Home | Blog | Software | Reviews and Features | Forum | Help | Donate | About us
topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • October 01, 2016, 05:25:06 AM
  • Proudly celebrating 10 years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: Massive malvertising campaign on Yahoo, AOL and other sites delivers ransomware  (Read 4292 times)

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,265
    • View Profile
    • www.StoicJoker.com
    • Donate to Member
Massive malvertising campaign on Yahoo, AOL and other sites delivers ransomware


One of the sites effected is apparently CNet, as one of our customers got nailed by this while trying to download the latest copy of Avast AV (which is hosted on CNet). The customer in question is a hyper vigilant old schooler who doesn't like, trust, or use the internet for anything unless absolutely necessary. So they most likely got burnt by the idiotic marketing practice of having multiple unidentified huge green download buttons that infest CNet.

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,214
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
And people call me a douche or cheap ass for using ad blocking software. Pfft. Yeah, that's one of the reasons why I run it and never click on ads. Sorry, but if you're not vetting your advertisers, I ain't clicking. There's a long road ahead before a decent solution to this problem is created. Actually solving the problem isn't that hard... rolling it out is near impossible.
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

bit

  • Supporting Member
  • Joined in 2013
  • **
  • Posts: 686
    • View Profile
    • Donate to Member
Hopefully Malwarebytes will protect users from this.^
What I would do if hit with something like this, is;
-Shut down.
-Kill power physically (as in unplug for 30-60 seconds) [to prevent virus  hiding in the RAM chips between boots].
-Reboot with a CD of Derik's Boot & Nuke (freeware).
-Write zeros to the drive (takes 3 hours on average size drive).
-Not sure if Derik's will do same to any thumb drives, but it's worth considering.
-Shut down.
-Reboot from backup hard drive.
-Run backup restore using any drive cloning software from alternate drive which has been kept physically unplugged.

Once, I forgot to kill power first, and a virus in the RAM jumped to my #1 backup drive and killed that one also.
So I killed power, and got it all up and running using my #2 backup drive.
Now, I also keep a #3 backup drive.
Backups tend to get a little out of date, but are easily updated when needed.

I avoid CNET at all costs.
I picked up a couple of PUPs with a download of 'little registry checker' from MajorGeeks, and Malwarebytes caught and stopped it.

Norton 360 initially gave the download a clean bill of health
Then, after I had clicked on 'littleregistrycleaner.exe', Malwarebytes ran a pop-up warning me of two PUPs.
By that time, I was presented with the option to proceed with either 'Install' or 'Cancel'.
I clicked on 'Cancel', and 'littleregistrycleaner' was quite 'in your face' about wanting to 'install' and ignored its own 'cancel' button.
The little hack was like, "I've got you now; screw you."
So I ran a scan with Malwarebytes which shut it down.
« Last Edit: October 24, 2014, 09:19:55 AM by bit »

crabby3

  • Supporting Member
  • Joined in 2012
  • **
  • Posts: 990
  • !!!... !!!!!! (face my... other left ?!?)
    • View Profile
    • Read more about this member.
    • Donate to Member
Massive malvertising campaign on Yahoo, AOL and other sites delivers ransomware


One of the sites effected is apparently CNet, as one of our customers got nailed by this while trying to download the latest copy of Avast AV (which is hosted on CNet). The customer in question is a hyper vigilant old schooler who doesn't like, trust, or use the internet for anything unless absolutely necessary. So they most likely got burnt by the idiotic marketing practice of having multiple unidentified huge green download buttons that infest CNet.

Interesting read.  Were you able to remove the malware?

Hyper vigilant?  Even i know to go to the programs site.

Fake download buttons are hard to judge.  Some are marked Ad... some are not.

.---  ..-  ...  -      -.-  ..  -..  -..  ..  --.

 ^ I hesitated before i clicked your link...  :huh: :) ;D :-[
Windows Vista(TM) Home Premium-SP2   Intel(R) Core(TM)2 Duo CPU    T6400 @ 2.00GHz    4GB RAM    64-bit        Windows(R) Internet Explorer 9

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,265
    • View Profile
    • www.StoicJoker.com
    • Donate to Member
What I would do if hit with something like this, is;
-Shut down.
...

Fail ... That is what they want you to do. Any rootkit's ability to burrow in and completely take over a machine is contingent on panicking the user into performing that ever critical first reboot. After which, with system level permissions it can do massive damage to mapped drives.

Now disconnecting any external backup drives you have would be a good idea in the hopeful assumption that the attack focused first on drive C: ... But nothing is guaranteed with these people.


Interesting read.  Were you able to remove the malware?

They're 50+ miles away and closed for the weekend - staff is trying to contact the out-of-town brass for authorization ... Blah, Blah, Blah - The situation is dire..


Hyper vigilant?  Even i know to go to the programs site.

Good plan. He did. Avast AV's download page sent him to CNet.  :wallbash:


Fake download buttons are hard to judge.  Some are marked Ad... some are not.

Quite true (most are not), and also quite possibly the crux of the problem here. I maintain that lawyers and marketing people should be actively hunted for causing problems like this.


^ I hesitated before i clicked your link...  :huh: :) ;D :-[

Me too. ;)

rgdot

  • Supporting Member
  • Joined in 2009
  • **
  • Posts: 1,859
    • View Profile
    • Donate to Member
Actually I would feel more secure getting the program from Softpedia or FileHippo than the author's site. Certainly when it comes to bigger software like Avast for example.

app103

  • That scary taskbar girl
  • Global Moderator
  • Joined in 2006
  • *****
  • Posts: 5,650
    • View Profile
    • App's Apps
    • Read more about this member.
    • Donate to Member
And people call me a douche or cheap ass for using ad blocking software. Pfft. Yeah, that's one of the reasons why I run it and never click on ads.

^^ This!  (except Project Wonderful. They are an ok ad network.  :Thmbsup:)

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,763
    • View Profile
    • Donate to Member
It's generally a good idea to only download directly from the app publisher's website. If you get bounced over to CNet or another 3rd party software aggregation host, think twice. (If you're using a lot of free software, this is now happening with increasing regularity.) Same for any popup upgrade notifications. Always upgrade from inside the app if at all possible. If there isn't an upgrade/"check for update" feature in the app itself, go to the publisher's website. If you're redirected to anywhere other than one of the publisher's websites, go back to the beginning of this post and read again.
 

hypnotized_1_13512_5322_thumb.gif   ;)
« Last Edit: October 24, 2014, 04:05:09 PM by 40hz »

x16wda

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 671
  • what am I doing in this handbasket?
    • View Profile
    • Read more about this member.
    • Donate to Member
-Not sure if Derik's will do same to any thumb drives, but it's worth considering.

Yes, I once did an Autonuke after booting from the thumb drive and proved that it wipes everything.  ;D

The latest Cryptowall variants are mean. They encrypt a random number of files from most, but not all, folders they have access to, then they reset the file date stamp back so you can't tell as easily what has been hosed. I think our company has handled 6 instances for our customers in the last two weeks, 3 from the same client (different locations), one of which entailed an all-nighter since I was the 3rd level on call. In most cases we can't identify the person who was actually hit - whoever it was never spoke up, we ended up finding out when a file wouldn't open, and find the DECRYPT_INSTRUCTION.txt files.

On the plus side it's a good way to verify that your backup system is working.  :P

Given what I've seen, I'm writing something to at least detect this early, kick out a ticket, and try to grab enough info to see who is causing it. The all-nighter instance was due to a process that ran for almost 24 hours, would have been a lot easier if we saw it sooner. That's my weekend project. That won't get finished over the weekend <sigh>.
vi vi vi - editor of the beast

4wd

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 4,410
    • View Profile
    • Donate to Member
What I would do if hit with something like this, is;
-Shut down.
...

Fail ... That is what they want you to do.

I think if you take it in the context it was given, ie. prelude to wiping all HDDs from read-only media, then the methodology is fine.

However, if you were to power on the system after the shutdown in the hopes that it would come up on the original OS OK ... then you may have a problem.

bit

  • Supporting Member
  • Joined in 2013
  • **
  • Posts: 686
    • View Profile
    • Donate to Member
What I would do if hit with something like this, is;
-Shut down.
...

Fail ... That is what they want you to do. Any rootkit's ability to burrow in and completely take over a machine is contingent on panicking the user into performing that ever critical first reboot. After which, with system level permissions it can do massive damage to mapped drives.

Now disconnecting any external backup drives you have would be a good idea in the hopeful assumption that the attack focused first on drive C: ... But nothing is guaranteed with these people.
I think I see what you mean; a rootkit can get into the mobo.
Actually, before shutdown, I ran Malwarebytes.

But one time, when I ran Malwarebytes before shutdown, then Malwarebytes itself wanted to reboot, and on reboot my vid card died.
But then I installed a friend's old vid card (that was actually newer than mine), and all problems disappeared.
I never could figure out if there was a virus-rootkit or not, or if the vid card just happened to pick a very odd moment to die.

So, do you think Norton 360 or Malwarebytes would stop the ransomware, or do I also need something like Hitman Pro?
Do do also run CryptoPrevent (paid version).
I don't have Hitman right now, b/c of cost, and it wants to run a scan on every boot-up.
« Last Edit: October 24, 2014, 10:26:30 PM by bit »

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,265
    • View Profile
    • www.StoicJoker.com
    • Donate to Member
What I would do if hit with something like this, is;
-Shut down.
...

Fail ... That is what they want you to do.

I think if you take it in the context it was given, ie. prelude to wiping all HDDs from read-only media, then the methodology is fine.

I was speaking about rootkits in general as they need that first reboot to get under (or replace) the shell.


However, if you were to power on the system after the shutdown in the hopes that it would come up on the original OS OK ... then you may have a problem.

A big one yes. :) I have saved machines from the above discussed malady...but it always depended on when the user thought to call for help.

As most frequently is the case, panicking = death.


@crabby3 - Chances are the Vcard was just a freak coincidence, but you're on the right track otherwise.

bit

  • Supporting Member
  • Joined in 2013
  • **
  • Posts: 686
    • View Profile
    • Donate to Member
^this -to me- is what donationcoder is all about; this is where 'the rubber meets the road';
I give a thoroughly thought-out, beautiful response of my tried-and-proven methodological approach to virus control, and Stoic Joker gives a straight-to-the-point no-frills wake-up call with one word: fail...
I like that.
Of course, my next question is, what's the best approach if you think you've already been infected (besides calling a shop)?
"Don't reboot." Okay, but what next?
« Last Edit: October 24, 2014, 11:20:34 PM by bit »

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,265
    • View Profile
    • www.StoicJoker.com
    • Donate to Member
While the below does assume the user has a bit of skill in these matters. It's a skill that everyone should strive to learn...because these days you really have to drive defensively on the information highway. I'm also really not a fan of flattening a machine every time the lights blink funny as it's far too easy to lose something that was recently created/acquired/signed up for especially if it happens to involve some sort of encryption key/certificate (mind you I deal mostly with business machines).

There is also the issue that burning or imaging a drive is a lot of I/O that can only serve to prematurely age the drive when all you really need to do was rewrite the boot sector to either make a rootkit visible, or prevent it from re-infecting a new install (I've seen that one happen a few times - it sucks).

Of course, my next question is, what's the best approach if you think you've already been infected

That is the key point. First thing you need to do is know if you've been infected...and with what. Because chances are when you do actually get that 'something be awry' funny feeling. It's generally because something odd just popped up on the screen...and at that point one of two scenarios will be true:
1. The bugg is taunting you with a cleverly cloaked may I please eat your computer prompt.
2. The game is already over...and you lost.

In the first case the resolution is a simple matter of saying no forcefully (e.g. TaskMan, right click, End Process Tree).

In the second case, you need to find out what the extent of the damage is without making it worse. So to avoid those fringe crossover cases, always take a screenshot of the offending message and jot down the filename of the process you have to kill to make it go away. Then from a known clean machine do a little quick research to see if it is a known bugg...or something completely new.

For the known bugs look at the type of software used for cleanup. If it first level Malware Bytes, Super AntiSpyware, etc. then you can use your preferred utility. If it is a advanced tool like ComboFix...then more care should be taken to see what is being fixed and how. Because many of these utilities - while effective - take the scorched earth approach, and can be as destructive as a registry cleaner if care isn't being taken to monitor what is being "cleaned".

So in a nut shell, the only procedure you use...is to never use a rigid procedure. Always know the enemy and react accordingly. Because if/when the hardware variety bugs become common in the wild it will quickly become crucial to know exactly what you're dealing with to have any chance of recovering. As there aren't any really user friendly methods available for wiping the other hardware components.


Like the USB controller chips that are in every USB device: This thumbdrive hacks computers. “BadUSB” exploit makes devices turn “evil”

Two separate Security Research groups have confirmed the viability of this attack. One of them released the source code for it during the last Black Hat conference to the public at large (it's available on GitHub). It's an equal opportunity infector that can bidirectionally hop from computer to any USB device (or device to computer) and is currently completely undetectable because - infecting the low level hardware controller chip - the OS never sees it.

bit

  • Supporting Member
  • Joined in 2013
  • **
  • Posts: 686
    • View Profile
    • Donate to Member
Like the USB controller chips that are in every USB device: This thumbdrive hacks computers. “BadUSB” exploit makes devices turn “evil”

Two separate Security Research groups have confirmed the viability of this attack. One of them released the source code for it during the last Black Hat conference to the public at large (it's available on GitHub). It's an equal opportunity infector that can bidirectionally hop from computer to any USB device (or device to computer) and is currently completely undetectable because - infecting the low level hardware controller chip - the OS never sees it.
Awesome.
I'm a home user, no one else ever uses my machine, and I don't use a microphone.
I see Halloween is coming up; if anyone is planning on scaring the kiddies with spook stories, save your breath and just read this thread to the grownups instead.
What I just read in your link royally scared the crap out of me.
« Last Edit: October 25, 2014, 04:04:47 PM by bit »

TaoPhoenix

  • Supporting Member
  • Joined in 2011
  • **
  • Posts: 4,548
    • View Profile
    • Donate to Member
And people call me a douche or cheap ass for using ad blocking software. Pfft. Yeah, that's one of the reasons why I run it and never click on ads. Sorry, but if you're not vetting your advertisers, I ain't clicking. There's a long road ahead before a decent solution to this problem is created. Actually solving the problem isn't that hard... rolling it out is near impossible.

Naw Ren, I want to chime in with a different sentiment.

Ignoring actual malware "injections", unless you're really savvy it can be tricky to find the actual download link to the legit software that even adblock won't catch because it's local to CNet and so on. There's this big green "download here" button, and way in the corner in grey font is "actual download site" or something.


crabby3

  • Supporting Member
  • Joined in 2012
  • **
  • Posts: 990
  • !!!... !!!!!! (face my... other left ?!?)
    • View Profile
    • Read more about this member.
    • Donate to Member
@crabby3 - Chances are the Vcard was just a freak coincidence, but you're on the right track otherwise.

Musta been a coincidence.  No malware blocks since last Fri. and I've been all over the place here.

Of course running Rkill and unchecking some firewall settings may have helped as well.
Windows Vista(TM) Home Premium-SP2   Intel(R) Core(TM)2 Duo CPU    T6400 @ 2.00GHz    4GB RAM    64-bit        Windows(R) Internet Explorer 9