PLEASE Explain HOW "XP SECURITY 2012" Hijacked my system.

[GoldenEagles]

Could Someone PLEASE Explain HOW "XP SECURITY 2012" Hijacked my system?

Eight days before Christmas, my computer was hijacked by XP SECURITY 2012. I will not get into the details, as these are well known, and well documented now, and once you figure out how to get a command to run, Malwarebytes cleaned it out. (Well, except for one exe file which I had to delete manually for some reason).

This certainly fits the definition of SCAREWARE. With its capacity to take control of everything, and leave the user seemingly with no escape options.

After going through this ordeal, I just would like to know, how in the world did this thing get into my computer? I am looking for somewhat of a technical answer.

Of course, I know it was through a webpage ...

I was doing a google search, and I clicked on one item in the list of search results. When I clicked on the link, I noticed immediately that the page delivered was not the page I expected. I have seen this before, where a page is hijacked by malware, and the user is transferred to another page entirely, and quickly. As the alien page was loading, AVIRA signaled a detection. And yes, this is the URL I remember seeing at the time.

This entry is from my Avira webguard log:

12/17/2011,22:03:15 [DETERMINE] Malware found.

URL: h

tt

p://salepharmacy.in/content/field.swf

Contains recognition pattern of the EXP/SWF.AH exploit

Of course, that is not the link I clicked on. It was the URL I was surreptitiously delivered to. At the time, I clicked OK on the Avira dialog to block the execution of “exp/swf.ah”.

However, at that exact moment, my machine was taken over by the most insidious case of malware I have ever experienced. Avira did not detect or block this. It was XP SECURITY 2012.

This is my question: By what method does "XP SECURITY 2012" ride in, even under the nose of an Anti-Virus program that is supposed to have its eyes open? Could someone please give me an answer to this question?

Thank you.

GoldenEagles

[fivealive]

no every anti virus is going to catch everything id suggest if your using fiefox or google chrome to get the addons noscript and adblock plus

they should help this from happening again

about 2 years ago i was hit by a drive by download

that hacked my hotmail and none of my security stopped it or even detected it once i knew what was going on.

Since then i now use full version of malwarebytes and i use mse and noscript as well as adblock plus and iv yet to have another issu mind you i also restrict my web browsing

[GoldenEagles]

Thanks Fivealive for your response. This happened in Internet Explorer 8. And Yes, I have decided to run the full version of Malwarebytes from now on.

"i also restrict my web browsing" - that is not an option for me. I was doing research, and I was actually very deep into a Google results pagecount.

But I am still looking for a technical answer as to how a mature technology like Windows XP and IE8 can be exploited so easily. How does XP SECURITY 2012 do that?

[fivealive]

from my understanding it exploits weaknesses in your browser for instance out of date flash plugins or even out of date java

id still suggest changing your web browser to either firefox or google chrome there alot more secure and faster then explorer and as i said those addons are really helpful

[Firefox]

To avoid getting infected, you need to make sure you keep your computer fully patched at all times. This includes Java, Anti-virus, and any Microsoft Critical updates. Also running Malwarebytes PRO along side your antivirus will help in the prevention.

That being said, just because you have your system patched and up to day does not mean there is no chance you won't get infected, no one product can be 100% effective due to the way malware changes everyday.

Should you have any further questions don't hesitate to ask.

[GoldenEagles]

In a PC Magazine Review of Google Chrome 15, I noted this interesting statement:

"PCMag's security blogger, Larry Seltzer, considers Chrome path-breaking in a safety sense. The entire program architecture is internally sandboxed so that almost all vulnerabilities are unexploitable in any practical way. By integrating Flash, Google automatically updates it, which is certainly an important security advance, and as mentioned, that built-in plugin is now sandboxed in the Windows 7 and Vista versions of Chrome."

Does this articulate a valid reason why one might consider switching from Internet Explorer 8 to Google Chrome (running under Windows XP)?

I wonder as well, from a security standpoint, whether malware authors create their little poison darts to exploit Internet Explorer mostly, as that is what most people use, and leave the other browsers alone? And perhaps that might be another reason to move away from Internet Explorer [8]?

[fivealive]

well each browser has there issues but in this case chrome and firefox are generally alot faster when it comes to patching security holes

and as i mentioned those addons are a great help im sure you could ask someone to explain in better detail what exactly noscript does because quite frankly im not very good at articulating my self never mind explaining something i dont understand completely

but yes i strongerly urge you to switch to another browser

and as firefox said keep everything up to date

[DBrugge]

For the record, I got the same malware using Firefox.

[fivealive]

i didnt say it wasnt possible justthat ie isnt as secure

and if firefox is used with the addons i mentioned its alot more secure

[shadowwar]

As said before..

These come down through exploits in windows and other software. Keep up to date on windows updates, Java, Flash and Adobe pdf.

One program i recommend to keep up with this is:

http://secunia.com/vulnerability_scanning/personal/

Its free for home use and will tell you what software is out of date on your system and what has vulnerabilities.

This fake AV changes multiple times per day. So try to keep Mbam up to date as much as possible.

[GoldenEagles]

Thank you shadowwar for your response.

You say, "These [attacks] come down through exploits in windows and other software. Keep up to date on windows updates, Java, Flash and Adobe pdf."

Can you explain with a little bit more specificity what kind of weaknesses in Windows or other software XP Security 2012 exploits? Does it have a special door it keeps knocking on again and again? I always update IE8. It always has the most current patches. My Java is the latest version. I was not using PDF at the time, so we can count that out (?). Avira signaled a detection on an .swf file at the time of infection, as I noted above, but that was blocked. The XP Security 2012 exploit was either in progress at that moment, or a fraction of a second later.

[shadowwar]

Swf is flash so it was most likely using a flaw in that. Could be an older one where the patch would fix it and prevent it or a new 0-day flaw that adobe hasnt fixed yet.

[GoldenEagles]

shadowwar, in relationship to your secunia link, I have downloaded the program, installed it, and run my first scan.

All of the things that I use on a regular basis show patched.

However, there are 16 "end of life" items listed, that I don't use at all. But this brings up a question.

For example, take Real Player version 10 for example. (The latest version is 15). I have not updated it, because I don't use it. If I don't use it, I wonder what kind of a security threat it could be. Would it be possible for a website to embed realplayer media content, and actually invoke that older program with <embed> tags, and then exploit whatever weaknesses that older version might have?

[shadowwar]

If its installed its accessible so yes.

[iroc9555]

Besides the exelent advice given by shadowwar, fivealive,and firefox you might also consider doing your deep browsing " sandboxed ". I do not used Sandboxie but when I know that my browsing can lead me into murky waters I sandboxed Firefox with Comodo. Mind you, You will have some restrictions but it is better to be safe than sorry.

Regards.

[GoldenEagles]

Thanks, Hernan for bring up the "sandbox" principle.

So, if XP SECURITY 2012 still managed to get past both AVIRA and MALWAREBYTES, and into the "sandbox", when it executes, and makes those changes to the registry which gives it total control over what happens henceforth on the infected computer, then, in reality, it has only changed the settings in a "virtual" registry? Is that right? And when the sandbox is deleted, EVERYTHING that XP Security 2012 thought it had successfully done to the computer, can be deleted, just by deleting the "sandbox"?

(Something like throwing away a disposable hospital glove?)

[noknojon]

(Something like throwing away a disposable hospital glove?)

Almost, but NO setup is ever going to be perfect. It all depends on your browsing and clicking habits -

Even I have found this the hard way, and every person that clicks on a link they do not know 100% is at risk

You can only do YOUR best.

XP SECURITY 2012 changes quite often, so MBAM updates several times every day to try and catch up with these people -

I recall when it was XP Antivirus 2000 , Same program but a more basic version -

[GoldenEagles]

Thanks, noknojon, for your reply.

You say, "XP SECURITY 2012 changes quite often, so MBAM updates several times every day to try and catch up with these people"

You make it sound like these hackers have a palette of hacking options that is basically limitless. How accurate is that characterization?

[exile360]

Thanks, noknojon, for your reply.

You say, "XP SECURITY 2012 changes quite often, so MBAM updates several times every day to try and catch up with these people"

You make it sound like these hackers have a palette of hacking options that is basically limitless. How accurate is that characterization?

Fairly accurate. One of the things these malware creators do is scan their new, unreleased versions with security products, like Malwarebytes, to see if it gets detected or not, and if it does, they then modify the file until it is not detected any longer. We work very hard on our heuristics to make this more difficult for them, which does often work, but not always.

[GoldenEagles]

exile, thanks for your interesting comment. I will have to think about that for a while.

In the meantime, I would like to know, when people are surfing the web, why the operating system cannot simply throw up a message box asking the user if they will allow a new .exe file to be written to disk? As far as this XP SECURITY 2012 attack was concerned, a new .exe file was written to the hard drive in the midst of a web browsing session. If the operating system would have just asked me if I wanted that file written, I could have said NO. Why doesn't the Windows XP operating system give the user this simple and very basic level of protection? NO to new .exe files written to the hard drive while web browsing unless approved by the user? This seems like a no-brainer to me.

[exile360]

exile, thanks for your interesting comment. I will have to think about that for a while.

In the meantime, I would like to know, when people are surfing the web, why the operating system cannot simply throw up a message box asking the user if they will allow a new .exe file to be written to disk? As far as this XP SECURITY 2012 attack was concerned, a new .exe file was written to the hard drive in the midst of a web browsing session. If the operating system would have just asked me if I wanted that file written, I could have said NO. Why doesn't the Windows XP operating system give the user this simple and very basic level of protection? NO to new .exe files written to the hard drive while web browsing unless approved by the user? This seems like a no-brainer to me.

Many infections will get through due to exploits, usually in browser plugins such as Java or Flash player (that's why it's extremely important to uninstall any old versions of these plugins and be sure that you keep your current versions up to date). Other times they'll exploit the browser itself, for example, some rogues will target Internet Explorer, others target Firefox, and others target Chrome and even Safari.

Windows XP lacks UAC (User Account Control) a feature that exists in Vista and 7 that helps to mitigate such attacks, but not always.

Also make certain that you've got your OS updated (Windows Updates, including all service packs and new Internet Explorer versions etc.).

Aside from that, keep your antivirus and other security software (such as Malwarebytes) up to date at all times. The information here is an excellent resource on some things you can do to keep your system secure.

[GoldenEagles]

Thank you, exile, for the link. Lots of good information there.

Though I see that you made a thorough and conscientious effort to not address my previous very specific question. Is there a reason for that? Was the question so dumb, you did not want to shame me further by addressing it?

However, one thing that the information at your posted link led me to do was to visit the Windows Update site, which reminded me that I had hidden, over the last 8 months, all security updates having to do with Microsoft .net framework, all versions, 1.1, 2.x, 3.x, as none of them would install, and I could not find a solution to the issue, so I just hid them. (Secunia PSI scan did not catch this either) I spent New Years Day finally dealing with the issue. Many hours. I don't know whether this had anything to do with the XP Security 2012 hijack. But the problem is fixed now anyway.

In my research on the .net framework security update problem, I see lots of people have problems in that area, so I just wanted to note here, for the record, something the search engines will list, what the solution was in my case.

I used the .net framework cleanup tool, which anybody can find when they do searches on this issue (Method 2 here). Using that tool, which you download from a link from that page, I deleted all of the .net framework installations, all versions. This had to be done because none of them would uninstall through the normal process.

After deleting all versions with that tool, I sat back and said to myself, why go further? Who needs this .net framework stuff anyway? And then my eye caught something different in my system tray, where my APC PowerChute program was not working anymore, my APC was not communicating with the computer. That is the uninterruptable backup power source (UPS). I see I had a tangible reason to reinstall.

I then reinstalled .net framework 3.5 SP1 (which installs .net framework 2.0 automatically) using the link from the microsoft page noted above. It installed successfully. (I did not reinstall version 1.1.)

Then, using the Windows Update site, I applied numerous security patches to the .net framework 3.5 SP1, and all of them installed successfully.

In hindsight the solution was simple, though time consuming. As these installs drag on for quite a while.

Exile, perhaps you could comment on whether, in your judgment, these uninstalled security patches in .net framework, versions 1.1, 2.x, 3.x, could have contributed to the XP SECURITY 2012 hijacking that I experienced.

Thanks.

[John A]

I find that switching on ActiveX filtering in IE9 another useful trap (not available in XP). Also, I uninstalled all Java applications a few months ago and have yet to come across a web site that needs it.

[shadowwar]

Though I see that you made a thorough and conscientious effort to not address my previous very specific question. Is there a reason for that? Was the question so dumb, you did not want to shame me further by addressing it?

Windows XP lacks UAC (User Account Control) a feature that exists in Vista and 7 that helps to mitigate such attacks, but not always.

UAC is what you were talking about in your previous response having the ability to authorize running starting applications. XP does not have this built in. There are other programs to add it though.

I use this but unfortunately its no longer supported by the author anymore: http://download.cnet.com/ProcessGuard/3000-2239_4-10333974.html

I am sure there are other similiar programs out there i just never have looked personally.

Unless i missed it too he seems to have answered your questions. Would you mind restating what you would like answered?

Thanks

[Maurice Naggar]

<kibbitz>

.... comment on whether, in your judgment, these uninstalled security patches in .net framework, versions 1.1, 2.x, 3.x, could have contributed to the XP SECURITY 2012 hijacking that I experienced.

Thanks.

No, that is very doubtful. To get rogues such as that, all it takes is simply clicking a link (during a net search, for example) that leads to a site pushing the malware, what we call a drive-by infection, which appears to be your case. To whatever extent your .Net frameworks were out of date, I doubt that had something to do with getting a rogue like this.

Kudos on finding the .Net framework cleanup tool.

</kibbitz>