MS Antivirus aka XP Antivirus aka Antivirus Pro aka... (rogue scareware)
I know how to remove these. Removal isn't a problem.
I'm looking for a reliable way of preventing them.
Forcing the user to run with user permissions rather than administrator permissions helps as it prevents the scareware from installing to any system folders, but it doesn't stop the popups. They seem to go right past the legit antivirus software my customers are running.
I'm seeing PCs come back two, three, or four times with the same scareware infections and I need a better condom.
every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.
Don't know what your enterprise is like, but my company dealt with this sort of thing on a daily basis until we locked down all workstations to revoke admin rights. That said, it doesn't stop the popups. What sort of internet filtering are you running? Presumably your users are visiting certain sites with suspicious ads and the like that are prompting the popups.
The most obvious and common infection/exploit vectors are outdated Java/Flash/Adobe PDF plugins. Usually PDF Reader: if there is any way you can use an alternative (like Foxit or PDF Xchange), do that. I blame the Acrobat plugin on my having lost most of my hair before I've even turned 30.
edit: If your place is still using IE6 or 7 that's another easy infection waiting to happen. If policies mandate you to use either of those browsers, I suggest you find a new job or swallow some buckshot.
Posted by yotes
TetraNitroCubane (Not Angry...Just VERY Disappointed..., Registered User, regular), edited August 2010:
A good method of mitigation is to whitelist javascript and flash to known domains. Most of the time when these popups deliver their payload, they leverage either javascript or flash on a "known safe" page - But the first thing they do is redirect the user to a different domain that launches the popup. If javascript or flash are denied on these other domains by default, usually the payload won't be delivered. Sometimes you'll get a blank white popup that can't do anything.
It's not bulletproof, though. These scareware scams are launching in new ways. Every time there's something new on Metasploit, that's one more way for scareware to get through any boundary without user intervention. And anti-virus suites, no matter how good, are terrible at catching rogue anti-virus scareware for some reason. Plus, if your end-users aren't sure which sites need javascript or flash, then you might get more complaints about websites being 'broken' than you were getting about infected computers prior.
There are two other options that would help considerably, but they have varying degrees of annoying associated with them. The first would be to use some kind of sandboxing solution. Either a straight-up virtual machine, or else using a program like Windows Steady State (XP only), Returnil, or Shadow Defender. You can also appeal to Sandboxie for an even more transparent approach, as it will only sandbox the browser. Even if the popup strikes, you can purge the sandbox and be rid of any payload delivered.
The best option (particularly in an enterprise setting!) would be to set up a Software Restriction Policy along with those limited user accounts. SRP and LUA together are known to be pretty good at preventing anything from getting through. The popups will still strike, but they'll be toothless, since they can't execute - even if they launch from a known exploit. If you're using XP or Vista on these machines, take a look at Sully's Pretty Good Security. If you're running Windows 7, take a look at AppLocker.
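As an added example (not code from the thread or from any of the posters), here is how the SRP/AppLocker-plus-limited-user approach described above could be set up on Windows 7 with the built-in AppLocker cmdlets, starting in audit mode so that nothing breaks before the rules are reviewed. The path and group choices are assumptions for a small-office setup; the executable copied into Downloads is a constructed sample standing in for a scareware dropper.

```powershell
# Added example: default-deny AppLocker rules for executables, deployed in
# AuditOnly mode first. Run in an elevated PowerShell on Windows 7 or later.
# Assumption: users run as standard accounts, so %PROGRAMFILES% and %WINDIR%
# are not writable by them; the user profile (where rogue AV drops its
# payload) is deliberately left out of the allow list.
Import-Module AppLocker

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny user-writable Windows Temp" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\Temp\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Administrators may run anything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = "$env:TEMP\applocker-audit.xml"
Set-Content -Path $policyPath -Value $policyXml

# Dry run against two files: a system binary and a constructed sample in the
# user's profile (a copy of notepad.exe, so the file really exists on disk).
$sample = "$env:USERPROFILE\Downloads\AntivirusPro-sample.exe"
Copy-Item -Path "$env:WINDIR\notepad.exe" -Destination $sample -Force
Test-AppLockerPolicy -XmlPolicy $policyPath -Path @("$env:WINDIR\notepad.exe", $sample) -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply the policy; AppLocker only works while the Application Identity service runs.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath

# Review what would have been blocked (event 8003 in audit mode) before
# changing EnforcementMode to "Enabled" in the XML and re-applying it.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
```

The dry run should show the Downloads copy denied for Everyone while notepad.exe in %WINDIR% is allowed, which is exactly the "popup strikes but is toothless" outcome the post describes.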
yotes wrote:
Don't know what your enterprise is like, but my company dealt with this sort of thing on a daily basis until we locked down all workstations to revoke admin rights. That said, it doesn't stop the popups. What sort of internet filtering are you running? Presumably your users are visiting certain sites with suspicious ads and the like that are prompting the popups.
I should have specified that I'm not talking about an enterprise environment. I work for a small firm that does small office / home office IT. We're talking organizations of 1-50 users. Some of our customers are not under contract and pay us on an hourly basis.
Posted by Feral
overnight put them all on that ubuntu skin that looks like win7!
OK, serious advice: how about user education? Just teach the problem children how to press ctrl alt delete all at the same time, and say "Whenever you see any popup that looks remotely like this, ctrlaltdel and kill IE"?
Posted by Lykouragh
amateurhour (One day I'll be professionalhour, The woods somewhere in Tennessee, Registered User, regular), edited August 2010:
1) Remove all admin rights, and power user rights. It's a pain in the ass, but in an office of 500 I usually only see one or two machines a week that get hit, and they're laptops going home with employees after hours.
2) Always make sure every java and flash update is applied as soon as it's released
3) Make sure your company firewall blocks facebook, myspace, and any flash game site. (we don't block facebook and it's like 90 percent of our problem zone)
I've honestly never seen that crop up through facebook. Here it's usually like, whitepages.com or some other site that gets hacked and then shows up in Google search results for unrelated topics.
Posted by Tofystedeth
amateurhour (One day I'll be professionalhour, The woods somewhere in Tennessee, Registered User, regular):
Tofystedeth wrote:
I've honestly never seen that crop up through facebook. Here it's usually like, whitepages.com or some other site that gets hacked and then shows up in Google search results for unrelated topics.
With all of the new flash based facebook apps and plugins I've seen it pop up more and more lately. Usually turning off admin and power user rights can stop it though.
Posted by amateurhour
are YOU on the beer list?
Spudge (Witty comments go next to this blue dot thingy, Registered User, regular), edited August 2010:
This is what I did to remove this threat from my (previous) company:
I Websensed the FUCK out of 'em. If it wasn't business related (directly) they couldn't go to it. Included the VPs, CEO, CFO, everyone. Nipped it right in the bud.
Posted by Spudge
Play With Me
Xbox - IT Jerk
PSN - MicroChrist
I'm too fuckin' poor to play
WordsWFriends - zeewoot