A lot of the recent Fake AV types are also taking advantage of SEO poisoning
( and/or DNS poisoning ) to get users to end up at a site with malicious
pages, but some of these malicious pages can be as simple as a Fake AV
warning in a browser, without any malware (yet) to socially engineer the end
user to click somewhere on the page.  This ‘click’ then activates code that
either infects the system, or grabs a payload from the mother ship.  In some
cases they take advantage of users having unnecessary elevated privilege to
turn off AV services long enough to infect the system, other times they take
advantage of software vulnerabilities to gain elevated privilege… 


There are multitudes of variants coming out weekly, and even daily… maybe a
dozen different under-the-hood mechanisms using the same social engineering
user dialog… buggers !


Erik Goldoff

IT Consultant

Systems, Networks, & Security 

'  Security is an ongoing process, not a one time event ! '

From: Jonathan Link [mailto:[email protected]] 
Sent: Thursday, May 05, 2011 4:30 PM
To: NT System Admin Issues
Subject: Re: Antivirus Center


Understood.  I knew there was a lag in the infection and you being able to
work on it.  Makes the ability to identify the infection source more
challenging.


On Thu, May 5, 2011 at 4:26 PM, John Aldrich <[email protected]>
wrote:

Only clue I have is that there was some sort of suspicious installer in his
temporary internet files. Not sure if it was a "drive-by" install or if he
actually clicked on something he shouldn't have. That's really the only clue
I have. First I knew of it, the user was calling me yesterday afternoon
saying he had firewall warnings, so I walked him through downloading
VipreRescue and when that didn't find anything, and he was still having the
pop-up warnings, I tried to get him to download MBAM, but he didn't want to
go through that and decided to send me his laptop. *shrug*
