Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 11 replies
  • Subscribers 1 subscriber
  • Views 1797 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

FakeAV spreading like wildfire

MawfTech

Hi,

Anyone else noticed that the Mal/FakeAV variants are really going hammer and tong at the moment? I think I've cleaned up about 15 or so in the last week, all new variations on the same thing. One client caught the virus while browsing the Orange.co.uk home page in it seems these are exploiting vulnerabilities in the Java engine as far as I can tell. There are a few basic versions of this but for the most part, these change the wallpaper to a blue background displaying WARNING! You are in danger; your computer is infected with Spyware. After this, a popup window appears seemingly scanning and finding many viruses on your machine called 'System Tool'. Eventually if you follow the somewhat broken english, you're persuaded to hand over payment to clean up the infection.

The above is relatively easy to find and cleanup, the virus seems to deposit a randomly named folder with executable in the c:\documents and settings\all users\application data folder on XP/2000 and c:\users\xxx\appdata\local for vista and 7 (have seem various other locations but these are the most common). Easy enough to search for exe files modified around the time the infection was first noticed (minus a day). The exe can simply be renamed in a dos prompt and then the machine rebooted, Sophos springs back into life, can then be updated to the latest protection and a scan can then be run which almost always detects and alows it to be cleaned up.

Problem is though that on a few systems I've seen the FakeAV variant introduce a new version of TDSS onto systems and it bolts itself directly into the MBR of the machine and we all know just how good the TDSS system is at hiding itself away. Neither the Sophos AV or rootkit scanner were able to find the Troj/TDLMBR-B variant found on a machine infected by the Mal/FakeAV-IU virus until I physically removed the HD from an infected machine and scanned it externally after seeing suspicious web redirections following a successful cleanup of the FakeAV variant. This trojan sits in the master boot record and randomly redirects websites, terminates AV products (mostly unsuccessfully) but very successfully hides itself.

The only cure I've found so far is to rebuild the MBR (with a vista/7 repair or recovery console, fixmbr on XP/2000) or the TDSS killer from rivals Kaspersky seems to work very well too.

Why can't Sophos create a tool like Kaspersky to deal with rootkits properly or a decent bootable standalone package that can actually cleanup rootkits or MBR infections?

Matt

:10167


This thread was automatically locked due to age.
Parents
  • 0

    Hi,

    Yes, these are just visit hits, no clicking on the add. As I said, I watched one kick off from the orange.co.uk home page by just visting it.

    Yes, it's update 24 that's applied to the java engine. Really is full of holes and about tim they patched it more quickly. I guess the best common platform I've found so far is that all these are with IE v.8 and MS have just released a patch for this yesterday/today which seems plausible thatit could be what was being exploited to trigger the Java exploit. I hope it is the fix!

    I can say for sure that at the time of attack, Sophos did not detect the virus as I've moved the FakeAV folder to the root of the after finding it. Sophos scan doesn't see it. Update Sophos and it then detects it. So these are always new exploits not detected at the point of attack by EPS 9.5 - even by HIPS.

    I'll look at the browsercheck site but I'm dubious of this kind of tool that requires adding and add-on to run a check. Quick VM sandbox test should give me some insight into exactly what it's testing though.

    Matt

    :10195
Reply
  • 0

    Hi,

    Yes, these are just visit hits, no clicking on the add. As I said, I watched one kick off from the orange.co.uk home page by just visting it.

    Yes, it's update 24 that's applied to the java engine. Really is full of holes and about tim they patched it more quickly. I guess the best common platform I've found so far is that all these are with IE v.8 and MS have just released a patch for this yesterday/today which seems plausible thatit could be what was being exploited to trigger the Java exploit. I hope it is the fix!

    I can say for sure that at the time of attack, Sophos did not detect the virus as I've moved the FakeAV folder to the root of the after finding it. Sophos scan doesn't see it. Update Sophos and it then detects it. So these are always new exploits not detected at the point of attack by EPS 9.5 - even by HIPS.

    I'll look at the browsercheck site but I'm dubious of this kind of tool that requires adding and add-on to run a check. Quick VM sandbox test should give me some insight into exactly what it's testing though.

    Matt

    :10195
Children
No Data