Rogue Windows Optimization Center

Discussion in 'malware problems & news' started by Franklin, Dec 24, 2010.

Thread Status:
Not open for further replies.
  1. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    New fake MSE alert.

    protect.exe - 10/43 - MD5 : 4f0ad8a4812ebb5eddbf42acecb14b59

[screenshots attached: 1.JPG, 2.JPG, 3.JPG]
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hi Franklin,

    Nice screen shots!

    How would a user encounter this fake alert in the first place?

    thanks,

    rich
     
  3. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,795
    @Rmus

Hope you and Franklin don't mind me chipping in and answering that question.

    Source: http://www.articlesbase.com/securit...ation-center-easily-from-your-pc-3899447.html

    Social engineering. Your mantra of default-deny and robust AE should easily block this unless the user himself allowed it;)
    And I believe Sandboxie ought to contain this easily too...so Franklin can stay happy.:p
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Thanks, safeguy.

    -rich
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    On re-reading the article, I think that in order to install a codec, the user must give administrator rights. Therefore, the malware files get installed automatically.

    I'm not sure how a Sandbox would help in this case, but the average user who gets hit with this stuff is not likely to use such a product.

These tricks came up the other day with some Mac users, and social engineering exploits have been noted in the past, e.g.:

    DNS changer Trojan for Mac (!) in the wild
    Published: 2007-11-01
    http://isc.sans.org/diary.html?storyid=3595

    Indeed they will!

    ----
    rich
     
  6. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,795
    @Rmus

No doubt you've got a point there. Which is why I've explicitly stated "unless the user himself allowed it", and in that case nothing can stop what an online acquaintance of mine termed "Stupid Administrator Syndrome" (SAS).:p

Social engineering is the hardest thing to teach users to protect themselves from, IMO. The only thing an Admin can do is to deny the user any rights to install anything (perhaps by not sharing the credentials) if the user doesn't own the PC. In that case, the user can't proceed with the installation and the malware game is over most of the time.

If the user himself is the Admin of his own PC, then nothing can ever stop him/her from doing whatever he/she wants to do if he/she is adamant not to practice all those safety lessons that have been repeated/nagged upon every now and then...no amount of security software can help since they'll just ignore/disable it.
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    That would seem to be the case, but doesn't *have* to be, IMO.

    Looking at the current rogue exploit - for me, the key part of the article you cited is

Now, this scenario goes back at least six years, and the Mac exploit I cited above is from 2007, perhaps the first against Mac users.

    I asked myself years ago, Under what conditions would I or anyone whom I've worked with, visit such a web site? The answer is, Never.

    So, in this case, there was nothing to teach, since that situation was/is not within the realm of experience for us.

Another scenario, perhaps more likely, is if I or someone I've worked with is confronted with a pop-up, as one might encounter on a social networking site. Do you remember Koobface?

[screenshot attached: koobface.gif]

There are two easily teachable policies that prevent this exploit from succeeding:

    1) Disregard any message to install anything you didn't specifically go looking for

    2) Download updates only from the vendor's site, using one's own bookmark to go to the site, rather than a link from any other source.

One other scenario is email-laden exploits. From my Yahoo account Spam folder recently:

[screenshot attached: yahoo-fb1.gif]

    All of the links in the email pointed to this same .ru address which led to a Pharmacy site:

[screenshot attached: yahoo-fb2.gif]

    The policy of not clicking to Log In to *any* site from a link other than one's own bookmark easily takes care of this scenario. I keep a collection of screen shots as above to show people what some of these "enticements" are. A visual aid is much more effective than just spouting a "Thou shalt not."

When I look closely at all of the so-called social-engineering exploits, I find that they are really no threat to someone who follows secure policies and procedures.

    DISCLAIMER:

    The above comments are from my own experiences with people, whom I've not found hard to teach, and are not meant to be necessarily applicable to anyone else who has no inclination to learn safe computing habits.

    So, I'll take this opportunity for my yearly suggestion to all knowledgeable Wilders Members, to "adopt a user" -- one who will listen, of course -- and show her/him how easy it is to morph these types of exploits into no-threats!

    Happy and Secure Computing In The New Year.

    ----
    rich
     
    Last edited: Dec 26, 2010
  8. wat0114

    wat0114 Guest

    Rmus will always, in an indirect manner :) try to illustrate in these threads the fact that so many of these so called diabolical exploits get installed by unwitting and careless users who unfortunately for them hold the admin key to do so. It's usually that simple.
     
  9. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    And a lot of these rogues install to user's files and not system files.

XP standard account:
[screenshot attached: LUA.JPG]
     
  10. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    A software restriction policy might help in this situation. The malware would land in user space but wouldn't be able to execute unless it uses some kind of escalation of privileges exploit.
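A default-deny Software Restriction Policy of the kind described above, written here as an added example (not code from the thread) that sets the registry keys SRP reads from. It assumes an elevated prompt, the standard Safer key layout, and that the Windows and Program Files directories are the only places trusted code lives; everything else, including %APPDATA%, %TEMP% and the user's Downloads folder, is refused.

```powershell
# Added example: default-deny SRP via the registry (run elevated, test on a spare machine).
# Executables dropped into user-writable locations are blocked; OS and program dirs still run.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
New-Item -Path $base -Force | Out-Null

# DefaultLevel 0 = Disallowed. 0x40000 (262144) is the Unrestricted level used below for allow rules.
Set-ItemProperty -Path $base -Name DefaultLevel       -Value 0 -Type DWord
Set-ItemProperty -Path $base -Name TransparentEnabled -Value 1 -Type DWord   # enforce for all files except DLLs
Set-ItemProperty -Path $base -Name PolicyScope        -Value 0 -Type DWord   # 0 = applies to all users, admins included

# File types SRP treats as executable (a common subset of the policy editor's default list).
$types = 'BAT','CMD','COM','CPL','EXE','HTA','JS','LNK','MSI','PIF','REG','SCR','VBS','WSF'
Set-ItemProperty -Path $base -Name ExecutableTypes -Value $types -Type MultiString

# Allow rules (Unrestricted level) for the two trusted roots, expressed as registry-path rules
# so they follow the real install locations rather than hard-coded drive letters.
$allowRoot = Join-Path $base '262144\Paths'
$trusted = @(
    '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%',
    '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%'
)
foreach ($dir in $trusted) {
    $rule = Join-Path $allowRoot ([guid]::NewGuid().ToString('B'))   # each rule lives under its own {GUID}
    New-Item -Path $rule -Force | Out-Null
    Set-ItemProperty -Path $rule -Name ItemData    -Value $dir -Type ExpandString
    Set-ItemProperty -Path $rule -Name SaferFlags  -Value 0    -Type DWord
    Set-ItemProperty -Path $rule -Name Description -Value 'Trusted OS/program directory' -Type String
}

# Review what was written: the default level and every allow rule.
Get-ItemProperty -Path $base | Select-Object DefaultLevel, TransparentEnabled, PolicyScope
Get-ChildItem -Path $allowRoot | ForEach-Object {
    Get-ItemProperty -Path $_.PSPath | Select-Object ItemData, SaferFlags, Description
}
```

Log off and back on before testing; a blocked launch from a user-writable folder shows the "This program is blocked by group policy" dialog and is recorded as Event ID 865 in the Application log, which is the signal to watch for when a rogue lands in user space.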
     
  11. wat0114

    wat0114 Guest

The damage it can do in user space is significantly less than that in the admin space. At least cleanup is easier. Still, a better informed and especially careful user will not download and install this kind of crap anyway.
     
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I've been wondering about something, for quite some time now, when looking at such rogue software.

    One thing they all have in common - at least, I haven't come across a different situation - is that they are in English.

    What I've been wondering is what would be/ what is the % of people, non-English speakers, and who do not understand English, that would be victims of such infections? (Considering such rogue crap would need the users to install them.)

Perhaps the only words they would be aware of would be words like "Caution" and "Attention", which they are used to seeing on household devices manufactured by foreign companies.

Quite recently, upon visiting certain websites, people would (and still do, I guess) see warnings similar (99.99% the same, except for an Upgrade link) to the warnings their browsers display when visiting a known bad website. Obviously, these people would be using their own browser language version. How many would, unwittingly, fall for such a similar warning, which AFAIK would be displayed in English?

These sorts of things make me wonder. I don't know if you ever wondered about it.
It would be interesting if such a test were conducted to see how people would react in such situations.
     
  13. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Article
     
  14. wat0114

    wat0114 Guest

    So just keep some Russian-based cookies and temp files around and we have nothing to worry about. Cool :D
     
  15. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Thanks for that article. It was interesting to read.

    But, as far as my English allowed me to understand, I don't think that it answered my doubt (If I may call it this way).

All it says is that the rogue will try to detect if the user has visited the mentioned sites. If yes, it will not infect the system. But this is trying to detect if the user is Russian or from one of those neighboring countries.

My doubt is: upon an alert of an infection, which so far I have only seen in English, would a person who does not understand English be tricked into installing it when visiting a bad website/hacked website? Or would this person simply close the tab or web browser, because this person has no idea what it is; it's in a foreign language he/she cannot understand? Or would they actually feel compelled to install, due to the way such a warning would be presented to them, mimicking other malware alerts that perhaps these people are used to seeing?
It would be interesting to know how they would react in such a situation.

The human mind is tricky to understand, that's for sure. Each person would react differently in such a situation; but what would be the true % of people who fall for it...
     
  16. wat0114

    wat0114 Guest

m00nbl00d, you're probably over-analyzing things. Either the user installs it or does not install it, based on their combined level of common sense, knowledge and intelligence. If it installs then it's caused almost exclusively by PEBKAC.
     
  17. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
If you're trying to play a video and it comes up asking for a codec to be downloaded and installed, most would likely allow it. And I might be wrong, but doesn't Windows Media Player by default automatically download and apply codecs?
     
  18. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
I could well be... So, don't take this too seriously. I just felt like sharing, though... Who knows what could/can come out of it... lol

    And, I agree with you, in such situation the problem would be the user... but, what made this user be tricked into such?

    I guess this is just my past brief psychology studies that makes me wonder. :D

But, taking the example of the web browser security alerts that were/are being mimicked by malicious websites/hacked websites: they're in English; and, except for one little detail, they look 99.99% exactly like the real ones.

Would a person who does not understand English instantly react to the fake alert and click the Upgrade link that appears in such fake alerts, without even realizing that all the text is in a foreign language they do not even understand?

I mean, all these tricks to make people believe something must be done, they do work... Such tricks aren't come up with blindly; they have a reason to exist and to be successful.

    They don't necessarily mean lack of judgment by the people who fall for this, though. They just fall for it. They just aren't trained to look at these little details.

    Anyway, I don't want to go further on this topic, though. There's not much to discuss... other than I wished to expose what I was thinking/wondering about. lol
     
  19. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Yummo, prono time. :D

    systemupdate107_231.exe - 6/42 - MD5 : 846f3641b9cad85a089796518bebe4b2

[screenshots attached: 1.JPG, 2.JPG, 3.JPG, 4.JPG]
     
  20. wat0114

    wat0114 Guest

    :D
    Most likely overwhelmed with excitement at the prospect of seeing porn? The prospect of watching a popular movie they'd otherwise have to pay to watch? Just a few thoughts. The brain becomes clouded with emotions and that's when the blunders occur. I'm not sure that language of the warnings has anything to do with it, but maybe it does to some extent.

**EDIT** I see Franklin's already on the pron tangent :D
     
  21. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    ;)

    -edit-

    Don't mind the edit... I just couldn't post this reply with just the ;) lol

    1. The message you have entered is too short. Please lengthen your message to at least 5 characters.

    :D
     
  22. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
Language has nothing to do with it when the rogue comes as a malicious codec upon attempting to play a video. ;)

     
  23. wat0114

    wat0114 Guest

I was only responding to m00nbl00d's query. I'm not sure how WMP handles the codec functionality, only that it can automatically download whatever it supports, AFAIK. The other night I came across one that I was "advised" to install (not for potential pron viewing ;) ), named something along the lines of "video-codec411e57.exe". No, I did not install it. MBAM flagged it as a trojan downloader of some sort. Even if it had found nothing on it, I would not have installed it, other than maybe in the VM for curiosity purposes if I was so inclined. BTW, aren't the most common - and safe - codecs for WMP already installed on the computer in the first place, or is this not the case?

...never mind, I see under Help->About WMP->Technical support info that many indeed are already installed.
     
    Last edited by a moderator: Dec 27, 2010
  24. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
Third-party media players install the codecs that also allow WMP to play the videos, then there are those who like installing popular codec packages. If you use a codec package, it is pointless to have a media player download and install codecs; if you can't play a video after installing a codec pack, you had best throw the video away! ;)
     
  25. wat0114

    wat0114 Guest

Yeah, I just find that the default codecs are enough for most anything I'd view. Only DivX is one that comes to mind that I had to install some time ago, and I endeavored to acquire it from a reliable source, and there were no problems with it. To a much lesser extent I've also used the 3rd party QT Alternative media player.
     