Antivirus 2009/2010/2012

StarsFan4Life

Golden Member
May 28, 2008
1,199
0
0
Our company has a bit of a problem going on that I have been able to help with, but we want to fix it for good.

Antivirus 2009/2010/2012 - Need I say more?

I have been able to successfully remove it by installing and running the following:

* CleanUp 4.5.2

* Malwarebytes Anti-Malware

* SpyBot Search and Destroy

This, for the majority of the machines, has gotten rid of this crappy Antivirus 2009 software. My questions for you guys are these:

1. How is it installed?

2. Where does it come from?

3. What is the "services" name for it so we can attempt to block it?

4. Have any of you guys been able to block it from being installed in your network?

If anyone has any suggestions, I would greatly appreciate it!
 

Crusty

Lifer
Sep 30, 2001
12,684
2
81
One of the ways I've seen it get installed is that a popup shows up when browsing to questionable sites that says "You've been infected, click here to clean your computer"... bam, you're infected.

Are your users running as local admins? :Q
 

StarsFan4Life

Golden Member
May 28, 2008
1,199
0
0
Originally posted by: compman25
Does your firewall not inspect for virus/malware/spyware?

Yes.

We have Symantec Endpoint installed and Webroot SpySweeper.... none of these catch this crap.
 

techmanc

Golden Member
Aug 20, 2006
1,212
7
81
Not sure how those are configured but you need to tighten your web browser security.
 

wayliff

Lifer
Nov 28, 2002
11,718
9
81
On the machines that have been infected, have you looked at the history to see what has been visited?
Perhaps OpenDNS could help: establish some web filtering rules. Block what is not appropriate for the network.

What software does your firewall use for inspection? Is it up to date?
 

wayliff

Lifer
Nov 28, 2002
11,718
9
81
Originally posted by: StarsFan4Life

1. How is it installed?

2. Where does it come from?

3. What is the "services" name for it so we can attempt to block it?

If anyone has any suggestions, I would greatly appreciate it!

Google the name of the virus \ infection and you'll find all these answers.
 

Quiksilver

Diamond Member
Jul 3, 2005
4,726
0
71
Originally posted by: StarsFan4Life
1. How is it installed?
User Interaction with a rogue popup or site.

2. Where does it come from?
Various sites and rogue popups.

3. What is the "services" name for it so we can attempt to block it?
Google can help you with this one.

4. Have any of you guys been able to block it from being installed in your network?
Does not apply to me.
 

Swampster

Senior member
Mar 17, 2000
349
0
0
Sorry to say, but the best defense for this type of problem is in user education.

The pop-up is not a virus or spyware, so none of your security programs will alert on it.

Remember, a button in a window does what it does because that is what it is programmed to do. Therefore, there is no problem in programming the "X" (close button), for example, to do any number of things.

In the case of the Windows AntiVirus 200x, everything in the window is booby-trapped. I give my users a printout of what legitimate pop-ups and/or notifications they can expect on their system, based on installed software. I instruct them not to touch any window not listed as OK in the printout and to instead right-click on the task bar and select Task Manager and use that to close the window. This seems to make better sense to non-power users than trying to explain how to do the more traditional three-finger salute.

This is the same old "Social Engineering" we have been dealing with for quite a while, only taken to a slightly higher level. In the above example, it will corrupt your antivirus and firewall, leaving it ineffective, but not to the point where Windows Security Center reports it, then it silently downloads and installs its payload.

There are even versions of this that use a rootkit as part of its protection system . . . which can drive you crazy the first time you encounter it.
 

wayliff

Lifer
Nov 28, 2002
11,718
9
81
Originally posted by: Swampster
Sorry to say, but the best defense for this type of problem is in user education.

The pop-up is not a virus or spyware, so none of your security programs will alert on it.

Remember, a button in a window does what it does because that is what it is programmed to do. Therefore, there is no problem in programming the "X" (close button), for example, to do any number of things.

In the case of the Windows AntiVirus 200x, everything in the window is booby-trapped. I give my users a printout of what legitimate pop-ups and/or notifications they can expect on their system, based on installed software. I instruct them not to touch any window not listed as OK in the printout and to instead right-click on the task bar and select Task Manager and use that to close the window. This seems to make better sense to non-power users than trying to explain how to do the more traditional three-finger salute.

This is the same old "Social Engineering" we have been dealing with for quite a while, only taken to a slightly higher level. In the above example, it will corrupt your antivirus and firewall, leaving it ineffective, but not to the point where Windows Security Center reports it, then it silently downloads and installs its payload.

There are even versions of this that use a rootkit as part of its protection system . . . which can drive you crazy the first time you encounter it.

Education is part of the problem but education by itself is not the solution.
In this particular case, I'd say education is secondary.

You cannot trust the user to always do the right thing...
 

Red Squirrel

No Lifer
May 24, 2003
67,907
12,375
126
www.anyf.ca
The only solution would be to switch to a non-IE browser, but I doubt that would pass through management, and it probably would not completely solve the issue.

We have the same problem here where I work and on most of our customer sites. Users are just too stupid and click on these things. I'm sure even with Firefox it probably warns you before, but if you click OK it will download it too; I never tried. I don't even know where people FIND these things. They should be working, not surfing porn sites.

I've also noticed it does not matter if you run as admin or not; it just uses privilege escalation to infect the machine anyway. We have a fairly secure setup here as far as policies and all that go, and nobody runs as admin but IT, yet people still manage to infect the whole machine real good with that crap.
 

LuDaCriS66

Platinum Member
Nov 21, 2001
2,057
0
0
Originally posted by: RedSquirrel
The only solution would be to switch to a non-IE browser, but I doubt that would pass through management, and it probably would not completely solve the issue.

We have the same problem here where I work and on most of our customer sites. Users are just too stupid and click on these things. I'm sure even with Firefox it probably warns you before, but if you click OK it will download it too; I never tried. I don't even know where people FIND these things. They should be working, not surfing porn sites.

I've also noticed it does not matter if you run as admin or not; it just uses privilege escalation to infect the machine anyway. We have a fairly secure setup here as far as policies and all that go, and nobody runs as admin but IT, yet people still manage to infect the whole machine real good with that crap.

Browser choice shouldn't make a difference since these infections are predominantly social engineering based as far as I can tell.

Software restriction policies may help. Don't allow executables to be launched from anywhere except C:\Windows and C:\Program Files. This is especially so that executables can't be launched from browser cache folders.

As for administrative privileges, I'm not sure they use privilege escalation. Limited user accounts, by default, still have access to various autostart entries. I don't know them by heart but closing them off may help, although I have yet to test them myself.
 

techmanc

Golden Member
Aug 20, 2006
1,212
7
81
I have used Firefox for years and it is definitely a safer browser than IE is. For the few places I need IE, like some MS sites, I can use the Firefox add-on IE Tab. There are so many ActiveX websites that IE is vulnerable to that it's not funny. As a standalone solution for my unknowing customers I use ZoneAlarm Security Suite, and while it might slow their systems a bit, it seems to offer the best protection as long as it's configured properly.
 

techmanc

Golden Member
Aug 20, 2006
1,212
7
81
No one who offers alternative OS choices to fix problems with Windows says how they're going to retrain the people on their OS or how to cover all the software that's Windows-only.
 

LikeLinus

Lifer
Jul 25, 2001
11,518
670
126
Originally posted by: techmanc
No one who offers alternative OS choices to fix problems with Windows says how they're going to retrain the people on their OS or how to cover all the software that's Windows-only.

Or the downtime to change out all the systems. The loss of work hours and money from having to retrain people and get their workflow and efficiency up to what it was with Windows. Trying to make sure drivers and external hardware works with the system. Not to mention having to hire IT people who can use and deploy linux.

Yeah, Linux is free!!!!

Idiots like The Keeper are just running their mouths without any actual experience or intelligence. Ignore them.
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: RedSquirrel
The only solution would be to switch to a non-IE browser, but I doubt that would pass through management, and it probably would not completely solve the issue.

We have the same problem here where I work and on most of our customer sites. Users are just too stupid and click on these things. I'm sure even with Firefox it probably warns you before, but if you click OK it will download it too; I never tried. I don't even know where people FIND these things. They should be working, not surfing porn sites.

I've also noticed it does not matter if you run as admin or not; it just uses privilege escalation to infect the machine anyway. We have a fairly secure setup here as far as policies and all that go, and nobody runs as admin but IT, yet people still manage to infect the whole machine real good with that crap.

Wow, what a nice pile of misinformation.

Most of the top preventive steps have already been mentioned.

1) use non-Admin user accounts. If you went down the list of Registry and file-system changes these malwares make, you'd find that they run into dead ends without Admin powers on tap. Sorry, nope, you're not registering yourself as a Service or sticking files in the System32 directory, homies... you stole an unloaded gun :evil: Nice try.

2) if it's available, use Software Restriction Policy. This will knock down both user-initiated and exploit-driven executables if you do it right, as well as generating events in the Windows event logs to inform you what's been going on.

3) keep the systems patched (duh) including browser add-ons that you can't get rid of, since they're a primary attack vector IRL, regardless of your browser of choice. We're talking RealPlayer, QuickTime, Sun Java, Adobe Reader, Adobe Flash Player, etc. Reducing your attack surface in this way reduces the likelihood of an exploit being used to attempt to launch a trojan/downloader.

4) if your users are trainable at all, then educate the users with some screencapture video (here's a sample at YouTube) or live demonstrations, including how to kill the web browser using Task Manager. Encourage them to approach you with anything that makes them suspicious, and don't come down on them when they report stuff. Be positive about it.


Since fraudware sites are planted en masse in search engines, promoted by hacked everyday websites, sneaked onto legit websites using "malvertisements" or exploits, and even promoted by means of fake parking-violation notices in parking lots (believe it!), I feel that the best foundation to build upon is SRP + low-rights accounts.
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: Chadder007
It seems to bypass Mcafee Enterprise and CounterSpy also.

If you cannot implement Software Restriction Policy, then consider creating a suite of behavior-blocking rules in VirusScan Enterprise that perform a similar function on the user's profile directory.

Namely, make a list of all likely filetypes that could launch an attack (.exe, .com, .pif, .scr, .bat and so forth), and for each of these filetypes, create a rule that forbids them being executed (and/or created, if you like) from within the C:\Documents and Settings directory. You'll get notifications in your ePO logs when systems trip these rules, which really helps keep tabs on what's going on.

Also make sure you've enabled all the optional threat categories; they weren't enabled by default in VSE 8.0i.

That said, my experience is that McAfee is not able to keep up with the fraudware scene. Their detection rates are horrible, and they don't analyze malware samples that are sent in to them. I liked the administration and reporting features, but not the actual antivirus software. If you're stuck with McAfee, make lemonade from your lemon by using the behavior-blocking capabilities.
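As an added illustration of the default-deny path rules LuDaCriS66 and mechBgon describe (only C:\Windows and C:\Program Files allowed, executable file types blocked under C:\Documents and Settings and browser cache folders), here is a small Python model of how SRP-style path rules resolve. This is not code from the thread or from Windows; the rule table, the shortened file-type list, the C:\Windows\Temp sub-rule and the sample paths are constructed assumptions.

```python
import ntpath  # Windows path semantics, works on any host OS

# Assumed policy modelled on the thread's advice: everything is Disallowed
# unless a path rule says otherwise. The file-type list is shortened to the
# ones named in the thread; the real designated-file-types list is longer.
DESIGNATED_FILE_TYPES = {".exe", ".com", ".pif", ".scr", ".bat"}
DEFAULT_LEVEL = "Disallowed"
PATH_RULES = [
    (r"C:\Windows", "Unrestricted"),
    (r"C:\Program Files", "Unrestricted"),
    # SRP lets the most specific (longest) matching rule win, so a narrow
    # Disallowed rule can carve a user-writable folder out of a broad allow.
    # Assumed example sub-rule, not something the thread mentions.
    (r"C:\Windows\Temp", "Disallowed"),
]


def _norm(path):
    """Collapse '..' segments and case so prefix checks cannot be dodged."""
    return ntpath.normpath(path).lower()


def _under(path, prefix):
    """True if path is prefix itself or lives below it as a directory.
    The trailing separator stops 'C:\\Program Files' from also matching
    'C:\\Program Files (x86)'."""
    path, prefix = _norm(path), _norm(prefix)
    return path == prefix or path.startswith(prefix + "\\")


def evaluate(path, rules=PATH_RULES, default=DEFAULT_LEVEL):
    """Return (level, matching_rule_prefix_or_None) for a launch attempt.
    Files whose extension is not a designated file type are not governed
    by the policy at all and come back Unrestricted with no rule."""
    if ntpath.splitext(path)[1].lower() not in DESIGNATED_FILE_TYPES:
        return "Unrestricted", None
    best = None
    for prefix, level in rules:
        if _under(path, prefix):
            if best is None or len(_norm(prefix)) > len(_norm(best[0])):
                best = (prefix, level)
    return (default, None) if best is None else (best[1], best[0])


def audit(paths):
    """Classify a batch of constructed launch paths, e.g. from event logs."""
    return [(p,) + evaluate(p) for p in paths]
```

Paths under the browser cache or the user profile fall through to the default and are blocked, while anything the rule for C:\Program Files covers still runs.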
 

The Keeper

Senior member
Mar 27, 2007
291
0
76
The OP asked for a long-term solution against malware; the best solution is obviously a platform that is immune to said malware. Now, actual deployment of Linux in his company is a completely different topic, and I'm sure he has enough initiative to start asking questions if need be. Deploying Linux in a company is not easy or cheap, but it is possible and doable with help from professionals for hire. There are plenty of options to run Windows applications, like Wine or running Windows inside a virtual machine. However, I'm not implying that Linux is perfectly secure. No modern OS ever is.

It is a shame that a few of you had to resort to calling names, but don't worry. I'll forgive you.
 

tcsenter

Lifer
Sep 7, 2001
18,420
293
126
Windows Defender and Malicious Software Removal Tool have been targeting these variants for a few months now and are getting pretty good at it.
 