Phishing Attacks

Alert: Another Fake Email Installs Rogue Software (From Panda Labs Blog)

     One of the biggest reasons why TechGeekandMore started came from how many customers I had (and still have) to visit every week to either clean viruses off a PC or (even worse) recover as many files as possible and then reinstall Windows.  I wanted a way to try to alert and educate my customers about how …..

- No African prince was going to give you millions

- Emails that say they are from a friend or family member, with that weird-looking attachment, could actually be fake

- Hot College Girl……well this one just really doesn’t have much beyond “Don’t do it”.

ETC ETC ETC…….

     Along those lines, a new email started circulating this week that has only one goal: to trick you into downloading and installing some really nasty software (more of the fake antivirus software).  This new email says that “You have received a postcard”……

The following information comes from the PANDALABS blog (http://pandalabs.pandasecurity.com/the-thousand-faced-rogue/)

******************************************************************************************************************

The Thousand-Faced Rogue

Posted on 03/5/10 by Olaiz (http://pandalabs.pandasecurity.com/author/olaiz/)

We want to inform you of a new flood of email messages that seem to contain a postcard but are actually distributing malware. Concretely, we’ve seen several thousand in a few hours.

It’s not the first time we’ve seen emails like this in circulation, as subjects like “You’ve received a postcard” are very recurrent.

The message is like the following:

(Screenshot: postcardzip_en, the postcard email)

The message seems to have been sent by a member of your family through a legitimate website for downloading and sending postcards, so that users don’t suspect anything. In order to view the postcard, you have to open the attached file. It’s a zip-compressed file and if you run it, a rogueware program will be installed on your computer; which one differs depending on the message and the operating system you have.

The following are some of the names of the fake antivirus programs that can be installed on your computer if you run this file:

% Antispyware 2010

Antivirus % 2010

% Guardian 2010

% Guardian

% Defender 2010

% Antivirus

% Antivirus 2010

% Antivirus Pro

% Antivirus Pro 2010

% Internet Security

% Internet Security 2010

where % stands for the operating system of the computer on which it is going to be installed. Some examples: XPAntispyware2010, Vista Guardian, Win 7 Antivirus Pro.

Let’s take Antivirus XP 2010 as an example and see the actions it carries out once it has been installed on the computer.

Like every rogueware, it starts scanning the system to check whether the computer is infected.

Once finished, it displays a list of the malware it has detected on your computer to make you believe that you’ve got a problem and that this program will offer you the solution:

(Screenshot: AntivirusXP2010 scan results)

However, all the malware it has detected refers to nonexistent files, so the only threat you have is the rogue itself.

Additionally, it prevents the execution of programs whose window title refers to the following programs:

Internet Explorer

Firefox

Several security suites.

When you try to run any of these, a message is displayed informing you that these programs are infected and recommending that you install the fake antivirus to solve the problem.

The following image shows the message that is displayed when Firefox is run:

(Screenshot: Firefox_infected message)

It also contains code to uninstall different security solutions. This way, the computer would be unprotected and real antivirus programs could not detect it.
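Two checks that follow directly from the PandaLabs description, written up as an added example (my code, not TechGeekandMore's or PandaLabs'): the first flags a message whose subject is the “You’ve received a postcard” lure and whose zip attachment contains an executable, the second recognises the “% Product [Pro] [2010]” naming family from the list above in an installed-program or window name. The message, the zip and every name tested are constructed samples; the attachment is only listed, never run.

```python
# Added example (mine, not TechGeekandMore's or PandaLabs' code). Two checks a
# mail gateway or help-desk script could run, based on the PandaLabs description:
# (1) flag the "You've received a postcard" lure when it carries a zip with an
#     executable inside, (2) recognise the rogue product-name family.
# All sample data is constructed; nothing here executes the attachment.
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Subject wording of the lure ("You've received a postcard" / "You have received a postcard").
LURE_SUBJECT = re.compile(r"\byou(?:\s+have|['’]?ve)\s+received\s+a\s+(?:post|e-?)card\b", re.I)
# File types that should never be inside a greeting-card archive.
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def executables_in_zip(data: bytes) -> list:
    """List executable member names of a zip payload by reading its directory only."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXTS)]
    except zipfile.BadZipFile:
        return []


def triage_postcard_email(raw: bytes) -> dict:
    """Return lure/attachment findings and a verdict for one raw mail message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"lure_subject": bool(LURE_SUBJECT.search(msg.get("Subject", ""))),
                "executables_in_zip": []}
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower().endswith(".zip"):
            findings["executables_in_zip"] += executables_in_zip(part.get_payload(decode=True))
    findings["verdict"] = ("quarantine" if findings["lure_subject"] and findings["executables_in_zip"]
                           else "pass")
    return findings


def build_sample_lure(member: str = "postcard.exe") -> bytes:
    """Constructed sample message: the postcard lure with postcard.zip holding one inert file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder bytes, not a program")
    msg = EmailMessage()
    msg["From"] = "cards@example.invalid"  # constructed sender
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "You've received a postcard"
    msg.set_content("A family member sent you a postcard. Open the attachment to view it.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="postcard.zip")
    return msg.as_bytes()


# Naming family from the PandaLabs list: "% Product [Pro] [2010]" or "Antivirus % 2010",
# where % is XP, Vista or Win 7 (also written "Windows XP", "Win7", etc.).
# A bare "Windows" prefix is deliberately NOT accepted, so the genuine
# "Windows Defender" is not flagged.
_OS = r"(?:(?:windows\s*)?(?:xp|vista)|win(?:dows)?\s*7)"
_PRODUCT = r"(?:antispyware|antivirus|guardian|defender|internet\s*security)"
ROGUE_NAME = re.compile(
    rf"^(?:{_OS}\s*{_PRODUCT}(?:\s*pro)?(?:\s*2010)?|antivirus\s*{_OS}\s*2010)$", re.I)


def looks_like_rogue_name(name: str) -> bool:
    """True if a program or window name fits the family, ignoring case and spacing."""
    return ROGUE_NAME.fullmatch(name.strip()) is not None


if __name__ == "__main__":
    print(triage_postcard_email(build_sample_lure()))
    for n in ("XPAntispyware2010", "Vista Guardian", "Win 7 Antivirus Pro",
              "Antivirus XP 2010", "Windows Defender", "Microsoft Security Essentials"):
        print(f"{n!r:34} rogue-name family: {looks_like_rogue_name(n)}")
```

The name check is only a naming heuristic: a genuine product can carry one of these words, which is why the regex insists on the XP/Vista/7 token and refuses a bare “Windows” prefix, and why the mail check wants both the lure subject and an executable inside the zip before it says quarantine rather than reacting to either alone.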

Alert: BlackHat SEO attack targeting Google Nexus One (Updated) (From Panda Labs Blog)

From the Panda Labs Blog: BlackHat SEO attack targeting Google Nexus One (Updated) (http://pandalabs.pandasecurity.com/blackhat-seo-attack-targeting-google-nexus-one/)

A few days ago Google presented their brand new phone, called Nexus One:

(Image: Google Nexus One)

And some days later we find out that if a user searches for “buy Nexus One” he will obtain around 4,000 malicious links:

When clicking on any of these links, you will see some of the typical fake antivirus sites:

It will try to infect your computer with a rogueware called LivePcCare. Be careful while searching, and use at least some free web filtering tools (like Web of Trust, http://www.mywot.com/).

Update: 5 out of the 6 first results are malicious, including the 1st and the 2nd one.

Update 2: Now the same crew is using the Haiti earthquake

Software: A free add-on for Internet Explorer or Firefox can help prevent you from visiting a fake site that could infect your PC.

(Image: Web of Trust logo) There is an add-on for Internet Explorer, Opera and Firefox that may help keep you from visiting a fake site that could infect your PC with malware or worse.  The program, called “Web of Trust” (from http://www.mywot.com/), monitors trends (using their own information as well as information from other security providers) about the bad guys who set up these types of sites and either puts a marker next to a link or presents you with a message when a link you are opening is considered to be either a known “phishing” site (a fake site meant to steal your information) or a high-risk site that could be a “phishing” site.  The add-on does not actually block the sites, which means that you as the user still need to use common sense while surfing the internet, as you could click on the message and tell it to continue to the site in question.

     The add-on, which is easy to install, will show the following type of notice on searches (green for safe sites, red for sites you would be recommended to avoid):

(Screenshot: WOT ratings shown on a Google search)

     In addition, when visiting sites that could put you at risk you will see the following message:

(Screenshot: WOT warning page)

     As already noted above, this is only an alert; in all of the browsers this add-on will still allow you to “Click here to continue to the page anyway”. That means that this program does not replace common sense; it is a tool to help you choose better, but ultimately it’s still up to the user to use their own common sense.

     Since I like giving real-world examples to explain, here is how I explain Web of Trust.  Consider WOT like your house or car alarm. When you leave your house, you set your alarm, but setting the alarm doesn’t mean you don’t lock your doors (at least I hope it doesn’t).  Consider your common sense as the locking of your door: if you don’t do it, you’re still at risk.

Internet Explorer Add-On (LINK: http://www.mywot.com/en/download/ie)

Firefox Add-On (LINK: http://www.mywot.com/en/download/ff)

Opera Add-On (LINK: http://files.myopera.com/PH%60/UserJs/wot.js)

Alert: Doing a search for DoorBuster sales could get you infected

(Image: computer virus) It seems that the bad guys are at it again, and this time they are using the holiday shopping season to try to trick people into infecting their PCs.  Panda Labs released a post on their Panda Labs site (LINK: http://pandalabs.pandasecurity.com/archive/Black_2800_hat_2900_-Friday.aspx) concerning the fact that if you go online and run a search, many of the links showing on search engines have been compromised and the results actually lead to fake sites that are just there to infect your PC.

From the Panda Labs post, here is an example they show with results that will do nothing but infect your PC.

Google Search: (Screenshot, http://www.flickr.com/photos/lithium-/4120742406/sizes/o/)

     If you happen to access one of these fake sites you will get infected with an old favorite, the fake antivirus notices that won’t go away until you give the bad guys your credit card information (one of the many other names you may have heard for this is AntiVirus2009, LINK: http://techgeekandmore.com/2009/10/19/rogueware-with-new-ranson-technology/), since they will claim you’re infected until you buy their product. The moment you do, by a miracle your PC is clean, but there is a good chance that so is your bank account or credit card, since you would have handed the bad guys your information.

In case you do click on a bad link, you will see a screen just like the one in the example below (or a slight variation). What you will need to do is follow the information from the recent post “What to do if you get a virus or malware” (LINK: http://techgeekandmore.com/2009/11/23/how-to-what-to-do-if-you-get-a-virus-or-malware-via-a-pop-up-message/) to attempt to clean your PC.

Fake Antivirus Page: (Screenshot: Black Friday rogueware page, http://www.flickr.com/photos/lithium-/4120742422/sizes/o/)

     As always, take precautions and use common sense when going to links, including those that come up on search engine sites (like Google, Bing, Yahoo).  If you’re trying to get to a major site but the link showing says pleaseclickme.cm/SoIcanmesswithyou (this is just an example), then you may really want to think about it before clicking on the link.
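The “look at where the link really goes” habit from the paragraph above, as an added example (my code, not from the TechGeekandMore post): given the domain you meant to reach and the link a search page shows, it reports the host the browser would actually contact and whether that host is the expected site. The links are constructed samples; pleaseclickme.cm is the post’s own made-up domain and example.com stands in for the store the shopper wanted.

```python
# Added example (mine, not from the TechGeekandMore post): the "look at where the
# link really goes" habit as a script. Given the domain you meant to reach and the
# link a search page shows, it reports the host the browser would actually contact.
# Sample links are constructed; pleaseclickme.cm is the post's own made-up domain.
from urllib.parse import urlsplit


def link_host(url: str) -> str:
    """Host the browser will connect to: credentials ("user@"), port and path are discarded."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def belongs_to(host: str, expected_domain: str) -> bool:
    """True only for the domain itself or a real subdomain: 'www.example.com' yes,
    'example.com.pleaseclickme.cm' no (the expected name is just a label there)."""
    expected_domain = expected_domain.lower().lstrip(".")
    return host == expected_domain or host.endswith("." + expected_domain)


def check_link(expected_domain: str, url: str) -> dict:
    """Classify one link against the site the user meant to visit."""
    host = link_host(url)
    ok = belongs_to(host, expected_domain)
    if ok:
        reason = "host is the expected site"
    elif expected_domain.lower() in url.lower():
        reason = "expected name appears in the link but the host is different"
    else:
        reason = "unrelated host"
    return {"url": url, "host": host, "ok": ok, "reason": reason}


# Constructed search-result links for a shopper who meant to reach example.com.
SAMPLE_LINKS = [
    "http://www.example.com/doorbusters",
    "example.com:443/sale",
    "http://pleaseclickme.cm/SoIcanmesswithyou",
    "http://www.example.com.pleaseclickme.cm/doorbusters",
    "http://www.example.com@pleaseclickme.cm/doorbusters",
]


def audit_links(expected_domain: str, urls=SAMPLE_LINKS) -> list:
    """Return a report row per link; rows with ok=False are the ones to think twice about."""
    return [check_link(expected_domain, u) for u in urls]


if __name__ == "__main__":
    for row in audit_links("example.com"):
        print(("OK   " if row["ok"] else "STOP "), row["host"].ljust(40), row["reason"])
```

The two traps worth noticing in the sample are the last two links: the familiar name can sit in front of the real domain as a subdomain, or in front of an “@”, where the browser treats it as a username and connects to whatever follows. Checking the parsed host rather than eyeballing the string catches both.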

**Images for this post are from the Panda Labs Post.  Presented for the benefit of TGM readers.

How to: What to do if you get a virus or malware via a pop up message

(Image: computer virus) There have been many posts on TechGeekandMore concerning viruses, spyware, malware, and scareware.  If you wonder why, it’s because as a tech, the number one question and the number one support call that I take involves PCs that have already been infected (because the user didn’t know any better) and what to do to clean up the PC.

     Sometimes the infection isn’t really bad and a simple scan and delete will clean things up; other times it’s a matter of recovering/saving what you can from the PC and formatting/reinstalling everything (and yes, that could mean saying goodbye to important documents or a long downtime). On top of everything else, keep in mind that hiring someone like me to clean up your PC could cost $100/hr or more, and in some cases it may be more cost effective to buy a new PC.

     So where do we start? We start with a couple of common DO’s and DON’Ts.

1) If you’re on any website and see messages like the following

(Screenshots: AV System Pro fake spyware alert; Personal AV fake install message)

DO NOT CLICK ON YES OR OK; it is a trick used by the writer of the virus or malware (known as social engineering) to get you to install the malware or virus.  Since the message will probably pop up as part of the page you’re on, you may just think that it’s a natural part of Windows and agree to it; at least that’s what the bad guy hopes you will believe.

Additionally, when online, DO READ WHAT THE POP-UP MESSAGES SAY AND DON’T JUST CLICK ON THEM TO GET THEM OUT OF YOUR WAY. ADDITIONALLY, DON’T BELIEVE EVERYTHING THAT POPS UP (I know this is a hard concept for most). The following are just some of the MILLIONS of possible messages that you could see:

(Screenshots: Conficker fake AV; pop-up message virus; virus pop-ups 1 and 2; virus2; fake Windows Security Center pop-up)

     Now let’s talk about how these happen. They can happen because the website you’re visiting has been infected by a virus.  These days it’s not just PCs that get infected; it can also be websites, both minor and major (Scareware Pop-Ups Target Google, New York Times: http://www.waco.bbb.org/article/scareware-pop-ups-target-google-new-york-times-13118), so DON’T think that because the only sites you visit are major sites (Google, NY Times, Twitter, Facebook, etc.) you’re entirely safe.  You MUST always stay alert.

What if your machine is under attack from a virus or malware?

     Take immediate action as soon as the message or pop-up comes up. The majority of viruses and malware are written in such a way that not only will your machine get infected, but the infection will go out to the internet (completely automatically) and download additional files and infections to reinforce itself. So the longer you take to address the issue, the harder (and probably more expensive) it will be to clean your machine.  Imagine yourself getting the flu: you take care of yourself and in a few days your body recovers and everything is normal again. However, if you get the flu and ignore it and just let it continue without doing anything about it, you could get sick enough to end up in a hospital or even dead. (Sorry to make it so over-dramatic, but really that’s what it boils down to.)

     As soon as you receive one of these types of scareware/malware/virus pop-up windows, you need to use the Task Manager to close whatever program you’re using to get to the internet (you should NEVER try to close the program with the OK or Cancel button on the pop-up, as all the buttons, no matter what they say, will download unwanted files onto your PC). You can access the Task Manager in one of two ways:

Task Manager via Ctrl+Alt+Del

(Screenshot: Ctrl+Alt+Del keys) Hold down Ctrl, Alt, and Delete at the same time.
(Screenshot: Windows XP Ctrl+Alt+Del box) If you’re on Windows XP you will see this box; just select Task Manager. (Screenshot: Windows 7 Ctrl+Alt+Del screen) If you’re on Windows Vista or 7, then you will see this window; select Start Task Manager from here.

Task Manager via Right Click

(Screenshot: Task Manager in the taskbar right-click menu)

Right-click an empty space on the taskbar (that’s the bar on the bottom where you see your programs) and you will see Task Manager as a choice. Select Task Manager from there.

     Once you have opened the Task Manager, you will see the following window.

(Screenshot: Task Manager showing antivirus2009 running)     From the Applications tab you will see all programs that are currently running.  You should highlight any program that is connected to the internet (Internet Explorer, Firefox, Chrome, etc., and anything email) and select End Task. You will be prompted with an End Program dialog (Screenshot: End Program dialog)

and select End Now. Continue doing that until you remove everything that is connected to the internet.

(Screenshot: empty Task Manager after all internet programs have been ended)
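The End Task step above done from a script, as an added example (my code, not the post’s): it reads the CSV form of Windows’ `tasklist /FO CSV` output, picks out the browser and mail processes the post says to end, and builds the matching `taskkill /PID <pid> /F` commands, which is what End Task followed by End Now does in the Task Manager. The process list embedded below is a constructed sample so the script runs on any system; on Windows it can read the live list instead. The set of process names is my assumption of what “connected to the internet” covers and should be extended for whatever browser or mail client you actually use.

```python
# Added example (mine, not from the post): the Task Manager step as a script for
# when you would rather not hunt through the Applications tab. It parses the CSV
# output of Windows' `tasklist /FO CSV` (a constructed sample is embedded so it runs
# anywhere), picks out the browser and mail processes the post says to end, and
# builds the matching `taskkill /PID <pid> /F` commands (End Task -> End Now).
import csv
import io
import subprocess
import sys

# Process names of programs that talk to the internet (assumed list: browsers and mail clients).
INTERNET_FACING = {"iexplore.exe", "firefox.exe", "chrome.exe", "opera.exe",
                   "safari.exe", "outlook.exe", "thunderbird.exe"}

# Constructed sample in the layout `tasklist /FO CSV` prints.
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Services","0","24 K"
"explorer.exe","1284","Console","1","31,212 K"
"iexplore.exe","2040","Console","1","85,004 K"
"iexplore.exe","2104","Console","1","120,332 K"
"firefox.exe","2560","Console","1","210,118 K"
"OUTLOOK.EXE","3012","Console","1","64,220 K"
"notepad.exe","3300","Console","1","5,112 K"
'''


def internet_facing_processes(tasklist_csv: str) -> list:
    """Return (image name, pid) for every running process whose name is in INTERNET_FACING."""
    rows = csv.DictReader(io.StringIO(tasklist_csv))
    return [(r["Image Name"], int(r["PID"]))
            for r in rows if r["Image Name"].lower() in INTERNET_FACING]


def taskkill_commands(processes: list) -> list:
    """One forced taskkill per PID; /F matches choosing End Now in the End Program prompt."""
    return [["taskkill", "/PID", str(pid), "/F"] for _, pid in processes]


def live_tasklist() -> str:
    """Current process list on Windows; elsewhere fall back to the sample so the script still runs."""
    if sys.platform != "win32":
        return SAMPLE_TASKLIST
    return subprocess.run(["tasklist", "/FO", "CSV"], capture_output=True,
                          text=True, check=True).stdout


def end_internet_tasks(dry_run: bool = True) -> list:
    """Plan (and, with dry_run=False on Windows, execute) the End Task step; returns the commands."""
    cmds = taskkill_commands(internet_facing_processes(live_tasklist()))
    if not dry_run and sys.platform == "win32":
        for cmd in cmds:
            subprocess.run(cmd, check=False)
    return cmds


if __name__ == "__main__":
    for cmd in end_internet_tasks(dry_run=True):
        print(" ".join(cmd))
```

Run it once with the default dry run to see which processes it would end, then with `end_internet_tasks(dry_run=False)` on the affected PC. The script ends every browser and mail client in one go rather than one at a time, which is the only advantage over the Task Manager clicks; the clean-up steps that follow are still needed.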

Once you have closed the Window – what next?

     This may take a little time, but it’s best to check your PC and make sure nothing stayed on it that shouldn’t be there.  There are 4 things you need to do at this point.

Step#1 -

If you use Internet Explorer

     Go to Tools –> Internet Options –> select Delete in the Browsing History section and delete all.

(Screenshot: Internet Options in Internet Explorer)

If you’re using Firefox

     Go to Tools –> Options –> Privacy and select Clear Your Recent History and Remove Individual Cookies (you may need to change the setting to Remember History to get to these settings).

(Screenshot: Firefox privacy/cache settings) If you use any other browser, look for the area to remove cache, temp files or cookies and remove all.

***Also make sure you empty your recycling bin.***

Step# 2-

     If you don’t already have a copy on your PC, download Super Antispyware (LINK: http://superantispyware.com/) and install it. **There is a Free and a Pro edition; all you will need is the free edition.**

- During the install you will see the following screens. Make sure you say YES to “Would you like Super Antispyware to check for the latest updates….”, then select the default or recommended setting for the remaining screens. On the screen asking for an email address you do NOT have to enter anything; you can just select the Next button.

(Screenshots: Super Antispyware update prompt and the setup screens that follow)

     Once installed you will see the following screen. Just make sure that the definition date (on the bottom right) is current (it shouldn’t be more than a day or two old; if it is, click on Check for Updates), then select Scan Your Computer (on the top left).

(Screenshot: Super Antispyware main screen) You will then see

(Screenshot: Super Antispyware scan options) At which point, select all your hard drives, select “Perform complete scan” and hit Next.

Once the scan completes,

(Screenshot: scan results) You will see the list of items found.  I would recommend that all shown items remain checked, then select Next.

(Screenshot: reboot prompt) Lastly, once the clean-up completes you will be prompted to reboot.  I recommend you close anything that is still open and select Yes to reboot.

Step# 3

If you don’t already have Malwarebytes, download and install it (LINK: http://www.malwarebytes.org/). **There are both free and paid versions; home users just need the free version.**

  – During the install you will see the following screens; you can select the default choices. Toward the end of the install you will see a choice for “Update Malwarebytes Anti-Malware”; make sure you have a check next to that choice.

(Screenshots: Malwarebytes installer screens, ending with the “Update Malwarebytes Anti-Malware” choice)

As soon as it is installed, you will see the following screen.  Make sure to select “Perform full scan”, select all your drives and run your scan.

(Screenshot: Malwarebytes scanner screen)

Once completed you will see a list of all items found.  Select all and remove.  Then reboot the PC.

Step# 4

     Lastly, whatever anti-virus you have, make sure you update it to the latest updates or signature file (depending on which one you have) and run a full scan of all your drives.  If it finds anything, select removal and then reboot.

     If you don’t have an anti-virus program or yours has expired, TGM recommends Microsoft Security Essentials, which is free. (LINK: http://www.microsoft.com/Security_Essentials/)

     I know this was a long post, but the steps listed above are exactly the steps I would take if you called me (and probably most other techs) to take care of your PC.  Hopefully this information helps you stay informed and helps you save a headache and some money in the future.