Vundo/VirtuMonde removal tool
Topic: Computer Security 9:27 am EST, Dec 24, 2007

In case any of you have loved ones or whatever running Windows, this is something you may need soon. Normally this wouldn't be such a pain in the ass, but this is now one of those "landscape changes" resulting from people like the Russian Business Network (also known as "criminals"--there is no mincing words on this) really bearing down on the subject of installing malware onto people's computers.

I'm going to say something that will upset some of you now. Pregnant women and those prone to fainting may wish to stop reading now.

* * *

This fscker will get you through Firefox if you're not careful.

* * *

It's not Firefox that's being exploited, but any one of three plugins (and probably more than that) that are installed if you have not been keeping them up to date. High on the list of possibilities are Quicktime and Adobe Reader plugins for one very specific reason.

Those two things have their automated update checkers tied up in exceptionally ponderous system tray apps that most people disable because they're a big waste and slow down booting. So if you don't have these doing their thing through the system tray, the first time you may find out there's a necessary update is when the plugin is triggered by the browser--at which point it's too late, you've been compromised.

The machine I just cleaned up was infected while a person was browsing MySpace (and this isn't MySpace-specific, I'll explain at the bottom) using Firefox and it was infected through the Quicktime plugin. All the user initially saw was that Quicktime was informing them of an update being available... and then they started getting the popups advertising for what are essentially phony anti-spyware programs.

This particular variant did the following things above and beyond "the usual". It blew AVG right off the drive. It damaged the Quicktime installation so that it could not be updated without going and manually getting the update, although Quicktime itself still worked properly. After a partial removal in safe mode was attempted, it locked out all accounts, including the administrator account. Very not cool, that. (It of course disabled all the internet security settings in XP, riddled the registry with itself, and installed "partner" software as usual.)

Why this is not specific to MySpace

The problem that's coming up now is that the criminals are using front companies to buy ad space from legitimate/normal ad companies, and serving the ads from their own machines, which every so often will instead return a 404 document which invokes a vulnerable plugin. I've seen multiple perfectly reasonable sites go into a panic lately (CuteOverload got so freaked out they wiped their site and restored it from a scoured backup) because their users were reporting that their antivirus solutions were hollering about viruses on their site--which turned out to be coming from major ad banner companies that would otherwise be considered "safe".
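As an added example (not from the original post), here is a small Python check for the pattern just described in a web proxy log: an ad host that normally serves banners but now and then answers a request with a 404 whose body is something a plugin, not the browser, will open. The log format (Common Log Format plus the response Content-Type), the host names, the MIME list and the size threshold are all assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (Common Log Format with the response
# Content-Type appended), not real traffic. The ad host serves normal banners
# most of the time but occasionally answers 404 with a plugin-handled body.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Dec/2007:09:01:02 -0500] "GET http://ads.example-adnet.test/banner.gif HTTP/1.1" 200 4311 "image/gif"
10.0.0.5 - - [24/Dec/2007:09:01:03 -0500] "GET http://ads.example-adnet.test/banner.gif HTTP/1.1" 200 4311 "image/gif"
10.0.0.7 - - [24/Dec/2007:09:02:10 -0500] "GET http://ads.example-adnet.test/b.gif HTTP/1.1" 404 38120 "video/quicktime"
10.0.0.9 - - [24/Dec/2007:09:02:11 -0500] "GET http://www.example-site.test/missing.png HTTP/1.1" 404 312 "text/html"
10.0.0.7 - - [24/Dec/2007:09:03:00 -0500] "GET http://ads.example-adnet.test/c.gif HTTP/1.1" 404 52001 "application/pdf"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<ctype>[^"]*)"$'
)

# MIME types that the browser hands to a plugin instead of rendering itself.
PLUGIN_TYPES = {"video/quicktime", "application/pdf", "application/x-shockwave-flash"}
# A real "not found" page is small; a 404 body larger than this is odd on its own.
MAX_PLAIN_404_BYTES = 4096  # assumed threshold

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["host"] = re.sub(r"^https?://([^/]+).*$", r"\1", rec["url"])
    return rec

def suspicious_404s(log_text):
    """Return (hits, per_host): 404 responses whose body is plugin-handled or
    oversized, and a count per host so a repeat-offending ad server stands out."""
    hits, per_host = [], defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        ctype = rec["ctype"].split(";")[0].strip().lower()
        if ctype in PLUGIN_TYPES or rec["bytes"] > MAX_PLAIN_404_BYTES:
            hits.append(rec)
            per_host[rec["host"]] += 1
    return hits, dict(per_host)
```

On the constructed sample this flags the two ad-host 404s (QuickTime and PDF bodies) and leaves the ordinary small HTML 404 from the content site alone.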
