Pelvis Popcan
I got hit last week browsing SomethingAwful.com and spent days restoring my systems with clean backup images. I later found out that this seems to be affecting a lot of people and started at the end of November 2011.
The infection will happen simply by web browsing. Executable code runs then installs a rootkit which so far seems to be redirecting Google search results, as well as running fake scareware antivirus program .exe's (name depending on your OS; "XP/Vista/Windows 7 Security 2012", it might be called something else like "Cloud AV" as well).
This outbreak appears to affect every version of Windows (including Win7 x64), and every browser (including Chrome, Firefox, and IE). It also appears that MalwareBytes, MSE, and most all other real time malware protection programs do not stop the infection. HijackThis won't show it. If you manage to find the infected files (I found one using TDSSKiller) and upload them to VirusTotal.com, only the uninfected portion of the file will be uploaded and it will return a clean scan. That's why it's a rootkit. Your system appears clean and all affected files have clean checksums, when in fact they don't.
If you do get hit, you will be able to remove the fake AV programs and fix your registry (they change some registry keys so that any program or .exe file will start them up), but the Rootkit will remain on your system and redownload and rerun the scareware .exe's hours to days later, as well as continue to redirect Google search results. This is EXTREMELY SERIOUS because it means that it can run executables at any time. Essentially, someone somewhere has complete control of your PC.
So far, very little is known on where this infection is coming from and how it's running executable code just by browsing. Everything from ad banners to imgur to reddit to servers on various websites has been suggested, as well as Flash, Java, Javascript, Microsoft .NET, and Adobe Reader.
If you do get hit, barring a reformat, I would suggest:
ComboFix: Save to the desktop. Boot into Safe Mode with Network Support, but disconnect your modem or router from the net. Run ComboFix from the desktop.
Reboot, then do TDSSKiller, then finally MalwareBytes.
Some other tools I would suggest trying if you have problems:
HitMan Pro 3.6
McAfee Rootkit Remover (released recently and is supposed to clean all versions of the ZeroAccess rootkit that they know about)
Microsoft did release four updates to .NET on 12/29, which is not only an out of band update, but one that must have required Microsoft employees to come in over the holidays to work on. I read on ZDNet the holes they patched do in fact allow arbitrary code execution, and that it affects every version of Windows from XP to 7 (workstation and server of all versions), so it certainly seems possible that could be the back door this infection is using. Make sure you go to windowsupdate.microsoft.com and do a manual check there to ensure you have everything.
Make sure you update Flash, Java, Adobe Reader, Shockwave Player, and you have everything from windowsupdate.microsoft.com. Install AdBlock Plus and use the Easylist subscription. If you're on IE like me, use an IE Ad Blocker with Easylist; I used Simple Adblock which is $30.
http://blogs.mcafee.com/mcafee-labs/zeroaccess-rootkit-launched-by-signed-installers (This talks about a variant of this infection that runs from digitally signed standalone installers, like Adobe Flash.)
http://www.zdnet.com/blog/bott/microsoft-releases-out-of-band-security-update-to-plug-net-hole/4305 (Microsoft .NET out of band critical updates released Thursday 12/29/11.)
http://nakedsecurity.sophos.com/2011/12/13/malware-shuts-down-hospital-near-atlanta-georgia/ (Atlanta Hospital had to shut down because all their computers got hit with Malware in December 2011.)
I have not seen anything this nasty since the days of IE6. In fact, even with the crap back then, it usually wasn't so bad that nothing could fix it except a complete reformat.
HEADS UP!
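The post says the scareware changes registry keys so that launching any .exe starts it up. The check below is an added example (not from the post or any of the tools it names) that audits the .exe file-association keys against the values a stock Windows install carries; the expected values and key paths are assumptions from a default system, and anything it flags should be reviewed by hand rather than blindly reset.

```powershell
# Added example, not from the original post: audit the .exe file-association
# registry keys that the scareware described above is reported to change so that
# launching any .exe starts the fake AV instead. Expected clean values are assumed
# from a stock Windows install; anything flagged needs a manual review.

$ExpectedOpenCommand = '"%1" %*'
$ExpectedExeClass    = 'exefile'

function Get-RegDefault([string]$Path) {
    # Returns the (Default) value of a key, or $null if the key does not exist.
    if (-not (Test-Path -Path $Path)) { return $null }
    return (Get-Item -Path $Path).GetValue('')
}

function Test-ExeAssociation {
    $findings = @()

    # Machine-wide mapping: HKCR reads HKLM\SOFTWARE\Classes unless HKCU overrides it.
    $cls = Get-RegDefault 'HKLM:\SOFTWARE\Classes\.exe'
    if ($cls -ne $ExpectedExeClass) {
        $findings += "HKLM .exe maps to '$cls' (expected '$ExpectedExeClass')"
    }

    # A per-user .exe class is not present on a stock install; if it exists it
    # shadows the machine-wide mapping for this user, so report it for review.
    $userCls = Get-RegDefault 'HKCU:\Software\Classes\.exe'
    if ($null -ne $userCls) {
        $findings += "HKCU .exe override present, maps to '$userCls'"
    }

    # The exefile open command should pass the file straight through unchanged.
    foreach ($hive in 'HKLM:\SOFTWARE\Classes', 'HKCU:\Software\Classes') {
        $cmd = Get-RegDefault "$hive\exefile\shell\open\command"
        if ($null -ne $cmd -and $cmd -ne $ExpectedOpenCommand) {
            $findings += "$hive exefile open command is '$cmd' (expected '$ExpectedOpenCommand')"
        }
    }
    return $findings
}

$result = @(Test-ExeAssociation)
if ($result.Count -eq 0) {
    Write-Output 'OK: .exe association keys match the expected stock values.'
} else {
    $result | ForEach-Object { Write-Output "REVIEW: $_" }
}
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable; a REVIEW line is a lead to investigate, not proof of infection on its own.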