  1. #1
    New Lounger | Join Date: Apr 2010 | Location: laguna hills, california, USA | Posts: 3 | Thanks: 0 | Thanked 0 Times in 0 Posts
    Over a week ago my teenager came running into my room and woke me from a sound sleep (at 1:30 in the morning) yelling "Help Dad, help... My computer is being attacked."
    Groggy and grumpy, I went over to the other side of the house to see what he was talking about. Yep, sure enough, he was infected. Every time he ran an EXE program this fake virus scan window popped up and reported he was infected with a dozen or so problems and that he REALLY needed to download (and purchase with his credit card) the removal tool to save his bacon.

    Thank God he's not a real dummy (he's got his Mom's brains, not mine) and he did not buy the bogus fix program. (And he had unplugged his network cable to the house intranet.) Yeah!

    I explained the only real fix is to low-level format the drive and start over. The less than perfect fix was to restore a known good backup. He had a sad puppy dog face as he saw that his last backup was seven plus months ago. Darn, that program really needs to be on a schedule. What was the use of buying that extra hard drive and a copy of Acronis for?

    The third option, and a poor to mediocre fix, was to try to CLEAN the software contamination off the system.

    *** Okay, here is the REAL question to this post. This box was running the full $$$ AVG suite (version 9) and also had Spybot Search & Destroy, and had all the latest and greatest Microsoft security patches from Patch Tuesdays past... And he had quit trusting (and running) Internet Explorer a couple of years back and was running Firefox. How did the bad guys break in? He swore that he had clicked on nothing. He was positive. He was an angry young man. I explained the newest exploit was "Drive By Infection". You just had to visit the wrong site and then you were in trouble. What more can you do?

    That night was a long one. We ran MalwareBytes and then SuperAntiSpyware and it seemed to have gotten rid of it. We had to fix the registry and re-associate the EXE to running executables. Grrrr... the AVG did not do anything (took many hours to find nothing). And four days later the problem came back on that machine. The bad guys win again.

  2. #2
    5 Star Lounger | Join Date: Dec 2009 | Location: Milwaukee, WI | Posts: 737 | Thanks: 23 | Thanked 64 Times in 52 Posts
    Quote Originally Posted by Lon Rolland:
    That night was a long one. We ran MalwareBytes and then SuperAntiSpyware and it seemed to have gotten rid of it. We had to fix the registry and re-associate the EXE to running executables. Grrrr... the AVG did not do anything (took many hours to find nothing). And four days later the problem came back on that machine. The bad guys win again.
    You mostly did all the right things to fix this. Usually you don't have to reinstall the OS. I would additionally look up online the exact name of the fake A/V program and search for removal instructions. One of the more prevalent ones creates a directory under the root of C: with a random 6 or 8 digit number (I can't recall which). Simply delete that directory. For some reason none of the popular A/V & malware scanners can find this one easily. I gave up on AVG a few years ago when it failed to find a common virus on my daughter's machine that F-Prot had no trouble finding. F-Prot isn't free, but it's cheap and is good for 5 PCs in the house. More recently I've become a Kaspersky Internet Security user because, as you've discovered, you need more than just standard A/V these days. So far I've been happy with it, but I can't say whether it would have found your particular issue. I don't believe any of the packages out there can offer 100% protection.

    As far as where it came from, it's very likely he was on a perfectly legitimate web site that was the victim of a SQL Injection attack. With this it doesn't matter what browser you use. SQL Injection works like this. Let's say you're looking at an online catalog for your favorite hobby retailer. You search for an item and get a list of items. You click on one to get a photo, description, and price. The attack code intercepts the query request and injects a line of code that launches a download in the background. Voila! You've been hit with malware! And you still get the result you were looking for, so you have no idea you were hit.
    Chuck

  3. #3
    Super Moderator jscher2000 | Join Date: Feb 2001 | Location: Silicon Valley, USA | Posts: 23,112 | Thanks: 5 | Thanked 93 Times in 89 Posts
    Quote Originally Posted by Lon Rolland:
    *** Okay, here is the REAL question to this post. This box was running the full $$$ AVG suite (version 9) and also had Spybot Search & Destroy, and had all the latest and greatest Microsoft security patches from Patch Tuesdays past... And he had quit trusting (and running) Internet Explorer a couple of years back and was running Firefox. How did the bad guys break in? He swore that he had clicked on nothing. He was positive. He was an angry young man. I explained the newest exploit was "Drive By Infection". You just had to visit the wrong site and then you were in trouble. What more can you do?
    Suspects in order of decreasing probability would be out-of-date/vulnerable Flash player, Java Runtime Engine, Adobe Reader plugin, or RealPlayer plugin. Secunia PSI is useful in tracking down those types of issues. Although, at this point, you might as well just install fresh for all of them.

  4. #4
    Super Moderator jscher2000 | Join Date: Feb 2001 | Location: Silicon Valley, USA | Posts: 23,112 | Thanks: 5 | Thanked 93 Times in 89 Posts
    Quote Originally Posted by Chuck De La Rosa:
    SQL Injection works like this. Let's say you're looking at an online catalog for your favorite hobby retailer. You search for an item and get a list of items. You click on one to get a photo, description, and price. The attack code intercepts the query request and injects a line of code that launches a download in the background. Voila! You've been hit with malware! And you still get the result you were looking for, so you have no idea you were hit.
    A more traditional definition of SQL injection is that an attacker sends a dangerous query to the back end database. What you're describing sounds a bit more like a cross-site scripting (XSS) problem, where the page has been compromised because the site replays third party content without effectively scrubbing it. I suppose that could be accomplished through a SQL injection attack on the server.

  5. #5
    New Lounger | Join Date: Apr 2010 | Location: laguna hills, california, USA | Posts: 3 | Thanks: 0 | Thanked 0 Times in 0 Posts
    Thank you all for your advice. We all run the Secunia PSI here at the house. It's a very good free tool. I am not sure when the boy ran it last on his box. Most likely too long ago. Another thing needing to be put on a scheduler...

    The software security person where I work gave me some advice to try. What do you think?

    He said to use OpenDNS and plug their IPs into the router. Is that going to make a difference?

    Then he said a bigger step would be to load in a free copy of VMware Player and then the boy would be browsing in a "sandbox". But that seems like a lot of work and I'm just naturally lazy... Is there a "VMware for Dummies" book? Or a sandbox setup for the mentally challenged? (me, not the boy)

  6. #6
    5 Star Lounger | Join Date: Dec 2009 | Location: Milwaukee, WI | Posts: 737 | Thanks: 23 | Thanked 64 Times in 52 Posts
    Quote Originally Posted by Lon Rolland:
    Then he said a bigger step would be to load in a free copy of VMware Player and then the boy would be browsing in a "sandbox". But that seems like a lot of work and I'm just naturally lazy... Is there a "VMware for Dummies" book? Or a sandbox setup for the mentally challenged? (me, not the boy)
    Instead of VMware Player, use Sun VirtualBox. It's more comprehensive and more robust. It's perfect for a home user to virtualize an operating system. I can't say I know of a simple tutorial for virtualization. It's not really all that difficult if you already know how to install and configure an operating system. The hard part is getting the sense of how it uses the existing memory and CPU of the physical computer.

    Quote Originally Posted by jscher2000:
    A more traditional definition of SQL injection is that an attacker sends a dangerous query to the back end database. What you're describing sounds a bit more like a cross-site scripting (XSS) problem, where the page has been compromised because the site replays third party content without effectively scrubbing it. I suppose that could be accomplished through a SQL injection attack on the server.
    You are correct. The method I described is one of the more common ones that affects end users, and it's one they've been talking about a lot in security seminars the past year or so. The result in either case is that the attack goes unnoticed.
    Chuck

  7. #7
    Lounge VIP bobprimak | Join Date: Feb 2009 | Location: Hinsdale, IL, USA | Posts: 2,482 | Thanks: 176 | Thanked 152 Times in 129 Posts
    Quote Originally Posted by jscher2000:
    A more traditional definition of SQL injection is that an attacker sends a dangerous query to the back end database. What you're describing sounds a bit more like a cross-site scripting (XSS) problem, where the page has been compromised because the site replays third party content without effectively scrubbing it. I suppose that could be accomplished through a SQL injection attack on the server.
    Cross Site Scripting can be largely thwarted in Firefox by using the NoScript plug-in, and being very careful as to when and where to allow a few necessary scripts to run. It takes a bit of practice, but there are very few sites which will not run with most of their scripts disabled.

    And in answer to the VM suggestion, this would almost ensure that no updates would ever be applied to the underlying OS or software and plug-ins, which actually raises the risk of a successful infection. Sandboxing has its places, but Windows security is not one of those places.
    -- Bob Primak --

  8. #8
    3 Star Lounger | Join Date: Jan 2001 | Location: Marietta, Georgia, USA | Posts: 296 | Thanks: 9 | Thanked 4 Times in 4 Posts
    Quote Originally Posted by Chuck De La Rosa:
    Instead of VMware Player, use Sun VirtualBox. It's more comprehensive and more robust. It's perfect for a home user to virtualize an operating system. I can't say I know of a simple tutorial for virtualization. It's not really all that difficult if you already know how to install and configure an operating system. The hard part is getting the sense of how it uses the existing memory and CPU of the physical computer.
    I am a die-hard VMware user, but I have read some VERY favorable discussions of VirtualBox.

    If you keep regular backups of your VBox files, you can easily recover after a virus attack.

    I maintain about 10 VMware virtual machines, with backups on a separate hard drive. For the ones I use frequently, I make daily backups.
    Rick Groszkiewicz
    Life is too short to drink bad wine (or bad coffee!)

  9. #9
    Super Moderator jscher2000 | Join Date: Feb 2001 | Location: Silicon Valley, USA | Posts: 23,112 | Thanks: 5 | Thanked 93 Times in 89 Posts
    Quote Originally Posted by Bob Primak:
    Cross Site Scripting can be largely thwarted in Firefox by using the NoScript plug-in, and being very careful as to when and where to allow a few necessary scripts to run. It takes a bit of practice, but there are very few sites which will not run with most of their scripts disabled.
    Perhaps I used the wrong terminology, but I meant something a bit different. There are ways to inject scripts into some web sites by passing certain parameters in the URL. These pass the "same origin" test, so are not blocked by NoScript if you allow scripts for the principal domain. One way that it can happen is when a web page replays some of your input without sanitizing it. I thought I had an example here, but I can't find it.

  10. #10
    Lounge VIP bobprimak | Join Date: Feb 2009 | Location: Hinsdale, IL, USA | Posts: 2,482 | Thanks: 176 | Thanked 152 Times in 129 Posts
    Quote Originally Posted by jscher2000:
    Perhaps I used the wrong terminology, but I meant something a bit different. There are ways to inject scripts into some web sites by passing certain parameters in the URL. These pass the "same origin" test, so are not blocked by NoScript if you allow scripts for the principal domain. One way that it can happen is when a web page replays some of your input without sanitizing it. I thought I had an example here, but I can't find it.
    That's very worrisome. Is there any remedy which will not wreck web surfing?
    -- Bob Primak --

  11. #11
    Super Moderator jscher2000 | Join Date: Feb 2001 | Location: Silicon Valley, USA | Posts: 23,112 | Thanks: 5 | Thanked 93 Times in 89 Posts
    Quote Originally Posted by Bob Primak:
    That's very worrisome. Is there any remedy which will not wreck web surfing?
    Well, you can be suspicious of long links, particularly user-created links in places such as blogs and blog comments. And if you see a vulnerability on a particular site, make sure to report it.

  12. #12
    Star Lounger | Join Date: Dec 2009 | Location: Australia | Posts: 70 | Thanks: 0 | Thanked 0 Times in 0 Posts
    Lon said:

    <We had to fix the registry and re-associate the EXE to running executables. Grrrr...>

    Could you tell me how to do this. I have restored from a Spotmau backup, everything worked fine, I rebooted, NO EXECUTABLES.

    Is there any fix for this or is a reinstall the only way ahead?
    Thanks
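    The "re-associate the EXE" step Lon mentions, and the question above, both concern the .exe file association that fake-AV rogues hijack so that every program launch runs the rogue instead. The script below is an added example, not code from anyone in this thread: it checks the well-known Windows registry defaults for that association and only rewrites them when run from an elevated prompt with the (assumed, script-local) -Repair switch.

```powershell
# Added example: report and optionally restore the .exe file association.
# Healthy defaults (well-known Windows values, not specific to this thread):
#   HKCR\.exe                       (Default) = exefile
#   HKCR\exefile\shell\open\command (Default) = "%1" %*
#   HKCU\Software\Classes\.exe      should not exist (a per-user override wins)
# Run from an elevated PowerShell. Without -Repair it only reports.
param([switch]$Repair)

$expected = @{
    'Registry::HKEY_CLASSES_ROOT\.exe'                       = 'exefile'
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' = '"%1" %*'
}

function Get-DefaultValue([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    # PowerShell exposes a key's unnamed default value as the '(default)' property
    return (Get-ItemProperty -LiteralPath $Path).'(default)'
}

foreach ($entry in $expected.GetEnumerator()) {
    $current = Get-DefaultValue $entry.Key
    if ($current -eq $entry.Value) {
        Write-Host "OK       $($entry.Key) = $current"
        continue
    }
    Write-Warning "HIJACKED $($entry.Key) = '$current' (expected '$($entry.Value)')"
    if ($Repair) {
        if (-not (Test-Path -LiteralPath $entry.Key)) {
            New-Item -Path $entry.Key -Force | Out-Null
        }
        Set-ItemProperty -LiteralPath $entry.Key -Name '(default)' -Value $entry.Value
        Write-Host "FIXED    $($entry.Key)"
    }
}

# A per-user mapping under HKCU\Software\Classes\.exe shadows the machine-wide one,
# so a rogue can leave HKCR intact and still capture every EXE launch for this user.
$userOverride = 'Registry::HKEY_CURRENT_USER\Software\Classes\.exe'
if (Test-Path -LiteralPath $userOverride) {
    Write-Warning "Per-user .exe override present: $userOverride"
    if ($Repair) {
        Remove-Item -LiteralPath $userOverride -Recurse -Force
        Write-Host "REMOVED  $userOverride"
    }
}
```

    If the rogue is still running, it will re-hijack the values; scan and remove it first, then run this to confirm the association stayed fixed.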

  13. #13
    Lounge VIP bobprimak | Join Date: Feb 2009 | Location: Hinsdale, IL, USA | Posts: 2,482 | Thanks: 176 | Thanked 152 Times in 129 Posts
    One thing which sets SuperAntiSpyware apart from many malware removal programs is that, once it has been on your computer for a while, it can restore Registry entries, files and many Windows settings which have been damaged in the course of cleaning up an infection. Avast also has this capability. This includes the type of damage seen here in this thread.
    -- Bob Primak --
