Drive by virus

OldOwl

New member
I'm always very cautious about where I go on the internet. The local paper has an online version, and they were soliciting Christmas songs from local choirs, orchestras, bands and musicians. My wife suggested I submit a Christmas song I wrote and recorded last year, so I did. They asked for a bio to post with my song as they decided to use it, and it was then I noticed that the background photo was gone from my Myspace page where all my music is. So with my daughter's help I went searching for places to find new BB codes. Found a cool photo from what looked like a legit place, copied the code, and pasted it in.

Right about then, all hell broke loose. 32 infections and it took over my AVS security system which has been fail proof for years. It is a nasty bugger. What it's doing is soliciting a renewal fee for my security software through a fake page. I'm sure that many less savvy people give away all their credit card and personal information with this scam. They asked for everything except my car keys and a date with my wife. I'm quite sure when some unsuspecting person gives out that info, their identity gets stolen, their life is ruined and they STILL have the virus.

Took me three guesses to remember my password to get on here using the wife's computer, which is networked to mine. Amazing hers isn't infected too. My guy who built all 3 machines here said bring it over and he will try to save whatever he can off the machine tomorrow. He said these new viruses that take over your security are called drive-bys and are difficult to fix.

Soooo. Watch where you go on the web and write down any address you click on so you can warn people and report it as a hostile site. I didn't since my software ALWAYS caught whatever was thrown at it.

I'd love to draw a bead on these bastids. :angry:
 
There are a lot of these out there and aggravating as a brady bunch petitioner. I have found the best protection is Microsoft Security Essentials and Malwarebytes' Anti-Malware. The MSSE running is probably the best behaved AV that I have found and does the best job of finding the stuff. However it cannot get rid of all of it, especially the one that you describe. The steps that I use for most of these are:

1. Be sure that MSSE and MBAM are up to date. MSSE will update daily if you will let it and MBAM can be a weekly thing but just update it before you run it.

2. Once MSSE has stopped the thing (which it will usually do but doesn't completely get rid of it so it returns) reboot your PC in safe mode.

3. Run MBAM and let it find and clean anything it can.

4. Now you probably can't get on the Internet so you have to check the settings in your browser. Open your IE Browser and go to Tools=>Internet Options=>Connections=>LAN Settings and see if there is a check in Use a Proxy Server. Take that check out and you should be back in business.

Step 4 is what causes problems as even if you get rid of all the viruses and mal-ware you still can't get on the Internet until you change that.

Some of these seem to be embedded in ads that are displayed on legitimate sites (including msnbc.com) so you can't necessarily avoid them by staying away from funky sites.

Just be sure to have some kind of AV protection running and kept up-to-date. If it is over 24 hours old then it is out of date.

I agree that whoever writes and distributes these things would make great targets for the next machine gun demo.
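Step 4 above is a manual check of the per-user WinINET proxy setting that the rogue software tends to leave behind. As an added example, not part of this thread, the following PowerShell script reads the same setting from the registry so it can be checked (and, with -Clear, reset) on a machine after cleanup. The registry path and value names (ProxyEnable, ProxyServer, ProxyOverride, AutoConfigURL) are the standard Internet Settings keys; the -Clear switch and the helper name are this example's own.

```powershell
# Added example: inspect (and optionally clear) the current user's IE/WinINET proxy
# configuration, which is what the "Use a proxy server" checkbox in
# Tools => Internet Options => Connections => LAN Settings controls.
# Run in an elevated or normal PowerShell; the key is per-user (HKCU), so run it as
# the affected user.
param(
    [switch]$Clear   # hypothetical switch for this example: reset a proxy left behind by malware
)

$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$settings = Get-ItemProperty -Path $key

# A proxy is in effect when ProxyEnable is 1; ProxyServer holds host:port,
# ProxyOverride the bypass list. AutoConfigURL is a PAC script, which can
# redirect traffic even when ProxyEnable is 0.
if ($settings.ProxyEnable -eq 1) {
    Write-Output "Proxy ENABLED  : $($settings.ProxyServer)"
    if ($settings.ProxyOverride) {
        Write-Output "Bypass list    : $($settings.ProxyOverride)"
    }
} else {
    Write-Output 'Proxy disabled ("Use a proxy server" is unchecked).'
}

if ($settings.AutoConfigURL) {
    Write-Output "PAC script set : $($settings.AutoConfigURL)"
}

if ($Clear) {
    # Equivalent of unchecking the box and emptying the address field, plus
    # removing any PAC script. Review the values printed above first.
    Set-ItemProperty -Path $key -Name ProxyEnable -Value 0 -Type DWord
    Remove-ItemProperty -Path $key -Name ProxyServer   -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $key -Name ProxyOverride -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $key -Name AutoConfigURL -ErrorAction SilentlyContinue
    Write-Output 'Proxy settings cleared; restart the browser.'
}
```

Checking AutoConfigURL as well as ProxyEnable matters: a machine can show the proxy box unchecked and still have all browser traffic routed through an attacker-supplied PAC script, which the dialog only shows under "Use automatic configuration script".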
 
That's why I use Linux and the Firefox plugins AdBlock Plus and Request Policy

Add noscript to the plugins. I don't even bother with av software, it's about worthless unless the virus is known. Common sense goes a lot further.
 
Do not get lulled into a false sense of security. I am the IT manager for a college. I have seen viruses attack from every point possible and common sense is helpful but no guarantee at all. Linux is less prone due to the number of systems right now as it is not as profitable as attacking Windows. Macs the same way but there are viruses out there that affect both Mac and Linux as well as cell phone OS's.

As for a virus having to be known, that isn't exactly correct as we are running two devices that can examine code that comes through and catch it based on certain appearances whether it is known or not. Once a virus appears in the wild the turnaround time for it to be known and updates available is about 6 hours so that is the reason for updating your configuration at least every 24 hours. Some of ours update every hour.

On the common sense thing we have pretty much stopped the "virus" problem and really don't have a problem with that. Our main problem is the malware that people actually download. I have seen a few that unless you are very familiar with how everything with the Internet works you can easily be fooled. Lots of these come through email and it is almost impossible to determine the fakes from the real ones. Through my work I can assure you that I have seen more than the average person and more than most people and there is no one simple answer. We have even worked with the FBI on some of them and it even took their specialists several hours to find the code trying to hack the Feds' computers.
 
I'm not in a false sense of security, though I think people with avs mostly are. I have yet to be infected unintentionally since building my comp in 01, and I run windows. When I said virus I meant any type of malicious code/software. As for the emails it's easy to look at domain names of the sender, if that's what you're talking about. Most browsers and email programs even do the work for you now and say "you shouldn't be clicking this". You're looking at code coming through where, and you're searching for known code signatures correct?
 
I haven't found NoScript to be of a significant benefit for the aggravation it causes. When that changes, I'll install it.

Just for the sake of the conversation, where do USACarry users place ClamAV in the pantheon of usable/valuable AV packages?
 
The viruses just get nastier and nastier. I have gone through about 4 hard drives on 2 computers in my household this year. I saved one twice, but the bad ones have gotten so deep within my system, that they prevent things from running like system restore, resetting factory settings as well as other ways to make manual removals. The viruses know how to beat out "Medium-Tech" folks like myself.

I'm afraid to even look in my yahoo spam mailbox!
 
You could've just formatted the drives..
 
Well, my guy took my machine today, ghosted the hard drive and we played a few games of 8 ball while waiting but then it got late and I left it with him to change the partitions and do some updates. I'm just glad it didn't get into the network and kill my wife's and daughter's machines. I guess it was contained in the operating system, so that's good news. Should have it back tomorrow. Probably have to pay him out of the cash I had saved for my new Saiga 12 Ga. :mad: It's always something. Also had to have both U-joints replaced in my truck yesterday for $187 but they did it for free because I do them a lot of favors. That was nice. Woulda been a bad day otherwise.:hang3:
 
... As for the emails its easy to look at domain names of the sender...

Many spammer and virus emails can be spotted by looking at domain names. However, that is not 100% fool-proof. I deal with email at the server level and I can tell you that some spoofed emails are very deceptive, domain names included... Source IP is tougher to spoof, but almost nobody checks that. It would be trivial for me to send an email spoofing the source email address and domain.

You're looking at code coming through where, and you're searching for known code signatures correct?

He's referring to heuristics. It's helpful because it can sometimes catch slightly modified malware that has NOT had a known code signature documented yet. Basically it is a way to look for software that behaves like malware. It's been my experience that heuristics is a fairly minor boost in protection, but perhaps he's seen more of a benefit than I have.

My experience is mostly along the lines of administration/email/troubleshooting and can back FN1910's statement in general.

Literally 97% of the email that hits our network where I work is spam or a virus. It's amazing that anything legit makes it through at all.
 
Your 97% figure for spam etc. is about right. We have a Barracuda box and that thing is well worth the money. Since we installed it about 7 years ago I have seen the percentage of spam slowly rise. Right now about 95% is blocked immediately because of blacklist or similar identities. Another 1-2% is then blocked for meeting the spam filter settings of types of email. Another 1-2% is then passed through but flagged in the subject line of the email as possible spam. That leaves 1-3% as getting through without any flagging. That 1-3% includes advertisements from legitimate vendors, jokes being passed around the Internet, and pictures of babies or such stuff. Out of all the mail sent to us from outside the network about 0.5% is actual useful work related email. :cray: Any time someone comes to my office complaining about spam in their email I just show them the graph from the Barracuda box and threaten to turn it off for them. :to_pick_ones_nose: Very seldom do I have any more complaints. :pleasantry:

I also have a Fortigate firewall that does some email and web filtering along with a monitoring server supplied by Homeland Security and the email server itself does some.

There are several different things that heuristics looks at including known and unknown codes. As you say it is marginal as to how much new stuff it finds. I think that is partly because the turnaround time on patches for new stuff is so quick that there is very little that hits our machines that is not known. The biggest problem is the intentional stuff that people download that opens holes for everything else. When I investigate an infected machine I usually find that it started when they downloaded some "cute" program or didn't pay attention to what it was asking. I have seen machines where there literally was no room left on the screen to display a web page because of all the toolbars at the top of the browser. I didn't realize that there were that many available. :mad:
 
Seems like you can't install anything now without having to uncheck a toolbar box.