New Twist in Security 2010 Outbreak

Lately, we’ve been seeing a great deal of the Security 2010 malware, the subject of an earlier post. It comes in a number of different flavors but is, so far, removable without major disruption in most cases. It continues to surprise, though, with its clever little wrinkles.

We recently encountered two separate cases of Security 2010 that had, apparently, been successfully removed. Yet the users continued to experience frequent browser redirects and tainted search results. Exhaustive examinations of each machine revealed no suspicious executables. But in monitoring the IP traffic, we could see the computers consistently connecting to an address in Eastern Europe immediately before each redirect. How this was happening was a mystery. On a hunch I checked some settings and solved it. The solution actually turned out to be simple: the malware had reset the primary and secondary DNS server values to the aforementioned Eastern European address.

DNS stands for Domain Name Server, and Domain Name Servers are the giant databases that resolve the familiar domain names (e.g. www.yahoo.com) into IP addresses (e.g. 69.147.125.65), which actually define addresses in cyberspace, and which the many routers that make up the Internet actually understand. Each time you type a web address into your browser or click on a link, your computer must contact a Domain Name Server to turn that collection of words into an IP address. And each time my customers’ computers attempted to connect to a requested address, they would contact the rogue Domain Name Server, which would then falsely resolve the domain name to another, unrelated site. Presumably, the owners of the redirecting website were paying the rogue DNS operator for the redirects. In a way you have to admire their entrepreneurial spirit.

In this case, simply setting the DNS values to default (Obtain DNS address automatically) solved the problem. This setting, the most commonly used, allows your router or Internet Service Provider to connect you to a default DNS.
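As an added illustration (not code from the original post), a small check a technician could run over saved `ipconfig /all` output to spot resolvers that are neither the ones expected from the router or ISP nor on a local network. The expected resolver list and the ipconfig excerpt are constructed, and the 203.0.113.x addresses are documentation-range placeholders, not the rogue address from the post.

```python
import ipaddress
import re

# Resolvers this PC should use once DNS is back on "Obtain DNS server address
# automatically": the router and the ISP's resolver (constructed values).
EXPECTED_RESOLVERS = {"192.168.1.1", "198.51.100.53"}

# Constructed "ipconfig /all" excerpt from an affected PC; 203.0.113.x are
# documentation-range placeholders for the rogue resolver, not the real one.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   DNS Servers . . . . . . . . . . . : 203.0.113.7
                                       203.0.113.8
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Ranges that legitimately host a home/office resolver (RFC 1918, loopback,
# link-local, ULA). Anything else not on the expected list is suspect.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10")]
# ipconfig prints "Key . . . : value" rows; extra DNS servers follow on rows that carry only an address.
KEY_LINE = re.compile(r"^\s+(?P<key>[A-Za-z][^:]*?)[ .]*\.[ .]*:\s*(?P<value>.*)$")
IP_ONLY = re.compile(r"^\s+(?P<value>[0-9A-Fa-f.:%]+)\s*$")

def parse_dns_servers(ipconfig_text):
    """Return every DNS server listed, across all adapters, in order."""
    servers, in_dns = [], False
    for line in ipconfig_text.splitlines():
        m = KEY_LINE.match(line)
        if m:  # new row: only "DNS Servers" rows (and their continuations) count
            in_dns = m.group("key").strip().startswith("DNS Servers")
            value = m.group("value").strip()
        else:
            m = IP_ONLY.match(line)
            in_dns = in_dns and m is not None
            value = m.group("value") if m else ""
        if in_dns and value:
            servers.append(value)
    return servers

def audit_resolvers(servers, expected=EXPECTED_RESOLVERS):
    """Label each resolver 'expected', 'local', or 'SUSPECT' (non-local, unexpected)."""
    def label(s):
        if s in expected:
            return "expected"
        addr = ipaddress.ip_address(s.split("%")[0])  # drop any IPv6 zone id
        return "local" if any(addr in net for net in LOCAL_NETS) else "SUSPECT"
    return {s: label(s) for s in servers}
```

A SUSPECT verdict on a machine whose adapter should be getting DNS from DHCP is exactly the symptom described above; the fix remains switching the adapter back to "Obtain DNS server address automatically".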

A Matter of Personal Responsibility

A few days ago I received a phone call from a young man who said that his Mac laptop was damaged and could I possibly fix it. I said, yes, probably, but needed to know a bit more about the problem before committing.

It turns out that he had carelessly dropped the laptop from a height, severely damaging the case. He said it ran, sort of, but clearly had some problems. He wanted me to replace the parts bearing obvious damage so that he could take it back to Apple and, claiming ignorance, have it fixed under warranty.

Now I’m no saint, but I know a bright ethical line when I see one. This was no more a warranty issue than if the young man had worked over his laptop with a ballpeen hammer. I was genuinely offended that he had tried to recruit me into what was, in effect, a scam. I paused a beat and then said something like: “I am not going to be a part of that deception. You were careless with your laptop and broke it, and it’s your responsibility to fix it.” The young man seemed shocked that a business would turn down the chance to make a buck. I was shocked that he was shocked. Is that what our society has come to?

I have no great love for Apple. I think their products are overpriced and overrated, and I think Steve Jobs is a dictatorial prick who would take out his grandmother if she somehow threatened share price. And don’t even get me started about the uber-irritating, cooler-than-thou Apple mythos. But none of that matters a bit because fair is fair. Period.

Major Malware Outbreak

Over the last few weeks, we have seen a major outbreak of a type of malware known commonly as Security 2010. In our experience, the speed of this outbreak’s spread and its tremendous reach are unprecedented. For maximum impact, the authors of this pestware have been releasing updated versions every few days to stay ahead of the common signature-database-driven anti-malware programs.

This is the work of highly skilled, well-funded actors. The authors of Security 2010 have managed to infiltrate large numbers of legitimate, heavily visited websites with their infectious mother-ship software. Simply visiting a compromised website is often enough to deliver the malware. In other cases the user will receive an official-looking message stating that spyware has been detected, and that the user should download software to remove it. Following the attached link delivers the malware to the unsuspecting user.

Infected machines will display a legitimate-looking program that runs on startup bearing the name Security 2010, Antivirus Pro 2010, or any of a number of variations on this theme. The program appears to be scanning for, and finding, malware. The software also displays a rotating menu of scary messages about dangerous malware supposedly found lurking on the system. The whole display is completely bogus. The software also displays a message that the user has an unregistered version installed, and offers a link to register the software, for a hefty fee of course. However, paying these extortionists will NOT make the problem go away. It is all simply a scam intended to separate the user from his or her money. Unfortunately, lots of people have taken the bait and handed over their credit card numbers to these criminals.

Security 2010 thoroughly monopolizes the user’s computer, rendering it essentially useless. The software also employs a number of defensive strategies to defeat removal, including deactivating firewalls, turning off anti-malware software, and disabling standard system-management tools such as the task manager and, more rarely, regedit. It may also disrupt the .exe file association, making it difficult to run executable files.
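As an added illustration (not code from the original post), a check for the removal-resistance settings just described, run over a registry export such as `regedit /e` produces, so it can be examined from a clean machine. The export below is constructed, and EXAMPLE_DROPPER.exe is a placeholder name, not a file from the post.

```python
import re

# Constructed .reg export (as "regedit /e" would produce) from an infected PC.
# EXAMPLE_DROPPER.exe is a placeholder name, not a real file from the post.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\EXAMPLE_DROPPER.exe\" \"%1\" %*"
"""

POLICIES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
EXEFILE_CMD = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
CLEAN_EXEFILE_CMD = '"%1" %*'  # Windows default: run the .exe itself with its arguments
TOOL = {"DisableTaskMgr": "Task Manager", "DisableRegistryTools": "regedit"}

# A value row is "name"=data or @=data (the key's default value).
VALUE_LINE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')

def parse_reg(text):
    """Return {(key, value_name): data} for the dword and string values in a .reg export."""
    values, key = {}, None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None:
            continue
        name = "" if m.group("default") else m.group("name")
        data = m.group("data")
        if data.startswith("dword:"):
            values[(key, name)] = int(data[6:], 16)
        elif data.startswith('"') and data.endswith('"'):
            values[(key, name)] = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \" and \\
    return values

def find_tampering(values):
    """List the removal-resistance settings the post describes, if present."""
    findings = []
    for name, tool in TOOL.items():
        if values.get((POLICIES, name), 0) == 1:
            findings.append(f"{name}=1: {tool} is blocked for this user")
    cmd = values.get((EXEFILE_CMD, ""))
    if cmd is not None and cmd != CLEAN_EXEFILE_CMD:
        findings.append(f".exe association hijacked: {cmd!r} (expected {CLEAN_EXEFILE_CMD!r})")
    return findings
```

Restoring the .exe association to the default command and clearing the two policy values is what gives the technician back the tools needed for the rest of the cleanup.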

Beyond rendering your computer unusable, Security 2010 does not appear to be actively malicious. But it opens security holes that leave the computer vulnerable to other malware infections. Left unattended, the problems could grow even worse. At Computer Medic, we have developed very effective methods for dealing with the Security 2010 software, and would be happy to assist you if you should become infected by it.