A new level of malware sophistication

I woke up today around 4 AM when one of our cats jumped on my stomach.  By now, it’s a pounce and jump operation because he knows if I catch him, I’ll throw him across the room and bounce him off a wall.  So he pops up from the floor to the window pane, pounces on my stomach from above my head, then flies off the bed, all in less than one second.  It’s an effective technique to wake me up, not so good to persuade me to feed him.

Some days, I really don’t like cats.

Since I was awake, I staggered out to the other room to do some computer work.  As I sat down in front of this Windows 7 system, I saw a window on the screen that made my blood run cold.  There, right in front of me, was a window telling me this computer had several virus infections and a “click here” button to clean them all up.  I lost count of the number of fake AV systems I’ve cleaned over the years, but this one was right here at home.

Fake AV, or fake antivirus, is a great scam.  Here is how it works:  Vicki the virus author decides she wants to make some illicit money.  So Vicki writes an evil program that pops up a window on a computer screen with an alarming and official-looking message about dozens or hundreds of viruses found.   But the whole thing is a lie, designed to frighten naïve users into paying for a “fix” and giving up sensitive information.

Vicki will probably craft her program to display a reassuring “Click here” button with a promise to make it all better.  When the user “clicks here”, her program will probably prompt for a credit card number, with the promise of a $24.95 download to take care of all the problems.  When the user enters the credit card number, the program sends the data back to Vicki, and Vicki can either have a great shopping spree at the cardholder’s expense or sell the credit card number in an underground market.

Vicki’s program may also leave behind a key logger or other malicious software designed to track user mouse clicks and keystrokes and send the results back to Vicki.  Vicki can mine this data at her leisure, stealing anything of value she wants.

It’s serious business.  If you “clicked here” for one of these programs, and especially if you gave a credit card number, stop reading this right now, call your credit card company, and cancel the credit card.   Also call your other credit card companies and your bank and sign up for a credit watch service.   Pull your computer off the Internet and have a trusted professional thoroughly clean it.  Don’t mess around with this – identity theft can make your life miserable for the next several years.

But Vicki has a distribution challenge – how does she distribute her evil program to millions of potential victims?  Enter many of today’s popular news, weather, sports, and gaming websites.   These sites make money by selling ads.  When a user visits, say, www.espn.com, that website will also download several banner ads from all over the Internet.   Those ads do not come from ESPN, they come from advertisers who pay ESPN.

So when you visit the ESPN website, your browser also fetches content from several advertiser and ad-network servers, which display their ads in areas ESPN assigns.  Any one of those servers can send active content to your browser for, say, displaying an animation, touring the advertiser’s products, or displaying a popup window claiming you have dozens of virus infections.   ESPN cannot possibly vet every advertiser and every ad it serves, and must depend on the advertisers and ad networks to keep their own servers clean.

I purposely picked on ESPN because ESPN had a well-documented incident a few years ago, but all websites that sell third-party ads have the same potential issue.  If any one of these ad websites is compromised, and that ad happens to display on your computer, your computer is in danger.  From the user’s point of view, it’s like a game of Russian roulette.

From Vicki’s point of view, there are hundreds, maybe thousands of these ad websites.  Vicki only needs to find one with poor security so she can inject her program and make it act as an unwitting distribution point.

Vicki no doubt subscribes to an automated underground service that constantly probes these websites, looking for vulnerabilities.  When she finds an eligible candidate, she injects her payload, compromises the website, and sits back and waits for the credit card numbers to flow in.

Vicki’s evil payload eventually found its way to one of my computers when my wife visited an Internet game site the other day.

If you find such a program running on your computer, do not simply shut down and reboot – these programs usually install a startup entry, so after the reboot they will be running again, and whatever further payload they carry may have been installed by then.  Instead, launch your Task Manager, find the offending process and kill it, find the offending program on your hard drive and delete it (or better, move it aside so it can be examined later), then do a thorough virus scan using a reputable tool.  Or call me and I’ll guide you over the phone.

Curiously, this fake AV program was a little different from most.  This one claimed it was a Norton virus scanner, and a quick trip into my Windows Task Manager found a process named nss.exe.  NSS.exe is, in fact, the name of the free Norton Standalone Scanner.  But in this case, it was an evil program pretending to be the real nss.exe.  I killed it and the fake AV window went away.

Next, I searched my hard drive for any file named nss.exe.  I found two occurrences, both in folders with Norton in the name, under C:\Program Files (x86).  Looking at these folders, I found dozens of .DLL, .exe, and other files.  This was definitely not a typical virus scenario.  Most directories containing malware programs have a single, hidden program with a random name.  This one was different – this one went to a lot of trouble to look like a real Norton installation.  The creation date for nss.exe was May 7, 2013.  The creation dates for the directories I found were July 28, 2013 at 5:39 PM.  The time as I write this is around 4:30 AM on July 30, 2013.

This gets even more interesting.   Looking at Control Panel…Programs and Features, I found references to two packages claiming to be Norton virus scan tools.  When I right-clicked and selected the “Remove” option, a new window popped up asking me if I wanted to install the Norton virus removal tool.  I also heard my hard drive rattle a little bit, suggesting to my paranoid mind this virus may have delivered its payload.
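The triage described a few paragraphs up (find the process, kill it, find the file, scan) is less error-prone if you check what is actually behind the process name rather than trusting the name.  Here is an added PowerShell script of mine, not something from the original post or from Symantec, that does that for a process such as nss.exe: it reports the image path, the Authenticode signature and signer, file timestamps and version metadata, lists every copy of the name on the system drive, and prints the Programs and Features entries whose Remove button would run a given command, so you can read the UninstallString before clicking anything.  The process name, the signer substring “Symantec” and the product keyword “Norton” follow the post; the verdict rules and everything else are my assumptions.  Run it from an elevated PowerShell prompt; it only stops a process when given -Kill.

```powershell
# Added triage script (mine, not the post author's or Symantec's): when a running
# process carries a trusted product's executable name, check where it runs from
# and who signed it before believing the name. Assumed values: -ExpectedSigner
# and -ProductKeyword are substrings I chose to match the Norton case described
# in the post. Run from an elevated PowerShell prompt (Windows 7 / PS 2.0 or later).
param(
    [string]$ProcessName    = 'nss',        # process name without .exe
    [string]$ExpectedSigner = 'Symantec',   # expected substring in the signer's certificate subject
    [string]$ProductKeyword = 'Norton',     # matched against Programs and Features display names
    [switch]$Kill                           # stop SUSPECT processes only when explicitly asked
)

function Test-ImageTrust {
    # Describes one process image: path, Authenticode verdict, signer, timestamps.
    # LOOKS GENUINE requires BOTH a valid signature by the expected signer AND a
    # location under a Program Files root; a Norton-looking folder alone proves nothing.
    param([System.Diagnostics.Process]$Process, [string]$Signer)

    $path = $null
    try { $path = $Process.MainModule.FileName } catch { }   # access denied or 32/64-bit mismatch
    if (-not $path) {
        return New-Object PSObject -Property @{ Id = $Process.Id; Path = '<unreadable>'; Verdict = 'UNKNOWN' }
    }

    $sig   = Get-AuthenticodeSignature -FilePath $path
    $item  = Get-Item -LiteralPath $path
    $roots = @(@($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ })
    $inProgramFiles = $false
    foreach ($r in $roots) { if ($path -like "$r\*") { $inProgramFiles = $true } }

    $signerSubject = '(none)'
    if ($sig.SignerCertificate) { $signerSubject = $sig.SignerCertificate.Subject }
    $signerOk = ($sig.Status -eq 'Valid') -and ($signerSubject -like "*$Signer*")
    $verdict  = 'SUSPECT'
    if ($signerOk -and $inProgramFiles) { $verdict = 'LOOKS GENUINE' }

    New-Object PSObject -Property @{
        Id        = $Process.Id
        Path      = $path
        Signature = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
        Signer    = $signerSubject
        Company   = $item.VersionInfo.CompanyName    # metadata only; trivially forged
        Created   = $item.CreationTime
        Modified  = $item.LastWriteTime
        Verdict   = $verdict
    }
}

function Get-UninstallEntries {
    # The entries behind Control Panel > Programs and Features, including the
    # command the Remove button would actually run. Read it before clicking.
    param([string]$Keyword)
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        Get-ChildItem $k | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            if ($p.DisplayName -like "*$Keyword*") {
                New-Object PSObject -Property @{
                    DisplayName     = $p.DisplayName
                    Publisher       = $p.Publisher
                    InstallDate     = $p.InstallDate
                    UninstallString = $p.UninstallString
                }
            }
        }
    }
}

# 1. Running processes with that name
$procs = @(Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)
if ($procs.Count -eq 0) { Write-Host "No running process named $ProcessName.exe" }
foreach ($p in $procs) {
    $r = Test-ImageTrust -Process $p -Signer $ExpectedSigner
    $r | Format-List Id, Path, Signature, Signer, Company, Created, Modified, Verdict
    if ($Kill -and $r.Verdict -eq 'SUSPECT') {
        Stop-Process -Id $p.Id -Force
        Write-Host "Stopped PID $($p.Id). Move $($r.Path) aside for analysis rather than deleting it."
    }
}

# 2. Every copy of the name on the system drive, each with its own signature status
Write-Host "Copies of $ProcessName.exe on $env:SystemDrive :"
Get-ChildItem -Path "$env:SystemDrive\" -Filter "$ProcessName.exe" -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $s = Get-AuthenticodeSignature -FilePath $_.FullName
        '{0}  [{1}]  created {2}' -f $_.FullName, $s.Status, $_.CreationTime
    }

# 3. What the Remove button would run for matching Programs and Features entries
Write-Host "Programs and Features entries matching '$ProductKeyword':"
Get-UninstallEntries -Keyword $ProductKeyword | Format-List DisplayName, Publisher, InstallDate, UninstallString
```

Save it as, say, Triage-ImposterProcess.ps1 and run `.\Triage-ImposterProcess.ps1 -ProcessName nss -Kill` from an elevated prompt.  A genuine Norton Standalone Scanner has a valid Symantec signature on nss.exe; an nss.exe sitting in an equally convincing Norton-named folder under C:\Program Files (x86) but reporting NotSigned, HashMismatch or a different signer is exactly the impostor described above, which is why location alone could not tell the two apart.  The CompanyName field is shown only for context, since file version metadata is trivially forged, and an UninstallString that points at a setup program rather than an uninstaller is the same red flag the Remove button raised here.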

Nice try, Vicki, but you failed to solve two problems:

  1. I never installed anything from Symantec or Norton on this computer, although it’s possible my wife may have done so.
  2. Even if somebody else installed this stuff without my knowledge, why would a removal option instead prompt me to install something new?

I think, with help from my wife, I stumbled across a new variation on an old theme.  I’ll bet a zillion dollars this is a particularly sophisticated fraud.  I think my hypothetical Vicki ripped off the Norton Standalone Virus Scan installation and replaced the main program, nss.exe, with an evil program of the same name.  It probably found its way to a compromised ad website, where my wife inadvertently downloaded it from the free Internet game site she likes to visit.

To be safe, I did a System Restore and restored that system to its state 4 days ago before the last Windows Update, or 2 days before the fake Norton installation.  After a reboot, Control Panel…Programs and Features no longer shows anything claiming to be a Norton product.  I deleted the offending directories and started up a full virus scan in another window using a popular tool named Malwarebytes.  The scan took one hour and 14 minutes to finish and I am pleased to report this desktop is clean.

With hindsight, I probably should have taken some screen shots and quarantined those directories so I could present it all in this blog post.   But, just like most users, this desktop is a tool and I need it up and running.  I didn’t think about documenting it all until after I removed it.

For my non-technical friends, the moral of all this?  Just like with your car, be on the lookout for unusual behavior.   If your car flashes the “Check Engine” light or exhibits unusual behavior, you look into it, right?  If your computer starts to act differently, you should also look into it.  Call me or Contact Us if the problem looks complicated.  You have important data inside that computer and believe me, you do not want criminals across the Internet messing around with your identity.

For my more technical friends, I think the malware arms race just ratcheted up a notch.  This looks like a new level of sophistication.  Watch out for variations on this theme as Vicki’s friends craft other pieces of malware to imitate other free virus scan products.

Vicki found the wrong user to mess with this morning.  Hopefully, you can also stop Vicki and her friends cold when their programs try to invade your computer.  Be vigilant.

Enough is enough!

I just finished wading through 471 new comments from the past 3 days on my blog post from late March titled, “How to spot a phishy email”.   The good news, I guess, is that my blog post found its way onto the search engines and is getting some visibility.  The bad news – every single one of those 471 comments, along with nearly all of the hundreds of comments before them, is an automated spam solicitation.  The overwhelming bulk of those are for drugs of some kind.  Ambien and Tramadol seem popular.  I have no clue why.

A few comments are designed to stroke my ego.  This one is typical, coming from IP Address 83.49.115.185 somewhere in Spain:

Its like you learn my thoughts! You seem to understand a lot about this, such as you wrote the e-book in it or something. I feel that you simply could do with some percent to force the message home a little bit, however other than that, this is magnificent blog. A great read. I will certainly be back.

Notice how the text is highly complimentary and also vague.  The email addresses are always from Hotmail or Gmail or Yahoo or one of the other free services, and the names are always random characters and numbers.

I am an advocate of open and vigorous discussion and I participate in several technology forums and email groups.  I contribute lots of comments and I help others troubleshoot problems online.  I like to think that’s what community is all about.

But here, on my own website, I find I am wasting time wading through drug and porn and SEO pitches and evaluating whether each comment came from a real person or a spambot, and whether the comment is even remotely connected to the subject matter.
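As an added example (my code, not the blog’s own moderation tooling), here is the kind of first-pass filter these observations suggest.  It scores each queued comment on the tells described above (free-mail sender, random-looking name, drug or SEO keywords, link count) and on whether the comment uses any of the post’s own vocabulary, which is the “even remotely connected to the subject matter” question.  The sample comments, the free-mail domain list and the keyword list are constructed for illustration and are my assumptions.

```powershell
# Added example (mine, not the blog's moderation code): a first-pass spam score
# for a comment queue built from the tells described in the post. The sample
# queue, the free-mail domain list and the keyword list are constructed assumptions.
function Get-CommentSpamScore {
    param(
        [string]$Name,
        [string]$Email,
        [string]$Body,
        [string[]]$PostKeywords   # words a real comment on this particular post would plausibly use
    )
    $reasons  = @()
    $freeMail = 'hotmail.com', 'gmail.com', 'yahoo.com', 'aol.com', 'outlook.com'
    $pharma   = 'ambien', 'tramadol', 'viagra', 'cialis', 'seo', 'casino'

    # Tell 1: sender on a free mail service (weak alone, strong in combination)
    $domain = ($Email -split '@')[-1].ToLower()
    if ($freeMail -contains $domain) { $reasons += 'free-mail sender' }

    # Tell 2: "random characters and numbers" as a name: one token mixing letters and digits
    if ($Name -match '^[A-Za-z0-9]+$' -and $Name -match '\d' -and $Name -match '[A-Za-z]') {
        $reasons += 'random-looking name'
    }

    # Tell 3: drug / SEO vocabulary (-match is case-insensitive in PowerShell)
    $hits = @($pharma | Where-Object { $Body -match "\b$_\b" })
    if ($hits.Count -gt 0) { $reasons += "keywords: $($hits -join ',')" }

    # Tell 4: link stuffing
    $links = [regex]::Matches($Body, 'https?://').Count
    if ($links -ge 2) { $reasons += "$links links" }

    # Tell 5: no connection to the post; generic flattery never mentions the topic
    $relevant = @($PostKeywords | Where-Object { $Body -match "\b$_\b" })
    if ($relevant.Count -eq 0) { $reasons += 'no reference to the post topic' }

    New-Object PSObject -Property @{
        Name    = $Name
        Score   = $reasons.Count
        Reasons = ($reasons -join '; ')
    }
}

# Constructed sample queue for a post titled "How to spot a phishy email"
$topic = 'phish', 'phishing', 'email', 'link', 'sender', 'attachment'
$queue = @(
    @{ Name = 'xk29fj81'; Email = 'xk29fj81@hotmail.com'; Body = 'Its like you learn my thoughts! A great read. I will certainly be back.' },
    @{ Name = 'dealz4u';  Email = 'dealz4u@yahoo.com';    Body = 'Cheap Ambien and Tramadol here http://example.invalid/a http://example.invalid/b' },
    @{ Name = 'Mary';     Email = 'mary@example.org';     Body = 'The sender check saved me; the link in my "bank" email went somewhere else entirely.' }
)
$queue | ForEach-Object {
    $c = $_
    Get-CommentSpamScore @c -PostKeywords $topic
} | Sort-Object Score -Descending | Format-Table Name, Score, Reasons -AutoSize
```

With the constructed queue, the pharmacy pitch scores 5 (free mail, random name, keywords, two links, off topic), the flattery comment quoted above scores 3, and the on-topic reader scores 0.  A score of 2 or more is a reasonable threshold for holding a comment for review rather than publishing it, and the relevance check is the one that separates “magnificent blog, will certainly be back” from a real reader who actually mentions the phishing email they received.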

This is not what community is all about, this is a few parasites trying to freeload and use my website to sell their questionable and illegal junk.

I’ve had enough.  I am turning comments off.  My time is too valuable and I’ve worked too hard to build a high quality website and blog to allow runaway spam to consume my time.  If you want to sell drugs and porn and questionable SEO over the Internet, you’re not welcome here.  Shoo.  Go somewhere else.

If you are a real person reading this and want to weigh in with an opinion or comment, even a hostile one, then  fill out the Contact Us form.  If it’s on topic, I’ll post it and give you credit for it.