Rogue Windows Optimization Center

Discussion in 'malware problems & news' started by Franklin, Dec 24, 2010.

Thread Status:
Not open for further replies.
  1. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    New fake MSE alert.

    protect.exe - 10/43 - MD5 : 4f0ad8a4812ebb5eddbf42acecb14b59

    First 1.JPG

    1.JPG

    2.JPG

    3.JPG
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hi Franklin,

    Nice screen shots!

    How would a user encounter this fake alert in the first place?

    thanks,

    rich
     
  3. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,709
    @Rmus

    Hope you and Franklin don't mind me chipping in answering that question..

    Source: http://www.articlesbase.com/securit...ation-center-easily-from-your-pc-3899447.html

    Social engineering. Your mantra of default-deny and robust AE should easily block this unless the user himself allowed it;)
    And I believe Sandboxie ought to contain this easily too...so Franklin can stay happy.:p
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Thanks, safeguy.

    -rich
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    On re-reading the article, I think that in order to install a codec, the user must give administrator rights. Therefore, the malware files get installed automatically.

    I'm not sure how a Sandbox would help in this case, but the average user who gets hit with this stuff is not likely to use such a product.

    These tricks came up the other day with some MAC users, and social engineering exploits have been noted in the past, eg:

    DNS changer Trojan for Mac (!) in the wild
    Published: 2007-11-01
    http://isc.sans.org/diary.html?storyid=3595

    Indeed they will!

    ----
    rich
     
  6. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,709
    @Rmus

    No doubts you've got a point there. Which is why I've explicitly stated "unless the user himself allowed it" and in that case, nothing can stop what an online acquaintance of mine termed as "Stupid Administrator Syndrome" (SAS).:p

    Social engineering is the hardest thing to teach users to prevent themselves from imo. The only thing an Admin can do is to deny the user any rights to install anything (perhaps by not sharing the credentials) if the user doesn't own the PC. In that case, the user can't proceed with the installation and the malware game is over most of the times.

    If the user himself is the Admin of his own PC, then nothing can ever stop him/her from doing whatever he/she wants to do if he/she is adamant not to practice all those safety lessons that has been repeated/nagged upon every now and then...no amount of security software can help since they'll just ignore/disable it.
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    That would seem to be the case, but doesn't *have* to be, IMO.

    Looking at the current rogue exploit - for me, the key part of the article you cited is

    Now, this scenario goes back at least six years, and the MAC exploit I cited above is from 2007, perhaps the first against MAC users.

    I asked myself years ago, Under what conditions would I or anyone whom I've worked with, visit such a web site? The answer is, Never.

    So, in this case, there was nothing to teach, since that situation was/is not within the realm of experience for us.

    Another scenario perhaps more likely is if I or someone I've worked with is confronted with a pop up, as one might encounter on a social networking site. Do you remember Koobface?

    koobface.gif

    There are two easily teachable policies that prevent this exploit from succeeding,

    1) Disregard any message to install anything you didn't specifically go looking for

    2) Download updates only from the vendor's site, using one's own bookmark to go to the site, rather than a link from any other source.

    One other scenario is email-ladden exploits. From my Yahoo account Spam folder recently,

    yahoo-fb1.gif

    All of the links in the email pointed to this same .ru address which led to a Pharmacy site:

    yahoo-fb2.gif

    The policy of not clicking to Log In to *any* site from a link other than one's own bookmark easily takes care of this scenario. I keep a collection of screen shots as above to show people what some of these "enticements" are. A visual aid is much more effective than just spouting a "Thou shalt not."

    When I look closely at all of the social-engineering, so-called, exploits, I find that they are really no-threat to someone who follows secure policies and procedures.

    DISCLAIMER:

    The above comments are from my own experiences with people, whom I've not found hard to teach, and are not meant to be necessarily applicable to anyone else who has no inclination to learn safe computing habits.

    So, I'll take this opportunity for my yearly suggestion to all knowledgeable Wilders Members, to "adopt a user" -- one who will listen, of course -- and show her/him how easy it is to morph these types of exploits into no-threats!

    Happy and Secure Computing In The New Year.

    ----
    rich
     
    Last edited: Dec 26, 2010
  8. wat0114

    wat0114 Guest

    Rmus will always, in an indirect manner :) try to illustrate in these threads the fact that so many of these so called diabolical exploits get installed by unwitting and careless users who unfortunately for them hold the admin key to do so. It's usually that simple.
     
  9. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    And a lot of these rogues install to user's files and not system files.

    XP standard account:
    LUA.JPG
     
  10. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    A software restriction policy might help in this situation. The malware would land in user space but wouldn't be able to execute unless it uses some kind of escalation of privileges exploit.
     
  11. wat0114

    wat0114 Guest

    The damage it can do in user space is significantly less than that in the admin space. At least clean up is easier. Still, a better informed and especially careful user will not download and install this kind of crap anyway.
     
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I've been wondering about something, for quite some time now, when looking at such rogue software.

    One thing they all have in common - at least, I haven't come across a different situation - is that they are in English.

    What I've been wondering is what would be/ what is the % of people, non-English speakers, and who do not understand English, that would be victims of such infections? (Considering such rogue crap would need the users to install them.)

    Perhaps the only words they would be aware of would be words like "Caution", "Attention", which they are used to see in house devices, manufactured by foreign companies.

    Quite recently, upon visiting certain websites, people would (still are, I guess) see similar (99,99% the same, expect for an Upgrade link) to the warnings their browsers display when visiting a known bad website. Obviously, these people would be using their own browser language version. How many would, unwillingly, fall for such similar warning, which AFAIK, would be displayed in English?

    These sort of things make me wonder. I don't know if you ever wondered about it.
    It would be interesting if such test would be conducted to see how people would react in such situations.
     
  13. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Article
     
  14. wat0114

    wat0114 Guest

    So just keep some Russian-based cookies and temp files around and we have nothing to worry about. Cool :D
     
  15. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Thanks for that article. It was interesting to read.

    But, as far as my English allowed me to understand, I don't think that it answered my doubt (If I may call it this way).

    All it is said, is that the rogue will try and detect if the user has visited the mentioned sites. If yes, it will not infect the system. But, this is trying to detect if the user is Russian or from on the those neighbor countries.

    My doubt is: Upon an alert of an infection, which so far I have only seen in English, would a person who does not understand English, be tricked into installing it, when visiting a bad website/hacked website? Or, would this person simply close the tab or web browser, because this person has no idea what it is; it's in a foreign language he/she cannot understand? Or, would they actually feel compelled to install, due to the way such warning would be presented to them, that mimics other malware alerts, that perhaps these people are used to see?
    It would be interesting to know how they would react upon such situation.

    Human mind is tricky to understand, that's for sure. Each person would react differently upon such situation; but, what would be the true % of people who fall for it...
     
  16. wat0114

    wat0114 Guest

    m00nbl00d you're probably over-analyzing things. Either the user installs it or does not install it, based on their combined level of common sense, knowledge and intelligence. If it installs then it's caused most exclusively by PEBKAC.
     
  17. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    If you trying to play a video and its coming up asking for codec to be downloaded and installed, most would likely allow. And I might be wrong, but doesn’t Windows Media Player by default installation automatically download and apply codec?
     
  18. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I could as well be... So, don't take this too serious. I just fell like sharing, though... Who knows what could/can come out of it... lol

    And, I agree with you, in such situation the problem would be the user... but, what made this user be tricked into such?

    I guess this is just my past brief psychology studies that makes me wonder. :D

    But, taking the example of the web browsers security alerts that were/are being mimic by malicious websites/hacked websites. They're in English; and, except for one little detail, they look 99,99% exactly like the real ones.

    Would a person who does not understand English, instantly react to the fake alert and click the Upgrade link that appears in such fake alerts, without even realizing the all text is in a foreign language they do not even understand?

    I mean, all these tricks to make people believe something is must be done, they do work... Such tricks aren't blindly come up with; they have a reason to exist and to be successful.

    They don't necessarily mean lack of judgment by the people who fall for this, though. They just fall for it. They just aren't trained to look at these little details.

    Anyway, I don't want to go further on this topic, though. There's not much to discuss... other than I wished to expose what I was thinking/wondering about. lol
     
  19. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Yummo, prono time. :D

    systemupdate107_231.exe - 6/42 - MD5 : 846f3641b9cad85a089796518bebe4b2

    1.JPG

    2.JPG

    3.JPG

    4.JPG
     
  20. wat0114

    wat0114 Guest

    :D
    Most likely overwhelmed with excitement at the prospect of seeing porn? The prospect of watching a popular movie they'd otherwise have to pay to watch? Just a few thoughts. The brain becomes clouded with emotions and that's when the blunders occur. I'm not sure that language of the warnings has anything to do with it, but maybe it does to some extent.

    **EDIT** I see Franklin's already on the pron tanget :D
     
  21. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    ;)

    -edit-

    Don't mind the edit... I just couldn't post this reply with just the ;) lol

    1. The message you have entered is too short. Please lengthen your message to at least 5 characters.

    :D
     
  22. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Language has nothing to-do with it when the rogue comes as a malicious codec upon attempting to play a video. ;)

     
  23. wat0114

    wat0114 Guest

    I was only responding to m00nbl00d's querry. I'm not sure how wmp handles the codec functionality, only that it can automatically download whatever it supports, afaik. The other night I came across one that I was "advised" to install (not for potential pron viewing ;) ), named something along the lines of: "video-codec411e57.exe". No, I did not install it. MBAM flagged it as a trojan downloader of some sort. Even if it had found nothing on it, I would not have installed it, other than maybe in the vm for curiosity purposes if I was so inclined. BTW, aren't the most common - and safe - codecs for wmp already installed on the computer in the first place, or is this not the case?

    ...............never mind, I see under Help->about wmp->Technical support info, that many indeed are already installed.
     
    Last edited by a moderator: Dec 27, 2010
  24. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Third-party media players installs the codecs that allows also WMP to play the videos, then there are those who likes installing popular codec packages. If you use a codec package, pointless to have a Media player to download and install codecs, if you can’t play a video after installing a codec pack, you best throw the video away! ;)
     
  25. wat0114

    wat0114 Guest

    Yeah, I just find that the default codecs are enough for most anything I'd view. Only divx is one that comes to mind that I had to install some time ago, and I endeavored to acquire it form a reliable source, and there were no problems with it. To a much lesser extent I've also used the 3rd party QT Alternative media player.
     
Loading...
Thread Status:
Not open for further replies.