Saturday, October 9, 2010

Will the real MS Security Essentials please step forward!

Yesterday saw a call to Redcoat Computer Services from a customer who, appropriately, was concerned about a warning given by MS Security Essentials about an unknown Trojan infecting the machine. This sounded, at first hearing, like a good catch on MSSE's part, but given that I'd seen this machine about a month earlier I knew that MS Security Essentials wasn't actually installed!

The symptoms included an official-looking popup window saying that there was an infection which couldn't be removed, and that an online scan by one of the suggested scanner providers (which ultimately demand payment) would be required. The fact that the popup couldn't be dismissed, and that attempts to run Task Manager would fail, strongly suggested foul play. Additionally, the internet connection was apparently down, although this proved to be a DNS (Domain Name System) hijack: the trojan alters the machine's name resolution so that it can no longer reach its usual search engines and internet provider servers, which also explains why security updates fail to download.

Booting into Safe Mode still showed the presence of the trojan: the popup still appeared, and attempts to run RKill (a great utility that kills malware processes) were outwitted by the virus. TDSSKiller identified and killed a rootkit called TDL3, but some manual intervention with HiJackThis was required to remove the DNS hijacks and other nasty entries. Once this was done, updating the AV definitions and installing SuperAntiSpyware resulted in the identification and removal of a variety of infections.

Once the machine was apparently clean, I installed the real MS Security Essentials and made sure the definitions were up to date, as well as installing Apple's Safari browser, since the Internet Explorer experience seemed to be causing repeat infections.

These fake security alerts are proving to be quite common, and I think there's a duty of education to inform people about the risks and the signs that something is not quite right. Being prompted to pay money to fix a problem with the computer, together with an indication that only specific anti-virus scanners will do the job, is a red flag. Not being able to run Task Manager or update virus definitions is another sign to watch for.
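The signs above (hijacked name resolution, definition updates that silently fail, a Task Manager that won't open) can be checked offline from text collected on the suspect machine. The following is an added example written for this post, not a tool from the original article or from any of the products it mentions. It parses the Windows hosts file, the DNS Servers lines from `ipconfig /all`, and the output of `reg query` for the DisableTaskMgr policy value. The expected DNS server, the watched domains and the sample inputs are assumptions constructed for illustration; substitute your own network's resolver.

```python
"""Offline triage for rogue-AV / DNS-hijack symptoms (added example, not from the post)."""
import re

# Assumed: the resolver a clean machine on this LAN should be using.
EXPECTED_DNS = {"192.168.1.1"}

# Assumed watch list: domains a rogue AV commonly black-holes so that
# definition updates and web searches stop working.
WATCHED_SUFFIXES = ("microsoft.com", "google.com", "superantispyware.com")


def parse_hosts(text):
    """Return (ip, hostname) pairs from a hosts file, ignoring comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for name in parts[1:]:
            entries.append((parts[0], name.lower()))
    return entries


def hosts_hijacks(entries):
    """Entries that pin a watched domain to any address. A clean hosts file
    has none of these, whatever the address; rogue AV adds them."""
    return [(ip, name) for ip, name in entries
            if any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)]


DNS_LINE = re.compile(r"DNS Servers[ .]*: *(\S+)")


def parse_ipconfig_dns(text):
    """Collect DNS servers from `ipconfig /all` output. Extra servers appear
    on following lines that are indented and carry no ':' label."""
    servers, grab = [], False
    for line in text.splitlines():
        m = DNS_LINE.search(line)
        if m:
            servers.append(m.group(1))
            grab = True
            continue
        if grab and line.startswith(" ") and ":" not in line and line.strip():
            servers.append(line.strip())
            continue
        grab = False
    return servers


def unexpected_dns(servers, expected=EXPECTED_DNS):
    """Servers not in the allow list: the DNS-hijack sign described above."""
    return [s for s in servers if s not in expected]


# Input is the text of:
#   reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr
TASKMGR_VALUE = re.compile(r"DisableTaskMgr\s+REG_DWORD\s+0x([0-9a-fA-F]+)")


def task_manager_disabled(reg_query_output):
    """True if the per-user policy that blocks Task Manager is set (non-zero)."""
    m = TASKMGR_VALUE.search(reg_query_output)
    return bool(m) and int(m.group(1), 16) != 0


def triage(hosts_text, ipconfig_text, reg_text):
    """Run all three checks and return a list of human-readable findings."""
    findings = []
    for ip, name in hosts_hijacks(parse_hosts(hosts_text)):
        findings.append(f"hosts file pins {name} to {ip}")
    for s in unexpected_dns(parse_ipconfig_dns(ipconfig_text)):
        findings.append(f"unexpected DNS server {s}")
    if task_manager_disabled(reg_text):
        findings.append("Task Manager disabled by policy (DisableTaskMgr=1)")
    return findings


# Constructed sample inputs (not captured from a real machine).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
0.0.0.0         update.microsoft.com   # constructed rogue-AV entry
0.0.0.0         www.google.com         # constructed rogue-AV entry
"""

SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.20
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 198.51.100.7
                                       198.51.100.8
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

SAMPLE_REG = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableTaskMgr    REG_DWORD    0x1
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_HOSTS, SAMPLE_IPCONFIG, SAMPLE_REG):
        print("FINDING:", finding)
```

On a machine that is believed clean the three lists come back empty; each non-empty finding corresponds to one of the red flags listed above and is worth removing before trusting any scanner's verdict, since a hijacked resolver can feed the scanner stale definitions.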

Nasty pieces of work!
