Heads up - FPS banana and viruses

The Resident

2009-01-04 06:30:33

Heads up. Looks like FPSbanana or its ad server was hacked and is sending java and acrobat files loaded up with Virtumonde, smitfraud and a bunch of other great programs.

L2k

2009-01-04 09:06:26

The plus of running NoScript and Adblock in Firefox :)

thanks for the heads up though for those who are not using it

keefy

2009-01-04 09:18:43

I have adblock so is that why nothing happens?

The Resident

2009-01-04 22:13:34

Ugh. This new Virtumonde is pretty sinister. I was only able to clean it by booting from CD and editing the registry with the hard drive in slave-mode. That finally killed Virtumonde, but so far I've run SpybotS&D, Ad-Aware, Avira, and Malwarebytes AM and each one finds different crap leftover.

And to top it off, my system makes an audible error chime about a half-hour after boot. Yeah, that isn't disconcerting at all. :?

Yeah, Adblock probably saves you from these drive-by infections, so it's a good first line of defense, but definitely upgrade java and Acrobat, because the root security defect is otherwise still there.

[EYE] Valar

2009-01-05 01:11:52

updated FF with these addons now. thx L2K. GJ.

G

2009-01-05 08:57:21

I still have a little bit of that virtumonde shit left on my system actually, tough to get rid of.

badinfluence

2009-01-05 17:45:18

Good thing I only browse trusted sites on my good pc. I browse everything else on the shit one.

The Resident

2009-01-06 03:57:23

G,
If you actually have an infection, and the anti-spyware programs don't seem to be removing it, here's what I did to kill one of the variants: http://bbayles.googlepages.com/antivundo.html

I had to follow the "If the files wouldn't rename or delete" section, and then had to reboot and move/delete the files by hand... MoveFile didn't seem to actually delete them. That works if the variant you have is the one that hooks into the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key. You'll know it's there if there's a value that says "rundll32 \windows\system32\<random junk>.dll" The <random junk> part will match the dlls that you found while following the directions in that page.

There's another variant that's a whole shitload tougher to remove. It will show up in the ListDlls list, but MoveFile won't help at all. PM me if you need help.
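One way to script the Run-key check described in this post, as an added example that is not from the thread: it parses a constructed `reg export` of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, flags rundll32 entries that load a DLL from \windows\system32 when the DLL name looks random (my own heuristic), and flags any DLL name that matches one already found with ListDlls. SAMPLE_REG and every name in it are constructed.

```python
import re
# Constructed sample of a `reg export` of the Run key. The "qkbtnfxw" entry is
# the pattern described in the thread; the other entries are ordinary autoruns.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre6\\bin\\jusched.exe\""
"qkbtnfxw"="rundll32 \\windows\\system32\\qkbtnfxw.dll,s"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
'''

_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
# rundll32[.exe] followed by a DLL path that passes through \system32\.
_RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?[^",]*?\\system32\\(?P<dll>[^\\",]+\.dll)',
                        re.IGNORECASE)

def parse_run_values(reg_text):
    """Return {value_name: command} for the string values in a .reg export."""
    values = {}
    for line in reg_text.splitlines():
        m = _VALUE_RE.match(line.strip())
        if m:
            # .reg files escape backslashes and quotes; undo that.
            values[m["name"]] = m["data"].replace('\\"', '"').replace("\\\\", "\\")
    return values

def looks_random(stem):
    """My heuristic for 'random junk' names: letters only, 6+ long, few vowels."""
    s = stem.lower()
    if not s.isalpha() or len(s) < 6:
        return False
    vowels = sum(c in "aeiouy" for c in s)
    longest_run = max(len(r) for r in re.split(r"[aeiouy]", s))
    return vowels / len(s) < 0.2 or longest_run >= 5

def suspicious_run_entries(reg_text, listdlls_hits=frozenset()):
    """Return (value_name, dll, reason) for rundll32 autoruns of a system32 DLL."""
    hits = {d.lower() for d in listdlls_hits}  # DLL names found with ListDlls
    findings = []
    for name, cmd in parse_run_values(reg_text).items():
        m = _RUNDLL_RE.search(cmd)
        if not m:
            continue
        dll = m["dll"]
        if dll.lower() in hits:
            findings.append((name, dll, "matches DLL found with ListDlls"))
        elif looks_random(dll[:-4]):
            findings.append((name, dll, "random-looking DLL name"))
    return findings
```

Run `suspicious_run_entries(SAMPLE_REG, {"qkbtnfxw.dll"})` to see the flagged entry; a legitimate rundll32 autorun such as the NvCpl one is left alone.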

haymaker

2009-01-06 05:32:47

If you end up like me and have a crippled registry after a malware infection, this saved my virtual ass. It won't be as fast as a brand new Win install, but it still fixes a ton of other issues as well.

http://www.informationweek.com/shared/p ... tid=603082

Simple and takes about 15 min

L2k

2009-01-06 08:27:05

Along the lines of registry repairs and preventive maintenance, there is this great little program called ERUNT. It's free; basically I run it about once a month, or after doing any major updates/additions etc., to create a backup image of my registry. When things like this malware screw up your registry you can simply run ERUNT to rewrite your registry to the last good save you have; if you are vigilant about doing it often it's very nice to have. The program also comes with NTREGOPT, a nice little registry optimizer, which I also use about once a month.

Fearsome*

2009-01-06 10:20:00

Why is it that this virus can even work? I mean you should not be able to get infected simply by browsing a website.

[EYE] Valar

2009-01-06 15:12:22

Fearsome* wrote: Why is it that this virus can even work? I mean you should not be able to get infected simply by browsing a website.
Of course you can.

keefy

2009-01-06 15:33:35

pretty sure when just browsing a website you are downloading various files to a temp folder.

SND

2009-01-06 16:16:21

This is very annoying: even when you don't download dodgy stuff you can still have viruses end up on your system. I started to notice viruses popping up even when I have been careful on what sites I go on; they usually catch you out with a site that allows third-party advertisements.

That's why you should use all three levels of protection and not use Internet Explorer; stick to Firefox with the Adblock plugin, and possibly their Clear Privacy and NoScript for those control freaks out there.

[EYE] Valar

2009-01-06 17:06:50

I'm afraid yesterday's control freaks and talented kids are today's savvy IT dev background people. This is a huge industry, make no mistake.
Your private information is worth much more than a "yay, I got 'em" from a kid behind his desktop.

L2k

2009-01-06 20:05:25

I'm no expert in this area, but it is my understanding that when you visit a site, if that site has any JavaScript running on the page, it is possible for malicious code to be contained within that JavaScript. Java keeps updating to try to prevent this, but it seems people keep finding ways around it. I never realized how much JavaScript is being used out there until I started running NoScript and seeing how many things it was preventing from displaying or working. At first you will be thinking to yourself that this is a pain in the ass, every site I go to I have to manually OK things for it to work, but then you get to the point where you are asking yourself whether you really need to see all of this site or just what is important to you, and you selectively OK things as needed (if you trust the site, like this one). For trusted sites you can just permanently OK them.

keefy

2009-01-06 20:27:07

Used that NoScript and it did annoy the heck out of me, so not used it since. It disables YouTube as well if I remember correctly.

G

2009-01-07 00:03:54

The help I have received is much appreciated <333333333333333333333333333333333333333

seriously though thanks

[EYE] Valar

2009-01-07 00:12:37

keefy wrote: Used that NoScript and it did annoy the heck out of me, so not used it since. It disables YouTube as well if I remember correctly.
It blocks the ying thingie or whatever it's called. Just enable it. Is all.
NoScript is great.

Ko-Tao

2009-01-07 03:51:34

Fearsome* wrote: Why is it that this virus can even work? I mean you should not be able to get infected simply by browsing a website.
The website contains a Java applet that, using one of Java's many security holes, gives itself admin-level permissions and edits the user's winlogon and select other files, which then open the door for the trojan to be automatically downloaded.

Disabling scripting of Java applets obviously foils this particular malware, but tbh so many users allow automatic scripting of applets, running/downloading of ActiveX controls, installation on demand or no prompt for file/font downloads, that it's no surprise at all that people are constantly getting hit with drive-by malware infections.

The Resident

2009-01-07 06:32:06

Fearsome* wrote: Why is it that this virus can even work? I mean you should not be able to get infected simply by browsing a website.
Ko-Tao is right. I've seen it happen with a Java exploit, and this last one was an Acrobat exploit. I only noticed it because AcroRd32.exe suddenly started up while I was browsing maps on FPS banana and I had Java disabled.

The "root-cause" security defect is in Java or Acrobat itself, and maliciously crafted jar or pdf files can exploit those defects to run arbitrary code (install viruses, download more stuff, rootkit, basically do anything).

The key is if Java or Acrobat are enabled as web browser plugins, and the browser automatically runs embedded applets or Acrobat files, then there's a risk of drive-by infection. By default, I know that Firefox won't even prompt you. It'll just load jar or pdf files, fat-dumb-and-happy, even if it comes from a site's advertiser.

So it's not actually just simply browsing the site, it's also the loading of less-than-secure plugins and automatic d/l and running of embedded media.