Are you just one click away from disaster? The following post on ASP forums woke me out of my complacency (reproduced with the author’s kind permission):
It happened to me today with FireFox 3.
While searching Google for some information on a movie I watched recently (wasting time, more or less), I clicked on a link that I thought was to IMDB. I only glanced at it in the Google search results before I clicked on it. As soon as the page loaded the browser closed, my desktop background was changed and some sort of fake scanner window showed up. Then I saw desktop icons appear. Then a BSOD, or so I thought.
It turns out it was a pretty common piece of malware called Smitfraud combined with a fake AV malware software called “AntiVirus XP 2008”. They kept asking me to register the software in order to clean the 2700+ viruses that it found during its “scan”. The BSOD was a cleverly designed screen saver, I assume designed to make a user reboot without trying any real scanner software.
Luckily I use Acronis TrueImage to do incremental backups every night so restoring to what I had at 4AM this morning only took about an hour but it really woke me up. I had disabled the Avast resident scanner a few days ago thinking that I didn’t need it – I mean, I don’t download random EXE files from the net, I don’t visit “bad” sites and I don’t use any p2p file sharing network so I’m safe – right? WRONG! Talk about a humbling experience. Here I am, an uber nerd, and I just had my entire system hosed in about 4 seconds by visiting a website. If I weren’t obsessed with backups and redundancy I could have lost the source code to all of my software or worse, allowed some cracker kid to install a rootkit and gain access to my desktop on demand. Talk about a nightmare!
I can only assume I ran into a site exploiting some new QuickTime or Flash vulnerability. I definitely didn’t download and run anything from the website – I only clicked the link from Google.
If I could remember the site I would try to return to it in a VM with anti-virus software enabled to see if it could catch it before bad things happened. I can only hope that my huge mistake of not turning on my AV software’s resident scanner was the main thing that allowed the software to be installed.
I’ve since started using OpenDNS.org, set Acronis to do incremental updates twice a day, enabled Avast’s resident scanner and installed the Teatimer program from Spybot Search & Destroy. Oh, and I uninstalled Flash and QuickTime just in case (though I checked and I had the most recent versions of both!).
Mitchell Vincent, www.ksoftware.net
The responses included several suggestions to use the ‘Noscript’ add-on for FireFox. I have been trying it for a few days. It is slightly annoying to keep on having to OK scripts on trusted sites. But that seems a price worth paying. And don’t forget to do your back-ups.
Great post, Andy!
Also, keep your Java Runtime updated. I recently helped a relative with a pretty nasty malware infection — the initial infection installed several other pieces of malware (including Smitfraud mentioned above). The consensus on some security forums agreed that one possible culprit was an old version of Java 1.4, circa 2005. The Sun autoupdater was disabled and it hadn’t been updated since the computer was new.
Pass on my condolences for his experience to Mitchell.
We’ve had this problem for a long time now (malware, poisoned sites etc). But it’s getting to the point of being a pandemic. I mean, CBS was done over recently (along with a few other large sites). Sooner or later we’ve got to come up with a better system than the ones we’re using now. Like a rewrite of the Windows kernel (like that’s going to happen).
Actually, *all* that happened to this guy was that he saw some maximized browser windows with content imitating BSOD and whatnot. Closing the browser was all he had to do.
Sensational story with no leg to stand on. Move on.
>Actually, *all* that happened to this guy was that he saw some maximized browser windows
How do you know? If it was a buffer overflow exploit couldn’t it also have done unpleasant things at the OS level (modifying the registry, files etc)?
Simple solution: upgrade to Vista. It is more secure, along with many other benefits.
I got the same one yesterday. It dropped 4 files into my system32 folder, which were easy to delete, one of which was a.exe, a trojan. It modified my notepad2.ini file for some unknown reason. It also made some registry entries disabling my desktop and screen saver tabs under desktop properties. Spybot S&D identified it as smitfraud, but failed to remove it completely; it reinstalled from a temp file upon reboot. Smitfraudfix removed the remnants quite nicely. Pain in the ass though.
How did you find out what it had done?
I agree with Nick. While it’s far from perfect, it’s a big step in the right direction when it comes to securing a system (providing that you don’t go and turn all of it off).
Check out the date-created timestamps on your system32 files. Any files created or altered at the time of infection are highly suspect.
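One way to turn that check into a repeatable scan, as an added example that is not the commenter’s or the original post’s code: it walks a directory (point it at System32 on Windows), records each file’s creation and modification timestamps, and lists the files that fall inside a window around the suspected infection time. The one-hour window, the temp-dir demonstration and the sample file names are constructed assumptions.

```python
"""List files whose creation or modification time falls inside a window
around a suspected infection time (constructed example, not from the page)."""
import os
import tempfile
import time
from dataclasses import dataclass


@dataclass
class FileRecord:
    path: str
    mtime: float  # last content modification, seconds since the epoch
    ctime: float  # creation time where the platform exposes it (see below)


def collect_records(root):
    """Walk `root` and build one FileRecord per regular file.
    st_birthtime is the true creation time where Python exposes it; otherwise
    st_ctime is used, which is creation time on Windows but only the last
    metadata change on Linux, so treat it as a hint there."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path, follow_symlinks=False)
            except OSError:
                continue  # file vanished or is unreadable; skip rather than abort
            created = getattr(st, "st_birthtime", st.st_ctime)
            records.append(FileRecord(path, st.st_mtime, created))
    return records


def find_suspect(records, infection_time, window_seconds=3600):
    """Return records created or modified within +/- window_seconds of
    infection_time, closest to the infection time first."""
    lo, hi = infection_time - window_seconds, infection_time + window_seconds
    hits = [r for r in records if lo <= r.mtime <= hi or lo <= r.ctime <= hi]
    return sorted(hits, key=lambda r: min(abs(r.mtime - infection_time),
                                          abs(r.ctime - infection_time)))


if __name__ == "__main__":
    # Constructed demo: one file back-dated far before the "infection", one
    # touched right at it. Replace `root` with C:\Windows\System32 in practice.
    infection = time.time()
    with tempfile.TemporaryDirectory() as root:
        old = os.path.join(root, "old.dll")
        fresh = os.path.join(root, "dropped.exe")
        for p in (old, fresh):
            open(p, "w").close()
        os.utime(old, (infection - 86400 * 400, infection - 86400 * 400))
        for rec in find_suspect(collect_records(root), infection):
            print(time.ctime(rec.mtime), rec.path)
```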
As far as I know all antiviruses and firewalls can be easily tricked as long as the user has administrator’s rights.
Working as a restricted user will protect your computer better than any antivirus ever will.
Good article, informative, I’ll be sure to update avast on my linux distro Ubuntu too.
You do not need to uninstall QuickTime and Flash. You were most likely exploited by the vulnerability because you weren’t using the latest version of the software. I recommend using Secunia PSI – https://addons.mozilla.org/en-US/firefox/addon/3456 . It scans all the programs currently installed on your computer, checks them for security vulnerabilities and prompts you to update the listed software exposed to the vulnerability, and the best thing about it is it’s free! I also recommend you use a Firefox Add-on called WOT; you can use this in conjunction with NoScript to check if the page you’re visiting is really safe, then allow the script under NoScript. You can get the Firefox Add-on here – https://addons.mozilla.org/en-US/firefox/addon/3456
xxx is right, this will have just been a maximised browser, made to look like a desktop. It’s incredibly common and is just an attempt to get you to install some software (which really is probably a virus). I’m not saying it’s safe to turn off virus scanners but what the writer is describing would not have been a virus caused by visiting a web page.
“How do you know? if it was a buffer overflow exploit couldn’t it also have done unpleasant things at the OS level (modifying the registry, files etc)?”
No. Not through a browser. The most you could hope to achieve with a buffer overflow exploit is a denial of service (crash the browser), certainly not trigger a system virus scan, a screen saver or a BSOD.
What was the reason for the web change to Creative Commons? I want to know why. I could get a virus on my computer. I don’t need those problems. Send me an answer.