MS Antivirus aka XP Antivirus aka Antivirus Pro aka... (rogue scareware)

Feral MEMETICHARIZARD along with you if I get drunk well I know I'm gonna be gonna be the man who Registered User regular
edited August 2010 in Help / Advice Forum
This is what I'm talking about:

http://en.wikipedia.org/wiki/MS_Antivirus_%28malware%29

I know how to remove these. Removal isn't a problem.

I'm looking for a reliable way of preventing them.

Forcing the user to run with user permissions rather than administrator permissions helps as it prevents the scareware from installing to any system folders, but it doesn't stop the popups. They seem to go right past the legit antivirus software my customers are running.

I'm seeing PCs come back two, three, or four times with the same scareware infections and I need a better condom.


Posts

  • IronKnuckle's Ghost Registered User regular
    edited August 2010
    Don't know what your enterprise is like, but my company dealt with this sort of thing on a daily basis until we locked down all workstations to revoke admin rights. That said, it doesn't stop the popups. What sort of internet filtering are you running? Presumably your users are visiting certain sites with suspicious ads and the like that are prompting the popups.

  • yotes Registered User regular
    edited August 2010
    The most obvious and common infection/exploit vectors are outdated Java/Flash/Adobe PDF plugins. Usually PDF Reader. If there is any way you can use an alternative (like Foxit or PDF Xchange), do that. I blame the Acrobat plugin on my having lost most of my hair before I've even turned 30.

    edit: If your place is still using IE6 or 7 that's another easy infection waiting to happen. If policies mandate you to use either of those browsers, I suggest you find a new job or swallow some buckshot.

  • TetraNitroCubane Registered User regular
    edited August 2010
    A good method of mitigation is to whitelist JavaScript and Flash to known domains. Most of the time when these popups deliver their payload, they leverage either JavaScript or Flash on a "known safe" page, but the first thing they do is redirect the user to a different domain that launches the popup. If JavaScript or Flash are denied on these other domains by default, usually the payload won't be delivered. Sometimes you'll get a blank white popup that can't do anything.

    It's not bulletproof, though. These scareware scams are launching in new ways. Every time there's something new on Metasploit, that's one more way for scareware to get through any boundary without user intervention. And anti-virus suites, no matter how good, are terrible at catching rogue anti-virus scareware for some reason. Plus, if your end-users aren't sure which sites need JavaScript or Flash, then you might get more complaints about websites being 'broken' than you were getting about infected computers prior.

    There are two other options that would help considerably, but they have varying degrees of annoying associated with them. The first would be to use some kind of sandboxing solution. Either a straight-up virtual machine, or else using a program like Windows SteadyState (XP only), Returnil, or Shadow Defender. You can also appeal to Sandboxie for an even more transparent approach, as it will only sandbox the browser. Even if the popup strikes, you can purge the sandbox and be rid of any payload delivered.

    The best option (particularly in an enterprise setting!) would be to set up a Software Restriction Policy along with those limited user accounts. SRP and LUA together are known to be pretty good at preventing anything from getting through. The popups will still strike, but they'll be toothless, since they can't execute - even if they launch from a known exploit. If you're using XP or Vista on these machines, take a look at Sully's Pretty Good Security. If you're running Windows 7, take a look at AppLocker.

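Why SRP and limited accounts reinforce each other, as an added example that is not part of the original post: a simplified Python model of path-rule evaluation (default Disallowed, most specific path rule wins) that also flags any folder a limited user can both write to and execute from. The policy, the folder names and the writable-folder list are constructed sample data, and the model is not Windows' own implementation.

```python
from pathlib import PureWindowsPath

# Constructed sample policy (assumption): default level is Disallowed and only
# these path rules exist. As with SRP path rules, the most specific match wins.
DEFAULT_LEVEL = "Disallowed"
PATH_RULES = {
    r"C:\Windows": "Unrestricted",
    r"C:\Program Files": "Unrestricted",
    r"C:\Apps": "Unrestricted",                    # hypothetical line-of-business folder
    r"C:\Program Files\Legacy\Temp": "Disallowed",  # hypothetical carve-out
}
# Constructed list of folders a limited user account can write to (assumption).
USER_WRITABLE = [r"C:\Users\alice", r"C:\Apps\Shared"]


def _is_under(path, root):
    """Case-insensitive test: path is root itself or lies somewhere inside it."""
    p, r = PureWindowsPath(path), PureWindowsPath(root)
    return p == r or r in p.parents


def security_level(path):
    """Return the level of the longest matching path rule, else the default."""
    matches = [rule for rule in PATH_RULES if _is_under(path, rule)]
    if not matches:
        return DEFAULT_LEVEL
    best = max(matches, key=lambda rule: len(PureWindowsPath(rule).parts))
    return PATH_RULES[best]


def writable_and_executable():
    """Folders where a limited user could drop a file AND the policy runs it."""
    gaps = {d for d in USER_WRITABLE if security_level(d) == "Unrestricted"}
    # An allow rule placed inside a writable folder is the same gap.
    gaps |= {rule for rule, level in PATH_RULES.items()
             if level == "Unrestricted"
             and any(_is_under(rule, d) for d in USER_WRITABLE)}
    return sorted(gaps)


if __name__ == "__main__":
    dropped = r"C:\Users\alice\AppData\Local\Temp\av_setup.exe"  # constructed path
    print(dropped, "->", security_level(dropped))
    print("writable and executable:", writable_and_executable())
```

An empty result from `writable_and_executable()` is the property the post relies on: whatever a limited user can write, the policy refuses to run.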
  • Feral MEMETICHARIZARD along with you if I get drunk well I know I'm gonna be gonna be the man who Registered User regular
    edited August 2010
    IronKnuckle's Ghost wrote: »
    Don't know what your enterprise is like, but my company dealt with this sort of thing on a daily basis until we locked down all workstations to revoke admin rights. That said, it doesn't stop the popups. What sort of internet filtering are you running? Presumably your users are visiting certain sites with suspicious ads and the like that are prompting the popups.

    I should have specified that I'm not talking about an enterprise environment. I work for a small firm that does small office / home office IT. We're talking organizations of 1-50 users. Some of our customers are not under contract and pay us on an hourly basis.

  • Lykouragh Registered User regular
    edited August 2010
    Overnight, put them all on that Ubuntu skin that looks like Win7!

    Ok serious advice, how about user education? Just teach the problem children how to press ctrl alt delete all at the same time, and say "Whenever you see any popup that looks remotely like this, ctrlaltdel and kill IE"?

  • amateurhour One day I'll be professionalhour The woods somewhere in Tennessee Registered User regular
    edited August 2010
    1) Remove all admin rights, and power user rights. It's a pain in the ass, but in an office of 500 I usually only see one or two machines a week that get hit, and they're laptops going home with employees after hours.

    2) Always make sure every Java and Flash update is applied as soon as it's released.

    3) Make sure your company firewall blocks Facebook, MySpace, and any Flash game site. (We don't block Facebook and it's like 90 percent of our problem zone.)

  • Tofystedeth veni, veneri, vamoosi Registered User regular
    edited August 2010
    I've honestly never seen that crop up through Facebook. Here it's usually like, whitepages.com or some other site that gets hacked and then shows up in Google search results for unrelated topics.

  • amateurhour One day I'll be professionalhour The woods somewhere in Tennessee Registered User regular
    edited August 2010
    Tofystedeth wrote: »
    I've honestly never seen that crop up through Facebook. Here it's usually like, whitepages.com or some other site that gets hacked and then shows up in Google search results for unrelated topics.

    With all of the new Flash-based Facebook apps and plugins I've seen it pop up more and more lately. Usually turning off admin and power user rights can stop it though.

  • Spudge Registered User regular
    edited August 2010
    This is what I did to remove this threat from my (previous) company:
    I Websensed the FUCK out of 'em. If it wasn't business related (directly) they couldn't go to it. Included the VPs, CEO, CFO, everyone. Nipped it right in the bud.
