Why Malwarebytes, SUPERAntiSpyware is popular?

Discussion in 'other anti-malware software' started by guest, Aug 8, 2008.

Thread Status:
Not open for further replies.
  1. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,770
    Location:
    New Mexico, USA
    My wife's laptop was infected with antivirus 2009. To this day, we don't know where it came from. She said a popup appeared advising something about the computer being infected. She clicked the 'x' to get rid of the popup and the next thing she knows, antivirus 2009 is installed. This is exactly what I would have done and probably most of us here would have done, unless we were familiar with that pest.

    Four or five hours later, around 1 in the morning, I finally got rid of it via MBAM and SAS, which she now has on her computer along with Sandboxie.
     
  2. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    I tested WAV 2009, and the download starts even if you click the "X". Only way to avoid the download is closing Firefox. But for WAV2009 to actually install, you have to open the downloaded exe.
    Maybe your wife was sleepy at that time and doesn't remember well. Or maybe the sample she came across was indeed an automatic install and I tested another one.
     
  3. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    Do you have access to any of the win32.exe exploit drop sites?

    This drops hell on earth and I'm not going to paste that kind of info here; you could kill a system with this easily.

    If you are at all good at research it will be simple to track down a win32.exe file; this is very common and has many sources.
     
  4. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    The autodownload fake scan sites install one version of the rogue, and unless you have your browser configured wrong you do need to click yes at least once to get infected.

    The version I am talking about comes in through VAC and other codecs and does not ask anything; it will just show up. The fact that exploit drops can install what is more or less the identical codec (in terms of fallout) means that these rogues can show up with 0 user interaction.

    Zlob rogues were doing the same thing before from the same exploits before they switched payload. In between they were installing iedefender trojan codecs. I'm sure that in a month the same exploits will have moved on again.

    I won't tell you how to kill your system myself, but if you want to look into it, find yourself either an ieupdater.exe family exploit drop site or a win32.exe exploit drop site and just let it run; you will have rogues installed that you clicked nothing to get.

    If you do this be prepared for multiple rooters and sometimes even a MBR rooter, and forget about VM; most of this stuff will know what you are up to and abort.
     
  5. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    So if I'm not mistaken (please correct me if I am), these threats you talk about download and install rogues and other nasties, BUT they must be installed first, or not?
    My guess is that at some point the user would have to download and run ieupdater or win32, so the original infection is really not automatic. Am I right?
     
  6. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    One thing I think might be causing some confusion here. This family of rogues has two forms for each version in almost all cases. One form comes in from a redirect pointing the user to a fake scan site that has various attempts to start a download automatically; the user has to click something to get these to run unless they have their browser set up to autorun these.

    This is not what I am talking about here. The ones I am talking about come in from other malware and the installer runs without a prompt (unless you have Vista and UAC on).
     
  7. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,770
    Location:
    New Mexico, USA
    Okay, VAC and codecs. Are these things that can come as email attachments, such as audio or visual files?

    That could be a possibility in our case, and it would mean one of my wife's friends may have infected a large number of other people unknowingly. The sad part is, we wouldn't know who the originator is, since she doesn't keep her emails.
     
  8. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA

    These two infections are both exploit born and require nothing more than a hacked/intentionally malicious site, missing patches/updates and bad luck to start them off. The user needs to click nothing and confirm nothing. win32.exe and ieupdater.exe are both mass downloaders and pile it on in hopes that a small fraction of their payload takes through the user's AV.

    Someone has asked for URLs through PM; I trust that no one will destroy their system with what I am giving them.
     
  9. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,770
    Location:
    New Mexico, USA
    Okay, VAC and codecs. Are these things that can come as email attachments, such as audio or visual files?

    That could be a possibility in our case, and it would mean one of my wife's friends may have infected a large number of other people unknowingly. The sad part is, we wouldn't know who the originator is, since she doesn't keep her emails. And, she is adamant that all she did was click the 'x' to close the box.
     
  10. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Yeah, I see that, but that first malware must be user-installed, or not?
     
  11. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    Social engineering is what these use. In almost all cases it's one of these:

    You need this to see your clip
    You need this to hear your music
    You need this to crack your software

    They use current events/software in most cases for new codecs/cracks; this is how iedefender trojan got started, for example.

    If you search for clips of the olympics or clips of a celeb pr0n you will get a high % of malware. Do the same on P2P and malware will likely be a higher % than actual clips.

    They also use current events as a guide to what sites to hack into and add exploits. At Christmas they hack into Santa wish list sites so that when mom and dad log into online vendors' sites to buy the stuff, the malware from the exploit drop can swipe their info. That is what these guys do, put the malware where you are going anyway.
     
  12. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA

    If it's from a codec, yes, the user has to run the codec and 50% of the time also click download first.

    If it's from an exploit nothing needs to be clicked/confirmed and there will be no prompt at any point. Open bad site -> get malware and rogue.
     
  13. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,770
    Location:
    New Mexico, USA
    Thanks, nosirrah. We both remember she was checking her email prior to that thing appearing, and had watched a couple of humorous video clips of some kind, sent to her, and many others, by a friend. I don't know what the clips were or where they came from. I do know that only minutes after viewing the last one, antivirus 2009 was on her machine.

    All the above is a guess on our part, of course. We do know at least two other people who've suffered that damned thing and we're all on each other's forward list, since we personally know all the people.

    In any case, a popup box appeared and she clicked the x to close it. The thing might have already been installed for all I know. All I can say is, it took almost five hours to get rid of it. Much of that time was fooling with several flavors of antivirus scans.
     
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    So, the Symantec advisory above indeed may be misleading, since it doesn't mention that there are two versions - one which does require user interaction.

    Now, this is just silly. The whole point of prevention is to keep this stuff off in the first place. I have no interest in what this malware does if it executes, just blocking it from executing.

    Fair enough.

    You show me a site with a remote code execution exploit and I'll give you 8 preventative solutions. As Ade is fond of saying, "if it can't execute, it can't infect."

    The other attacks, as you point out, do require user interaction, and so we are back to my original premise that preventative measures and user awareness of these devious methods should be stressed as much as the detection/removal measures, wonderful as they are, and certainly needed at this stage of the game. No argument there, and certainly your product seems to be first rate, and for that I commend you.

    I realize that this thread is discussing detection/removal techniques, but some readers might succumb to the subtle assumption that the user is at the mercy of this rogue program, as if it has unbridled leeway to just hop aboard, which is just not correct.

    regards,


    ----
    rich
     
  15. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    @nosirrah
    I just tested win32.exe (BTW, this thread has gone far off topic, maybe mods could split it)
    Going to the infected website opens a prompt asking to download (firefox3) or run or download (IE6). No automatic download.
    Win32.exe downloaded. No automatic execution.
    Win32.exe double clicked. Hell breaks loose! Lots of files in WINDOWS\system32. Rogues automatically installed (BraveSentry).
    Nothing Sandboxie couldn't handle.
    But as I stated in earlier posts, the user must download and install something first.

    If screenshots are needed I'll attach them.

    EDIT: If IE can be configured to run exes automatically (don't know, since I barely use it), this could be a no-interaction disaster.
     
    Last edited: Aug 12, 2008
  16. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    As I said in the PM, this is the link the exploit points to, not the site with the exploit.

    If you go to any of the sites with the exploit you get no prompt for that exe.
     
  17. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    PM sent earlier
     
  18. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Oh, I see. My bad.
    I guess the exploits work only in an unpatched IE, so responsible users would be protected...
     
  19. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Here are examples that might clear things up.

    Form 1

    Fake Scan site. The site I looked at runs everything from javascript.
    First, several files are downloaded:

    Code:
    <script src='fileslist.js'></script>
    <script src='progressbar2.js?v=1.1'></script>
    <script src='common.js'></script>
    
    The fileslist contains the files that you see flashing by as the fake scan runs:

    Code:
    var progressbar;
    
    var scanedfilelist = new Array();
    var viruses = new Array();
    
    function stateaction(state, data)
    {
    	switch(state)
    	{
    		case 'BEGINSCAN':
    			startScan();
    		// ... (excerpt; remainder of the switch omitted)
    
    Code:
    fileslist.js
    
    scanedfilelist[0] = '$winnt$.inf';
    scanedfilelist[1] = '12520437.cpx';
    scanedfilelist[2] = '12520850.cpx';
    scanedfilelist[3] = '6to4svc.dll';
    ....
    scanedfilelist[1098] = 'mqperf.dll';
    scanedfilelist[1099] = 'mqperf.ini';
    
    viruses[1]="Spyware.IEMonster.b";
    viruses[2]="Zlob.PornAdvertiser.Xplisit";
    viruses[3]="Trojan.InfoStealer.Banker.s";
    viruses[4]="Backdoor:Win32/Sivuxa.";
    ...
    viruses[13]="Trj/Downloader.CYL";
    viruses[14]="Spyware/Petro-Line";
    
    [screenshot: winantiv2009-scan.gif]

    By now, the intent is that the user is convinced that the computer is infected.

    Then comes the download prompt box, called by this function:
    Code:
    <SCRIPT language=javascript>
    function crptr3455345345()
    {
    	location.href="/_download.php?aid=77011807&dlth="+dlth;
    }
    
    [screenshot: winantiv2009-dlprompt.gif]

    If the browser is configured to auto-download, the file will download but not run unless the user d-clicks it.
    If the user clicks "Open" then the file will download and run automatically.
    If the user clicks "Save" then the file will download but not run unless the user d-clicks it.
    If the user clicks anything else, including the X for the download window, the download prompt continues to reappear, triggered by the same function crptr3455345345() shown above. The same with the popup alerts. Code excerpts:

    Code:
    function hideWarnDialog()
    {
    	if(confirm('Dont close this window if your want you PC to be clean.'))	{
    		crptr3455345345();
    	}
    	else	{
    		alert_and_dl();
    	};
    };
    function alert_and_dl(){
    	alert("Harmful and malicious software detected. These programs may damage your computer " +
    	      "and steal your private information. Online Security Scanner requires Antivirus 2009 components " +
    	      "to repair your computer. Please click OK to download and install Antivirus 2009 components.");
    	crptr3455345345();
    }
    
    [screenshot: winantiv2009-jspopup2.gif]

    No matter what you click, you stay in a continuous loop. Because these popups take the window focus, it's a mess to exit out of it!

    Form 2

    The site runs a drive-by download, whereby an installer of some type is downloaded and automatically runs and installs the rogue software.

    In a brief search I could not find such a site for ieupdater and win32, but I have an old attack. While the files are different, the effect is the same. Here, the rogue software is a Registry Cleaner.

    eTrust had an analysis of the exploit:

    Actually, these "forced installs," "drive-by downloads," "remote code execution attacks" -- however they are labeled-- are easier to deal with than those of Form 1 type if proper protection is in place, because at the outset, the attack will be aborted and denied by default:

    [screenshot: regcleaner4.gif]

    (Such attacks have also been successfully denied by default when tested by a user with Software Restriction Policies in place)

    That seems to be the case. I've not been able to get these types to run in Opera. (I have to keep my IE6 unpatched for these to run!)

    One reference to ieupdater.exe said that it exploited a vulnerability in Internet Explorer.

    The reason these attacks run automatically and avoid a download prompt box is that the vulnerability in the browser allows the action to be as if the user clicked "Run" or "Open" on the download box. Everything happens in the background.

    In the attack I just showed, I believe the exploit was MS06-014, a still popular one even though patched now for two years!

    EDIT:

    Another form:

    I missed this in reading the posts.

    Preventative measures for all three Forms of this attack are pretty obvious.


    ----
     
    Last edited: Aug 13, 2008
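The Form 1 page Rmus dissects above has a recognisable static shape: a scripted list of "scanned" files and detection names, a confirm()/alert() nag whose every branch ends in the same download function, and a location.href jump to a download script. The following Python script is an added example, not code from the thread or from any product discussed in it; it triages a saved copy of such a page offline by pattern-matching those indicators and walking the page's own JavaScript call graph for the "no matter what you click" loop. The two sample pages are constructed here from the excerpts quoted in the post (array and function names such as scanedfilelist and crptr3455345345 come from those excerpts); the indicator weights and the score threshold are assumptions.

```python
"""Static triage of a saved fake-scan ("scareware") page.

Indicators follow the excerpts quoted in the thread: a JavaScript list of
"scanned" files and fake detection names, a confirm()/alert() nag whose every
branch ends in the same download redirect, and a location.href jump to a
download script. The page is only pattern-matched; its scripts never run.
"""
import re

# Indicator name, pattern, weight (weights are assumed, not from the thread).
# The array names match the quoted kit; a real page may rename them, so the
# call-graph check below does not depend on names at all.
INDICATORS = [
    ("fake_file_list", re.compile(r"scanedfilelist\[\d+\]\s*=\s*'[^']+'"), 2),
    ("fake_virus_list", re.compile(r"viruses\[\d+\]\s*=\s*\"[^\"]+\""), 2),
    ("download_redirect",
     re.compile(r"location\.href\s*=\s*[\"'][^\"']*_download\.php"), 3),
    ("nag_confirm",
     re.compile(r"confirm\([\"'][^\"']*(close|clean|infect)[^\"']*[\"']\)", re.I), 2),
    ("scare_alert",
     re.compile(r"alert\([\"'][^\"']*(malicious|harmful|infected)[^\"']*[\"']", re.I), 2),
    ("progress_bar_script",
     re.compile(r"<script[^>]+src=['\"][^'\"]*progressbar[^'\"]*['\"]", re.I), 1),
]
DOWNLOAD_RE = re.compile(r"location\.href\s*=\s*[\"'][^\"']*_download\.php")
DIALOG_RE = re.compile(r"\b(confirm|alert)\s*\(")
FUNC_RE = re.compile(r"function\s+([A-Za-z_$][\w$]*)\s*\([^)]*\)\s*\{")
CALL_RE = re.compile(r"\b([A-Za-z_][\w$]*)\s*\(")


def extract_functions(src):
    """Map each named JS function to its body text, found by brace matching."""
    funcs = {}
    for m in FUNC_RE.finditer(src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        funcs[m.group(1)] = src[m.end():i - 1]
    return funcs


def reachable(name, calls, seen=None):
    """Transitive set of page-defined functions called from `name`."""
    seen = set() if seen is None else seen
    for callee in calls.get(name, ()):
        if callee not in seen:
            seen.add(callee)
            reachable(callee, calls, seen)
    return seen


def nag_loop(src):
    """True when every function showing a dialog eventually reaches a download redirect."""
    funcs = extract_functions(src)
    calls = {n: {c for c in CALL_RE.findall(b) if c in funcs} for n, b in funcs.items()}
    dialogs = {n for n, b in funcs.items() if DIALOG_RE.search(b)}
    downloads = {n for n, b in funcs.items() if DOWNLOAD_RE.search(b)}
    return bool(dialogs and downloads and
                all(reachable(d, calls) & downloads or d in downloads for d in dialogs))


def triage(src):
    """Score a saved page; returns matched indicator counts, score and verdict."""
    hits = {name: len(rx.findall(src)) for name, rx, _ in INDICATORS}
    score = sum(w for name, _, w in INDICATORS if hits[name])
    found = {n: c for n, c in hits.items() if c}
    if nag_loop(src):
        found["all_dialog_paths_download"] = 1
        score += 3
    verdict = "likely fake-scan page" if score >= 6 else "no fake-scan indicators"
    return {"indicators": found, "score": score, "verdict": verdict}


# Constructed sample modelled on the excerpts quoted in the thread (not a live capture).
FAKE_SCAN_PAGE = r"""
<script src='fileslist.js'></script>
<script src='progressbar2.js?v=1.1'></script>
<script>
var scanedfilelist = new Array();
var viruses = new Array();
scanedfilelist[0] = '$winnt$.inf';
scanedfilelist[1] = '12520437.cpx';
viruses[1]="Spyware.IEMonster.b";
viruses[2]="Zlob.PornAdvertiser.Xplisit";
function crptr3455345345() {
    location.href="/_download.php?aid=77011807&dlth="+dlth;
}
function hideWarnDialog() {
    if(confirm('Dont close this window if your want you PC to be clean.')) {
        crptr3455345345();
    } else {
        alert_and_dl();
    };
};
function alert_and_dl(){
    alert("Harmful and malicious software detected. Please click OK to download and install Antivirus 2009 components.");
    crptr3455345345();
}
</script>
"""

# Constructed benign control: an ordinary page with a progress bar and one confirm().
BENIGN_PAGE = r"""
<script src='progressbar.js'></script>
<script>
function leave() {
    if(confirm('Discard unsaved changes?')) { location.href='/home'; }
}
</script>
"""

if __name__ == "__main__":
    for label, page in (("fake scan", FAKE_SCAN_PAGE), ("benign", BENIGN_PAGE)):
        print(label, triage(page))
```

The name-based indicators are the weakest part, since they only describe this one kit; the call-graph check is what carries over to a renamed kit, because it flags the structural fact that both the "OK" and the "cancel" branch of every dialog lead to the same download function. Running the script on the constructed samples scores the fake-scan page at 15 and the benign page at 1.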
  20. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    This has become a very interesting thread.
    As to:
    ?This is a bad thing ??
    I presume you are referring to analysis/test in a VM ?

    Can these exploits escape eg Sandboxie or DW or GesWall ooi?: as driveby exploit or even if click on "close button"

    Thanks for keeping this going
    Regards.

    heh: the OP has had a fairly full answer to his Q, hasn't he :)
     
    Last edited: Aug 13, 2008
  21. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    I think nosirrah refers to malware that can detect it's being run in a virtual machine (vmware, virtualbox, etc), and doesn't behave like it normally does--->ergo, user thinks it's safe and runs it in real computer.
     
  22. nomarjr3

    nomarjr3 Registered Member

    Joined:
    Jul 31, 2007
    Posts:
    502
    Because they work.
     
  23. 3xist

    3xist Guest

    My Opinion: There is NOT one AV/AS under the sun that can detect ALL MALWARE COVERED or can claim to detect all malware. Different Vendors have different ways of finding malware, and updating the sigs, etc. Even virus total won't detect all malware. Prevention (HIPS) should be your first line of defense, not just relying on detection technologies. MBAM & SAS together do a great job by the way; they "DETECT" a lot of things. :) Really are good ones.

    Other people have different opinions this is mine.
     