
Wanting information about these FakeAlert! strands


11 replies to this topic

#1 flex-it services

flex-it services

  • Members
  • 85 posts
  • OFFLINE
  • Gender:Female
  • Location:Houston
  • Local time:08:40 AM

Posted 15 January 2010 - 11:55 AM

So, I work in the Oilfield industry.
A lot of these folks don't know much about computers. And they are all out in the field. (with the exception of those we have in our corporate and sales offices).

I'm getting a lot of these:

AntiVirus 2008 (Back when i started dealing with these)
AntiVirus 2009
AntiVirus 2010
Internet Security 2010 (trial)
System Defender

etc. I usually see anywhere between 1 -6 a week that come in. Obviously the antivirus our company is using (sadly is panda :thumbsup: )
And I have no say in what the company orders.

I'm curious: is there a similar method where people are getting these? I know it's not over a network or shared devices. I'd like to block some sites if possible in the hosts file if that'll help.

Or if anyone has an idea on the best "monitor" that would help against this. I realize, though, that it's not possible to have total protection with one anti-virus software.

So my two questions are:

Where are these being generated from?
And what is the best method to guard against them?
~~~
It's not what you say, it's how you say it.


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,461 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:10:40 AM

Posted 15 January 2010 - 12:05 PM

Could be PDF exploits or fake online scanners. These rogues are trending toward injecting malware/PDF exploits into legitimate ad streams on legitimate sites or using blackhat SEO to get high into search results for trending topics (like Haiti).

The best way to prevent this is education for the fake online anti-malware scanners and to make sure your computer is using up-to-date programs.

I recommend this program to search for outdated programs:

http://secunia.com/vulnerability_scanning/online/

#3 flex-it services

flex-it services
  • Topic Starter

  • Members
  • 85 posts
  • OFFLINE
  • Gender:Female
  • Location:Houston
  • Local time:08:40 AM

Posted 15 January 2010 - 01:40 PM

Thank you for the info. I found out some of the following information based off what you said.


January 7th, from TrendMicro, an article: Unpatched Adobe Vulnerability Is Still Being Exploited in the Wild

January 13th, Tech Target reports an article: Adobe issues patch fixing month-long PDF zero-day vulnerability

Adobe updated their security on the 12th or the 15th, I can't really tell from their patch notes: Security updates available for Adobe Reader and Acrobat

Something I did find was a software called Web Historian by Mandiant

Not sure if any of this information is useful to anyone. I ran Web Historian. It was great to see all the history, cookies and files that were all downloaded. It pulls all the information from the index.dat file located in the user's profile under (protected folder) Local Settings\History\index.dat
~~~
It's not what you say, it's how you say it.

#4 flex-it services

flex-it services
  • Topic Starter

  • Members
  • 85 posts
  • OFFLINE
  • Gender:Female
  • Location:Houston
  • Local time:08:40 AM

Posted 15 January 2010 - 01:48 PM

While looking over one of the infected machines that I'm testing this Historian file on (I'm going to have to reimage the machine anyway) I came across this:

Visited: User@http://xxx.com/nte/GNH13.exe/oH8bb14314V0100f070006Rb4949b3f102Tc0fa78f7201l0409Kc59fc1a6317
(I changed the user name to protect our user)

I ran a search on GNH13 in Google, and found on bleepingcomputer.com someone else posted something similar to this with Google Redirect.
I found several instances of this in one given day. In this case it was 1/11/10.

Edited by Grinler, 15 January 2010 - 02:02 PM.
disabled hot link

~~~
It's not what you say, it's how you say it.
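The history entry quoted in post #4 has a recognisable shape: an executable name (GNH13.exe) sitting in the middle of the URL path as if it were a directory, followed by a long opaque token. The following script is an added example, not code from the thread or from Mandiant's Web Historian; it parses constructed lines in the "Visited: user@url" form the post shows, flags URLs with that shape, and turns the flagged hosts into hosts-file block lines of the kind the original poster asked about. The sample history, the regex, the 32-character token threshold and the list of executable extensions are all my assumptions; the only line that mirrors the post is the redacted xxx.com entry.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the "Visited: <user>@<url>" shape the thread shows for
# index.dat history exports. Only the second line mirrors the redacted indicator
# quoted in the post; the other three are made up for contrast.
SAMPLE_HISTORY = """\
Visited: User@http://www.example.com/news/index.html
Visited: User@http://xxx.com/nte/GNH13.exe/oH8bb14314V0100f070006Rb4949b3f102Tc0fa78f7201l0409Kc59fc1a6317
Visited: User@http://downloads.example.org/tools/setup.exe
Visited: User@http://ads.example.net/serve/?id=1234
"""

ENTRY_RE = re.compile(r"^Visited:\s*(?P<user>[^@\s]+)@(?P<url>\S+)\s*$")
# Executable extensions worth a second look when they appear mid-path (assumed list).
EXEC_EXT = (".exe", ".scr", ".pif", ".com")
MIN_TOKEN_LEN = 32  # assumed threshold for "long opaque token"


def parse_history(text):
    """Return (user, url) pairs for every well-formed 'Visited:' line; skip the rest."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("user"), m.group("url")))
    return entries


def suspicious_reasons(url):
    """Return the reasons a URL matches the pattern from the thread: an executable
    name used as a directory segment, optionally followed by a long opaque token.
    An empty list means the URL did not match."""
    reasons = []
    segments = [s for s in urlparse(url).path.split("/") if s]
    for i, seg in enumerate(segments):
        # A real download normally ends with the .exe; here the path continues past it.
        if seg.lower().endswith(EXEC_EXT) and i < len(segments) - 1:
            reasons.append("executable name used as a path directory: %s" % seg)
            tail = segments[i + 1]
            if len(tail) >= MIN_TOKEN_LEN and re.fullmatch(r"[0-9A-Za-z]+", tail):
                reasons.append("long opaque token after executable: %d chars" % len(tail))
    return reasons


def find_suspicious(text):
    """Return (user, url, reasons) for each history entry that matches the pattern."""
    hits = []
    for user, url in parse_history(text):
        reasons = suspicious_reasons(url)
        if reasons:
            hits.append((user, url, reasons))
    return hits


def hosts_block_lines(urls):
    """Build hosts-file lines that sinkhole the hosts of the given URLs to 0.0.0.0,
    deduplicated with first-seen order preserved."""
    hosts = []
    for url in urls:
        host = urlparse(url).hostname
        if host and host not in hosts:
            hosts.append(host)
    return ["0.0.0.0 %s" % h for h in hosts]


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_HISTORY)
    for user, url, reasons in hits:
        print(user, url)
        for r in reasons:
            print("   -", r)
    print("\n".join(hosts_block_lines([url for _, url, _ in hits])))
```

Run against the sample, only the xxx.com entry is reported (both reasons fire: the mid-path GNH13.exe and a 63-character token after it), while the ordinary setup.exe download is left alone because its executable name is the final path segment. The hosts lines are a starting point for the blocking the original poster asked about; in practice the host names come from the real history export, and a hosts file only helps for the specific hosts you have already seen, so it complements rather than replaces patching Adobe Reader as the thread advises.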

#5 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,461 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:10:40 AM

Posted 15 January 2010 - 02:05 PM

Yup, that's the one. Pretty sure it uses a PDF exploit.

Can you pm me the link again?

Btw that installs Internet Security 2010.

#6 sdteejay

sdteejay

  • Members
  • 2 posts
  • OFFLINE
  • Local time:07:40 AM

Posted 17 January 2010 - 08:44 PM

Hi, I am a computer novice to say the least. I am an office worker and business owner. I know more than the average but much, much less than many. I downloaded IS 2010 from a fake UPS message with a PDF attached. I ran your malware program and it seemed to work pretty well. However, my screen still has a pink tint. Is this a result of the virus? Can you also recommend a good program for cleaning out my registry? There are so many useless ones out there.
Thanks for your help,
sdteejay

#7 Stang777

Stang777

    Just Hoping To Help


  • Members
  • 1,821 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:08:40 AM

Posted 17 January 2010 - 11:56 PM

Hi and Welcome to BleepingComputer,

I do not know if that is the reason for your screen having a pink tint but I can tell you that BleepingComputer does not endorse the use of any registry cleaner. Using a registry cleaner is usually useless and can do more harm than good.

Edited by Stang777, 17 January 2010 - 11:57 PM.


#8 flex-it services

flex-it services
  • Topic Starter

  • Members
  • 85 posts
  • OFFLINE
  • Gender:Female
  • Location:Houston
  • Local time:08:40 AM

Posted 18 January 2010 - 11:53 AM

Man these viruses coming in are kicking my butt!! - I'm getting like 6 machines a week with these viruses. :thumbsup:

They're making me cry. It's not that I have a problem cleaning them... it's keeping people from getting them! If I could just write a script that says do not write to disk <insert strange file name here>

I've looked into ShadowUser by StorageCraft. But it's like $80/license. I'm sure that a volume license isn't going to be that much cheaper. With over 300 machines out in the field ($24k), I don't think I'm going to get that kind of money approved. Especially since we just put in the new Barracuda. I'm just blubbering - more ranting probably. I realize this should be in my blog. But I guess I'm hoping for a solution to keep these from coming on. Or at least reducing the chances.
~~~
It's not what you say, it's how you say it.

#9 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,461 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:10:40 AM

Posted 18 January 2010 - 02:30 PM

That url you sent me is 100% PDF exploit.

#10 flex-it services

flex-it services
  • Topic Starter

  • Members
  • 85 posts
  • OFFLINE
  • Gender:Female
  • Location:Houston
  • Local time:08:40 AM

Posted 18 January 2010 - 02:50 PM

Yeah, I figured it was. The interesting thing: I wonder if it is one of those redirects that some people are experiencing?
Obviously you just don't go to a numbered website. ... well, in the case of some of my users... it's possible....
But, yeah.

Also, I don't think that US registrations allow for numeric URLs?

Edited by flex-it services, 18 January 2010 - 02:52 PM.

~~~
It's not what you say, it's how you say it.

#11 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,461 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:10:40 AM

Posted 18 January 2010 - 06:03 PM

Numeric URLs are legal as far as I know. I don't think this is a redirect. Probably an ad being injected into a legitimate site's ad stream. That is why you need to make sure you have the latest Adobe Reader installed.

#12 MILGEEK

MILGEEK

  • Members
  • 3 posts
  • OFFLINE
  • Local time:09:40 AM

Posted 27 March 2010 - 09:48 PM

I posted this on another thread.

I personally have used ESET NOD32 for a couple of years now. I found out that McAfee's and Symantec's zero-day attack policy is far from perfect. I only recommend and install (on all systems I work on) ESET now. While the price is a little high, I have yet to have a problem with any type of malware on my system. And with all of the online transactions going on now, I have the peace of mind that I could be on a torrent site as well as my bank at the same time and not worry one bit.

Just an FYI for all!! I have noticed an alarming trend for Wells Fargo internet bankers. The Vista Internet Security, Security Tools, AntiVirus 2009, AntiVirus 2010, Internet Security 2010 (trial) and System Defender rogues have been targeting an unusual amount of computers specific to that bank. Pass the word to all that bank with Wells Fargo. I have been tracking these viruses for a month now and the common thread keeps coming back to WELLS FARGO!
