rogue database

I had a customer call me today and complain that the Microsoft Security Essentials icon was missing.  After talking with him for a minute, he mentioned he had “Malware Professional 5.0” installed.  Huh?

He informed me that he paid $30 for it, and came across it on Piriform CCleaner’s website.  I don’t know about that, but I do know that Malware Professional 5.0 is a rogue.

My guess is that MP5 killed MSE.  It was not on the Add/Remove Programs list either.

I informed the customer of this and encouraged him to dispute the charge and get a different CC# on that account.



Criminals Hide Payment-Card Skimmers Inside Gas Station Pumps

A wave of recent bank-card skimming incidents demonstrates how sophisticated the scam has become

Feb 22, 2010 | 05:20 PM

By Kelly Jackson Higgins

Criminals hid bank card-skimming devices inside gas pumps — in at least one case, even completely replacing the front panel of a pump — in a recent wave of attacks that demonstrate a more sophisticated, insidious method of stealing money from unsuspecting victims filling up their gas tanks.

Some 180 gas stations in Utah, from Salt Lake City to Provo, were reportedly found with these skimming devices sitting inside the gas pumps. The scam was first discovered when a California bank’s fraud department discovered that multiple bank card victims reporting problems had all used the same gas pump at a 7-Eleven store in Utah.

Card skimming has been on the rise during the past year, with most attackers rigging or replacing merchant card readers with their own sniffer devices or ATM machines. The devices typically include a scanner, transmitter, camera, and, most recently, Bluetooth- or wireless-enabled links that shoot the stolen data back to the bad guys.

Read the whole article here.

Attackers going after end users rather than servers

The Web traffic study also finds issues with botnets, corporate policies, and outdated browsers
By Paul Krill, InfoWorld
February 22, 2010 08:01 PM ET

Rather than targeting Web and email servers, attackers these days are prone to going after enterprises from the inside out, compromising end user systems and then using them to access confidential data, according to a Web traffic analysis report by security-as-a-service provider Zscaler.

Based on a recent study of traffic passing through its global network, Zscaler’s “State of the Web — Q4 2009” report also notes trends including issues with botnets, corporate Internet access policies, and the use of the Internet Explorer 6 browser. Officially being released on Tuesday, the study analyzes Web traffic volumes covering several thousand Web transactions per second and hundreds of billions of Web transactions.

Zscaler found attackers were prone to embedding JavaScript or malicious iframes to pull content from an attacker’s server, whereupon the content is rendered in a user’s browser, said Mike Geide, senior security researcher at Zscaler, in an interview on Monday.

Read the whole article here.
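The injection pattern that excerpt describes (a hidden iframe or a script tag that pulls content from an attacker’s host, rendered silently in the victim’s browser) is easy to recognise once you know what to look for. The following is an added example of mine, not Zscaler’s or InfoWorld’s code: it walks an HTML page with the standard library parser and flags iframes hidden by size or style, script and iframe sources on a host other than the page’s own, and inline scripts that use the usual obfuscation primitives. The sample page and the “www.example.com” page host are constructed for illustration, and the size and keyword thresholds are my own heuristics.

```python
"""Flag the drive-by injection patterns described above: hidden iframes,
third-party script/iframe sources, and obfuscated inline script.
Added example; sample HTML is constructed, thresholds are heuristics."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a benign page with an injected 1x1 hidden iframe and an
# eval(unescape(...)) loader appended, the shape the Zscaler report describes.
SAMPLE_HTML = """
<html><head><title>Insurance lookup</title>
<script src="/js/app.js"></script>
</head><body>
<p>Enter your member number.</p>
<iframe src="https://maps.example.com/embed" width="600" height="400"></iframe>
<iframe src="http://evil.example.net/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<script>eval(unescape("%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65"));</script>
</body></html>
"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
OBFUSCATION = re.compile(r"\beval\s*\(|\bunescape\s*\(|document\.write\s*\(", re.I)


def _tiny(value):
    """True for a width/height of 0 or 1, the classic hidden-iframe size."""
    if not value:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


class InjectionScanner(HTMLParser):
    """Collects (kind, detail) findings while walking the document."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []
        self._in_script = False

    def _third_party(self, src):
        # Relative URLs have no hostname and are never third-party.
        host = urlparse(src).hostname
        return host is not None and host != self.page_host

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or ""
        style = a.get("style") or ""
        if tag == "iframe":
            hidden = (_tiny(a.get("width")) and _tiny(a.get("height"))) or bool(HIDDEN_STYLE.search(style))
            if hidden:
                self.findings.append(("hidden-iframe", src))
            elif self._third_party(src):
                self.findings.append(("third-party-iframe", src))
        elif tag == "script":
            self._in_script = True
            if src and self._third_party(src):
                self.findings.append(("third-party-script", src))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data as one chunk.
        if self._in_script and OBFUSCATION.search(data):
            self.findings.append(("obfuscated-inline-script", data.strip()[:60]))


def scan_html(html, page_host):
    """Return the list of (kind, detail) findings for one page."""
    scanner = InjectionScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_HTML, "www.example.com"):
        print(f"{kind:26s} {detail}")
```

Run against the sample it reports the maps iframe as third-party (informational; legitimate embeds and ad networks look the same), the 1x1 hidden iframe, and the obfuscated inline script. In practice you would feed it pages fetched through a proxy or pulled from a web server’s document root after a suspected compromise, and treat the hidden-iframe and obfuscation hits as the ones worth a look first.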

Stopping Stealthy Downloads

An Article by Brian Krebs

A new tool blocks files that try to install without alerting the user.

By Brian Krebs

Monday, February 22, 2010

Researchers at SRI International and Georgia Tech are preparing to release a free tool to stop “drive-by” downloads: Internet attacks in which the mere act of visiting a Web site results in the surreptitious installation of malicious software. The new tool, called BLADE (Block All Drive-By Download Exploits), stops downloads that are initiated without the user’s consent.

“When your browser is presented with an [executable file] for download, it’s supposed to prompt you for what to do,” said Phil Porras, SRI’s program director. But software can also be pushed onto an unsuspecting user’s computer without ever asking for permission.

Read the whole article here.

Good Guys vs Bad Guys: Bad Guys raising the bar

Makes you want to install Linux, yesterday. But, of course, that doesn’t really fix things since they’re IN THE COMPILERS NOW…. Sheesh.

February 22, 2010 6:47 AM

Perfect Hide Out Spot: Attackers Now Hijacking Compilers

Malware authors and distributors have been perfecting methods to hide the nature of their work for over a decade now, creating endless varieties of Trojans, backdoors and downloaders that appear to be one kind of program (think rogue AV), but of course turn out to be something far more ominous.

New evidence suggests, however, that cutting-edge malware creators are increasingly taking their obfuscation techniques to another level and manipulating program compiler runtime stubs, a method that essentially allows them to “hide in plain sight” by merely using attack delivery mechanisms that people and AV systems have not yet been programmed to look for.

Read the rest here.

A Restore Store Rant

I don’t “go off” too often, but I need to post this.

Of the several computers I’ve fixed this week, I have, no joke, radically fixed no fewer than 3, and improved one more, by removing all Norton / Symantec products.  On some I have had to run the “norton removal tool” in order to do so, as the software was not removable by normal means.

This “software” is absolute trash.  It is 100% junk.  Sure, I’ve found some “tests” online that say Norton A/V 2010 is doing great right now.  My own limited testing confirms that to be true.  However – the truth needs to be told.

This software is trash.  No matter how “well” Norton 2010 is performing, it is vastly and radically overshadowed by the abysmal and pathetic and downright MALICIOUS epic fails that I have dealt with – that are solely caused by the crapware that is all products NORTON.

Here’s an example – I’ve cleaned up two systems this week alone that were riddled with malware, and norton was also installed.  After removing the malware to which norton was oblivious, I was forced to remove the norton 360 product off of them both because the internet was inexplicably broken.  The services were running, TCPIP was running, it was connecting to the router, the browser was reset, there was no proxy, no firewall – but there was no surf.  After simply uninstalling (or running the norton removal tool) the internet access and the systems as a whole were perfectly happy.

Just now, another system was inexplicably unable to access the internet.  Norton was NOT installed, or so I thought.  As it turns out, the norton internet access filter or whatever it is called was installed in the network.  I disabled it.  No luck.  I uninstalled all remaining norton dreck I found in the add/remove programs area even though the AV was gone.  No luck.  Finally on a whim I ran the norton removal tool and that fixed it.  This system didn’t even have any serious malware, and it didn’t have norton installed!

And this is just the noteworthy issues THIS WEEK and it’s only WEDNESDAY MORNING!   I can’t tell you how many times since doing computer work full time that I’ve FIXED computer problems by REMOVING norton.  This software is supposed to HELP people, yet it BREAKS their systems.

At one time I was fixing no fewer than four systems at once with serious malware problems – all of them with Norton 2009 happily running along saying everything was perfect.  These people pay money for norton and it does NOTHING but rob them of performance, which they also paid for.

I had one customer who had a quad core computer with 4 gigs of RAM running XP.  This computer was months old.  It was running so slowly that it was a usability issue.  I fixed it.  Know what I did?  I UNINSTALLED NORTON 360.  Instant performance boost, like night and day.  They were happy, because I gave them their computer back.  Where is the outrage?

Yet, many many people just don’t “have” antivirus unless they “have” norton.  Every year, go and buy your norton and put it on.

Well, it will keep me busy.

Please, if anyone from Symantec comes across my post PLEASE post a comment or email me and tell me something, anything, in your defense.  Is it the malware guys attacking you because you are so prominent in the security field?  Are they hacking your warez and there is nothing you can do because you have such market share?  At least tell me something, but as it is I will keep removing your software as required and not recommending you to ANYONE – and people ask me all the time what to do.

At the moment I remove your products multiple times per week and install microsoft security essentials – my customers’ eyes light up when I tell them that it is good and it is also free and will continue to be free after the first year.

Again – anyone from norton or symantec please tell me what the deal is.  If I’m wrong and your software is NOT crap then I will apologize profusely.

Same goes for McAfee and Webroot.  Same story but it happens far less often.



I have a medical office customer who had a computer get infected with Malware yesterday.  This was a winXP machine, non-admin account locked down via a domain controller, and centrally administered A/V.  This computer is locked down so hard they can’t even install a printer without logging in as administrator.  The entire network is behind a $1500 firewall appliance, complete with its own paid antivirus and filtering subscription.

The malware completely “installed” a fake A/V, fakealert/loader, proxy, and began showing porn popups.  The customer was simply doing their job, going online getting insurance information.

This kind of malware is written to install without requiring true admin privilege, yet is not easily removed by folks not knowledgeable or well equipped.  The “malware” content isn’t really even detectable by any A/V, period, as it isn’t really a virus until after it runs.  But, it messes things up bigger than life when it does.

These kinds of malware basically can’t be stopped.  Day to day, amongst the networking and other stuff I do, maybe 80% is malware remediation.  80% of that is of the fake antivirus variety.
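Malware that installs without admin rights, like the fake A/V in that post, still has to persist somewhere the user can write: on XP that means the profile (Application Data, Local Settings\Temp, the desktop) plus the per-user HKCU ...\CurrentVersion\Run key, which a non-admin can write to freely. The following is an added example of mine, not a tool from this blog: it reads the text of a `reg export` of the HKCU Run key and flags entries that launch from a user-writable directory or that use a system binary’s name outside system32. The exported key text below is constructed for illustration (the “jdoe” profile, the numeric Application Data folder and the value names are made up), and the directory list is my own.

```python
"""Flag HKCU Run entries that launch from user-writable paths or impersonate
system binaries.  Added example; the .reg text below is constructed."""
import re

# Constructed sample of `reg export HKCU\Software\...\CurrentVersion\Run`.
# Two legitimate entries, one fake-AV dropper in Application Data, and a
# loader in Local Settings\Temp hiding behind the name svchost.exe.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Security Tool"="C:\\Documents and Settings\\jdoe\\Application Data\\17345\\Security Tool.exe"
"svchost"="\"C:\\Documents and Settings\\jdoe\\Local Settings\\Temp\\svchost.exe\" /s"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 9.0\\Reader\\Reader_sl.exe\""
'''

# Directories a non-admin user can write to (XP names and Vista+ names).
USER_WRITABLE = re.compile(
    r"\\(application data|local settings|appdata|temp|desktop|my documents|downloads)\\", re.I)
# Names that belong in %SystemRoot%\system32; anywhere else they are impersonation.
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "explorer.exe"}

# One exported REG_SZ value: "name"="value", with \\ and \" escaping inside.
ENTRY = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<value>(?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo .reg string escaping (doubled backslashes and escaped quotes)."""
    return re.sub(r'\\(["\\])', r"\1", s)


def _image_path(command):
    """Extract the executable path from a Run command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Unquoted: take everything up to the first .exe (XP paths have spaces).
    m = re.match(r"(.*?\.exe)\b", command, re.I)
    return m.group(1) if m else command.split()[0]


def parse_run_key(reg_text):
    """Return [(value_name, command)] for each entry in the exported key."""
    entries = []
    for line in reg_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((_unescape(m.group("name")), _unescape(m.group("value"))))
    return entries


def suspicious_entries(reg_text):
    """Return [(value_name, image_path, reason)] for entries worth a look."""
    out = []
    for name, command in parse_run_key(reg_text):
        path = _image_path(command)
        base = path.rsplit("\\", 1)[-1].lower()
        if base in SYSTEM_NAMES and "\\system32\\" not in path.lower():
            out.append((name, path, "system binary name outside system32"))
        elif USER_WRITABLE.search(path):
            out.append((name, path, "runs from a user-writable directory"))
    return out


if __name__ == "__main__":
    for name, path, reason in suspicious_entries(SAMPLE_REG):
        print(f"{name!r}: {path}  [{reason}]")
```

On a real machine, export the key with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` (the file is UTF-16, so open it with that encoding) and feed the text in; the same parser works on the per-user RunOnce key and on the Startup folder listing if you adapt the entry pattern. The two hits on the sample are exactly the kind of thing that survives a non-admin lockdown: nothing here needed write access outside the user’s own profile.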
