Advice on preventing Internet Security 2010, Sysguard, etc.

[rshendrix]

We are having a few users continually getting infected with some of the latest security hoax trojans. What are others using to prevent this sort of thing?

We have Trend Micro AV installed and try to constantly educate on not clicking on every thing that pops up. Just looking for some advice on how others are handling this.

Thanks.

 

[ghost123uk]

I too have been trying to find a "proactive" defense against this one.

I (we) do not have a problem fixing it (on customers machines, 50/50 Home & Small Business) using a either use a Linux "quarantine" PC (re-imaged each use) with a variety of tools. Even booting on the host PC and running "the usual suspects", i.e. Malwarebytes, Spybot S&D, Hijack this etc will usually get shut of it.

However non of the A/V / Security products we have tried seem able to stop it getting onto a PC. This includes Norton, AVG's "Site adviser" or any of the other common products ( Kaspersky, McAfee,NOD etc )

The good advice above re keeping EVERYTHING up to date and perhaps using Firefox does not stop it either !!

It would be nice if we could find this elusive "Proactive Defense"

John in the N.W. UK - trading as "Small Business Computer Support"


JB - N.W. - UK....
If at first you don't succeed, keep at it until you can't even think straight !

 

[goombawaho]

I see this every day and would love to be able to tell people how to avoid getting it. Everyone has the Vundo trojan (behind the scenes) and then something like Antivirus something something or Security Center or Personal Antivirus popping up in their face on the screen or taskbar whining that they are infected.

 

[ronin77]

@ghost123uk...

Just out of curiosity, is there any correlation between the people who get the infections, and their use of PDF documents?

 

[ghost123uk]

@ghost123uk...

Just out of curiosity, is there any correlation between the people who get the infections, and their use of PDF documents?

No I don't think so.

My elderly mother got it a couple of weeks ago and she does not use PDF's, I don't think she even has Adobe reader on her laptop. She only opens emails she knows the origin of and only visits very ordinary websites (BBC, & flower arranging sites mostly !!)

One of our engineers got it on his gaming PC, not used for online games, just installed from CD/DVD games, though it is on the WAN of course.

We know it is a Vundo based thing but I don't think Vundo has to be present before the "Fake Antivirus" shows as many clean ups we have done do not show Vundo being present.

I am only guessing now (based on what we have learned along the way) but we reckon it arrives as a "drive by attack" from an infected website.

It seems pretty random though as we have never had it on the 2 Office PC's and they are allowed to go anywhere on the net (and often do :0 )

85% of the PC's we work on (and own) have Kaspersky 2010 installed (this does not prevent infection). AVG's "site advisor" (the green tick alongside URL's in IE and Firefox searches) does not prevent or alert either.

JB - N.W. - UK....
If at first you don't succeed, keep at it until you can't even think straight !

 

[kjv1611]

If like some previous versions of the fake AV apps, I don't believe they are all website based. I think some of them are getting onto PCs just via random pings for systems with just the right port open at just the right time.

For instance, about a year or two ago now, I setup a new media PC for our church's media ministry. At the end, I hadn't gotten on a website at all for a day or two, at least, and just had it connected to my home router... literally seconds from disconnecting it, shutting it down, and taking it to the church.

Next thing I know, whammo! Antivirus 2008 or 2009 or whatever it was at the time is trying to control the machine. So I figured, oh well, I'll just start over again. No way I'm going to chance something being left on a machine I'm taking to my church.

--

"If to err is human, then I must be some kind of human!" -Me

 

[2ffat]

This ComputerWorld Article suggests the 81% of infections come from PDF's, I personally have not seen it. Mostly I see these come from emails and websites.

James P. Cottingham
^{I'm number 1,229!
I'm number 1,229!}

 

[kjv1611]

I was already leary of "statistics", and with one like that, I'm even more leary. Those stats just don't make sense in the real world.

--

"If to err is human, then I must be some kind of human!" -Me

 

[ghost123uk]

If like some previous versions of the fake AV apps, I don't believe they are all website based. I think some of them are getting onto PCs just via random pings for systems with just the right port open at just the right time.

I think I am with you kjv1611 on this one (at least leaning that way )

It would explain why even "non surfers" such as my mother managed to get it.

Note to self - No don't even think about ZoneAlarm = hate it !!

Mind you, if that is the case, I wonder how it gets past the firewall in the router - afaic that should not allow incoming only traffic (pings etc) onto the PC's ports.

Interesting stuff

Keep it coming...


JB - N.W. - UK....
If at first you don't succeed, keep at it until you can't even think straight !

 

[2ffat]

I was already leary of "statistics", and with one like that, I'm even more leary. Those stats just don't make sense in the real world.

Wasn't it Mark Twain who said, "There are lies, damn lies, and then there are statistics" or something to that affect? ;-)



James P. Cottingham
^{I'm number 1,229!
I'm number 1,229!}

 

[ronin77]

The only reason I consider PDF's as a possible vector, is that when I clean up PC's that have had these infections, I almost always find at least one read-only PDF file with a "gibberish" name, in one or more of the temp folders -- which I rarely find when tuning up a non-infected PC.

This seems a little strange, although I suppose they could be legitimate. Next time, I'll snag some and take a closer look...

FYI, I don't believe anything I read on the Internet unless I can verify it through trusted sources. I'd like to point out that security software developers have a vested interest in NOT explaining their statistics. (Then again, they also have a vested interest in lying -- which anyone can get away with on the Internet.)

That's why I don't share info with AV developers... because they don't share any information back!


90% of being smart is knowing what you're dumb at.

 

[ronin77]

Speaking of sharing, I had a very rewarding virus-hunting experience today. Today, I documented some substantial evidence of how this fraudware is loading.

Initial symptom: Every time the customer powered up his laptop it would eventually display:

"Error loading c:\windows\system32\tihunedo.dll The specified module cannot be found."

I immediately recognized (and verified) that DLL as one of the infamous infections. However, other than that, there were no other symptoms of infection. He simply clicked "OK" and continued. There were no virus detection notifications. The system ran slower than it should, but other than that, it was ok.

Checking the registry, I found the value:

"wxvault.dll C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL vunakifa.dll c:\windows\system32\tihunedo.dll"

Under the key:

"hklm\software\microsoft\windows nt\currentversion\windows"

vunakifa.dll...
...is another confirmed Fraudware component. (Prevx)

GOEC62~1.DLL ....

" ...is used by objects that are classified as safe. It has not yet been seen to be associated with malicious software." (Prevx)

"... is located in a not identifiable folder. The file size on Windows XP is 0 bytes.
The program has a visible window. The application has no file description. Note: File does not exist any longer. The application is loaded during the Windows boot process (see Registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs). goec62~1.dll is not a Windows core file. Therefore the technical security rating is 25% dangerous, however also read the users reviews." (file.com)

wxvault.dll...
...is both listed as a "harmless" component, and a Vundo malware component. The "legit" description is that it is an encryption engine "related to Embassy Security Suite that comes installed on Dell Lap tops. [per]

http://www.dell.com"

I'm not going to say more than this. You high-level techies will be able to figure this out, and understand why I'm keeping my mouth shut...

Hope this helps!

90% of being smart is knowing what you're dumb at.

 

[goombawaho]

2ffat: "Mostly I see these come from emails and websites."

How have you managed to trace the source of the infection?? What is the method that can tell you where the malware came from?

I was not aware that you could trace the source unless someone was looking over your shoulder.

 

[2ffat]

I was not aware that you could trace the source unless someone was looking over your shoulder.

Which is exactly how I did it. Technically, I don't trace the exact source, I just see the results on certain web sites and from certain emails. Just this week, my wife kept getting this "warning" every time she clicked on a certain email. She didn't even have to open an attachment, just the email. By revisiting those sites or looking at those emails, I can reproduce this @#$%^ junk warning. That's one way I can trace it.

I've learned that no matter what you click on in their warning, it tries to download. I go into task manager and cancel it from there.

James P. Cottingham
^{I'm number 1,229!
I'm number 1,229!}

 

[goombawaho]

Right - that's what I do. Anything suspicious Process Explorer or Task Manager and start killing stuff off ASAP.

That's where most people can't/don't react and just get the junk installed.

 

[ghost123uk]

So, do we think that when the Fake Antivirus / Security alert 2010 (or what ever it calls itself this week) appears on the screen it is still possible to kill the process and remain un-infected.

Personally ( and imho of course )- I think not.

As I mentioned further up ^^ - we had a customer with a clean machine (checked by us the day before) and they got this, they turned it off straight away and brought it to us. We found it was infected with 6 infected files and 600 odd infected registry keys. We kept a copy of the Malwarebytes log file from this one in case it might help identifying what went on (but it doesn't :0 )

JB - N.W. - UK....
If at first you don't succeed, keep at it until you can't even think straight !

 

[2ffat]

So, do we think that when the Fake Antivirus / Security alert 2010 (or what ever it calls itself this week) appears on the screen it is still possible to kill the process and remain un-infected.

Yes. As long as you are quick enough to kill the process via task manager. If you click anything on the pop up, however, you'll start the download(s).


James P. Cottingham
^{I'm number 1,229!
I'm number 1,229!}

 

[goombawaho]

I think that when it pops up and says "scanning your computer - 544 threats found" it's way too late. You have to catch it before it has installed or not give it permission to install by NOT clicking on a strange prompt.

But even at that point, SOMETHING is on your system.

 

[ghost123uk]

I think that when it pops up and says "scanning your computer - 544 threats found" it's way too late. You have to catch it before it has installed or not give it permission to install by NOT clicking on a strange prompt.

But even at that point, SOMETHING is on your system.

I reckon this is true.

Still, back to the subject, how the flip can we block it from getting in in the first place.

This reminds me of the Blaster virus that came onto your machine just "by be being on the NET", (not dependent on looking at an infected website or anything like that).

MS produced a patch for that one !!
Should we hope they can do the same for this too (holds breath)

JB - N.W. - UK....
If at first you don't succeed, keep at it until you can't even think straight !

 

[ronin77]

I have found common registry installation points for these infections. If someone can find a way to block these keys from changes, lock out new entries -- or the equivalent -- it would go a long way towards a fast-and-simple solution. (Of course, it may not be possible -- this isn't my area of skill.)

1.) The USERINIT registry key:
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\WINLOGON >> C:\Windows\system32\userint.exe
is changed to
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\WINLOGON >> C:\Windows\system32\win32logon.exe

2.) The following VALUE is added as either an APPDLL key, or a BHO key:

C:\WINDOWS\SYSTEM32\WIN32EXTENSION.DLL

3.) The LSP provider HELPER32.DLL is added.


NOTE: If the infection execuables/extensions are deleted without correcting or deleting the corresponding registry key, the system may either BSOD on boot, or boot to a logon screen and loop back to the logon screen every time a logon is attempted. This appears to be because the registry keys are altered BEFORE the executables/extensions are downloaded AFTER the registry changes are made.


90% of being smart is knowing what you're dumb at.

 

[ronin77]

@ Ghost...

Today I had a very similar situation to the one you described where a customer reported that their PC had been reinfected. She said that since I had cleaned it, she had only visited foodnetwork.com, and checked her email on Yahoo Webmail (through her pop.att.yahoo.com webmail account.) she's a neighbor, and I believe her.

Any overlaps with what you're seeing?

90% of being smart is knowing what you're dumb at.