Out of the Blue

A reader sent along a note yesterday to warn me his machine picked up a virus infection from a page on CVG after following a link to there from here. I was skeptical this was the case on such a major site, so I visited the page to see what was up. A couple of minutes later I got an antivirus pop-up that started scanning, saying I was infected with a virus, except this was not actually from my AV software. I killed this with the task manager, and removed the infection using Malwarebytes, and restored my system from earlier in the day. I got some weird responses from my antivirus software, and the infection recurred, so I realized the AV software got hijacked along the way, and I repeated that procedure adding an uninstall and reinstall to the checklist, which seems to have cleared things up, ending my tale of woe.

You hear stories about being able to get a virus payload from visiting a page and not even clicking links, but I never knew anyone who actually experienced that (until now), with the weird part being I must have visited the site to post the link in the first place, without incident. Anyway, I notified CVG about the problem, and can only hope that not many of you were impacted by this, and if you were, you managed to clear things up without having to do anything drastic.

R.I.P.: Marvin Isley, Isley Brothers Bass Guitarist. Thanks Mike Martinez.
R.I.P.: Jack Harrison, the last survivor of The Great Escape dies at 97. Thanks Joker961.

Links: Thanks Ant and Mike Martinez and Acleacius.
Play: R-Type: Stage 01.
The Spline.
Kill The Weeds. Thanks Javier.
Links: This Is Pete Rose's Corked Bat. Thanks nin via Dubious Quality.
6 Companies That Make Money Solving Problems (They Made Up). Thanks Joker961.
The Most Expensive and the Coolest Home Theatre in the World. Thanks Digg.
Stories: Lost WWII battlefield found - war dead included. Thanks Joker961.
Banks Paying Colleges For Students Who Rack Up Credit Card Debt.
Dogfish Head Unveils Miles Davis-Inspired Beer, Bitches Brew.
Science: Do aliens live on a Saturn moon? Thanks Kxmode.
Heart attack admissions fall after smoking ban.
Crocodiles Can Surf Across Oceans, Scientists Say.
Images: The Women of Steampunk 2010.
Meet the Tiger Dog- Chinese owners dye pets to look like wild animals.
Camping Newbies Are Always Easy To Spot.
Media: You Became A Meme.
Follow-up: Ocean Saratoga: Another Oil Spill In The Gulf? Coast Guard Investigates.

34 Replies. 2 pages. Viewing page 2.

14. Re: Out of the Blue Jun 9, 2010, 12:09 brother19
 
Mr. Blue: Task Manager won't do it. I dodged this once ("Security Tool") by immediately cutting the power to my system, then booting in safe mode and running Malwarebytes, followed by a Symantec AV scan. Quite some time ago I was not so lucky. As other posters have remarked, clicking on anything, or using Task Manager, is futile. Security Tool may introduce a whole host of malware and some are very difficult to remove. In my first encounter with Security Tool, I spent several hours cleaning up my system. If you note any browsing problems you may have to replace your Windows hosts file, as I did. Good luck! brother19
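The hosts-file check brother19 mentions, as an added PowerShell example that is not part of the original post: before blindly replacing the file, list every active (non-comment) mapping in it so you can see what the infection actually changed. A clean Windows hosts file contains only comments; loopback entries for "localhost" are also normal, and anything else is flagged. Paths and the loopback list are the standard Windows ones, not something taken from the thread.

```powershell
# Added example (not from the Blue's News thread): parse the Windows hosts file
# and flag every mapping that is not a loopback entry for "localhost".
# Fake-AV families commonly add entries here to redirect security vendor sites,
# so a non-empty "Suspicious = True" list is a sign the file needs restoring.

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$loopback  = @('127.0.0.1', '::1')

Get-Content -Path $hostsPath | ForEach-Object {
    $line = ($_ -split '#', 2)[0].Trim()   # drop trailing comments
    if ($line -eq '') { return }           # blank or comment-only line
    $fields = $line -split '\s+'           # "<address> <name> [<name> ...]"
    if ($fields.Count -lt 2) { return }    # malformed line, nothing to map
    $address = $fields[0]
    foreach ($name in $fields[1..($fields.Count - 1)]) {
        $isLoopback = ($loopback -contains $address) -and ($name -ieq 'localhost')
        [pscustomobject]@{
            Address    = $address
            Hostname   = $name
            Suspicious = -not $isLoopback
        }
    }
} | Format-Table -AutoSize
```

Run it from an elevated prompt; the file itself is readable by anyone, but if you then decide to restore it, writing to that directory needs administrator rights. The default file on Windows XP through 7 consists only of comments (the loopback lines are commented out), so an output with no rows is the clean result.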
 
13. Re: Out of the Blue Jun 9, 2010, 11:52 Verno
 
That's what nin is referring to where they have their own app to monitor what you launch, the GPO method I mentioned would prevent you from ever opening Task Manager in the first place. Permission to launch it is literally disabled in Windows itself, you'll know you have it by the legitimate Windows error message "Task Manager has been disabled by your Administrator". It's about the truest form of hijacking I've seen, they basically lock you out of any administrative functions on your own machine. I'm annoyed but continually amazed at how advanced these things are becoming.

If you ever run into it (and chances are you will; it's becoming increasingly common and they target sites like this), you can restore it by booting into safe mode, killing off non-Windows related executables (they try to prevent you from running gpedit or regedit), then rebooting normally, go into Start->Run->gpedit.msc and set User Configuration / Administrative Templates / System / Ctrl+Alt+Delete Options / Remove Task Manager to "Not Configured".
 
 
Playing: The Last of Us Remastered
Watching: Intruders, Coherence, The Rover
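Verno's restore procedure, as an added PowerShell example that is not part of the original post: the gpedit.msc setting "Remove Task Manager" is stored in the registry as the DWORD DisableTaskMgr under the Policies\System key, and the companion policy that blocks regedit ("Prevent access to registry editing tools") is DisableRegistryTools in the same key. Setting a policy back to "Not Configured" simply deletes that value, which is what the script does for both values under HKCU and HKLM. It assumes you run it from an elevated PowerShell prompt after booting into Safe Mode and killing the non-Windows executables, exactly as Verno describes; otherwise the malware just writes the values back.

```powershell
# Added example (not from the Blue's News thread): find and clear the policy
# values a fake AV sets to lock you out of Task Manager and regedit.
# The registry provider still works when regedit.exe is blocked, because
# DisableRegistryTools only gates the Registry Editor, not the registry APIs.

$policyPaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',   # User Configuration in gpedit
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'    # Computer Configuration in gpedit
)
$lockoutValues = @('DisableTaskMgr', 'DisableRegistryTools')

foreach ($path in $policyPaths) {
    if (-not (Test-Path $path)) { continue }
    $props = Get-ItemProperty -Path $path
    foreach ($name in $lockoutValues) {
        $prop = $props.PSObject.Properties[$name]
        if ($null -eq $prop) { continue }          # value absent = policy Not Configured
        Write-Host ("{0}\{1} = {2}" -f $path, $name, $prop.Value)
        if ($prop.Value -ne 0) {
            # Deleting the value is equivalent to choosing "Not Configured" in gpedit.msc.
            Remove-ItemProperty -Path $path -Name $name
            Write-Host "  removed"
        }
    }
}

# Verify: Task Manager should open instead of showing
# "Task Manager has been disabled by your Administrator".
Start-Process -FilePath taskmgr.exe
```

If a value reappears within seconds of being removed, a process is still reapplying it; go back to Safe Mode and kill it first, as Verno and nin both point out, since the policy edit alone does nothing while the malware is running.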
 
12. Re: Out of the Blue Jun 9, 2010, 11:44  Blue 
 
Verno wrote on Jun 9, 2010, 11:38:
Actually they're even more advanced than that now, most ransomware will now just disable Task Manager and other similar functionality via the Group Policy Editor which makes restoring things a royal pain in the ass.

Yes, this one did that -- the first time I was able to pull up the task manager and kill it, but the second time I guess it got a bit further before I got to it, and the task manager would pop up and then close again, but luckily my repeated tries seemed to cause the app to crash.
 
 
Stephen "Blue" Heaslip
Blue's News Publisher, Editor-in-Chief, El Presidente for Life
 
11. Re: Out of the Blue Jun 9, 2010, 11:38 Verno
 
Actually they're even more advanced than that now, most ransomware will now just disable Task Manager and other similar functionality via the Group Policy Editor which makes restoring things a royal pain in the ass.  
 
Playing: The Last of Us Remastered
Watching: Intruders, Coherence, The Rover
 
10. Re: Out of the Blue Jun 9, 2010, 11:30 nin
 
Blue wrote on Jun 9, 2010, 11:15:
This infection took a while to clear up, but it was not that difficult, so I guess I'm lucky... This fake AV was far more elaborate than the type I've previously experienced, which was what my past comment was based on: I've seen simple HTML pop-up windows claiming to have detected an infection, but (as I guess you are aware), this was a full-blown Java dealie that mirrored a complete AV application.

Some of the more popular ones will actually kill the task mangler, by either graying out the button on the ctrl-alt-del screen, or killing the process as soon as you click the button. Others will delete mbam.exe as soon as it's copied locally (so you have a folder of installed files, but missing what you need to run it). I've even seen a few that manage to run in safe mode, which makes cleaning them a lot harder.

 
http://www.nin.com/pub/tension/
 
9. Re: Out of the Blue Jun 9, 2010, 11:28 Verno
 
These things are actually very common these days, I'm a member of some larger forum based communities (SomethingAwful, Ars Technica, etc.) that subsist on ads and we see stuff like this almost weekly. Most of the user base has ended up using AdBlock as a result.

The advertisers can't really help it either, you would need to manually approve each ad (something Ars does with Conde Nast) and you will still miss stuff. These guys buy a banner campaign slot and don't slip the adware in until after it's been approved.

And yeah, having VMWare as a site owner is almost a necessity these days. If nothing else it would let you test compatibility issues between browsers and operating systems.
 
 
Playing: The Last of Us Remastered
Watching: Intruders, Coherence, The Rover
 
8. Re: Out of the Blue Jun 9, 2010, 11:27 fyrestorm
 
Dear Blue,

When experimenting with potentially viral/malicious software, a good alternative to test it with is a virtual machine!

Another helpful tip from your friendly internet hero fyrestorm.
 
 
7. Re: Out of the Blue Jun 9, 2010, 11:15  Blue 
 
mch wrote on Jun 9, 2010, 11:03:
I'm familiar with the fake AV stuff...cleaned a laptop that belonged to my gf's coworker and it was pretty trashed. I remember my first virus - got it from the Eraser bot many years ago. That one was a bit of a pain to get rid of. Glad to hear things cleaned up well

That's kind of funny, because the one other time I got infected was the exact same incident, and it unfolded in a manner eerily similar to this one: I uploaded a local copy of that virused Eraser bot, and when someone told me it had a virus I ran the installer to prove it didn't and got an infection (which did completely trash my machine). Doh!

nin wrote on Jun 9, 2010, 10:46:
This is the sort of malware we were telling you about a couple of weeks ago. (edit: I believe SOMEONE hinted that as long as your AV was up to date, you'd be fine, but I don't have the exact quote in front of me. ) It masquerades as some sort of AV software, but gives a false positive and will claim to fix your problems once you buy their software. It's digital extortion, basically: You pay them, and they (allegedly) go away.

Yes, I am painfully aware of having been hoisted by my own petard on this one, and yes, I got infected in spite of having up-to-date AV software, so I have to eat some crow. This infection took a while to clear up, but it was not that difficult, so I guess I'm lucky... This fake AV was far more elaborate than the type I've previously experienced, which was what my past comment was based on: I've seen simple HTML pop-up windows claiming to have detected an infection, but (as I guess you are aware), this was a full-blown Java dealie that mirrored a complete AV application.
 
 
Stephen "Blue" Heaslip
Blue's News Publisher, Editor-in-Chief, El Presidente for Life
 
6. Re: Out of the Blue Jun 9, 2010, 11:05 Ant
 
Mr. Tact wrote on Jun 9, 2010, 10:48:
Very interesting, Blue.

As you are/were I have been very skeptical about reports of getting a virus from just landing on a web-site. I've had my own PC since 1991 and to date (knock on wood) I've never had a virus -- despite a lot of web surfing.
Me too. I always keep my software updated (e.g., yesterday's MS updates), run firewalls, NAT, scan and clean often with various programs (NAV, SuperAntiSpyware, AntiMalware, mrtscan.exe's full scan, etc.), use non-administrator accounts, avoid Internet Explorer, etc.
 
 
Ant @ The Ant Farm: http://antfarm.ma.cx and Ant's Quality Foraged Links: http://aqfl.net ...
 
5. Re: Out of the Blue Jun 9, 2010, 11:03 mch
 
I'm familiar with the fake AV stuff...cleaned a laptop that belonged to my gf's coworker and it was pretty trashed. I remember my first virus - got it from the Eraser bot many years ago. That one was a bit of a pain to get rid of. Glad to hear things cleaned up well  
PSN: CaseDesignate
 
4. Re: Out of the Blue Jun 9, 2010, 10:58 nin
 
I got a virus once by visiting Foxnews.com

One could argue that foxnews is one giant festering virus.

 
http://www.nin.com/pub/tension/
 
3. Re: Out of the Blue Jun 9, 2010, 10:57 Necrophob
 
I got a virus once by visiting Foxnews.com (for amusement, not news). Turns out their ad rotator would occasionally serve up a virus rather than an ad.  
 
2. Re: Out of the Blue Jun 9, 2010, 10:48 Mr. Tact
 
Very interesting, Blue.

As you are/were I have been very skeptical about reports of getting a virus from just landing on a web-site. I've had my own PC since 1991 and to date (knock on wood) I've never had a virus -- despite a lot of web surfing.
 
Truth is brutal. Prepare for pain.
 
1. Re: Out of the Blue Jun 9, 2010, 10:46 nin
 
A couple of minutes later I got an antivirus pop-up that started scanning, saying I was infected with a virus, except this was not actually from my AV software.

This is the sort of malware we were telling you about a couple of weeks ago. (edit: I believe SOMEONE hinted that as long as your AV was up to date, you'd be fine, but I don't have the exact quote in front of me. ) It masquerades as some sort of AV software, but gives a false positive and will claim to fix your problems once you buy their software. It's digital extortion, basically: You pay them, and they (allegedly) go away.


 
http://www.nin.com/pub/tension/
 