Rich-M
Well-Known Member
I know this user so we need to take this seriously....
Rich-M
My First-Ever Virus Alert
Submitted by Ken Dwight on Tue, 07/15/2014 - 07:33
In the 12+ years I’ve been operating as The Virus Doctor™, I have never issued a general Virus Alert to all of my clients and subscribers to my e-mail list – until now. In the past week I have learned of a very widespread virus outbreak that could ensnare even the most cautious users of the Internet and e-mail.
This outbreak crippled a major hospital in the Texas Medical Center, in Houston, and surely many other computer users around the United States. But unlike some viruses you may have heard about on the evening news, this one has gone mostly unreported in the news media.
Going a step further, only one computer security vendor, to my knowledge, has published anything about it. And even at that, it took some serious digging through their web site before I was able to uncover more details of this infestation.
But what I found was very troubling, on multiple levels. This is a very sophisticated attack with multiple ways of infecting computers, multiple ways of appearing to be legitimate, and multiple payloads (ways of making money by infecting your computer).
I’ll start by describing the attack in layman’s terms, which I hope will be understandable to “normal” computer users who are not geeks. Then I’ll provide more details for the techie readers who want to know more about how the attack works and why I’m so concerned about it.
The first thing you need to know is that this virus infects computers that have been used to research any of at least 15 different travel destinations. It has been able to accomplish this by infecting the web sites that people use to find more information about specific cities or areas. Here are some of the sites that were infected:
- www (dot) visitmyrtlebeach (dot) com
- www (dot) visithoustontexas (dot) com
- www (dot) seemonterey (dot) com
- www (dot) visitannapolis (dot) org
- www (dot) bostonusa (dot) com
- www (dot) tourismvictoria (dot) com
In most cases of a web site being compromised by criminals, it is still necessary for the user to click on an infected link on that page in order for their computer to become infected. That is not the case with this exploit, though – as soon as that page opens in your browser, your computer is infected.
As if that weren’t enough bad news for this exploit, it gets even worse. Because of the way this infection enters your computer, the attack won’t be recognized or blocked by most anti-virus, firewall, or Internet Security software. Even Malicious Web Site Blocking in Internet Security software is likely to treat these as legitimate sites, unless they analyze the actual behavior taking place on your computer when you go to those sites.
It appears that this attack originated in the Ukraine, and the exact number and identities of all the infected web sites may not be known. The hosting companies for all of the known sites have been contacted, so some of the sites should have been fixed by now.
The payload, or objective, of this attack falls into several broad categories. These are discussed in more detail in the “For the Geek” section, below. But here is the short version:
- A downloader that downloads and installs additional pieces of malicious software
- A rootkit that makes the infection invisible to most security software and support techs
- A component that attempts to steal user credentials and hijacks the computer into a botnet
For the Geek
This attack is delivering the Nuclear exploit kit to the infected computers, without the user doing anything that could be considered “wrong” or inappropriate. If they do a Google search on Houston, Texas, for instance, and click on one of the top search results, their computer could become infected.
Here are the actual components of the attack:
- Zemot – the downloader that downloads and installs additional pieces of malware
- Rovnix – A sophisticated bootloader/rootkit that launches the installed malware when the PC boots and then hides itself and other malware from detection
- Fareit – Also a downloader that attempts to steal user credentials and can be used in DDoS attacks
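Added defender-side example, not part of Ken Dwight's alert or Rich-M's post: because the alert says the drive-by needs no click, the practical follow-up is to find which machines merely loaded one of the listed sites. This script refangs the "(dot)" indicators quoted above and sweeps constructed, squid-style proxy log lines for requests to those hosts; the log format and the sample lines are assumptions made for the example.

```python
import re

# Compromised travel sites named in the alert, in the "(dot)" defanged form used there.
DEFANGED_SITES = [
    "www (dot) visitmyrtlebeach (dot) com",
    "www (dot) visithoustontexas (dot) com",
    "www (dot) seemonterey (dot) com",
    "www (dot) visitannapolis (dot) org",
    "www (dot) bostonusa (dot) com",
    "www (dot) tourismvictoria (dot) com",
]

# Constructed sample log: "<timestamp> <client ip> <status> <method> <url>" (assumed format).
SAMPLE_LOG = [
    "2014-07-14T09:12:01 10.1.2.33 200 GET http://www.visithoustontexas.com/",
    "2014-07-14T09:12:02 10.1.2.33 200 GET http://www.visithoustontexas.com/js/main.js",
    "2014-07-14T09:15:44 10.1.2.57 200 GET https://www.example.org/",
    "2014-07-14T09:20:10 10.1.2.57 200 GET http://www.seemonterey.com/things-to-do",
    "garbage line that should be skipped",
]

def refang(indicator: str) -> str:
    """Turn 'www (dot) example (dot) com' (or '[dot]') into 'www.example.com'."""
    host = re.sub(r"\s*[\(\[]\s*dot\s*[\)\]]\s*", ".", indicator, flags=re.IGNORECASE)
    return host.strip().lower()

def host_of(url: str) -> str:
    """Hostname from a logged URL; scheme is optional and any port or path is dropped."""
    m = re.match(r"^(?:[a-z]+://)?([^/:?#]+)", url, flags=re.IGNORECASE)
    return m.group(1).lower() if m else ""

def sweep_proxy_log(lines, defanged=DEFANGED_SITES):
    """Return (timestamp, client_ip, host) for every request to a compromised site."""
    watch = {refang(d) for d in defanged}
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line: skip rather than abort the sweep
        ts, client, _status, _method, url = parts[:5]
        host = host_of(url)
        if host in watch:
            hits.append((ts, client, host))
    return hits

def exposed_clients(hits):
    """Collapse hits to {client_ip: sorted list of compromised hosts it loaded}."""
    seen = {}
    for _ts, client, host in hits:
        seen.setdefault(client, set()).add(host)
    return {c: sorted(h) for c, h in seen.items()}

if __name__ == "__main__":
    for client, hosts in exposed_clients(sweep_proxy_log(SAMPLE_LOG)).items():
        print(f"{client} loaded {', '.join(hosts)}: triage for Zemot/Rovnix/Fareit")
```

Every client that appears in the output loaded a compromised page, which per the alert is enough for infection, so each is a triage candidate regardless of whether antivirus reported anything.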