400,000 PCs Infected With Fake "Antivirus 2009" 353
nandemoari writes "The second month of Microsoft's campaign against fake security software has resulted in the removal of the rogue "Antivirus 2009" application from almost 400,000 infected PCs. Microsoft claims that December's version of the Malicious Software Removal Tool (MSRT) — the free utility included in Windows Update every month — specifically targeted 'Antivirus 2009.' According to Microsoft, MSRT removed the rogue application from over 394,000 PCs in the first nine days after it was released on December 9."
Tomorrow's Headline (Score:4, Funny)
"over 394,000 PCs report massive amounts of virus infections due to the accidental removal of Antivirus 2009"
When will the Malcious software removal tool... (Score:4, Funny)
Remove my win32 directory?
Re: (Score:2, Funny)
Re: (Score:2)
... and load a Ubuntu installer?
Re:The relationship between Windows 95/98 and DOS (Score:5, Interesting)
This page [microsoft.com] has a pretty good overview of Windows 95 architecture, with some diagrams that show the various OS components, none of which is a full copy of DOS that has a GUI riding on top of it as found in Windows 3.11 and earlier. Instead, there is a 32-bit kernel which uses 32-bit device drivers exclusively, unless the user installs a legacy DOS driver.
If any DOS apps are run within Windows 95, they run in their own DOS virtual machine, and if no DOS apps are running, no DOS VM is created. These VMs are similar to those in Windows NT; what is not similar to Windows NT is the ability to load DOS device drivers to support legacy hardware that had no 32-bit protected-mode driver.
Those DOS drivers almost always ran slower than 32-bit drivers and frequently caused problems, to the extent that one of the first steps in troubleshooting a Windows 95 system was to check the autoexec.bat and config.sys for unneeded DOS drivers, or simply renaming those files to get rid of the gunk.
If there really were a copy of DOS running underneath Windows 95, renaming autoexec.bat and config.sys would have removed all the device drivers, leaving you with no access to your CD-ROM drive due to a lack of MSCDEX.EXE, which is needed by all versions of DOS, including the "DOS Mode" of Windows 95.
Re:The relationship between Windows 95/98 and DOS (Score:4, Interesting)
Try deleting the hidden system files (.SYS) in the root of your boot drive and see how far Windows 9x gets while booting.
The 9x Windows did ride on top of DOS, but replaced (and I'm using the word very loosely) DOS with its own kernel and drivers. DOS was still there, hiding in the background, but most everything was handled by the 32-bit protected mode code of 9x.
Also, there was no "virtual machine" for DOS in 9x. Windows took a snapshot of the DOS environment before it took over, and was able to present this environment to the user via V86 mode. This was, more or less, the same way Quarterdesk's DesqView software worked, except without the pretty graphics of the Windows GUI. A virtual machine implies much of the hardware is emulated, which it was not.
Renaming autoexec.bat and config.sys would have no bearing on the Windows environment because once Windows took over, it used its own .ini files and the registry to store and retrieve hardware and software configuration information.
Any drivers/TSRs run before Windows started would still be present after Windows loaded. In fact, one simple change to a single file cause Windows to not even load, booting instead to a plain old C:\ prompt. One could then later start Windows by executing WIN.COM.
Even Windows ME had DOS still hiding underneath it all. Windows versions based on the NT kernel are the only ones that did not rely on some version of MS-DOS to bootstrap Windows.
I really don't think you know what you are talking about.
Re:The relationship between Windows 95/98 and DOS (Score:5, Informative)
To me, the fact that the DOS 7 kernel IO.SYS is used to bootstrap Windows 95 does not indicate that 9x "rides on top of DOS" any more than the fact that LILO or GRUB might be used to bootstrap Linux means that Linux "rides on top of" LILO or GRUB.
The fact that legacy DOS device drivers can be loaded during the real-mode portion of the 9x boot process (but need not be kept around afterwards, and by default are not) only indicates that Windows has been designed to tolerate DOS device drivers in order to provide backwards compatibility.
This is a big difference between 9x and 3.x, which requires DOS drivers for sound and CDROM support. This is also the biggest difference between 9x and NT as regards DOS support - NT will not tolerate legacy DOS device drivers at all. This fact makes it perfectly clear that NT does not "ride on top of" DOS, while the fact that 9x is built to tolerate DOS drivers muddies the waters as to whether or not 9x "rides on top of" DOS. To me, the fact that these legacy drivers are not required indicates that 9x is an OS rather than a GUI, and that is the point I was getting at with the CD-ROM driver example.
Taking this reasoning a step farther, the fact that 32-bit hard disk drivers are available under Windows 3.1 leads some to consider 3.1 itself to be somewhat of an OS (or, along with DOS, one of the two components of an OS) rather than simply a GUI, because previous GUIs such as GEM for DOS had no device drivers of their own and relied entirely on DOS for driver support. There is some merit to this argument, and my take on the situation is that there isn't a clear line between GUI and OS where early versions of Windows are concerned, but rather a gradual shift from total reliance on and tolerance of DOS for bootstrapping and drivers in early versions of Windows (which were mere window managers like GEM) to a total lack of reliance on DOS code for these functions in later versions starting with NT 3.1, which first used NTLDR to begin the boot process. Windows 95's place on this spectrum is that it requires some DOS code to boot, but afterwards doesn't require any non-32-bit device drivers at all.
If, when we say that Windows 3.11 "rides on top of" DOS 6, we mean that Windows 3.11 is an application environment which takes advantage of the filesystem and driver support provided by DOS, I don't think that we can accurately say the same thing about Windows 95, which is an OS with a 32-bit kernel and some 16-bit components which uses DOS for bootstrapping but does not need any DOS filesystem or driver support once it's up and running. To me this doesn't equate to having DOS "hiding underneath" Windows 9x. It seems more accurate to me to say that Windows 9x has built-in support for DOS drivers and apps for backwards-compatibility reasons, and uses it during the boot process.
Malwarebytes (Score:5, Informative)
Agree! (Score:3, Informative)
Malwarebytes is awesome! The AV2009 malware is a tough one to remove, but Malwarebytes takes is right off.
Re:Agree! (Score:5, Informative)
Malwarebytes is awesome! The AV2009 malware is a tough one to remove, but Malwarebytes takes is right off.
I swear by them. In fact, I removed Symantec AV from my computer (since it only protects against exploits nobody uses anymore and slows your PC down more than any virus). I use Windows Defender to monitor system changes and do periodic sweeps w/ Malwarebytes. System is much faster now and still clean.
Re: (Score:2)
I removed Symantec AV from my computer (since it only protects against exploits nobody uses anymore and slows your PC down more than any virus)
I don't personally use Symantec anything but the word is for the 2009 version, they completely rewrote everything from scratch with an emphasis on speed that seems to have worked according to PCmag [pcmag.com].
Re: (Score:2)
Re: (Score:2)
1. Can't help you there!
2. ubuntu-studio *
* (or, look for the ubuntu-studio audio metapackage. make sure you get linux-rt and the associated kernel headers etc as well)
Re: (Score:3, Informative)
Yup, and AV 2009 is about the worst spyware there is. It installs a God damn driver just so that DNS queries to antivirus sites don't resolve, even though your hosts files stay clean.
Re: (Score:2)
We use Super Antispyware and Spybot Search & Destroy ourselves, running from the Ultimate Boot CD for Windows: http://www.ubcd4win.com/ [ubcd4win.com]
Re:Malwarebytes (Score:4, Funny)
the wooshing noise you heard was the sound of thousands of linux boot disks flying over your head.
Re: (Score:2)
You don't get good malware-removal tools running on Linux, tard. ClamAV doesn't count, because it's not very good about detection.
You get good malware-removal tools on Windows because you get almost all of your malware on said OS, and because that OS is very popular hence has many developers.
Re:Malwarebytes (Score:4, Insightful)
The annoying thing though, most of them installed it themselves, deliberately, thinking they were doing "good".
Bah. Hang the authors of "Antivirus 2009" up by their nadgers.
Combofix was the only thing that worked for me (Score:5, Informative)
Re:Combofix was the only thing that worked for me (Score:4, Informative)
rename the spybot exe name. you can do the same with hijack this.
That way you can eradicate the registry entries, then DO NOT REBOOT but yank the power cord.
Most ickies will rewrite their registry entries when they see a shutdown started.
Avast! free home edition has protected against that nasty ever cince they updated the name from 2008 to 2009.
Re: (Score:2)
I've used Malwarebytes to fix this nasty little bugger too, several times. It seems to work pretty well.
I've had times where it's been necessary to rename the mbam-setup.exe to something like mbs.exe, and the main .exe to a different name, too. Some of these malwares do block access to known removal tools.
Re: (Score:2)
We use it at my job too (phone support) and most of the time it gets rid of it. Occasionally though, even that can't get rid of it. Even when it does seem to clean it, sometimes it misses a few files. My personal method is to first check the malware hiding places manually and eradicate anything I find, and then let Malwarebytes scan to see if I missed anything.
But yes, I can attest to the widespread plague of Antivirus 2009 and its associates.
Re: (Score:2)
Oh yes, and one thing I forgot to mention that I found particularly interesting is how they manage to get so many people infected. They do it via google-bombing. I had been puzzling over how even careful users were getting infected, until I saw it happen on my own laptop: I was running a search on a black friday laptop model for more info, and the first search result on google gave me a panic popup (which I axed from task manager) and sent me to an Antivirus 2009 page. Naturally, knowing how to avoid their
Re: (Score:2)
One of the potential dangers I've read about with this type of malware is that the google-bombed links don't just display popups - they also include things like hidden embedded PDF files that exploit vulnerabilities in older versions of Adobe [Acrobat] Reader to install the rest of the malware components. So even if you don't do anything wrong - even if you're running Firefox instead of IE, as long as you have an old version of Reader installed you're vulnerable.
I suspect this can be mitigated by turning of
Re:Malwarebytes rocks! (Score:2)
My girlfriend's laptop got infected before i knew this was a common virus (i just found that out) so i was searching all over. Most virus scanners and malware programs missed it (trendmicro online scanner, norton online scanner, Ad-Aware) but MalwareBytes found it all and killed it! I was so happy when it worked!
-Taylor
Re: (Score:2)
That advice works wonders when the file won't delete while it's in use and the registy entries rewrite themselves after you delete them.
Re: (Score:2)
Re:Malwarebytes (Score:5, Informative)
This doesn't work with some variants I've seen. The malware is running as the system, but there are also components that are running as the current user.
Set the permissions to deny SYSTEM access to that key, and the user components change the permissions back before you can delete the key. Killing the user components is useless, as the system components restart them. Killing the system components blue screens the machine, as some are linked into winlogon, and you can't kill that.
Denying your own user write access to the startup keys to get around all this is, obviously, useless.
Offline scan/deletion is the only way to go with this crap.
Re: (Score:3, Informative)
Well, let's see: I could spend who knows how long poking at this, in the hope that I might end up with a clean system(as opposed to a more subtly infected one), or I could just send down an image, and have the system running like new in 20 minutes, 18 of them unattended. Not a hard choice.
Take off and nuke the site from orbit, it's the only way to be sure.
Re: (Score:2)
home users and very small outfits; but it is situations like that where imaging tools are far more useful.
Especially if the home user is cute and wearing the small outfit. The imaging devices (camera etc) are very useful.
Re: (Score:3, Informative)
Process Explorer is your answer to this, from Sysinternals. Suspend, not kill ass the problem processes, then go into properties for winlogon, explorer, etc and the problem dlls will have their own threads inside the process. Suspend the individual threads, then go back and kill everything you suspended. Memory is now clean, go kill the problem files off disk and out of startup entries, then reboot.
Re:Malwarebytes (Score:4, Informative)
That's what Unlocker is for. http://ccollomb.free.fr/unlocker/ [ccollomb.free.fr]
Re: (Score:2)
I did this crap with Blaster back when that was new. I've since reinstalled to greener pastures (leave it at that).
What I did was use a fancy tool to shred the module's drive space allocated to the file. Note that I did NOT use the filesystem API for anything but to find which clusters to hose. Hex editors are fun.
After this was done, a hard reset ensured the process died without having time to do anything useful.
Re:Malwarebytes (Score:5, Informative)
Try this instead.
1. Run Hijackthis and look for any suspicious startup entries. Even the average computer user will be able to rule out most entries as things they recognize, meaning you won't have to google more than a handful, which will probably take 5-10 minutes at the most.
2. Install Unlocker. http://ccollomb.free.fr/unlocker/ [ccollomb.free.fr]
2. Browse to locations of files linked to by suspicious startup entries. Check date created.
3. Go to Windows directory, sort files by date, google suspicious files found since above date. Remove files confirmed to be malware or files for which you cannot find any information. (If you can't find any info on them, they're either randomly generated malware names, or malware too new to show up yet in a search.)
4. Do the same in Windows\System32.
5. Run a system cleanup to delete all Temp files and Temporary Internet Files.
6. Now delete the original malware folder.
7. Delete the startup entries with Hijackthis.
8. Restart computer. Should be clean.
The best part is, this will work with virtually *any* malware infection, and will generally catch things that even Malwarebytes misses.
Re: (Score:2)
Certainly, try Safe Mode.
You might actually have to configure the drive as a slave in another machine to get rid of it, using an offline scan. It's definitely the easiest way to eliminate stuff like this.
I've also seen AV2009 install a rootkit, which can't even be detected by most tools, let alone removed.
You can go to the link in my sig if you can't get it removed. I get rid of this crap for a living, and I'm working on a project currently that will allow me to do offline scans remotely. Cool stuff.
Wait a pain... (Score:4, Informative)
I also had to convince my dad that there was no easy way to sue the "manufacturer" of this program.
Re: (Score:3, Interesting)
Wildly annoying one. (Score:5, Insightful)
I really don't have the time or interest to figure out if the AV is just sucking, and not reporting infections that actually do exist, or if whoever is pushing the software has compromised a bunch of ad providers; but it seems to be a big issue in windows land(poor bastards).
Re: (Score:2)
It's probably the ad providers, but the really disturbing thing is it may be legit. Well-known (I can't quite call something like doubleclick "reputable" but you get the idea) advertising companies have pushed ads for malware sites before. In fact, they've even pushed ads that actually contain malware (Flash-based exploits, mostly - it's a sad day when AdBlock actually improves security as well).
For that matter, while Google doesn't generally do the pop-up-flashing-in-your-face ads, I've seen many examples
Re: (Score:3, Interesting)
I uploaded a few parts of this malware to virustotal.com a few weeks ago, it was picked up by 11% of the av engines tested, ie a very small percentage...
I got it from a machine that had mcafee installed, it didn't detect anything...
They seem to update this malware regularly to avoid detection, and there are typically several versions circulating at any one time. This particular machine had several versions installed which all pointed back to the same bunch of sites...
Good job Microsoft! (Score:5, Funny)
Now let's hope Symantec is not going to sue them... :)
how many users will complain about removal? (Score:5, Interesting)
I wonder how many of the clueless will complain to microsoft that the removal tool removed software THEY HAD PAID FOR
iirc some of the malware and adware 'vendors' had eulas that forbade users to remove their programs
It'll never happen, but I'd like to see one of those guys try to sue microsoft for violating their EULA -would microsoft try to claim that the EULA was invalid?....
One can always dream.
-I'm just sayin'
Heh, what an excellent thought.. (Score:2)
To take into 2009 :-)
Re: (Score:2, Interesting)
Re: (Score:2)
Re: (Score:3, Interesting)
Re: (Score:3, Insightful)
An amusing notion, but it'll never happen for two reasons:
1) EULAs may or may not be enforceable in their usual sense, but a requirement that you can't remove the software doesn't even make sense. The concept of a EULA is that you must agree to the terms in order to use the software. If you're not using the software (i.e. you remove it) you're not bound by the terms anymore.
2) Since this is intentionally malicious software and almost certainly constitutes at least one form of fraud, the owner publicly ident
Re:how many users will complain about removal? (Score:4, Funny)
iirc some of the malware and adware 'vendors' had eulas that forbade users to remove their programs
But if you remove it, you're in violation of the EULA, and therefore are not allowed to use the program, so you must remove it!
Absolutely no problem there.
Re: (Score:3, Interesting)
Well, it's malware, not scareware. That is, it only acts scary to get it downloaded/installed, not to get money. Otherwise, they would have tracked down the payments by now. And if they had paid for it, the customers probably used a credit card. So a large number of them could get it refunded because of the fraud involved.
Is this troublesome to anyone else? (Score:3, Insightful)
The idea of MSFT deleting a program (albeit a piece of malware) from my machine bothers me.
When will their idea of malware differ from mine?
Will they always do it correctly (no collateral damage)?
Re:Is this troublesome to anyone else? (Score:5, Insightful)
Well, the reason you install these programs like Defender is so it deletes the malware for you.
Replace Microsoft with Kaspersky, AVG or one of those other "reputable" AV vendors and ask the same question. They have just as much ability to delete a program.
Re: (Score:2, Informative)
Re: (Score:2)
Do you worry about Symantec AV removing malware from your machine too, in case their definition differs?
Re: (Score:2)
First, you don't have to run the MSRT I suspect you can even blacklist it, but leave Windows Update running normally and automatically otherwise. I don't recommend doing so, but it's your system.
Second, if it did damage your system, you could probably make a civil case about it. This makes it somewhat unlikely MS is ever going to risk actively causing a problem for any significant number of users. I suppose an accident could happen - after all, real antivirus programs have been known to have false positives
Re: (Score:2)
When will their idea of malware differ from mine?
Sometime, perhaps.
Will they always do it correctly (no collateral damage)?
Probably not always.
The question is what alternative do you have? If you know enough to turn this off and install a 3rd-party solution you're probably fine. If you're in the lower 99.8% of Windows users, Microsoft knows way more about what it's doing with Windows than you do.
So, the question isn't whether Microsoft will be perfect but whether you're, on average, better with this than
Re: (Score:2)
Just wait, soon the following will be on their malware list.
anydvd
dvd decryptor
dvd shrink
ISObuster
Those programs have no legitimate purpose and only C R I M I N A L S would have them. you'll be lucky that they only delete it and all *.mp3 and *.mkv files it finds.
Re: (Score:2)
Take off your tin foil hat, man. Put down the gun. Seriously.
MS has been using MSRT for years and no one has targeted your little cd apps.
If youre this paranoid, then dont run it. Uncheck it from automatic updates.
Re: (Score:3, Interesting)
The idea of MSFT deleting a program (albeit a piece of malware) from my machine bothers me.
When will their idea of malware differ from mine?
I had to use Real VNC at my last job and Windows Live OneCare (or whatever it's called) detected and removed it. I would think MRT would ignore questionable software, but for apps/services targeting Joe Sixpack, don't be surprised to see some things like VNC or IRC software flagged as malware.
Re: (Score:2)
Microsoft Forefront does this with VNC too. Drives me nuts.
Re: (Score:2)
Dunno about ForeFront, but there's a whitelist for OneCare. Given hat ForeFront is a business app, I'd expect it to have some centrally configurable whitelist.
A lack of software freedom should trouble everyone (Score:2)
There's no way to know unless you're running free software (software you're free to inspect, share, run, and modify) to do that job.
By the same token, any proprietary software (regardless of its purported task) should be troublesome. Technically there's nothing that prevents a proprietary statistical analysis program from doing things you wouldn't want done without your full consent such as removing programs, altering files, opening a remote access point for someone, or sending information about your compu
Re: (Score:2)
Dont run it then. Uncheck it from automatic updates. No one is putting a gun to your head.
Understating the menace. (Score:5, Insightful)
This family of infectors is probably, by far, the worst spyware/hijacking peice of junk I've ever seen. I can't help but feel that 400,000 isn't nearly the number that has actually been infected, simply because nobody I know actually uses MSRT, and I seriously doubt that any machine that gets infected with it could actually get back into the condition where it can download and/or install MSRT, or virtually any other software. It's just that bad.
Re:Understating the menace. (Score:5, Informative)
nobody I know actually uses MSRT
You might be surprised. The version of MSRT that comes from Windows Update runs in the background once a month and only alerts you when it notices a problem. I've never knowingly run it, but sure enough, if I check my Windows Update history I've installed the December edition.
On a side note, maybe this explains the persistent disk thrashing episodes I still get with Vista, maybe once a month or so...
Re: (Score:2)
Out of curiosity, when do you have Windows Update scheduled (controllable from the Change Settings dialog on the side of the Windows Update window in Vista)? It only takes a few minutes to run the MSRT most of the time, and a couple minutes of disc thrashing at 5AM isn't likely to be a problem.
Re: (Score:3, Interesting)
Literally every single Windows user I know has been infected with this. I removed it several times over the holidays. My wife (and many of her coworkers) where infected...
I know it's not necessarily a representative sample, but I'd be shocked if it was only 400k machines in total.
Re: (Score:2)
Actually, probably most people you know run the MSRT without even noticing. It's a default part of Windows Update and has been for years. Unless you specifically de-select it every month (or blacklist it) it will run automatically.
400,000 is probably the number of computers that got infected but were still sufficiently operable to run Windows Update on automatic, with perhaps a handful of people who manually ran it off a flash drive or similar (it doesn't need to be installed, and it might be possible to re
Re:Understating the menace. (Score:5, Interesting)
>simply because nobody I know actually uses MSRT
MSRT is packaged with windows update. If they have automatic updates set as theyre supposed to then they run it every month. Its just not obvious to the end user. MS uses MSRT for a lot of things. Last time they took down one of the bigger botnets.
Ive seen PCs with "Antivirus 2009" and its precessors still able to use automatic updates. Im sure malware writers will now just disable the service. I believe some versions of Antivirus 2009 did shut down the service.
That said, the real problem here is why legitimate sites are service up the pop-under ads for antivirus 2009. Ad networks need to start vetting their clients. People should just start blocking all ads as a security threat.
family tech support (Score:5, Informative)
Yep, got called round to my brothers house to fix his computer cos it had this stuff on it.
I don't know exactly what it was supposed to be doing, the computer would boot up into winxp and then just freeze. Safe mode worked but safe mode with networking did not, so I guess it was calling home somewhere (thinking about it now I should have just unplugged the network cable to see if that stopped the computer freezing).
Anyways I didn't have any stuff with me and without net access I decided the path of least resistance was to reinstall windows (my brother did not have anything he wanted to keep).
I should have brought round a ubuntu live cd with me.
Re: (Score:2)
MS patting themselves on the back (Score:2, Redundant)
Anyone besides me concerned though that this piece of shit malware was eliminated on that many PCs? Doesn't that just scream that there is something fundamentally wrong with the browser and/or the OS?
Re: (Score:2)
People actually pay to install it and then manually do so. There's not a lot the OS can do when the user is specifically enthusiastic about installing the malware. That is, there's not a lot the OS can do until the malware is specifically identified for removal.
Re:MS patting themselves on the back (Score:5, Informative)
Nope. Try a little research, please. This program spreads through two methods, Trojans and scareware (tricking the user into thinking that his computer is infected, so he buys and installs AV2k9 as a "fix"). Such software can do anything the user can (which, provided you run the program with root/Administrator credentials - like you would if installing something - is anything at all).
In either case, it's a simple matter of Problem Exists Between Keyboard And Chair. The prevalence of malware for Windows does make scareware more likely to work, but in the end it's still a matter of the user telling the OS to do something stupid (run a malicious program) and the OS obeying just like it's supposed to.
Re: (Score:2)
If software can be installed, then your average user is going to do something bad.
Best answer is a web appliance that does email and web browsing and NOTHING ELSE and CANNOT have anything installed on it, no matter how attractive is sounds.
This is all 99% of the "home computer using population" needs. The other 1% can have computers they can screw up to their hearts content. The problem is today this move would put all of the PC manufacturers out of business. It would also put anyone who gets paid for cl
When will people learn (Score:4, Informative)
I'm tired of users like you (Score:4, Insightful)
I'm not saying this as flamebait but I'm really tired of users who consistently post in forum after forum that they don't run antivirus, firewall, or antimalware applications. Then, just like you, they claim they don't have any infections. How would you know even if you had an infection without running a scanner? Online scanners are great but they only cover files that you're going to run of your own volition. They do not cover infections that occur through holes in the browser and/or OS. This is where the fundamental problem lies in your strategy.
Case in point, lets say you browse to a website that uses a hole in your browser to get code onto your system that opens a port via UPNP in your router. Then through the open port your machine starts infecting/spamming others. How would your methods guard against that?
Safe computer habits are great when you can trust your Operating System and browser to be secure all while you're not logged in with an account with "Administrator" (root) level privileges. Too bad Windows can't be trusted to be secure and, therefore, necessitates the need for antivirus, antimalware, and firewall.
Re: (Score:2, Informative)
Yeah, good luck catching rootkits with an online scanner. If you can even get to one once the malware takes over your network stack.
And is that router of yours just a Linksys NAT router or a real UTP device?
Spend a few years fighting this stuff pretty much full time and you'll see how foolish your assumptions are about both the ability of this stuff to find a way into your system, and your ability to detect it and kill it once its there.
Re: (Score:3, Informative)
From the CBL a few months back:
News Alert - 2008/09/22 - A/V is not keeping up
It has become apparent that reliance on Anti-virus software for protection against spam bots is increasingly ineffective, and is reaching "disaster" status.
A large non-profit security organization has recently reported that only 23% of the 30,000 "unique" infections they see per day are detected by _any_ of 35 of the most popular A/V products, and percentage only reaches 50% after the infections have been in the wild for a month. And this includes well-known long standing botnets like Srizbi or Storm.
Many of our correspondants have told us that they've run a whole battery of A/V products on an infected machine that are provably infected with a known bot (by the email they emit), and not found anything.
Given the failure of A/V to help identify/eradicate infections, we can only continue to assert that the best way to prevent bot emission (and CBL detection) is to secure your networks so that ONLY mail servers can send email to the Internet.
Spam bots are out-pacing AV software by leaps and bounds.
Re: (Score:2)
Re: (Score:2, Insightful)
Re: (Score:2)
This.
Re: (Score:2)
Because a computer is too complex for these people. Cripes they have to put a warning label on a curling iron to NOT stick it into any bodily orifices.
if our consumers are stupid enogh to stick a hot curling iron in their ass, ear,mouth, nose ,etcc... then they certianly are not smart enough to be near a computer.
People expect computers to be toasters. They are not, they are highly complex devices.
It does not stop me from collecting all the malware infected dells that are 1yr to 6 months old. I sell th
Re: (Score:2)
Substitute Vista for XP and add the Windows Firewall (which is much better on Vista than XP) since I'm on a laptop that's not always behind a router, and this is true for me as well. There's always the risk of a 0-day exploit, but those are less and less common and there are mitigations for them (like NoScript or other forms of Flash blocking, plus don't run everything as Administrator). Unfortunately, as the software security gets better, it seems the user security gets worse.
It really is a problem of educ
I used to think this way too (Score:2)
Fast forward to work a couple weeks ago, running IE7, Norton Anti-Virus, and the typical corporate firewalls. All I did was have a pop-up ad from a boring site and my
At least Zunes are safe (Score:5, Funny)
Thanks Microsoft for thoughtfully protecting all the Zunes from this outbreak.
Very few PCs run Windows? (Score:4, Funny)
Re: (Score:3, Informative)
The malware may try and stop Windows Update from running (many of them do). For that matter, the kind of people likely to install something like this (it spreads either through Trojans or as scareware, not through system exploits) are probably statistically more likely to have Windows Update turned off entirely. For that matter, this isn't a worm that spreads automatically - it takes substantial user error to get infected in the first place.
All this means that the only infections the MSRT can get to were ei
Why do they know this? (Score:5, Interesting)
Depends (Score:4, Informative)
Some do, some don't, some are configurable. A lot of companies want their tools to check in so that they can measure how widespread something is and react accordingly. For example NOD32 can be configured anywhere from submitting no information to submitting anonymous statistics as well as files it flags as potentially unsafe but can't identify. They want the information because it helps them better update their virus database and respond to new threats faster.
Also many corporate AV/AM products can do very full reporting back to the central server. They'll check in and say when they ran, what they found, where it was, etc.
it got me (Score:2, Insightful)
One rogue program removed per month? (Score:4, Insightful)
So how long will it take to clean up the entire population of Windows PCs?
This kind of propaganda is counterproductive. First of all, this is a negligible effect, secondly it pretends that MS takes care of Windows users, and thirdly it doesn't emphasize that safe computing is far more important than all security software in the world.
Re: (Score:2)
While I would in no way consider myself a computer expert of any sort, I do think I'm more informed than a good number of PC users, yet I managed to get infected. I was running antivirus and a firewall, run adaware and spybot regularly, run opera with popups blocked instead of internet explorer, never download anything from e-mail, and thought I was being careful about what I downloaded. Yet I got infected with an annoying one. Still not sure how that happened. Not looking for advice here, so I'm not going
I'm not sure how they install this (Score:2)
Our website got hit by a AV2k9 redirect issue (Score:3, Informative)
I'm not sure how this happened. Our personal little website (prestopnik.com), got hit by these guys. The put some redirect rules into our .htaccess file, such that if you were visiting our site from one of about 6 different domains, it redirected you to their site. We didn't see it for a long time, because we usually just visit our site directly, but if you were coming from a link in yahoo mail, or found it via google or something you got redirected.
Our hosting tech support said one of our computers was infected, but from looking online, I didn't see signs of an infection on our side, but I'm still not 100% sure what happened, and if we are clean now. I think we run on our shared machine for hosting (linux though), maybe they got in like that?
Re:Our website got hit by a AV2k9 redirect issue (Score:4, Informative)
They may have keylogged you, and got your password to the hosting machine...
Or they could have exploited vulnerable webapps on it...
Unusual for a linux hosted website to get hit by something like this, but not unheard of. You need to make sure the machine wasn't rooted tho, and reinstall if it was.
Time for Linux (Score:4, Interesting)
Re:Time for Linux (Score:5, Interesting)
Sorry about your wife's laptop, but this doesn't happen without the user specifically installing the software.
Even on Linux, she won't be any safer if she isn't instructed not to click on crap and install it.
You would be safer running Vista, as this malware (not virus) was not able to get installed on Vista even when users told it yes. If by chance it even did get installed on Vista, it would have had limited damage compared to XP; things like redirect the web sites, turn off anti-virus etc. (Vista users basically didn't have this problem)
So you convince her to move to Vista yet?
You could also set her up as a 'user' and not let her run crap in administrator mode, and if she needs something installed, have her do the run as and actually type in the password so she knows that she is modifying the computer. (Yes on XP)
On, Vista, have her run as User as well, the password prompt is just automatic and doesn't require her to do 'run as'...
---
I love the stories of 'the last straw' and how horrible Windows is, especially when it is something users have done to themselves. If Windows or MS is guilty of anything here, is that they made Windows too easy for users and hasn't educated people enough. (Like you should have done for your spouse.)
PS She should smack the crap out of you for not explaining what to click on and what not to click on to install, especially from the internet.
Beyond Annoying (Score:3, Informative)
I just had to deal with a new version (friend's PC)- Spyware Guard 2008. What a pain in the ass. This version installed a rootkit, a device driver, locked the HOSTS file, added hidden registry entries, hidden services, parent and child services, downloading stubs to update it to stop detection...antiviruses stopped updating.
I was determined to kill it though. I got SuperAntiSpyware Free edition- free for personal use. Picked up all of the entries (rootkit, files, registry, etc.) and removed them after a reboot, no safe mode necessary. A standalone A/V scan (McAfee boot disc with latest definitions, and a rootkit scan from an OS outside of Windows) turned out clean, which impressed me.
I've also used Malwarebytes on a few PCs- very efficient and effective. I have to PayPal some money to these developers, as these two tools are great and allow even users who were decieved into running this crap to disinfect their own PCs. It also makes a techie's job much easier- a few minutes of running tools versus hours of trying to hack at the thing manually.
I hope whoever is contributing to this P.I.T.A. malware has karma bite them in the ass.
Re: (Score:3, Interesting)
Re: (Score:2)
My continuing policy for repeat infected users is to install Ubuntu or Mandriva. Granted, I'm not sure if you're talking about a corporate user here or not, but all my friends and relatives are getting Linux now.
I'm tired of seeing the disappointment and terror of people who get this shitware on their computers. I'm tired of spending hours trying to fight the damn things, reinstall Windows, update Windows, reinstall apps, wash, rinse, repeat.
So I'm done - either Linux, I tell them, or buy a Mac. Those who h