Malware Gangs Run Ads To Hire New Coders 120
An anonymous reader writes "Think crime doesn't pay? Think again: an increasingly common sight on underground cybercrime forums are ads paid for by malware writers who are looking to hire talented new programmers. The most common ads are for 'crypters' designed to disguise known malware, and 'Web injects,' plug-ins made to run alongside crime kits like ZeuS and SpyEye. Salaries range from $2,000 to $5,000 monthly, health benefits not included."
Re:Vundo and friends (Score:5, Informative)
Doesn't delete the Start Menu shortcuts....it moves them into a hidden folder called smtemp in your user's Temp directory. They can be restored fairly easily if you haven't already blown away everything in that folder.
Some new variants are removing the registry key that shows the "Show Hidden Files and Folders" option from Folder Options. While re-importing the key is fairly trivial, you have to get rid of the malware first. Even better than that, they then associate any .exe file extensions with the Trojan Horse. If you remove the Trojan Horse, rundll32 asks what program you wish to launch program.exe with.
There is a really nice reg file that someone exported and threw on a website that addresses this issue and fixes the file association. Since reg files can be run without actually opening regedit, it will import if the file association is already jacked. This file is intended for XP, but will work with Vista and 7...it just throws an error that you can ignore.
http://www.dougknox.com/xp/fileassoc/xp_exe_fix.zip [dougknox.com]
Fun and games. If you stop/remove the Trojan, run the command below from a command prompt with admin privs (for Vista and 7 users...XP runs the command as admin as long as you are a user with admin privs). If the malware is still running, you may still have some time to get some of your stuff moved off if you're worried about losing it or just want to restore the box.
attrib -h /S /D C:\*.*
The malware is cleanable and the OS is repairable, believe me....but it takes a lot of work and time to understand what the malware has already done and what changes need to be reversed.
Hope this helps someone!
Re:Honeypot? (Score:5, Informative)
It's not (yet) illegal to write any kind of software you like, no matter what its purpose. What's illegal is how it's used and/or distributed.
If ever it became illegal to write software which exploits security vulnerabilities in software, there would be a whole community of white-hat researchers who'd be out of a job overnight.
Re:Vundo and friends (Score:4, Informative)
Fist off, it's foolish and counterproductive to try to remove malware by using the OS that's infected. Boot to a live CD (like BartPE so you can mount the registry) and at the very least disable it from startup. From there feel free to boot to the OS and repair the damage.
The start menu is indeed moved to the user's Temp folder. In detail:
smtemp\1 is the public start menu
smtemp\2 is the user's start menu
smtemp\3 is the public desktop (I think, I've only seen this folder once)
smtemp\4 is the user's desktop
It also disables the listing of recently used programs in the start menu and un-pins everything. It's easy to turn that back on.
The following is a terrible idea:
attrib -h
as it will unhide everything on the computer.
It's quite easy to instead just select all the profiles under \Users\, go to properties, uncheck hidden, and apply to all sub objects. Afterwards, go into each profile and rehide only the top folder of AppData and all of the files in the root of the profile (things like ntuser.dat). In XP there are a number of other folders under the profile that are hidden by default. Reference a known good computer to see which ones.
It may also set some group policies to disable the desktop, the task manager, and disable changing the wallpaper. Delete these.
The particular malware that does this does not alter
Another spot to look out for is IFEO debugger entries. Look under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Inside you will find keys of image names (like iexplore.exe). Under each key you may see a string value called Debugger. It's data will be set to the path of the malware that's infected the computer. If such a key exists, the 'debugger' will be launched whenever you try to execute the specified image.
That about sums it up for all of the 'modern' 'viruses'. Quite pathetic. The only reason these things work is because people are tricked into letting them through UAC. The new Mac infections function nearly identically. They require that the user enter their root password for them to install, and all they do is put themselves in the Mac's startup locations, so they're even easier to remove.