Nicholson Security | Security News, Book Reviews, and More

Antivirus 2009 and Search Strings to Get Infected

Antivirus 2009

Over the last few weeks a wave of Trojans has been spreading across the Internet. I have been hearing and reading a lot about the Antivirus 2009 Trojan that has been infecting users. If you're not current on what the Antivirus 2009 Trojan is, you can get a full description of it on the Trend Labs Malware Blog.

I had first heard personal accounts of the malware from a student. Users he supports had been infected with it and since it was so new he had a hard time finding a tool to remove it. You can read his post here and here on how he was able to remove it.

At this time I think all the major Antivirus providers have pushed updates to detect and block this particular piece of malware. For details on the actual Trojan that is part of this malware you can get more info on the Trend Micro Virus Encyclopedia.

Search Strings to Get Infected

I also found a follow-up related to the Antivirus 2009 malware on how search results are causing people to get infected. This was done through SEO poisoning. I have been doing some research into SEO and started to think about how it is "theoretically" possible to manipulate search results. This shows what the worst-case scenario of doing that would be. You can get the full story here from the Trend Labs Malware Blog.

How many of us use search engines to find information? How many of us ever go past the first few pages of results? Imagine if someone was able to control what your "first few pages of results" were. You can see that this opens a whole can of worms.

I am curious to know if anyone else has been infected with the Antivirus 2009 malware? If so how did you get rid of it and did you have any experience with the poisoned search results?


There are 7 Comments to "Antivirus 2009 and Search Strings to Get Infected"

  • Paul Bauer says:

    Another thing this thing does, that I didn’t mention in my article, but was reminded of it when you talked about SEO poisoning is that it will corrupt your google search engine results, but only on the infected machine.

    For instance if you do a search for “Bauer-Power” in google you will get a number of sites matching that as you should, but when infected you get the same results except all of the links point to the same infected page (Something like http://axkduoijfkjolguj.com/a_bunch_of_nonsense)

    If you manually type in a web page you can browse just fine.

    Is that basically the same thing you were saying when talking about SEO poisoning?
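A defender-side check for the symptom Paul describes, added here as an example (it is not code from the post or from the commenter): parse a saved search results page and flag it when every result link collapses onto a single untrusted host. The sample HTML and the hostnames in it are constructed.

```python
# Added example: detect search results whose links all point at one host.
# Sample pages below are constructed; the hostnames are placeholders.
from html.parser import HTMLParser
from urllib.parse import urlparse
from collections import Counter

class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag on the page."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

def result_hosts(html):
    """Return the lower-cased hostnames of all absolute http(s) links."""
    parser = LinkCollector()
    parser.feed(html)
    hosts = []
    for href in parser.hrefs:
        u = urlparse(href)
        if u.scheme in ("http", "https") and u.hostname:
            hosts.append(u.hostname.lower())
    return hosts

def hijack_suspected(html, trusted_hosts, min_links=3):
    """Flag the page when, ignoring links back to trusted hosts (the search
    engine's own navigation), at least min_links links remain and all of
    them resolve to the same host. Returns (suspected, host_or_None)."""
    hosts = [h for h in result_hosts(html) if h not in trusted_hosts]
    if len(hosts) < min_links:
        return False, None
    host, count = Counter(hosts).most_common(1)[0]
    if count != len(hosts):
        return False, None
    return True, host

# Constructed samples: a hijacked page where three distinct-looking results
# all lead to one redirector, and a clean page with three different sites.
HIJACKED_PAGE = "".join(
    f'<a href="http://redirector.example/r?{i}">result {i}</a>' for i in range(3))
CLEAN_PAGE = "".join(
    f'<a href="http://site{i}.example/">result {i}</a>' for i in range(3))

if __name__ == "__main__":
    print(hijack_suspected(HIJACKED_PAGE, {"www.google.com"}))  # (True, 'redirector.example')
    print(hijack_suspected(CLEAN_PAGE, {"www.google.com"}))     # (False, None)
```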

  • T. Nicholson says:

    Thanks for the update. In the post I linked to more info on the search results you describe on the infected machine. Here is the link again http://blog.trendmicro.com/a-million-search-strings-to-get-infected/.

  • Paul Bauer says:

    Okay, that is a little bit different. The actual search string “changes on the river amazon” will take you to poisoned SEO. That is different than my example. These guys are pretty creative!

  • T. Nicholson says:

    You're right! This is getting crazy. It's started to make me think more about the search results I get now. Before I was worried about unethical marketing practices. Now I have to worry about malicious hackers. Almost makes you think the web is a dangerous place. :P

  • drzeus says:

    I got stuck with a couple of trojans via such a process. AVG removed the offender (or at least one of them – I have since found others) but then I couldn't log on to my pc so had to get that sorted too. My google browsing in Firefox was the cause. I only ever bother with the first few pages of search results unless I am really looking for something which is actually quite obscure but that needs very common key words. The results on the first page were quite obviously looking not as clean as they should (but weren't nonsense, just looked like they were being directed) but before I got to shut down and check, a popup virus alert (antivirusfreescan2009) came up, which I dumbly clicked the corner X on to kill (DOH!! It's not actually an X, stupid!) which was swiftly followed by all my firefox tabs disappearing and me being redirected to the site. This is only my second time with a trojan in 10 years.
    I killed firefox, checked the AVG and there was the flag but the pc was getting painfully slow (system constantly using 99-100% resources without applications running!) so I cold killed it.
    Since AVG had killed the offending thing … I was happy … until I tried to restart the next day and logon. After a reg fix all is now well. But what a pain.

  • Nancy says:

    I've removed about 25 cases of Antivirus 2008 and 2009. MOST of the time, system restore is available…which lets me get back to before the infection. I install Malwarebytes Anti-Malware from http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html after downloading the latest version and updates to another computer and then onto a flash drive. Once I get the cleanup done, I set a restore point and update all of Windows updates, onboard antivirus program updates and java updates. I have had 1 system have a recurrence but the 2nd time was a slightly different variant. There has been 1 case where the user clicked through all the process to install the virus completely – whereby system restore, task manager, windows explorer, safe mode, etc all were then disabled. That system required a format/reload.

  • Sarah says:

    I work in a school system with 650 computers. We have been hit hard with this virus, but Malwarebytes’ Anti Malware works wonders. (malwarebytes.org)
