We have just had our second outbreak of a variant of the Windows XP home security malware (Malwarebytes called it Trojan.FakeAlert). It manages to kill our antivirus (NOD32), and then kills attempts to start the Task Manager or to install Malwarebytes. I have managed to clean it off by logging in as an admin, removing the file remotely before it starts up and getting Malwarebytes to scan and remove it. My question relates to prevention:

So my question is: how does FakeAlert work? I can find nothing on the internet explaining in detail how it's getting in and executing; it seems to be embedded in web pages and then gets automatically downloaded and run?

We can clean it off with Malwarebytes (and are more than a little outraged that Windows doesn't prevent these things from installing control panels, interrupting Ctrl-Alt-Del/Ctrl-Alt-Esc, etc.), but we're reluctant to shell out for a Malwarebytes site license if there is a free way of blocking it. To do that we need to know how it works (and whether MBAM will keep us safe from this in future).

Some more details on our setup: our client machines are Windows XP boxes, connecting to a Windows Server 2003 AD domain.

James B

1 Answer

What thing works? You didn't give details on the executable, where it was found, or what Malwarebytes called it. Are you in a managed environment with AD or a workgroup?

The only thing I could say from the information given is to institute a policy of blocking executables that aren't whitelisted. This can be done through AD or through add-on programs.

You can also invest in a program like Deep Freeze, which restores a computer back to its "clean" state on reboot. It takes oversight and administration to do this, though. That would limit infections only to a user's profile, if you're using a central server for storing the profiles.

Are you limiting access privileges from your users? Does running something like the system protection from Spybot Search and Destroy alert your users to changes from this malware?

Are you running any kind of proxy server that can scan and block executables from websites? What are your settings for safety set to on the web browser you're using? Are you using IE with the latest updates? Have you tried using an alternative web browser that may not have as much susceptibility? If you use a logging proxy you may even be able to tell where the executable is being downloaded from.

On top of that, if this is a business, what is your policy on browsing non-work related websites? Are you checking the history of browsing on users that become infected?

Bart Silverstrim
    +1. I would also add: Update installed apps -- Java, Flash and Adobe Reader are *huge* targets for exploits. Look into [Software Restriction Policies](http://technet.microsoft.com/en-us/library/bb457006.aspx) for limiting software execution from within the user's profile (and other non-standard places). – jscott May 20 '11 at 11:51
  • Also install the latest versions of IE (hopefully 8) if you can as it has features to prevent this sort of attack – Jim B May 20 '11 at 12:42
  • I think the newest in the scream...er, stream...is 9, currently available for IE. How effective it is at blocking this I do not know. – Bart Silverstrim May 20 '11 at 12:47
  • @Chris_O my users didn't have to click install for this to happen, it just ran from within a webpage and attached itself into windows (indeed, I had a variant of it myself a couple of months back) – James B May 20 '11 at 13:18
  • @Bart, thanks for the reply, I'm going to go with an .exe whitelist (which for this group of users is surprisingly easy to come up with), and probably disable vb script etc too. I'd still love to know how browsing a webpage allows in this kind of attack – James B May 20 '11 at 13:21
  • @James Typically, we see malware launched from hacked web pages, "phishing" imitation sites and malicious advertisements served up on legit sites. Users often needn't click on anything -- the 3rd-party application exploits automate the pwnage. – jscott May 20 '11 at 13:49
  • Every instance of FakeAlert that I have seen requires user interaction to install: http://vil.nai.com/vil/content/v_144441.htm – Chris_O May 20 '11 at 14:26
  • The fake malware I've seen sticks an executable into the users profile (like the application data folder under the profile), hides it, and has it autolaunch from a registry setting, again from the user registry settings I believe. Spybot has been wiping it when I run into these cases. But it's sticking the stuff into areas that the user has access to. Without whitelisted executables it would be hard to stop, the way Windows is designed. – Bart Silverstrim May 20 '11 at 15:41
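The comments above describe the two things an administrator can check for: an autorun entry (a per-user Run key) pointing at a hidden executable dropped somewhere the user can write to, and whether a Software Restriction Policy default-deny is actually in force. The following PowerShell audit script is an added example and is not code from the thread or from any of the products mentioned. It assumes PowerShell is installed on the client (it is not shipped with XP by default), that the script is run as an administrator, and that SRP stores its policy under `HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers` with `DefaultLevel` 0 meaning Disallowed and 0x40000 meaning Unrestricted, which is the documented layout. The "user-writable" roots it checks (profile, Application Data, Temp) are a reasonable starting list, not an exhaustive one.

```powershell
# Added example: audit Run keys for executables living in user-writable
# locations (where the thread says FakeAlert drops itself) and report the
# Software Restriction Policy default level. Not from the original thread.

# Roots a non-admin user can write to; extend as needed for your environment.
$userWritable = @(
    $env:USERPROFILE,
    $env:APPDATA,
    $env:TEMP,
    (Join-Path $env:SystemRoot 'Temp')
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

# Per-user Run key (the one mentioned in the thread) plus the machine-wide ones.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-CommandExecutable {
    # Extract the executable path from a Run-key command line, e.g.
    #   "C:\Documents and Settings\bob\Application Data\x.exe" /s  -> quoted path
    #   C:\WINDOWS\system32\ctfmon.exe                             -> first token
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    return ($cmd -split '\s+')[0]
}

function Test-UserWritablePath {
    param([string]$Path)
    $p = $Path.ToLowerInvariant()
    foreach ($root in $userWritable) {
        if ($p.StartsWith($root + '\')) { return $true }
    }
    return $false
}

function Get-SuspiciousAutoruns {
    $findings = @()
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($entry in $props.PSObject.Properties) {
            # PSPath, PSParentPath etc. are provider metadata, not Run values.
            if ($entry.Name -like 'PS*') { continue }
            $exe = Get-CommandExecutable -CommandLine ([string]$entry.Value)
            $hidden = $false
            if (Test-Path -LiteralPath $exe) {
                $attrs = (Get-Item -LiteralPath $exe -Force).Attributes
                $hidden = (($attrs -band [IO.FileAttributes]::Hidden) -ne 0)
            }
            if ((Test-UserWritablePath $exe) -or $hidden) {
                $findings += New-Object PSObject -Property @{
                    Key = $key; Name = $entry.Name; Executable = $exe; Hidden = $hidden
                }
            }
        }
    }
    return $findings
}

function Get-SrpStatus {
    # DefaultLevel 0 = Disallowed (whitelist mode); 0x40000 = Unrestricted
    # (only explicit disallow rules apply, which is the out-of-box state).
    $srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (-not (Test-Path $srp)) { return 'No Software Restriction Policy configured' }
    $level = (Get-ItemProperty -Path $srp).DefaultLevel
    switch ($level) {
        0       { 'SRP default level: Disallowed (whitelist in force)' }
        262144  { 'SRP default level: Unrestricted (only explicit disallow rules apply)' }
        default { "SRP default level: $level" }
    }
}

Get-SuspiciousAutoruns | Format-Table Key, Name, Executable, Hidden -AutoSize
Get-SrpStatus
```

Run it under the affected user's account (or after loading that user's hive) so the HKCU keys inspected are the right ones; a hit from a hidden file under Application Data is exactly the persistence described above. The SRP check only reports the default level; the whitelist rules themselves should be built through the Group Policy editor rather than by editing that key by hand.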