Had another user who had been infected by the Antivirus XP 2008 malware. I noticed they had both hit the same website at least once, myspacecdn.com; I haven’t checked it yet as I don’t have a machine handy that I can blow out, so I will have to check it later. The main install file seems to be ccwjgn.dll, which gets run from the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify. It runs the popup from a program in the Windows TEMP folder to get you to launch the install. The process is listed as a .tmp in Task Manager, usually with a weird name like ttC.tmp.exe or something similar.
On this machine, however, they set an explorer.exe registry key here, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options, and Windows Explorer could not run. I am assuming they were redirecting it to run some other malware and then starting Explorer, but VirusScan deleted the file they were using, so Windows just sat there. You could run Task Manager by hitting Control-Alt-Delete, so that allowed me to run regedit, navigate to the key and delete the explorer.exe value, which then allowed Windows Explorer to run. After the desktop loaded, the Antivirus XP popup came up; I ended the process using Task Manager, deleted all the files out of the Windows temp folder, found the program/dll files in the System32 folder (two of them this time, with names of the lphctp9j0ea5j.exe and blphctp9j0ea5.scr type), and after rebooting I was able to delete the ccwjgn.dll file.
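The two registry locations above (a Winlogon\Notify package DLL for persistence and an Image File Execution Options entry for explorer.exe) are the kind of thing worth checking on every box, not just the one in front of you. The script below is an added example, not part of the original post: it parses a plain `.reg` export (the text regedit produces with File > Export) offline and flags any IFEO key carrying a Debugger value and any Notify package whose DllName is not on a known-good list. The sample export, the package name `ccwjgn` and the allowlist of Notify DLLs are constructed assumptions for the example; build your own allowlist from a clean reference machine of the same build.

```python
"""Audit a Windows registry export (.reg text) for two hijack locations:
Image File Execution Options "Debugger" values and Winlogon\\Notify packages.
Added example; not code from the original post.  Runs offline on exported
text, so it needs no Windows APIs."""
import re
from typing import Dict, List, Tuple

IFEO_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
NOTIFY_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Assumption: a partial allowlist of Notify DLLs seen on a clean Windows XP SP2
# machine.  Generate the real list from a known-good reference box.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "sclgntfy.dll", "wlnotify.dll"}

# Constructed sample export: one legitimate Notify package, one rogue package
# pointing at ccwjgn.dll, an IFEO Debugger redirect for explorer.exe, and a
# harmless IFEO key with no Debugger value.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"="crypt32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ccwjgn]
"DllName"="ccwjgn.dll"
"Startup"="Startup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\WINDOWS\\Temp\\ttC.tmp.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
@=""
"""

# Matches a .reg value line: either the default value (@=...) or "Name"=...
_VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path: {value name: value}}; REG_SZ strings are unescaped,
    other types (dword:, hex:) are kept as their raw text."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None:
            continue
        m = _VALUE_RE.match(line)
        if not m:
            continue
        name = m.group(1) if m.group(1) is not None else "(Default)"
        value = m.group(2)
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            # .reg escapes backslashes and quotes inside strings with a backslash
            value = re.sub(r'\\(.)', r'\1', value[1:-1])
        keys[current][name] = value
    return keys


def audit(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (finding type, subject, detail) tuples for the two locations."""
    findings: List[Tuple[str, str, str]] = []
    for key, values in keys.items():
        lowered = key.lower()
        if lowered.startswith(IFEO_PREFIX.lower() + "\\"):
            exe = key.rsplit("\\", 1)[1]
            debugger = values.get("Debugger")
            if debugger:  # any Debugger value redirects the named program
                findings.append(("ifeo_debugger", exe, debugger))
        elif lowered.startswith(NOTIFY_PREFIX.lower() + "\\"):
            package = key.rsplit("\\", 1)[1]
            dll = values.get("DllName", "")
            if dll.lower() not in KNOWN_NOTIFY_DLLS:
                findings.append(("unknown_notify_dll", package, dll))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in audit(parse_reg_export(SAMPLE_REG)):
        print(f"{kind}: {subject} -> {detail}")
```

On a real machine, export the two keys with regedit (or `reg export`) and feed the file to `parse_reg_export`; a Debugger value on explorer.exe is never something Windows sets by itself, which is why the script reports every one rather than comparing against a list.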
I then ran the latest version of Spybot, which found some other stuff and removed it. No more popups or nag screens trying to get her to install their malware.
Update: I thought I had it until I updated to Windows XP Service Pack 3 and, after rebooting, I received the daggon popup again. More deleting and rebooting; after a while I gave up and tried the free version of AVG. It found about 40 or so driver files that were infected and cleaned those, and she has been running Antivirus XP 2008-free for a couple of hours now. So, for everyone who just wants it removed without knowing how or why, run AVG, as Spybot doesn’t seem to clean it yet.
The other day I had a user call me to let me know their PC was getting an error message and that her co-worker had tried to fix it for her but couldn’t. The computer was off when I got there, and when it booted up it went to a blue screen of death with the problem listed as “Panic Stack Switch”. Although that is an actual error message, it made me believe that it was a fake one, as I had never seen it before and had not searched for any occurrences online. While I was reading the error message, though, the user hit her spacebar and the blue screen immediately went away to show me one of those “you’re infected” backgrounds that malware such as Win Antivirus 2008 uses. You can imagine my surprise, as the computer should not boot into Windows after a blue screen of death, so this was yet another indicator that malware was involved, and I just went about cleaning the machine.
It was infected with the AntiVirus, or Win AntiVirus, XP 2008 malware, and was surprisingly simple to remove, certainly a lot easier than other infections I had dealt with, probably because Spybot and her antivirus software were blocking portions of it. All I had to do was delete the folder the malware was in, I believe it was called rchpcg or something similar. I used the Sysinternals program Autoruns to remove any programs that were set to run automatically that shouldn’t; a couple had names something like blphctp9j0ea5.scr or lphctp9j0ea5j.exe, don’t quote me on those. I went ahead and removed some of those programs that run in the background just to check whether their software needs updating, etc., stuff no one really needs running all the time.
A great write-up on the Google Online Security Blog about the percentage of each web server platform that is distributing malware or hosting browser exploits that lead to drive-by-downloads.
We examined about 70,000 domains that over the past month have been either distributing malware or have been responsible for hosting browser exploits leading to drive-by-downloads. The breakdown by server software is depicted below. It is important to note that while many servers serve malware as a result of a server compromise (by remote exploits, password theft via keyloggers, etc.), some servers are configured to serve up exploits by their administrators.
Compared to our sample of servers across the Internet, Microsoft IIS features twice as often (49% vs. 23%) as a malware distributing server. Amongst Microsoft IIS servers, the share of IIS 6.0 and IIS 5.0 remained the same at 80% and 20% respectively. Source: Web Server Software and Malware
Now, I can already hear the Linux and Mac crowd going, of course they are number one, their security sucks, etc., etc. What is interesting about this post is the breakdown by country of origin.
See that? Almost all of the IIS web servers in China and about 75% of them in South Korea are distributing malware or hosting browser exploits. The article attributes that to software piracy, mostly because you can’t update it if it is pirated, of course, but I am sure part of it is that it makes it easier to host the browser exploits and malware, etc. In Germany, though, Apache is the most likely web server to get you infected, in contrast to most other areas. Always try to keep your web server software as patched as you can, and only host with companies that are proactive about doing such things, if there are any out there.
There are several tools out there that can help you check your website to see if it is distributing malware; one such tool is SpyBye, and on their site they list a couple of others.
During HotBots last month, I presented a paper on a systematic approach for detecting malware on the web called “The Ghost In The Browser”. The paper enumerates all the different ways in which a web page can become malicious and contains some measurements on the prevalence of drive-by-downloads; an in depth analysis of 4.5 million URLs detected 450,000 that were surreptitiously installing malware. All the more reason for tools such as SpyBye. Fortunately, I am not the only one working on such tools. Christian Seifert from the New Zealand Honeypot Alliance recently announced a web interface to their Capture honey client which runs a browser against URLs specified by you. In a similar vein, Shelia is a tool that scans your mail folder and follows URLs contained in it for malware and exploits. Source: SpyBye: Finding Malware
I believe the author was one of the writers of the Ghost in the Browser paper, which I first mentioned here.
How does Windows Vista stand up to the current crop of malware and crapware coming from the Internet? Pretty well, if you ask Jim Allchin; in a recent post he talks about a comparison that Sophos did. In its monthly report Sophos tracks the top ten threats reported to them for that month, so they tried to see if Windows Vista was vulnerable to them. Straight out of the box with the default settings, Windows Vista was not vulnerable to any of them. But not according to Sophos.
These are listed as the virus name and then the percentage of reports to Sophos.
Source: Top Ten Threats for November 2006.
This is the article, here, that Sophos posted saying Windows Vista was vulnerable to 3 of the top 10 malware threats, and here is an excerpt,
Sophos experts note that on the launch date of Microsoft’s Windows Vista operating system, three of the top ten – including Stratio-Zip – are capable of bypassing the operating system’s security defenses and infecting users’ PCs. The Vista-resistant malware – W32/Stratio-Zip, W32/Netsky-D and W32/MyDoom-O – comprise 39.7% of all malware currently circulating.
The results showed that while the Windows Mail email client (Vista’s upgrade of Outlook) was able to identify and halt all of the threats, W32/Stratio-Zip, W32/Netsky-D and W32/MyDoom-O – each of which are commonly disseminated via email – were able to bypass the defenses when accessed via a third-party web email client. This represents a serious issue for businesses who allow employees to access their personal email at work, as well as for companies that are considering adopting an alternative email client.
“There has been much speculation about whether Vista would render existing malware extinct, and the news is now in – it won’t,” said Carole Theriault, senior security consultant at Sophos. “While Microsoft should be commended for the huge security improvements it has made in Vista, running separate security software is still essential to eliminate the risk of infection. On top of this, cyber criminals will already be looking at creating Vista-specific malware. Users need to think carefully about whether their current solution is going to offer sufficient protection against such emerging threats, given that some vendors continue to experience problems adapting their software for the Vista operating environment.” Source: Three of the top ten malware threats run on Microsoft Vista, Sophos tests show
So, Jim Allchin set his team to testing these malware apps in Windows Vista themselves to see how they affected the operating system, and they say that if you are using only the software in Windows Vista, meaning the mail client and no other security software, then it is not vulnerable.
In order to understand what was really going on here, I asked the team to go look at the technical facts behind the story, and that started in the lab. We began by observing first-hand how these various forms of malware affect a Windows Vista system using a machine that was configured with the default settings and without any additional security software. What we found was that if you are using only the software in Windows Vista (e.g., Windows Mail and no add-on security software), then you are immune to all ten of the malware threats that Sophos cited.
If you are using Microsoft Outlook or a third-party email client that blocks execution of known executable formats, then a user running Windows Vista is not vulnerable to eight of the ten malware threats. In the case of the ninth piece of malware, Bagle-Zip, the malware is able to run because it uses the .ZIP file format which some mail programs do not block. In the case of the tenth piece of malware, Mydoom-O, the malware is sometimes able to run because it randomly chooses the file type to which to distribute its payload and sometimes that file type is an executable inside a .ZIP file, which some mail programs do not block. In both cases, this is a function of the e-mail software, not Windows Vista. That said, even when a user receives a mail infected with Bagle-Zip or Mydoom-O in the .ZIP file format, in order for the malware to affect the system, the user must first explicitly open the .ZIP file and then explicitly run the executable file that’s contained inside the .ZIP file — there is no way for this to happen without two steps of user action. If you happen run a third-party email client that does not block known executable formats, then you may also be vulnerable to Netsky-D. Source: Windows Vista and protection from malware on the Windows Vista team Blog.
So, the difference is: if your email client allows the zip format, you still have to open the zip and then run the executable. So, while Sophos’s tests show that Vista is vulnerable to three of them, apparently they left out the fact that they actually had to open up the allowed zip files, and that they installed Microsoft Outlook and did not use the Windows Mail client. So, is this a case of Sophos trying to sell more software, or do they just never tell exactly how they test software? I noticed that there are a couple of links to the Windows Vista version of their anti-virus software on this “press release”.
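The whole disagreement above comes down to what the mail client does with an attachment: block known executable formats outright, and whether it bothers to look inside a .ZIP rather than trusting the archive's extension. The script below is an added example, not Windows Mail's or Outlook's code, of an attachment gate that does both: it refuses attachments with a blocked extension, checks for the PE "MZ" header so a renamed executable is still caught, and opens ZIP containers to apply the same two checks to every member, reporting encrypted members it cannot inspect. The blocked-extension list is an illustrative subset, and the sample archive and file names are constructed.

```python
"""Attachment gate: blocked extensions, PE magic, and look-inside-the-ZIP.
Added example; not code from Windows Mail, Outlook, Sophos or the original post.
Everything runs on constructed in-memory data."""
import io
import zipfile
from typing import List, Tuple

# Assumption: a short illustrative subset of executable-type extensions a
# mail client blocks.  Real block lists are considerably longer.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                      ".vbs", ".js", ".hta", ".cpl", ".dll"}

Finding = Tuple[str, str]  # (member name, reason code)


def has_blocked_extension(name: str) -> bool:
    """True if the file name ends in a blocked extension (catches double
    extensions such as invoice.pdf.exe as well)."""
    lowered = name.lower()
    return any(lowered.endswith(ext) for ext in BLOCKED_EXTENSIONS)


def looks_like_pe(head: bytes) -> bool:
    """Every Windows PE image (.exe, .dll, .scr) begins with the DOS 'MZ' stub,
    whatever the file is called."""
    return head[:2] == b"MZ"


def inspect_attachment(name: str, data: bytes) -> List[Finding]:
    """Apply the extension and magic checks to the attachment itself and, if it
    is a ZIP container, to each member inside it."""
    findings: List[Finding] = []
    if has_blocked_extension(name):
        findings.append((name, "blocked_extension"))
    if looks_like_pe(data):
        findings.append((name, "pe_header"))
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member = f"{name}:{info.filename}"
                if has_blocked_extension(info.filename):
                    findings.append((member, "blocked_extension"))
                if info.flag_bits & 0x1:  # bit 0 of the general purpose flag = encrypted
                    findings.append((member, "encrypted_member"))
                    continue  # content cannot be examined without the password
                with zf.open(info) as fh:
                    if looks_like_pe(fh.read(2)):
                        findings.append((member, "pe_header"))
    return findings


def should_block(name: str, data: bytes) -> bool:
    """Policy: any finding, including an uninspectable encrypted member, blocks."""
    return bool(inspect_attachment(name, data))


def build_sample_zip() -> bytes:
    """Constructed sample archive: one benign member, one executable hiding
    behind a double extension, one executable renamed to an image extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed benign member")
        zf.writestr("invoice.pdf.exe", b"MZ" + bytes(62))
        zf.writestr("photo.jpg", b"MZ" + bytes(62))
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in inspect_attachment("report.zip", build_sample_zip()):
        print(f"{reason}: {member}")
```

The point the Allchin post makes survives in the code: a client that only checks the attachment's own extension lets `report.zip` straight through, and the user's two clicks do the rest; a client that opens the container sees the executable before the user ever does.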
Just read this article called Windows Vista crack is actually a Trojan, which talks about a new crack making the rounds trying to take advantage of users trying to use pirated copies of Windows Vista. The only good advice is to not use any cracks from any sites, and especially none from sites you don’t know. More than likely, most files of these types will contain malware, adware, or worse yet a rootkit that will turn your computer into a slave for another “administrator”.
Malware makers are starting to take advantage of the number of users searching for cracks for the pirated copies of Vista floating around.
A new download has started circulating around the crack boards called “Windows Vista All Versions Activation 21.11.06″. It purports to be an activation crack for any version of Vista.
This has been the case for a long time; there is no way I would download a crack from some of these sites that say they are legit. You are far better off in the long run using an evaluation copy to test something out, or just purchasing it. That article links to the original interview, which has a lot more information in it than that little quote, so, if I were you, I would read the original interview with Microsoft Australia Technology Specialist for Windows Client, John Pritchard.
I’ve posted before about how security companies are up in arms about the new Windows PatchGuard protection from Microsoft that can block any application from accessing, or “hooking” Vista’s kernel commands, a technique utilized by vendors in sophisticated anti-tampering and behavior monitoring tools, and used by hackers in attacking computer systems with rootkits. Authentium says they have circumvented this feature using a loophole that allowed the operating system to support older hardware.
The company, based in Palm Beach Gardens, Fla., maintains that it has built a version of its Authentium ESP Enterprise Platform that can bypass PatchGuard without setting off the desktop alarms produced by the security feature when the Vista kernel is compromised.
When a program of any kind attempts to modify the kernel on a system running PatchGuard, which is already available in 64-bit versions of Microsoft’s Windows XP OS, the computer produces a blue screen and stops all other Windows applications from running.
Authentium said its workaround allows it to access the kernel without incurring the shut-down.
The company specifically said that it is using an element of the kernel meant to help the OS support older hardware to bypass the feature. The loophole allows the company’s tools to infiltrate Vista’s kernel hooking driver, and get out, without the OS knowing the difference. Source: eWeek
Lots of good reading there, including more info on PatchGuard and links to other articles where security companies have taken Microsoft to task over it. One industry insider thinks McAfee and Symantec have already done this themselves, but are keeping the heat on for a different reason,
At least one industry watcher believes that Symantec and McAfee have developed methods of their own for working with, or circumventing, PatchGuard, and contends that the firms have only kept the heat on Microsoft over the feature to keep antitrust regulators alert to Microsoft’s continued push into their territory.
Which makes sense, they have to protect their bread and butter. Alex Eckelberry from Sunbelt has posted a few articles on PatchGuard, but the one he posted today actually made a lot more sense than the other complaints I have seen from Symantec,
The lesson? We cannot predict how malware authors will work in the future, and that is one reason why PatchGuard is such a potentially dangerous technology.
PatchGuard creates a barrier to the kernel, against which security vendors (the major defensive bulwark for Microsoft) can’t get in to to help the operating system against an attack, at least without permission through APIs.
The ability of security companies to fully support the 64 bit Windows platform itself, a fact that Gartner’s Neil McDonald recently highlighted in his warning that if enterprises use HIPS technology, they should postpone deployment of Vista. After all, the APIs won’t even be available until 2008!
HIPS (which stands for Host Intrusion Prevention System), uses methods at the kernel to prevent certain types of attacks. HIPS is part of our Kerio line and it’s also part of other products out in the market. For example, our HIPS functionality helps protect against buffer overflow attacks, by watching for system functions being called from memory locations where they shouldn’t be called. As another example, our Kerio Server Firewall uses HIPS to provide application lockdown.
McAfee, Symantec and other companies, like Sunbelt, need this access. For Symantec, it’s around a number of technologies they’ve implemented at the kernel, including Tamper Protection, which prevents hackers from attacking Symantec products themselves. For us, it’s around HIPS, but it could also affect other technologies that we are developing.
Now, every other article I have read on PatchGuard and these security companies (and I could have missed a bunch, I am sure) has pretty much just been whining about how Microsoft won’t allow them access to the kernel; this is the first good explanation of why they need this access. If some new threat, remember Code Red, comes out that requires access to the kernel to prevent it, then these security companies will have to ask Microsoft for an API to the kernel, where before they could have just added the extra functionality. And we all know how long it takes Microsoft to issue patches. What will they do if a new threat comes out: will they help security vendors fix it, or will they try to fix it themselves?
Seeing quite a few searches on the site for a W32.Kmeth removal tool. X-Cleaner will remove the Kmeth worm. It is one of the best spyware removal tools on the internet, it is updated constantly, and, if for some reason it won’t clean your computer, they will walk you through removing it manually. The guys who make this software are also the guys who find lots of these malicious programs, so they know exactly what they do and how to remove them. Use Coupon Code: TPS-4NS3-DR and save $7.49 off the normal price of $29.95, for a final price of only $22.46!
Virus-like program that spreads automatically to other computers by sending itself out by email or by any other means. A program that propagates itself by attacking other machines and copying itself to the affected machine.
Remember to Use Coupon Code: TPS-4NS3-DR and get it for only $22.46!
Are screensavers really a problem? Asks a siteadvisor blog entry, and according to their results, they are, big time.
We counted 318 children’s television programs currently airing on English language networks in the United States. We decided to search for screensavers for each of these shows to see how risky it is to put a Rugrat, a Powerpuff Girl or a Flintstone on a desktop.
Each of the three aforementioned programs all returned 50% or more risky sites on Google’s first page of search results. And that’s just the tip of the iceberg. A staggering 85% of all kids TV show screensavers searches returned at least one dangerous site on the first page. 20% of all shows returned search results where half or more of the sites were risky. A child or parent who searches for a Gilmore Girl or Kenny the Shark screensaver and clicks randomly on the results has a 60% chance of landing at a risky site.
The Power Rangers were number one with 81.8% of sites in the results leading to sites with red links and yellow links.
Some adults may take the time to learn about these programs. But children are especially vulnerable to blindly clicking yes at each prompt & then the family PC is infected with adware and worse.
And that’s how lots of adware gets on PCs at home: kids don’t know any better and blindly click yes to prompts that pop up, just because they want whatever they were searching for.
This article references an article that I wrote at Realtechnews.com called Warner Bros Partners with 180Solutions, that I followed up at Revenews.com called More on WarnerBros and 180Solutions. One of these years, we may be able to get rid of adware and spyware, if more merchants, like WarnerBros, will end their relationship with them.
It used to be that malware, such as viruses, trojans, spyware, etc., was mainly used to garner attention or to expose exploits missed by software creators. Not today: today, 70% of malware is used for financial gain.
Seventy percent of malicious software being circulated is linked to various types of cybercrime, a study by security firms Panda Software showed.
The report, based on a survey in the first quarter of 2006, suggested that “financial profit has become a priority” for creators of “malware,” which includes viruses, worms, trojans and spyware, the company said.
“Activities which were previously motivated by the egocentric or narcissistic natures of certain individuals seeking notoriety or looking for a platform to demonstrate their technical know-how, now have a single objective: fraudulently profiting by exploiting the latest technology.”
The report also suggests that hackers are moving away from e-mail worms to forms of malicious code more difficult to detect.
About 40 percent of the problems detected by Panda was spyware, a type of malicious code designed for financial gain, primarily through collecting data on users’ Internet activities.
Another 17 percent was trojans, including “banker trojans” that steal confidential data related to bank services, others that download malicious applications onto systems.
Eight percent of the problems detected were “dialers,” malicious code that dials up premium-rate numbers without users’ knowledge; “bots,” a scheme involving the sale or rental of networks of infected computers, accounted for four percent of the total. Source: Yahoo
It’s only going to get worse and worse, as more and more money is funneled into online advertising, more advertisers and consumers will get taken advantage of by malware. As soon as merchants realize they need to police who is advertising their products and how they are doing it, maybe it will start declining.
Well, this is a good idea and a long time coming; I’m sure everyone has been confused at some time in the past by viruses and their names, variants, etc. The Common Malware Enumeration initiative is meant to reduce the confusion caused by the different names security companies give viruses, worms, and other pests.
“There is a lot of confusion over the way that malware is referred to,” Desiree Beck, the technical lead for the CME initiative, said in an interview. “We’re trying to alleviate that by giving malware a common identifier, so everybody is talking about the same thing when some malware event happens.”
The antivirus industry has tried, and failed, before to agree on common naming for worms and viruses. This time, US-CERT, the part of the U.S. Department of Homeland Security that coordinates response to cyberattacks, is running the show. With that in mind, and because the plan allows companies to keep their own naming by assigning an ID rather than a common name, security software makers are hopeful that the effort will be a success, and they’re eager to participate.
CME is not an attempt to solve the challenges involved with naming schemes for viruses and other forms of malware. Instead, CME is working with the security community to facilitate the adoption of a shared, neutral indexing capability for malware. An example of a CME identifier would be: CME-123.