. Yuck. Do over!
#18, May 19, 2010, 11:01 PM
burebista (Allstar)
Join Date: Sep 2007 | Location: Romania | Posts: 586
Quote: Originally Posted by Kayen
Any firewalls you'd recommend I run?
I'm very happy with Comodo Internet Security. It's doing a great job keeping a clean computer clean.
Also you can try PrivateFirewall, Online Armor (for x32), Outpost Firewall, PC Tools Firewall & Threatfire. All those are free and have a HIPS component.
If you're close to paranoia you can use Sandboxie too.
I'm also using Comodo Time Machine which is a Windows Restore Point with steroids. But be warned that on some configs things can go wrong with CTM. Very wrong.
And I always have an HDD image from Seven's built-in Backup feature and one from Macrium Free.
And of course browsing the net with Firefox+NoScript+AdBlock and trying to surf on the green side of the net and not clicking/opening unknown links in mails and messenger.
Trouble free for almost 13 years of surfing the net.
__________________
If it ain't broke... fix it until it is.

Last edited by burebista; May 19, 2010 at 11:48 PM.
#19, May 19, 2010, 11:24 PM
Perineum (Hall Of Fame, F@H)
Join Date: Mar 2009 | Location: Surrey, B.C. | Posts: 3,328
Quote: Originally Posted by LaughingCrow
Yes. Known to be true. Some of Google's banner ads were known to carry viruses some time ago (can't recall offhand). Some of these work via the PDF vulnerability. There are a lot of people who just don't know anything technical about computers and the Internet, and they fall victim to the fake anti-virus testers, phishing, etc...

And even if you're well informed, the bad guys know one thing - they only have to succeed once, where a security system has to be perfect 100% 24/7.

Here's a link about an ad from Facebook that carries a virus:
Attention: New Facebook Virus Spreading Via FarmTown Ads – SoftSailor

Sneaky New Virus Spreads via Ads - PCWorld

and an ad from November 2009 on the New York Times:
New online virus threat comes via banner ads - Monsters and Critics

Hey, thanks for this!

It seemed to be the only common denominator between all the events so I had a hunch I never followed up on.

Quote: Originally Posted by Killswitch
If I were you, I'd back up anything you might have that's important now that things are running "normal", and do a complete format and re-install of your OS. But that's just my opinion..... I'd feel dirty running a PC that just had a virus removed. Think of having a girlfriend that "had" syphilis earlier today, but now she doesn't. Yuck. Do over!
I think that's a bit overkill. Once you've got the main (or main 2 or 3) executable(s) the virus is disabled. Your A/V will pick up the stragglers over the next few weeks as it updates.

I've never had a problem.

Most people are uninteresting enough that bad people aren't going to do some custom job in order to backdoor their machine in a way that a virus checker isn't going to be able to clean up.

Also, you're free to read up on the virus and learn how it works....
#20, May 20, 2010, 08:10 PM
Top Prospect
Join Date: Apr 2010 | Location: Vancouver | Posts: 242
Quote: Originally Posted by Perineum
Too many people I know who are careful seem to have been hit by this.

What does everyone else think of this theory?
Malware can be installed on systems with or without any user interactions.

With "drive bys" where a victim only has to "land" at a malicious site, all you need is to get them to click on a link, which is fairly easy to do with social networking and URL shortening. However, in order for a malicious site to install code without user interaction/knowledge, it usually has to exploit some software vulnerabilities.

People know to keep Windows updated, but many malicious sites now exploit Flash, Acrobat and Java vulnerabilities to get their junk installed; many people neglect those and other plug-ins (though later versions of Firefox will check some of them).

For malware installations that require user interactions, it may vary from a few clicks to manually downloading a file and then installing it.

Most browsers will give pop-up warnings for potentially dangerous scripts/actions; however, badly coded webpages or vulns on the servers may allow hiding of those pop-ups and clickjacking of any user action. So a victim may think s/he was simply closing a "site survey" pop-up.

Manually downloading and installing something may seem inexcusable, but there may be extenuating circumstances; remember how long it took to get people to stop executing email attachments.

Many people still think that they can only get infected by going to porn, warez and other "risky" sites, but as you know, nowadays most web-borne malware is installed from compromised legitimate sites. The list of well-known sites that have been compromised in the past is long and includes ASUS and NY Times. Many of those were from malvertisement (which may require the user to click on the ad), but users associate it with the landing site.

Secondly, people are told how easily Windows can get infected and how essential it is to have an up-to-date antivirus. Now imagine a user visiting a legitimate site s/he has been to before, and suddenly there's this pop-up saying his/her system is infected and they need to download and run this file -- which their AV says is clean -- to remove the virus.

I can certainly understand why some people will download, run and even pay those FakeAVs.

As for defending against these threats, IMO the most important things are user education, making sure the system is patched up-to-date, and using a restricted user account for day-to-day computing.

With antivirus, effectiveness against such web borne malware varies greatly -- HTTP traffic needs to be scanned before it reaches the browser but some AVs still only scan files during disk I/O. Even if HTTP traffic is scanned, it's easy to bypass the signature detection engine by encoding scripts (some are generated dynamically) and updating the malicious payloads quicker than the AV vendors can update signatures.

AV/suites that include behaviour blockers (BB)/HIPS are much better equipped to deal with such threats; I personally don't recommend any AV that doesn't include them, but they are not foolproof either (since most require user interaction) and have not been as extensively tested as signature detection -- so there's no way to tell if the BB/HIPS in any of the AVs is as good as advertised.

Firewalls are not a good choice against this kind of attack. An inbound firewall doesn't block them. An outbound firewall may catch some components, but HIPS and BB are better and have less potential to cause conflicts.

Blocking scripts and Flash is great if you can live with blocking them on ALL sites; otherwise, while it does lessen the overall exposure, there's no way to tell if a legitimate site on which scripting and Flash are permitted by rule/user has been compromised.

And I never thought I'd say this, but with Vista and W7, IE is actually a fairly secure browser because it runs in "protected mode" and has much less privilege than Firefox and Opera. Chrome is pretty good too in that respect but then there's the privacy thing.

However, all the technology above is useless if the user finds it annoying (UAC gets disabled on many systems), doesn't know the security apps' limitations, and is convinced that they need to install that piece of software.

As for cleaning up, the only practical way to *guarantee* that an infected system is clean is to nuke and reinstall. However, that's usually not practical. Normally with FakeAV what you see is what you get, but that doesn't mean the bad guys won't/haven't changed their tactics and piggybacked other stuff with it. In addition to basic removal I would recommend at least changing any password that's stored in the browser, and for the paranoid, run AV scans from a Linux boot disc.
__________________
iK ©
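As an added illustration (not code from the thread or any poster), here is a PowerShell audit of the defensive points post #20 makes: a non-admin day-to-day account, UAC left on, IE Protected Mode enabled for the Internet zone, and recent patching. The registry locations are the documented Windows ones; the 30-day patch threshold is an arbitrary constructed choice.

```powershell
# Added example: audit a Windows host against the defences discussed in post #20.
# The 30-day threshold below is an assumption, not something the thread states.

function Test-DailyAccountIsAdmin {
    # True if the account running this script holds administrator rights.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-UacEnabled {
    # EnableLUA = 1 means UAC is on; the post notes it is often switched off.
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $prop = Get-ItemProperty -Path $key -Name 'EnableLUA' -ErrorAction SilentlyContinue
    return ($null -ne $prop -and $prop.EnableLUA -eq 1)
}

function Test-IEProtectedMode {
    # Value '2500' under the Internet zone (3): 0 = Protected Mode on, 3 = off.
    $key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    $prop = Get-ItemProperty -Path $key -Name '2500' -ErrorAction SilentlyContinue
    return ($null -ne $prop -and $prop.'2500' -eq 0)
}

function Get-DaysSinceLastHotfix {
    # Days since the newest recorded hotfix; $null if none carry an install date.
    $latest = Get-HotFix | Where-Object { $_.InstalledOn } |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
    if (-not $latest) { return $null }
    return [int]((Get-Date) - $latest.InstalledOn).TotalDays
}

$findings = [ordered]@{
    'Day-to-day account is NOT admin'   = -not (Test-DailyAccountIsAdmin)
    'UAC enabled'                       = Test-UacEnabled
    'IE Protected Mode (Internet zone)' = Test-IEProtectedMode
}
$days = Get-DaysSinceLastHotfix
$findings['Patched within 30 days'] = ($null -ne $days) -and ($days -le 30)

# One line per check; WARN marks the items the post says people tend to neglect.
foreach ($f in $findings.GetEnumerator()) {
    $status = if ($f.Value) { 'OK  ' } else { 'WARN' }
    Write-Output ("[{0}] {1}" -f $status, $f.Key)
}
```

Run it from the account actually used for daily browsing; run elevated it would report the admin check against the elevated token instead.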