In case any of you have loved ones or whatever running Windows, this is something you may need soon. Normally this wouldn't be such a pain in the ass, but this is now one of those "landscape changes" resulting from people like the Russian Business Network (also known as "criminals"--there is no mincing words on this) really bearing down on the subject of installing malware onto people's computers. I'm going to say something that will upset some of you now. Pregnant women and those prone to fainting may wish to stop reading now. * * * This fscker will get you through Firefox if you're not careful. * * * It's not Firefox that's being exploited, but any one of three plugins (and probably more than that) that are installed if you have not been keeping them up to date. High on the list of possibilities are Quicktime and Adobe Reader plugins for one very specific reason. Those two things have their automated update checkers tied up in exceptionally ponderous system tray apps that most people disable because they're a big waste and slow down booting. ...so if you don't have these doing their thing through the system tray, the first time you may find out there's a necessary update is when the plugin is triggered by the browser--at which point it's too late, you've been compromised. The machine I just cleaned up was infected while a person was browsing MySpace (and this isn't MySpace-specific, I'll explain at the bottom) using Firefox and it was infected through the Quicktime plugin. All the user initially saw was that Quicktime was informing them of an update being available... and then they started getting the popups advertising for what are essentially phony anti-spyware programs. This particular variant did the following things above and beyond "the usual". It blew AVG right off the drive. It damaged the Quicktime installation so that it could not be updated without going and manually getting the update, although Quicktime itself still worked properly. After a partial removal in safe mode was attempted, it locked out all accounts, including the administrator account. Very not cool, that. (It of course disabled all the internet security settings in XP, and riddled the registry with itself, and installed "partner" software as the usual.) Why this is not specific to MySpace The problem that's coming up now is that the criminals are using front companies to buy ad space from legitimate/normal ad companies, and serving the ads from their own machines, which every so often will instead return a 404 document which invokes a vulnerable plugin. I've seen multiple perfectly reasonable sites go into a panic lately (CuteOverload got so freaked out their wiped their site and restored it from a scoured backup) because their users were reporting that their antivirus solutions were hollering about viruses on their site--which turned out to be coming from major ad banner companies that would otherwise be considered "safe". Vundo/VirtuMonde removal tool |