<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Tech Geek and More &#187; Rogue Malware Alert</title>
	<atom:link href="http://www.techgeekandmore.com/tag/rogue-malware-alert/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.techgeekandmore.com</link>
	<description>Technology Explained for All</description>
	<lastBuildDate>Fri, 30 Jul 2010 02:01:00 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Alert: How to deal with Rogueware software when it tries to load on your computer.</title>
		<link>http://www.techgeekandmore.com/2010/05/18/rogueware-fake-antivirus-warning-how-to-stop-software/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=rogueware-fake-antivirus-warning-how-to-stop-software</link>
		<comments>http://www.techgeekandmore.com/2010/05/18/rogueware-fake-antivirus-warning-how-to-stop-software/#comments</comments>
		<pubDate>Tue, 18 May 2010 22:02:00 +0000</pubDate>
		<dc:creator>anovelo</dc:creator>
				<category><![CDATA[Alerts]]></category>
		<category><![CDATA[Fixes for Windows Errors]]></category>
		<category><![CDATA[How-To]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[Solutions]]></category>
		<category><![CDATA[Spyware]]></category>
		<category><![CDATA[Troubleshooting]]></category>
		<category><![CDATA[Virus]]></category>
		<category><![CDATA[Rogue Antivirus Malware]]></category>
		<category><![CDATA[Rogue Malware Alert]]></category>
		<category><![CDATA[what to look out for to not get infected with rogueware]]></category>

		<guid isPermaLink="false">http://www.techgeekandmore.com/2010/05/18/rogueware-fake-antivirus-warning-how-to-stop-software/</guid>
		<description><![CDATA[While surfing the web today I ran across another version of the installer that tries to load FAKE antivirus software (Antivirus 2010 is one of the most common names). The following can come up if you visit an infected website. The site that triggered these pop-ups is a well-known site, so do not assume that just because you are on a MAJOR website that you are not at risk.]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.techgeekandmore.com/wp-content/uploads/2010/05/computervirus.jpg"   ><img style="display: inline; border: 0px;" title="computer virus" src="http://www.techgeekandmore.com/wp-content/uploads/2010/05/computervirus_thumb.jpg" border="0" alt="computer virus" width="97" height="97" /></a> While surfing the web today I ran across another version of the installer that tries to load FAKE antivirus software (Antivirus 2010 is one of the most common names). The following can come up if you visit an infected website. The site that triggered these pop-ups is a well-known site, so do not assume that just because you are on a MAJOR website that you are not at risk.</p>
<h5><span style="text-decoration: underline;">What to look out for</span></h5>
<p>As soon as you get to the website, the following pop up appears. <strong><span style="text-decoration: underline;">**This is why it is important to read messages before clicking ok.  </span></strong></p>
<p><a href="http://www.techgeekandmore.com/wp-content/uploads/2010/05/image21.png"   ><img style="display: inline; border: 0px;" title="image" src="http://www.techgeekandmore.com/wp-content/uploads/2010/05/image_thumb21.png" border="0" alt="image" width="458" height="222" /></a></p>
<p>What you probably won't see (unless you drag the window above around the screen) is the little window (as shown below) that opens directly behind the main window. If you were to expand the little window you will see that it's for 1anetantispy.</p>
<p><a href="http://www.techgeekandmore.com/wp-content/uploads/2010/05/image22.png"   ><img style="display: inline; border: 0px;" title="image" src="http://www.techgeekandmore.com/wp-content/uploads/2010/05/image_thumb22.png" border="0" alt="image" width="287" height="115" /></a></p>
<p>If you click on the OK button above you will get infected. </p>
<h5><span style="text-decoration: underline;">What to do if you see the AV check Window</span></h5>
<p>1 – DO NOT CLICK ON ANY OF THE POP UP WINDOWS.</p>
<p>2 – On your computer click on the start button –&gt; click on Run (or type Run in the search box) –&gt; Once you get the run box, type taskmgr into the Run box and press OK</p>
<p><a href="http://www.techgeekandmore.com/wp-content/uploads/2010/05/image23.png"   ><img style="display: inline; border: 0px;" title="image" src="http://www.techgeekandmore.com/wp-content/uploads/2010/05/image_thumb23.png" border="0" alt="image" width="459" height="254" /></a></p>
<p>3 – This will open up the Windows Task Manager. Look for all items that involve the browser you are using.  (In the example below, it's Internet Explorer) Highlight each item and then click End Task.  Once all the browser windows close</p>
<p><a href="http://www.techgeekandmore.com/wp-content/uploads/2010/05/image24.png"   ><img style="display: inline; border: 0px;" title="image" src="http://www.techgeekandmore.com/wp-content/uploads/2010/05/image_thumb24.png" border="0" alt="image" width="368" height="414" /></a></p>
<p>4 – (A) If you are using Internet Explorer go to Tools –&gt; Options –&gt; and click on Delete Browser History.  (B) If you are using Firefox, go to Tools –&gt; Options –&gt; Privacy –&gt; and click where it says “Clear your current history”.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.techgeekandmore.com/2010/05/18/rogueware-fake-antivirus-warning-how-to-stop-software/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Alert: Desktop Security2010 &#8211; Another Rogueware program which seems to be spreading fast. This is NOT something you want on your pc.</title>
		<link>http://www.techgeekandmore.com/2010/05/16/desktopsecurity2010-malware-rogueware-pandalabs-alert/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=desktopsecurity2010-malware-rogueware-pandalabs-alert</link>
		<comments>http://www.techgeekandmore.com/2010/05/16/desktopsecurity2010-malware-rogueware-pandalabs-alert/#comments</comments>
		<pubDate>Sun, 16 May 2010 16:48:00 +0000</pubDate>
		<dc:creator>anovelo</dc:creator>
				<category><![CDATA[Alerts]]></category>
		<category><![CDATA[Fixes for Windows Errors]]></category>
		<category><![CDATA[How-To]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[Solutions]]></category>
		<category><![CDATA[Spyware]]></category>
		<category><![CDATA[Troubleshooting]]></category>
		<category><![CDATA[Virus]]></category>
		<category><![CDATA[Web Sites]]></category>
		<category><![CDATA[pandalabs.pandasecurity.com]]></category>
		<category><![CDATA[#Panda Labs Alert]]></category>
		<category><![CDATA[desktopsecurity2010]]></category>
		<category><![CDATA[Panda Labs]]></category>
		<category><![CDATA[Rogue Antivirus Malware]]></category>
		<category><![CDATA[Rogue Malware Alert]]></category>

		<guid isPermaLink="false">http://www.techgeekandmore.com/2010/05/16/desktopsecurity2010-malware-rogueware-pandalabs-alert/</guid>
		<description><![CDATA[Job security is the probability that an individual will keep his or her job, and with the rate of computer clean up that I have to do that unfortunately seems to be going up and not down, I think I have job security for a while (Honestly, this is not the kind of job security that I want). We have had many posts on TGM about viruses, spyware, rogueware, yet the “my computer is infected” calls continue to come in, as people continue to fall for the tricks that get them infected.]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.techgeekandmore.com/wp-content/uploads/2010/05/comp.jpg"   ><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="comp" border="0" alt="comp" src="http://www.techgeekandmore.com/wp-content/uploads/2010/05/comp_thumb.jpg" width="92" height="92" /></a> Job security is the probability that an individual will keep his or her job, and with the rate of computer clean up that I have to do that unfortunately seems to be going up and not down, I think I have job security for a while (Honestly, this is not the kind of job security that I want). We have had many posts on TGM about viruses, spyware, rogueware, yet the “my computer is infected” calls continue to come in, as people continue to fall for the tricks that get them infected. </p>
<p>&#160;&#160;&#160;&#160; The latest rogueware infection is called DesktopSecurity2010. What will happen if you get infected with the DesktopSecurity2010 rogueware: </p>
<ul>
<li>DesktopSecurity2010 is an adware program that warns users of non-existing threats in their computers so that they purchase a certain program that removes them from the computer. </li>
<li>Additionally, in order to make users think that their computer is really infected, it displays a warning message when the computer is restarted, and from time to time the screen fades to black and other times blinks with different colors. </li>
<li>DesktopSecurity2010 can reach the computer when the user accesses certain websites which display banners or pop-up windows which lead to the download of this program. It can also reach the computer in a link that can be received via spam messages, fraudulent websites, etc. </li>
</ul>
<h6><strong><u>What should you look out for when web surfing</u></strong></h6>
<p><a name="VISIBLES"></a>DesktopSecurity2010 is easy to recognize, as it shows the symptoms below (These are some possible symptoms, you can still get infected without seeing these):</p>
<ul>
<li>It reaches the computer in a file with the following icon:      <br /><a href="http://www.techgeekandmore.com/wp-content/uploads/2010/05/Filedownload.jpg"   ><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="File download" border="0" alt="File download" src="http://www.techgeekandmore.com/wp-content/uploads/2010/05/Filedownload_thumb.jpg" width="84" height="76" /></a> </li>
<li>When it is run, a screen to install the program is displayed:      <br /><a href="http://www.techgeekandmore.com/wp-content/uploads/2010/05/install.jpg"   ><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="install" border="0" alt="install" src="http://www.techgeekandmore.com/wp-content/uploads/2010/05/install_thumb.jpg" width="388" height="231" /></a> </li>
<li>Once installed, it starts to carry out a system scan in search for possible malware and once finished, it displays warning messages informing users that the computer is infected:&#160; <br /><a href="http://www.techgeekandmore.com/wp-content/uploads/2010/05/infectalert.jpg"   ><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="infect alert" border="0" alt="infect alert" src="http://www.techgeekandmore.com/wp-content/uploads/2010/05/infectalert_thumb.jpg" width="393" height="284" /></a> </li>
</ul>
<p>&#160;</p>
<h6><strong><u>One of the known ways that the rogueware is installing</u></strong> </h6>
<p>&#160;&#160;&#160; The following post on the PandaLabs site (<strong>LINK: </strong><a href="http://pandalabs.pandasecurity.com/making-new-friends%e2%80%a6/" title="http://pandalabs.pandasecurity.com/making-new-friends%e2%80%a6/"   ><strong>http://pandalabs.pandasecurity.com/making-new-friends%e2%80%a6/</strong></a>) shows 1 of the ways you can get infected.&#160; Two of the clean up jobs that I have had to do in this past week occurred because the user also fell for a greeting card email as described below (Confirmed). </p>
<h2>Making new friends…</h2>
<ul>
<li>Posted on 05/13/10 by <cite>Olaiz</cite> </li>
</ul>
<p>I’m very happy because I’ve received a greeting card via email from a new friend, though it’s not my birthday, my saint’s day or anything like that <img alt=":-)" src="http://pandalabs.pandasecurity.com/wp-includes/images/smilies/icon_smile.gif" /></p>
<p>Look what a nice card I’ve received:</p>
<p><img alt="Google_groups_email_en" src="http://pandalabs.pandasecurity.com/wp-content/uploads/2010/05/Google_groups_email_en.jpg" width="600" height="409" /></p>
<p>Besides, it has been sent from <em>123greetings</em>, which is a legal website to download and send cards, so it must be trustworthy.</p>
<p>I’ve clicked the picture of the message and I’ve been redirected to the website <em>http://luxxxx.googlegroups.com/web/setup.zip</em>, but I can’t see any greeting card here, but a Google groups website containing a link… maybe I have to follow the link in order to view it…</p>
<p>There’s no way. I can only see the Windows of an antivirus called <a href="http://www.pandasecurity.com/homeusers/security-info/218297/DesktopSecurity2010"   ><em>DesktopSecurity2010</em></a> informing me that my computer is infected and that I have to pay the license in order to eliminate the malware. I think that I got infected <img alt=":-(" src="http://pandalabs.pandasecurity.com/wp-includes/images/smilies/icon_sad.gif" /> and I have neither a greeting card nor a new friend…</p>
<p>Now, talking seriously, yesterday we commented how this false antivirus was using Google Groups users (with malicious intentions) to be distributed. In fact, the URL from which the rogueware is downloaded is like the following:</p>
<p><em>http://Google Groups user.googlegroups.com/web/setup.zip</em></p>
<p>Some of these users are <em>felixss, gorlum </em>or<em> misterxyz</em>.</p>
<p>Google has reacted to this and has started blocking these malicious users. So, if you try to access any URL that uses these malicious users, the following message is displayed informing you that the user cannot be found:</p>
<p><img alt="Google_groups" src="http://pandalabs.pandasecurity.com/wp-content/uploads/2010/05/Google_groups.jpg" width="549" height="97" /></p>
<p>Even so, some malicious accounts may still be active, so don’t trust messages like this and don’t follow any link like those we’ve previously mentioned in this post.</p>
<h6><strong><u>So what can you do to help protect yourself</u></strong></h6>
<ul>
<li>If you get a link, email, instant message, asking you or telling about something you were not expecting, even if it seems to be from someone you know, <strong>DO NOT TRUST IT! </strong>Getting a message from grandma saying check out the new pictures I uploaded and realizing she is 80 years old, ask yourself, does grandma really know how to upload pictures? It only takes a minute to call the person, and get a response to “did you send me….. message”, if they did, they will tell you instantly. If they didn&#8217;t they will be the 1st to say “What are you talking about”.&#160; </li>
<li>Because of Twitter, the use of link shortening sites seems to have become the norm.&#160; The problem is that a link to&#160;&#160; <a href="http://bit.ly/dr9Ucz" title="http://bit.ly/dr9Ucz"   >http://bit.ly/dr9Ucz</a> could be a link to many places. How do you know if it is a safe link or not a safe link?&#160; Again, even if the link is sent to you by someone you know, <strong>DO NOT TRUST IT</strong> unless you were specifically expecting it. For the record, <a href="http://bit.ly/dr9Ucz" title="http://bit.ly/dr9Ucz"   >http://bit.ly/dr9Ucz</a> is actually a link to techgeekandmore.com, and TGM does not list shortened links on the TGM site, because we want you to know where you are clicking to.&#160; One thing you can do to check shortened links is visit sites that expand the shortened link.&#160; (<strong>If you use one of these link expander services and copy the link, be careful to copy the link and NOT accidentally double click on the link) </strong>Some of the sites you can visit to expand links: </li>
</ul>
<p><strong>-&gt;</strong> LongURL (<strong>LINK</strong>: <a href="http://longurl.org/" title="http://longurl.org/"   >http://longurl.org/</a>), PrevURL (<strong>LINK</strong>: <a href="http://www.prevurl.com/index.php" title="http://www.prevurl.com/index.php"   >http://www.prevurl.com/index.php</a>), <a href="http://www.expandmyurl.com/"   >ExpandMyURL</a> (<strong>LINK</strong>: <a href="http://www.expandmyurl.com/" title="http://www.expandmyurl.com/"   >http://www.expandmyurl.com/</a>), <a href="http://urlsnoop.com/"   >URL Snoop</a> (<strong>LINK</strong>: <a href="http://urlsnoop.com/" title="http://urlsnoop.com/"   >http://urlsnoop.com/</a>), <a href="http://sucuri.net/?page=tools&amp;title=check-url"   >Sucuri.net</a> (<strong>LINK:</strong> <a href="http://sucuri.net/?page=tools&amp;title=check-url" title="http://sucuri.net/?page=tools&amp;title=check-url"   >http://sucuri.net/?page=tools&amp;title=check-url</a>). At all the sites, enter the shortened URL and click to find out where the link will lead.</p>
<p>-&gt; In addition if you use Firefox to browse the web, you can install LongURLPlease (<strong>LINK</strong>: <a href="http://www.longurlplease.com/" title="http://www.longurlplease.com/"   >http://www.longurlplease.com/</a>), or LongURL (<strong>LINK:</strong> <a href="http://longurl.org/tools" title="http://longurl.org/tools"   >http://longurl.org/tools</a>), which are Firefox browser extensions that automatically preview the destination URL for shortened links from just about any shortener you can name. </p>
<ul>
<li>As always, make sure that your PC is updated with all the latest Windows Updates, your anti-virus is updated, your install of Java is updated, your install of Adobe Flash Player is updated, and your PDF reader is updated. Most viruses, spyware, and rogueware use problems with these programs to get into your computer. You can use sites like File Hippo (<strong>LINK</strong>: <a href="http://www.filehippo.com/" title="http://www.filehippo.com/"   >http://www.filehippo.com/</a> ) to check and make sure your programs are up to date. </li>
</ul>
<h6><strong><u>What to do if you do get infected</u></strong></h6>
<p>&#160;&#160;&#160;&#160; If you still get infected, you can use SuperAntispyware and Malwarebytes programs to clean your machine. I recommend downloading both before you get any infection.&#160; Run them on a regular basis (Regular = once a week or so), even if your computer does not show any signs of issues.&#160; </p>
<p>&#160;&#160;&#160;&#160; To download both programs I recommend using Ninite (<strong>LINK:</strong> ninite.com)</p>
<p><a href="http://www.techgeekandmore.com/wp-content/uploads/2010/05/image3.png"   ><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://www.techgeekandmore.com/wp-content/uploads/2010/05/image_thumb3.png" width="749" height="209" /></a> </p>
<p>If you would like to see more information on ninite you can see the TGM post <a href="http://www.techgeekandmore.com/2009/12/25/software-two-must-haves-for-the-new-pc-pc-decrapifier-and-ninite/" title="http://www.techgeekandmore.com/2009/12/25/software-two-must-haves-for-the-new-pc-pc-decrapifier-and-ninite/"   >http://www.techgeekandmore.com/2009/12/25/software-two-must-haves-for-the-new-pc-pc-decrapifier-and-ninite/</a></p>
<p>&#160;&#160;&#160;&#160; If after running SuperAntispyware and Malwarebytes, you are still infected, then you will need to use a PE (Physical Environment) disk.&#160; The PE disk that TGM recommends is UBCD (<strong>LINK: </strong><a href="http://www.ubcd4win.com" title="http://www.ubcd4win.com"   ><strong>http://www.ubcd4win.com</strong></a>). The how to for the UBCD can be found at <a href="http://www.ubcd4win.com/howto.htm" title="http://www.ubcd4win.com/howto.htm"   >http://www.ubcd4win.com/howto.htm</a> . </p>
]]></content:encoded>
			<wfw:commentRss>http://www.techgeekandmore.com/2010/05/16/desktopsecurity2010-malware-rogueware-pandalabs-alert/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Alert: Spanish-language email message that is a computer virus.</title>
		<link>http://www.techgeekandmore.com/2010/03/22/virus-computdaora-email-msn-messenger-espanol-spanish/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=virus-computdaora-email-msn-messenger-espanol-spanish</link>
		<comments>http://www.techgeekandmore.com/2010/03/22/virus-computdaora-email-msn-messenger-espanol-spanish/#comments</comments>
		<pubDate>Mon, 22 Mar 2010 08:17:00 +0000</pubDate>
		<dc:creator>anovelo</dc:creator>
				<category><![CDATA[Alerts]]></category>
		<category><![CDATA[Fixes for Windows Errors]]></category>
		<category><![CDATA[In Spanish]]></category>
		<category><![CDATA[Malwarebytes]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[Solutions]]></category>
		<category><![CDATA[Spyware]]></category>
		<category><![CDATA[SuperAntispyware]]></category>
		<category><![CDATA[Troubleshooting]]></category>
		<category><![CDATA[Virus]]></category>
		<category><![CDATA[Amix]]></category>
		<category><![CDATA[esto tienes probarlo]]></category>
		<category><![CDATA[you have to check out this email]]></category>
		<category><![CDATA[Rogue Malware Alert]]></category>
		<category><![CDATA[rogueware]]></category>

		<guid isPermaLink="false">http://www.techgeekandmore.com/2010/03/22/virus-computdaora-email-msn-messenger-espanol-spanish/</guid>
		<description><![CDATA[Since the start of TechGeekandMore, one of the biggest focuses has involved computer viruses (which are called Rogueware or Malware). Rogueware and malware can infect a PC in various ways (visiting websites, clicking on links, via emails, or more….). Until now, all the email warnings covered emails in English, because that is what was known to exist.  However, as of now I can officially report that the emails are now multi-language.  Tonight I received an email (sent to me by a family member) that says "Amix, esto tienes probarlo".]]></description>
			<content:encoded><![CDATA[<h3><a href="http://www.techgeekandmore.com/wp-content/uploads/2010/03/computervirus.jpg"   ><img title="computer virus" border="0" alt="computer virus" src="http://www.techgeekandmore.com/wp-content/uploads/2010/03/computervirus_thumb.jpg" width="70" height="70" /></a> Since the start of TechGeekandMore, one of the biggest focuses has involved computer viruses (which are called Rogueware or Malware). Rogueware and malware can infect a PC in various ways (visiting websites, clicking on links, via emails, or more….). Until now, all the email warnings covered emails in English, because that is what was known to exist.&#160; However, as of now I can officially report that the emails are now multi-language.&#160; Tonight I received an email (sent to me by a family member) that says &quot;Amix, esto tienes probarlo&quot;. </h3>
<h3><a href="http://www.techgeekandmore.com/wp-content/uploads/2010/03/spanishmalwareemail.jpg"   ><img title="spanish malware email" border="0" alt="spanish malware email" src="http://www.techgeekandmore.com/wp-content/uploads/2010/03/spanishmalwareemail_thumb.jpg" width="694" height="148" /></a></h3>
<h3>&#160;&#160;&#160;&#160;&#160; The English version of the email has been seen for a while, &quot;Checking to see who is blocking you on MSN&quot;.&#160; The hook being that if you click on the link provided in the email, you will be able to see (supposedly) who has blocked you from their MSN Messenger list.&#160; As noted while looking at the email source (below), it is almost an exact translation of the English version, claiming that if you look at the link you will be able to see who is blocking you (the internet addresses within the email source are blocked out)&#160; </h3>
<p><a href="http://www.techgeekandmore.com/wp-content/uploads/2010/03/emailsource.jpg"   ><img title="email source" border="0" alt="email source" src="http://www.techgeekandmore.com/wp-content/uploads/2010/03/emailsource_thumb.jpg" width="688" height="355" /></a></p>
<h3> What the link actually does is install a version of Antivirus2009 (or 2010), which causes a lot of headaches for the user and normally requires a technician to clean up or reinstall the computer.&#160; If you have Spanish-speaking friends or family, we highly recommend that you let them know not to open this email, and to just mark it as junk mail and delete it.&#160; If they have already opened the email, they can use programs like the <strong><u>free version</u></strong> of SuperAntiSpyware (<strong>LINK:</strong> <a href="http://www.superantispyware.com/superantispywarefreevspro.html"   ><strong>http://www.superantispyware.com/superantispywarefreevspro.html</strong></a> <strong>)</strong> or the <strong><u>free version</u></strong> of Panda (<strong>LINK: <a href="http://www.malwarebytes.org/"   >http://www.malwarebytes.org/</a>).</strong></h3>
]]></content:encoded>
			<wfw:commentRss>http://www.techgeekandmore.com/2010/03/22/virus-computdaora-email-msn-messenger-espanol-spanish/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Alert: Malware emails are not just in English &#8211; They also exist in Spanish.</title>
		<link>http://www.techgeekandmore.com/2010/03/22/malware-rogueware-spanish-version-see-who-is-blocking-you-on-msn-messenger-esto-tienes-que-probarlo/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=malware-rogueware-spanish-version-see-who-is-blocking-you-on-msn-messenger-esto-tienes-que-probarlo</link>
		<comments>http://www.techgeekandmore.com/2010/03/22/malware-rogueware-spanish-version-see-who-is-blocking-you-on-msn-messenger-esto-tienes-que-probarlo/#comments</comments>
		<pubDate>Mon, 22 Mar 2010 08:00:00 +0000</pubDate>
		<dc:creator>anovelo</dc:creator>
				<category><![CDATA[Alerts]]></category>
		<category><![CDATA[How-To]]></category>
		<category><![CDATA[Malwarebytes]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[Solutions]]></category>
		<category><![CDATA[Spyware]]></category>
		<category><![CDATA[SuperAntispyware]]></category>
		<category><![CDATA[Troubleshooting]]></category>
		<category><![CDATA[Amix]]></category>
		<category><![CDATA[esto tienes que probarlo]]></category>
		<category><![CDATA[Rogue Malware Alert]]></category>
		<category><![CDATA[rogueware]]></category>
		<category><![CDATA[You have to check this out email]]></category>

		<guid isPermaLink="false">http://www.techgeekandmore.com/2010/03/22/malware-rogueware-spanish-version-see-who-is-blocking-you-on-msn-messenger-esto-tienes-que-probarlo/</guid>
		<description><![CDATA[Since the start of TechGeekandMore one of the biggest focuses has involved Malware and Rogueware. Malware and Rogueware can infect a pc via various ways (visiting websites, clicking on links, via emails, etc….). Until now, all the email warnings covered English language emails, because that’s what was known to exist.  However as of now I can officially report that those emails are now multi-language.  This evening I received an email (from a Spanish-speaking family member) that says “Amix, esto tienes que probarlo”, which loosely translates to “Buddy, You have to check this out”.]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.techgeekandmore.com/wp-content/uploads/2010/03/computervirus.jpg"   ><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="computer virus" border="0" alt="computer virus" src="http://www.techgeekandmore.com/wp-content/uploads/2010/03/computervirus_thumb.jpg" width="70" height="70" /></a> Since the start of TechGeekandMore one of the biggest focuses has involved Malware and Rogueware. Malware and Rogueware can infect a pc via various ways (visiting websites, clicking on links, via emails, etc….). Until now, all the email warnings covered English language emails, because that’s what was known to exist.&#160; However as of now I can officially report that those emails are now multi-language.&#160; This evening I received an email (from a Spanish speaking family member) that says “Amix, esto tienes que probarlo”, which loosely translates to “Buddy, You have to check this out”.&#160; </p>
<p><a href="http://www.techgeekandmore.com/wp-content/uploads/2010/03/spanishmalwareemail.jpg"   ><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="spanish malware email" border="0" alt="spanish malware email" src="http://www.techgeekandmore.com/wp-content/uploads/2010/03/spanishmalwareemail_thumb.jpg" width="694" height="148" /></a> </p>
<p>&#160;&#160;&#160;&#160; The English version of the email has been a regular for a while, “Checking to see who is blocking you on messenger”.&#160; The hook being that if you click on the provided link in the email, that you will be able to see (supposedly) who has you blocked from their MSN Messenger list.&#160; As noted while looking at the email source (below), it is almost an exact translation of the English version, claiming that if you look at the link you will be able to see who is blocking you (I did block the internet addresses within the source of the email)&#160; </p>
<p><a href="http://www.techgeekandmore.com/wp-content/uploads/2010/03/emailsource.jpg"   ><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="email source" border="0" alt="email source" src="http://www.techgeekandmore.com/wp-content/uploads/2010/03/emailsource_thumb.jpg" width="688" height="355" /></a> </p>
<p>&#160;&#160;&#160;&#160; What the link actually does is install a version of Antivirus2009 (or 2010) which causes a lot of headaches for the user and normally requires a tech to clean up or reinstall your computer.&#160; If you have any Spanish speaking family or friends, we highly recommend that you let them know NOT to open this email, and to just list it as junk mail and delete it.&#160; If they have already opened the email, they can use programs like the <strong><u>free version</u></strong> of SuperAntiSpyware (<strong>LINK: </strong><a href="http://www.superantispyware.com/superantispywarefreevspro.html" title="http://www.superantispyware.com/superantispywarefreevspro.html"   ><strong>http://www.superantispyware.com/superantispywarefreevspro.html</strong></a><strong>) </strong>or the <strong><u>free version</u></strong> of Malwarebytes (<strong>LINK: <a href="http://www.malwarebytes.org/" title="http://www.malwarebytes.org/"   >http://www.malwarebytes.org/</a>). </strong></p>
]]></content:encoded>
			<wfw:commentRss>http://www.techgeekandmore.com/2010/03/22/malware-rogueware-spanish-version-see-who-is-blocking-you-on-msn-messenger-esto-tienes-que-probarlo/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Alert: Another Fake Email Installs Rogue Software (From Panda Labs Blog)</title>
		<link>http://www.techgeekandmore.com/2010/03/06/antivirus2010-fake-email-do-not-click-on-attachment-alert-pandalabs/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=antivirus2010-fake-email-do-not-click-on-attachment-alert-pandalabs</link>
		<comments>http://www.techgeekandmore.com/2010/03/06/antivirus2010-fake-email-do-not-click-on-attachment-alert-pandalabs/#comments</comments>
		<pubDate>Sat, 06 Mar 2010 05:10:00 +0000</pubDate>
		<dc:creator>anovelo</dc:creator>
				<category><![CDATA[Alerts]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Phishing Attacks]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[Spyware]]></category>
		<category><![CDATA[Virus]]></category>
		<category><![CDATA[#Panda Labs Alert]]></category>
		<category><![CDATA[Antispyware 2010]]></category>
		<category><![CDATA[Antivirus2010]]></category>
		<category><![CDATA[defender 2010]]></category>
		<category><![CDATA[Fake Anti-Virus]]></category>
		<category><![CDATA[Fake email malware]]></category>
		<category><![CDATA[Rogue Antivirus Malware]]></category>
		<category><![CDATA[Rogue Malware Alert]]></category>

		<guid isPermaLink="false">http://www.techgeekandmore.com/2010/03/06/antivirus2010-fake-email-do-not-click-on-attachment-alert-pandalabs/</guid>
		<description><![CDATA[One of the biggest reasons why TechGeekandMore started came from how many customers I had (and still have) to visit every week to either clean viruses off PCs or (even worse) recover as many files as possible and then reinstall Windows.  I wanted a way to try and alert and educate my customers about how …..The message seems to have been sent by a member of your family through a legal website to download and send postcards, so that users don’t suspect. In order to view the postcard, you have to open the attached file. It’s a file compressed with zip and if you run it, a rogueware program will be installed in your computer, which is different depending on the message and the operating system you have.]]></description>
			<content:encoded><![CDATA[<p>     One of the biggest reasons why TechGeekandMore started came from how many customers I had (and still have) to visit every week to either clean viruses off PCs or (even worse) recover as many files as possible and then reinstall Windows.  I wanted a way to try and alert and educate my customers about how …..</p>
<p>- No African Prince is going to give you millions</p>
<p>- Emails that say that they are from a friend or family with that weird looking attachment could actually be fake</p>
<p>- Hot College Girl……well this one just really doesn’t have much beyond “Don&#8217;t do it”.</p>
<p>ETC ETC ETC…….</p>
<p>     Along those lines, a new email started circulating this week that has only 1 goal: to trick you into downloading and installing some really nasty software (more of the fake antivirus software).  This new email says that “You have received a postcard”……</p>
<p>The following information comes from PANDALABS blog ( <a href="http://pandalabs.pandasecurity.com/the-thousand-faced-rogue/" title="http://pandalabs.pandasecurity.com/the-thousand-faced-rogue/"   >http://pandalabs.pandasecurity.com/the-thousand-faced-rogue/</a>)</p>
<p>******************************************************************************************************************</p>
<h3>The Thousand-Faced Rogue</h3>
<p>Mar 5</p>
<ul>
<li>Posted on 03/5/10 by <cite><a href="http://pandalabs.pandasecurity.com/author/olaiz/"   >Olaiz</a></cite></li>
</ul>
<p>We want to inform you of a new flood of email messages that seem to contain a postcard but are actually distributing malware. Concretely, we’ve seen several thousands in a few hours.</p>
<p>It’s not the first time we see emails like this in circulation, as subjects like “You’ve received a postcard” are very recurrent.</p>
<p>The message is like the following:</p>
<p><img src="http://pandalabs.pandasecurity.com/wp-content/uploads/2010/03/postcardzip_en.jpg" alt="postcardzip_en" width="541" height="332" /></p>
<p>The message seems to have been sent by a member of your family through a legal website to download and send postcards, so that users don’t suspect. In order to view the postcard, you have to open the attached file. It’s a file compressed with zip and if you run it, a rogueware program will be installed in your computer, which is different depending on the message and the operating system you have.</p>
<p>The following are some of the names of the fake antivirus that can be installed in your computer if you run this file:</p>
<p>% Antispyware 2010</p>
<p>Antivirus % 2010</p>
<p>% Guardian 2010</p>
<p>% Guardian</p>
<p>% Defender 2010</p>
<p>% Antivirus</p>
<p>% Antivirus 2010</p>
<p>% Antivirus Pro</p>
<p>% Antivirus Pro 2010</p>
<p>% Internet Security</p>
<p>% Internet Security 2010</p>
<p>where % stands for the operating system of the computer in which it is going to be installed. Some examples: XPAntispyware2010, Vista Guardian, Win 7 Antivirus Pro.</p>
<p>Let’s take as an example Antivirus XP 2010 and see the actions it carries out once it has been installed in the computer.</p>
<p>Like every rogueware, it starts scanning the system to check if the computer is infected.</p>
<p>Once finished, it displays a list with the malware that it has detected in your computer to make you believe that you’ve got a problem and that this program will offer you the solution:</p>
<p><img src="http://pandalabs.pandasecurity.com/wp-content/uploads/2010/03/AntivirusXP2010.jpg" alt="AntivirusXP2010" width="550" height="387" /></p>
<p>However, all the malware it has detected makes reference to nonexistent files, so the only threat you have is the rogue itself.</p>
<p>Additionally, it prevents the execution of programs whose window title makes reference to the following programs:</p>
<p>Internet Explorer</p>
<p>Firefox</p>
<p>Several security suites.</p>
<p>When you try to run any of these, a message is displayed informing you that these programs are infected and recommending you to install the fake antivirus to solve the problem.</p>
<p>The following image belongs to the message that is displayed when Firefox is run:</p>
<p><img src="http://pandalabs.pandasecurity.com/wp-content/uploads/2010/03/Firefox_infected.jpg" alt="Firefox_infected" width="481" height="414" /></p>
<p>It also contains code to uninstall different security solutions. This way, the computer would be unprotected and the real antivirus programs could not detect it.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.techgeekandmore.com/2010/03/06/antivirus2010-fake-email-do-not-click-on-attachment-alert-pandalabs/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Alert: Criminals using Haiti Tragedy for new online scams</title>
		<link>http://www.techgeekandmore.com/2010/01/16/alert-criminals-using-haiti-tragedy-for-new-online-scams/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=alert-criminals-using-haiti-tragedy-for-new-online-scams</link>
		<comments>http://www.techgeekandmore.com/2010/01/16/alert-criminals-using-haiti-tragedy-for-new-online-scams/#comments</comments>
		<pubDate>Sat, 16 Jan 2010 19:44:00 +0000</pubDate>
		<dc:creator>anovelo</dc:creator>
				<category><![CDATA[Alerts]]></category>
		<category><![CDATA[Scams]]></category>
		<category><![CDATA[Spyware]]></category>
		<category><![CDATA[Virus]]></category>
		<category><![CDATA[Fake Haiti relief sites]]></category>
		<category><![CDATA[Haiti Earthquake latest attempt to infect your pc]]></category>
		<category><![CDATA[Rogue Malware Alert]]></category>
		<category><![CDATA[Scammers taking advantage of Haiti earthquake]]></category>

		<guid isPermaLink="false">http://www.rj-diamond.com/alex/2010/01/16/alert-criminals-using-haiti-tragedy-for-new-online-scams/</guid>
		<description><![CDATA[Unfortunately, the bad guys seem to try and use anything that is current in an effort to take advantage of the situation and unsuspecting people, many of whom may have their guard down because of the circumstances. The tragedy in Haiti is the latest way for the bad guys to attack. The FBI released the]]></description>
			<content:encoded><![CDATA[<p>Unfortunately, the bad guys seem to try and use anything that is current in an effort to take advantage of the situation and unsuspecting people, many of whom may have their guard down because of the circumstances. The tragedy in Haiti is the latest way for the bad guys to attack.</p>
<p>The FBI released the following warning this week after the earthquake (LINK: <a href="http://www.fbi.gov/cyberinvest/escams.htm" title="http://www.fbi.gov/cyberinvest/escams.htm"   >http://www.fbi.gov/cyberinvest/escams.htm</a>)</p>
<blockquote><p><strong><span style="font-size: x-small;">HAITIAN EARTHQUAKE RELIEF FRAUD ALERT</span></strong></p>
<p><span style="font-size: x-small;">01/13/10—The FBI today reminds Internet users who receive appeals to donate money in the aftermath of Tuesday’s earthquake in Haiti to apply a critical eye and do their due diligence before responding to those requests. Past tragedies and natural disasters have prompted individuals with criminal intent to solicit contributions purportedly for a charitable organization and/or a good cause.</span></p>
<p><span style="font-size: x-small;">Therefore, before making a donation of any kind, consumers should adhere to certain guidelines, to include the following:</span></p>
<ul>
<li><span style="font-size: x-small;">Do not respond to any unsolicited (spam) incoming e-mails, including clicking links contained within those messages. </span></li>
<li><span style="font-size: x-small;">Be skeptical of individuals representing themselves as surviving victims or officials asking for donations via e-mail or social networking sites. </span></li>
<li><span style="font-size: x-small;">Verify the legitimacy of nonprofit organizations by utilizing various Internet-based resources that may assist in confirming the group’s existence and its nonprofit status rather than following a purported link to the site. </span></li>
<li><span style="font-size: x-small;">Be cautious of e-mails that claim to show pictures of the disaster areas in attached files because the files may contain viruses. Only open attachments from known senders. </span></li>
<li><span style="font-size: x-small;">Make contributions directly to known organizations rather than relying on others to make the donation on your behalf to ensure contributions are received and used for intended purposes. </span></li>
<li><span style="font-size: x-small;">Do not give your personal or financial information to anyone who solicits contributions: Providing such information may compromise your identity and make you vulnerable to identity theft. </span></li>
</ul>
</blockquote>
<p>MSNBC has released a list of charitable organizations that are active in Haiti, to help you know that your donation is going to the right place.  The list can be found at <a href="http://www.msnbc.msn.com/id/34835478" title="http://www.msnbc.msn.com/id/34835478"   >http://www.msnbc.msn.com/id/34835478</a></p>
<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211; o &#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;</p>
<p>In addition to the financial scams, there are now also web scams which will cause your pc to get infected with Rogueware (things like fake anti-virus messages) while visiting sites that appear to be legit Haiti Support or Information sites.</p>
<p>In the latest attempt to turn a news-making event into a way to spread Rogueware, those running what are called SEO (Search Engine Optimization) campaigns are targeting keywords related to the earthquake in Haiti. Searches on terms such as &#8216;Haiti&#8217;, &#8216;RT (re-Tweet)&#8217;, &#8216;Wyclef Jean&#8217; and his charity, &#8216;Port-au-Prince&#8217;, and Haiti donations, just to name a few, are bringing up sites on major search engines that point users to what they believe to be legitimate news and images related to the tragedy. In fact, because the criminals were able to manipulate the search engine results, fake sites are showing up mixed in with real sites.</p>
<p><a href="http://www.rj-diamond.com/alex/wp-content/uploads/2010/01/haiti_20fraud_201_thumb.jpg"   ><img class="alignnone size-medium wp-image-1322" title="Haiti_20fraud_201_thumb" src="http://www.rj-diamond.com/alex/wp-content/uploads/2010/01/haiti_20fraud_201_thumb.jpg?w=300" alt="" width="405" height="324" /></a></p>
<p>(Picture from <a href="http://sunbeltblog.blogspot.com/2010/01/dangerous-web-search-haiti-earthquake.html" title="http://sunbeltblog.blogspot.com/2010/01/dangerous-web-search-haiti-earthquake.html"   >http://sunbeltblog.blogspot.com/2010/01/dangerous-web-search-haiti-earthquake.html</a>)</p>
<p>If you encounter one of these fake sites, the 1st thing that you should <span style="text-decoration: underline;">NOT DO </span>is click on any pop up or link that says you need to install something to see the site.  The 1st thing you <span style="text-decoration: underline;">SHOULD DO </span>is attempt to close your browser by selecting either the X on the top right or by pressing CTRL-ALT-DEL on your keyboard, going into Task Manager, highlighting your browser, and selecting END TASK (Never attempt to use any of the actual “Close” or “exit” buttons that will appear with the pop up, as most of the time the “yes” and “no” buttons will both do the same thing, which is install the Rogue program on your machine).</p>
<p>In addition, as soon as you reopen your browser (after closing it for the pop up), you want to make sure that you go in and clear your Temporary Internet Files and your Internet Cookies (In Internet Explorer it's Tools –&gt; Internet Options –&gt; then under browsing history –&gt; delete and then delete all.  In Firefox it's Tools –&gt; options –&gt; privacy –&gt; clear your recent history / clear your recent cookies).  That is in addition to making sure that your Anti-Virus software is up to date and that the updates for your operating system (Windows, Mac, Linux) are up to date.</p>
<blockquote><p>(Soapbox**) I continue to point out the need to update, and yet I still regularly get called out to clear infected machines, that are missing updates (Had a Windows PC last week on XP service pack 1 and Norton AV 2004 with updates from September 2005). Not that I don’t want to work, and get paid, but if you really want to make sure you don’t suffer thru the down time and expense of waiting for a tech like myself, UPDATE UPDATE UPDATE.  Will updates protect you 100%, no, unfortunately in the age of the internet, new and more innovative ways to beat a system come up 100’s of times every day, seven days a week.  However, keep in mind, when you leave your house, you lock your door.  Why?  Will locking your door, protect your house from being robbed?  You hope so, and 99% of the time it will.  So updating your system is like locking your door, if you don&#8217;t lock your door you will eventually get robbed. (End Soapbox)</p></blockquote>
<p>**Lastly – To the people of Haiti and those readers of TGM with family and friends in Haiti. You have our thoughts, during this difficult time.**</p>
]]></content:encoded>
			<wfw:commentRss>http://www.techgeekandmore.com/2010/01/16/alert-criminals-using-haiti-tragedy-for-new-online-scams/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Alert: Rogueware with new Ransom Technology (This takes it up to a whole new level!)</title>
		<link>http://www.techgeekandmore.com/2009/10/19/rogueware-with-new-ranson-technology/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=rogueware-with-new-ranson-technology</link>
		<comments>http://www.techgeekandmore.com/2009/10/19/rogueware-with-new-ranson-technology/#comments</comments>
		<pubDate>Mon, 19 Oct 2009 22:00:00 +0000</pubDate>
		<dc:creator>anovelo</dc:creator>
				<category><![CDATA[Panda Labs AV]]></category>
		<category><![CDATA[Scams]]></category>
		<category><![CDATA[Spyware]]></category>
		<category><![CDATA[#Panda Labs Alert]]></category>
		<category><![CDATA[#TotalSecurity2009]]></category>
		<category><![CDATA[All programs and files blocked from running in Windows]]></category>
		<category><![CDATA[PC won't run any programs but Internet Explorer]]></category>
		<category><![CDATA[Rogue Malware Alert]]></category>

		<guid isPermaLink="false">http://techgeekandmore.wordpress.com/?p=821</guid>
		<description><![CDATA[     The challenge these days seems to be to try and stay ahead of the criminals who try and steal from you via your computer.  I get asked almost daily “Why do I keep having to update my anti-virus, anti-spyware or my anti-malware solutions?”  “Can’t I just update it once and get it over with?” ]]></description>
			<content:encoded><![CDATA[<p>     The challenge these days seems to be to try and stay ahead of the criminals who try and steal from you via your computer.  I get asked almost daily “Why do I keep having to update my anti-virus, anti-spyware or my anti-malware solutions?”  “Can’t I just update it once and get it over with?”  Well the simple answer is NO!</p>
<p>     Let me ask you this, why do you listen to the traffic every morning on the radio on the way to work?  Isn’t finding that route to work, where you can stop and get breakfast or your coffee at Starbucks good enough?  Won’t that get you what you need?  Well……of course the answer is no.  We all listen in case that one day we hear about a traffic accident or police action or broken water main or …… well you get the idea.  We want to know this so that we can get a different route and try and avoid getting stuck in a traffic mess.  Your route may never be affected, but you listen anyway every day because that 1 time you don&#8217;t listen, you know will be the 1 time that your 30 minute commute will become 4 hours (I did have that once, it was a nightmare). Ok so if you now apply that analogy to why you update your software (Operating System, Software, and your Anti-Virus/Anti-malware protection), it's basically so that you can hope that you never run into that “nightmare situation”. </p>
<p>     Now let me tell you a little about the latest nightmare that the bad guys have started releasing on to the internet that you and I travel.  This one is called TotalSecurity2009 (From the same people that brought you AntiVirus2008, AntiVirus2009, and many others <a href="http://techgeekandmore.wordpress.com/2009/08/29/alert-another-fake-anti-virus-program/" title="http://techgeekandmore.wordpress.com/2009/08/29/alert-another-fake-anti-virus-program/"   >http://techgeekandmore.wordpress.com/2009/08/29/alert-another-fake-anti-virus-program/</a>).  This one does the same things as the others, you go to an infected website and you see a pop up that says “Your computer is infected, click scan now to clean your machine” (or something to that effect depending on which one you get). </p>
<p><a href="http://www.rj-diamond.com/alex/wp-content/uploads/2009/10/personalavfakeinstallmessage.jpg"   ><img style="border-bottom:0;border-left:0;display:block;float:none;margin-left:auto;border-top:0;margin-right:auto;border-right:0;" title="Personal AV fake install message" src="http://www.rj-diamond.com/alex/wp-content/uploads/2009/10/personalavfakeinstallmessage_thumb.jpg" border="0" alt="Personal AV fake install message" width="425" height="185" /></a></p>
<p>     Then all of a sudden you start getting these pop-ups that look official and legit and even look like they may be part of your operating system, telling you that “the sky is falling” and that you need to buy (insert Rogue Malware name here), and that you can pay $XX amount of dollars (of course by major credit card) and they will clean your pc for you.  That’s like having a burglar walk up to your house and say, sorry I just robbed your house, may I now install your new security system to keep me from robbing you again!</p>
<p>     Ok back to TotalSecurity2009, this one has a new wrinkle. An extra level of sophistication, like we haven&#8217;t really seen before. In the past when you got infected you suffered thru a lot of pop-ups and messages, but for the most part all functions of a pc still worked (OK except maybe web browsing to a legitimate Anti-Virus website, where previous ones would redirect your webpage so that you would only see the Antivirus site pages they wanted you to see).  In TS2009, it's different: TS2009 actually locks all your applications and files, except for Internet Explorer, and that is basically so that Internet Explorer can keep giving you messages that you need to pay $79.99 to get the unlock code for TotalSecurity2009 and then be able to use TotalSecurity2009 to clean your system.  So in essence, if you're a non-technical person and don&#8217;t know any better, you will feel like you have no choice but to pay them to release your pc from malware jail. </p>
<p>     Here is the biggest problem with paying them, because to me it really isn&#8217;t about the $79.99, you will probably never get billed that amount.  What you will have done is given a criminal your name and information and your credit card number and in fact what it will cost you will probably be more than $79.99 with your information out in the open for the bad guys to use (and charge your card) at will until you have to close and change your accounts.</p>
<p>     The following Video comes from Panda Labs (A maker of legitimate Anti-Virus / Anti-Malware software) that shows how the rogue malware works and what effects it will have on your pc. </p>
<div style="font-size:10px;">more about &#8220;<a href="http://vodpod.com/watch/2362304-from-panda-labs-rogueware-with-new-ranson-technology?pod=techgeekandmore"   >From Panda Labs: Rogueware with new R&#8230;</a>&#8220;, posted with <a href="http://vodpod.com?r=wp"   >vodpod</a></div>
<p>     Additional information from Panda Labs can be found at <a href="http://pandalabs.pandasecurity.com/archive/Rogueware-with-new-Ransomware-Technology_2221_.aspx" title="http://pandalabs.pandasecurity.com/archive/Rogueware-with-new-Ransomware-Technology_2221_.aspx"   >http://pandalabs.pandasecurity.com/archive/Rogueware-with-new-Ransomware-Technology_2221_.aspx</a></p>
<p>Panda Labs has also cracked the Rogue Anti-Virus so that you can unlock your machine if you get infected with this Rogue malware.  Once you unlock your machine, you can download a 1 month free trial of the <strong><span style="text-decoration:underline;">Panda Global Protection</span></strong> software that you can then use to clean your pc <a href="http://www.pandasecurity.com/usa/homeusers/downloads/register?Tipo=1&amp;CodigoProducto=60&amp;Idioma=2&amp;TipoUsuario=12&amp;Country=US&amp;TipoLead=2&amp;Ref=WWUS-GP10-DWN" title="http://www.pandasecurity.com/usa/homeusers/downloads/register?Tipo=1&amp;CodigoProducto=60&amp;Idioma=2&amp;TipoUsuario=12&amp;Country=US&amp;TipoLead=2&amp;Ref=WWUS-GP10-DWN"   >http://www.pandasecurity.com/usa/homeusers/downloads/register?Tipo=1&amp;CodigoProducto=60&amp;Idioma=2&amp;TipoUsuario=12&amp;Country=US&amp;TipoLead=2&amp;Ref=WWUS-GP10-DWN</a></p>
<p>Additionally you can also download <strong><span style="text-decoration:underline;">Malwarebytes </span></strong><a href="http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&amp;subj=dl&amp;tag=button" title="http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&amp;subj=dl&amp;tag=button"   >http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&amp;subj=dl&amp;tag=button</a> and <strong><span style="text-decoration:underline;">SuperAntiSpyware</span></strong> <a href="http://superantispyware.com/" title="http://superantispyware.com/"   >http://superantispyware.com/</a> to do additional scanning of your machine to make sure everything is clean. </p>
<p>     Remember, all 3 of these products, plus all other PC security software from a legitimate software company, still need to be updated by you the user before scanning or attempting to clean any malware from your pc, because you don&#8217;t know if your infection was created weeks ago or 1 hour ago, and all security software needs to have the latest updates from its maker in order to give you the best chance of cleaning your pc.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.techgeekandmore.com/2009/10/19/rogueware-with-new-ranson-technology/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
