Surfing and encountering malicious software

A couple of days ago I was researching for the “You full of Crap?” posting and came across some malicious software on one of the websites that I visited. Every time I come across something like that I get flashbacks to different attacks that I experienced in the early days of the net – say, a little more than ten years ago.

Dang, those attacks were full of popup storms where the act of closing a window popped up a dozen more. And every time, the content was more than triple-x.

I have to say that I’ve been lucky to not have to deal with losing control of a computer for quite some time now.

Fortunately, the other day I was able to kill Internet Explorer before doing anything foolish. In other words, as soon as I detected something unusual, I switched to Task Manager and terminated Internet Explorer, then ran a virus check using the software that I’ve got installed for just such occasions.

The scan didn’t turn up anything wrong.

It was at that point that I took a second visit to that site just so I could gather the following information:

  • A screenshot (or two), and
  • The address shown in IE’s address bar

The screenshots follow:

Notice that I caught this software part way through a fake scan: a progress bar running from 0 to 100%, at 96%. Just after it hits 100%, it pops up a dialog offering to remove the “malicious software” it claims to have found. That dialog is shown in the second image.

[Screenshot 1: the fake scan, progress bar at 96%]
[Screenshot 2: the fake “remove malicious software” dialog]

Things to note:

Take a good close-up look at the first screenshot. Everything in it is drawn inside IE’s (Internet Explorer’s) page area – it is NOT a Windows dialog, even though it is designed to look like one. The people behind this malicious software want you to think that Windows has detected an issue and is trying to warn you; in reality it is just a web page pretending to be the operating system.

Aero is missing. One of the display features introduced with Windows Vista is Aero’s translucent window title bar. A genuine dialog on this machine looks like this:

[Screenshot: a genuine Windows Vista dialog with the translucent Aero title bar]

Notice that you can partly see through the title bar of the genuine dialog, showing what’s underneath. Now look back at the fake dialog: you can’t see through its title bar, AND it uses the old Windows Classic style. You can compare the two in the first screenshot by looking at the top right-hand corner: the real minimize, restore and close buttons on IE’s own window are different from the ones painted on the fake dialog. The fake is a picture of a dialog, not a dialog, and it doesn’t adopt whatever theme the machine is actually running. If things don’t look right, they aren’t.

Also notice that they cleared out the content of the website. Why? Because you’re not on the website you thought you were on. Look at the name in the browser’s address bar. I copied it so you can see the entire address:

http://www1.firesavez7.com/?p=p52dcWpkbmqHjsbIo216h3de0KCfYWCcU9LXoKitaVzHysd2lJOCeXBarK3NapqXYWRha2VrlGXIVqPajtfZ1m5do3OL1cytnpl2Wp6dpJ6eU9rPlqdqWpuooWOYXmKZYpGak19oaGeL08ifb1qtp3VlanCUYJucaWNmWqarlmqTYmeZYJqam2RwWJnInriMWKuimHVscXE%3D

I went looking for www1.firesavez7.com and couldn’t find anything useful. But this definitely is not the website that I wanted to visit.
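The address-bar check above can be done programmatically. The following is an added example (not code from the original post): a small Node.js script that, given the host you meant to visit and the URL you actually landed on, reports whether the host differs, whether the landing host is a lookalike that merely contains the expected name (a case the post does not mention), and which query parameters are long opaque blobs like the `p=` value in the captured URL. The expected host `www.mybank.example`, the 64-character threshold and the two-label “registrable domain” rule are simplifying assumptions.

```javascript
// Added example (not the original post's code): a programmatic version of the
// "look at the address bar" check. The expected host, the length threshold and
// the two-label "registrable domain" rule are simplifying assumptions.

// The URL copied from the browser's address bar in the post above.
const CAPTURED_URL =
  "http://www1.firesavez7.com/?p=p52dcWpkbmqHjsbIo216h3de0KCfYWCcU9LXoKitaVzHysd2lJOCeXBarK3NapqXYWRha2VrlGXIVqPajtfZ1m5do3OL1cytnpl2Wp6dpJ6eU9rPlqdqWpuooWOYXmKZYpGak19oaGeL08ifb1qtp3VlanCUYJucaWNmWqarlmqTYmeZYJqam2RwWJnInriMWKuimHVscXE%3D";

const OPAQUE_MIN_LENGTH = 64;                   // assumption: shorter values are routine
const OPAQUE_SHAPE = /^[A-Za-z0-9+/_-]+={0,2}$/; // base64 / base64url alphabet with padding

// Last two DNS labels, e.g. "www1.firesavez7.com" -> "firesavez7.com".
// Assumption: no public-suffix list, so "example.co.uk" would be handled wrongly.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".").filter(Boolean);
  return labels.slice(-2).join(".");
}

// A long value drawn only from the base64 alphabet is an opaque blob, not a
// human-readable parameter. Note: URLSearchParams turns "+" into a space, so
// standard base64 containing "+" would have to be checked on the raw query.
function isOpaqueBlob(value) {
  return value.length >= OPAQUE_MIN_LENGTH && OPAQUE_SHAPE.test(value);
}

function checkLanding(expectedHost, landingUrl) {
  const url = new URL(landingUrl);
  const host = url.hostname.toLowerCase();
  const expected = registrableDomain(expectedHost);
  const actual = registrableDomain(host);

  const hostMismatch = actual !== expected;
  // "www.mybank.example.evil.test" contains the expected name but is not under it.
  const lookalike = hostMismatch && host.includes(expected + ".");

  // URLSearchParams has already decoded the trailing %3D back to "=".
  const opaqueParams = [];
  for (const [name, value] of url.searchParams) {
    if (isOpaqueBlob(value)) opaqueParams.push(name);
  }

  return {
    host,
    hostMismatch,
    lookalike,
    opaqueParams,
    suspicious: hostMismatch || opaqueParams.length > 0,
  };
}

// Stand-alone demo: the intended host is a made-up placeholder.
console.log(JSON.stringify(checkLanding("www.mybank.example", CAPTURED_URL), null, 2));
```

Run it with `node` and it flags the captured address on both counts: the host is `www1.firesavez7.com`, not the site you meant to be on, and the single `p` parameter is a 200-plus character base64-shaped token, which is typical of the redirect chains that feed these pages.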

Now here is where it gets tricky. When you click on a web page, the browser runs whatever the page has attached to the thing you clicked. These dialogs are itching for you to click on them, and it does not matter which button: “Remove all”, “Cancel” and even the little “x” painted on the fake title bar are all part of the page, so every one of them can start whatever download or redirect the authors want. Don’t you just want to click on the “Remove all” button?

  • Don’t.
  • Resist.

If you do anything, click on the ‘x’ on IE’s own tab, which is part of the browser and not of the page. This little area:

[Screenshot: the close ‘x’ on the Internet Explorer tab]

When you click here, Internet Explorer will shut the page down. But the page complains with a frightening warning – which I did not capture. That warning is the browser’s own “are you sure you want to leave this page?” prompt, which a page can request but cannot fake or override. So although the page provides the scary wording, the dialog itself is a legitimate one (look at how it looks), and you can safely instruct it to close the page.

At this point your heart might be beating fast, but you didn’t empower the malicious software to install anything!

I guess the reason for this post is to let you know that you can get out of some situations relatively unscathed.

Remember, if in doubt, bring up Task Manager (right-click the taskbar and select Start Task Manager) and end the browser’s process – on the Processes tab that is iexplore.exe, not explorer.exe, which is the Windows desktop itself. Afterwards, run your favorite virus scan for peace of mind.

If you want to search for more information on this using Google, search for “Security Threat Analysis virus”. Microsoft has a write-up on it as well.
