
View Full Version : Virus via banner ads



Silver_2000
09-23-2009, 05:14 PM
It looks like some of the recent virus/malware infections are coming from simply making the mistake of viewing a page with an infected banner ad or other infected content. You don't have to click or install anything to be prompted by a BUNCH of windows that say you have an infection; the windows seem to cascade and grow, making it difficult to get away from them.

If you see any pop-up or window generated that you didn't ask for or don't understand, you should close it by using the red X in the upper right corner, OR, if the window is the active (uppermost) window, you can hold down Alt and hit F4 to close the active window. If you have a bunch of them you can keep pounding Alt+F4 till they go away. Alt+Tab to switch to the window you want, then Alt+F4 to close it.

3 of us have seen this kind of attack recently and 2 of us managed to avoid the infection by carefully closing the windows.

If you have wives/kids etc. that use your computers or theirs, take a second and show them how to close windows without using the Cancel button.

As I previously posted, there are some tools you can use on my website (http://www.bosshelp.com/tools) to try to clean the infections. The problem is most of the time you can't install new software or get it to run because the virus/malware shuts all that down. That's where hiring someone like me to help can be handy.

If you are inclined to take your PC infection to Geek Squad, be prepared that they make money by selling hardware and they DON'T value your data. So back up - if you can - EVERYTHING before you go.

One of the secrets to cleaning these issues is removing the drive from the PC and attaching it to a second PC to scan as a second drive.

I use one of these (http://www.newegg.com/Product/Product.aspx?Item=N82E16812232002) to attach the laptop or desktop drive to a second PC. Many times you can scan the external drive and clean it enough to be able to put it back and get the PC booting correctly, and then run some more scans from Safe Mode on the infected drive.

Hope this helps

mikelemoine
09-23-2009, 09:46 PM
I've found that some of those "Your PC may be infected" windows are really one solid image that has a fake X (or No thanks or Cancel button) to close it. If you move your cursor around you'll see it stays highlighted and no matter where you click you are really clicking the same "Yes install your virus on my PC" button.

My buddy's son got the Internet Antivirus Pro scam on his PC, which makes it hard to tell which button says "don't install". I think it said "don't protect my PC" or something, so he clicked the other one, and it took me hours to finally get it cleaned since it puts a link in the registry to reinstall it if it gets removed. They are no different than the mafia making you pay them to protect you from them!

I've gotten to where I open task manager and end task on IE explorer to make sure it kills it. I'll remember Alt+F4 for the occasional popup though, thanks!

Sandman
09-24-2009, 09:32 AM
I've gotten to where I open task manager and end task on IE explorer to make sure it kills it. I'll remember Alt+F4 for the occasional popup though, thanks!
(thumbs up)
That's what I do.

Silver_2000
09-24-2009, 01:04 PM
Many of the new infections disable Task Manager.

If you can get it open, you get access-denied errors trying to change anything.
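
A worked example for the cleanup side of this, added here and not from anyone in the thread: once the drive is attached to a second PC (or the infected box is booted into Safe Mode), export the relevant keys with `reg export` (on the second PC, `reg load` the copied NTUSER.DAT or SOFTWARE hive first) and run this Python script over the export. It reports the DisableTaskMgr / DisableRegistryTools policy values that are behind the "access denied" Task Manager, lists the Run/RunOnce autoruns that put a rogue "antivirus" back after removal, flags the ones launched from temp or profile folders, and writes out a .reg file that deletes the lockout values. The sample export and the iavpro.exe path in it are constructed for illustration; loaded hives appear under HKEY_USERS\<name> rather than HKEY_CURRENT_USER, which is why keys are matched by suffix rather than by full path.

```python
"""Offline triage of a Windows registry export (.reg text) for the scareware
indicators discussed in this thread: Task Manager / Registry Editor disabled
by policy, and autorun entries that relaunch a rogue "antivirus".

Added example, not code from the thread.  Assumes the text came from
`reg export` (Safe Mode on the infected PC, or a second PC after `reg load`
of a hive copied from the attached drive).  reg export writes UTF-16 with a
BOM, so read a real file with encoding="utf-16".
"""
import re

# Key suffixes (lower-case) holding the indicators, whatever the hive root.
POLICY_SUFFIX = r"\microsoft\windows\currentversion\policies\system"
AUTORUN_SUFFIXES = (r"\microsoft\windows\currentversion\run",
                    r"\microsoft\windows\currentversion\runonce")
LOCKOUT_VALUES = ("DisableTaskMgr", "DisableRegistryTools")
LOCKOUT_LOWER = tuple(v.lower() for v in LOCKOUT_VALUES)
# Coarse heuristic: legitimate autoruns rarely live in temp/profile scratch dirs.
SUSPECT_DIRS = ("\\temp\\", "\\appdata\\", "\\programdata\\",
                "%temp%", "%appdata%", "%localappdata%")

# Constructed sample export; the "Internet Antivirus Pro" path is hypothetical.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun"
"Internet Antivirus Pro"="\"C:\\Users\\bob\\AppData\\Local\\Temp\\iavpro.exe\" /silent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"""

_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s):
    # .reg escaping: backslash-backslash -> backslash, backslash-quote -> quote
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse .reg text into {key: {value_name: (kind, value)}}."""
    keys, current, logical, pending = {}, None, [], ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith(",\\"):        # hex data wrapped over several lines
            pending = line[:-1]
            continue
        logical.append(line)
    for line in logical:
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":
            name = line[1:-1]
            current = None if name.startswith("-") else name   # [-Key] = delete key
            if current is not None:
                keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if current is None or not m:
            continue
        vname = "(Default)" if m.group(1) is None else _unescape(m.group(1))
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            keys[current][vname] = ("string", _unescape(data[1:-1]))
        elif data.lower().startswith("dword:"):
            keys[current][vname] = ("dword", int(data[6:], 16))
        elif data == "-":
            keys[current][vname] = ("deleted", None)
        else:
            keys[current][vname] = ("other", data)   # hex:, hex(2): etc. kept raw
    return keys


def looks_suspicious(command):
    c = command.lower()
    return any(marker in c for marker in SUSPECT_DIRS)


def triage(reg_text):
    """Return {"lockouts": [(key, name, value)], "autoruns": [(key, name, cmd, flag)]}."""
    keys = parse_reg(reg_text)
    lockouts, autoruns = [], []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith(POLICY_SUFFIX):
            for vname, (kind, val) in values.items():
                if vname.lower() in LOCKOUT_LOWER and kind == "dword" and val:
                    lockouts.append((key, vname, val))
        elif k.endswith(AUTORUN_SUFFIXES):
            for vname, (kind, val) in values.items():
                if kind == "string":
                    autoruns.append((key, vname, val, looks_suspicious(val)))
    return {"lockouts": lockouts, "autoruns": autoruns}


def unlock_reg(lockouts):
    """Build a .reg file that deletes each lockout value ("Name"=- removes it)."""
    by_key = {}
    for key, vname, _ in lockouts:
        by_key.setdefault(key, []).append(vname)
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)
        lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    # Real export: triage(open("infected.reg", encoding="utf-16").read())
    result = triage(SAMPLE_EXPORT)
    for key, vname, val in result["lockouts"]:
        print(f"LOCKOUT  {vname}={val} in [{key}]")
    for key, vname, cmd, bad in result["autoruns"]:
        print(f"{'SUSPECT' if bad else 'autorun'}  {vname}: {cmd}")
    if result["lockouts"]:
        print("\n--- unlock.reg ---\n" + unlock_reg(result["lockouts"]))
```

Import the generated .reg with `reg import` from Safe Mode, or only after the autorun entry and its executable are gone, because the scareware may re-apply the policy while it is still running. Treat the path heuristic as a starting point for review, not a verdict: every Run entry should be looked at, and a flagged one should be confirmed by checking the file it points to.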

Sandman
09-24-2009, 02:26 PM
Many of the new infections disable Task Manager.

If you can get it open, you get access-denied errors trying to change anything.

Outside of browser holes, you should have to click something in order to be infected. Even drive-by-downloads should require that you click something. Make sure you keep your box updated to help close some of these browser holes.

Here's some info for the peeps that are interested on different methods of infection (http://www.malwarehelp.org/methods-of-infection.html).

If you're talking about a PC that is already infected... all bets are off. But with a little common sense and awareness you can prevent infection. I think I've gotten one infection in many, many years.

Like Doug has said many, many times: keep your PC updated, keep your antivirus updated. I also run a personal firewall (Comodo, but it is kinda naggy and you have to know what it is talking about, but it is free). And torrents are the world's worst for containing infections.

What some of these infections can do is pretty scary. Data and identity theft are easy. They could simply install a key logger and watch you type in your password to your bank account and then upload it. They can disable your antivirus and any other tools that might be able to quarantine them. Some of these things are pretty smart.

Silver_2000
09-24-2009, 03:09 PM
Outside of browser holes, you should have to click something in order to be infected. Even drive-by-downloads should require that you click something. Make sure you keep your box updated to help close some of these browser holes.
I used to think the same thing, but I saw it on a VM of mine the other day.

I had done a Google search and from that opened about 10 browser tabs

I closed the PC and it went into standby

When I reopened it a day later, the act of coming back from standby caused the pages to refresh. When they did, one of the banner ads on one of the pages was infected; it spawned a number of popups and popunders that were nearly impossible to close without activating them.

So to summarize I did NOTHING to start the infection process other than load a page. The average user would have a very hard time closing all the windows without actually enabling the infection.

This was on a Vista machine with all updates and using an updated version of Firefox.

Ironically, Vista was running on a MacBook Pro; if I had been in OS X and had done the same search there would have been no concerns.

Sandman
09-24-2009, 03:23 PM
I used to think the same thing...

So to summarize I did NOTHING to start the infection process other than load a page. The average user would have a very hard time closing all the windows without actually enabling the infection.

This was on a Vista machine with all updates and using an updated version of Firefox.


So, did you find the source of the infection? Or did it go away after closing all the popups?

Also note, there will always be some sort of browser hole and it may take some time for the developing company to respond to close the hole, if ever. So I still stand by my original statement.

Silver_2000
09-24-2009, 05:23 PM
Not wanting to start an argument here, but...

From your link:


Malware may also be installed through accessing a website, whose prime aim is to drop Spyware onto the client. The malware installation will be embedded within the web page. ActiveX (a Microsoft technology) is then utilized to install the malware (generally as a browser plug-in), on the client. ActiveX is a mechanism which allows applications to be run within other applications. This installation will allow the malware to operate every time the browser is opened.

Another common method of malware intruding an unprotected system is when visiting a site in Internet Explorer that displays an advertisement or misleading download link that you have to click on to continue. That's when the site installs one or more programs on your computer, without asking any further permission. Sometimes these are referred to as 'Drive-by Downloads'.


ActiveX is simply MS-branded Java. Firefox doesn't natively support ActiveX; HOWEVER, since an ActiveX control can infect you with no click, it makes sense that another Java applet could be created to do the same.

I'm not arrogant or confident enough to say that it's not possible to get infected without clicking on anything.

Sandman
09-24-2009, 11:37 PM
I'm not looking for an argument either. But I'm always up for a friendly conversation. Hopefully I'll learn something in the process.

I will agree that nothing is impossible. If a security measure can be designed, it can also be broken, hacked, worked around, and misused.

However, all of the web components, whether it be JavaScript, ActiveX, or anything else, have security features designed in place to protect your PC. Any action that is questionable should either be denied or left up to the user to decide. It would be irresponsible for them not to. The browser itself plays a big part in this. IE 7 is better than IE 6 on security, and IE 8 is better than IE 7.

ActiveX does have many security features built in, and IE goes to great lengths to work with ActiveX and security. Depending on your settings (and many of the security features can be turned off), components are allowed to run based on a signature or permission by the user.

As you pointed out, Firefox does not officially support ActiveX. It uses NPAPI, but it has its vulnerabilities as well.

So, does an ActiveX control have to be clicked in order to be installed... Maybe not. But it's still not that easy for that component to be installed. It does have to pass through an array of security features to do so.

Which security feature is the easiest to crack? That easily has to be the user. A little social engineering and it's game over. All it takes is one wrong decision by the user to open a door and change the rules.

98Cobra
09-25-2009, 12:05 AM
Don't forget the ton of infections that can now come from downloading a malformed PDF or even a Flash ad that is using an exploit. You truly do not have to click on anything anymore to become infected.

Firefox + Adblock FTW.