Spyware Recommendations


Offline jlehtinen

  • Bronze Member
  • 6
Spyware Recommendations
« on: October 01, 2010, 10:26:53 AM »
Hiya all,

Stumbled on these forums while doing some other spyware removal research. I'm an IT tech by trade, and I do spyware cleanups on a regular basis (probably have done ~100 in the last year).

Has anyone else noticed an upward trend in the rootkit variant that disguises itself as Microsoft Security Essentials? I've seen 5 computers infected with this in the last week.

Symptoms:
- Opening .exe's or Task Manager loads a window that looks exactly like MSE telling you it is an infected file
- Removal software will be blocked, programs will not open (malwarebytes, rkill, etc)
- Clicking Remove or Apply Actions on the MSE window gives you prompts to purchase software
- A batch file in %appdata% moves the spyware exe from %appdata%/temp to %appdata%, usually will be named "hotfix" or "scanner"

Removal:
- Use hijackthis to remove startup entries and dll hooks
- Reboot in safe mode
- Run rkill, and kaspersky's tdss killer
- Install/Run malwarebytes, newest definitions are necessary
- Reboot and rescan, also scan with ESET on-demand

Anyone else seen this trend or have any removal tips?
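Two of the symptoms above can be checked for without HijackThis or a scanner: a batch file or executable named like "hotfix" or "scanner" sitting in %appdata% (or %appdata%\temp), and a startup entry that launches something from %appdata%. The script below is an added example written for this thread, not code from the post or from any of the tools it names. It assumes the paths and names the post gives, a seven-day "recently created" window, and the standard Run/RunOnce keys; the rule functions are pure and run on any OS, while the live collector only works on Windows.

```python
"""Triage checks for the rogue described in the post: an executable or batch
file named like "hotfix" / "scanner" dropped into %APPDATA% (or %APPDATA%\\temp),
and Run/RunOnce startup entries that launch something from %APPDATA%.
Added example, not from the thread or any tool it names.  The rule functions are
pure and run on any OS; collect_windows() does the live gathering on Windows."""
import ntpath            # Windows path semantics even when run elsewhere
import os
import sys
from dataclasses import dataclass
from datetime import datetime, timedelta

SUSPECT_BASENAMES = {"hotfix", "scanner"}       # names quoted in the post
SUSPECT_EXTENSIONS = {".exe", ".bat", ".cmd"}   # the moved .exe and the .bat that moves it
RUN_KEYS = (                                     # standard autostart keys (assumed scope)
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)


@dataclass
class FileRecord:
    path: str
    created: datetime


def suspicious_files(records, appdata, now, max_age=timedelta(days=7)):
    """Paths sitting directly in %APPDATA% or %APPDATA%\\temp that are .exe/.bat/.cmd
    and are either recently created (max_age is an assumed window) or carry one of
    the suspect names.  Returns the original path strings in input order."""
    root = ntpath.normcase(ntpath.normpath(appdata))
    temp = ntpath.join(root, "temp")
    hits = []
    for rec in records:
        p = ntpath.normcase(ntpath.normpath(rec.path))
        if ntpath.dirname(p) not in (root, temp):
            continue                       # deeper subfolders are out of scope here
        base, ext = ntpath.splitext(ntpath.basename(p))
        if ext not in SUSPECT_EXTENSIONS:
            continue
        if base in SUSPECT_BASENAMES or (now - rec.created) <= max_age:
            hits.append(rec.path)
    return hits


def suspicious_run_entries(entries, appdata):
    """entries: {key_path: {value_name: command}}.  Flags commands that reference
    %APPDATA% either literally or by its expanded path."""
    root = ntpath.normcase(ntpath.normpath(appdata))
    hits = []
    for key, values in entries.items():
        for name, command in values.items():
            cmd = ntpath.normcase(command)
            if "%appdata%" in cmd or root in cmd:
                hits.append((key, name, command))
    return hits


def collect_windows():
    """Live collection; Windows only (winreg and %APPDATA%)."""
    import winreg
    appdata = os.environ["APPDATA"]
    records = []
    for folder in (appdata, ntpath.join(appdata, "temp")):
        if not os.path.isdir(folder):
            continue
        for name in os.listdir(folder):
            full = ntpath.join(folder, name)
            if os.path.isfile(full):
                records.append(FileRecord(full, datetime.fromtimestamp(os.path.getctime(full))))
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    entries = {}
    for key in RUN_KEYS:
        hive, _, subkey = key.partition("\\")
        try:
            with winreg.OpenKey(hives[hive], subkey) as handle:
                values, index = {}, 0
                while True:
                    try:
                        name, data, _type = winreg.EnumValue(handle, index)
                    except OSError:
                        break              # no more values under this key
                    values[name] = str(data)
                    index += 1
        except OSError:
            continue                       # key absent or not readable
        entries[key] = values
    return records, entries, appdata


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("live collection needs Windows; import the rule functions elsewhere")
    recs, ents, ad = collect_windows()
    for path in suspicious_files(recs, ad, datetime.now()):
        print("file:", path)
    for key, name, cmd in suspicious_run_entries(ents, ad):
        print("run entry:", key, name, cmd)
```

Run it from an elevated prompt on the affected machine and compare the flagged paths against what HijackThis shows; a hit from this script is a lead to hash and submit, not proof of infection, since legitimate installers also drop into %appdata% from time to time.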


Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: Spyware Recommendations
« Reply #1 on: October 01, 2010, 04:21:57 PM »
It's just another rogue. These things change colors all the time. The best tip I can give you is to keep abreast of the rogue removal tools. No big upswing in the forums regarding that particular rogue you've seen.

Those of us who work these various forums may see the 5 you mentioned, in one night just perusing the logs posted.
Disabled Veteran
U.S.C.G. 1972 - 1978
Membership: U.N.I.T.E., A.S.A.P.

2009-13

Performance and Maintenance for Windows XP, Windows Vista and Windows Seven


Offline jlehtinen

  • Bronze Member
  • 6
Re: Spyware Recommendations
« Reply #2 on: October 01, 2010, 09:45:00 PM »
Thanks for the reply 1972.

It must be a local trend among our userbase then. Good to know, I'd love to isolate it. I've noticed that we've been the target of a few surprisingly sophisticated phishing attacks in the last ~6 months, mostly from Russian and South American sources. Most of these attacks use highly detailed spoofed emails from Amazon, PayPal or banking sites. Without looking at source code, these emails are indecipherable from legit ones. Clicking links in the emails brings the user to sites that run Crimepack et al. against their browser.

But what really stood out to me on this particular malware variant was the DETAIL that went into the replication of the MSE console. It was 100% exactly correct in all graphics and wording. While other rogue AV malware are often pretty close, they usually get a graphic a little wrong (colors are off, logo is crooked), or something in the text will be off (bad grammar, slight misspellings). This one had none of that - spot on 100% clone of MSE.

While I have seen the overall sophistication of malware increase over the last ~5 years, this was the first time where I've seen one that even had ME fooled at first glance. When I first saw this one (last Friday) there was also zero detection rate from any of the scanning software. It took until Wednesday before ESET, Symantec corp, or Malwarebytes was able to detect and remove.


Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: Spyware Recommendations
« Reply #3 on: October 02, 2010, 06:59:13 AM »
You have a good eye there... one other tip, since you mentioned it, is to ask the users to type the URL into the browser rather than follow any hyperlink that comes via email, especially from an unsolicited source.
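Reply #2 says the spoofed Amazon and PayPal mails are indistinguishable from real ones "without looking at source code", and 1972vet's tip is to type the address rather than follow the link. The script below is an added example, not code from this thread: it does the source-code look automatically, parsing an HTML body and flagging anchors whose visible text names one site while the href leads elsewhere, links to raw IP addresses, and brand names whose link does not resolve to the brand's own domain. The sample message is constructed for the example, and the brand-to-domain table is an assumption for illustration.

```python
"""Flag the links in an HTML e-mail body the way a tech "looking at the source"
would: anchors whose visible text names one site while the href goes elsewhere,
links to raw IP addresses, and brand names that do not resolve to the brand's own
domain.  Added example, not from the thread.  SAMPLE_EMAIL is constructed and
EXPECTED_DOMAINS is an assumed table for illustration."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Brands named in the thread -> the registrable domain we expect (assumption).
EXPECTED_DOMAINS = {"amazon": "amazon.com", "paypal": "paypal.com"}

# Looks for a host name or URL inside visible link text, e.g. "www.amazon.com".
_HOSTLIKE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})")


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable_domain(host):
    """Last two labels; adequate for .com/.example, wrong for co.uk-style suffixes."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_link(href, text):
    """Return the reasons a link is suspicious; an empty list means none found."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return [f"unexpected scheme or missing host: {href!r}"]
    reasons = []
    if _is_ip(host):
        reasons.append(f"link goes to a raw IP address {host}")
    shown = _HOSTLIKE.search(text.lower())
    if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
        reasons.append(f"text shows {shown.group(1)} but href host is {host}")
    for brand, domain in EXPECTED_DOMAINS.items():
        if (brand in text.lower() or brand in host) and registrable_domain(host) != domain:
            reasons.append(f"mentions {brand} but host {host} is not {domain}")
    return reasons


def suspicious_links(html):
    """(href, visible text, reasons) for every anchor that raises at least one reason."""
    collector = _AnchorCollector()
    collector.feed(html)
    out = []
    for href, text in collector.anchors:
        reasons = classify_link(href, text)
        if reasons:
            out.append((href, text, reasons))
    return out


# Constructed sample, modelled on the spoofed PayPal/Amazon mails the post describes.
SAMPLE_EMAIL = """<html><body>
<p>Your PayPal account has been limited. Please
<a href="http://paypal.com.account-verify.example/login">log in to PayPal</a> to restore access.</p>
<p>Or visit <a href="http://203.0.113.7/amazon/">www.amazon.com</a> to review your order.</p>
<p>Questions? See the <a href="https://www.paypal.com/help">PayPal Help Center</a>.</p>
</body></html>"""

if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print("   ", reason)
```

The first sample link is the case the post describes: the visible text and even the start of the host name say "paypal", but the registrable domain is something else entirely, which is exactly what typing the address by hand avoids. The domain heuristic is deliberately crude; a mail gateway would swap in a public-suffix list and an allow-list of the organisation's own vendors.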