
Thread: Rootkit / Malware outbreak in December 2011 - Fake AV and Google Redirects

  1. #1
    Join Date
    Jan 2007
    Posts
    1,510

    Exclamation Rootkit / Malware outbreak in December 2011 - Fake AV and Google Redirects

    I got hit last week browsing SomethingAwful.com and spent days restoring my systems with clean backup images. I later found out that this seems to be affecting a lot of people and started at the end of November 2011.

    The infection will happen simply by web browsing. Executable code runs then installs a rootkit which so far seems to be redirecting Google search results, as well as running fake scareware antivirus program .exe's (name depending on your OS; "XP/Vista/Windows 7 Security 2012", it might be called something else like "Cloud AV" as well).

    This outbreak appears to affect every version of Windows (including Win7 x64), and every browser (including Chrome, Firefox, and IE). It also appears that MalwareBytes, MSE, and most all other real time malware protection programs do not stop the infection. HijackThis won't show it. If you manage to find the infected files (I found one using TDSSKiller) and upload them to VirusTotal.com, only the uninfected portion of the file will be uploaded and it will return a clean scan. That's why it's a rootkit. Your system appears clean and all affected files have clean checksums, when in fact they don't.

    If you do get hit, you will be able to remove the fake AV programs and fix your registry (they change some registry keys so that any program or .exe file will start them up), but the Rootkit will remain on your system and redownload and rerun the scareware .exe's hours to days later, as well as continue to redirect Google search results. This is EXTREMELY SERIOUS because it means that it can run executables at any time. Essentially, someone somewhere has complete control of your PC.

    So far, very little is known on where this infection is coming from and how it's running executable code just by browsing. Everything from ad banners to imgur to reddit to servers on various websites have been suggested, as well as Flash, Java, Javascript, Microsoft .NET, and Adobe Reader.

    If you do get hit, barring a reformat, I would suggest:

    ComboFix: Save to the desktop. Boot into Safe Mode with Network Support, but disconnect your modem or router from the net. Run ComboFix from the desktop

    Reboot, then do TDSSKiller, then finally MalwareBytes.

    Some other tools I would suggest trying if you have problems:

    HitMan Pro 3.6

    McAfee Rootkit Remover (released recently and is supposed to clean all versions of the ZeroAccess rootkit that they know about)

    Microsoft did release four updates to .NET on 12/29, which is not only an out of band update, but one that must have required Microsoft employees to come in over the holidays to work on. I read on ZDNet the holes they patched do in fact allow arbitrary code execution, and that it affects every version of Windows from XP to 7 (workstation and server of all versions), so it certainly seems possible that could be the back door this infection is using. Make sure you go to windowsupdate.microsoft.com and do a manual check there to ensure you have everything.

    Make sure you update Flash, Java, Adobe Reader, Shockwave Player, and you have everything from windowsupdate.microsoft.com. Install AdBlock Plus and use the Easylist subscription. If you're on IE like me, use an IE Ad Blocker with Easylist; I used Simple Adblock which is $30.

    http://blogs.mcafee.com/mcafee-labs/...ned-installers (This talks about a variant of this infection that runs from digitally signed standalone installers, like Adobe Flash.)

    http://www.zdnet.com/blog/bott/micro...-net-hole/4305 (Microsoft .NET out of band critical updates released Thursday 12/29/11.)

    http://nakedsecurity.sophos.com/2011...lanta-georgia/ (Atlanta Hospital had to shut down because all their computers got hit with Malware in December 2011.)

    I have not seen anything this nasty since the days of IE6. In fact, even with the crap back then, it usually wasn't so bad that nothing could fix it except a complete reformat.

    HEADS UP!
    Last edited by Pelvis Popcan; 2nd January 2012 at 19:36.
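    The post above mentions that the scareware changes registry keys so that launching any program or .exe starts the fake AV. One way to check for that on a Windows box, as an added defender's example that is not the poster's own procedure, is to read the .exe file-association keys and compare them with the Windows defaults. It assumes the keys the post refers to are `Software\Classes\.exe` and `Software\Classes\exefile\shell\open\command` under HKLM (with a possible per-user override under HKCU); the expected default command `"%1" %*` is the stock Windows value. The `-Repair` switch and the function names are this example's own.

```powershell
# Added example (not from this thread): audit the .exe file-association
# keys that fake-AV droppers hijack so that launching any .exe starts the
# rogue program first. ASSUMPTION: the "registry keys" mentioned in the
# post are HKLM/HKCU Software\Classes\.exe and exefile\shell\open\command.
# Run from an elevated PowerShell; -Repair restores the Windows defaults.
param([switch]$Repair)

$Hives            = @('HKLM', 'HKCU')
$ExpectedExeAssoc = 'exefile'
$ExpectedOpenCmd  = '"%1" %*'      # Windows default: run the file with its arguments

function Get-DefaultValue {
    # Returns the (default) value of a registry key, or $null if the key is absent.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    (Get-Item -LiteralPath $Path).GetValue('')
}

function Test-ExeAssociation {
    # One result object per hive/key with the observed value and a verdict.
    foreach ($hive in $Hives) {
        $base   = "$($hive):\Software\Classes"
        $checks = @(
            @{ Key = "$base\.exe";                       Expected = $ExpectedExeAssoc },
            @{ Key = "$base\exefile\shell\open\command"; Expected = $ExpectedOpenCmd  }
        )
        foreach ($c in $checks) {
            $observed = Get-DefaultValue -Path $c.Key
            # The HKCU copies normally do not exist at all; a per-user override
            # of the .exe handler is itself suspicious, so it is flagged too.
            $status = if ($null -eq $observed) {
                          if ($hive -eq 'HKCU') { 'absent (normal)' } else { 'MISSING' }
                      } elseif ($observed -eq $c.Expected) { 'ok' }
                      else { 'HIJACKED?' }
            [pscustomobject]@{
                Key      = $c.Key
                Observed = $observed
                Expected = $c.Expected
                Status   = $status
            }
        }
    }
}

function Repair-ExeAssociation {
    # Restore the stock values under HKLM and drop any per-user override.
    $base = 'HKLM:\Software\Classes'
    New-Item -Path "$base\.exe" -Force | Out-Null
    Set-ItemProperty -LiteralPath "$base\.exe" -Name '(default)' -Value $ExpectedExeAssoc
    New-Item -Path "$base\exefile\shell\open\command" -Force | Out-Null
    Set-ItemProperty -LiteralPath "$base\exefile\shell\open\command" -Name '(default)' -Value $ExpectedOpenCmd
    foreach ($userKey in 'HKCU:\Software\Classes\.exe', 'HKCU:\Software\Classes\exefile') {
        if (Test-Path -LiteralPath $userKey) { Remove-Item -LiteralPath $userKey -Recurse -Force }
    }
}

$results = Test-ExeAssociation
$results | Format-Table -AutoSize
$bad = $results | Where-Object { $_.Status -ne 'ok' -and $_.Status -ne 'absent (normal)' }
if ($Repair -and $bad) {
    Repair-ExeAssociation
    # Re-audit so the operator sees the restored state.
    Test-ExeAssociation | Format-Table -AutoSize
}
```

    A clean result from this script only means the association keys look right at the moment of the read; as the post says, a rootkit that is still resident can re-apply the change later or hide what it has done, so it complements the ComboFix / TDSSKiller / MalwareBytes sequence above rather than replacing it.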

  2. #2
    Join Date
    Jan 2007
    Location
    UK
    Posts
    3,621

    Default

    Quote Originally Posted by Pelvis Popcan View Post
    very little is known on where this infection is coming from
    Stuff like this (normally) comes from visiting dodgy websites or installing rogue software.

    I guarantee it won't affect me
    It's not copying... it's backing up
    Download AnyDVD HD - Get The Latest Stable Version HERE

  3. #3
    Join Date
    Jul 2008
    Location
    Over The Edge
    Posts
    1,936

    Default

    AVG, Avast, Malwarebytes Anti-Malware and the Microsoft Malicious Software Removal Tool are all doing a good job against viruses and rootkits.

    Avast will show you any undesirables that are knocking on your computer's door and blocked from being installed, so you can see what has come against you.

    I had a few knocking at my computer's door in December 2011 but none were installed.


    Another reason, to keep your antivirus and rootkit software programs up to date either automatically or manually and definitions updated twice each day.
    Last edited by fast eddie; 2nd January 2012 at 08:30.
    Fast Eddie

  4. #4
    Join Date
    Jan 2007
    Posts
    1,510

    Thumbs down

    Quote Originally Posted by mike20021969 View Post
    Stuff like this (normally) comes from visiting dodgy websites or installing rogue software.

    I guarantee it won't affect me
    Oh how lovely. First reply is from someone who indirectly accuses me of being a filthy pirate. I should have known better than to post this here.

    I got hit while doing nothing more than browsing the somethingawful forums. No other browser window was open.

    I heard from many other people who were hit when browsing imgur.

    A lot of people see the fake scareware/malware and are able to read and figure out how to remove it, and figure it was an easy fix, and don't realize the rootkit is still on their system and that it's wide open. Their antivirus won't alert on it.

  5. #5
    Join Date
    Jan 2007
    Posts
    1,510

    Default

    Quote Originally Posted by fast eddie View Post
    AVG, Avast, Malwarebytes Anti-Malware and the Microsoft Malicious Software Removal Tool are all doing a good job against viruses and rootkits.
    Please re-read the post.

  6. #6
    Join Date
    Jan 2007
    Posts
    1,510

  7. #7
    Join Date
    Jan 2007
    Location
    UK
    Posts
    3,621

    Default

    Quote Originally Posted by Pelvis Popcan View Post
    indirectly accuses me of being a filthy pirate.

    I got hit while doing nothing more than browsing the somethingawful forums. No other browser window was open.

    I heard from many other people who were hit when browsing imgur.
    No one's accusing anyone. I didn't even mention piracy.

    It's quite possible those two sites you mentioned have been hacked somehow? (A radio station site I've been a member of for over 7 years was hacked a few months ago, resulting in it being shut down by the owners until the problem was sorted.)
    Regarding software, I've heard that some sites who re-host genuine programs may alter executables.
    Last edited by mike20021969; 2nd January 2012 at 10:46.
    It's not copying... it's backing up
    Download AnyDVD HD - Get The Latest Stable Version HERE

  8. #8
    Join Date
    Jan 2007
    Location
    The Beaches of NH
    Posts
    6,347

    Default

    Quote Originally Posted by Pelvis Popcan View Post
    Oh how lovely. First reply is from someone who indirectly accuses me of being a filthy pirate.
    No one accused you of being a pirate - filthy or otherwise.
    And I personally have no interest in the hygiene of a poster.

    Question? Is there a simple way without tools to test for the rootkit?
    ie Will it still impact Google results once you remove the scareware?

    -W

  9. #9
    Join Date
    Mar 2007
    Location
    Toronto, Ontario, Canada
    Posts
    2,263

    Default

    It's quite sad when malware authors get the upper hand. But what is even more dangerous is that a few days ago I was reading a blog which talked about malware that resides in the BIOS and is also rootkit based, and that is a really big concern.

    So even formatting the hard drive won't help. Lucky for us, it only affects a limited set of motherboards.

    Anyway, good to know my computer is set up in such a way that it is immune to these pesky problems. In the last seven years I never had a single virus on my system.
    Last edited by Hawk; 2nd January 2012 at 16:05.
    If you fail to plan...you plan to fail would you not agree..Think about it

  10. #10
    Join Date
    Jan 2007
    Posts
    1,510

    Default

    Quote Originally Posted by Hawk View Post
    In the last seven years I never had a single virus on my system.
    Same here, more or less. Until last week.
