How are these rogue AVs getting into systems?

DavidF

Invariably, after we remove a rogue AV the EU (end user) asks how it managed to get into their system.
Not all that long ago you could point to LimeWire, kids clicking OK when they should ask someone who knows, hanging around dodgy websites, clicking on dubious ads or links on social networking sites, and a slew of other vectors.
Since about November I've had little old ladies' and Mum-and-Dad PCs infected, and I'm confident they have browsing habits bordering on paranoid.
I've been asking them what they were doing at the time of infection as well as the websites they frequent, but I can't find a common denominator.
I've been researching it myself and there is plenty of information about the vectors used, but none that I can see as a likely means of infection in these instances.
Of course EUs lie, but I don't think it likely in the majority of the cases I'm thinking of.
Is there some gaping hole in Windows I'm not aware of?
I originally thought it was an IE issue, but several of the most recent infections have been EUs instructed to use FF/Chrome/Safari etc.
I'm tired of giving them educated guesses; can someone throw me a line here, please.
 
I have had several customers pick this up and the only website they ever visit is Facebook. So I'm led to believe this is a big cause of a lot of it.
 
Usually X'ing out of the first popup/warning is enough to install. They think they are doing the right thing...
 
There are a ton of ways to get onto a computer. Do they always update their Java and Acrobat Reader?

I know you may say they are paranoid, but do you know they wouldn't click "OK" on a window telling them their Flash is out of date and needs to be updated?

They are the same ways of getting onto a computer; the malware writers are just getting better. More and more rogue antivirus programs look like legitimate applications. One I removed a while back looked a lot like AVG. I don't understand why they haven't just flat out stolen the look and name of Norton or Kaspersky, etc. It's not like they are trying to run a legitimate business.
 
I had a customer infected just by going onto a cookery website. Most of this rogueware is getting past most antivirus software and can't be stopped.
 
They are everywhere. I can't see any rhyme or reason. My wife actually got one visiting a site about insects. Picked the wrong computer that day.
 
Exploits are very popular now, so it's very important to keep all software (particularly web browsers, quicktime, and ugh... flash) up to date. I've been infecting a virtual machine, and got two fake antiviruses just by visiting a website, I didn't have to click anything, nothing appeared on screen, but then it was too late ;). Also, advertisements can be infected, so even legitimate websites can harbour infections.
 
There is also another site where I have seen people getting hit with the fake AVs. The site is called www.migente.com. It's a website for Spanish people, something like Facebook.
 
It's funny how they work. For instance, it can come up when you click on a link, or it can download silently onto your machine and after the 3rd or 4th reboot it pops up, maybe, let's say, 10 minutes after you open Internet Explorer.
I have played around with these. You can program it that way. If I remember well, it's called TurkTrojan or something. I'm fuzzy on the name, but you get the hint. This way you cannot trace back to the source of the infection.
 
My girlfriend was on YouTube and my AV picked up a cross-site script and blocked it from installing, most likely from a user comment or something, but yeah, YouTube and Facebook are the two most common, I think.
 
Facebook is the most common that I have seen...
I thought it was the common denominator for a while, but then I got some people who were like "no, we have NEVER used Facebook". I get some people lying about going on porn sites, but usually not about Facebook.

I understand the ones where you click a pop-up or answer yes or whatever, but I had Norton catch one where I merely opened a legit website and started reading: no pop-ups, no links, no other clicking... I believe Norton classified it as a Browser Hijacker. This was in Firefox with Adblock Plus, and no other clicking than visiting the site.

I remember when everyone and their cousin knew about the Conficker virus... can we get some sort of nationwide alert telling people to update their service pack, update their Adobe, and update their Java? That would hopefully put a big hindrance on these viruses. Sure, it takes some business away from us, but I'm getting sick of them.
 
I was on my girlfriend's computer and she had one of those annoying pop-ups that says "WAIT ARE YOU SURE YOU WANT TO CLOSE?" No matter what you hit, it will always reopen or link you to the next BS.

I clicked "okay" by mistake (I really don't like touchpads) and all of a sudden she had a rogue antivirus. Needless to say she made fun of me.

After realizing what I had done, I decided to just end-task Firefox. And what did I spot in the process list that I did not initiate? Adobe Reader :( I've heard of malware using Adobe to exploit your system, but never seen it first hand.

Ironically enough, I had just uninstalled her McAfee to put on ESET, and this happened in between.
 
I'm sorry, but I find McAfee to be the most commonly present AV when these happen; it seems to usually get disabled or partially uninstalled. I used to think it was the free ones like AVG and Avast, but now I think it's McAfee.
 
Had one last week, same old question. Told him I'd been hearing more and more about how PDFs are being used to target specific types of people (spear-phishing).
Anyway, he was the first person I'd met who actually said, "Really? It was right after opening a PDF that all this started." Usually they never 'fess up to anything.
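When a customer does admit "it started right after I opened a PDF", the first thing worth doing is a keyword triage of the file before it goes anywhere near a reader. The script below is an added example written for this thread, not code posted by anyone in it: it counts the PDF name objects that carry active content or automatic actions (/JS, /JavaScript, /OpenAction, /AA, /Launch, /EmbeddedFile, /RichMedia), and it first undoes the hex escaping (#xx) that the PDF name syntax permits, because malicious files write "/J#53" instead of "/JS" precisely to slip past scanners that only look for the plain keyword. The two PDFs are constructed inline for the demonstration and are not real samples.

```python
import re

# Name objects whose presence warrants a closer look: active content, actions
# that fire automatically, launching external programs, embedded files.
# Presence is a triage signal, not proof of malice (many legitimate forms use /JS).
SUSPICIOUS_NAMES = ("/JS", "/JavaScript", "/AA", "/OpenAction", "/Launch",
                    "/EmbeddedFile", "/RichMedia")

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalise_names(data: bytes) -> bytes:
    """Undo PDF name-object hex escapes so that '/J#53' reads as '/JS'.
    The spec lets any byte of a name be written as #xx; malicious PDFs use this
    on letters that never need escaping, purely to dodge keyword scanners."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def obfuscated_escapes(data: bytes) -> int:
    """Count hex escapes of plain ASCII letters/digits (e.g. #53 for 'S').
    Legitimate producers escape delimiters and spaces (#20), not letters."""
    return sum(1 for m in _HEX_ESCAPE.finditer(data)
               if bytes([int(m.group(1), 16)]).isalnum())


def count_names(data: bytes) -> dict:
    """Occurrences of each suspicious name, counted after de-escaping. A name
    ends at a delimiter or whitespace, so '/JS' must not match inside '/JSX'."""
    norm = normalise_names(data)
    counts = {}
    for name in SUSPICIOUS_NAMES:
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9])"
        n = len(re.findall(pattern, norm))
        if n:
            counts[name] = n
    return counts


def triage_pdf(data: bytes) -> dict:
    """Return the name counts, the number of obfuscating escapes and a verdict."""
    names = count_names(data)
    findings = []
    if not data.lstrip().startswith(b"%PDF-"):
        findings.append("no %PDF- header (some readers still open it)")
    if "/OpenAction" in names or "/AA" in names:
        findings.append("action runs automatically on open or on an event")
    if "/JS" in names or "/JavaScript" in names:
        findings.append("embedded JavaScript")
    if "/Launch" in names:
        findings.append("/Launch action can start an external program")
    if "/EmbeddedFile" in names or "/RichMedia" in names:
        findings.append("embedded file or rich-media object")
    escapes = obfuscated_escapes(data)
    if escapes:
        findings.append(f"{escapes} hex-escaped letter(s) in names (keyword hiding)")
    return {"names": names, "obfuscated_escapes": escapes, "findings": findings,
            "verdict": "suspicious" if findings else "clean"}


# Constructed samples (not real files): a minimal text-only PDF, and one that
# wires a hex-escaped /JS action into the catalog's /OpenAction.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj\n"
    b"4 0 obj << /Length 36 >> stream\nBT /F1 12 Tf 72 720 Td (Hi) Tj ET\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n")

SUSPICIOUS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"5 0 obj << /S /JavaScript /J#53 (app.alert('pwned');) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    for label, pdf in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        print(label, triage_pdf(pdf))
```

Run it over a real file with `triage_pdf(open(path, "rb").read())`. A "suspicious" verdict means the file deserves opening in a sandboxed viewer (or not at all), not that it is confirmed malicious; objects hidden inside compressed object streams (/ObjStm) will not show up in this byte-level pass and need a proper parser.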
 
I have been researching for months. Go to malware domains and look it up; it's one of 5 things.

1) Java exploit: this is the most common form of malware injection, with outdated Java.
2) Flash exploit: the number 2 most common form of malware injection, with outdated Flash, i.e. 9 or less.
3) PDF exploit: this is most common with people with older Adobe Readers.
4) Trojan downloaders: they catch people with no AV, or outdated or free AVs.
5) OS exploit: not so common; they try to catch people that don't have security updates.

To prevent all the above you need to update Java, Flash, Shockwave, QuickTime, iTunes and Windows Updates, and have a good AV. If you are not sure, use Secunia PSI.
 
Secunia Personal Software Inspector would protect against almost all of these. It's free and easy-as-pie for even novice users to use. I take a minute to explain to them that all it takes is a single click to install the update/patch, plus the fact that it's constantly monitoring for new vulnerabilities and patches in the background. It should be part of every OS, in my view.
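The two posts above come down to one check: is every plugin the exploit kits target (Java, Flash, Adobe Reader, QuickTime) at or above a known-patched version? The script below is an added example for this thread, not Secunia's code or anything posted here. It does the core of what a patch inspector does: map Add/Remove Programs display names to products, parse version strings into integer tuples, and compare them against a baseline. The baseline versions, the Java registry convention (Java 6 Update 17 appearing as DisplayVersion "6.0.170") and the tab-separated inventory are assumptions constructed for the example; a practitioner would export the real inventory from the Uninstall registry keys and refresh the baseline from vendor advisories.

```python
import re

# Illustrative minimum-version baseline (an assumption for this example, not an
# authoritative list): refresh it from vendor advisories in real use.
MINIMUM_VERSIONS = {
    "Java": (6, 0, 200),               # Java 6 Update 20 in the 6.0.<update*10> form (assumed)
    "Adobe Reader": (9, 3, 2),
    "Adobe Flash Player": (10, 0, 45, 2),
    "QuickTime": (7, 6, 6),
}

# How to recognise each product from its Add/Remove Programs display name.
PRODUCT_PATTERNS = [
    (re.compile(r"^Java\(TM\)", re.I), "Java"),
    (re.compile(r"^Adobe Reader", re.I), "Adobe Reader"),
    (re.compile(r"^Adobe Flash Player", re.I), "Adobe Flash Player"),
    (re.compile(r"^QuickTime", re.I), "QuickTime"),
]

# Constructed inventory (not real data): one "DisplayName<TAB>DisplayVersion"
# per line, the shape of an export of HKLM\...\Uninstall.
INVENTORY = (
    "Java(TM) 6 Update 17\t6.0.170\n"
    "Adobe Reader 9.1.0\t9.1.0\n"
    "Adobe Flash Player 10 ActiveX\t10.0.45.2\n"
    "QuickTime\t7.6.9\n"
    "Mozilla Firefox (3.6.3)\t3.6.3\n"
)


def parse_version(text: str) -> tuple:
    """'10.0.45.2' -> (10, 0, 45, 2). Comparing the *strings* is the classic bug:
    '10.0.45.2' < '9.0.280' is True lexicographically, which would mark Flash 10
    as older than Flash 9. Integer tuples compare the way humans expect."""
    parts = tuple(int(p) for p in re.findall(r"\d+", text))
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return parts


def version_lt(a: tuple, b: tuple) -> bool:
    """True if a is older than b; shorter tuples are zero-padded so (9, 3) == (9, 3, 0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def audit(inventory_text: str) -> list:
    """Return (product, installed version string, status) for each tracked product found."""
    results = []
    for line in inventory_text.splitlines():
        name, _, version = line.partition("\t")
        if not version:
            continue  # blank or malformed line
        for pattern, product in PRODUCT_PATTERNS:
            if pattern.search(name):
                installed = parse_version(version)
                outdated = version_lt(installed, MINIMUM_VERSIONS[product])
                results.append((product, version, "OUTDATED" if outdated else "ok"))
                break
    return results


def missing_products(inventory_text: str) -> list:
    """Tracked products with no inventory entry at all: either not installed,
    or installed without an Uninstall key, which is itself worth a look."""
    found = {product for product, _, _ in audit(inventory_text)}
    return [p for p in MINIMUM_VERSIONS if p not in found]


if __name__ == "__main__":
    for row in audit(INVENTORY):
        print("%-20s %-12s %s" % row)
    print("not found:", missing_products(INVENTORY))
```

On the constructed inventory Java and Adobe Reader come back OUTDATED while Flash and QuickTime pass, and Firefox is ignored because it is not in the baseline. The point of the example is the comparison: anything that compares version strings as text will get Flash 10 versus Flash 9 wrong.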
 
> I've been infecting a virtual machine, and got two fake antiviruses just by visiting a website, I didn't have to click anything, nothing appeared on screen, but then it was too late ;). Also, advertisements can be infected, so even legitimate websites can harbour infections.


This is critical to realize. I myself, as a singular alone person, once ventured to Yahoo.com. Upon my arrival the yahoo site opened with flashing banners, exotic flash news, and legitimate advertising bouncing up and down like a basketball in the corner.

One of the advertisers that Yahoo let on their site to advertise had a banner that was infected with a JavaScript virus.

Avast antivirus proxies everything you see on the web through its web proxy scanner, so it immediately picked this up. I spoke to many of my internet friends, and they went to Yahoo, and their antiviruses picked up nothing. But they were not using Avast.

It did turn out to be legit.

I no longer use yahoo.

I use google.

Set on plain jane settings.

It says google with a little box [__________________] and that's all.

So I tried to warn people; nobody listened. It stayed like that for nearly 2 weeks on yahoo.com LOL. Oh well.
 
Whauh?

> One of the advertisers that Yahoo let on their site to advertise had a banner that was infected with a JavaScript virus.
>
> I spoke to many of my internet friends, and they went to Yahoo, and their antiviruses picked up nothing.
>
> It did turn out to be legit.
>
> So I tried to warn people; nobody listened. It stayed like that for nearly 2 weeks
Not sure what you're saying here:
You found a virus and then sent your friends to get infected but then it wasn't a virus and then you were surprised that the not-virus wasn't taken down?
 
> I have been researching for months. Go to malware domains and look it up; it's one of 5 things.
>
> 1) Java exploit: this is the most common form of malware injection, with outdated Java.
> 2) Flash exploit: the number 2 most common form of malware injection, with outdated Flash, i.e. 9 or less.
> 3) PDF exploit: this is most common with people with older Adobe Readers.
> 4) Trojan downloaders: they catch people with no AV, or outdated or free AVs.
> 5) OS exploit: not so common; they try to catch people that don't have security updates.
>
> To prevent all the above you need to update Java, Flash, Shockwave, QuickTime, iTunes and Windows Updates, and have a good AV. If you are not sure, use Secunia PSI.

Awesome write-up. I would like to add that the rank of the top 3 will change based on your customers' habits and new vulnerabilities. E.g. if there is a new Acrobat exploit you will see a spike in malicious PDFs sent via email or available for download.

Another note: virus/malware/trojan/crapware writers have been running packers (like zip), some multiple times; they are also mutating the executables (to help evade AV/AM/IDS), and if that is not enough they obfuscate the code, which makes it hard or nearly impossible to read the code and figure out what is actually happening.
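Packing and re-packing defeats signature matching, but it leaves a statistical fingerprint: compressed or encrypted code has close to 8 bits of entropy per byte, while ordinary code and data sit well below that. The script below is an added example for this thread (not code from any poster or product): it computes Shannon entropy per section and per sliding window, and flags sections that are either high-entropy or carry a section name that common packers leave behind (UPX0/UPX1, .aspack, .petite, .MPRESS1). The 7.0 threshold and the three sample "sections" are constructed assumptions for the demonstration; in practice you would feed it the section table of a real PE.

```python
import math
import random
from collections import Counter

# Section names left behind by common packers (a cheap, spoofable signal).
KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata",
                         ".petite", ".MPRESS1", ".nsp0"}

# Entropy at or above this (bits per byte, maximum 8.0) is treated as packed or
# encrypted. 7.0 is an assumption for this example; tune it on your own corpus.
PACKED_THRESHOLD = 7.0


def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a single repeated value, 8.0 for uniform."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def entropy_profile(buf: bytes, window: int = 512) -> list:
    """Entropy of each fixed-size window, so you can see *where* in a blob the
    packed payload sits (a stub loader followed by a high-entropy block)."""
    return [shannon_entropy(buf[i:i + window]) for i in range(0, len(buf), window)]


def packed_sections(sections, threshold: float = PACKED_THRESHOLD) -> list:
    """sections: iterable of (name, data). Returns [(name, [reasons])] for
    sections that look packed by entropy or by name."""
    flagged = []
    for name, data in sections:
        reasons = []
        if shannon_entropy(data) >= threshold:
            reasons.append("high entropy")
        if name in KNOWN_PACKER_SECTIONS:
            reasons.append("packer section name")
        if reasons:
            flagged.append((name, reasons))
    return flagged


def section_report(sections) -> dict:
    """Rounded entropy per section, for a quick human-readable overview."""
    return {name: round(shannon_entropy(data), 2) for name, data in sections}


# Constructed samples (not real malware): assembly-like text standing in for a
# normal code section, a zero-filled data section, and PRNG output standing in
# for a packed or encrypted payload.
TEXT_LIKE = b"mov eax, [ebp+8]; push ebx; call GetProcAddress; ret\n" * 80
_rng = random.Random(1234)
PACKED_LIKE = bytes(_rng.getrandbits(8) for _ in range(4096))

SAMPLE_SECTIONS = [(".text", TEXT_LIKE), (".rdata", b"\x00" * 1024), ("UPX1", PACKED_LIKE)]

if __name__ == "__main__":
    print(section_report(SAMPLE_SECTIONS))
    print(packed_sections(SAMPLE_SECTIONS))
    print([round(e, 2) for e in entropy_profile(PACKED_LIKE)])
```

Treat a high-entropy hit as a reason to look closer, not as a verdict: compressed resources (PNG icons, an embedded zip in .rsrc) are also near 8 bits per byte, so confirm against the section names, the import table (a packed binary typically imports almost nothing but LoadLibrary/GetProcAddress) and the entry point before concluding the file is packed.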
 
Most of the infections I am seeing are from advertising. One customer was constantly getting infected, and I set out to see where this was happening; it was happening on Facebook, advertising Farm Town.

Update: Malicious Facebook ad redirected to fake antivirus software
During my investigations most people were infected on Facebook.
New Facebook social features secretly add apps to your profile
I have had customers delete their Facebook account and have me block the website; they have not been infected since then.
 