Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 11 replies
  • Subscribers 1 subscriber
  • Views 1797 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

FakeAV spreading like wildfire

MawfTech

Hi,

Anyone else noticed that the Mal/FakeAV variants are really going hammer and tong at the moment? I think I've cleaned up about 15 or so in the last week, all new variations on the same thing. One client caught the virus while browsing the Orange.co.uk home page in it seems these are exploiting vulnerabilities in the Java engine as far as I can tell. There are a few basic versions of this but for the most part, these change the wallpaper to a blue background displaying WARNING! You are in danger; your computer is infected with Spyware. After this, a popup window appears seemingly scanning and finding many viruses on your machine called 'System Tool'. Eventually if you follow the somewhat broken english, you're persuaded to hand over payment to clean up the infection.

The above is relatively easy to find and cleanup, the virus seems to deposit a randomly named folder with executable in the c:\documents and settings\all users\application data folder on XP/2000 and c:\users\xxx\appdata\local for vista and 7 (have seem various other locations but these are the most common). Easy enough to search for exe files modified around the time the infection was first noticed (minus a day). The exe can simply be renamed in a dos prompt and then the machine rebooted, Sophos springs back into life, can then be updated to the latest protection and a scan can then be run which almost always detects and alows it to be cleaned up.

Problem is though that on a few systems I've seen the FakeAV variant introduce a new version of TDSS onto systems and it bolts itself directly into the MBR of the machine and we all know just how good the TDSS system is at hiding itself away. Neither the Sophos AV or rootkit scanner were able to find the Troj/TDLMBR-B variant found on a machine infected by the Mal/FakeAV-IU virus until I physically removed the HD from an infected machine and scanned it externally after seeing suspicious web redirections following a successful cleanup of the FakeAV variant. This trojan sits in the master boot record and randomly redirects websites, terminates AV products (mostly unsuccessfully) but very successfully hides itself.

The only cure I've found so far is to rebuild the MBR (with a vista/7 repair or recovery console, fixmbr on XP/2000) or the TDSS killer from rivals Kaspersky seems to work very well too.

Why can't Sophos create a tool like Kaspersky to deal with rootkits properly or a decent bootable standalone package that can actually cleanup rootkits or MBR infections?

Matt

:10167


This thread was automatically locked due to age.
Parents
  • 0

    Hi Christian,

    Yes, many samples submitted and all variations of the FakeAV I've seen are now on the protected list. It's the TDSS variants these introduce when Sophos is down that are extremely difficult to find and deal with. I ran a full scan on a system today using both SAV and the very latest SAR package and neither reported any failures (ok, SAR reported a few hidden internet cache files - not unusual). I've a request in for the standalone installer (which runs on a bootable Linux variant) so I can double check a few clients machines I've dealt with recently.

    The real issue here is why are other vendors able to spot these MBR infections running on an infected machine and Sophos isn't. It can detect it if I scan the HD on another machine i.e. physically remove the disk and scan via USB cable etc. In this instance, I simply used the Kaspersky TDSS killer tool they freely provide on their website. It found the MBR infection and just dealt with it in one easy move on the infected machine. I'd like that sort of capability from Sophos - even just the ability to actually spot the virus would be a useful start.

    Matt

    :10173
Reply
  • 0

    Hi Christian,

    Yes, many samples submitted and all variations of the FakeAV I've seen are now on the protected list. It's the TDSS variants these introduce when Sophos is down that are extremely difficult to find and deal with. I ran a full scan on a system today using both SAV and the very latest SAR package and neither reported any failures (ok, SAR reported a few hidden internet cache files - not unusual). I've a request in for the standalone installer (which runs on a bootable Linux variant) so I can double check a few clients machines I've dealt with recently.

    The real issue here is why are other vendors able to spot these MBR infections running on an infected machine and Sophos isn't. It can detect it if I scan the HD on another machine i.e. physically remove the disk and scan via USB cable etc. In this instance, I simply used the Kaspersky TDSS killer tool they freely provide on their website. It found the MBR infection and just dealt with it in one easy move on the infected machine. I'd like that sort of capability from Sophos - even just the ability to actually spot the virus would be a useful start.

    Matt

    :10173
Children
No Data