Wednesday, March 10, 2010

the anatomy of a fakealert infection

Over the last year, a new type of virus (malware) has become prevalant. The weird part is that antivirus vendors are way behind on detecting these new viruses. It seems new generations of these viruses change just enough to evade detection. This post will show you what it typically looks like when you are infected with one of these viruses - called fakealert viruses.

It starts by visiting an infected site. These don't necessarily need to be inappropriate sites. You can visit an infected site from a regular innocuous google search.

You start by getting a pop-up like this:

For some viruses, hitting OK might infect you - or it might be hitting any of the buttons in the pages that follow. What you're seeing here is a web site pop-up with words on it. It could just as easily be telling you the plot of last night's CSI: Miami. A web page can display anything as you will soon see. In this case, it just happens to be misleading text. The virus can't just infect you - it needs a little help from you in order to run a script.

If you hit ok, you often get something like the screen below. Again, it looks like something your computer is telling you - but it's just a web page. It could be a spoiler for Dancing with the Stars, but it's just an image and text that someone chose to put on there. Nothing is really scanning.

If you try to close the browser, it won't let you. No matter what you try, you get something like this:

And then it will often try to run/download a file to further infect you.

Another example of what you might see:


So what is the answer? You've found your way to a web page that you can tell is trying to infect you - but it's hard/impossible to close your browser (the example here is Firefox - but Internet Explorer is vulnerable as well).

The answer is to close your browser with Windows Task Manager before you can be infected. Hit control-alt-delete and the start the Task Manager. Find your browser on the applications tab (either Internet Explorer or Firefox) and hit end task. This will close your browser without the annoyances and get rid of the potential infection before you are infected (presuming you didn't interact with virus/malware in the web page).

So that's pretty much it. That's what you should be looking for and the best way to avoid infection if you come across these types of viruses/malware. If you find yourself infected, you can use the tools listed here to disinfect your computer.

UPDATE - Symantec talks about fakealert viruses here:

Still no improvement on the handling of these types of malware. Very lame.

No comments: