
Bill Gates Not the Patriot

The biggest military power in the world and they can't protect their systems from 2-bit attacks.



ABBOTTABAD (Rixstep) — Obama might feel proud to announce the demise of a terrorist sought by the US for ten years, but Bill Gates has to be holding his head in shame: his remarkable MS Windows operating system is getting whacked silly in drive-by attacks that sucker in people looking for more information on the day's events.

Rumour has it these new malware attacks on Windows require the user to be 'Windows stupid' - to gleefully agree to download codecs to see exclusive information. Not the case at all. Sean Collins of CoreITPro in Philadelphia saw one of his Windows boxen get hit before his eyes.

Collins was on the box at the time, a Windows box he needs for one of his clients who won't listen to reason. He visited Mashable to follow up a link, then the Twitter feed of @ReallyVirtual, and from there he scooted over to the website of ReallyVirtual's Sohaib Athar - and BOOM! the machine got hit.



As if Athar hadn't warned about this earlier.



The payload was the TDSS rootkit and it required no user interaction. The Windows box also had Microsoft's own antivirus protection.



Collins wasn't happy with himself either - he knows better.

'I'm just fucking pissed how complacent I got working on a Windows machine. I actually logged in to my bank a few times, as well as shelling into my servers through Putty.'

'AND THE WORST PART IS I BROUGHT MY MAC LAPTOP PRACTICALLY EVERY DAY. WHY OH WHY?'


Collins says he noticed something funky at Athar's site but it didn't register at the time.

'I distinctly remember a 1x1 pixel in the top left hand corner of the site that took a crapton of time to load - before the actual content of the site loaded. That's where the exploit was delivered.'



The system was Windows XP, which shouldn't be allowed online anyway, but millions upon millions are still using it. Here's what Malwarebytes said.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6492

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/2/2011 12:32:21 PM
mbam-log-2011-05-02 (12-32-21).txt

Scan type: Quick scan
Objects scanned: 201017
Time elapsed: 9 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
c:\documents and settings\User\start menu\Programs\windows recovery (Trojan.FakeAV) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\User\Desktop\windows recovery.lnk (Trojan.FakeAV) -> Quarantined and deleted successfully.
c:\documents and settings\User\start menu\Programs\windows recovery\uninstall windows recovery.lnk (Trojan.FakeAV) -> Quarantined and deleted successfully.
c:\documents and settings\User\start menu\Programs\windows recovery\windows recovery.lnk (Trojan.FakeAV) -> Quarantined and deleted successfully.
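As an added example (not from the article and not Malwarebytes' code), here is a parser for the Malwarebytes 1.x log format shown above. It turns each detection line into a record, cross-checks the items listed in each section against the summary counts, and pulls out the registry policy values the fake AV set. The embedded log is a trimmed copy of the one above; the format rules are inferred from that single log, which is an assumption.

```python
"""Parse a Malwarebytes Anti-Malware 1.x scan log into structured detections and
cross-check them against the summary counts. Added example; the format rules are
inferred from the log quoted in the article (assumption)."""
import re

# "Files Infected: 3" (summary line) or "Files Infected:" (section header)
_SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+Infected):\s*(?P<count>\d+)?$")
# "<target> (<threat>) [-> Bad: (x) Good: (y)] -> <action>."
_ITEM_RE = re.compile(
    r"^(?P<target>.+?) \((?P<threat>[^()]+)\)"
    r"(?: -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\))?"
    r" -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return (summary counts by section, list of detection records by section)."""
    summary, detections, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _SECTION_RE.match(line)
        if m:
            if m.group("count") is not None:      # summary block
                summary[m.group("name")] = int(m.group("count"))
                section = None
            else:                                 # detail section header
                section = m.group("name")
                detections.setdefault(section, [])
            continue
        if section is None or line == "(No malicious items detected)":
            continue
        m = _ITEM_RE.match(line)
        if not m:
            raise ValueError("unrecognised detection line: " + line)
        detections[section].append({
            "target": m.group("target"), "threat": m.group("threat"),
            "bad": m.group("bad"), "good": m.group("good"),
            "action": m.group("action")})
    return summary, detections


def count_mismatches(summary, detections):
    """Sections whose summary count differs from the number of items listed."""
    return {name: (declared, len(detections.get(name, [])))
            for name, declared in summary.items()
            if declared != len(detections.get(name, []))}


def policy_hijacks(detections):
    """Registry policy values the malware set (PUM.Hijack.*) as (value path, bad data)."""
    return [(d["target"], d["bad"])
            for d in detections.get("Registry Data Items Infected", [])
            if d["threat"].startswith("PUM.Hijack")]


def threats(detections):
    """Distinct threat names across all sections."""
    return sorted({d["threat"] for items in detections.values() for d in items})


# Trimmed copy of the log quoted in the article (scanner banner removed).
SAMPLE_LOG = r"""
Windows 5.1.2600 Service Pack 3
Scan type: Quick scan
Objects scanned: 201017

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
c:\documents and settings\User\start menu\Programs\windows recovery (Trojan.FakeAV) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\User\Desktop\windows recovery.lnk (Trojan.FakeAV) -> Quarantined and deleted successfully.
c:\documents and settings\User\start menu\Programs\windows recovery\uninstall windows recovery.lnk (Trojan.FakeAV) -> Quarantined and deleted successfully.
c:\documents and settings\User\start menu\Programs\windows recovery\windows recovery.lnk (Trojan.FakeAV) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    s, d = parse_mbam_log(SAMPLE_LOG)
    print("threats:", threats(d))
    print("policy hijacks:", policy_hijacks(d))
    print("count mismatches:", count_mismatches(s, d) or "none")
```

The three PUM.Hijack entries are how the fake AV locks the user out of Task Manager and the wallpaper; they are symptoms of the dropped scareware, not of the rootkit. A quick-scan log that lists only these items is not the same as a clean machine: a TDSS-specific cleaner such as Kaspersky's TDSSKiller and a look at the boot sector and loaded drivers should follow.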

The Really Virtual site runs on Apache and uses a lot of WordPress logic. Athar had complained earlier about being infected, so it's possible the attackers used WordPress flaws to plant the loader on his server. The slow-loading 1x1 pixel Collins noticed fits the usual drive-by pattern: a hidden element injected into the site's pages pulls in an exploit kit, which fingerprints the browser and its plugins and fires an exploit at whatever is unpatched, with no download prompt and nothing for the user to click. Note too what the Malwarebytes quick scan above actually lists: the fake AV's 'Windows Recovery' shortcuts and the registry policy values it sets to disable Task Manager and lock the wallpaper. No rootkit driver appears in that log, so it documents the fake-AV component of the payload rather than a cleaned machine. None of that changes how the malware was able to infect a Windows machine with no user interaction.
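One way to look for that injected 1x1 element on a compromised site, as an added example that is not part of the article and not the code of any tool named here: a Python scanner that flags iframe/frame/object/embed tags which load from another host while being tiny or hidden. The sample pages and the .invalid hostnames are constructed; `reallyvirtual.example.invalid` stands in for the site's own host.

```python
"""Look for the hidden 1x1 loader pattern used for drive-by delivery on
compromised sites. Added example; sample pages and hostnames are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style dimensions, e.g. "width:1px;height:0px"
_DIM_RE = re.compile(r"(?<![\w-])(width|height)\s*:\s*(\d+)\s*(?:px)?", re.I)
# Tricks that keep an element out of sight
_HIDDEN_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}", re.I)
# Tags that load and run remote content
_LOADER_TAGS = ("iframe", "frame", "object", "embed")


def _dimensions(attrs):
    """Pixel width/height from attributes; inline style wins if present."""
    dims = {}
    for key in ("width", "height"):
        value = attrs.get(key, "").strip().lower().rstrip("px").strip()
        if value.isdigit():
            dims[key] = int(value)
    for key, value in _DIM_RE.findall(attrs.get("style", "")):
        dims[key.lower()] = int(value)
    return dims


def _is_tiny(attrs):
    """True when every stated dimension is 0 or 1 pixel."""
    dims = _dimensions(attrs)
    return bool(dims) and all(v <= 1 for v in dims.values())


def _is_hidden(attrs):
    return "hidden" in attrs or bool(_HIDDEN_RE.search(attrs.get("style", "")))


def _is_offsite(src, site_host):
    """True when src points at a host outside the site and its subdomains."""
    host = urlparse(src).hostname
    if host is None:                     # relative URL: same site
        return False
    host = host.lower()
    return host != site_host and not host.endswith("." + site_host)


class HiddenLoaderFinder(HTMLParser):
    """Collect loader tags that fetch off-site content while tiny or hidden."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in _LOADER_TAGS:
            return
        a = {k: (v or "") for k, v in attrs}        # bare attributes become ""
        src = a.get("src") or a.get("data")
        if not src or not _is_offsite(src, self.site_host):
            return
        reasons = [name for name, check in (("tiny", _is_tiny), ("hidden", _is_hidden))
                   if check(a)]
        if reasons:
            self.findings.append({"line": self.getpos()[0], "tag": tag,
                                  "src": src, "reasons": reasons})


def scan_page(html, site_host):
    """Return the suspicious loader tags in one page's HTML."""
    finder = HiddenLoaderFinder(site_host)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample pages: .invalid hostnames are placeholders, not real sites.
CLEAN_PAGE = """<html><body>
<h1>Reporting from Abbottabad</h1>
<iframe src="https://video.example.invalid/embed/1" width="560" height="315"></iframe>
<script src="/wp-includes/js/jquery/jquery.js"></script>
</body></html>"""

INFECTED_PAGE = """<html><body>
<iframe src="http://loader.example.invalid/in.php" width="1" height="1"
        style="visibility:hidden;position:absolute;left:-5000px"></iframe>
<h1>Reporting from Abbottabad</h1>
<iframe src="https://video.example.invalid/embed/1" width="560" height="315"></iframe>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE)):
        print(name, scan_page(page, "reallyvirtual.example.invalid"))
```

Run it over pages fetched the way a browser would fetch them (a real User-Agent and a search-engine Referer), because injected loaders are often served only to such visitors, and run it over the theme's header.php and footer.php and the post content in the database as well, since the injection usually lives in the PHP or the stored posts rather than in static HTML.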

Security Week was hinting that some sort of social engineering was necessary to make the attack work; evidently this is not the case, at least not with all Windows boxen.

'In this situation, when users click on a link to a malicious site and reach the infected Web page, they are prompted to accept the download of a file, such as a codec to watch a video, and the malware will be installed on the computers.'

And don't forget they're talking rootkit here, folks - the kind of malware that's supposed to need administrative privilege and a fight through every layer of protection before it can reach the most protected regions of the system's compound. But not on Windows XP: the everyday account is usually an administrator and there is no UAC, so whatever the browser exploit drops already has the rights to install a kernel driver. Just walk through the front door with no questions asked.

Slashdot picked up the story almost immediately.

I swear I read this same article every time: '[Insert world event here] being used to spread malware'
 - AC-x

That didn't take long at all!
 - motang


Leave it to Bill Gates to sour this day of jubilation in the US. Barack Obama might be the man of the hour but Bill Gates makes one crappy patriot - he hasn't been able to stop computer terrorism against his Windows in sixteen long years.

What I should have done long ago. Win7 in a VM. http://t.co/LUeDF1M
 - Sean Collins

See Also
CoreITPro Website
Sean Collins (sc68cal) on Twitter
Sean Collins: Trojan.FakeAV.ReallyVirtual in ZIP format
MEGAUPLOAD: Trojan.FakeAV.ReallyVirtual in 7zip format

Copyright © Rixstep. All rights reserved.