
New Malware Imitates Browser Warning Pages

Soulskill posted more than 3 years ago | from the good-thing-nobody-ever-mindlessly-clicks-through-those dept.

Topic: Microsoft

Jake writes with this excerpt from Ars: "Microsoft is warning about a new piece of malware, Rogue:MSIL/Zeven, that auto-detects a user's browser and then imitates the relevant malware warning pages from Internet Explorer, Firefox, or Chrome. The fake warning pages are very similar to the real thing; you have to look closely to realize they aren't the real thing. The ploy is a basic social engineering scheme, but in this case the malware authors are relying on the user's trust in their browser, a tactic that hasn't been seen before. Beyond the warning pages, the actual malware looks like the real deal: it allows you to scan files, tells you when you're behind on your updates, and enables you to change your security and privacy settings. Performing a scan results in the product finding malicious files, but of course it cannot delete them unless you update, which requires paying for the full version. Attempting to buy the product will open an HTML window that provides a useless 'Safe Browsing Mode' with high-strength encryption. To top it all off, the rogue antivirus webpage looks awfully similar to the Microsoft Security Essentials webpage; even the awards received by MSE and a link to the Microsoft Malware Protection Center have been copied."


143 comments

Not new... (2, Informative)

Darkness404 (1287218) | more than 3 years ago | (#33466308)

Imitating warning pages or other elements of the UI is not a new tactic. Back in the 90s and 2000s there were lots of "You are the 223423424th person to view this page" banners that were deliberately trying to imitate Windows 9X or XP.

Re:Not new... (1)

jornak (1377831) | more than 3 years ago | (#33466396)

This is also old news in regards to the actual topic. Malware has been imitating error pages and injecting code into pages (like "Google detects you're infected, use software to fix!" on Google) for the longest time.

Re:Not new... (4, Funny)

Anonymous Coward | more than 3 years ago | (#33467194)

How could you even think of browsing the internet without Internet Explorer 8 on Microsoft Windows 7? Do you realize that using knock-off "operating systems" and programs like Foxfire and Chrum and Oprah is intellectual property theft? Why do you think you fools are getting viruses? It's not cool. You're not slick and getting one over on "the man". It's fucking bullshit. Microsoft Internet Explorer 8 was designed and engineered to exacting standards to mesh flawlessly with the intricate security in Microsoft Windows 7. Your knock-off crap is not. Why do you freetards insist on removing your noses to spite your faces? Do you just tire of smelling your own bullshit? Microsoft Windows 7 and Microsoft Internet Explorer 8 are superior to this freetard shit in every possible way. Microsoft have invested billions of dollars in blood sweat and tears to deliver an exceptionally secure system and you people just take it for granted. What would you do if Microsoft were driven out of business because you thought you could steal from them and use Lumix and frebsd? You people disgust me with your Lunix and Crabble puke. Do you think you're special? Guess what... You're not! You can't think you can honestly get away with continually stealing the fruits of the billions of dollars Microsoft Research has invested in producing the intellectual property that you dorks so cavalierly pilfer to inject into your Gnom and KED and Quark shit. You all disgust me. You people need to look into the mirror and reevaluate your lives.

Re:Not new... (3, Funny)

paiute (550198) | more than 3 years ago | (#33467342)

How could you even think of browsing the internet without Internet Explorer 8 on Microsoft Windows 7?

2/10: for using it's and your correctly.

Re:Not new... (2, Insightful)

History's Coming To (1059484) | more than 3 years ago | (#33467770)

I need to look in a mirror and re-evaluate my life....

Actually, it's a very, very good troll that brings up some interesting points, so I'll bite.

The thrust of your argument is that older and/or non-company vended net software is dangerous when it comes to picking up viruses. There's an element of truth in that, a regularly patched system, be it *nix based or Windows is generally a good idea. This is, however, a different thing to having every possible update just for the sake of it. If I installed Windows and iTunes on my system simply because I *might* want to use them, or because everybody else has it, or because I saw an advert, then I'm opening myself up to new potential avenues of attack. Let's presume I only want to read the text on the internet....no pictures, no video, no Silverlight or whatever the latest thing is....I'd use a very bare-bones system, say Lynx running without a GUI, PDF support etc.

If there's nothing running scripts at a system level, for example no JS, Flash, Java plugins and the like, then that's multiple attack routes taken care of. Sure, the modern internet is very snazzy and all, but being able to "install and run our video codec" is asking for trouble if you just want to look at naughty ladies. Less is often more.

Re:Not new... (1)

armanox (826486) | more than 3 years ago | (#33468126)

Let me ask you this Mr. Coward - can you show me what the free world has stolen from Microsoft?

Re:Not new... (0)

Anonymous Coward | more than 3 years ago | (#33468252)

This just makes me so mad. I hate even thinking about it let alone writing it down. But, Linux has stolen at least a billion dollars [slashdot.org] directly from the pockets of Microsoft. And what makes it really sad is how much more good work Bill Gates could do with the Bill and Melinda Gates Foundation if that sorely needed money were not so callously stripped from his grasp. It makes me sick. There is a special place in Hades for users of GNU software.

Re:Not new... (1)

Runaway1956 (1322357) | more than 3 years ago | (#33468256)

I looked into the mirror. "How are you today, Mirrorimage?" "Oh, fine, except I get tired of hearing the Microsoft shills calling me thief, and worse." "Oh, don't worry about the shills. Do you realize what crummy lives they lead? Think about it." "Oh, wow - sucks to be so pathetic that you have to praise the unpraiseworthy. Suck even more to praise those unpraiseworthies who will never even notice or appreciate your pathetic noises." "Yep, you got it. I would rather BE a thief, than to be a shill. Not that I'm considering a life of crime or anything, but if I had to choose, I'd rather be a thief!"

Re:Not new... (1)

hairyfeet (841228) | more than 3 years ago | (#33467332)

Yep, looks to be just another spin on the Security Tool malware that has been going around for a couple of years now. I remove that crap at least twice a week at my shop. I've seen versions of it that looked like AdAware, like AVG, and like Norton. Of course the easiest to spot was the fake Norton, since it didn't slow the machine to a crawl and they actually wanted less money than Symantec charges, LOL!

Seriously though ever since SP3 the OS has been less and less of an attack vector. More and more I'm seeing either social engineering or third party like Reader or Flash based attacks. Basically this just proves something I've thought for a long time, that even if you harden the OS ultimately it comes down to the user, and as you can see from TFA these malware guys are getting better every day when it comes to mimicry. As we saw with the Linux backdoor introduced via KDE themes or the hacked ID game editor, no OS is safe if a malware writer truly wants to target it, at least not as long as the user has the right to alter and install.

Re:Not new... (1)

mlts (1038732) | more than 3 years ago | (#33468304)

What I see as an attack vector are third party add-ons. You can have a secure browser, but if an add-on gets compromised, it is all for naught.

What it really will take is hooks to OS level protection for the Web browser. Microsoft got something right with the low security mode of IE7/IE8 in Vista/W7, but it would be good to be able to isolate add-ons completely from each other on the OS basis so they don't even share the same memory space as the browser, and absolutely no filesystem space, unless the user wants to save cache or objects (saved games or whatnot.) Essentially, the only thing most add-ons need is to be fed code from the Web page, and given space to render their interactive output.

Your Post is at Virus Risk!1! Scan? (3, Funny)

ackthpt (218170) | more than 3 years ago | (#33466746)

The biggest security hole is Microsoft's version of the javascript interpreter. They should collaborate with Google and adopt the rewrite for Chrome, it would solve half the problems right there.

BTW, I found a virius in yor post - clikc this link to free triel of PostScan 2010!

IE 9 won't share WSH's JS interpreter (3, Interesting)

tepples (727027) | more than 3 years ago | (#33466864)

The biggest security hole is Microsoft's version of the javascript interpreter.

IE 9 will not use Windows Script Host's JavaScript interpreter. I predict that this change will make it easier for Microsoft to maintain the integrity of the sandbox.

Re:IE 9 won't share WSH's JS interpreter (0)

sconeu (64226) | more than 3 years ago | (#33467386)

But then how can they claim that IE is an "integrated part of the OS" and not removable?

Re:IE 9 won't share WSH's JS interpreter (0)

Anonymous Coward | more than 3 years ago | (#33467406)

Why wait for IE 9 to not use WSH when I have a choice of great browsers that I can use right now that also don't use WSH? Yeah, I think I'll keep using Firefox, Chrome, Opera and Safari.

Re:IE 9 won't share WSH's JS interpreter (1)

JamesTRexx (675890) | more than 3 years ago | (#33469134)

And topping that off I use Sandboxie [sandboxie.com] with Firefox on the Windows machines.

Re:Not new... (2, Interesting)

_133MHz (1556101) | more than 3 years ago | (#33467086)

Another way to make these really obvious is to use your operating system with any language other than English. Malware writers don't bother with localization, so their fake error messages always display in English regardless of your actual OS language. Even the USB autorun viruses are dead easy to spot, you know something's fishy when there's a lonely English menu option in the Autorun dialog, usually "Open folder to view files" while the rest aren't.

Amazingly, most people still click on the damned things.
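A worked example, added here and not part of the thread or of any product: a small Python script that parses a removable-media autorun.inf and flags the trick the post above describes, an action= entry that copies the built-in "Open folder to view files" label so a bogus second entry shows up in the AutoPlay dialog (and, on a non-English Windows, shows up in English). The sample files, the list of hiding directories and the severity heuristics are assumptions made for the demo.

```python
"""Heuristic triage of an autorun.inf from removable flash media.

Added example, not code from the Slashdot thread. Parses the INI-style
file by hand (configparser chokes on the duplicate keys and odd casing
real samples contain) and reports entries that launch an executable
while wearing the default "Open folder to view files" label.
"""

# English label of the built-in AutoPlay action that malware copies.
ENGLISH_DEFAULT_OPEN = "open folder to view files"

# Keys that cause something to run when the media is inserted/opened.
LAUNCH_KEYS = ("open", "shellexecute")

# Directories malware commonly hides in on a USB stick (assumption).
HIDING_DIRS = ("recycler", "recycled", "$recycle.bin",
               "system volume information")

# Constructed sample: an infected stick's autorun.inf, not a real capture.
SAMPLE_MALICIOUS = r"""
[AutoRun]
; constructed sample modelled on the duplicate-entry trick
open=RECYCLER\S-1-5-21-1234567890-1\driver.exe
icon=%SystemRoot%\system32\shell32.dll,4
action=Open folder to view files
shell\open\command=RECYCLER\S-1-5-21-1234567890-1\driver.exe
shell\explore\command=RECYCLER\S-1-5-21-1234567890-1\driver.exe
shell=open
"""

# Constructed sample: what a vendor-branded stick legitimately ships.
SAMPLE_BENIGN = """
[autorun]
icon=vendor.ico
label=Backup Drive
"""


def parse_autorun(text):
    """Return {section: {key: value}} with lower-cased section/key names."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip().lower()] = value.strip()
    return sections


def assess_autorun(text):
    """Return a list of (severity, finding) strings for the [autorun] section."""
    autorun = parse_autorun(text).get("autorun", {})
    findings = []
    # open=, shellexecute= and shell\<verb>\command= all execute a target.
    launches = {k: v for k, v in autorun.items()
                if k in LAUNCH_KEYS
                or (k.startswith("shell\\") and k.endswith("\\command"))}
    for key, target in launches.items():
        findings.append(("high", f"{key}= launches {target!r} on insertion"))
        if any(d in target.lower() for d in HIDING_DIRS):
            findings.append(("high", f"{key}= points into a recycle-bin/system directory"))
    action = autorun.get("action", "")
    if action and launches:
        if action.lower() == ENGLISH_DEFAULT_OPEN:
            findings.append(("high", "action= copies the English default label; "
                                     "on a non-English Windows it is the lone English entry"))
        elif action.startswith("@"):
            # @dll,-id borrows the OS's own localized string for the label.
            findings.append(("medium", f"action= borrows a system resource string ({action})"))
    if "shell" in autorun and launches:
        findings.append(("medium", f"shell= makes {autorun['shell']!r} the default verb"))
    return findings


if __name__ == "__main__":
    for name, sample in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(f"== {name} ==")
        for severity, finding in assess_autorun(sample) or [("info", "nothing suspicious")]:
            print(f"  [{severity}] {finding}")
```

Optical media legitimately use open= for installers, so the "launches on insertion" finding is only a strong signal on USB flash media; the label-copying and hidden-directory findings are the ones that matter regardless of media type.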

Re:Not new... (0, Offtopic)

Runaway1956 (1322357) | more than 3 years ago | (#33468306)

;^( Not fair. I suffer from monolingualitis. I can't use another language. Think I can get disability from Social Security for that?

Re:Not new... (2, Insightful)

camperslo (704715) | more than 3 years ago | (#33467522)

Imitating warning pages or other elements of the UI is not a new tactic.

Perhaps browsers could be developed to use some feature that 3rd party pages couldn't easily duplicate? It might not be practical to use colors/effects etc not supported by standard browser features, but maybe a browser could be designed to display some preset USER SPECIFIC DATA or graphic that javascript and other net-driven browser code does NOT have access to?

Re:Not new... (1)

treeves (963993) | more than 3 years ago | (#33468980)

Didn't say it was a new technique or tactic, just a new piece of malware.
Would you prefer they don't say it was new in the headline (makes it rather awkward: "Malware imitates warning pages"), don't report it at all, or what?

Keepin' it real fake (-1, Redundant)

Anonymous Coward | more than 3 years ago | (#33466312)

Subject says it all.

Themes (5, Insightful)

characterZer0 (138196) | more than 3 years ago | (#33466342)

All the more reason to theme your window manager - it makes this stuff obvious.

Re:Themes (1)

clang_jangle (975789) | more than 3 years ago | (#33466410)

It's actually kind of hilarious sometimes to see Windows-style fake error messages when browsing in Opera on FreeBSD.

Re:Themes (1)

Smivs (1197859) | more than 3 years ago | (#33466436)

It's actually kind of hilarious sometimes to see Windows-style fake error messages when browsing in Opera on FreeBSD.

Yeah, love 'em. Opera/Ubuntu

Re:Themes (1)

daedae (1089329) | more than 3 years ago | (#33466790)

I saw one that replaced your HOSTS file to prevent you from going to Symantec, Kaspersky, etc., and show a host not found error instead. Sadly, it wasn't clever enough to check your browser first, so it displayed the IE error page in Firefox.
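A worked example, added here and not part of the thread: a Python check for the HOSTS-file tampering the post above describes. It parses the standard "IP hostname [alias ...]" format and reports any entry that touches a security-vendor domain, distinguishing sinkholing (loopback or 0.0.0.0, which produces the "host not found" effect) from redirection to some other address (which can feed the victim a look-alike page). The watchlist and the sample hosts file are constructed for the demo.

```python
"""Flag hosts-file entries that sinkhole or redirect security-vendor domains.

Added example, not code from the Slashdot thread. A clean hosts file
almost never mentions AV vendor or update domains, so any entry naming
one is worth a look; the address it maps to tells you whether the aim
was blocking or impersonation.
"""
import ipaddress

# Assumed watchlist of vendor/update domains; extend for your environment.
WATCHLIST = (
    "symantec.com", "symantecliveupdate.com", "norton.com", "kaspersky.com",
    "mcafee.com", "avg.com", "avast.com", "microsoft.com", "windowsupdate.com",
)

# Constructed sample of a tampered Windows hosts file, not a real capture.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1  www.symantec.com symantec.com   # sinkholed to loopback
0.0.0.0    www.kaspersky.com
127.0.0.1  liveupdate.symantecliveupdate.com
10.0.0.5   update.microsoft.com   # redirected to an attacker-controlled host
192.168.1.20  intranet.example.local
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, dropping comments, blanks and junk lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def _on_watchlist(hostname):
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHLIST)


def find_tampering(text):
    """Return [(ip, hostname, reason)] for watchlisted names found in the file."""
    findings = []
    for ip, host in parse_hosts(text):
        if not _on_watchlist(host):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, host, "unparseable address"))
            continue
        # Loopback/unspecified = the site is blocked ("host not found");
        # anything else = traffic goes somewhere the attacker chose.
        if addr.is_loopback or addr.is_unspecified:
            reason = "sinkholed (blocks the site)"
        else:
            reason = "redirected (possible phishing/MITM host)"
        findings.append((ip, host, reason))
    return findings


if __name__ == "__main__":
    for ip, host, reason in find_tampering(SAMPLE_HOSTS):
        print(f"{host:40s} -> {ip:15s} {reason}")
```

On Windows the file lives under %SystemRoot%\System32\drivers\etc\hosts; one caveat when triaging is that the path is configurable through the Tcpip\Parameters DataBasePath registry value, so a clean-looking file at the default location does not prove the resolver is reading a clean one.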

Re:Themes (1)

marcosdumay (620877) | more than 3 years ago | (#33467564)

WTF is that, privilege unescalling? If you can already replace the HOSTS file, why would you change a page to get the user clicking on something?

Re:Themes (1)

Rick17JJ (744063) | more than 3 years ago | (#33467174)

I once encountered a fake "Microsoft Warning" message on my Linux computer. That was probably about 5 years ago. The "Microsoft Warning" said that spyware had been detected on my computer. The pop-up recommended purchasing a specific anti-virus product to fix the problem. Seeing the Microsoft pop-up was funny, since I did not have any Microsoft products at all installed on my computer.

On two occasions since then, I have also been diverted to websites that claimed to have detected spyware and viruses on my computer. In both of those instances, I was browsing the Internet while using Firefox and Linux.

After having supposedly detected viruses and spyware on my computer they offered to scan my hard drive. When I tried to say "No" or close the tab or close the pop-up or whatever, the advertisement reappeared and pretended to begin scanning my drive "C." A progress bar showed the progress. After finishing, it listed the viruses and spyware which had supposedly been found in my registry and on drive "C." However, Linux does not designate hard drives or partitions by drive letters and Linux also does not have a registry.

My understanding is also that there has not yet been any problem with Linux viruses circulating in the wild. But, just to be safe, I looked up those virus names on the Internet, and found that they were listed as only affecting certain specific versions of Windows.

In one instance, after again declining to purchase their virus scanner, a box popped up asking me what program to use to open the Windows executable file that the website was attempting to download to my computer. It also gave me the option of saving the file to wherever I wanted on my hard drive, or canceling the download.

Re:Themes (1)

natehoy (1608657) | more than 3 years ago | (#33467450)

My understanding is also that there has not yet been any problem with Linux viruses circulating in the wild.

Not as much, but that doesn't make it impossible. Most Linux distro managers maintain ClamAV in their repositories. You might want to consider installing it.

Re:Themes (1)

Nadaka (224565) | more than 3 years ago | (#33468596)

There have been a few over the years, just like for Macs. Contrast that with tens of thousands for Windows.

Re:Themes (0, Troll)

Anonymous Coward | more than 3 years ago | (#33466414)

Or switch to Ubuntu or Linux Mint, not worry anymore about malware, and get on with your life.

Re:Themes (1)

cheekyjohnson (1873388) | more than 3 years ago | (#33466744)

Actually, even that isn't required. People just need to stop running random executable files that they find on the internet. Seriously, I don't even have anti-virus software and I don't even get viruses because I avoid stupid shit that's obviously a virus. Also, using IE doesn't help, either.

Re:Themes (1)

drumstik (624763) | more than 3 years ago | (#33467500)

That's actually not nearly enough these days - you're far behind the times ;) These days all you have to do is see an infected ad that slipped through, open a malicious PDF, put in an infected flash drive, etc. It's really sad to see Slashdot users - people who are supposed to be the cream of the nerd crop - spouting this decade-old stuff as if Conficker never existed. If you run Windows and do not run an antivirus solution, you are bad at computer security, full stop.

Re:Themes (1)

cheekyjohnson (1873388) | more than 3 years ago | (#33467728)

"you are bad at computer security, full stop."

Odd because I've *never* gotten a virus, and I don't use shitty browsers such as IE. The solution really *is* to not be an idiot, and you will avoid 99% of malware. Exploits are possible, yes, but they happen rarely, and certainly never happen to me. Seriously, the only reason that poorly made malware gets so many people is because 99% of the people who own computers barely know how to work a television remote.

Re:Themes (0)

Anonymous Coward | more than 3 years ago | (#33467932)

You don't need to even use IE the browser. Many other apps use the IE engine as part of their offering. I agree that if you are running a Microsoft O/S without virus/malware protection, then you are as at fault as anyone ... because you should know better.

Re:Themes (1)

cheekyjohnson (1873388) | more than 3 years ago | (#33468016)

"then you are as at fault as anyone"

At fault of what? That would be true if I had ever gotten a virus, but I haven't. In fact, no one I know that has any decent knowledge of computers has got a virus. Not because of some anti-virus software, but because they aren't complete idiots.

Re:Themes (1)

drumstik (624763) | more than 3 years ago | (#33468056)

I hope you're right, and you're lucky. Because if you're wrong, you likely wouldn't know it. You'd just spew out whatever infection vector the virus uses (and perhaps have some banking passwords stolen, as well).

Re:Themes (1)

cheekyjohnson (1873388) | more than 3 years ago | (#33468160)

Well, I do have anti-virus software, it's just not the kind that constantly looks out for viruses. I do scans every once in a while to get rid of spyware and such, but never really find any bad malware. I was mainly talking about the lack of need for that kind of anti-virus software.

Re:Themes (1)

jpapon (1877296) | more than 3 years ago | (#33468694)

The solution really *is* to not be an idiot, and you will avoid 99% of malware.

Ah, but you see, I want to avoid all of it.

Re:Themes (1)

cheekyjohnson (1873388) | more than 3 years ago | (#33468798)

That's likely impossible, anyway. Even with anti-virus software. Even with Linux, as there is always a chance that someone will find something to exploit.

Re:Themes (0)

Anonymous Coward | more than 3 years ago | (#33466822)

Or switch to Ubuntu or Linux Mint, not worry anymore about malware, and get on with your life.

Because malware cannot possibly coerce dumb users into installing a browser plugin in Linux or modify your user space. It's not that Windows is a fatter target with dumber users, Ubuntu is just that awesome.

Re:Themes (1)

maxwell demon (590494) | more than 3 years ago | (#33467126)

Of course not. BTW, for your security, you should install KnowScript. You surely have heard about it. Get it at www.evilmalware.com :-)

Re:Themes (0)

Anonymous Coward | more than 3 years ago | (#33467136)

My household members used to install junk all the time when we had Windows, bringing the system to a crawl. We've been on Ubuntu for a year now, and they don't have the password to install anything. It has been very stable.

I get asked every month or so to help someone fix their bloated windows zombie machine. I always suggest switching, but nobody has tried it yet.

Re:Themes (1)

Yvan256 (722131) | more than 3 years ago | (#33467502)

I get asked every month or so to help someone fix their bloated windows zombie machine. I always suggest switching, but nobody has tried it yet.

Keep suggesting switching, help people switch if necessary. But for crying out loud, stop doing free technical support for Microsoft.

Re:Themes (1)

kevinmenzel (1403457) | more than 3 years ago | (#33468006)

Because you couldn't do the same thing on Windows?

Re:Themes (0)

Anonymous Coward | more than 3 years ago | (#33467842)

Absolutely whole-heartedly agree. My mother used Windows for years and I constantly had to make visits to rid her machine of viruses and hijacked homepages and trojans, you name it. I personally started using Linux several years ago and knew how easy and hassle free a computing experience could be.

I mentioned to my brother that if mom keeps on calling me over to fix her Windows box, I was just going to install Ubuntu on it and call it a day. But he was like, "No man, she won't go for it. She has to have Internet Explorer and Word." So, finally, the last time I went to fix her crapped up box, I said, "Look, I have this other system called Linux and it does everything you normally do just with different programs. The main difference is, it isn't targeted by viruses and trojans so you will be able to use it without worrying about it constantly getting broken." After asking me if she could burn CDs, "write her book", etc. and me saying, "Yes yes yes." she relented.

That was the last time I ever had to fix her box. And she constantly raves to her friends about how fast and user friendly it is. Oh, and btw, she could never burn CDs in Windows because she couldn't remember the steps in WMP so I set her up with K3b and locked it to the audio CD profile and had it always start up in her Music directory with the menus disabled except for drag and drop and "burn". She burned her first CD about 5 minutes after I booted the system up for her the first time.

tl;dr The parent poster's advice is worth its weight in enriched uranium.

Re:Themes (5, Funny)

qoncept (599709) | more than 3 years ago | (#33466564)

So now we're up to, what, 1 legitimate reasons?

Re:Themes (1)

anorlunda (311253) | more than 3 years ago | (#33467054)

Uh thank you very much.

Practical and immediately useful advice from a Slashdot comment. What will they think of next?

Firefox personas (1)

Burz (138833) | more than 3 years ago | (#33468650)

I thought it was weird of Mozilla to push the personas idea since it seems tacky. But it's true that the window frame represents the security context for an application like a web browser, and a uniform customization of the frame would make the browser more secure against window imitation threats.

Why is this new? (3, Insightful)

HockeyPuck (141947) | more than 3 years ago | (#33466388)

There's plenty of rogue/fake AntiVirus programs [wikipedia.org] out there. Is the new part that they imitate your browser rather than looking like a real anti virus program?

Re:Why is this new? (1)

nigelo (30096) | more than 3 years ago | (#33466656)

Well, let's see now; from RTFS:

"auto-detects a user's browser and then imitates the relevant malware warning pages from Internet Explorer, Firefox, or Chrome...relying on the user's trust in their browser, a tactic that hasn't been seen before".

So, mebbe?

Re:Why is this new? (1)

Even on Slashdot FOE (1870208) | more than 3 years ago | (#33467066)

All of the ones I have seen so far have no idea what I am running, so that sounds like a new trick.

First Post! FTW ;) (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#33466394)

Yeah!

Possible solution (3, Interesting)

OnePumpChump (1560417) | more than 3 years ago | (#33466412)

The first time the browser is used, create a security image like bank websites use. Store that image or the word used to generate it someplace where the malware will presumably not be able to access it.

Re:Possible solution (1)

Darkness404 (1287218) | more than 3 years ago | (#33466460)

It already looks different than the genuine protection page (where it says to download and "upgrade") and so for the technically savvy people that should be an obvious red flag, for everyone else, they wouldn't know the difference with or without a security image.

Re:Possible solution (1)

jeffmeden (135043) | more than 3 years ago | (#33466724)

"Proven antivirus protection fin one click!"

Whether it's shark fin, mahi fin, or tuna fin is user-selectable...

Re:Possible solution (1)

Nadaka (224565) | more than 3 years ago | (#33468680)

"Proven antivirus protection fin one click!"

Whether it's shark fin, mahi fin, or tuna fin is user-selectable...

They are French malware writers.

What they really mean is "Proven antivirus protection ends in one click!"

Re:Possible solution (0)

Anonymous Coward | more than 3 years ago | (#33466802)

also technically savvy people don't need to use the browsers' built-in phishing/forgery protection. It only slows you down.

Re:Possible solution (1)

Thaelon (250687) | more than 3 years ago | (#33469252)

There's a study out there [computerworld.com] that has proven that those security images don't work.

The new part of this (5, Informative)

querist (97166) | more than 3 years ago | (#33466430)

One part is old - imitating the web browser error page, specifically the IE error page. I've had many a chuckle when running Galeon or some other Linux browser and seeing it pop up a well-imitated IE error page. The new part on this one is that they're checking which browser it is and making sure the error page matches the browser.

Re:The new part of this (0)

Anonymous Coward | more than 3 years ago | (#33466690)

This isn't really surprising at all. I thought about doing this when I was a kid. Are malware writers really so dumb that they *just* realized you could do this?

Captcha: fooled.

Re:The new part of this (1)

jj110888 (791178) | more than 3 years ago | (#33468416)

I've had many a chuckle when running Galeon or some other Linux browser and seeing it pop up a well-imitated IE error page.

They don't. IIS by default uses error pages that look very much like IE's. Newer versions of Firefox and all versions of Chrome ignore them (I think it does a file size test).

Get all the details at the conference. (1)

Just_Say_Duhhh (1318603) | more than 3 years ago | (#33466448)

Is this just an advance posting of a presentation at MalCon [slashdot.org] ?

These guys really need a conference to hone their skills, and take advantage of everyone who doesn't read /. daily (because those of us who do read /. daily are too smart to be conned by these losers). Right?

Re:Get all the details at the conference. (0)

Anonymous Coward | more than 3 years ago | (#33466478)

Yes correct because... hang on i'll reply in a minute. Got an error message.

Re:Get all the details at the conference. (1)

NevarMore (248971) | more than 3 years ago | (#33467484)

(because those of us who do read /. daily are too smart to be conned by these losers). Right?

I see that you are new here.

Bit of Advice (2, Insightful)

kid_wonder (21480) | more than 3 years ago | (#33466468)

You spend all this time writing this creative software (malware)...

Try fracking finding someone who can proofread your English; it's abysmal and frankly embarrassing. I realize it is not your native language but this lack of attention to detail is exactly the reason you find yourself writing malware in the first place ... oh and why the only people you manage to trick into this are on the bottom side of the intelligence bell curve.

Re:Bit of Advice (0)

Anonymous Coward | more than 3 years ago | (#33466572)

Thanks you for a advice. Are you available profread for me? Pay $1000 day, work at home. Send name and bank number to malgod@malgot.org an will advance you paymet for first work.

Re:Bit of Advice (1)

jeffmeden (135043) | more than 3 years ago | (#33466754)

Thanks you for a advice. Are you available profread for me? Pay $1000 day, work at home. Send name and bank number to malgod@malgot.org an will advance you paymet for first work.

Corrction: malgod@malgod.org

You owe me $1000, send me your bank account number and I will collect the fee directly.

Re:Bit of Advice (3, Funny)

LocalH (28506) | more than 3 years ago | (#33466880)

Corrction: malgod@malgod.org

Correction: "Correction"

You owe me $10,000, as I'm charging my standard rates for proofreading for proofreaders.

Re:Bit of Advice (0)

Anonymous Coward | more than 3 years ago | (#33467348)

Thanks you grately, response better after you post the corection. I now have several goodly English speekers to assist, but now my bank account is vacant from they payments.

Having cash and not wanting to delay your payment until the bank in Nigeria open again on monday I send your fee via Wesern Union, receipt number 3819684492.

Re:Bit of Advice (1)

click2005 (921437) | more than 3 years ago | (#33466626)

I would say let those idiots get scammed if they're stupid enough to fall for this sort of obvious fake. Unfortunately it'll only get worse until some politicians get paid to propose a bill that will require ISPs to filter bad traffic to protect Joe Public. ISPs will of course use that as an excuse to get around any net neutrality rules that get proposed. Eventually all traffic not pre-approved will get filtered/blocked/downgraded.

Re:Bit of Advice (0)

Anonymous Coward | more than 3 years ago | (#33466958)

I would say let those idiots get scammed if they're stupid enough to fall for this sort of obvious fake.

Doesn't work, because eventually letting crooks get away with robbing people will impact you, it's not possible to get all of them, but if you don't try, they run rampant, and get up to you.

If nothing else, it just means that everybody decides that he needs to look out for himself, and so...

Re:Bit of Advice (1)

Beerdood (1451859) | more than 3 years ago | (#33466710)

Lol at the firefox warning button here [microsoft.com]

"Get me our of here and upgrade"

So what, you're getting me one more 'our of browsing on this site before I have to upgrade? Allright, I'll upgrade in an hour.

Re:Bit of Advice (2, Insightful)

cheekyjohnson (1873388) | more than 3 years ago | (#33466776)

"oh and why the only people you manage to trick into this are on the bottom side of the intelligence bell curve."

So... 99% of the people that own computers?

Re:Bit of Advice (2, Interesting)

RJHelms (1554807) | more than 3 years ago | (#33466820)

I was going to post exactly this. The sample Google Chrome image in the article is immediately obvious as a fake because real Chrome warning pages have proper subject-verb agreement and don't have character encoding images. I imagine Firefox warning pages don't have the two buttons overlapping.

I'm really forced to wonder this about a lot of malware and phishing scams - I somewhat frequently get e-mails telling me I won an "iPhone-4G" on "Facebooks"; how hard is it to get those right?

At the same time, I think you hit on exactly why they don't bother with this. The bottom side of the intelligence bell curve is still half of the people who will see the page, and they are the same people who are more likely to fall for it even when there are no errors with the English. I imagine it simply doesn't pay to shell out any amount of money for proofreading.

Re:Bit of Advice (2, Insightful)

flimflammer (956759) | more than 3 years ago | (#33467264)

oh and why the only people you manage to trick into this are on the bottom side of the intelligence bell curve.

I disagree with this line entirely.

Sure, those of us at Slashdot may realize the obvious attempts at breaching our computers' safety, but not everyone realizes they need to distrust and scrutinize every little thing they come across, especially when it looks like a very legitimate message from the browser itself (English errors notwithstanding). Even still, that doesn't make them completely stupid, just naive.

Security Fix Schedule (2, Interesting)

ackthpt (218170) | more than 3 years ago | (#33466618)

Firefox will have it fixed within hours.
Chrome will have it fixed within days.
Microsoft will issue a patch within months.

Re:Security Fix Schedule (1)

nasalicio (122665) | more than 3 years ago | (#33467022)

If that wasn't so true it'd be hilarious. Sadly, too, you can be assured that if/when MS does release a patch, they will wait until a Tuesday to do so.

Re:Security Fix Schedule (2, Insightful)

mrsquid0 (1335303) | more than 3 years ago | (#33467200)

> Firefox will have it fixed within hours.
> Chrome will have it fixed within days.
> Microsoft will issue a patch within months.

Apple will ignore it.

Re:Security Fix Schedule (1)

blai (1380673) | more than 3 years ago | (#33468216)

> Microsoft will issue a patch within months.

Microsoft will issue a patch?

Re:Security Fix Schedule (4, Insightful)

gaspyy (514539) | more than 3 years ago | (#33469066)

That'd be the day - when a browser developer can issue a patch for human stupidity.

But that web site was SECURE! (4, Funny)

Junior J. Junior III (192702) | more than 3 years ago | (#33466624)

The .gif image of a shield SAID SO!

Re:But that web site was SECURE! (1)

jeffmeden (135043) | more than 3 years ago | (#33466788)

This part never fails to amuse me. An arbitrary image that happens to say "it's safe because I said so, and look; I even know what day it is today!" makes me feel GREAT about the web site. It needs to say "go find the lock icon in your browser. does it look locked? good. on your way."

When will the Anti-Malware people... (0)

Anonymous Coward | more than 3 years ago | (#33466660)

Write anti-malware that looks like malware, or their most common sources? The Public certainly has a knack for finding it.

Disguise your anti-malware as: New Torrent Software, Cracked Versions of Popular games/key generators, Latest nude pic of the current fad celebrity, or hooked into some flash/pdf vulnerability

Malware would be driven to an all time low in a couple of years.

Linux users (1)

digitalhermit (113459) | more than 3 years ago | (#33466736)

Bastards, I use Elinks. Couldn't they at least humor me and do background=#00000000 and set the font to courier 10 in neon green?

Malware? (2, Funny)

dandart (1274360) | more than 3 years ago | (#33467172)

Is there a Linux port? I'd love some malware. I miss having people trying to install software on my computer without permission! Maybe I should go get a Mac.

Re:Malware? (1)

Yvan256 (722131) | more than 3 years ago | (#33467418)

What's funny is all those fake warning boxes trying to trick me.

"Windows XP has detected a problem!" ...really? I thought my Mac mini was running Snow Leopard!? I guess I was wrong!

Antivirus is malware anyway (0)

Anonymous Coward | more than 3 years ago | (#33467318)

Always has been. Always will be. I'm educated. I don't punch the monkey. The two times I can think of where I got compromised, it was because I was on one of "those" sites. Yes, I admit it. The other time was Nimda, one of the rare email attacks that actually worked without the user being tricked.

Given the frequency with which I've been affected, it doesn't make sense to pay continuously, either with money or lost CPU cycles.

Responding to the Nimda attack by purchasing and installing A/V would have been like launching wars against two whole nations in response to an attack by rogue elements from one nation...

Re:Antivirus is malware anyway (0)

Anonymous Coward | more than 3 years ago | (#33467542)

> I don't punch the monkey. The two times I can think of where I got compromised, it was because I was on one of "those" sites. Yes, I admit it.

Surely you see the contradiction here.

PS: I think the term is "spank".

Just Hurting Kids and Old People (4, Interesting)

ideonexus (1257332) | more than 3 years ago | (#33467392)

What offends me most about these malware tactics is that I'm savvy enough to recognize the spoof, but the low income kids and old people in my neighborhood aren't. I know not to click on anything that pops up in my browser when I'm surfing, but every week I get people on my porch needing help cleaning out their infected systems, which I do, and they get infected again within a week. How can these malware authors take pride in preventing little kids and old people from accessing the Internet or their software? Where's the sport? What pathetic losers.

Re:Just Hurting Kids and Old People (1)

smegmatic (1145201) | more than 3 years ago | (#33468070)

Malware authors are not the first dishonest people to make money off of children and old people. I doubt they care if you think they are "pathetic losers". I doubt they take pride in what they do. I doubt they're doing it for sport. They just want some money.

What about us? (2, Insightful)

Yvan256 (722131) | more than 3 years ago | (#33467532)

> ...auto-detects a user's browser and then imitates the relevant malware warning pages from Internet Explorer, Firefox, or Chrome.

What about Safari and Opera users?

Re:What about us? (1)

RJHelms (1554807) | more than 3 years ago | (#33467846)

Real Safari users use Chrome.

Re:What about us? (1)

Yvan256 (722131) | more than 3 years ago | (#33468046)

I know both use Webkit, but I think they use different Javascript engines.

Re:What about us? (0)

Anonymous Coward | more than 3 years ago | (#33468528)

All three of you?

Re:What about us? (1)

Yvan256 (722131) | more than 3 years ago | (#33469488)

Safari is available on Mac OS X, Windows, iPhone, iPod touch and iPad.
Opera is available on Mac OS X, Windows, Linux, Nintendo Wii and Nintendo DSi, and a shitload of smartphones.

Still think there's only three Safari or Opera users?

Seen it (2, Interesting)

ReederDa (1874738) | more than 3 years ago | (#33467820)

I've actually seen this malware in action. If you're infected and it decides to start running, there's not really much you can do. Disables the task manager as well. Library computers are most at risk.

Re:Seen it (2, Informative)

WildBlueYonder (1714974) | more than 3 years ago | (#33467948)

Not only does it disable the task manager, this (or a variant of it) disables Control Panel and ways to get to useful parts of the control panel without going through it (like running msconfig.exe directly). They also change your proxy settings on your web browsers so that you can't go online to attempt to troubleshoot the problem. At this point even an above-average computer user can be flummoxed as most of the basic tools are taken away from them. Although after this point they kinda drop the ball. Once you go into safe mode and look at the start up tasks, the offending processes have been random collections of letters. Seems odd that they don't name themselves "Microsoft Security Panel" or something else like that.

Re:Seen it (0)

Anonymous Coward | more than 3 years ago | (#33468638)

Naming the processes something readily identifiable like that makes it easier for people tasked with cleaning it up to take countermeasures. The random naming makes that harder and also makes it easier to quickly recreate the process when it's removed.

fir5t# post (-1, Troll)

Anonymous Coward | more than 3 years ago | (#33468284)

BSDJ sux08s. What and, after initial

Grammar (1)

yoyhed (651244) | more than 3 years ago | (#33468910)

Looking at these new screenshots, they STILL have fucking grammar issues. If I'm going to fall for something, it's not going to be an error page with spelling errors and unnecessary exclamation points. How hard would it be for these fuckers to find a native English speaker to proofread their shit for them? Jeez.

sounds familiar... (0)

Anonymous Coward | more than 3 years ago | (#33469390)

I became infected by a similar virus about a week or so ago. I do not remember doing anything out of the ordinary that made me susceptible to intrusion, but I will say that I was on a website that uploads the latest raw scans of just-released Japanese manga chapters. There are a lot of worries going to these sites, such as pop ups and redirects, but I have never had any problem in the past. You can usually close out these pop ups and redirects before they are allowed to load. Anyways, that is the only questionable activity I can think of that would have caused my computer to catch this virus.

I was surfing the internet, submitting homework via internet portals, and just basic operations when I noticed that I wasn't connected to the internet anymore. I looked at my connections to confirm that I was connected, which I was, but I still couldn't access any sites. Then, in my minimized icon list in the bottom right of my desktop, a warning message popped up that looked very similar to a Microsoft Windows warning box/message. (I wish I printscreened these messages, they would help reinforce my experience). The message said something like, "34 malicious viruses were found on your computer. Upgrade antivirus software to delete them." (I'm paraphrasing because I do not remember word-for-word what the message said). I was hesitant to click on the message, but I wanted to investigate further. So, I click on it and a program pops up on my screen, similar to any antivirus pop up menu, and begins to do a scan of my computer. It gets to about 12% when I stop it and cut my connections, physically and electronically. The name of this "anti-virus" program was "AV Security Suite." During the 12% of scanning it was able to do before I turned off my network connections, it stated that it found 34 viruses, spyware, etc. and that if I wanted to delete these malicious software I would have to upgrade by logging on to a website that AV Security Suite directs you to, and this upgrade will cost money.

(I want to state that I was skeptical the very second I saw the "Microsoft Windows warning message." This message, the AV Security Suite template, and the various other pop ups looked distinctly different than anything similar in nature that I have seen in windows, that's legitimate. These were different in that their font and placement of text and headers on the templates were different and inferior to that of legitimate Windows warnings. To the naked eye and merely glancing at the messages, it is still relatively easy to overlook their inadequacies.)

At this point I try to open my task manager, I try to scan my computer, I tried to do a lot of diagnostic stuff but to no avail. Every time I tried to open one of these applications a pop-up would come up saying, "[blank] is infected and cannot be opened." I wasn't even allowed to restore my computer to a previous point. I was stuck. This was the only computer that I had access to at 2 in the morning and I didn't want to reconnect to the internet with an infected computer, so I had to wait until the next day to find another computer to search the internet for information on this AV Security Suite and how to fix my computer.

Upon searching for suggestions, I found that this Security Suite was indeed a virus and a very annoying one at that. It is installed from a trojan, which was downloaded from searching the internet. AV Security Suite blocks all applications unless the file name of the executable is for a web browser. This explains why I couldn't pull up my task manager or run diagnostic tests. I found out that the way to temporarily disable this virus is to restart the computer and bring up the task manager before AV loads up. Once you bring up the task manager, search through your processes until you find something that you do not recognize. I say, "...not recognized," because apparently the virus has variations of its name and it could be named something different on other people's computers. The process on my computer was called, "wtimhmishdw.exe." I stopped all processes for it and subsequently I was able to access all of my applications again. But, this was only a short term solution. Unless you completely get rid of this virus, you will have to repeat this process every time you start your computer.

(I also want to state that, in my searches, I came across a comment on this purchasing of their product. I can't remember what the price was, but they say it is something around $30 but they will actually bill you something around $200.)

When I stopped this process, I immediately started my smart, in depth, scan of my computer using ESET Smart Security. When it was complete, guess what, nothing out of the ordinary was found. I then ran Windows Defender and scanned my computer; again nothing was found. So, just to be sure that the virus was still somewhere in storage, I restarted my computer without bringing up my task manager. Did the virus reload and infect my diagnostic software and prompt me to buy their product? Yes, it did.

I then restarted my computer, but this time I loaded in safe mode with networking. Here I brought up my control panel and ran scans on everything that there was an option for, to check for any problems or suggestions. Eventually, under the "start up program" scan, the scan brought up "Steam" and something called "[Blank]" (I can't remember what the actual name of this program was, but the location of the program was [C:\Users\Name\AppData\Local\avvygxirn\wtimhmishdw.exe). Look, "wtimhmishdw.exe," this was the name of the process I stopped, that was infecting my diagnostics software. I then had the control panel stop and never allow this program to run upon start up.

After I did that I opened up IE, went to Internet Options, went to Connections, clicked on LAN settings, only to find that the "Proxy server" option was selected. I then changed that option back to "Automatically detect settings."

I restarted my computer without opening my task manager to find a working desktop without any infections to my diagnostic applications or any changes to my LAN settings. All seemed well until I ran two more in depth scans, one after the other, using ESET and Defender. Neither was successful in finding and deleting this virus, but the virus wasn't causing any more harm, for now.

Over the next week, I ran scans multiple times a day, until on 9/1/2010 ESET found C:\Users\Name\AppData\Local\avvgxirn\wtimhmishdw.exe - a variant of Win32/Kryptik.GJM trojan - cleaned by deleting - quarantined

and also found C:\Users\Name\AppData\Local\Temp\google.exe - a variant of Win32/Kryptik.GJM trojan - cleaned by deleting - quarantined.

I hope they are gone for good, because this was such a pain in the ass.
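WildBlueYonder's comment above and the first-hand account just above describe the same persistence pattern from the defender's side: a startup entry launching a randomly named .exe out of a randomly named folder under AppData\Local (or out of Temp), browser proxy settings switched on without the user's knowledge, and Task Manager locked. The script below is an added example, not code from the page, from Microsoft or from any AV vendor. It turns those three symptoms into triage checks. The registry key paths and value names it reads on a live Windows box (the HKCU Run key, ProxyEnable/ProxyServer under Internet Settings, DisableTaskMgr under Policies\System) are assumptions about where such entries live; the sample entries and the proxy value are constructed to mirror the path reported in the thread, not captured data.

```python
"""Triage checks for the rogue-AV symptoms described in the thread.
Added example, not code from the page; registry locations are assumptions."""
import re
import sys
from dataclasses import dataclass

VOWELS = set("aeiou")
# Assumed HKCU locations; all three are standard Windows keys.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
INET_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"


def looks_random(token: str) -> bool:
    """'A random collection of letters': 8+ letters with few vowels or a
    long consonant run. Real names such as 'OneDrive' or 'microsoft' pass."""
    t = token.lower()
    if not re.fullmatch(r"[a-z]{8,}", t):
        return False
    vowel_ratio = sum(c in VOWELS for c in t) / len(t)
    longest_run = max((len(m) for m in re.findall(r"[^aeiou]+", t)), default=0)
    return vowel_ratio < 0.25 or longest_run >= 4


@dataclass
class StartupEntry:
    name: str      # value name in the Run key
    command: str   # command line it launches


def exe_path(command: str) -> str:
    """Extract the executable path from a Run command line (quoted or bare)."""
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ")[0]


def triage_startup(entries):
    """Return (entry, reasons) pairs for entries matching the thread's pattern."""
    findings = []
    for e in entries:
        path = exe_path(e.command)
        parts = path.split("\\")
        stem = parts[-1].rsplit(".", 1)[0]
        parent = parts[-2] if len(parts) > 1 else ""
        low = path.lower()
        reasons = []
        if "\\appdata\\local\\" in low and looks_random(parent) and looks_random(stem):
            reasons.append("random-named .exe in a random-named folder under %LOCALAPPDATA%")
        if "\\temp\\" in low and low.endswith(".exe"):
            reasons.append("executable launched straight from a Temp directory")
        if looks_random(e.name):
            reasons.append("Run value name is a random string")
        if reasons:
            findings.append((e, reasons))
    return findings


def triage_settings(inet: dict, policy: dict):
    """Flag a proxy the user may not have set and the Task Manager policy lock."""
    reasons = []
    if inet.get("ProxyEnable") == 1:
        reasons.append(f"proxy enabled: {inet.get('ProxyServer', '<empty>')}; compare with what you configured")
    if policy.get("DisableTaskMgr") == 1:
        reasons.append("DisableTaskMgr=1: Task Manager is locked by policy")
    return reasons


def collect_live():
    """Windows only: read the assumed HKCU keys above with winreg."""
    import winreg
    entries, inet, policy = [], {}, {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as k:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(k, i)
            except OSError:
                break
            entries.append(StartupEntry(name, str(data)))
            i += 1
    for key, names, out in ((INET_KEY, ("ProxyEnable", "ProxyServer"), inet),
                            (POLICY_KEY, ("DisableTaskMgr",), policy)):
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key) as k:
                for n in names:
                    try:
                        out[n] = winreg.QueryValueEx(k, n)[0]
                    except OSError:
                        pass
        except OSError:
            pass
    return entries, inet, policy


# Constructed sample mirroring the path reported in the thread; not captured data.
SAMPLE_ENTRIES = [
    StartupEntry("Steam", r'"C:\Program Files (x86)\Steam\steam.exe" -silent'),
    StartupEntry("OneDrive", r'"C:\Users\Name\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    StartupEntry("avvygxirn", r"C:\Users\Name\AppData\Local\avvygxirn\wtimhmishdw.exe"),
    StartupEntry("google", r"C:\Users\Name\AppData\Local\Temp\google.exe"),
]
SAMPLE_INET = {"ProxyEnable": 1, "ProxyServer": "http=127.0.0.1:5555"}  # constructed
SAMPLE_POLICY = {"DisableTaskMgr": 1}                                     # constructed

if __name__ == "__main__":
    if sys.platform == "win32" and "--live" in sys.argv:
        entries, inet, policy = collect_live()
    else:
        entries, inet, policy = SAMPLE_ENTRIES, SAMPLE_INET, SAMPLE_POLICY
    for entry, reasons in triage_startup(entries):
        print(f"[startup] {entry.name}: {entry.command}\n    - " + "\n    - ".join(reasons))
    for r in triage_settings(inet, policy):
        print(f"[settings] {r}")
```

Run without arguments it works over the constructed sample and reports the avvygxirn entry (random folder and file name, random value name) and the Temp entry, plus the proxy and Task Manager flags; `--live` on Windows reads the current user's own keys instead. The name heuristic is deliberately loose and only scores letters-only tokens of eight characters or more, so it is a prompt for a human to look at the entry, not a verdict, and a proxy finding only tells you to compare the value against what you actually configured.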
