BleepingComputer.com: Wanting information about these FakeAlert! strands


#1 flex-it services

Posted 15 January 2010 - 11:55 AM

So, I work in the oilfield industry.
A lot of these folks don't know much about computers, and they are all out in the field (with the exception of those we have in our corporate and sales offices).

I'm getting a lot of these:

AntiVirus 2008 (Back when i started dealing with these)
AntiVirus 2009
AntiVirus 2010
Internet Security 2010 (trial)
System Defender

etc. I usually see anywhere between 1-6 a week that come in. Obviously the antivirus our company is using (sadly is Panda :thumbsup: )
And I have no say in what the company orders.

I'm curious: is there a similar method by which people are getting these? I know it's not over a network or shared devices. I'd like to block some sites in the hosts file if that'll help.

Or if anyone has an idea on the best "monitor" that would help against this. I realize, though, that it's not possible to have total protection with one anti-virus software.

So my two questions are:

Where are these being generated from?
And what is the best method to guard against them?
~~~
It's not what you say, it's how you say it.

#2 Grinler

Posted 15 January 2010 - 12:05 PM

Could be PDF exploits or fake online scanners. These rogues are trending toward injecting malware/PDF exploits into legitimate ad streams on legitimate sites, or using blackhat SEO to get high into search results for trending topics (like Haiti).

The best way to prevent this is education for the fake online anti-malware scanners and to make sure your computer is using up-to-date programs.

I recommend this program to search for outdated programs:

http://secunia.com/vulnerability_scanning/online/

#3 flex-it services

Posted 15 January 2010 - 01:40 PM

Thank you for the info. I found out some of the following information based off what you said.

January 7th, from TrendMicro, an article: Unpatched Adobe Vulnerability Is Still Being Exploited in the Wild

January 13th, TechTarget reports an article: Adobe issues patch fixing month-long PDF zero-day vulnerability

Adobe updated their security on the 12th or the 15th; I can't really tell from their patch notes: Security updates available for Adobe Reader and Acrobat

Something I did find was a software called Web Historian by Mandiant

Not sure if any of this information is useful to anyone. I ran Web Historian. It was great to see all the history, cookies and files that were all downloaded. It pulls all the information from the index.dat file located in the user's profile under (protected folder) Local Settings\History\index.dat

#4 flex-it services

Posted 15 January 2010 - 01:48 PM

While looking over one of the infected machines on which I'm testing this Historian file (I'm going to have to reimage the machine anyway), I came across this:

Visited: User@http://xxx.com/nte/GNH13.exe/oH8bb14314V0100f070006Rb4949b3f102Tc0fa78f7201l0409Kc59fc1a6317
(I changed the user name to protect our user)

I ran a search on GNH13 in Google, and found on bleepingcomputer.com that someone else posted something similar to this with Google Redirect.
I found several instances of this in one given day. In this case it was 1/11/10.

This post has been edited by Grinler: 15 January 2010 - 02:02 PM
Reason for edit: disabled hot link

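A defender-side triage check for history entries of the kind quoted in this post, added here as an example; it is not code from the thread or from Web Historian. It parses constructed "Visited: user@url" lines in the shape shown above and flags entries that fetch an executable directly, carry a long opaque token after the executable name (as the GNH13.exe entry does), or sit on a bare IP host. The hosts and paths are constructed and the flagging rules are heuristics I chose, not a vendor signature.

```python
import re
from urllib.parse import urlparse

# Constructed sample lines in the "Visited: user@url" shape reported from
# index.dat above (hosts and paths are made up for this example).
SAMPLE_HISTORY = """\
Visited: User@http://www.example.com/news/index.html
Visited: User@http://xxx.example/nte/GNH13.exe/oH8bb14314V0100f070006Rb4949b3f102Tc0fa78f7201l0409Kc59fc1a6317
Visited: User@http://downloads.example.org/setup/reader.exe
Visited: User@http://203.0.113.5/ad/show.php?id=42
Visited: User@https://mail.example.com/inbox
"""

EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com")

def parse_visited(line):
    """Return (user, url) for a 'Visited: user@url' line, or None."""
    m = re.match(r"^Visited:\s*([^@\s]+)@(\S+)$", line.strip())
    return (m.group(1), m.group(2)) if m else None

def classify(url):
    """Return the reasons this history entry deserves a second look."""
    reasons = []
    p = urlparse(url)
    segments = [s for s in p.path.split("/") if s]
    for i, seg in enumerate(segments):
        if seg.lower().endswith(EXECUTABLE_EXTS):
            reasons.append("executable in path: " + seg)
            # A long opaque path component *after* the executable name, as in
            # the thread's GNH13.exe/oH8bb... entry, is odd for a real download.
            trailing = segments[i + 1:]
            if any(len(t) >= 40 and t.isalnum() for t in trailing):
                reasons.append("opaque token after executable")
            break
    # Raw IP hosts are legal (see the discussion below) but rarely typed by users.
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", p.hostname or ""):
        reasons.append("bare IP host")
    return reasons

def suspicious_entries(history_text):
    """Scan exported history text; return [(url, reasons)] for flagged lines."""
    hits = []
    for line in history_text.splitlines():
        parsed = parse_visited(line)
        if parsed and classify(parsed[1]):
            hits.append((parsed[1], classify(parsed[1])))
    return hits

if __name__ == "__main__":
    for url, why in suspicious_entries(SAMPLE_HISTORY):
        print(url, "->", "; ".join(why))
```

Flagged entries are review candidates, not verdicts; the timestamp for each visit would come from the tool's own output, which this sample format does not carry.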

#5 Grinler

Posted 15 January 2010 - 02:05 PM

Yup, that's the one. Pretty sure it uses a PDF exploit.

Can you PM me the link again?

BTW, that installs Internet Security 2010.

#6 sdteejay

Posted 17 January 2010 - 08:44 PM

Hi, I am a computer novice, to say the least. I am an office worker and business owner. I know more than the average but much, much less than many. I downloaded IS 2010 from a fake UPS message with a PDF attached. I ran your malware program and it seemed to work pretty well. However, my screen still has a pink tint. Is this a result of the virus? Can you also recommend a good program for cleaning out my registry? There are so many useless ones out there.
Thanks for your help,
sdteejay

#7 Stang777

Posted 17 January 2010 - 11:56 PM

Hi and Welcome to BleepingComputer,

I do not know if that is the reason for your screen having a pink tint but I can tell you that BleepingComputer does not endorse the use of any registry cleaner. Using a registry cleaner is usually useless and can do more harm than good.

This post has been edited by Stang777: 17 January 2010 - 11:57 PM


#8 flex-it services

Posted 18 January 2010 - 11:53 AM

Man these viruses coming in are kicking my butt!! - I'm getting like 6 machines a week with these viruses. :thumbsup:

They're making me cry. It's not that I have a problem cleaning them... it's keeping people from getting them! If I could just write a script that says do not write to disk <insert strange file name here>

I've looked into ShadowUser by StorageCraft. But it's like $80/license. I'm sure that a volume license isn't going to be that much cheaper. With over 300 machines out in the field ($24k), I don't think I'm going to get that kind of money approved. Especially since we just put in the new Barracuda. I'm just blubbering - more ranting, probably. I realize this should be in my blog. But I guess I'm hoping for a solution to keep these from coming on. Or at least reducing the chances.

#9 Grinler

Posted 18 January 2010 - 02:30 PM

That URL you sent me is 100% PDF exploit.

#10 flex-it services

Posted 18 January 2010 - 02:50 PM

Yeah, I figured it was. The interesting thing: I wonder if it is one of those redirects that some people are experiencing?
Obviously you just don't go to a numbered website... well, in the case of some of my users... it's possible....
But, yeah.

Also, I don't think that US registrations allow for number URLs?

This post has been edited by flex-it services: 18 January 2010 - 02:52 PM


#11 Grinler

Posted 18 January 2010 - 06:03 PM

Number URLs are legal as far as I know. I don't think this is a redirect. Prob an ad being injected into a legitimate site's ad stream. That is why you need to make sure you have the latest Adobe Reader installed.

#12 MILGEEK

Posted 27 March 2010 - 09:48 PM

I posted this on another thread.

I personally have used ESET NOD32 for a couple of years now. I found out that McAfee's and Symantec's zero-day attack policy is far from perfect. I only recommend and install (on all systems I work on) ESET now. While the price is a little high, I have yet to have a problem with any type of malware on my system. And with all of the online transactions going on now, I have the peace of mind that I could be on a torrent site as well as my bank at the same time and not worry one bit.

Just an FYI for all!! I have noticed an alarming trend for Wells Fargo internet bankers. The Vista Internet Security, Security Tools, AntiVirus 2009, AntiVirus 2010, Internet Security 2010 (trial), System Defender have been targeting an unusual amount of computers specific to that bank. Pass the word to all that bank with Wells Fargo. I have been tracking these viruses for a month now and the common thread keeps coming back to WELLS FARGO!
