Ours were dropped via the TDL4 rootkit, which bypasses pretty much everything - see here - http://www.edugeek.net/forums/securi...4-rootkit.html
They were definitely the same viruses; one had 14 others as well as the fake AV-type one, but they were at different stages of infection. One was reported immediately and the other had several days of runtime on a home network.
Edit - and one was definitely infected prior to the 27th, as reported by the BBC.
Last edited by CHR1S; 3rd March 2011 at 02:08 PM.
I think the problem is there are multiple attack vectors going on, whether Java, PDF, TDSS, Zeus etc.
We've had two instances of 'Internet Defender' today - a pain to remove, but Malwarebytes seems to do the trick.
The blocking of Internet ads was discussed at the conference. On one hand, it can have a damaging effect on a site if school tech staff all block ads: EduGeek would get no money as all the ads would be blocked. On the other hand, the consumer gains benefit from blocking ads by closing another attack vector and removing distractions on the page (let's be honest, what is one good reason from the consumer's perspective to show adverts? Some TV ad-breaks already take the mick with their frequency and length).
Ultimately, it's down to a website to ensure its ads are not compromised, don't get in the way and are of good enough design not to distract the user whilst being visible. Hence why pop-ups fell out of favour for legitimate adverts. Likewise, any site that has ads which make sudden unwanted noises gets swiftly vacated. The serving of malware also hurts a site in Google rankings and can lead to blacklisting, so it is certainly in the site administrator's interest to secure their ad distribution.
I thought about using AdBlock or similar yesterday but realised management of it would be an absolute pain. Frankly, websites' revenue streams come second to user and network security. It shouldn't happen in the first place of course, but writing it off because of the fear of blocking a few penny-hits of a banner ad is just daft. Maybe a little fine tuning - i.e. not hitting static ads but blocking Java- and Flash-based ones.
We've had at least 7 infections (personal computers and 2 on-site computers) in the last week. All have come through a Java exploit (.jar files stored in the temp files) and deployed the System Tool 2011 fake agent. A full scan using Malwarebytes has cleared them all (except for one which had its boot-up corrupted). All have mentioned Hotmail. I know several sites are affected by this, but we've taken action by blocking Hotmail as it's heavily used and we don't want any more infections until things calm down. Even though these ad servers have been reported to be cleared, it's still happening.
Yep, see this popping up all over the place. Currently cleaning my 4th and 5th infected laptops this week with Malwarebytes as I write this.
I've done 9 machines this week (we had two at work and I've done 7 at home - laptops of friends and family). PITA.
My Dad had this, probably from an out of date version of Java as everything else was fine. Had a member of SMT in a panic on the first Monday back with this on his home computer, didn't mind removing it for him (takes all of 5 seconds...)
As for school, so far we're OK *touch wood*. I've always blocked ads at the proxy level for our users, this being a contributing reason for that.
The code would appear to inject a "dropper" trojan: not dangerous itself but, rather like Conficker was rumoured to be, just a gateway for other nasties to enter the system. Hence why there appear to be many different types of the same infection: once the dropper is there, more nasties can work their way in, such as the aforementioned rootkits. Had one yesterday that stopped anything remotely useful being run. My old man's work PC actually rebooted into a "fake safe mode" after it looked like a proper MBR-based infection found its way in off the back of this dropper. Needless to say, I didn't waste time in suggesting the use of a liveCD to back up, then kill off the HDD!
These are the symptoms I had: programmes being intercepted before being able to run. From a novice in the world of viruses etc., I must say I was somewhat impressed by what this was doing, not taking away from the anger and frustration it causes. I guess it's probably quite easy to do, but I did tip the hat to the creators!!!