Security Basics mailing list archives
RE: FakeAlert virus removal
From: "Sam Stern" <samstern () samstern net>
Date: Tue, 2 Dec 2008 17:03:33 -0500
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Alexander Swensen
Sent: Tuesday, December 02, 2008 4:03 PM
To: security-basics () securityfocus com; john.b.williams () gmail com
Subject: Re: FakeAlert virus removal

On Tuesday 02 December 2008 3:07:34 pm John Williams wrote:

Dear List,

I am working with a small local police department to resolve a malware issue on their police web site. When the web site is accessed directly from a browser address bar, the web site displays properly. But when the web site is accessed via a google search, the "FakeAlert" virus for AntiVirus 2009 takes over the browser. I am interested in a) understanding how this virus operates, and b) advice for removing the virus from the web site.

Thank you in advance for your expert advice.
Hiya,

First, it would help to provide the google link that displays the error. Once we know HOW the infection is occurring, we can help you with removing the infection. If you cannot provide this information, then carefully examine where the Google link leads to (using linux + firefox + html inspection tools). Locate the infection by checking for iframe contamination, cross site scripting of the infected website -- it's likely not the website you want but rather looks like the web site or infected advertising and the like.

I am assuming the google search is providing a fake website, else going to the website directly would also yield the infective agent. Thus I suspect you won't be able to remove the infection from your web site -- your website is probably not infected. You'll instead need to deal with the toxic link.

There is the possibility that the computer you're doing the searches from is infected by a redirector class infection (i.e. monster.b is the redirector that causes Windows Antivirus 200x infections under the name of Windows AntiMalware 2009). Does the search from other systems also yield an alarm?

Basically speaking, Antivirus 200x is a mix of an extortion scheme (pay us money or your computer will be unstable and we will assault you with popups and your system will be unstable) and a "protection racket" (pay us money and we will protect you and nothing bad will happen to your computer). The goal of the virus is to coerce the victim into providing billing information in exchange for activating their (that is, the viral) antivirus -- which is itself a virus.

The infection begins either by a drive-by install via a flash, pdf or other method (usually via an infected advertising site) or by presenting a misleading popup advertising various "registry cleaners", "anti spyware" or "anti malware" services. The latter form is a confidence game -- social engineering causing the victim to actually run the program and thus infect themselves.

Regardless of how the user is infected, once they are infected, if they provide payment information or surf to any website with financial or sensitive data, the victim should assume that their identity is now stolen and should take appropriate steps to contain the damage.

The infection is set up by the virus by inserting about 30-50 scheduled tasks, inserting a BHO, inserting 4-5 device drivers, and a startup item. Additional infective agents will require more work as they will use different methods to infect the target system. Once infected, AV 200x will disable most anti-virus software and begin to harass the user into paying monies for its "services". While so haranguing the user, the virus will also sometimes (but not always) download and install a key logger or two and a url redirection agent. This only makes the victim more annoyed. Sometimes the virus will also install a root kit. This is critical to know since AV 200x is not itself a root kit -- however it does download more malware that only complicates the removal of the infection.

To further complicate removal, AV 200x will prevent most cleanup tools from running unless those tools are renamed. On occasion, a secondary infection will cause the victim to be unable to use http to download anything -- the victim needs to use ftp to download cleanup tools.

HTH
Sam S.
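The symptom John describes (clean when typed into the address bar, hostile when reached from a Google result) is the classic sign of injected content that keys on the Referer header, which is why Sam asks for the actual link and suggests inspecting where it leads. The script below is an added example, not code from this thread or from any of its posters: it fetches a page twice without rendering or executing anything, once with no Referer and once with a search-engine Referer, and reports iframes, scripts, meta-refreshes and HTTP redirects that appear only in the "via search" response. The referer string, user agent, host names and the two sample pages are constructed for the demonstration.

```python
"""
Added example (not from the thread): compare a page fetched directly with
the same page fetched with a search-engine Referer, and list resources that
show up only in the referer-triggered response. No script is executed, so
this can be run from an analysis box against a suspected site.
"""
import sys
import urllib.request
from html.parser import HTMLParser

# Assumed values, constructed for the example.
SEARCH_REFERER = "https://www.google.com/search?q=anytown+police+department"
USER_AGENT = "Mozilla/5.0 (Windows NT 6.0) Gecko/20081201 Firefox/3.0.4"


class _EmbedCollector(HTMLParser):
    """Collects what a page pulls in: iframe/script/embed/object sources and
    meta-refresh targets, recorded as 'tag:target'. An iframe sized to 0/1 px
    or hidden via its style attribute is tagged '(hidden)'."""

    def __init__(self):
        super().__init__()
        self.embeds = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in ("iframe", "script", "embed", "object"):
            target = (a.get("src") or a.get("data") or "").strip()
            if not target:
                return
            style = a.get("style", "").replace(" ", "")
            hidden = ""
            if tag == "iframe" and (
                a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                or "display:none" in style or "visibility:hidden" in style
            ):
                hidden = " (hidden)"
            self.embeds.add(f"{tag}:{target}{hidden}")
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.embeds.add(f"meta-refresh:{a.get('content', '').strip()}")


def extract_embeds(html):
    """Return the set of 'tag:target' strings for the resources HTML embeds."""
    p = _EmbedCollector()
    p.feed(html)
    p.close()
    return p.embeds


def injected_only_via_search(direct_html, via_search_html):
    """Resources present only when the page is reached from a search result.
    A non-empty list is the cloaking/injection sign described in the thread."""
    return sorted(extract_embeds(via_search_html) - extract_embeds(direct_html))


def fetch(url, referer=None):
    """Fetch URL without rendering it; returns (final_url, body_text)."""
    headers = {"User-Agent": USER_AGENT}
    if referer:
        headers["Referer"] = referer
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=20) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.geturl(), resp.read().decode(charset, errors="replace")


def check_site(url):
    """Fetch directly and via a search referer; describe the differences."""
    direct_url, direct_html = fetch(url)
    search_url, search_html = fetch(url, referer=SEARCH_REFERER)
    findings = injected_only_via_search(direct_html, search_html)
    if search_url != direct_url:
        findings.insert(0, f"redirect:{direct_url} -> {search_url}")
    return findings


# Constructed sample responses standing in for the two fetches.
CLEAN_PAGE = """<html><head><title>Anytown PD</title>
<script src="/js/menu.js"></script></head>
<body><h1>Anytown Police Department</h1></body></html>"""

INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<iframe src="http://example.invalid/in.php" width="1" height="1" '
    'style="visibility: hidden"></iframe></body>',
)

if __name__ == "__main__":
    if len(sys.argv) == 2:
        for line in check_site(sys.argv[1]) or ["no referer-dependent content found"]:
            print(line)
    else:
        # Offline demo on the constructed pages.
        print(injected_only_via_search(CLEAN_PAGE, INJECTED_PAGE))
```

Run it with a URL to compare the live responses, or with no arguments for the offline demo. Some injections key on the User-Agent or on the client's IP/geolocation rather than the Referer, so a clean diff here does not clear the site; it only tells you whether the Referer is the trigger, which is the case Sam's advice is aimed at. Repeating the check from a second network answers his other question, whether the searching machine itself carries the redirector.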
Current thread:
- FakeAlert virus removal John Williams (Dec 02)
- Re: FakeAlert virus removal Alexander Swensen (Dec 02)
- RE: FakeAlert virus removal Sam Stern (Dec 02)
- Re: FakeAlert virus removal Michael Kennedy (Dec 02)
- Re: FakeAlert virus removal Captain Quirk (Dec 02)
- RE: FakeAlert virus removal Mike Staples (Dec 02)
- <Possible follow-ups>
- Re: FakeAlert virus removal Alexander Swensen (Dec 02)
- Re: FakeAlert virus removal jfvanmeter (Dec 03)
- Re: Re: FakeAlert virus removal Anonymous1941 (Dec 09)
- Re: FakeAlert virus removal Ansgar Wiechers (Dec 09)
- Re: FakeAlert virus removal Alexander Swensen (Dec 02)