
Posted

I know this user so we need to take this seriously....

Rich-M

My First-Ever Virus Alert

Submitted by Ken Dwight on Tue, 07/15/2014 - 07:33

In the 12+ years I’ve been operating as The Virus Doctor™, I have never issued a general Virus Alert to all of my clients and subscribers to my e-mail list – until now. In the past week I have learned of a very widespread virus outbreak that could ensnare even the most cautious users of the Internet and e-mail.

This outbreak crippled a major hospital in the Texas Medical Center, in Houston, and surely many other computer users around the United States. But unlike some viruses you may have heard about on the evening news, this one has gone mostly unreported in the news media.

Going a step further, only one computer security vendor, to my knowledge, has published anything about it. And even at that, it took some serious digging through their web site before I was able to uncover more details of this infestation.

But what I found was very troubling, on multiple levels. This is a very sophisticated attack with multiple ways of infecting computers, multiple ways of appearing to be legitimate, and multiple payloads (ways of making money by infecting your computer).

I’ll start by describing the attack in layman’s terms, which I hope will be understandable to “normal” computer users who are not geeks. Then I’ll provide more details for the techie readers who want to know more about how the attack works and why I’m so concerned about it.

The first thing you need to know is that this virus infects computers that have been used to research any of at least 15 different travel destinations. It has been able to accomplish this by infecting the web sites that people use to find more information about specific cities or areas. Here are some of the sites that were infected:

  • www (dot) visitmyrtlebeach (dot) com
  • www (dot) visithoustontexas (dot) com
  • www (dot) seemonterey (dot) com
  • www (dot) visitannapolis (dot) org
  • www (dot) bostonusa (dot) com
  • www (dot) tourismvictoria (dot) com

Making matters worse, users were directed to these sites through promotional e-mails that actually came from legitimate sites that the users had opted in to receive. Some of the promotional e-mails included references to 4th of July activities, while others were general travel-related content, so the attackers timed their activities to coincide with the summer travel season and the marketing activities that usually happen this time of year.

In most cases of a web site being compromised by criminals, it is still necessary for the user to click on an infected link on that page in order for their computer to become infected. That is not the case with this exploit, though – as soon as that page opens in your browser, your computer is infected.

As if that weren’t enough bad news for this exploit, it gets even worse. Because of the way this infection enters your computer, the attack won’t be recognized or blocked by most anti-virus, firewall, or Internet Security software. Even Malicious Web Site Blocking in Internet Security software is likely to treat these as legitimate sites, unless it analyzes the actual behavior taking place on your computer when you go to those sites.

It appears that this attack originated in the Ukraine, and the exact number and identities of all the infected web sites may not be known. The hosting companies for all of the known sites have been contacted, so some of the sites should have been fixed by now.

The payload, or objective, of this attack falls into several broad categories. These are discussed in more detail in the “For the Geek” section, below. But here is the short version:

  • A downloader that downloads and installs additional pieces of malicious software
  • A rootkit that makes the infection invisible to most security software and support techs
  • A component that attempts to steal user credentials and hijacks the computer into a botnet

In short, this attack follows “Best Practices” to make it likely to infect the maximum number of computers, generate as much profit for the criminals as possible, and avoid detection and removal by any but the most skilled IT Support technicians.

For the Geek

This attack is delivering the Nuclear exploit kit to the infected computers, without the user doing anything that could be considered “wrong” or inappropriate. If they do a Google search on Houston, Texas, for instance, and click on one of the top search results, their computer could become infected.

Here are the actual components of the attack:

  • Zemot – the downloader that downloads and installs additional pieces of malware
  • Rovnix – A sophisticated bootloader/rootkit that launches the installed malware when the PC boots and then hides itself and other malware from detection
  • Fareit – Also a downloader; it attempts to steal user credentials and can be used in DDoS attacks

For more technical details, you may want to read the article by Proofpoint, here: http://www.proofpoint.com/threatinsight/posts/travelers-targeted-by-infected-travel-websites.php
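One defender-side use of the site list in the alert (an added example, not Ken Dwight's or Proofpoint's code): refang the "(dot)" names, then sweep proxy log lines for any client that fetched one of those hosts, or a subdomain of one, during the exposure window, so those machines can be pulled for a Zemot/Rovnix/Fareit check. The log format, the sample lines and the window dates (assumed from the 07/15/2014 alert date and the 4th of July mailings) are constructed assumptions.

```python
import re
from datetime import datetime, timezone

# The six sites the alert names, kept in the post's defanged "(dot)" form.
DEFANGED_SITES = [
    "www (dot) visitmyrtlebeach (dot) com",
    "www (dot) visithoustontexas (dot) com",
    "www (dot) seemonterey (dot) com",
    "www (dot) visitannapolis (dot) org",
    "www (dot) bostonusa (dot) com",
    "www (dot) tourismvictoria (dot) com",
]

def refang(defanged):
    """'www (dot) example (dot) com' -> 'www.example.com'."""
    return re.sub(r"\s*\(dot\)\s*", ".", defanged.strip()).lower()

def registrable(host):
    """Strip a leading 'www.' so bare hosts and subdomains match too."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

WATCHLIST = {registrable(refang(s)) for s in DEFANGED_SITES}

def matches_watchlist(host):
    """True for the watchlisted host itself or any subdomain of it."""
    h = registrable(host)
    return any(h == w or h.endswith("." + w) for w in WATCHLIST)

# Assumed window: alert dated 2014-07-15, campaign tied to 4th of July mailings.
WINDOW_START = datetime(2014, 6, 25, tzinfo=timezone.utc)
WINDOW_END = datetime(2014, 7, 15, 23, 59, 59, tzinfo=timezone.utc)

# Constructed proxy log lines (simplified: epoch, client IP, method, URL); not real traffic.
SAMPLE_LOG = """\
1404432000.123 10.0.5.21 GET http://www.visithoustontexas.com/things-to-do
1404432061.004 10.0.5.33 GET http://cdn.example-news.test/img/a.png
1404518400.500 10.0.5.21 GET http://visitmyrtlebeach.com/july4
1404518461.777 10.0.5.40 GET http://static.bostonusa.com/js/app.js
1399000000.000 10.0.5.50 GET http://www.seemonterey.com/
"""
LINE_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<client>\S+)\s+[A-Z]+\s+(?P<url>\S+)")

def find_exposed_clients(log_text, start=WINDOW_START, end=WINDOW_END):
    """Map client IP -> URLs it fetched from a watchlisted host inside the window."""
    exposed = {}
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):  # unparsable lines skipped
        ts = datetime.fromtimestamp(float(m["ts"]), tz=timezone.utc)
        hm = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", m["url"], re.I)
        if start <= ts <= end and hm and matches_watchlist(hm.group(1)):
            exposed.setdefault(m["client"], []).append(m["url"])
    return exposed
```

The last sample line falls before the window and is excluded; the subdomain hit on bostonusa.com is kept because the exploit kit can be served from any host under a compromised site.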

  • FPCH Admin
Posted
Wow, this one sounds pretty intricate and as the article states, sophisticated. I wonder what Gene and Pete have to say about this one. They are always up to date with this sort of thing.

~I know that you believe you understand what you think I said, but I'm not sure you realize that what you heard is not what I meant.~

~~Robert McCloskey~~

Posted
I posted it on CHF as well, hoping one of them would reply. Ken Dwight is a serious Pro who travels around the country giving classes in Malware Removal and is supposed to have a completely different technique he uses, so his training is a one-day-long seminar and it's not cheap, but he is quite successful.
  • FPCH Admin
Posted
My son and his family are going to Myrtle Beach next week for four days before they make settlement on their new house. When I read this, this afternoon, I called my daughter in law as she made the reservations online this past weekend. She assured me she didn't use the www (dot) visitmyrtlebeach (dot) com link. She's bringing her notebook over for me to check out anyway. :omg: They forever frustrate me with their computing habits. They have a penchant for disabling any and all protection I install on their computers.

~I know that you believe you understand what you think I said, but I'm not sure you realize that what you heard is not what I meant.~

~~Robert McCloskey~~

Posted
Yeah and I can tell you if Ken is sending this email, we can bet this will be a "biggie". He never has paid any attention to any of this prior to the Cryptolocker virus last year, and he still never sent a mass email about that one.
Posted

Supposedly, the Russians are famous lately for hacking, and they are also supposedly famous for the best anti-virus. Imagine that, right? Here is my advice. Don't ever install a Russian-made AV, out of principle. I have a lot more to say about it, but I can't say it here and I can't explain it in detail here; security is not my thing here. KAV and NOD32 are both excellent, because they are both from the same regions where most of the viruses are written. Again, imagine that. Supply. Demand.

Hey - when it comes down to it, it's all about money and pretty much everything is fixed to a degree. Not to be a Debbie Downer, but don't believe everything you read. It's been this way for eons.

Real stuff remains real only until the offer comes along (like spyware apps that advertisers buy out, with an obfuscated initial install to install "spyware") to ruin the app and kill the pureness of the product. Seems everyone has a price but the few that have real integrity, which is so rare, especially when everyone is out to make a quick buck.

Posted
I run NOD32 and MBAM Pro, but there have been times where I ran no AV recently, and I am not convinced an experienced user needs one. I have been running Emsisoft as a test for 4 months now and am quite impressed with it for both. I also run WOT (Web of Trust) in all browsers as well as Adblock Plus, and with all that my web life is a bit boring.