Author Topic: Caught a 0-day malware just while browsing  (Read 2743 times)


Offline BucklingSpring

  • Thread Starter
  • Posts: 1640
Caught a 0-day malware just while browsing
« on: Sat, 21 May 2011, 18:15:58 »
I was looking for an image on Google Images to put some color in a post, then WAM!
This window pops up


Then this one


Must be a new variation of XP Home Security, since the name itself is pretty common.
I found the culprit and submitted it to a Meta Virus Search Engine.



Only one anti-malware engine out of 37 was able to detect something "Generic".

This little bastard breaks EXE and LNK associations, so Windows can't run any applications and keeps asking what application to use for the .EXE and .LNK extensions.

I thought the latest and greatest browsers were a little more robust against arbitrary code execution exploits.

In case you get hit... Here's the registry fix file:
http://filext.com/WinXP_EXE_Fix.reg
Matias Quiet Pro (Dampened ALPS), Topre RealForce (87U 55g & 103U-UW), Filco Majestouch x2 (TKL MX Blue & V2 AI 104 MX Blue), IBM-M x2 (BS & RD), Unicomp-M x5 (BS black on black x2, BS Ivory x2, QT Ultra-Classic), Deck-Legend x2 (MX Black & MX Clear), DAS III (MX Blue), NMB-RT8256CW+ x2 (black space invader), XArmor U9BL-S (MX Brown) given for free to someone I hate, CM Trigger (MX Green), TVS GOLD (MX Blue) and a many many more (NMB, DELL, MS, ATT, KeyTronic, Etc...)
-- In the mail: Matias Mini QP - Expected in Feb/Mar/Apr/May June
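The fix the OP links to is a plain-text .reg file from a third-party site, and importing a .reg writes whatever keys it contains. As an added example (not the OP's code and not the contents of the linked WinXP_EXE_Fix.reg), here is a small Python parser for the REGEDIT5 format plus a check that a given file actually restores the .exe and .lnk associations the post says were broken. REG_FIX and HIJACKED_EXPORT are constructed samples; the expected values are the stock Windows defaults, and the hijack pointing the open command at a tjb.exe under ...\SANDBOX\Virus is an assumption about how the dropper inserted itself, not something the page shows.

```python
"""Parse a REGEDIT5 (.reg) export and check that it restores the .exe/.lnk
file associations the post says this malware breaks.

Added example, not the poster's code and not the contents of the linked
WinXP_EXE_Fix.reg. REG_FIX and HIJACKED_EXPORT are constructed samples;
the expected values are the stock Windows defaults (".exe" -> exefile,
exefile\shell\open\command -> "%1" %*, ".lnk" -> lnkfile).
"""
import re
from typing import Dict, List, Optional

RegTree = Dict[str, Dict[str, Optional[str]]]  # key path -> {value name: data}

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')

# Stock associations; the (Default) value is stored under the empty name.
EXPECTED: RegTree = {
    r"HKEY_CLASSES_ROOT\.exe": {"": "exefile"},
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": {"": '"%1" %*'},
    r"HKEY_CLASSES_ROOT\.lnk": {"": "lnkfile"},
    r"HKEY_CLASSES_ROOT\lnkfile": {"IsShortcut": ""},
}


def _unescape(s: str) -> str:
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> RegTree:
    """Parse key headers and string values; dword:/hex: data is kept raw and
    multi-line hex continuations are not handled."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("Windows Registry Editor Version 5.00"):
        raise ValueError("not a REGEDIT5 export")
    tree: RegTree = {}
    current = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            delete, current = m.groups()
            tree.setdefault(current, {})
            if delete:                      # "[-HKEY...]" deletes the key
                tree[current]["__delete_key__"] = None
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(2))
            data = m.group(3).strip()
            if data == "-":
                tree[current][name] = None                  # value deletion
            elif data.startswith('"') and data.endswith('"'):
                tree[current][name] = _unescape(data[1:-1])  # REG_SZ
            else:
                tree[current][name] = data                  # dword:/hex: raw
    return tree


def check_associations(tree: RegTree) -> List[str]:
    """Return one line per mismatch between the export and EXPECTED."""
    problems = []
    for key, values in EXPECTED.items():
        got = tree.get(key)
        if got is None:
            problems.append(f"missing key {key}")
            continue
        for name, want in values.items():
            have = got.get(name)
            if have != want:
                label = name or "(Default)"
                problems.append(f"{key} {label}: expected {want!r}, got {have!r}")
    return problems


# Constructed sample of a correct fix (assumed, not the linked file).
REG_FIX = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\.lnk]
@="lnkfile"

[HKEY_CLASSES_ROOT\lnkfile]
@="Shortcut"
"IsShortcut"=""
"NeverShowExt"=""
'''

# Constructed export of a hijacked machine: every EXE launch goes via the dropper.
HIJACKED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\SANDBOX\\Virus\\tjb.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\.lnk]
@="lnkfile"

[HKEY_CLASSES_ROOT\lnkfile]
"IsShortcut"=""
'''

if __name__ == "__main__":
    for label, text in (("fix", REG_FIX), ("hijacked export", HIJACKED_EXPORT)):
        problems = check_associations(parse_reg(text))
        print(f"{label}: {'OK' if not problems else problems}")
```

Export your own HKEY_CLASSES_ROOT\exefile key with regedit before and after importing any fix and run check_associations on both; anything other than "%1" %* in the open command means EXE launches are still being routed through something else.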

Offline bionicroach

  • Posts: 189
« Reply #1 on: Sat, 21 May 2011, 18:33:23 »
That sucks, man.  What browser were you using when it happened?

Offline BucklingSpring

  • Thread Starter
  • Posts: 1640
« Reply #2 on: Sat, 21 May 2011, 19:26:13 »
Quote from: bionicroach;349613
That sucks, man.  What browser were you using when it happened?

Opera 11.11, released a couple of days ago, supposedly to fix arbitrary code execution.

I'm glad it was an "obvious" intrusion. Although I always keep an eye on the running processes and services, something more subtle could have fooled me long enough to cause more damage.

Offline bionicroach

  • Posts: 189
« Reply #3 on: Sat, 21 May 2011, 19:35:06 »
Wow.  Yeah, that's what scares me: the malware that is NOT an obvious scam like this to fool grandmas into giving their credit card numbers out to "clean" their computer.  I'm worried about rootkits that sit there silently listening in the background and phoning home.

If you have a router with logging capabilities, it's not a bad idea to review them once in a while and see if there is traffic happening that you don't expect to see.
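As an added example of the log review bionicroach suggests (not code from the thread), here is a Python triage script for a router's outbound-connection log: it lists which external hosts and ports each LAN machine talked to, and flags any flow that recurs at a near-constant interval, which is what a silently phoning-home implant looks like in such a log. SAMPLE_LOG is constructed in an iptables/syslog style; the field names and the 192.168.1.0/24 LAN range are assumptions, so adjust LINE_RE and LAN to your firmware's format.

```python
"""Triage a router's connection log: who did each LAN host talk to, and is
any flow recurring on a fixed schedule (beaconing / phoning home)?

Added example, not the poster's code. SAMPLE_LOG is constructed in the
iptables/syslog style of many consumer router firmwares; the field names
(SRC, DST, PROTO, DPT) and the 192.168.1.0/24 LAN range are assumptions.
"""
import ipaddress
import re
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home LAN

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<verdict>\w+) "
    r".*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+) "
    r".*?DPT=(?P<dpt>\d+)"
)

# Constructed sample: one host browses normally and also calls 203.0.113.7:8080
# every five minutes; one inbound probe is dropped by the firewall.
SAMPLE_LOG = """\
May 22 19:00:00 router kernel: ACCEPT IN=br0 OUT=vlan2 SRC=192.168.1.23 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=49152 DPT=8080
May 22 19:01:13 router kernel: ACCEPT IN=br0 OUT=vlan2 SRC=192.168.1.23 DST=198.51.100.4 LEN=60 PROTO=TCP SPT=49160 DPT=443
May 22 19:01:14 router kernel: ACCEPT IN=br0 OUT=vlan2 SRC=192.168.1.23 DST=198.51.100.4 LEN=60 PROTO=TCP SPT=49161 DPT=443
May 22 19:02:30 router kernel: ACCEPT IN=br0 OUT=vlan2 SRC=192.168.1.40 DST=198.51.100.20 LEN=60 PROTO=TCP SPT=50001 DPT=443
May 22 19:05:00 router kernel: ACCEPT IN=br0 OUT=vlan2 SRC=192.168.1.23 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=49170 DPT=8080
May 22 19:07:40 router kernel: ACCEPT IN=br0 OUT=vlan2 SRC=192.168.1.23 DST=198.51.100.4 LEN=60 PROTO=TCP SPT=49180 DPT=443
May 22 19:10:00 router kernel: ACCEPT IN=br0 OUT=vlan2 SRC=192.168.1.23 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=49190 DPT=8080
May 22 19:12:05 router kernel: DROP IN=vlan2 OUT= SRC=192.0.2.99 DST=192.168.1.1 LEN=40 PROTO=TCP SPT=6000 DPT=23
May 22 19:15:02 router kernel: ACCEPT IN=br0 OUT=vlan2 SRC=192.168.1.23 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=49200 DPT=8080
May 22 19:20:00 router kernel: ACCEPT IN=br0 OUT=vlan2 SRC=192.168.1.23 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=49210 DPT=8080
"""


def parse_log(text: str) -> List[dict]:
    """Keep only outbound connections the router accepted from a LAN host."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        if m["verdict"] != "ACCEPT" or src not in LAN or dst in LAN:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),  # year-less syslog stamp
            "src": str(src), "dst": str(dst),
            "proto": m["proto"], "dpt": int(m["dpt"]),
        })
    return events


def destinations_by_host(events: List[dict]) -> Dict[str, Set[Tuple[str, int]]]:
    """Every (external address, port) each LAN host reached: the 'traffic you
    don't expect' review."""
    out: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    for e in events:
        out[e["src"]].add((e["dst"], e["dpt"]))
    return dict(out)


def find_beacons(events: List[dict], min_hits: int = 4, max_jitter: float = 0.2) -> List[dict]:
    """Flag (src, dst, port) flows contacted at near-constant intervals:
    at least min_hits connections whose gap spread (stdev/mean) is small."""
    by_flow: Dict[Tuple[str, str, int], List[datetime]] = defaultdict(list)
    for e in events:
        by_flow[(e["src"], e["dst"], e["dpt"])].append(e["ts"])
    beacons = []
    for (src, dst, dpt), stamps in by_flow.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            beacons.append({"src": src, "dst": dst, "dpt": dpt, "hits": len(stamps),
                            "interval_s": round(mean), "jitter": round(jitter, 3)})
    return beacons


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for host, dests in destinations_by_host(evs).items():
        print(host, "->", sorted(dests))
    for b in find_beacons(evs):
        print(f"BEACON? {b['src']} -> {b['dst']}:{b['dpt']} every ~{b['interval_s']}s ({b['hits']} hits)")
```

min_hits=4 and max_jitter=0.2 are starting thresholds. Legitimate updaters and IM clients also poll on schedules, so a hit is something to look up (who owns the address, does any installed software explain it), not proof on its own.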

Offline BucklingSpring

  • Thread Starter
  • Posts: 1640
« Reply #4 on: Sat, 21 May 2011, 20:28:15 »
I tried to relocate the page where I got hit... Couldn't :-(

Oh well.

Offline BucklingSpring

  • Thread Starter
  • Posts: 1640
« Reply #5 on: Sat, 21 May 2011, 20:31:48 »
My Java JRE was 6u13... Just updated to 6u25; it might have been a Java exploit... Who knows.

Offline keyb_gr

  • Posts: 2329
  • Location: Germany
  • Cherrified user
    • My keyboard page (German)
« Reply #6 on: Sun, 22 May 2011, 16:12:32 »
Any popular kind of plugin = larger target area, which is why my main browser is pretty "naked" in that regard (Java and Flash are only on by default in the secondary browser, which does all the "multimedia" stuff). Besides, you must have missed that GH got infected with some malware using a combination of Java and Windows Help Center vulnerabilities not too long ago.
Hardware in signatures clutters Google search results. There should be a field in the profile for that (again).

This message was probably typed on a vintage G80-3000 with blues. Double-shots, baby. :D

Offline bionicroach

  • Posts: 189
« Reply #7 on: Sun, 22 May 2011, 17:19:59 »
If you are a Google Chrome user, this tweak works pretty well to help stop plugins from running without your consent.

Offline DaemonRaccoon

  • Posts: 515
« Reply #8 on: Sun, 22 May 2011, 17:26:10 »
Windows XP? Well there's your problem.
122-Key Model F 6110345 1985-03-01 | Model M SSK 1391472 1991-01-22 | Rosewill RK-9000 v1 | KBC Poker X | Filco FKBN87M/PWE2

Offline Zamorph

  • Posts: 509
« Reply #9 on: Sun, 22 May 2011, 18:31:50 »
Quote from: DaemonRaccoon;349998
Windows XP? Well there's your problem.

XP is the best OS

Offline bionicroach

  • Posts: 189
« Reply #10 on: Sun, 22 May 2011, 18:50:23 »

Offline ricercar

  • Posts: 3315
  • Location: Silicon Valley
  • mostly abides
« Reply #11 on: Sun, 22 May 2011, 19:16:45 »
I got that same-ish security center intrusion the other week on Windows 7 and Firefox, calling itself Win7 Home Security. Since I use Windows 7 Enterprise, not Home, it was pretty easy to recognize as bogus.

It's a browser exploit, not an OS exploit. I got it surfing on Google images; no binaries were downloaded or executed by me. Made me really mad even when I realized it was relatively easy to clean up (assuming one has another machine to research and download the fixes, since it disables the target machine pretty thoroughly).

Beware: The legit Windows Security Essentials did NOTHING to protect from this intrusion.
« Last Edit: Sun, 22 May 2011, 19:19:05 by ricercar »
I trolled Geekhack and all I got was an eponymous SPOS.

Offline keyboardlover

  • Posts: 10201
  • Hey Paul Walker, Click It or Ticket!
    • http://www.keyboardlover.com
« Reply #12 on: Sun, 22 May 2011, 19:55:31 »
The latest stuff I'm seeing is all the same - JavaScript browser exploits which download Java executables to your local machine. Since most OSes have a JVM running, this is pretty scary. Means it doesn't matter what OS you use.

Make sure you use virus protection and it's up to date!

Offline bionicroach

  • Posts: 189
« Reply #13 on: Sun, 22 May 2011, 20:02:33 »
Quote from: ricercar;350028
Beware: The legit Windows Security Essentials did NOTHING to protect from this intrusion.

I'm seeing that more and more at work.  It's scary -- albeit kind of funny -- that our IT security guy tortures our poor end users with all manner of hellish Windows group policy lockdowns, performance destroying anti-virus utilities, etc, and we *still* get constant malware infestations.

The best defense is a solid backup strategy, including system image restore-from-bare-metal type of backups.  I rarely bother with trying to remove malware anymore, unless it's for fun / challenge reasons.  It's so much faster to just roll back to the most recent known-good system image.

Offline BucklingSpring

  • Thread Starter
  • Posts: 1640
« Reply #14 on: Sun, 22 May 2011, 20:08:08 »
Quote from: DaemonRaccoon;349998
Windows XP? Well there's your problem.

What are you using smart arse?

I bet I can get a load of CVEs for it as well.

Offline BucklingSpring

  • Thread Starter
  • Posts: 1640
« Reply #15 on: Sun, 22 May 2011, 20:15:35 »
Quote from: ricercar;350028
It's a browser exploit, not an OS exploit. I got it surfing on Google images; no binaries were downloaded or executed by me. Made me really mad even when I realized it was relatively easy to clean up


Quote from: keyboardlover;350035
The latest stuff I'm seeing is all the same - Javascript browser exploits which download java executables to your local machine. Since most OSes have a JVM running, this is pretty scary. Means it doesn't matter what OS you use.

Make sure you use virus protection and it's up to date!


You guys nailed it. NOT AN OS PROBLEM - but a BROWSER PROBLEM. As I wrote in the OP, that 0-day sh!t didn't have any problem bypassing the AV line. 36 of the 37 up-to-date mainstream AVs didn't catch it. The only one that did is well known for its false positives and doesn't have much credibility.
 
Quote from: bionicroach;350036
I'm seeing that more and more at work.  It's scary -- albeit kind of funny -- that our IT security guy tortures our poor end users with all manner of hellish Windows group policy lockdowns, performance destroying anti-virus utilities, etc, and we *still* get constant malware infestations.

The best defense is a solid backup strategy, including system image restore-from-bare-metal type of backups.  I rarely bother with trying to remove malware anymore, unless it's for fun / challenge reasons.  It's so much faster to just roll back to the most recent known-good system image.


That's Yoda-grade advice :-) I feel master level of the Force ;-)

Offline bhtooefr

  • Posts: 2474
« Reply #16 on: Tue, 24 May 2011, 16:05:47 »
Myself, I find that the best way to stay safe is to require all plugins to have user intervention to start. Opera can do it pretty easily, and Firefox can at least do Flashblock.

I've gotten owned by a bad Flash ad on a legit site, FFS.
want mature keyboard discussion? try deskthority.

Offline BucklingSpring

  • Thread Starter
  • Posts: 1640
« Reply #17 on: Tue, 24 May 2011, 16:29:43 »
Quote from: ripster;350868
Methinks Scott Adams also likes Amy Pond.

Do you own this trackball as well? ;-)

Offline BucklingSpring

  • Thread Starter
  • Posts: 1640
« Reply #18 on: Tue, 24 May 2011, 21:32:14 »
Quote from: ripster;350883
You're doing something wrong if you aren't staring at her legs.

You got a virus?


I like legs with a little more meat on them.

Figure Skaters ... Best to my taste.

Offline Zamorph

  • Posts: 509
« Reply #19 on: Wed, 25 May 2011, 09:49:11 »
Can anyone recommend a program to back up files?

Offline bionicroach

  • Posts: 189
« Reply #20 on: Wed, 25 May 2011, 10:07:58 »
Quote from: Zamorph;351257
Anyone recommend a program to backup files?


For file-based backup, my current favorite tool is CrashPlan.

http://www.crashplan.com/

Works on Windows, Mac, and Linux and is free for local or peer-to-peer backup.  Online subscription is pretty reasonable for unlimited data.

For smaller amounts of data, Dropbox is a decent backup solution as well, but it's really more suited for file sync than backup, IMHO.

For whole-system image-based backup, I use Acronis True Image.  My only complaint about it is that their new releases tend to be somewhat buggy.  Best to wait a while before upgrading each version.  Other than that, I haven't had any problems with it and it has saved my bacon a number of times.

A similar product that is also good is Macrium Reflect.  Not quite as full-featured as Acronis, but seems to work fine in my testing.

For a super lightweight solution, another nice imaging tool is Drive Snapshot.  The cool thing about it is that it is only like a 500k executable that requires no install.  (Unless you want the Windows file associations to browse its backup archives in Windows Explorer.)  The only real drawback is that it doesn't have any built-in scheduling capabilities for automatic backup, but if you're handy with batch files / powershell / etc, that's pretty trivial to do on your own.

And of course if you're using Windows 7 (Professional or greater, I think...?) full system image backup capability is included in the OS.

Offline bionicroach

  • Posts: 189
« Reply #21 on: Wed, 25 May 2011, 10:16:49 »
Quote from: ripster;351262
I use Acronis but am about to give SyncBack a whirl after seeing a writeup in Maximum PC.


SyncBack is a very nice tool.  I can only recommend the paid version of their product, though.  My quibble with the freeware one is that I noticed that it did not support Unicode characters in filenames when some of my backups were failing with bizarre error messages that made me think my hard drive was failing.  I emailed their tech support and got a snarky reply about how their product page for the freeware version *clearly* stated Unicode support wasn't included in the freeware version and that they couldn't add it because the third party library the product was based on didn't support it.  I argued that they could still put a decent error message in so as not to confuse the user, but they didn't agree and said they shouldn't even reply to my email since they don't offer support for their freeware.  This miffed me because I have been a paying customer of their flagship SyncBack Pro product for YEARS, and I mentioned this in my initial email...I also recommended that maybe they should just get rid of the third party codebase and release a crippled version of the Pro product to replace the old freeware (easier maintenance, I would think). But no go.

Offline keyb_gr

  • Posts: 2329
  • Location: Germany
  • Cherrified user
    • My keyboard page (German)
« Reply #22 on: Wed, 25 May 2011, 11:10:14 »
Something I just remembered: If your browser does any sort of "smart" prefetching, it may not be the worst idea to turn that off.

Offline BucklingSpring

  • Thread Starter
  • Posts: 1640
« Reply #23 on: Wed, 25 May 2011, 17:05:14 »
Quote from: ripster;351262
I use Acronis but am about to give SyncBack a whirl after seeing a writeup in Maximum PC.


Backup - I'm with Acronis too... I've heard a few horror stories about it, but so far it's been good to me.

For file sync, I have been using SuperFlexible for many years. Very very happy with it.
http://www.superflexible.com/

Offline iMav

  • babysitter
  • Location: Columbus, WI
  • "En casa del herrero, cuchillo de palo"
« Reply #24 on: Thu, 26 May 2011, 05:56:09 »

Offline BucklingSpring

  • Thread Starter
  • Posts: 1640
« Reply #25 on: Thu, 26 May 2011, 08:48:14 »
Quote from: iMav;351572
McAfee Online Backup of course!


Sigh, yet another product converted into a service... At this pace, we will rent word processor services and pay as we type...

I don't like to send all my data I don't know where, managed and accessed by I don't know who.

It takes less time to bring an external drive with TBs of data to a friend than to do the same over the wire.

But of course, offsite storage is a good $$$solution$$$... Corporations do it all the time (Iron Mountain, SunGard, etc...)

Offline BucklingSpring

  • Thread Starter
  • Posts: 1640
« Reply #26 on: Thu, 26 May 2011, 09:00:15 »
No longer 0-day... The good old reactive AV solution has reacted.
The culprit now has a name:

...\Local Settings\Temp\jar_cache105771765234917354.tmp - a variant of Win32/Kryptik.NZU trojan
...\SANDBOX\Virus\tjb.exe - a variant of Win32/Kryptik.NZU trojan

With the JAR crap (Java ARchive) in there, we can also conclude it was a Sun Java exploit. Thank you, Mr Unix.
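The two paths the AV finally named give a hunt its shape: a jar_cache<digits>.tmp file in the Temp folder (the Java plugin's download cache, so the JAR itself was the delivery vehicle) and a dropped executable. As an added example, not the poster's code, this Python script walks a directory, picks out those cache files and anything carrying a PE header by magic bytes, and hashes each hit for submission to a multi-engine scanner of the kind the OP used. build_sample_tree() writes constructed stub files into a fresh temporary directory so the script runs offline; the only real name in it is the jar_cache file from the AV log above, and the stub contents are not the malware.

```python
"""Hunt a Temp directory for Java plugin cache drops (jar_cache*.tmp) and
stray executables, and hash them for multi-engine scanner submission.

Added example, not the poster's code. build_sample_tree() creates a
constructed directory with stub files; the jar_cache file name is the one
from the AV log in the thread, the contents are placeholders. Magic bytes:
PK = ZIP/JAR, MZ = PE executable, CAFEBABE = Java class.
"""
import hashlib
import os
import tempfile
from typing import Dict, List

MAGIC = {
    b"PK\x03\x04": "jar/zip",
    b"MZ": "pe-executable",
    b"\xca\xfe\xba\xbe": "java-class",
}

# Constructed stubs: only the leading bytes matter for classification.
SAMPLE_JAR = b"PK\x03\x04" + b"\x00" * 26 + b"META-INF/MANIFEST.MF"
SAMPLE_PE = b"MZ" + b"\x90" * 58 + b"\x80\x00\x00\x00" + b"PE\x00\x00"


def classify(data: bytes) -> str:
    """Identify a file by its leading bytes, ignoring its extension."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "other"


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hunt(root: str) -> List[Dict[str, str]]:
    """One finding per jar_cache*.tmp file or PE-looking file under root,
    sorted by file name. Files are read whole, which is fine for Temp."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            kind = classify(data)
            is_jar_cache = name.startswith("jar_cache") and name.endswith(".tmp")
            if is_jar_cache or kind == "pe-executable":
                findings.append({
                    "path": path, "name": name, "kind": kind,
                    "size": str(len(data)), "sha256": sha256_bytes(data),
                    "reason": ("java plugin cache drop" if is_jar_cache
                               else "executable by header, not by extension"),
                })
    findings.sort(key=lambda f: f["name"])
    return findings


def build_sample_tree() -> str:
    """Write a constructed Local Settings\\Temp layout into a new temp dir."""
    root = tempfile.mkdtemp(prefix="temp-hunt-")
    temp = os.path.join(root, "Local Settings", "Temp")
    os.makedirs(temp)
    stubs = [
        ("jar_cache105771765234917354.tmp", SAMPLE_JAR),  # name from the AV log
        ("jar_cache5.tmp", b"not really a jar"),            # cache name, odd content
        ("notes.txt", b"shopping list"),                    # benign, ignored
        ("update.tmp", SAMPLE_PE),                          # PE hiding as .tmp
    ]
    for name, data in stubs:
        with open(os.path.join(temp, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for f in hunt(build_sample_tree()):
        print(f"{f['sha256'][:16]}  {f['kind']:14} {f['reason']:38} {f['path']}")
```

On a real machine point hunt() at the user's Temp folder (Local Settings\Temp on XP, AppData\Local\Temp later) and submit the SHA-256 of each hit rather than the file first; if no engine knows the hash, upload the file itself. Run it from a clean account or a second machine, since on the infected box EXE launches are exactly what the trojan has hooked.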

Offline DarthBaiter

  • Posts: 48
« Reply #27 on: Thu, 26 May 2011, 20:39:54 »
My son's system just got hit with that "Windows Security Center" crap.
Good thing I warned him about suspicious windows and not to click on anything, just shut the page down. He ran Restore... not sure if that's gonna solve anything.
Anyway, he tried to search for "Windows Security Center" on Google on the infected system and it kept returning a fake Google page... forgot to take a snapshot of it.
"GERONIMO E.K.I.A."




"Fluke...I\'m yo faddah....come join me on the Dockside...."

Offline ricercar

  • Posts: 3315
  • Location: Silicon Valley
  • mostly abides
« Reply #28 on: Fri, 27 May 2011, 09:41:16 »
Yes, this trojan disables your browser's trustworthiness: doesn't give valid results. I found that a second uninfected computer was needed to research and download the fixes.

Offline Crypt

  • Posts: 93
« Reply #29 on: Fri, 27 May 2011, 14:39:30 »
How does malware work on Win7?  Would UAC disallow this exe from running without permission?