
Tracking Malware Sources

CMacDady (Thinker; joined Aug 12, 2010; 193 messages)
Lately I have come across a rather horrid piece of Malware calling itself "vista internet security 2011". From what I have read it also names itself after Windows XP and Windows 7 as well. Nonetheless, it manages to completely block you from accessing programs or the internet unless you purchase software.

After tracking down a method of getting rid of it, I have managed to get the same damn piece of Malware back onto my computer. So now I know there is a common source that keeps infecting me, I want to know if there are methods of tracking which sites gave me the Malware, so I can stay far away.

Is there any free software that checks sites for infections such as this one, or methods of tracking to see where it came from manually?
 
It's possible -- I don't know of software that can do it for you, though. My understanding (which could be wrong) is that you'd have to do it "manually".

It could be a cross-site scripting vulnerability, it could be simply an ad banner that's been compromised on an ad server somewhere. How have you hardened your system since the last two incidents? It might also be easier to go through a webfilter proxy like OpenDNS.
 
The most common way is to look up images on Google Image Search. Malicious websites use scripts to seed commonly-sought pictures into the top tier of hits. When you click on one, it redirects you and tries to install the malware. Best option is to not search for images that way, or use Firefox with NoScript installed. If you DO get redirected to a site, use Task Manager to close the browser manually.

Source: I remove this stuff for a living as a help desk tech.
 
I never remember being redirected during time of attack. One minute I have Firefox open and the next I have the malware opening pop-ups on my desktop out of nowhere.
Does NoScript still stop Malware from being installed if a new site is not opened?

Also @ The Norseman. I have only downloaded Spyware/Malware removal software since the first attack. It does an excellent job at getting rid of the bad files but has no active protection.
 
The most common way is to look up images on Google Image Search. Malicious websites use scripts to seed commonly-sought pictures into the top tier of hits. When you click on one, it redirects you and tries to install the malware. Best option is to not search for images that way, or use Firefox with NoScript installed. If you DO get redirected to a site, use Task Manager to close the browser manually.

Source: I remove this stuff for a living as a help desk tech.

Yes. And Avast catches a lot of these, and using a good Hosts file can help.
 
Lately I have come across a rather horrid piece of Malware calling itself "vista internet security 2011". From what I have read it also names itself after Windows XP and Windows 7 as well. Nonetheless, it manages to completely block you from accessing programs or the internet unless you purchase software.

After tracking down a method of getting rid of it, I have managed to get the same damn piece of Malware back onto my computer. So now I know there is a common source that keeps infecting me, I want to know if there are methods of tracking which sites gave me the Malware, so I can stay far away.

Is there any free software that checks sites for infections such as this one, or methods of tracking to see where it came from manually?

Tough question. There are toolbars that supposedly do so, but I have not found them effective.

JREF member Rat has recommended Firefox with NoScript as a way to avoid such things. As someone pointed out, it can also be ad banners; usually, however, the culprit tells you right away that it is there, as the pop-up usually starts right away.
 
I never remember being redirected during time of attack. One minute I have Firefox open and the next I have the malware opening pop-ups on my desktop out of nowhere.
Does NoScript still stop Malware from being installed if a new site is not opened?

Also @ The Norseman. I have only downloaded Spyware/Malware removal software since the first attack. It does an excellent job at getting rid of the bad files but has no active protection.

Um, when you say redirection, do you mean the scareware pop-ups?

Because if you are having your Google searches redirected, that is a bad sign of the TDSS/TDL/Alureon rootkit; then it takes a little more effort to remove.
 
Lately I have come across a rather horrid piece of Malware calling itself "vista internet security 2011". From what I have read it also names itself after Windows XP and Windows 7 as well. Nonetheless, it manages to completely block you from accessing programs or the internet unless you purchase software.

After tracking down a method of getting rid of it, I have managed to get the same damn piece of Malware back onto my computer. So now I know there is a common source that keeps infecting me, I want to know if there are methods of tracking which sites gave me the Malware, so I can stay far away.
I just eliminated this one from my girlfriend's father's machine. It actually took control of the computer so that even if you clicked on Malwarebytes the malware anti-virus would open up instead, and if I stopped the process in task manager Windows would tell me the anti-virus was deactivated and prompt me to turn it back on! And virtually any click of the mouse would turn on the fake anti-virus again. This happened even in safe mode.

The cure was to run Malwarebytes as an administrator, which then opened properly and zapped the fake anti-virus.

I doubt there's a way to track sites which host them, many sites probably don't even know they're hosting malware.

Best practice is to not get tricked into installing it in the first place. No anti-virus protects you from your own actions.
 
I just eliminated this one from my girlfriend's father's machine. It actually took control of the computer so that even if you clicked on Malwarebytes the malware anti-virus would open up instead, and if I stopped the process in task manager Windows would tell me the anti-virus was deactivated and prompt me to turn it back on! And virtually any click of the mouse would turn on the fake anti-virus again. This happened even in safe mode.

The cure was to run Malwarebytes as an administrator, which then opened properly and zapped the fake anti-virus.

I doubt there's a way to track sites which host them, many sites probably don't even know they're hosting malware.

Best practice is to not get tricked into installing it in the first place. No anti-virus protects you from your own actions.

So you know first hand how bad this malware program is. Nasty, isn't it? Remember to clean the registry afterwards. There have been cases of this one coming back after being removed.
Here is the kicker. The second time it hit, I did not let it install; I was wise enough to recognize that install window when it came up again. After having Vista stop the installation, it still installed anyway.

Also I had Avast before these attacks and it does nothing to stop it.
 
Um, when you say redirection, do you mean the scareware pop-ups?

Because if you are having your Google searches redirected, that is a bad sign of the TDSS/TDL/Alureon rootkit; then it takes a little more effort to remove.

I mean I did not click an ad banner or random picture on a site and get redirected to a site that was strictly hosting the malware instead of opening the picture/banner that was intended to open.
Every time I have been attacked I have had multiple sites open that I thought I could trust. Then out of nowhere it was installed on my computer, without any other sites being auto-opened.
 
I mean I did not click an ad banner or random picture on a site and get redirected to a site that was strictly hosting the malware instead of opening the picture/banner that was intended to open.
Every time I have been attacked I have had multiple sites open that I thought I could trust. Then out of nowhere it was installed on my computer, without any other sites being auto-opened.


In some cases, it doesn't matter if you actually click on an ad banner. When your computer calls the webpage you want, and that webpage calls the ad banner server, the ad server sends over the malware which is essentially run by you as a normal process of loading the ad banner in your browser.

It's still somewhat rare, AFAIR. Basically, it's not cnn.com that's been compromised per se, but it's the ad server that's been compromised. If cnn.com (or whichever website you are visiting) isn't picky or is very lax in keeping tabs on ad servers, then it can hose a lot of people.

-------------------
IF YOU KNOW ABOUT DNS AND HOSTS FILES, PLEASE SKIP NOW :D

I always recommend a local hosts file in addition to any other set-up which I've explained in the past. Basically, if you're unaware, a hosts file takes advantage of the built-in process that every browser on every platform performs by first looking locally (your computer) for web address resolution.

A hosts file is a text file which is like a simple DNS server on your personal computer. When you type in "www.google.com" into your browser, the browser will first look in your hosts file, then whatever DNS servers your ISP uses to find out what IP address "www.google.com" really is (what it "resolves" to).

If there is no entry in your hosts file, it will move on to the DNS servers.

If there is an entry, it will follow what is written there and ignore any other IP fetching/resolution.

So, an example:

You type in "www.google.com"

No entry in your hosts file.

Your ISP's DNS servers say
8.8.8.8 google.com

Your browser fetches and displays the basic search page of Google.

--------

You type in "www.google.com"

Your hosts file has this written in it:
67.228.115.46 google.com

Your browser fetches and displays the homepage of randi.org even though you typed in "google.com" and wanted to visit Google's page.



Some malware will write in the hosts file, doing this very thing; you'll type in "www.google.com" and since your browser will automatically look in the hosts file first, it will then return whatever IP address is written in the hosts file. But, a hosts file is mainly a good thing if you populate it with ad servers and known malware sites and redirect them to 127.0.0.1.
 
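The lookup order described in the post above (hosts file first, DNS only on a miss) and the two ways a hosts entry can be used (a blocklist entry that sinkholes an ad server to 127.0.0.1 or 0.0.0.0, versus a hijack that points a well-known name at some other address) can both be modelled in a few lines. The following is an added example written for this thread, not code from any poster or from the hosts-file project linked later. It builds a small constructed hosts file and a constructed stand-in for the ISP's DNS table, reusing the thread's own illustrative addresses (8.8.8.8 and 67.228.115.46), resolves names in the order the post describes, and then audits the hosts file for entries that override well-known names, which is the tell-tale sign of the malware behaviour the post warns about. On Windows the real file lives at C:\Windows\System32\drivers\etc\hosts; the `PROTECTED_NAMES` list is an assumption chosen for the demonstration.

```python
"""Hosts-file resolution order and audit (added example, not from the thread)."""
import ipaddress

# Constructed sample hosts file. The 0.0.0.0 / 127.0.0.1 lines are the
# blocklist style the thread recommends; the google.com line is the kind of
# hijack the post warns about. Host names under .test are made up.
SAMPLE_HOSTS = """\
# This is a comment line and is ignored
127.0.0.1     localhost
0.0.0.0       ads.example-adserver.test      # blocklist entry: sinkholed
127.0.0.1     tracker.example.test           # blocklist entry: sinkholed
67.228.115.46 google.com                     # hijack: well-known name sent elsewhere
"""

# Constructed stand-in for the answers the ISP's DNS servers would give.
SAMPLE_DNS = {
    "www.google.com": "8.8.8.8",
    "ads.example-adserver.test": "203.0.113.10",
}

# Assumed list of names that should never need a hosts override on a home PC.
PROTECTED_NAMES = ("google.com", "www.google.com", "microsoft.com", "windowsupdate.com")


def parse_hosts(text):
    """Return {hostname: ip} from hosts-file text.

    Comments (#...) and blank lines are skipped. A line is "<ip> <name> [<name>...]".
    If a name appears twice, the first entry wins, as a resolver reading top-down would.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            table.setdefault(name.lower(), ip)
    return table


def resolve(name, hosts, dns):
    """Hosts file first; only when there is no entry fall through to DNS.

    Returns (ip, source) where source is "hosts", "dns" or "nxdomain".
    """
    name = name.lower()
    if name in hosts:
        return hosts[name], "hosts"
    if name in dns:
        return dns[name], "dns"
    return None, "nxdomain"


def is_sinkhole(ip):
    """True for loopback (127.x) or the unspecified address (0.0.0.0): a blocklist entry."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def audit_hosts(hosts, protected=PROTECTED_NAMES):
    """Flag hosts entries that override a well-known name.

    A sinkholed protected name would silently block it; a non-sinkhole address
    redirects it to a server the user did not ask for. Both are worth a look.
    Returns a list of (name, ip, kind) with kind "blocked" or "redirect".
    """
    findings = []
    for name, ip in hosts.items():
        if name in protected:
            findings.append((name, ip, "blocked" if is_sinkhole(ip) else "redirect"))
    return findings


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for query in ("www.google.com", "google.com", "ads.example-adserver.test", "nothing.test"):
        print(query, "->", resolve(query, hosts, SAMPLE_DNS))
    print("suspicious entries:", audit_hosts(hosts))
```

Running it shows the ad server answered from the hosts file with 0.0.0.0 (the browser never leaves the machine, as the post says), www.google.com falling through to DNS because there is no hosts entry for it, and google.com flagged as a redirect because the hosts file overrides it with a non-local address.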
There are programs that populate the Hosts file with known malware servers/sites for you, are there not? It seems like a good idea, using the hosts file before malicious software does; a double-edged sword that most don't know about.

I just wouldn't know about adding particular addresses to redirect elsewhere, when I do not know the address in the first place.
 
Ah, yes.

http://winhelp2002.mvps.org/hosts.htm

This website helps explain the process and has a very comprehensive pre-populated hosts file. I use this hosts file exclusively (and occasionally add to it myself).

What it does is redirect the ad server to your local machine -- 127.0.0.1. This means that your browser will first check the hosts file for the IP address of the ad server and -- lo and behold! -- the browser is told that the address is *your machine*! The browser then dutifully checks your machine for the ad content and... there isn't any. So the browser displays... nothing!

The beauty is that this only takes fractions of a second because the browser doesn't ever leave your own computer to discover this information and return a blank.

So while you are getting the information from the server that hosts randi.org, if randi.org has ad servers that it calls that you happen to have in your local hosts file, you'll still get the randi.org information but nothing at all from the ad servers.
 
Ah, yes.

http://winhelp2002.mvps.org/hosts.htm

This website helps explain the process and has a very comprehensive pre-populated hosts file. I use this hosts file exclusively (and occasionally add to it myself).

What it does is redirect the ad server to your local machine -- 127.0.0.1. This means that your browser will first check the hosts file for the IP address of the ad server and -- lo and behold! -- the browser is told that the address is *your machine*! The browser then dutifully checks your machine for the ad content and... there isn't any. So the browser displays... nothing!

The beauty is that this only takes fractions of a second because the browser doesn't ever leave your own computer to discover this information and return a blank.

So while you are getting the information from the server that hosts randi.org, if randi.org has ad servers that it calls that you happen to have in your local hosts file, you'll still get the randi.org information but nothing at all from the ad servers.

Thank you for the link. I'll get right on adding this extra bit of protection.
 
Good on ya!


And, as an aside, I've mentioned before the downside to the hosts file: it's only updated when you think to update it. The upside is that it works with all browsers equally on that computer, whereas AdBlock and similar programs only work with Firefox.

But I'm an enthusiastic supporter of "defense in depth" so I say, why not run it all! Go with FF and AdBlock and NoScript as well as a good hosts file.

I think that Chrome and FF are working on sandboxing their browsers too, so that's an additional bonus.
 
