LarryFlowers
09-15-09, 09:17 AM
I was able to document a recent attack on a client's PC from the latest iteration of a very aggressive fake anti-virus software scanning program.
No web site seems to be immune from this attack and it appears to be finding its way onto the web sites via advertising. CNN, MSNBC, The New York Times and hundreds of other legitimate sites have been affected.
This particular attack was the result of a Google search...
In picture attack1, the user was searching for doll-sized football helmets for a promotional item they were working on.
In picture attack2, note 2 things... McAfee SiteAdvisor is installed and is placing green checkmarks next to search results it has determined are safe... and look at the 5th result on this page "Doll-baby prince william doll..." and note the lack of a green checkmark, replaced by a question mark. The user clicked on it anyway...
In picture attack3, this is what happened when the user clicked on the Google link. No matter what you click on... OK, Cancel or the red X... you get picture attack4.
This is a very realistic looking page that appears to be scanning your PC, which of course it is not doing.
In picture attack5, you see the very official looking Windows Security Alert pop-up listing your supposed infections.
If you attempt to cancel, or close the window, it won't. Any attempt other than to click on "remove all" delivers no result.
In attack6 you see the only thing you can do at this point... open the Task Manager and shut down all of the browser related processes that are running.
In attack7 you see the results of a Malwarebytes scan that was run immediately after this attack. Vista and Windows 7 machines will not have any changes made to them; the Malwarebytes scan of an XP machine will show results which Malwarebytes will successfully remove.