Antivirus XP 2010 not blocked?

Hi,

One of our users managed to get duped into installing XP Antivirus 2010 yesterday. It's an XP Pro machine and they're running EAVBE 4.0.474.

I find it very worrying that a user can click a link and install XP AntiVirus 2010, and ESET didn't block anything?

Needless to say, the only safe solution was to wipe and reinstall their PC, which I did last night. But surely such a well-known malware like this should have been blocked?



Jim

 

If the user allows to run an installation, and the program itself causes no harm - it only displays false positives to force user buying the full version or whatever - there is no real threat.
If you want to detect it by heuristics you will be having milions of false positives, and if you add it to virus definition, there are lot of different versions each day. So it would be impossible to keed track on all of them and real threats would have more free space if developers are focused on users "click everything that says OK" attitude.

So the only reasonable solution is for the user to read properly what he or she is agreeing on.

This is clearly users responsibility.

btw here is a howto remove XP antivirus 2010

 

Same happend here few weeks ago with Antivirus Plus.

Scanned the machine with Avira from a bootable CD and it quarantined the program files.

 

timid, sorry but I disagree. Many users are quite naive and when they see the web page with a fake virus scanner running, they click the button to install. Education, I know, but I'm still very surprised that ESET didn't even flinch.

XP Antivirus 2010 takes over a system. It links into Windows Security Centre, the av.exe process restarts after it's killed, etc. You can't seriously say that it's not a nasty program?





Jim

 

it's not a dangerous program, but it blackmails/scams the user - if that's not the very definition potentially unwanted, I don't know what is.

 

Exactly. And we have the "potentially unwanted" option selected.


Jim

 

Yes, we had this happen last week also but it was labeled Antivirus SE. Unfortunately MalwareBytes completely deleted the files so I wasn't able to submit them to be analyzed.

 

There is a long related thread here
The Rogue remover may work. As previously posted in this thread there are instructions how to remove this rogue Noting that no AV can detect everything.

Regards,

 

Why does the user have Administrator rights in the first place? If they're incapable of telling the difference between a fake antivirus popup, I can't imagine why it would be a good idea to allow them admin rights on the local machine.

Secondly, I understand the frustration, but no AV provides immunity. I had this same infection on a user's laptop that was running AVG Pro, it didn't catch it either.

 

Legacy software. Datafile and Sage (their version) won't run without admin rights.


Jim

 

The user in my organization that received AntiVirus SE does not have administrative rights to the computer however AntiVirus SE still made it through. The machine is running Windows XP SP3 fully patched. My guess is the exploit came through Adobe Flash, since Flash was a couple versions behind.

If only we could get rid of Adobe Flash once and for all........

 

Hello,

It really upsets me when I read people with apparently some computer knowledge affirming that people that get infected by these kind of threats are “happy clickers” [ people that click on everything they see on their computer screen].

Even when I have never been infected by this kind of Internet garbage I have been on the verge of getting infected. For example, the other day I was searching for some information about computers power supplies at Google and I came across with a link that seemed to benign and and clicked on it only to realize that it landed me straight on a Fake Scanner page. I was prompted to choose one of two things by the Fake Scanner page dialog box [1]-Click OK or [2]-Click Cancel; either decision would have had exactly the same effect, to download and install a Rogue AV on my computer without my knowledge.

Because I was smarter than that I just right clicked on the Windows taskbar and Started the Task Manager effectively killing the iexplore.exe process and avoiding myself a headache.
How many people would know exactly what is the right thing to do upon being prompted by a Fake Scanner page? At least my 86 years old grandma wouldn't.

I think that Sandboxing the broweser would be a good start but also I would recommend my folks ESET employees to come up with some kind of refined heuristics so they can detect EVERY variant of the same Rogue AV. What is the point of issuing a new signature for every single variant of the SAME Fake AV? If you keep doing like this you will need to have 10,000,000 of signatures to be able to catch just ONE of hundreds of Fake AVs out there. [e.g.: the Rogue AV named “Security Tool” has more than 100 variants and at least between 5 - 10 appear daily]

I have observed MBAM [Malwarebytes Antimalware which happens not to be a full flagged AV] to wipe out every single Rogue AV you throw at it and it doesn't need to issue a new signature when the Rogue AV writers change the MD5 of their nasty creation.

How can ESET make NOD32 better than it currently is? Please, give it a thought


Regards,



Carlos



P.S.: Please, stop claiming the Rogue AVs are harmless applications because they are installed on your PC through Trojan Downloaders and they in turn also come bundled with Vundo virus, Koobface worm, TDSS rootkit and many more garbage.

 

That's 100% right. You do not need to be running as Adminstrator on the local computer for those Rogues to install. At the department of the company I work for, last week 14 people got hit by “Cleanup Antivirus” Rogue and none of them were running as Administrators on their PCs.


Regards,

Carlos

 

Exactly......what it tells me, is that they are "wanna be" IT people, that they don't actually have a good grasp on the subject.

So many people think it's the end users fault that they got infected. "Ahh..shouldn't have gone to that midget porn website" or "shouldn't have installed that waterfall screensaver" or..."Shouldn't have downloaded that 'free' movie and codecs.." While many of those are true....the way rogue/fake alerts are working these days is targeted at the average "safe" web surfer. The people spreading these rogues are hacking websites out there...legit ones, websites people go to all the time. Or working through ad banners. One day you could go about on your normal daily morning surfing through your usual 10x websites that you go to every morning..the same ones you've been going to every day for years...and one of those websites could have been hacked last night..and BAM...you're infected.

I myself, last winter, while surfing the united auto workers website during the "big 3 gov't buyout" debate...I was using Firefox...BAM, personalantivirus (PAV..one of the common rogues last year) jumped up on my screen. My eset didn't even notice it. Luckily, due to my job...I had huge experience with rogues, I recognized what it was, within milliseconds I was shutting it down via task manager, and going to check the usual spots on my computer where PAV infected you...because I had it memorized after many months of cleaning infected rigs, even though Eset hadn't yet recognized it..lol.

The other thing I notice...so many people are quick to claim "what are they doing with local admin rights?". I see home users who think they know a little bit of computers always say this, and I see IT guys from big enterprise often say this. If we're talking about an SMB setup here (small to medium network)...it's accepted common practice for domain users to have local admin rights. Lots and lots of LOB (Line Of Business) software requires this. Sorry, but it's true. SMB is too small to have full time IT staff to perform upgrades and maint on this software. It's accepted and common practice that they take care of themselves, calling in a consultant only for big jobs...as their budget allows.

 

I apologize for the miscommunication. I wasn't trying to imply that removing admin rights makes a user immune to virus/malware infection. I was merely commenting on the fact that the OP commented on the fact that his users were naive and didn't know better than to click 'OK' on a fake scanner dialog box. I can only assume that these users probably also have every single IE toolbar known to man and every other piece of junk that gets bundled with certain applications. (This is just commentary, I'm not pointing fingers at anyone, just commenting on what was said previously)

To the person that commented on Malwarebytes picking up every variant, that is not true. I've had several removal troubleshoots where I had to use something other than Malwarebytes to detect and remove the infection. (Albeit 98% of the time Malwarebytes gets the job done)

I do find it extremely hard to believe that people are getting infected without any user interaction. I run my home PC without any AV, or personal firewall and have done this for over 10 years now. I've never been infected in my entire life without willingly clicking on something or downloading something that I was about 90% sure was bad idea to do. I've never seen an infection just magically spread to users because they browsed to a legitimate website and didn't click on something. Can someone link me to evidence otherwise?

 

As mentioned above, a simple Google search can land you on a compromised/fake website. They usually use Javascript or vulnerabilities in acrobat/flash plugins to initiate a drive-by download.

 

>> It's an XP Pro machine and they're running EAVBE 4.0.474.

Running a server version on a client machine?

Then - have you considered to give user a LUA (limited user account)?
And let him elevate some programs to admin level with "run as.."?
The GPO is a powerful option for that.
On the other hand - using a secure browser?
The trouble here seems that user clicked without any thought on OK.
Either user missed it by accident - or he should be limited coz user is
no pro or poweruser to help himself to get rid of.

 

Indeed. It looks like it was a toolbar called "Alot", which I've never encountered, that let it in.

Errm.......eh? ESET AntiVirus Business Edition. Has exactly what to do with being a "server version" please?



Jim

 

I'm not sure if linking to off-site pages is permitted on these forums, but a quick google search for IE toolbar vulnerabilities will point you to quite a few known issues with IE toolbars that allow for malicious attacks.

As stated before, no AV provides 100% immunity. So coming to the forums and complaining because something slipped through (that has also been shown to be slipping through other AVs) is pointless. I don't understand how you expect ESET to somehow prevent a user from willingly clicking and installing malicious software 100% of the time. AV software is security IN ADDITION to having a fully patched machine. The system still needs to be fully patched and kept up to date with software updates.

On a side-note, I tried running a Malwarebytes scan on this exact variant that you are discussing, and it did not detect it. AVG Pro also did not detect or remove it. So I don't see how you can argue that "other AV" solutions are doing a better job, when in fact they are not.

 

"Business" runs also on Windows Server, not only on client Windows.
It was ostensible build for server use - in combination with a license file to
download updates and share it in intranet with clients.
BE also contains remote access to clients - not sure if that feature is
activated with a license file - my home does not have it.

ofc - there no limit to use BE on a client - with a license file home and BE
will act same and can mirror updates.

 

There is such a lot of nonsense being written in this thread. There are people with "a little IT knowledge" criticising others who they claim only have, err, a little IT knowledge".

The rogue infections are getting more sophisticated all the time. They are dangerous - they succeed in conning lots of users into releasing their credit card details. They also do not just infect users running with admin rights - more and more infect users running in restricted accounts just as easily. These polymorphic infections change routinely in ways sufficient to bypass most all signature-based AVs - by the time signatures have been added and pushed out to users, the rogues have morphed sufficiently to make those signatures all but useless. One AV vendor has reported approx. 60,000 new variants of these nasties every day. I'm afraid the answer is not (yet) sandboxing - today's sandboxing product offerings are beyond the understanding/capabilities of the average computer user. Any product which requires the user to have IT knowledge beyond that required for the user to use their IT is a non-starter in my book. You don't have to be a mechanic to drive a car, so why do vendors believe you have to be an IT whizzkid to use computers?

I clean these rogues off of (my clients') computers every day - I never rely on automated tools to do the job for me, because I know there is none that will reliably succeed. MBAM is good at what it does, but it is far from 100% effective. No, I boot the client's machine into a custom-built WinPE-based rescue CD or USB stick, unhook the rogue from the client's registry and delete the rogue's primary files and folders. Then I boot back into the client's Windows and remove the important remnants (like proxy server settings, local policy settings, etc.) and use tools like MBAM to finish off the now-orphaned bits and pieces. Knowing how these rogues hook themselves in is key to this approach, and I have been (so far) 100% successful in removals.

In the (current) absence of any effective tool to deal with rogue infections, the best way I have found to tackle this issue is by targetted user education: i.e., to undo the social engineering these rogues use to further themselves. The idea is simple: make sure the user is familiar with what their own security software looks like - this is actually quite an easy task. Then, any security alert that is not from their own (known) software is - by definition - fake. Drill into them the need to react properly the first time: as Zyrtec recognised, it is crucial the user does not interact with the initial fake alert in any way. Train the user to go straight to their start button/orb and restart their computer. More often than not, this will stop the rogue taking hold.

Training users on an individual or group basis is easier than you think - it only takes a few minutes. Of course, training the masses is another matter altogether...

 

erm - how do you get that? i never had any in years...
further

how can you be sure that those "infections" does not leave any crap behind after "cleaning"?
is "cleaning" really possible?

disagree - sorry - thats the same if a child hides its eyes with hands and think its unvisible
no restart or hard reset will prevent installing or working that crap.
the security vulnerability is still present and it needs to be focussed.

 

Sorry, but you are talking rubbish.

EAVBE is for a business environment, requires a minimum of five licenses (we have 122), can be administered by ERAC/ERAS etc. It works on servers, yes - but you cannot "Running a server version on a client machine". That's pretty much like saying that notepad.exe and appwiz.cpl are server versions.

Thank you for your input, but as others have said in this thread - a little knowledge is a dangerous thing. Please don't post if you're posting incorrect information, it's of no help to anyone.



Jim

 

Who is this knucklehead? I smell troll. Begone!

 

I am talking about new clients, who come to me after they get infected. I am not talking about existing clients who get infected.

Because I understand Windows, and the different ways that software can integrate itself. As I said, to date I have had a 100% success rate. On no occasion has a cleaned machine ever shown any symptoms of continued infection.

Mmm, you don't really understand the process of infection, obviously. You present yourself as a 'support specialist', but - as evidenced by your expressed opininons and complete lack of understanding of what EAVBE is - I am having a hard time accepting your 'status'.