Viruses seem to come at us from all directions, and lately that includes websites. We'll look at how this happens and what you need to do to stay safe.
Last night I was researching some information about Vista. I went to a legitimate help site I've used before. As soon as I clicked on the site my machine became infected with "Antivirus XP 2008". I have a current CA Antivirus 2008, Windows Defender, and my firewall is active. I immediately ran full system scans with CA and Defender in Safe Mode with Networking. Nothing was detected. I found removal instructions at bleepingcomputer.com using a free product called Malwarebytes' Anti-Malware and it worked like a charm. Then I had to fix a missing Desktop Tab in my display dialog box as well as edit the registry to make the display wallpaper functional again. All of this leads up to my questions....
I've been hearing a lot about "Antivirus XP 2008" recently, and it seems to be active out in the wild.
The questioner goes on to ask 4 very good questions about this particular attack, and about website-based attacks in general, and I want to address each one individually.
First, if you're dealing with "Antivirus XP 2008", here are a couple of resources to get you fixed up:
How to remove Antivirus XP 2008, the article the questioner references at bleepingcomputer.com.
AntiVirusXP2008 information at Symantec's Security Response center.
Antivirus XP 2008 details at Computer Associates.
On to the specific questions.
Why didn't my CA AV and/or Windows Defender stop this attack? This rogue malware has been around for several months - enough time for CA and MS to update their definitions.
That's a very good question. As you can see, I included a link above to information on this specific threat on the CA website. Among other things, that site includes the specific version of the CA anti-virus database to which detection of "Antivirus XP 2008" was added: roughly a month prior to getting the question (and updated about a week or so ago).
What this leads me to wonder is whether or not you are, in fact, getting the latest database updates automatically. If not, this could be a classic case of why you should always make sure that all anti-malware software is updating its database regularly: new threats show up all the time. Regardless, it's the first thing I would check.
Second, in some variations of this threat you must actually click on the bogus warning message presented by the malware in order to be infected. If you saw that message, and ran your scans prior to dismissing or clicking on the message, you might not yet have been infected.
But my money's on the issue somehow being the database updates.
How did the malware get onto a legitimate website? Hackers? The site webmaster?
You didn't indicate the site (I'll assume it wasn't mine), so I can't comment on its legitimacy. Obviously, the webmaster can do pretty much anything. In some cases, the webmaster is not necessarily the site owner, but rather an employee or a contractor, so I suppose there's always some level of risk, but I don't consider it to be all that high - again, if this is a truly legitimate site.
More commonly, the culprit is a hacker.
In the past, we've associated hackers with destructive behavior; things like defacing a site, deleting the site contents, or putting up offensive material in its place. Lately, the tactics have shifted so that a hacked site isn't quite as obvious to the owner as it once was. Hackers now do it with a purpose: to spread malware, or to game the search engines. Depending on the underlying technologies used to implement the web site, there may be security vulnerabilities that would allow a knowledgeable hacker access in such a way that they could quietly manipulate the site contents to include things like malware downloads.
This is the reason that contacting the site owner is exactly what you should have done. It's on them to listen to you, and I hope they do, since I consider this the most likely vector for this particular problem to have happened.
Another newly emerging class of attack vector is advertising. Occasionally, malicious folks will actually purchase ads into which they place the first step of their attacking code. Most ad networks will immediately reject these types of ads, and actual successful use of this approach has so far been very rare.
Do websites use any kind of anti-malware programs to keep from becoming infected?
Not really, since the threat is... different. There are certainly things that could be scanned for, and as this threat is on the rise this type of scanning is happening more and more. However, the web isn't quite like your PC. A "hack" could be a simple link or a single line of JavaScript innocuously placed in a comment or on a hacked home page. The real "virus" is then referenced from a completely different website, when your browser follows that link.
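To make that concrete for a site owner, here is an added example (my own illustration, not code from this article or from any product it mentions) in Python: a small integrity check that parses a page and flags any script, iframe, object or embed tag that pulls content from a host outside the site's own allowlist, plus a line-by-line comparison against a known-good copy of the page. The host names and sample pages are constructed for the demonstration.

```python
"""Spot a single injected line that pulls content from another host.

Added example, not from the Ask Leo! article. ALLOWED_HOSTS, the sample
pages and the host names are constructed for the demonstration.
"""
import difflib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this (constructed) site legitimately loads scripts and frames from.
ALLOWED_HOSTS = {"www.example-helpsite.test", "cdn.example-helpsite.test"}

# Tag -> attribute that makes the browser fetch and run/render remote content.
WATCHED = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}


class ExternalRefFinder(HTMLParser):
    """Collects watched tags whose URL points at a host not in the allowlist."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_name = WATCHED.get(tag)
        if attr_name is None:
            return
        url = dict(attrs).get(attr_name)
        if not url:
            return                      # e.g. inline <script> with no src
        host = urlparse(url).hostname   # None for relative URLs (same site)
        if host is None:
            return
        if host.lower() not in ALLOWED_HOSTS:
            line, _col = self.getpos()  # position of this tag in the page
            self.findings.append(
                {"tag": tag, "host": host.lower(), "url": url, "line": line}
            )


def scan_page(page_html: str) -> list:
    """Return a list of off-site script/frame references found in the page."""
    finder = ExternalRefFinder()
    finder.feed(page_html)
    finder.close()
    return finder.findings


def added_lines(baseline: str, current: str) -> list:
    """Lines present in `current` but not in `baseline` (a known-good copy)."""
    diff = difflib.ndiff(baseline.splitlines(), current.splitlines())
    return [line[2:] for line in diff if line.startswith("+ ")]


# Constructed sample: a normal page, and the same page with one injected line.
CLEAN_PAGE = """<html><head>
<script src="https://cdn.example-helpsite.test/site.js"></script>
</head><body>
<h1>Vista help</h1>
<p>Comments:</p>
<p>Thanks, this fixed it.</p>
</body></html>"""

INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<script src="http://unknown-host.test/av.js"></script>\n</body>',
)

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        hits = scan_page(page)
        print(f"{name}: {len(hits)} off-site reference(s)")
        for h in hits:
            print(f"  line {h['line']}: <{h['tag']}> loads from {h['host']} ({h['url']})")
    print("lines not in the known-good copy:", added_lines(CLEAN_PAGE, INJECTED_PAGE))
```

The allowlist check is a heuristic: it catches the one-line `<script src=...>` and hidden-iframe pattern the answer describes, but it misses inline script that assembles the reference at run time. Where a known-good copy of each page exists, the comparison in `added_lines` is the check to rely on, and it should be run against the files on the server from a clean machine rather than only against what a browser receives.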
The real solution for web sites, which will sound very familiar to PC owners, is to stay aware of vulnerabilities discovered in the software used to implement the web site, and to keep that software up to date. In addition, website designers have the additional burden of coding and configuring their websites properly to avoid common exploits like SQL injection and malicious HTML posted in comments.
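As an added example (not from the article or any product it names), here is how the two coding mistakes just mentioned look in Python next to their fixes: a query built by pasting the visitor's input into the SQL text versus one using bound parameters, and a comment echoed into the page as raw HTML versus one escaped first. The in-memory database, its table and every input are constructed for the demonstration.

```python
"""Unsafe vs. hardened handling of visitor-supplied input on a web site.

Added example, not from the Ask Leo! article. Uses an in-memory SQLite
database; the table contents and inputs are constructed.
"""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed comments table with three rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO comments (author, body) VALUES (?, ?)",
        [("alice", "Thanks, this fixed it."),
         ("bob", "Worked for me too."),
         ("carol", "Still broken.")],
    )
    return conn


# --- SQL: string building vs. bound parameters ---------------------------

def comments_by_author_unsafe(conn, author: str) -> list:
    """Vulnerable: the visitor's value becomes part of the SQL text, so a
    quote in it changes the meaning of the query."""
    sql = f"SELECT author, body FROM comments WHERE author = '{author}'"
    return conn.execute(sql).fetchall()


def comments_by_author_safe(conn, author: str) -> list:
    """Hardened: the driver binds the value; it is only ever compared as data."""
    sql = "SELECT author, body FROM comments WHERE author = ?"
    return conn.execute(sql, (author,)).fetchall()


# --- HTML: echoing a comment vs. escaping it -----------------------------

def render_comment_unsafe(body: str) -> str:
    """Vulnerable: any markup in the comment is handed to every visitor's
    browser as live HTML, which is exactly how a one-line <script> gets in."""
    return f'<p class="comment">{body}</p>'


def render_comment_safe(body: str) -> str:
    """Hardened: <, >, &, and quotes become entities, so the comment is text."""
    return f'<p class="comment">{html.escape(body, quote=True)}</p>'


if __name__ == "__main__":
    conn = make_db()
    # Constructed input that is not an author name but contains a quote.
    odd_input = "nobody' OR '1'='1"
    print("unsafe query rows:", len(comments_by_author_unsafe(conn, odd_input)))
    print("safe query rows:  ", len(comments_by_author_safe(conn, odd_input)))
    # Constructed comment containing markup.
    posted = '<script src="http://unknown-host.test/x.js"></script> nice article'
    print(render_comment_unsafe(posted))
    print(render_comment_safe(posted))
```

The same rule applies beyond these two spots: anything that arrives from a visitor (query strings, form fields, cookies, uploaded file names) is data, and the fix is always to keep it from being parsed as code, whether by the database or by the browser.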
Is there any program or tool available to scan websites before clicking on them to make sure they haven't been hacked or infected? And I'm not talking about IE7 or Firefox 3 phishing filters that detect bogus sites. I'm talking about a way to make sure legitimate sites are still safe to enter.
No and yes.
No, in the sense that I'm not aware of a reliable service that does this. There have been attempts, but they've typically caused more problems than they've avoided. They unfortunately have a record of "false positives", flagging totally safe and legitimate sites as somehow bogus, and raising so many false alerts that users ignore them totally if they actually want to get anything done. (Yes, one did for a while flag Ask Leo! as a malicious site, and nothing could be further from the truth. No, I'm not bitter. Much.)
Yes, in the sense that ultimately these types of infections happen like any other: a program gets downloaded and run on your machine. That means that an up-to-date and properly configured anti-virus program should catch it as it attempts to happen.
Article C3483 - August 28, 2008
The free Malwarebytes removes it. The download webpage mentions $24.00, but that is for the full-time protection. Also, ComboFix at www.bleepingcomputer.com removes it too.
I use these two progs. to clean up customers' computers. Before running ComboFix there is a tutorial that should be read.
Packrat1947
Posted by: Packrat1947 at September 12, 2008 6:07 AM

Well let me tell you what this friggin virus did to me. First off I accidentally agreed to the contract. DOH! Not realizing what I had done, immediately I went about my business around the house and I come back and there is a "scan" going on by this xp 2008 virus saying I have several hundred trojans, cookies, and viruses. It then prompts me to purchase their product... LOL... I didn't w00t But I did want to update my McAfee because I knew it was outdated... Well they wanted money too so I decided not to go that route either. So I let the virus sit there for about 24 hours, hooked up to the internet, not giving it a second thought. When I came back to the computer, I found something very strange. All restore points had been erased, my ability to defrag was gone, my ability to customize my desktop settings was gone, and there were about 9 corrupt files in my c:\ drive and registry files and system32 files. Then I noticed if I left the mouse alone for about 3 minutes the system reboot would occur claiming I had just recovered from a serious threat. And this would happen every 3 minutes, making the virus even worse.... So I said ok time to deal with this little booger... So I went to Google, searched antivirus xp 2008 and came up with Mr. Leo's recommended site and I clicked on it... with no success, so I tried again and it wouldn't connect... So I tried another and all I would get is a no connection page, or a redirect to a spam site. So I tried 3 different browsers... AOL, Mozilla, and Internet Explorer... all the same results... so I disassembled my computer took it to a friend of mine and said fix it. We tried to defrag.. nothing, system restore points.. all gone, and I allow MAXIMUM space for restore points creating one every other day, and with every install and un-install. ALL GONE!
So we tried something else, I grabbed my old xp boot discs and using Nero I backed up all the files I needed from my computer and got ready for a re-format... That little booger (me thinks) would not let me... No matter what we tried, the system would not boot up to a new system... Finally I bring the computer home, after 8 days of this. I open up a browser that's been sitting on the shelf collecting dust for 3 years w/out update... MSN Explorer that came with xp... lmao It was unaffected by the browser re-directs and I was able to get to Trend Micro HouseCall and quarantine most of the malicious software associated with this worm, and then I used Malwarebytes to get the rest. And now I have AVG Security protecting my @$$ bye bye McAfee.
Posted by: Tim at September 16, 2008 12:22 AM

Dude... You DON'T need to reinstall your (old) browser because of the redirects! :)
Easy trick. Go to Google, lookup whatever it is you want. Click on the 'cached' link. Doesn't seem to be affected by the redirects. ;)
Leo, I came to your site to find out WHAT IS THE SOURCE of these infections?
Thanks Big Guy! :)
Posted by: much guest at October 29, 2008 11:58 AM

What is a virus which attacks or infects specific anti-virus software known as?
Posted by: rohit dhir at January 3, 2009 12:05 AM

Malwarebytes is a good choice; however, I've found that Spyware Doctor does a better job when removing malware. As for Antivirus XP 2008, there are many, many manual removal guides on the net. For example:
Posted by: rodi at June 25, 2009 7:09 AM

Antivirus XP 2008 removal at bleepingcomputer.com
Antivirus XP 2008 removal at 2-spyware.com