We have just had our second outbreak of a variant of the Windows XP home security malware (Malwarebytes called it Trojan.FakeAlert). It manages to kill our antivirus (NOD32), and then kills attempts to start the Task Manager or to install Malwarebytes. I have managed to clean it off by logging in as an admin, removing the file remotely before it starts up and getting Malwarebytes to scan and remove it. My question relates to prevention:
So my question is, how does FakeAlert work?! I can find nothing on the internet explaining in detail how it's getting in and executing; it seems to be embedded in web pages and then gets automatically downloaded and run?
We can clean it off with Malwarebytes (and are more than a little outraged that Windows doesn't prevent these things from installing control panels, interrupting Ctrl-Alt-Del/Ctrl-Alt-Esc, etc.), but we're reluctant to shell out for a Malwarebytes site license if there is a free way of blocking it. To do that we need to know how it works (and whether MBAM will keep us safe from this in future).
Some more details on our setup: our client machines are Windows XP boxes, connecting to a Windows Server 2003 AD domain.
Answer
What thing works? You didn't give details on the executable, where it was found, or what Malwarebytes called it. Are you in a managed environment with AD or a workgroup?
The only thing I could say from the information given is to institute a policy of blocking executables that aren't whitelisted. This can be done through AD or through add-on programs.
You can also invest in a program like Deep Freeze, which restores a computer back to its "clean" state on reboot. It takes oversight and administration to do this, though. That would limit infections only to a user's profile, if you're using a central server for storing the profiles.
Are you limiting access privileges from your users? Does running something like the system protection from Spybot Search and Destroy alert your users to changes from this malware?
Are you running any kind of proxy server that can scan and block executables from websites? What are your settings for safety set to on the web browser you're using? Are you using IE with the latest updates? Have you tried using an alternative web browser that may not have as much susceptibility? If you use a logging proxy you may even be able to tell where the executable is being downloaded from.
On top of that, if this is a business, what is your policy on browsing non-work related websites? Are you checking the history of browsing on users that become infected?
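As an added example (not from the original post or its answer), here is a small Python triage script for the logging-proxy suggestion above: it parses Squid-format access.log lines (the sample lines are constructed, not real traffic) and groups completed executable downloads by serving host, which is the lead to chase when asking where the installer is coming from.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log format; not real traffic.
SAMPLE_LOG = """\
1263511034.123    245 10.0.0.15 TCP_MISS/200 184320 GET http://cdn.example-news.test/site.css - DIRECT/203.0.113.5 text/css
1263511036.410   1290 10.0.0.15 TCP_MISS/200 412096 GET http://promo.example-ads.test/av/scan.php?id=77 - DIRECT/203.0.113.9 application/x-msdownload
1263511037.002    310 10.0.0.15 TCP_MISS/200 98304 GET http://promo.example-ads.test/av/Setup.exe - DIRECT/203.0.113.9 application/octet-stream
1263511040.777     80 10.0.0.22 TCP_HIT/200 5120 GET http://intranet.example.test/logo.png - NONE/- image/png
1263511041.100    150 10.0.0.22 TCP_MISS/404 404 GET http://promo.example-ads.test/av/patch.exe - DIRECT/203.0.113.9 text/html
"""

# Windows executable types a drive-by typically delivers, and the MIME types servers use for them.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".msi", ".dll")
EXECUTABLE_MIME_TYPES = {"application/x-msdownload", "application/x-msdos-program"}

# Squid native format: time elapsed client result/status bytes method url ident hier/from mime
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)/(?P<status>\d{3})"
    r"\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<mime>\S+)$"
)

def parse_line(line):
    """Fields of one access.log line as a dict, or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_executable_download(rec):
    """True when a completed GET (status 200) delivered a Windows executable, judged by
    URL extension or by server MIME type, so a dropper served from scan.php as
    application/x-msdownload is still caught; a 404 on patch.exe delivered nothing."""
    if rec["method"] != "GET" or rec["status"] != "200":
        return False
    path = urlsplit(rec["url"]).path.lower()
    return path.endswith(EXECUTABLE_EXTENSIONS) or rec["mime"].lower() in EXECUTABLE_MIME_TYPES

def find_executable_downloads(log_text):
    """All parsed records in log_text that delivered an executable."""
    recs = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [r for r in recs if r and is_executable_download(r)]

def downloads_by_host(log_text):
    """Executable downloads grouped by serving host: the lead to follow when asking
    where the thing is coming from. Values are (client, url) pairs."""
    by_host = defaultdict(list)
    for r in find_executable_downloads(log_text):
        by_host[urlsplit(r["url"]).hostname].append((r["client"], r["url"]))
    return dict(by_host)
```

Against a real proxy, feed it the file contents (for example `downloads_by_host(open("/var/log/squid/access.log").read())`) and match the client IPs against the machines that got infected.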