Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances

Pretty Sneaky Sis - MS Antivirus and others w/ slick looks

Fledermaus
Newbie


Joined: 03 Sep 2008
Last Visit: 26 Mar 2009
Posts: 4

Posted: Wed Sep 03, 2008 12:50 pm    Post subject: Pretty Sneaky Sis - MS Antivirus and others w/ slick looks

I know you guys have probably seen this one, but thought I'd comment on it because these guys are really quite slick and I've had a recent outbreak on 3-4 workstations that has been somewhat tedious to clear up.

Basically, on startup you get a popup that is nearly identical to the Windows Security Center control panel interface telling you you're at risk and need to install/buy MS Antivirus right away. A fake scan occurs and several keyloggers and so on are "discovered". They even use the little yellow systray balloon popup (a la Windows Tour) to warn you about your security problem. I've seen a lot of "hard sell/panic" spyware but this is the most smooth-looking thus far. Examples of XP Antivirus, which is nearly identical, here: h**p://www.bleepingcomputer.com/malware-removal/remove-ms-antivirus

I took care of it with an initial A2 scan and then used SDFix to take out some bad winlogon services that may or may not have been related. Bizarrely enough, nobody (also tried CounterSpy and Windows Defender) detected the exes, only the dlls. I took care of those myself since they were easy enough to find from the million reg entries in HijackThis; my flavour was about 30 files named VIxxx.exe in \system32 with either no icon or an X icon.

Anyway, this isn't a removal thread since I took care of it, but I did have some questions:

- Does anyone know how new this is, or if it's related to XP Antivirus? Most of the discussion around MAS that I've found is around 2-3 months old, and I'd never encountered it before, and then 4 of my stations get it in one day.
- Are there other "slick" spyware like this out there I should be aware of? Theoretically even a beginner-intermediate user could get pulled in by the Windows-style formatting and quasi-official text, and I'd like to be forewarned. (I tried to find a list, but when searching for discussion about spyware you more often seem to find how to remove it.)
- From a copyright perspective, isn't this treading on the big M's trademark? Has Microsoft ever tried to claim "MS" in any context? Faint hope, but maybe it'd be enough to get these guys shut down.

As a general comment, this seems like a much more concerted effort to deceive the user than other spyware (well, properly adware I guess) I've seen in the past. It seemed like the older spyware was more about a technical solution: get embuggered in the user's system as much as possible. This seems almost more of a social engineering hack (combined with embuggerance, it's true). It makes me wonder what other routes they could take.

Since this is adware, the incentive is purely to sell the product by presenting a perceived threat. However, for purely non-"legitimate" purposes (e.g. bot army, zombies, etc.) how hard would it be to fake out, say, a Windows update? Flash Player update?
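The post above describes spotting the dropped files by hand: roughly 30 executables named VIxxx.exe appearing in \system32 at the same time. The following triage helper is an added example, not code from the original post; it walks a directory for executables that match that naming pattern and, more generally, for bursts of executables modified within a short window of each other, which is what a mass drop looks like regardless of the names used. The directory, pattern and timing values are assumptions; the demo builds a constructed directory so it runs offline.

```python
import os
import re
import tempfile
import time

# Naming pattern reported in the thread: VI followed by digits, .exe extension.
ROGUE_NAME_RE = re.compile(r"^VI\d+\.exe$", re.IGNORECASE)


def find_suspect_executables(directory, name_re=ROGUE_NAME_RE,
                             window_seconds=600, min_cluster=5):
    """Return (by_name, clusters) for the .exe files in `directory`.

    by_name:  sorted names matching the rogue's naming pattern.
    clusters: groups of at least `min_cluster` executables whose mtimes all
              fall within `window_seconds` of the earliest in the group;
              review such bursts against a known-good baseline.
    """
    exes = [(e.name, e.stat().st_mtime) for e in os.scandir(directory)
            if e.is_file() and e.name.lower().endswith(".exe")]
    by_name = sorted(n for n, _ in exes if name_re.match(n))

    exes.sort(key=lambda t: t[1])          # oldest first
    clusters, i = [], 0
    while i < len(exes):
        j = i
        while j + 1 < len(exes) and exes[j + 1][1] - exes[i][1] <= window_seconds:
            j += 1                         # extend while still inside the window
        if j - i + 1 >= min_cluster:
            clusters.append(sorted(n for n, _ in exes[i:j + 1]))
            i = j + 1                      # skip past this burst
        else:
            i += 1
    return by_name, clusters


def demo():
    """Constructed sample directory (assumption): six VI1xx.exe files dropped
    within seconds, one older legitimate-looking exe, one non-exe file."""
    d = tempfile.mkdtemp()
    base = time.time() - 3600
    for k in range(6):
        p = os.path.join(d, "VI10%d.exe" % k)
        open(p, "w").close()
        os.utime(p, (base + k, base + k))
    p = os.path.join(d, "notepad.exe")
    open(p, "w").close()
    os.utime(p, (base - 86400, base - 86400))
    open(os.path.join(d, "vi.txt"), "w").close()
    return find_suspect_executables(d)


if __name__ == "__main__":
    print(demo())
```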
suzi
Site Admin


Joined: 27 Jul 2003
Last Visit: 24 Oct 2014
Posts: 10331
Location: at the beach

Posted: Wed Sep 03, 2008 3:50 pm

Moved to more appropriate forum.
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.
wyrmrider
Warrior Addict


Joined: 25 Jun 2004
Last Visit: 17 Jan 2009
Posts: 730

Posted: Thu Sep 04, 2008 7:10 am

If you could post up the hits and the locations, we might be able to ID your MS variant.
datababe
Warrior


Joined: 13 Dec 2004
Last Visit: 10 Oct 2012
Posts: 217
Location: Inside your head

Posted: Fri Sep 12, 2008 7:59 pm

I do consider El Reg to be a bit of the Nat'l Enquirer of online tech rags, but they get interesting tidbits, and there was a great write-up on this here:

ttp://www.theregister.co.uk/2008/08/22/anatomy_of_a_hack/

Your experience sounds to me like another flavour of the same. I played with the same variant bug the author of the article did, and since my "dumpster diver" test machine was A) "real" (not a VM sandbox), and B) had no network connections, I got to see some interesting behavior. ET *did* try to phone home, and *did* attempt to hijack my browser (Firefox), even after it informed me that "for technically reasons, XP Antivirus cannot install" (thank you so much for that, fellas). There's more to this than meets the eye at first glance.

I've mopped up several variants of this at my place of work with a combination of Malwarebytes Anti-Malware, Ad-Aware, SUPERAntiSpyware (I keep wishing they'd chosen a less hokey title...), and some old-fashioned elbow-grease directory sweeping and registry scrubbing. YMMV.

FWIW, the thing can't even get started on Win 2000/98/95; the install bombs harmlessly. Let's hear it for security by obscurity! Well, in THIS case anyway...

There's also linkage between this and the clipboard hijinks, so I've come across. This is a concerted effort, and one of the most underhanded and determined to cross the wires of late. I've terms for these people, but I'll stop here. I don't want Suzi to have to edit or moderate my post.

(********)
_________________
- Datababe
Until you spread your wings, you'll have no idea how far you can walk.
http://redoakranch.x10hosting.com
http://datababe007.blogspot.com
wawadave
Warrior Obsessed


Joined: 25 Jan 2004
Last Visit: 24 Jul 2009
Posts: 3448
Location: Illegitimus non carborundum

Posted: Mon Sep 15, 2008 9:10 am

I have had my head in the sand doing artwork and delving into Ubuntu.

And I'm months behind on security issues. Found this to be an eye-opener!!
_________________
RFID tags! SPYWARE
Tired of proprietary Cor-pirationware?
http://www.openoffice.org/
Installing Vista http://tinyurl.com/2l9qyd
Fledermaus
Newbie


Joined: 03 Sep 2008
Last Visit: 26 Mar 2009
Posts: 4

Posted: Mon Sep 15, 2008 3:57 pm

Thanks for the heads-up, Datababe. The Register article was interesting. I guess what struck me about this one is that there were so many lines of attack instead of the traditional one or two.

My users picked up another 2 infections last week, and this one was even worse; it grabbed the LSP stack and was using that to prevent people from going to legitimate anti-spyware sites. Any time you typed in an address to go somewhere helpful you'd get redirected to a "the site you are trying visit may be insecure!" warning. (a-squared, McAfee, CounterSpy, even ZeroSpyware (are they even relevant anymore?)). I don't know if Suzi should be pleased or insulted, but it didn't try to block spywarewarrior.

Pulling it out of the LSP broke the stack and I had to LSPFix it. SDFix also detected a rootkit that wasn't in the previous week's infection. This one also broke the reg link to explorer.exe, so if you were to try and remove this normally:
- Explorer wouldn't run
- Network wouldn't work

Which I could see being pretty scary to a newbie, especially since for this one I just tried CounterSpy by itself first to see if it would take care of it.

Again, though, what I find most pernicious is the fakery associated with it; someone with a real mad on, who just wanted to do damage instead of peddling crap, could really hurt someone's computer by taking this approach.
Daveski17
Warrior


Joined: 17 Oct 2008
Last Visit: 17 Jan 2013
Posts: 118
Location: Rainy Olde England

Posted: Fri Oct 17, 2008 2:47 pm    Post subject: Openoffice.org ??

wawadave wrote:
    I have had my head in the sand doing artwork and delving into Ubuntu.

    And I'm months behind on security issues. Found this to be an eye-opener!!

Is there anything wrong with Openoffice.org? I use this; it was a freebie with a Java update. I actually prefer it to MS Word.
old_spyer
Newbie


Joined: 14 Jun 2009
Last Visit: 30 Aug 2010
Posts: 5

Posted: Mon Jun 15, 2009 5:54 am

Yeah, all of this occurs every time. I was hit with rogues too.

To the person who said that some users were infected again with 2 pieces of malware: Extract Explorer.exe from XP CDs!
datababe
Warrior


Joined: 13 Dec 2004
Last Visit: 10 Oct 2012
Posts: 217
Location: Inside your head

Posted: Wed Jul 22, 2009 9:36 am

^^^^ What old_spyer said. We've been seeing machines with explorer.exe replaced with the miscreants' own version, which can lead to some interesting behavior indeed.

LSPFix is one of the tools I put on every toolkit thumb drive I build. Don't leave home without it!
_________________
- Datababe
Until you spread your wings, you'll have no idea how far you can walk.
http://redoakranch.x10hosting.com
http://datababe007.blogspot.com
bhaalor
Junior Member


Joined: 20 Oct 2005
Last Visit: 24 Aug 2009
Posts: 25

Posted: Mon Aug 24, 2009 1:07 am

I just had to help a computer-illiterate friend pull this off his PC (or at least something very like it). He only really uses his PC at home for peeking at sports scores, email, and playing Second Life. I'm willing to bet it came with one of the various problems he's picked up while playing SL.