
New Malware Simulates Hard Drive Failure

timothy posted more than 3 years ago | from the just-a-healthy-reminder dept.

Security 294

An anonymous reader writes "A nasty strain of malware goes beyond mere sensational alerts, it makes it seem the user's hard drive is failing. It moves files from All Users and the current Windows user's profile into a temporary location, making it appear as though problems with the hard drive are causing files to disappear. It also disables a user's ability to change wallpaper images and sets registry keys to hide certain icons — giving the impression that programs are going missing as well. Of course, it's all done in an attempt to get people to buy the software that will fix it."


294 comments


Hey buddy! (4, Funny)

MrEricSir (398214) | more than 3 years ago | (#36197750)

Nice computer you got there. Would be a shame if anything were to happen to it. My buddy Vinny here, he sells "protection" against these kinds of problems. You pay every week, and there ain't gonna be no problems, capiche?

Re:Hey buddy! (-1)

Anonymous Coward | more than 3 years ago | (#36197828)

I suppose you think all hoods are Italian, and all Italians are like Goodfellas and Jersey Shore? RACIST ASSHOLE.

Re:Hey buddy! (0)

Anonymous Coward | more than 3 years ago | (#36197962)

Italians are not a race. They are a nationality.

Re:Hey buddy! (0)

blair1q (305137) | more than 3 years ago | (#36198046)

Racists don't get to define the semantics of their demonization.

Re:Hey buddy! (0)

Anonymous Coward | more than 3 years ago | (#36198356)

the word you're looking for is bigot in this case

Re:Hey buddy! (3, Interesting)

PCM2 (4486) | more than 3 years ago | (#36198396)

Actually I think the word you both are looking for is "straw man."

Re:Hey buddy! (0)

wmbetts (1306001) | more than 3 years ago | (#36197992)

They're not?

Re:Hey buddy! (-1)

Anonymous Coward | more than 3 years ago | (#36198122)

Where did the parent post say anything about Italians? Are you saying that only Italians can name their kid Vinny? Gee, I guess you are the one who is messed up.

Re:Hey buddy! (0)

Anonymous Coward | more than 3 years ago | (#36197910)

What is a "All Users" and what do you mean "Windows"? This is a basement! I have only doors! And I'm the only one here.

Re:Hey buddy! (-1)

Anonymous Coward | more than 3 years ago | (#36198276)

except your mom

Re:Hey buddy! (-1)

Anonymous Coward | more than 3 years ago | (#36198590)

no, moms upstairs making me sandwich.

Re:Hey buddy! (5, Funny)

ozmanjusri (601766) | more than 3 years ago | (#36198366)

what do you mean "Windows"?

"Windows" is a computer operating system used by many people, most often without the owner's permission.

Re:Hey buddy! (2)

R3d M3rcury (871886) | more than 3 years ago | (#36198168)

This reminds me of a funny trick to play on somebody from back in my mainframe days...

Create a directory with the same name as the home directory inside the user's home directory. Set a login script to place the user into that directory.

So they try to get to their files and there's nothing there. Everything looks normal. Usually, someone with half-a-clue can figure it out pretty quickly, but it does provide that brief moment of terror that gets the blood pumping in the morning.

Re:Hey buddy! (3, Funny)

Anonymous Coward | more than 3 years ago | (#36198374)

that reminds me of a trick I used to play back in my mainframe days too. I'd just delete everything a user had in their directory. Man you should have seen the look on their faces. I'll never forget the feeling over power I experienced either....

Re:Hey buddy! (0)

Anonymous Coward | more than 3 years ago | (#36198520)

Nowadays it's more fun with mount --bind over the top of their home directory.

Re:Hey buddy! (1)

mcavic (2007672) | more than 3 years ago | (#36198536)

Or in the DOS days, create a RAM disk and substitute it for Drive C. Very convincing.

Re:Hey buddy! (2)

MstrFool (127346) | more than 3 years ago | (#36198552)

There was a prank going around the Gateway 2000 tech centers that I found quite amusing. Do a screenshot of the desktop, set it as the background, then move the icons to a folder. I found it really showed the clued from the clueless. Quite a few techs called for someone to fix their system. And no, I wasn't the one doing it, though I was the one to fix it many times.

Re:Hey buddy! (1)

black mariah (654971) | more than 3 years ago | (#36198658)

Pulled this one on my parents many times over the years. It never fails to amuse.

The Game of Catchup (4, Insightful)

MightyMartian (840721) | more than 3 years ago | (#36197756)

Had this one get on one of the computers I administer. Managed to poison the profile and for a brief while I thought the files had been deleted. Of course, I got the inevitable "isn't your AV and anti-malware software up to date", to which I responded "As much as can be, the user is relied upon not to be a simpering moron who clicks on every possible link."

Oh, and by the way, Microsoft, your fucking browser still sucks and is still atrociously insecure. Shape up, Redmond.

Re:The Game of Catchup (0)

Anonymous Coward | more than 3 years ago | (#36197804)

This is why the only solution is a GNU/Linux solution. You tell people two simple things. Click the update button when the updates happen and don't download ANYTHING. If you want a program click the Ubuntu Software center and search for it. Everything else is going to potentially infect you.

Re:The Game of Catchup (1, Interesting)

bleble (2183476) | more than 3 years ago | (#36197820)

You tell people two simple things. Click the update button when the updates happen

How do you think that will work out? The bad guys will just craft their website to look like an update and the user will stupidly run it just like before.

Re:The Game of Catchup (1)

RobbieThe1st (1977364) | more than 3 years ago | (#36198674)

Except that it won't: The user'd have to:
1. Click on the fake link.
2. Accept the file download (FF at least asks you to save or cancel with any download)
3. Right-click the saved file, click properties, and check the 'make executable' button.
4. Double click on the application, and then enter your password.

I think that'd take some doing to convince the user to do all that, especially when the user's used to clicking on the Main Menu -> System -> Update or w/e.

Re:The Game of Catchup (3, Informative)

MobileTatsu-NJG (946591) | more than 3 years ago | (#36198202)

This is why the only solution is a GNU/Linux solution..

I'd love to see your MRI scan while you tell people this.

Re:The Game of Catchup (1)

PsychoSlashDot (207849) | more than 3 years ago | (#36198272)

This is why the only solution is a GNU/Linux solution. You tell people two simple things. Click the update button when the updates happen and don't download ANYTHING. If you want a program click the Ubuntu Software center and search for it. Everything else is going to potentially infect you.

That's cute, but if users were inclined to obey exactly those instructions, Windows would be fine.

Re:The Game of Catchup (3, Insightful)

Attila Dimedici (1036002) | more than 3 years ago | (#36198412)

Except that Windows does not have anything like the Ubuntu Software center, or whatever the repository is called in other distributions.

Re:The Game of Catchup (1)

toadlife (301863) | more than 3 years ago | (#36198494)

And when Ubuntu moves from 1% to 85% of the desktop market share (any day now, right?), we'll get to see how well that repository model scales.

Re:The Game of Catchup (2)

Attila Dimedici (1036002) | more than 3 years ago | (#36198640)

That is certainly a possibility. However, the repository model does certainly provide for much greater security, especially when it contains such a large range of free software as most current Linux distributions. Considering that the Apple iOS app store model is the same sort of distribution model, it seems likely that it scales.

Re:The Game of Catchup (1)

bensode (203634) | more than 3 years ago | (#36198500)

Except that Windows does not have anything like the Ubuntu Software center, or whatever the repository is called in other distributions.

Sure it does. I believe it rhymes with torrent.

Re:The Game of Catchup (1)

Attila Dimedici (1036002) | more than 3 years ago | (#36198606)

If you think that is the same, you have not worked with Linux.

Re:The Game of Catchup (1)

Moryath (553296) | more than 3 years ago | (#36197818)

This is also why end-users shouldn't have install rights. Period.

Re:The Game of Catchup (3, Insightful)

The Dawn Of Time (2115350) | more than 3 years ago | (#36197902)

"it's like a computer, only useless."

Re:The Game of Catchup (0)

somersault (912633) | more than 3 years ago | (#36197996)

What "useful" stuff do you need installed that you can't ask IT to install?

Re:The Game of Catchup (1)

Moryath (553296) | more than 3 years ago | (#36198094)

Nothing, really.

Especially in the days when a simple Remote Help session to take screen control and approve/deny the program is all that's needed.

If you're going to have end-users running with install rights, you're going to have orders of magnitude more infections. Partly because they are going to reflexively "click yes" on every single thing they see, partly because you're going to have a defined population of users who are the kind of morons who install every "ooh look it's free" widget from Bonzi Buddy to Weatherbug and all the tagalongs and security holes that come in along with them.

Re:The Game of Catchup (1)

MightyMartian (840721) | more than 3 years ago | (#36198156)

As I said, the user could not install the malware on the system, but they had execution rights to their own folders, so it poisoned their profile. I was going to implement a GPO-based SEP, only to find out it's trivial to bypass.

Re:The Game of Catchup (2)

19thNervousBreakdown (768619) | more than 3 years ago | (#36198162)

Anything I want to use less than two weeks from now.

Re:The Game of Catchup (1)

Anonymous Coward | more than 3 years ago | (#36198664)

Our IT department has a very narrow concept of what is useful: MSOffice, the various corporate database software packages, group email and that's pretty much all they are willing to manage for my dept. If we want anything else, we pretty much have to purchase and install it ourselves out of dept budgets or our own pockets. What about all the little utilities and other essential but unsupported software that makes my workday so much easier? UltraEdit, ACDSee, Teleport Pro, SecureCRT, VNC, Photoshop, Acrobat, CorelDraw, WinAmp and VLC (for background music or lunch breaks), Firefox, Mozilla Prism (awesome app BTW), Truecrypt, Vice Versa for backup, DragonDictate... that's just off the top of my head. I rely on all those apps to "do my job" in the most efficient manner, but most are not IT supported. So I insist that any PC IT provides has me listed as an admin with install rights. The general IT bias is against this concept, but in the real world people are much more productive when they don't need to beg the helpdesk staff every time they want to install something, or justify its use to a committee.

Re:The Game of Catchup (3, Informative)

mrnobo1024 (464702) | more than 3 years ago | (#36198142)

That's all well and good in a corporate environment, but do you really expect every home user to have his own personal IT department?

Re:The Game of Catchup (4, Funny)

Bacon Bits (926911) | more than 3 years ago | (#36198492)

My relatives certainly seem to think they do.

Re:The Game of Catchup (1)

Moryath (553296) | more than 3 years ago | (#36198662)

No, but why should they be running as superuser just to open their email client?

Re:The Game of Catchup (1)

Anonymous Coward | more than 3 years ago | (#36197898)

I got this virus the other day, running Firefox on Vista Ultimate 64 bit :(

Not sure this one is an IE issue. Had Trend Micro business security on here as well and that sure as hell didn't catch it either ;/ Managed to remove it easily enough in safe mode though - although it was largely manual.

Re:The Game of Catchup (0)

Anonymous Coward | more than 3 years ago | (#36197928)

Blame the browser, but not the simpering morons, since this time they don't have to click on anything in IE -- had this happen to me a week or two back. Work machine, XP, admin account, and only IE8 allowed. (Yeah, my employer seems to hate themselves pretty badly.)

Re:The Game of Catchup (0)

Anonymous Coward | more than 3 years ago | (#36198462)

No, don't blame the browser. Blame either: the Adobe vulnerability that allowed the exploit, or the IT dept. that didn't patch the exploit or allowed the user to run with admin rights. The browser had nothing to do with it. As mentioned above, you get the same thing using Firefox; since the exploits are Flash or Adobe Reader, the browser really has nothing to do with it.

Re:The Game of Catchup (1)

LurkerXXX (667952) | more than 3 years ago | (#36198504)

Bah, I'm at a major research hospital. The inept IT department has us all on IE6.

Re:The Game of Catchup (3, Insightful)

gad_zuki! (70830) | more than 3 years ago | (#36198050)

>Oh, and by the way, Microsoft, your fucking browser still sucks and is still atrociously insecure. Shape up, Redmond.

Really? Care to point to some statistics showing me big holes in IE9 that are actively used by malware?

Not much out there. Oh, there's no shortage of Java, Flash, and Adobe Reader holes, and according to stats lifted from crimepacks those are the ones used.

I just looked at the stats on my website. 90% of those users have Java installed. How many of those are the latest version? Maybe 50%. Most of the Flash installs are not the latest version. Who knows what version of Reader they have.

Plugin security is a nightmare right now. Blame Sun and Adobe for not having autoupdaters like Chrome does for Flash. Joe User has no idea what he's doing with a computer. Blaming MS isn't really helping him.

Re:The Game of Catchup (1)

uctechdude (921990) | more than 3 years ago | (#36198084)

>Really? Care to point to some statistics showing me big holes in IE9 that are actively used by malware?

Microsoft has a relevant web browser??? I thought Java and Flash were exploits for IE. Both have updaters but you don't _have_ to install them. There is no forced update like Chrome uses.

Re:The Game of Catchup (1)

machine321 (458769) | more than 3 years ago | (#36198244)

Java and Adobe reader *do* have autoupdaters. How do you think toolbars get installed?

Re:The Game of Catchup (0)

Anonymous Coward | more than 3 years ago | (#36198182)

Just out of curiosity, how is IE9 "atrociously" insecure? I use it as much as Firefox and never had any issues.

Re:The Game of Catchup (0)

Anonymous Coward | more than 3 years ago | (#36198470)

After receiving my ThinkPad W520 (i7-2920XM) from Lenovo, which came with Win7 (aka NT v6.1) Professional, I wanted to see what Windows 7 looked like, so after the first boot and logging in I checked to make sure I was admin. I tried to run gpedit: nope, access denied. Then I tried wmic, also access denied. So about 4 minutes after first boot I realized Microsoft was once again selling their software with all the doors open; I powered off and pulled out my Red Hat CD.

The only version of Windows you have a chance of securing is Ultimate, and then you'll later find out there's been a backdoor open since 1997. And then there are those people that use virus scanners; yeah, I'm gonna pay some company to install a root kit on my computer, yeah right. And then you have this other group that use free virus scanners; what, are you just stupid?

Sounds Like System/Windows Recovery (0)

Anonymous Coward | more than 3 years ago | (#36197780)

This is not new, nor even a new tactic. I have come across malware that held users' data to ransom by encrypting it. System/Windows Recovery are (rather unfortunately) extremely easy to pick up when a gullible user mistakes an error notification on a web site for a locally generated message and interacts with it accordingly. These malware applications also disable anti-virus software and associated services for many popular AV/security products, which in my opinion is a damning indictment of those products.

Fortunately, as easy as it is to pick up, it's also relatively easy to remove; there are many free tools available that do just that. However, you may wish to reconsider re-installing your O/S after you virus- and malware-scan your data and then perform a backup (post removal). I generally wouldn't trust an installation that has been compromised by malware such as this.

Re:Sounds Like System/Windows Recovery (1)

MightyMartian (840721) | more than 3 years ago | (#36197790)

Well, in my case, the most it could do is fuck with the files that the user had permissions to fuck with. The system itself, other than the profile, was fine. I was thinking about putting in some software execution policies, only to find out that they're pretty well useless.

Re:Sounds Like System/Windows Recovery (4, Informative)

adolf (21054) | more than 3 years ago | (#36197930)

I just cleaned this off of a computer two days ago.

It set some registry entry values meant for maximum fuckery, marked every file on the disk that it could access as hidden (so even "dir" from a command line would report "File not found"), nuked the contents of the start menu, and did some other mean stuff.

Malwarebytes removed it but left the registry broken (which is arguably correct behavior). I changed the registry entries by hand, and I restored the start menu from an earlier copy.

After that, things were happy...except for a lingering, and possibly unrelated, issue with links from Google being redirected to spam. This turned out to be an infected Windows DLL, which "sfc /scannow" couldn't/didn't bother to fix. I was just about to give up on the machine for a happy time of nuke/reinstall, and another half-dozen hours of putting the machine back how it was... but then I tried combofix and the redirect problem went away, too.

All said: While I am a little richer having fixed these problems, money is poor compensation for this sort of pain.

I welcome the day when an affordable online service* can do incremental backups that can be used for a simple, bare-metal restore. Bandwidth isn't the issue anymore, and spinning storage is cheap; where is it?

*: Yes, online. If it's offline, that means that folks will have to think about it on a regular basis, and it won't be done.
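The story summary describes files being moved out of the profile and icons hidden through registry keys, and the post above describes every reachable file being marked hidden so that "dir" reports nothing. The script below is an added example of how a technician could triage a profile for that second symptom; it is not code from the thread, from Malwarebytes or from any other tool mentioned here. It assumes the profile roots are `$env:USERPROFILE` and `$env:PUBLIC` (the Vista-and-later equivalent of "All Users"), and the lists of legitimately hidden items (`AppData`, `ntuser.*`, `desktop.ini`, and so on) are an assumption that may need extending for a given machine.

```powershell
# Added example: report (and optionally clear) files in a Windows profile that
# carry the Hidden attribute where Windows itself would not normally set it.
# Run without -Repair first; it only prints per-folder counts. Use -Repair only
# after the malware itself has been removed, or it may simply re-hide them.
[CmdletBinding()]
param(
    # Assumption: these two roots cover the current user and the shared profile.
    [string[]]$Roots = @($env:USERPROFILE, $env:PUBLIC),
    [switch]$Repair
)

# Items Windows hides on its own inside a profile (assumed list; extend as needed).
$legitHiddenFiles = @('desktop.ini', 'thumbs.db', 'ntuser.dat', 'ntuser.ini',
                      'ntuser.dat.log1', 'ntuser.dat.log2')
$skipTopLevelDirs = @('AppData', 'Application Data', 'Local Settings')
$hiddenFlag       = [int][System.IO.FileAttributes]::Hidden
$reparseFlag      = [int][System.IO.FileAttributes]::ReparsePoint

function Get-UnexpectedlyHiddenFiles {
    param([string]$Root)
    $root = (Get-Item -LiteralPath $Root -Force).FullName

    # Enumerate the top level ourselves so we can skip AppData and the legacy
    # junctions (Application Data, Local Settings) that would otherwise loop.
    $children = Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
        Where-Object {
            -not ($_.PSIsContainer -and ($skipTopLevelDirs -contains $_.Name)) -and
            (([int]$_.Attributes -band $reparseFlag) -eq 0)
        }

    $files = foreach ($c in $children) {
        if ($c.PSIsContainer) {
            # -Force is required, otherwise hidden files are not listed at all.
            Get-ChildItem -LiteralPath $c.FullName -Recurse -Force -File -ErrorAction SilentlyContinue
        } else {
            $c
        }
    }

    $files | Where-Object {
        (([int]$_.Attributes -band $hiddenFlag) -ne 0) -and
        ($legitHiddenFiles -notcontains $_.Name.ToLower())
    }
}

foreach ($r in $Roots) {
    if (-not $r -or -not (Test-Path -LiteralPath $r)) { continue }
    $root    = (Get-Item -LiteralPath $r -Force).FullName
    $suspect = @(Get-UnexpectedlyHiddenFiles -Root $root)

    if ($suspect.Count -eq 0) {
        Write-Host "$root : no unexpectedly hidden files"
        continue
    }

    # A whole Desktop or Documents tree being hidden is the tell-tale sign;
    # one or two hidden files in a folder are probably legitimate.
    $suspect |
        Group-Object { $_.FullName.Substring($root.Length).TrimStart('\').Split('\')[0] } |
        Sort-Object Count -Descending |
        ForEach-Object { Write-Host ("{0,6}  {1}\{2}" -f $_.Count, $root, $_.Name) }

    if ($Repair) {
        foreach ($f in $suspect) {
            # Clear only the Hidden bit; leave ReadOnly, Archive, etc. untouched.
            $f.Attributes = [System.IO.FileAttributes]([int]$f.Attributes -band (-bnot $hiddenFlag))
        }
        Write-Host ("Cleared Hidden on {0} files under {1}" -f $suspect.Count, $root)
    }
}
```

The report-only pass is deliberately the default: a count of several hundred hidden files under Desktop or Documents is the pattern the posters describe, whereas a handful of hidden files scattered about is normal and should not be "repaired". The script does not touch the registry keys the summary mentions, because the thread does not name them; those still have to be compared against a known-good machine by hand, as the post above did.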

Re:Sounds Like System/Windows Recovery (2)

amliebsch (724858) | more than 3 years ago | (#36198284)

If this is Win7, it doesn't have to be online. Just attach an external USB disk and tell it to back up there. It will automatically do an image+incrementals, auto-delete the oldest images when the disk is getting full, and can be bare-metal restored booting from the Windows DVD. It's actually pretty sweet.

Also: if the registry is hosed, system restore should be able to help you out.

Re:Sounds Like System/Windows Recovery (2)

adolf (21054) | more than 3 years ago | (#36198452)

If the malware takes control of the PC (which it does, in the context of the FA), then having a single, locally-attached backup disk isn't necessarily a good answer: It can destroy/disrupt the backup just as easily as it can anything else on that PC.

A well-thought-out rotation of backup media would help, but that's no good because it involves humans who simply won't do it.

This wouldn't be a problem, so much, with good online storage: Even Dropbox does a good job of keeping old copies of your data intact for a period of time. I simply want the concept extended to an entire disk, with metadata intact, to enable a bare metal recovery.

This, combined with extra, out-of-band human verification (SMS?) for when you Really, Really want to destroy backup data, would work well against malware.

(And, yeah: I did use System Restore eventually. I consider it to be a last resort, though, simply because I am ignorant as to the extent of its workings and I am prejudiced against system-level programs which do not provide meaningful feedback as to what they're doing.)

Re:Sounds Like System/Windows Recovery (1)

MokuMokuRyoushi (1701196) | more than 3 years ago | (#36198654)

except for a lingering, and possibly unrelated, issue with links from Google being redirected to spam

Hey - I just had the same problem with an office computer. I got rid of it the same way, but for some unidentifiable reason, about half the links in FF now are opening in IE. Did you have the same issue? If so, have you figured out the problem?

Re:Sounds Like System/Windows Recovery (0)

Anonymous Coward | more than 3 years ago | (#36198296)

Dis is one half.

False alert (3, Funny)

lucm (889690) | more than 3 years ago | (#36197800)

A little while ago I was sure I had this malware on my computer. However the actual problem was worse: I had a Seagate hard drive.

There is an upside with Seagate products: they taught me the importance of using RAID and/or backups.

Re:False alert (4, Insightful)

LurkerXXX (667952) | more than 3 years ago | (#36197988)

AND BACKUPS! *AND BACKUPS*!!!

RAID is *NOT* a substitution for backups. Delete a file on the RAID and it's gone. Someone takes the machine, and it's gone.

Backup your computer to offline media, and make sure to keep a (hopefully encrypted) copy of it at some remote location (like a family member's house, work, wherever).

RAID IS NOT A SUBSTITUTION FOR BACKUPS!

Re:False alert (1)

adolf (21054) | more than 3 years ago | (#36198278)

Seconded, and furthered:

RAID would do nothing to protect against the thing described in TFA.

RAID only protects against hardware failure, and even then only if the failure is actually detected instead of just silently munging data.

This is not to say that RAID is not useful: It can be a performance boost in some applications. It can provide a clever way to combine many smaller disks into one larger volume, which can also be useful in some instances. To be sure, some of the things RAID does do can be very cool for a lot of different reasons.

But RAID is not a backup. It never was, and it never will be.

Re:False alert (0)

lucm (889690) | more than 3 years ago | (#36198450)

> Delete a file on the RAID and it's gone

Do you check that all your files are there before taking a backup? Probably not. Even if you have a very complex strategy of nested backup with grandfather and his whole family, odds are that once you notice that the said file is gone, it is also gone on your backup.

You see, just typing stuff in uppercase does not mean you are right. There is a whole discipline around this kind of stuff, it's called Information Lifecycle Management. But in any case this is completely off-topic, as my comment was merely an opportunity to complain about my bad experience with Seagate hard disks.

> RAID IS NOT A SUBSTITUTION FOR BACKUPS!

UPPERCASE IS NOT A SUBSTITUTION FOR HAVING SOMETHING INTERESTING TO SAY.

First fucking flag for anyone with a clue (0)

Datamonstar (845886) | more than 3 years ago | (#36197802)

Download a fix for a hardware problem. Maybe firmware, but no way that'll be coming through anything other than the manufacturer's channels of communications. Also, it's the OS that makes this possible. Note that nothing at all is actually happening to the files. Shame shame shame again.

Re:First fucking flag for anyone with a clue (0)

Anonymous Coward | more than 3 years ago | (#36197890)

How fucking stupid do you have to be to think that this is targeting people who have a clue? Did you think about this at all, or did you just have some desperate desire to come across as an unlikeable Comic Book Guy figure?

When web apps... (2)

3vi1 (544505) | more than 3 years ago | (#36197836)

When web apps pop up a realistic looking XP or Win7 window claiming virus infection... or the need to run an 'exe' to install a missing codec, it's a good day to be running Linux or OS X. Nothing tells you fraud so much as something that's been polished to a fine point to fool the Windows users.

Re:When web apps... (1)

rtaylor (70602) | more than 3 years ago | (#36197972)

True, but there is nothing here that couldn't be done just as easily on OSX and Linux.

Remove users files in standard Gnome/KDE places and futz with the .bashrc or .profile file to make the login wonky.

Re:When web apps... (1)

3vi1 (544505) | more than 3 years ago | (#36198430)

>> True, but there is nothing here that couldn't be done just as easily on OSX and Linux.

And tell us how you would do that? How would you make a web page that convinces the user that they should click 'okay' on your installer instead of going to the system app center / repositories?

People that were conditioned to Windows might fall for it, but people that 'learned' Linux would know it's BS.

How would you convince someone to give you the admin ID when they didn't launch an installer or app that needs admin access?

VIRUSES IN LINUX DON'T PROPAGATE BECAUSE LINUX DOESN'T WORK LIKE WHAT YOU'RE USED TO.

Re:When web apps... (0)

Anonymous Coward | more than 3 years ago | (#36198626)

"Viruses" don't propagate in Linux because nobody fucking uses Linux.

Derp it up all you wish, the fact is, Linux has no desktop marketshare that's even worth mentioning. Oh, but you'll be in for a surprise if that ever changes. Protip - Ubuntu's lolroot crap is as effective as anything else at teaching users they should click 'OK' whenever presented with strange dialog.

Now if you'll excuse me, I have to go laugh at all the tools who install $CMSFLAVOROFTHEMONTH into a docroot and then never fucking update it. Linux. Hurr, durr, answer to everything, hurr.

Re:When web apps... (1)

Pentium100 (1240090) | more than 3 years ago | (#36198628)

How would you make a web page that convinces the user that they should click 'okay' on your installer instead of going to the system app center / repositories?

There are a lot of people who are used to Windows, so if they switch, especially after hearing that Linux has no viruses/malware they might feel safe clicking on anything.
Also, in my experience not all programs and drivers are in the default repositories; for example, drivers for Canon multifunction devices (the scanner part) are available as a .deb file from the Canon web site, but not in any Debian repository. Which means that I (or someone else) actually have to sometimes download and run a file to install a program. The Opera web browser is also not available in the default Debian repositories, but has its own repository and I have to add it to the list to be able to use Opera. So I (or someone else) have to do that sometimes too. Sometimes I also may download and run a shell script to do something that I want. I can read and semi-understand a simpler shell script, though; I doubt that everyone can.

Any of these could be a way for malware. If a user wants the screensaver with kittens, he will try to install it. Also, "Your computer has problems, download this simple script to fix them". The script then downloads and runs whatever the malware makers want.

How would you convince someone to give you the admin ID when they didn't launch an installer or app that needs admin access?

"Want this screensaver with the cute kittens? You can download it for free (admin access required to install)"

If you impose behavior limits, like "don't click on ads, don't install random programs, do not run as root, stay updated", then Windows becomes quite safe too. Sure, there are remote vulnerabilities, but I really doubt that, say, Firefox or Flash on Linux is completely safe (if so, why do the Windows versions have bugs?). Running as a limited user will limit the malware to just screwing up the user's files which, on a single-user system, is almost as bad as screwing up the whole system (if malware deleted all my files, I might as well format and reinstall).

Limiting the user to default repositories would only work if the repositories contained every single non-malware app that is available, otherwise there will be a reason for the user to use alternative means of getting the software and may end up getting malware.

Re:When web apps... (1)

miknix (1047580) | more than 3 years ago | (#36197984)

Next step.. Modify the malware to prompt the user to install Linux?

Re:When web apps... (1)

somersault (912633) | more than 3 years ago | (#36198068)

Good reason to change the default theme in Windows too.

Re:When web apps... (1)

adolf (21054) | more than 3 years ago | (#36198382)

While I believe your advice is well-intentioned, it's really no good.

This only works if the malware isn't using existing Windows widgets for its displays.

If I were a Windows programmer (I'm not) and I were writing malware (good heavens!), I'd use the native toolkit for all of my dealings...just like most other software does. It's easier, that way.

And then: Changing themes, for properly-implemented malware, would also change the look of that ill program to match.

Re:When web apps... (1)

amliebsch (724858) | more than 3 years ago | (#36198472)

Most malware, being trojans, cannot create native widgets because they are stuck inside of the browser jail, so they simulate system widgets to fool users into believing they are not already jailed to the browser, and then the user inadvertently lets it out of the jail.

Re:When web apps... (2)

pz (113803) | more than 3 years ago | (#36198432)

When web apps pop up a realistic looking XP or Win7 windows claiming virus infection... or the need to run an 'exe' to install a missing codec, it's a good day to be running Linux or OS X. Nothing tells you fraud so much as something that's been polished to a fine point to fool the Windows users.

Good reason to not have the default color scheme on your windows box. Makes it easy to spot the fake popups.

Re:When web apps... (0)

Anonymous Coward | more than 3 years ago | (#36198588)

You're not the person the malware is trying to fool.

If you know enough about computers to recognize malware, you probably know enough to remove it.

Gramma? Not so much in either case.

Re:When web apps... (1)

vlueboy (1799360) | more than 3 years ago | (#36198678)

Thanks for the Java reminder -- I got this new PC the other day and had meant to ensure the OEM had NOT bundled it. I had recent Java-initiated spyware on the Vista laptop earlier in the week.

I'd forgotten to dump the Java runtime since I used to play with the SDK. Because enterprise Java has grown ever complex and acronym-ridden, I simply stopped minding it about 2 years ago and forgot to remove its inconvenient attack vector even though I've been hit through it more than once.

On the color schemes, I used to have Teal (aquamarine colors) immediately highlight the one white and gray "standard-colored" window popups as fake. Fake popups also stand out when all you have is MacOS 8 --the problem goes back to more than a decade ago. It's a shame that after Windows 2000, MS has hidden and then removed the fancy pre-named color themes (not Luna or glass, but the CLASSIC ones) and left only the default AND green-on-black ones.

I'm pretty sure they want to establish a non-fragmented look to compete against the pretty iconic MacOS X brushed metal and Gnome's brown desktop motifs.

TLD4 Variant? (1)

terbo (307578) | more than 3 years ago | (#36197840)

I think this is a TLD4 variant, I've had to remove it several times over the past several months, pretty persistent but the usual.

Re:TLD4 Variant? (1)

Mashiki (184564) | more than 3 years ago | (#36198098)

That one, and the new TSS variants floating around are...painful. Nuking the machine from orbit and restoring from a clean backup is almost easier than removing them. The last machine I cleaned from one of the new TSS variants took nearly 5 hours. The infection point was some bloody facebook page.

The stupid it burns sometimes.

Re:TLD4 Variant? (1)

pspahn (1175617) | more than 3 years ago | (#36198194)

Oblig. Friendface [youtube.com]

Re:TLD4 Variant? (1)

kvvbassboy (2010962) | more than 3 years ago | (#36198266)

It's been a long time since there was malware in my computer. How exactly do these things get inside, in the first place?

Once they get installed into a computer, do they spread throughout the local network?

Re:TLD4 Variant? (0)

Anonymous Coward | more than 3 years ago | (#36198354)

This particular one? Either a browser exploit distributed as a banner ad, letting it run automatically in IE8 if you visited rlslog.net (or anyone else using the same ad network) about a week ago, or plain stupid user-clicks-on-everything in less broken browsers. If you actually get the malware, and then pretend to be a semi-trained monkey and click "Yes, please install this obviously fake software fix for the hardware problem you're giving me obviously fake warnings about", follow through with your credit card, and let it sit on your machine, I have no clue if it has the ability to spread over the network, but it seems unlikely.

I saw this today (1)

CmdrPorno (115048) | more than 3 years ago | (#36197860)

It certainly takes it a step further than "your system is infected." Ironically, the system actually does appear to have a bad hard drive (bad blocks marked by CHKDSK). Customer had paid someone else to replace the hard disk a little over a month ago and showed me the receipt, but the hard disk in the machine was the same capacity as the OEM disk and had a date code indicating that it was likely not a new drive, but the one that was factory installed.

They're just going to replace the machine since the "infected" one has Vista and, for that reason, will run badly even after it's fixed properly (and honestly). The linked article provides a location where the malware hides the user data.

Been around a bit (1)

zvar (158636) | more than 3 years ago | (#36197886)

Umm... This has been around for a few months.

Bad news day, I'm guessing (1)

knotprawn (1935752) | more than 3 years ago | (#36197914)

There are quite a few windows bugs out there. This one makes changes to the registry and moves files and folders around. Most of the other bugs do that anyway. I didn't read the whole article, of course, but it seems like this isn't really all that news-worthy. The only difference that I can see is that it moves more stuff around than the other bugs. Or perhaps there was a point and I missed it.

Re:Bad news day, I'm guessing (1)

somersault (912633) | more than 3 years ago | (#36198130)

In our world, that word doesn't mean what you think it means. You should say "malware" and not "bugs". Bugs are mistakes in the design or creation of a computer program.

Malware can find its way into your system via bugs, but viruses and other types of malware are not bugs.

Chimera, Bellerophon (0)

Anonymous Coward | more than 3 years ago | (#36197968)

Reminds me of the plot of Mission:Impossible 2.

How could one differentiate ... (0)

PPH (736903) | more than 3 years ago | (#36197970)

... between this malware and normal Windows behavior?

Re:How could one differentiate ... (1)

Mashiki (184564) | more than 3 years ago | (#36198132)

Well normal windows behavior means that under a LUA, you can't do squat. I mean, you are using LUA's right? So, how often do you see hive collapses? I can count them on one hand, over the last 10 years. However malware behaving like this has been off-on again for the last 5ish years.

We had this one. (0)

Anonymous Coward | more than 3 years ago | (#36198010)

Unfortunately there are recurrent strains: it attacked our Windows XP, which became slower and slower and errors started to show up.

We solved it by buying Vista; this one, too, became heavy to a point the machine barely worked.

We solved again by acquiring Windows 7, a very simplified and clean desktop. Very nice. This must be that Zen "less-is-more" thing: less things on screen and more money goes away...

Today I noticed gvim had some trouble starting a macro (but when it works, after some 20 seconds, it's fast as usual).

Do you think we could pay in advance to M$ to help them accelerate Windows 8 release? Didn't they have a software insurance program?

happened last week (0)

Anonymous Coward | more than 3 years ago | (#36198102)

This happened to a computer I worked on last week. The malware set the hidden attribute to all the Start menu icons, and also the My Documents files, so it looked like everything was lost. There might have been a couple of other changes, but I can't remember. Didn't take me 5 minutes to fix it all, and Malware Bytes removed the hoax program for me.

I can see how it would mess with other users and give some people a scare. Old trick, but it worked.

Am I the only one... (0)

Anonymous Coward | more than 3 years ago | (#36198288)

That would just buy a new hard drive?

4 instances of attrib running (0)

Anonymous Coward | more than 3 years ago | (#36198324)

I've had a few users get one recently that, upon opening taskmgr (thank goodness for LANDesk) had 4 instances of attrib.exe running. Ends up setting every file on the drive to Hidden, System and Read-Only. A PITA to fix remotely. I wish I could get our security guys to add Adobe & Java updates to the critical security patch list.
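The two comments above (the Start menu and My Documents files flipped to hidden, and several attrib.exe instances marking everything Hidden, System and Read-Only) describe a behaviour a help desk can alert on. The following is an added detection example, not code from the article or any commenter; it parses constructed process-creation log lines in a hypothetical "host|pid|image|commandline" format and flags hosts where attrib.exe was run recursively with +h and +s more than a threshold number of times.

```python
import re
from collections import defaultdict

# Constructed sample events (hypothetical format: host|pid|image|commandline).
# The first four lines mimic the mass-hide pattern described in the thread;
# the last two are benign attrib/cmd usage that must not trigger.
SAMPLE_EVENTS = """\
ws01|1204|C:\\Windows\\System32\\attrib.exe|attrib +h +s +r "C:\\Users\\All Users\\*" /s /d
ws01|1210|C:\\Windows\\System32\\attrib.exe|attrib +h +s +r "C:\\Users\\jdoe\\Documents\\*" /s /d
ws01|1211|C:\\Windows\\System32\\attrib.exe|attrib +h +s "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\*" /s /d
ws01|1215|C:\\Windows\\System32\\attrib.exe|attrib +h +s +r "C:\\*" /s /d
ws02|3301|C:\\Windows\\System32\\attrib.exe|attrib -r "C:\\Users\\asmith\\notes.txt"
ws02|3302|C:\\Windows\\System32\\cmd.exe|cmd /c dir
"""

FLAG_TOKEN = re.compile(r"[+-][hsra]", re.IGNORECASE)


def parse_attrib(cmdline):
    """Return (set of lower-cased attribute flags like '+h', recursive flag) for an attrib command line."""
    tokens = cmdline.split()
    flags = {t.lower() for t in tokens if FLAG_TOKEN.fullmatch(t)}
    recursive = any(t.lower() == "/s" for t in tokens)
    return flags, recursive


def is_mass_hide(cmdline):
    """True when attrib is hiding files recursively and also marking them as system files."""
    flags, recursive = parse_attrib(cmdline)
    return recursive and "+h" in flags and "+s" in flags


def suspicious_hosts(events, threshold=2):
    """Count mass-hide attrib invocations per host; return hosts at or above the threshold."""
    counts = defaultdict(int)
    for line in events.splitlines():
        if not line.strip():
            continue
        host, _pid, image, cmdline = line.split("|", 3)
        if image.lower().endswith("\\attrib.exe") and is_mass_hide(cmdline):
            counts[host] += 1
    return {host: n for host, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(suspicious_hosts(SAMPLE_EVENTS))  # {'ws01': 4}
```

A single legitimate `attrib -r` on one file never counts, so the alert keys on the combination of recursion, +h and +s repeated on a host rather than on attrib.exe alone.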

zeus weapon stimulates foul fatal 'weather' (-1)

Anonymous Coward | more than 3 years ago | (#36198368)

3rd day in a row here in northern ny. looks like our right to remain silent is holding us up so far

My end users say it was coming from MSNBC.com (1)

gunkthruster (1975684) | more than 3 years ago | (#36198392)

...my day was spent removing this bastard from our work machines. Good day to be a help desk lackey.

Re:My end users say it was coming from MSNBC.com (4, Insightful)

Mashiki (184564) | more than 3 years ago | (#36198416)

And sites complain when people block ads. This is of course why anyone with a brain blocks ads.

Ah (1)

jav1231 (539129) | more than 3 years ago | (#36198428)

Windows...move along.

bitcoin (0)

Anonymous Coward | more than 3 years ago | (#36198434)

After their credit card access is limited, they might turn to bitcoins, hope they don't, then someone will look for a way to shut down btc access.
bit.ly/btcbonus for a few free coins
I'm not anon I forgot my pw and I'm locked out of last pass while on my phone -opticbit

Just ran into this yesterday and (1)

Mithrilhall (673222) | more than 3 years ago | (#36198510)

it seemed pretty easy to clean. We ran cmd to launch taskmgr.exe as the local administrator. Then we were able to kill the processes. Once that was done, Malwarebytes took care of the infected files. After that was done we had to use a System Restore point from a few days before the infection.

Re:Just ran into this yesterday and (1)

FlyingGuy (989135) | more than 3 years ago | (#36198620)

Wouldn't a simpler way be, every time IT touches a machine, to get a backup of the registry (a clean one) or better yet simply have a default registry on hand. Pop the install CD, go into repair mode and restore the registry to your company defaults.

Another way would be to perhaps take the infected registry and then compare it to the infected registry and you will find every trace of the damn thing, yes?

Oh! I love looking at websites that infect Windows (1)

geekthecat (546223) | more than 3 years ago | (#36198594)

add links so all of us with GNU/linux can check it out, Please.

Ugh (1)

ModernGeek (601932) | more than 3 years ago | (#36198646)

I'm so confused. Why do the antivirus / anti-malware packages out there not detect and delete these stupid things?

I know that the stupid XP Antivirus even sets a key in the registry that marks .EXE files as "safe file"

I assume that means that IE will then open and execute any .EXE that heads its way.

It seems that removing these infections involves the tedious process of booting the hard drive from another machine, and manually picking it all clean.

Only then does the registry have to be picked through with a fine tooth comb to keep more infections from arising.

I've seen some where Windows Explorer is set as being the actual virus, so that when an AV program deletes it, one cannot log in.

I know that Windows is horrible, and it is not used within my enterprise, but how is it that these infections are able to even exist? Where do they come from?

Legal action? (2)

morikahnx (1323841) | more than 3 years ago | (#36198668)

If the company in question is linked to the trojan, can we take legal action against them? It looks like an open and shut case.

