How To: Remove Virus Trigger 2009

Yet another rogue spyware program on the loose, this time named “Virus Trigger 2009”.

One thing I noticed about this program is that the website looks quite professional and appears in the number 1 spot in Google when you search for the keyword “Virus Trigger 2009”. Nasty, huh.

Time to check this baby out.

After firing up my dummy box, I proceeded to download Virus Trigger 2009.

Screenshots

Like most rogue spyware applications, it’s hard to actually minimize or close the Virus Trigger window, especially when it prompts you to purchase the application.

Manual Removal of Virus Trigger 2009

Virus Trigger 2009 installs itself into the following folder.

c:\program files\VirusTriggerBin <- Delete this folder

Virus Trigger 2009 runs as the following processes.

VirusTriggerBin.exe and uninst.exe <- Use Task Manager to kill these processes

Removing from Startup

To remove this program from starting up when your computer starts, follow these instructions.

1) Click the start menu, then run
2) Type “msconfig” and hit enter
3) Click the startup Tab
4) Untick “VirusTriggerBin”
5) Reboot

The Solution

Whilst you can manually remove “Virus Trigger 2009” by simply deleting registry keys and files as per the manual removal stage featured above, it’s much easier to remove “Virus Trigger 2009” simply by using PCTools Spyware Doctor.


How To: Remove Ultra Antivirus 2009

Yet another nasty rogue anti-spyware program is amongst us, this time named “Ultra Antivirus 2009”. I managed to get this baby loaded on my test machine and boy did I let her rip!

Ultra Antivirus 2009 pretends to be an “Anti-Spyware” program, often tricking users into thinking it’s a legitimate program. The main goal of Ultra Antivirus 2009 is to trick users into purchasing the software, often by providing fake scan results and informing the user that the software has detected threats on the computer.

But alas, that is not true, and when reality kicks in your computer is in fact fine. Ultra Antivirus 2009’s main goal is to get you to purchase their product!

For god’s sake, DON’T DO IT!

Screenshots

Analysis Stage

Ultra Antivirus 2009 installs itself into the following folder.
c:\program files\UltraAv <- Delete this folder!

Through some analysis, I uncovered that Ultra Antivirus 2009 connects to the following server in order to retrieve new information regarding payment details.
Internet Protocol, Src: 91.208.0.223 (91.208.0.223)
Not Good ..

Removing from Startup

To remove this program from starting up when your computer starts, follow these instructions.

1) Click the start menu, then run
2) Type "msconfig" and hit enter
3) Click the startup Tab
4) Untick "UltraAV"
5) Reboot

The Solution

Whilst you can manually remove Spyware protector by simply deleting registry keys and files as per the Analysis stage featured above, it’s much easier to remove Ultra Antivirus 2009 simply by using PCTools Spyware Doctor.


Remove Win32/Heur Virus

So a friend of mine had a virus called “Win32/Heur”. According to research, the Win32 Heur virus spreads via peer-to-peer programs such as iMesh, WinMX, Ares and torrents. This virus is nasty for a few reasons:

  • It actually records your browsing activities and displays advertisements to you based on your usage.
  • It de-activates your anti-virus and firewall programs.
  • It spreads like crazy!

How can I fix this?

To remove the Win32/Heur virus I ended up getting my friend to download PCTools Internet Security, which completely removed the virus.

It’s free to download, so give it a try!


How To: Configure IPSec with Sonicwall

A few months ago, I had the pleasure of installing and configuring a VPN link between an outdated Linux box and a Sonicwall TZ170. Oh the joys I had in getting this to work ..

The Sonicwall device was located in a data center, whilst the Linux machine was located in an office protecting a 192.168.0.0/24 network, and my task was to join the two devices using IPSec. The best way to illustrate this setup is by displaying the configuration files. As an example, the following are the IP addresses used in the config samples.

Sonicwall TZ170 = 111.111.111.111
Linux machine = 222.222.222.222

The Linux IPSec Server

The Linux server is running Debian, so a simple “apt-get install ipsec” had IPSec installed in no time.
Initially, I decided to use a simple preshared password for authentication. PLEASE NOTE the order in which my ipsec.secrets file is displayed; there are many articles on Google which flip the left and right sides around.

My /etc/ipsec.secrets file

222.222.222.222 111.111.111.111 : PSK "test"

My /etc/ipsec.conf file

conn sonicwall
        auth=esp
        authby=secret
        auto=add
        esp=3des-sha1
        ike=3des-sha1
        keyexchange=ike
        keyingtries=1
        pfs=no
        type=tunnel
        left=111.111.111.111
        leftsubnet=111.111.111.111/32
        leftnexthop=%defaultroute
        right=222.222.222.222
        rightsubnet=192.168.0.0/24

The Sonicwall TZ170

Please note, even one incorrect setting will render your IPSec connection useless so triple check everything. Once logged into the Sonicwall TZ170 device, click the VPN menu then click the “Add” button.

To get this point-to-point VPN working with a Linux server using IPSec, you MUST use the exact details in the following diagrams. Simply substitute 111.111.111.111 with the public IP of the Sonicwall device and substitute 222.222.222.222 with the public IP of the Linux server.

Where it has “Choose Local network from list”, you’ll need to create a network object which represents the local network you’re protecting. In my example it was 192.168.0.0/24. Where it says “Choose destination network”, you’ll need to create a network object that represents the Linux server, so for this example it would be a single internet host with an IP of 222.222.222.222.

Once both sides have been configured, switch back to your Linux machine and from the console (be sure you’re logged in as root) simply type:

ipsec auto --up sonicwall

Hopefully you see something like the following (the main part to look for is “established”):

Oct 23 20:54:06 localhost pluto[18968]: "sonicwall" #2411: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}

If you run into trouble, look through the logs on the Sonicwall to see why the connection failed. Another good place to look is on the Linux machine under /var/log/secure.
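Rather than only checking that log line for “established”, it is worth auditing what was actually negotiated. The following Python snippet is an added example, not code from the post: it parses the pluto “ISAKMP SA established” line and the conn block above and flags settings that are weak by today’s standards (3DES, SHA-1, the 1024-bit modp group and pfs=no). The sample log line and conn block are copied from the post; the weakness assessment is ours, not the post’s.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the pluto line the post shows after "ipsec auto --up sonicwall".
SAMPLE_LOG = (
    'Oct 23 20:54:06 localhost pluto[18968]: "sonicwall" #2411: STATE_MAIN_I4: '
    'ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 '
    'prf=oakley_sha group=modp1024}'
)

# Constructed sample: the crypto-relevant lines of the post's conn block (entries indented as ipsec.conf requires).
SAMPLE_CONF = """conn sonicwall
        authby=secret
        esp=3des-sha1
        ike=3des-sha1
        pfs=no
"""

# Choices we would flag today (our assessment, not the post's). pluto prints the SHA-1 PRF as "oakley_sha".
WEAK_PATTERNS = [
    (re.compile(r"3des"), "3DES has a 64-bit block; prefer AES"),
    (re.compile(r"sha1|oakley_sha$"), "SHA-1 is deprecated; prefer SHA-256"),
    (re.compile(r"modp1024"), "1024-bit DH group is too small; prefer modp2048 or larger"),
]

ESTABLISHED_RE = re.compile(r'"(?P<conn>[^"]+)" #\d+: \S+: ISAKMP SA established \{(?P<params>[^}]*)\}')

def parse_established(line: str) -> Optional[Dict[str, str]]:
    """Return the negotiated IKE parameters from an 'ISAKMP SA established' line, else None."""
    m = ESTABLISHED_RE.search(line)
    if not m:
        return None
    params = dict(kv.split("=", 1) for kv in m.group("params").split())
    params["conn"] = m.group("conn")
    return params

def parse_conn(text: str) -> Dict[str, str]:
    """Parse one ipsec.conf 'conn' section into a dict (section name stored under 'conn')."""
    out: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("conn "):
            out["conn"] = line.split(None, 1)[1]
        elif "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out

def audit(params: Dict[str, str]) -> List[str]:
    """Return one finding per weak setting in a parsed log line or conn block."""
    findings: List[str] = []
    for key, value in params.items():
        if key == "conn":
            continue
        for pattern, reason in WEAK_PATTERNS:
            if pattern.search(value.lower()):
                findings.append(f"{key}={value}: {reason}")
    if params.get("pfs", "").lower() == "no":
        findings.append("pfs=no: no Perfect Forward Secrecy; set pfs=yes")
    return findings
```

Running audit(parse_established(SAMPLE_LOG)) on the post’s own line yields three findings (3DES cipher, SHA-1 PRF, modp1024), and the conn block adds the missing PFS.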

How To: Remove MS Antivirus 2008

The latest edition in rogue antispyware programs, MS AntiVirus, looks and feels like a regular antispyware application, but is in fact deadly as hell.

For those that don’t know, a “Rogue Anti-Spyware” program is a fairly new form of threat that entices users to download a program to protect their PC, but in fact the software they download is a form of malware, designed to entice users to pay for the software, in order to remove it. The main goal of Rogue Anti-Spyware programs is to make money, infecting and performing unwanted actions on your PC is just a measure in order to get you to “pay up”.

I wanted to see this MS AntiVirus 2008 program in action, so I fired up my Windows XP test box and gave it a whirl.

First I infected my PC with the MS AntiVirus program

See how MS AntiVirus 2008 looks and behaves like an AntiSpyware program, designed to trick the user that it is a legitimate program.

Fake infection

The below screenshot shows MS AntiVirus 2008 telling me that my system is infected. Rogue AntiSpyware often uses “fake spyware results” to inject fear into the user, so they feel the need to buy the software to remove the “fake results”.

MS AntiVirus 2008 communicating to a third party

The below screenshot shows the packet sniffing software Wireshark detecting MS AntiVirus 2008 talking to a third party web service, namely a Mac OS web server called “WebObjects” – nasty stuff.

Okay, it’s time to get rid of this nasty program; time to whip out AdAlert.

Removing MS AntiVirus XP with AdAlert

I cracked open AdAlert and performed a full scan; below are the results.

The result: A clean system
AdAlert managed to disinfect my heavily infected system, deleting key registry files, application files and desktop shortcuts – no traces of MS AntiVirus 2008 are left behind.

If you’re infected with MS AntiVirus 2008 and are looking for an easy, fast way to remove it – I suggest you give AdAlert a whirl. You can download AdAlert here.

Download AdAlert for Free now!

Possible HIFRM – Trend Micro’s annoying popup

If you’ve been experiencing a pop up from Trend stating something about a “possible HIFRM”, then no fear – we can tell you how to get rid of this annoyance!

1) Click the Start menu and select Control Panel
2) Double click Internet Options
3) Under the General tab click the Delete files button, under the Temporary Internet Files section.
4) A new dialog will appear, click the “Delete all offline content checkbox” and click OK.
5) Click on and close Internet Explorer.

You will also need to delete your Windows temporary files.

1) Click on START >> RUN.
2) Type in TEMP then click on OK.
3) On the upper-left on that window, click on EDIT and then SELECT ALL.
4) Now press the SHIFT and DELETE keys simultaneously to delete all the contents of that folder.

Reboot your computer! The HIFRM message should not appear now.

Howto: Remove Virtumonde

If you’ve managed to attract the known trojan VirtuMonde, then you’re in trouble. This nasty trojan is known to act as a rogue antispyware program, showing advertisements and popups on your machine. Not only will it make your machine run slow, but it is also known to perform denial of service attacks on websites of the attacker’s choosing.

Technical Details

If you’re receiving popups that advise you to install software to fix “system deterioration”, then you most likely have the Virtumonde trojan. Other symptoms include a disabled Windows Registry Editor and a hidden taskbar.

Removal

The first step in removing the trojan is to stop it from launching upon startup.
Delete the following registry keys. (If not possible, launch regedit from Safe Mode.)

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"WindowsUpd"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"SysUpd"

Because this trojan generates randomly named dll files in your windows/system32/ folder – we cannot suggest an exact guide to removing the virtumonde trojan. Instead you’ll need to download an up to date Anti-Virus engine in order to scan your entire system, and remove this virtumonde trojan.

Don’t have a virus scanner? Try Kaspersky’s 30 day free trial.

How To Remove Spyware using AdWareAlert and NoAdware

Weird popups? Porn? Messages advising you to purchase products? Internet Explorer homepage keeps changing? Did your wallpaper disappear? System running slow?

All of the above are symptoms of spyware, which may have been introduced to your machine via various methods, including ActiveX downloads and software you installed on your PC (such as Kazaa and other P2P programs).

You did not authorize these applications to install onto your PC – so why are they there?

For a bit of fun and games, I decided to be the test dummy. After firing up VirtualBox running a clean install of Windows XP, I proceeded to install various ‘known’ applications that included spyware. These included Kazaa, Performance Optimizer, Bonzi Buddy and XP Antivirus 2008.

After I had installed these applications, I was infected with spyware – there was no doubt about it. Here’s a few screenshots of my system;

XP Antivirus 2008 informing me that I have a ton of viruses :) .. *cough* fake!

Who likes my new wallpaper?

Internet Explorer Hijacked!

Some funky looking Windows processes

Removing them all

If you perform a Google search for “Anti-Spyware”, you will be bombarded with hundreds of applications which promote “Greatest protection”, “Instant spyware removal” and “Free scan now”. I decided to give two programs a whirl, and they were:

NoAdware and AdwareAlert

NoAdware

NoAdware is a lightweight antispyware application designed to dig deep within your system to find traces of spyware, dialers and adware. It also has a number of PC Shields, designed to lock down certain parts of your system so that spyware cannot perform any modifications. This includes locking down your IE homepage, IE favorites and your Windows hosts file.

While NoAdware managed to remove the majority of spyware found on my dummy PC, it wasn’t able to fully remove AntiVirus 2008 – which as I mentioned before is a NASTY spyware application designed to try and sell you products, whilst providing FAKE virus results.

Download NoAdware

AdwareAlert

The thing that impressed me the most about AdwareAlert is that it actually detected XP Anti-Virus in its scan results, whereas NoAdware didn’t. The software promotes its “3 way protection” system, whereby AdwareAlert scans, deletes and protects your system – pretty straightforward really. AdwareAlert also has an inbuilt quarantine system and the ability to add programs to an ignore or white list.

Overall AdwareAlert was able to clean the system and restore my dummy system to its former state.

Download AdwareAlert

Howto: Remove W32/Spar virus

The W32/Spar virus is a nasty little thing that is often found embedded in files you may have downloaded through P2P programs such as Kazaa and Limewire.

You may find an annoying popup which states:

Patch applied succesfully! If your software is still trial maybe you need to install it before patch it.

To remove this virus, follow these steps:

Remove the following registry entries

Start>run>regedit

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Windows Printing Driver
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\WinSpooler.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WinUpdating
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\WinUpdating.exe

Then reboot your machine. The above step will stop the virus from launching upon startup, but you will still need to clear it from your system. I suggest you download and install an Anti-Virus program such as Kaspersky or AVG.

How To: Remove AntiMalware Guard

If you’ve been unlucky enough to install AntiMalware Guard, then you might have some difficulty in removing it. AntiMalware Guard poses as a fake anti-spyware program and is designed to show FALSE spyware results. To kill and remove AntiMalware Guard, you are going to have to do a little digging, so let’s get started.

Kill the process

First of all, kill the executable which should show in your processes list as

“AntiMalwareGuard_Free[1].exe”.

Remove registry entries

Next, fire up regedit (Start>run>regedit) and proceed to delete the following keys/folders if they exist.

HKEY_LOCAL_MACHINE\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\AntiMalwareGuard

HKEY_CURRENT_USER\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\AntiMalwareGuard

Reboot

Reboot your computer and AntiMalware Guard should be gone!

However I cannot state this enough, you must install and have an up to date AntiVirus and AntiSpyware application to stop threats like this from entering your computer in the first place. I’ve reviewed popular antispyware products AdAlert and NoAdware here.
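Every manual removal above (Virus Trigger 2009, Ultra Antivirus 2009, Virtumonde, W32/Spar and AntiMalware Guard) comes down to the same check: which autostart entries point at the rogue program. As an added example that is not code from these posts, the following Python audit reads the Run keys the posts name and flags the value names and binaries they list. Assumptions: the msconfig Startup entries (“VirusTriggerBin”, “UltraAV”) come from the Run keys, AntiMalware Guard is matched on its process name, and the sample entries are constructed (RANDOMNAME.dll stands in for Virtumonde’s random DLL name).

```python
import re
from typing import Iterable, List, Tuple

Entry = Tuple[str, str, str]  # (registry key, value name, command the value points at)

# Autostart keys named in the posts above. Assumption: the msconfig Startup entries come from the Run keys.
RUN_KEYS = [
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"),
]

# Value names and binaries the posts associate with each rogue program.
ROGUE_MARKERS = {
    "Virus Trigger 2009": ["VirusTriggerBin"],
    "Ultra Antivirus 2009": ["UltraAV"],
    "Virtumonde": ["WindowsUpd", "SysUpd"],
    "W32/Spar": ["Windows Printing Driver", "WinSpooler.exe", "WinUpdating"],
    "AntiMalware Guard": ["AntiMalwareGuard_Free"],
}

def classify(entries: Iterable[Entry]) -> List[dict]:
    """Return entries whose value name or command contains a marker as a whole word."""
    hits = []
    for key, name, command in entries:
        haystack = f"{name} {command}".lower()
        for program, markers in ROGUE_MARKERS.items():
            # Whole-word match so "WindowsUpd" does not fire on a legitimate "WindowsUpdate".
            if any(re.search(r"\b%s\b" % re.escape(m.lower()), haystack) for m in markers):
                hits.append({"program": program, "key": key, "name": name, "command": command})
                break
    return hits

def collect_run_entries() -> List[Entry]:
    """Read the autostart values from the live registry (Windows only; uses winreg)."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    entries: List[Entry] = []
    for hive, path in RUN_KEYS:
        try:
            with winreg.OpenKey(hives[hive], path) as k:
                for i in range(winreg.QueryInfoKey(k)[1]):
                    name, data, _ = winreg.EnumValue(k, i)
                    entries.append((f"{hive}\\{path}", name, str(data)))
        except OSError:
            pass  # key does not exist on this machine
    return entries

# Constructed sample mirroring the posts; RANDOMNAME.dll is a placeholder for Virtumonde's random DLL name.
HKLM_RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_ENTRIES: List[Entry] = [
    (HKLM_RUN, "VirusTriggerBin", r"C:\Program Files\VirusTriggerBin\VirusTriggerBin.exe"),
    (HKLM_RUN, "SysUpd", r"rundll32.exe C:\WINDOWS\system32\RANDOMNAME.dll"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run", "WinUpdating", r"C:\WINDOWS\WinUpdating.exe"),
    (HKLM_RUN, "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),  # benign, must not be flagged
]
```

On a Windows host, classify(collect_run_entries()) audits the live Run keys; elsewhere classify(SAMPLE_ENTRIES) exercises the same logic against the constructed sample.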

Dan Kaminsky’s DNS exploit released

A few weeks ago, Dan Kaminsky published information about a flaw in the DNS protocol that could allow attackers to compromise DNS records.

“We worked with vendors on a coordinated patch,” said Kaminsky, noting this is the first time such a coordinated multi-vendor synchronized patch release has ever been carried out. Microsoft, Sun, ISC’s DNS Bind, and Cisco have readied DNS patches, said Kaminsky.

Today the exploit was released to the world, and is available on Metasploit.
http://www.caughq.org/exploits/CAU-EX-2008-0002.txt

Preconceptions About Network Security

A common preconception about network security is that as long as the firewall is working and preventing all unauthorized access to internal devices (that’s incoming traffic), then the firewall is doing its job. However this often isn’t the case, and a number of recent attacks have proved this. This misconception is held amongst many sys admins and their IT managers, who often turn their back on security news with the idea that because they have a firewall, they are protected.

I wanted to demonstrate how an attacker with a targeted victim can gain access to and infiltrate an organization’s network.

When I say targeted victim, I mean the attacker specifically wants to target a certain organisation and has re-arranged his tools to suit the environment at hand. Many of these attacks are planned and a rough outline can be seen below.

For this little example, let’s call the attacker Bob and the company “Widgets Limited”.

Attackers goal: Bob wants to gain access to Widget’s internal network.

Bob knows that Widgets has a strict firewall policy which has a number of open ports such as SMTP and FTP. After failing to exploit these two services, Bob moves on to a more complex approach using a little social engineering and a basic web vulnerability.

Step 1:

Bob visits social networking site; linkedin.com and looks for employees that work for Widgets. He finds out that Lisa and Mary both work for Widgets and have each other on their friends list. (Concept works for Facebook too)

Step 2:

Through the use of Google, Bob may be able to tell what email address format Widgets use (“@widgets.com”) and therefore will be able to determine whether the company uses simply “Lisa@widgets.com” or perhaps “lisa.lastname@widgets.com”.

Step 3:

In the next step, Bob sets up a website with javascript code known to exploit either Internet Explorer or other addons such as Adobe Flash player. (An exploit was found in the version of Adobe Flash that comes with Microsoft’s XP service pack 3.)

Step 4:

Remember those two Widgets employees Bob found earlier? Bob can then send Lisa an email with a link to the website he created, and by spoofing the sender address, can make it look like it came from Mary, the other Widgets employee. Bob uses the address format he found in Step 2 so that it’s sent to the correct Lisa. Bob might make the email say something like “Checkout this funny video”.

Step 5:

When Lisa visits the page, the exploit is injected into the operating system – which is most likely shell code designed to perform a certain function, or perhaps a trojan is loaded allowing Bob to take control.

But how can the attacker connect to Lisa’s machine; there’s a firewall!!

Why should sys admins restrict outbound traffic, I mean my employees aren’t hackers!

Ah but most firewalls generally allow outgoing traffic, so Bob configures the trojan to use a Backconnect script which tells the trojan to make a connection BACK to Bob’s computer – bypassing the firewall.

As you can see in this example, Bob is able to achieve his goal of gaining access to the Widgets network. From here, Bob could run network scans on internal subnets to assess further machines he could compromise. Have an unpatched domain controller? Bam – Bob is in and you don’t want to know what damage he can do. Bob could also use ARP poisoning tools which will allow him to perform man-in-the-middle attacks (article coming soon), which allow data from a particular host to be routed through a certain network device.

What can I do to stop this?

Keep your Anti-Virus up to date!

Ensure all PC’s have an updated anti-virus program designed to be proactive! (Kaspersky 6.0 for workstation does a great job at this!)

Patch your network devices!

Nessus is a vulnerability scanner which has the ability to scan all machines in a particular subnet. Nessus can report:
-Hosts that need Microsoft updates
-Hosts that have exploitable software (such as Adobe Flash, old versions of Firefox, IE, etc.)

Limit outgoing traffic!

Create a firewall policy to only allow outgoing traffic on the ports people need! If your clients only need web access to browse the web, only open port 80! While this might help prevent Bob from using a backconnect script, he can always connect through port 80 ..

I’d love to hear people’s thoughts on this topic, so feel free to add comments! Valuable comments will have their content injected into the post to help educate others.
