
Thread: Games changed, any new helpful ideas/tools?

  1. #1 Slartarama (Member, joined May 2008, Pacific Northwest)

    So, just to state this, I am no infosec expert. I work as a sysadmin (Windows, obviously). I've been dealing with malware for a long time, and a few years ago I noticed the game has definitely changed. They run in Safe Mode, start up in new places, encrypt themselves, block known tools from running, redirect websites, etc. I That and other resources helped me see why malware was changing, and being on the front line, I get to see it every day. (ugh)


    So today I'm dealing with a fake AV product: Windows_*_AntiVirus200Whatever. This malware is really tricky. I can't get it to die, and I'm having to rename tools to run them (i.e. HijackThis, ComboFix, Process Explorer, etc.). I am going to beat this one, but the question I have is: are there any other tools or places to look in the OS to fix this, other than Malwarebytes, SUPERAntiSpyware, HijackThis, ComboFix and all the major AV software, etc., that will not be brought down by things like this new baddy?

    More importantly, since I like to learn where things live, how in the hell is it redirecting every browser that I install? I see no proxies set in any browser. Is there a hidden, proprietary proxy these things run, or am I missing something in the OS that can be changed to beat this thing blocking ALL access to anti-malware websites, which is pissing me off? That is a big one, since I want to know where it is redirecting the sites from. It is reminiscent of WindowsAntiVirus2008, but fresher and better written.

    I couldn't even run certain EXEs until I ran a registry fix for EXEs that... well, I've had to do that before. Someone wrote and published that; I got that reg file last year. Sorry, author, I don't remember your name. I am pretty fluent in WMI/VBS scripting and the registry, so if someone can point me in the direction of where this thing is blocking sites from, I'll write my own tool. I used Autoruns to check and could find nothing out of the ordinary. I also pulled a BHO with HijackThis, but that hasn't stopped it. Nothing in AppInit, Run, RunOnce, Winlogon, Startup, etc. I checked the HOSTS file too, no joy.

    Tried SDFix, FixWelchia, FixVundo, FixVirtumonde, ConfickerFix, etc.

    I plan on slaving the drive to get rid of the thing tomorrow, so I am not worried about beating it. I just want any help pointing me towards real-time tools that I might be missing. Whether they are written tools or just some part of the OS/registry that I can edit/hack to stop this crap in the future, I don't care; either would be great, but I would prefer a whole understanding of how this is happening.

    Thanks,
    Slart
    Last edited by Slartarama; August 27th, 2009 at 07:00 AM.
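    One place to start on the "where is it redirecting from" question. The script below is an added triage example, not from the thread and not part of HijackThis, Autoruns or any other tool named in it; it assumes an elevated PowerShell prompt on the live machine. Besides the hosts file the post already checked, it reads the layers the post does not list where a redirect or an EXE block commonly lives on Windows: the WinINet proxy and PAC URL that other browsers inherit when set to use the system proxy, the per-interface DNS servers, Winsock layered service providers, Image File Execution Options "Debugger" values (keyed on the image file name, which is one mechanism that lets a renamed copy of a tool run), and the .exe file association. These are general Windows mechanisms, not a statement about what this particular sample did.

```powershell
# Added triage script for the kind of infection described above. It is not from
# the thread, and not part of HijackThis, Autoruns or any tool named there.
# Read-only: it enumerates the Windows settings that commonly carry browser
# redirection and "this tool won't run" behaviour and flags the suspicious ones.
# Assumes an elevated PowerShell prompt on the live machine.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # One registry value, or $null when the key or value is missing. Never throws.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-ProxySettings {
    # WinINet proxy and PAC file (AutoConfigURL). Other browsers can be set to
    # "use the system proxy", so an empty proxy field in the browser proves little.
    $k = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    foreach ($name in 'ProxyEnable', 'ProxyServer', 'AutoConfigURL') {
        $v = Get-RegValue $k $name
        if ($null -ne $v -and "$v" -notin '', '0') {
            [pscustomobject]@{ Area = 'Proxy'; Where = "$k\$name"; Data = $v }
        }
    }
}

function Get-DnsServers {
    # Resolver addresses set globally or per interface. A replaced NameServer
    # redirects every browser on the box without touching hosts or any proxy.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $keys = @($base) + @(Get-ChildItem "$base\Interfaces" -ErrorAction SilentlyContinue |
                         ForEach-Object { $_.PSPath })
    foreach ($k in $keys) {
        $v = Get-RegValue $k 'NameServer'
        if ($v) { [pscustomobject]@{ Area = 'DNS'; Where = "$k\NameServer"; Data = $v } }
    }
}

function Get-HostsEntries {
    # Active (non-comment) hosts lines. The post checked this already; kept so one
    # report covers every layer of name resolution.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content $hosts -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' } |
        ForEach-Object { [pscustomobject]@{ Area = 'Hosts'; Where = $hosts; Data = $_.Trim() } }
}

function Get-WinsockProviders {
    # Winsock catalog entries (LSPs). A malicious provider sits inside every TCP
    # connection on the box; the DLL path is the NUL-terminated string at the
    # start of PackedCatalogItem. Cross-check with: netsh winsock show catalog
    $cat = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries'
    Get-ChildItem $cat -ErrorAction SilentlyContinue | ForEach-Object {
        $blob = Get-RegValue $_.PSPath 'PackedCatalogItem'
        if ($blob) {
            $dll = ([Text.Encoding]::ASCII.GetString($blob) -split "`0")[0]
            [pscustomobject]@{ Area = 'Winsock'; Where = $_.PSChildName; Data = $dll }
        }
    }
}

function Get-ExecutionHijacks {
    # Two well-known ways a named EXE is stopped or swapped at launch: an IFEO
    # Debugger value keyed on the image file name (so a renamed copy runs), and a
    # rewritten .exe association, the usual target of the ".exe registry fixes"
    # that get passed around. The stock association command is "%1" %*.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    Get-ChildItem $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = Get-RegValue $_.PSPath 'Debugger'
        if ($dbg) { [pscustomobject]@{ Area = 'IFEO'; Where = $_.PSChildName; Data = $dbg } }
    }
    $assoc = 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command',
             'HKCU:\Software\Classes\exefile\shell\open\command',
             'HKCU:\Software\Classes\.exe\shell\open\command'
    foreach ($k in $assoc) {
        $cmd = Get-RegValue $k '(default)'
        if ($null -ne $cmd -and $cmd -ne '"%1" %*') {
            [pscustomobject]@{ Area = 'ExeAssoc'; Where = $k; Data = $cmd }
        }
    }
}

function Get-RedirectReport {
    # Everything in one table; pipe to Export-Csv to keep it with the case notes.
    @(Get-ProxySettings) + @(Get-DnsServers) + @(Get-HostsEntries) +
    @(Get-WinsockProviders) + @(Get-ExecutionHijacks)
}

Get-RedirectReport | Format-Table -AutoSize -Wrap
```

    On a clean machine the report is short: no proxy or PAC entry, the NameServer values you expect (or none when DHCP is used), a Winsock list consisting of Microsoft providers such as mswsock.dll under System32, and no IFEO Debugger values other than ones you put there for debugging. Anything pointing into a user profile, Temp or a randomly named directory is the entry to pull. For a slaved drive, load the offline SOFTWARE and SYSTEM hives with reg.exe load and point the HKLM paths at the loaded hive instead.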

  2. #2 nihil (Senior Member, joined Jul 2003, United Kingdom: Bridlington)
    What you are dealing with is this:

    http://en.wikipedia.org/wiki/MS_Antivirus_(malware)

    Each variant has its own way of downloading and installing itself onto a computer.
    AntiVirus2009 can also disable legitimate anti-malware programs and prevent the user from opening or re-enabling them. Antimalware applications disabled by AntiVirus2009 include McAfee, Spybot - Search & Destroy, AVG and Superantispyware. MS Antivirus is constantly updated and re-released to prevent detection by common legitimate anti-virus scanners.
    In November 2008, it was reported that a hacker known as NeoN hacked the Bakasoftware's database, and posted the earnings of the company received from XP Antivirus. The data revealed the most successful affiliate earned $158,000 in a week.
    So there is your motive. It is also how the malware scene has changed... it's all about money these days.

    Take a look at these:

    http://www.bleepingcomputer.com/viru...antivirus-2009

    http://www.2-spyware.com/remove-antivirus-2009.html

    http://www.spywareremove.com/removeAntivirus2009.html

    Try A-Squared:

    http://www.emsisoft.com/en/software/free/

    And protect your Registry:

    http://www.diamondcs.com.au/freeutilities/regprot.php

    These things are difficult to get rid of even in safe mode. Your best bet is to slave the drive or boot a live CD.

    Last edited by nihil; August 25th, 2009 at 09:19 AM.

  3. #3 Slartarama (Member, joined May 2008, Pacific Northwest)
    [QUOTE=nihil;950861]What you are dealing with is this:

    http://en.wikipedia.org/wiki/MS_Antivirus_(malware)

    MS Antivirus is constantly updated and re-released to prevent detection by common legitimate anti-virus scanners.[/QUOTE]

    Yeah, must be a new strain today. I actually used the 158K a week quote in my paper. Gee, I wonder why they write this kind of thing?

    [QUOTE=nihil]Take a look at these:

    http://www.bleepingcomputer.com/viru...antivirus-2009

    http://www.2-spyware.com/remove-antivirus-2009.html

    http://www.spywareremove.com/removeAntivirus2009.html

    Try A-Squared:

    http://www.emsisoft.com/en/software/free/

    And protect your Registry:

    http://www.diamondcs.com.au/freeutilities/regprot.php

    These things are difficult to get rid of even in safe mode. Your best bet is to slave the drive or boot a live CD.[/QUOTE]


    Thanks, I'll check out the links. And yeah, I was thinking the only way to kill this was to slave the drive or boot into a PEBuilder-type disk.

    Does it feel like we're losing the war yet?

    I am thankful that there are only one or two of these PCs that slip through. If an entire infrastructure was hit, well, I'd hate to work there.

  4. #4 nihil (Senior Member, joined Jul 2003, United Kingdom: Bridlington)
    [QUOTE=Slartarama]Does it feel like we're losing the war yet?[/QUOTE]
    No, but I would say that the rules of engagement have changed substantially. Most malware these days is written to make money not mischief. It is effectively commercial malware that is frequently updated to obfuscate it. I guess that's why traditional pattern matching AVs don't fare too well against it?

    [QUOTE=Slartarama]Gee I wonder why they write this kind of thing?[/QUOTE]
    Because they are getting paid for it. Malware authorship has now matured into a business or profession.

    Sorry Slart, I didn't take this in:

    [QUOTE=Slartarama]Often it is a pain because our environment has tons of separate applications and it is not feasible to reimage the PCs[/QUOTE]
    I know the environment. Have you looked at products like DeepFreeze?

    http://www.faronics.com/

    It makes an image of each desktop and reloads it every time the machine is rebooted. Sure, it can be circumvented, but scareware authors are percentage players so they probably wouldn't bother. Given these products are usually installed in corporate, public and institutional environments there would be no point, as the user doesn't have purchasing authority.

    Anyway, from a scareware viewpoint, infecting those sorts of environments is a waste of space; they just can't avoid them.

    If you have power users then you might also look at tools like Mamutu, Process Guard or Online Armor. They will monitor activity and program installation. A sort of flashy version of UAC, but they learn, so over time become less annoying.

    Another thought might be virtual sandboxes?



    EDIT:

    http://www.returnilvirtualsystem.com...ystem-personal

    http://www.shadowstor.com/products/ShadowUser/

    http://www.shadownow.com/index.html

    http://www.fortresgrand.com/products/cls/cls.htm
    [Also do a virtual sandbox]
    Last edited by nihil; August 25th, 2009 at 10:35 AM. Reason: more links

  5. #5 Slartarama (Member, joined May 2008, Pacific Northwest)
    [QUOTE=Slartarama]Gee I wonder why they write this kind of thing?[/QUOTE]
    Yeah, sorry, I meant that as sarcasm. I've been explaining the motivations of modern malware writers to people a lot lately. Everyone seems to get very defensive when we show up to clean malware, and the first thing they say is "Why would a hacker want my files?", so I have to explain botnets to them, which usually scares the willies out of them.

    I looked at Deep Freeze a year or two ago. It's a nice product, but I don't make any purchasing decisions. One good thing is that our environment is changing and going to be more locked down. But thanks, I forgot about Deep Freeze; maybe I should demo it.

    Thanks for the responses Nihil.

    -Slart
