Security Basics mailing list archives

RE: FakeAlert virus removal


From: "Sam Stern" <samstern () samstern net>
Date: Tue, 2 Dec 2008 17:03:33 -0500



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Alexander Swensen
Sent: Tuesday, December 02, 2008 4:03 PM
To: security-basics () securityfocus com; john.b.williams () gmail com
Subject: Re: FakeAlert virus removal

On Tuesday 02 December 2008 3:07:34 pm John Williams wrote:
Dear List,

I am working with a small local police department to resolve a malware
issue on their police web site. When the web site is accessed directly
from a browser address bar, the web site displays properly. But when
the web site is accessed via a Google search, the "FakeAlert" virus
for AntiVirus 2009 takes over the browser. I am interested in a)
understanding how this virus operates, and b) advice for removing the
virus from the web site.

Thank you in advance for your expert advice.


Hiya,

First, it would help to provide the Google link that displays the error.
Once we know HOW the infection is occurring, we can help you with removing
the infection. If you cannot provide this information, then carefully
examine where the Google link leads to (using Linux + Firefox + HTML
inspection tools). Locate the infection by checking for iframe
contamination, cross-site scripting of the infected website -- it's likely
not the website you want but rather looks like the web site or infected
advertising and the like. I am assuming the Google search is providing a
fake website, else going to the website directly would also yield the
infective agent. Thus I suspect you won't be able to remove the infection
from your web site -- your website is probably not infected. You'll instead
need to deal with the toxic link. There is the possibility that the computer
you're doing the searches from is infected by a redirector class infection
(ie.monster.b is the redirector that causes Windows Antivirus 200x infections
under the name of Windows AntiMalware 2009). Does the search from other
systems also yield an alarm?


Basically speaking, Antivirus 200x is a mix of an extortion scheme (pay us
money or your computer will be unstable and we will assault you with popups
and your system will be unstable) and a "protection racket" (pay us money
and we will protect you and nothing bad will happen to your computer). The
goal of the virus is to coerce the victim into providing billing information
in exchange for activating their (that is, the viral) antivirus -- which is
itself a virus. The infection begins either by a drive-by install via a
Flash, PDF or other method (usually via an infected advertising site) or by
presenting a misleading popup advertising various "registry cleaners", "anti
spyware" or "anti malware" services. The latter form is a confidence game --
social engineering causing the victim to actually run the program and thus
infect themselves. Regardless of how the user is infected, once they are
infected, if they provide payment information or surf to any website with
financial or sensitive data, the victim should assume that their identity is
now stolen and should take appropriate steps to contain the damage.

The infection is set up by the virus by inserting about 30-50 scheduled
tasks, inserting a BHO, inserting 4-5 device drivers, and a startup item.
Additional infective agents will require more work as they will use different
methods to infect the target system.

Once infected, AV 200x will disable most anti-virus software and begin to
harass the user into paying monies for its "services". While so haranguing
the user, the virus will also sometimes (but not always) download and
install a key logger or two and a URL redirection agent. This only makes
the victim more annoyed. Sometimes the virus will also install a rootkit.
This is critical to know since AV 200x is not itself a rootkit -- however
it does download more malware that only complicates the removal of the
infection. To further complicate removal, AV 200x will prevent most cleanup
tools from running unless those tools are renamed. On occasion, a secondary
infection will cause the victim to be unable to use HTTP to download
anything -- the victim needs to use FTP to download cleanup tools.

HTH

Sam S.
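One way to settle the "is it the site or the link" question raised above, as an added example that is not part of this thread: fetch the page once directly and once with a search-engine Referer header, then report iframes, scripts and meta-refreshes that appear only in the referred response. The fetch helper uses urllib; the comparison runs here on two constructed HTML samples (the `attacker.example` host is a made-up placeholder).

```python
import urllib.request
from html.parser import HTMLParser

class TagCollector(HTMLParser):
    """Collect iframe, script and meta-refresh tags with their attributes."""
    def __init__(self):
        super().__init__()
        self.found = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # valueless attributes map to None
        if tag not in ("iframe", "script", "meta"):
            return
        if tag == "meta" and (a.get("http-equiv") or "").lower() != "refresh":
            return
        self.found.append((tag, a.get("src") or a.get("content") or "", a))

def suspicious_tags(html):
    """List loaded resources, flagging ones sized or styled to be invisible."""
    p = TagCollector()
    p.feed(html)
    out = []
    for tag, target, a in p.found:
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = (a.get("width") == "0" or a.get("height") == "0"
                  or "display:none" in style or "visibility:hidden" in style)
        out.append({"tag": tag, "target": target, "hidden": hidden})
    return out

def injected_only_with_referer(direct_html, referred_html):
    """Resources present in the referred response but absent from the direct one."""
    base = {(t["tag"], t["target"]) for t in suspicious_tags(direct_html)}
    return [t for t in suspicious_tags(referred_html)
            if (t["tag"], t["target"]) not in base]

def fetch(url, referer=None):
    """Fetch a page as a browser would, optionally claiming a search-engine referer."""
    headers = {"User-Agent": "Mozilla/5.0"}
    if referer:
        headers["Referer"] = referer
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as r:
        return r.read().decode("utf-8", "replace")

# Constructed samples standing in for the direct and the search-referred responses.
DIRECT = "<html><body><h1>Police Dept</h1><script src='/js/menu.js'></script></body></html>"
REFERRED = DIRECT.replace("</body>", "<iframe src='http://attacker.example/x.php' width=0 "
                          "height=0></iframe><script src='http://attacker.example/r.js'>"
                          "</script></body>")

if __name__ == "__main__":
    for t in injected_only_with_referer(DIRECT, REFERRED):
        print(t)
```

If the two responses differ only when the Referer is present, the server itself (or something in its hosting path) is serving the injection; if they are identical, the browser doing the search is the better suspect, as the reply suggests.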


