SlySoft Forum > SlySoft Talk (english) > General Chat

#1
2nd January 2012, 07:36
Pelvis Popcan (Senior Member; Join Date: Jan 2007; Posts: 1,377)
Rootkit / Malware outbreak in December 2011 - Fake AV and Google Redirects

I got hit last week browsing SomethingAwful.com and spent days restoring my systems with clean backup images. I later found out that this seems to be affecting a lot of people and started at the end of November 2011.

The infection will happen simply by web browsing. Executable code runs then installs a rootkit which so far seems to be redirecting Google search results, as well as running fake scareware antivirus program .exe's (name depending on your OS; "XP/Vista/Windows 7 Security 2012", it might be called something else like "Cloud AV" as well).

This outbreak appears to affect every version of Windows (including Win7 x64), and every browser (including Chrome, Firefox, and IE). It also appears that MalwareBytes, MSE, and most all other real time malware protection programs do not stop the infection. HijackThis won't show it. If you manage to find the infected files (I found one using TDSSKiller) and upload them to VirusTotal.com, only the uninfected portion of the file will be uploaded and it will return a clean scan. That's why it's a rootkit. Your system appears clean and all affected files have clean checksums, when in fact they don't.

If you do get hit, you will be able to remove the fake AV programs and fix your registry (they change some registry keys so that any program or .exe file will start them up), but the Rootkit will remain on your system and redownload and rerun the scareware .exe's hours to days later, as well as continue to redirect Google search results. This is EXTREMELY SERIOUS because it means that it can run executables at any time. Essentially, someone somewhere has complete control of your PC.

So far, very little is known on where this infection is coming from and how it's running executable code just by browsing. Everything from ad banners to imgur to reddit to servers on various websites have been suggested, as well as Flash, Java, Javascript, Microsoft .NET, and Adobe Reader.

If you do get hit, barring a reformat, I would suggest:

ComboFix: Save to the desktop. Boot into Safe Mode with Network Support, but disconnect your modem or router from the net. Run ComboFix from the desktop.

Reboot, then do TDSSKiller, then finally MalwareBytes.

Some other tools I would suggest trying if you have problems:

HitMan Pro 3.6

McAfee Rootkit Remover (released recently and is supposed to clean all versions of the ZeroAccess rootkit that they know about)

Microsoft did release four updates to .NET on 12/29, which is not only an out of band update, but one that must have required Microsoft employees to come in over the holidays to work on. I read on ZDNet the holes they patched do in fact allow arbitrary code execution, and that it affects every version of Windows from XP to 7 (workstation and server of all versions), so it certainly seems possible that could be the back door this infection is using. Make sure you go to windowsupdate.microsoft.com and do a manual check there to ensure you have everything.

Make sure you update Flash, Java, Adobe Reader, Shockwave Player, and you have everything from windowsupdate.microsoft.com. Install AdBlock Plus and use the Easylist subscription. If you're on IE like me, use an IE Ad Blocker with Easylist; I used Simple Adblock which is $30.

http://blogs.mcafee.com/mcafee-labs/...ned-installers (This talks about a variant of this infection that runs from digitally signed standalone installers, like Adobe Flash.)

http://www.zdnet.com/blog/bott/micro...-net-hole/4305 (Microsoft .NET out of band critical updates released Thursday 12/29/11.)

http://nakedsecurity.sophos.com/2011...lanta-georgia/ (Atlanta Hospital had to shut down because all their computers got hit with Malware in December 2011.)

I have not seen anything this nasty since the days of IE6. In fact, even with the crap back then, it usually wasn't so bad that nothing could fix it except a complete reformat.

HEADS UP!

Last edited by Pelvis Popcan; 2nd January 2012 at 19:36.
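A defender-side check for the registry change described in the post above, where the .exe file association is rewritten so that launching any program starts the scareware instead. This is an added example, not code from the original post: it parses a constructed .reg export rather than the live registry (so it runs anywhere), assumes the association is resolved at HKEY_CLASSES_ROOT\.exe and the per-user override HKEY_CURRENT_USER\Software\Classes\.exe, and uses a made-up dropped file name (kdn.exe) as a placeholder.

```python
from typing import Dict, List, Tuple

# Constructed .reg export (not from the forum post). The per-user override at
# the end points every .exe at a made-up dropped file, kdn.exe (placeholder).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CURRENT_USER\Software\Classes\.exe]
@="secfile"

[HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]
@="\"C:\\Users\\user\\AppData\\Local\\kdn.exe\" -a \"%1\" %*"
'''

# Stock Windows value: run the clicked file itself, passing its arguments.
EXPECTED_OPEN_CMD = '"%1" %*'
# Roots where the .exe association is looked up (assumed; HKCU wins if set).
ROOTS = ('HKEY_CLASSES_ROOT', 'HKEY_CURRENT_USER\\Software\\Classes')


def parse_reg(text: str) -> Dict[Tuple[str, str], str]:
    """Map (key, value name) -> string for the quoted REG_SZ lines of a .reg export."""
    entries, key = {}, None
    for line in text.splitlines():
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
        elif key and '=' in line:
            name, _, val = line.partition('=')
            name = '' if name == '@' else name.strip('"')  # '@' is (Default)
            if val.startswith('"') and val.endswith('"'):   # skip hex(...) data
                entries[(key, name)] = val[1:-1].replace('\\"', '"').replace('\\\\', '\\')
    return entries


def find_exe_hijacks(entries: Dict[Tuple[str, str], str]) -> List[Tuple[str, str, str]]:
    """Return (root, progid, command) for every .exe association that is not stock."""
    findings = []
    for root in ROOTS:
        progid = entries.get((root + '\\.exe', ''))
        if progid is None:              # no association defined under this root
            continue
        cmd = entries.get((root + '\\' + progid + '\\shell\\open\\command', ''))
        if progid != 'exefile' or cmd != EXPECTED_OPEN_CMD:
            findings.append((root, progid, cmd or ''))
    return findings
```

On a real machine the same check would be run against `reg export` output for those two roots; a finding means the association should be restored to `exefile` / `"%1" %*` before trusting anything that claims to have removed the malware.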
#2
2nd January 2012, 07:48
mike20021969 (Senior Member; Join Date: Jan 2007; Location: UK; Posts: 3,175)

Quote (Originally Posted by Pelvis Popcan):
very little is known on where this infection is coming from
Stuff like this (normally) comes from visiting dodgy websites or installing rogue software.

I guarantee it won't affect me
__________________
it's not copying...it's backing up
#3
2nd January 2012, 08:17
fast eddie (Senior Member; Join Date: Jul 2008; Location: Over The Edge; Posts: 1,525)

AVG, Avast, Malwarebytes Anti-Malware and the Microsoft Malicious Software Removal Tool are all doing a good job against viruses and rootkits.

Avast will show you any undesirables that are knocking on your computer's door and blocked from being installed, so you can see what has come against you.

I had a few knocking at my computer's door in December 2011 but none were installed.

Another reason to keep your antivirus and rootkit software programs up to date, either automatically or manually, with definitions updated twice each day.
__________________
Fast Eddie

Last edited by fast eddie; 2nd January 2012 at 08:30.
#4
2nd January 2012, 08:19
Pelvis Popcan (Senior Member; Join Date: Jan 2007; Posts: 1,377)

Quote (Originally Posted by mike20021969):
Stuff like this (normally) comes from visiting dodgy websites or installing rogue software.

I guarantee it won't affect me
Oh how lovely. First reply is from someone who indirectly accuses me of being a filthy pirate. I should have known better than to post this here.

I got hit while doing nothing more than browsing the somethingawful forums. No other browser window was open.

I heard from many other people who were hit when browsing imgur.

A lot of people see the fake scareware/malware and are able to read and figure out how to remove it, and figure it was an easy fix, and don't realize the rootkit is still on their system and that it's wide open. Their antivirus won't alert on it.
#5
2nd January 2012, 08:20
Pelvis Popcan (Senior Member; Join Date: Jan 2007; Posts: 1,377)

Quote (Originally Posted by fast eddie):
AVG, Avast, Malwarebytes Anti-Malware are all doing a good job against viruses and rootkits, and the Microsoft Malicious Software Removal Tool.
Please re-read the post.
#7
2nd January 2012, 09:26
mike20021969 (Senior Member; Join Date: Jan 2007; Location: UK; Posts: 3,175)

Quote (Originally Posted by Pelvis Popcan):
indirectly accuses me of being a filthy pirate.

I got hit while doing nothing more than browsing the somethingawful forums. No other browser window was open.

I heard from many other people who were hit when browsing imgur.
No one's accusing anyone. I didn't even mention piracy.

It's quite possible those two sites you mentioned have been hacked somehow? (A radio station site I've been a member of for over 7 years was hacked a few months ago, resulting in it being shut down by the owners until the problem was sorted.)
Regarding software, I've heard that some sites who re-host genuine programs may alter executables.
__________________
it's not copying...it's backing up

Last edited by mike20021969; 2nd January 2012 at 10:46.
#8
2nd January 2012, 09:58
Clams (Senior Member; Join Date: Jan 2007; Location: The Beaches of NH; Posts: 5,798)

Quote (Originally Posted by Pelvis Popcan):
Oh how lovely. First reply is from someone who indirectly accuses me of being a filthy pirate.
No one accused you of being a pirate - filthy or otherwise.
And I personally have no interest in the hygiene of a poster.

Question: Is there a simple way, without tools, to test for the rootkit?
i.e. Will it still impact Google results once you remove the scareware?

-W
#9
2nd January 2012, 16:03
Hawk (Senior Member; Join Date: Mar 2007; Location: Toronto, Ontario, Canada; Posts: 2,105)

It's quite sad when malware authors get the upper hand. But what is even more dangerous is that a few days ago I was reading a blog which talked about malware which resides in the BIOS and is also rootkit based, and that is a really big concern.

So even formatting the hard drive won't help. Lucky for us it only affects a limited set of motherboards.

Anyways, good to know my computer is set up in such a way that it is immune to these pesky problems. In the last seven years I never had a single virus on my system.
__________________
If you fail to plan...you plan to fail would you not agree..Think about it

Last edited by Hawk; 2nd January 2012 at 16:05.
#10
2nd January 2012, 18:36
Pelvis Popcan (Senior Member; Join Date: Jan 2007; Posts: 1,377)

Quote (Originally Posted by Hawk):
In the last seven years I never had a single virus on my system.
Same here, more or less. Until last week.

Tags
2011, anti-virus, malware, rootkit, zeroaccess
© 2007–2013 SlySoft Inc.