Why do malware pop up before install?

james

The other day, while surfing, I got a dialog

Application "a" wants to access the internet (not exact wording). Do you
want to
(1) allow
(2) block
(3) forgot what it was

Assuming it was from my firewall, I clicked on block and soon thereafter my
computer was infected with a rootkit that announces its presence.

It seems that many malware would pop up a misleading dialog (e.g. do you
want to install an anti-virus?) before installing itself.
Why not just install quietly?
 
David H. Lipman

From: "james" <nospam@nospam.com>

| The other day, while surfing, I got a dialog

| Application "a" wants to access the internet (not exact wording). Do you
| want to
| (1) allow
| (2) block
| (3) forgot what it was

| Assuming it was from my firewall, I clicked on block and soon thereafter my
| computer was infected with a rootkit that announces its presence.

| It seems that many malware would pop up a misleading dialog (e.g. do you
| want to install an anti-virus?) before installing itself.
| Why not just install quietly?

How do you know you were infected with a RootKit ?



--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
Lon

james wrote:
> The other day, while surfing, I got a dialog
>
> Application "a" wants to access the internet (not exact wording). Do you
> want to
> (1) allow
> (2) block
> (3) forgot what it was
>
> Assuming it was from my firewall, I clicked on block and soon thereafter my
> computer was infected with a rootkit that announces its presence.
>
> It seems that many malware would pop up a misleading dialog (e.g. do you
> want to install an anti-virus?) before installing itself.
> Why not just install quietly?
>
>

It is a really good idea to become very familiar with the exact look and
feel of your firewall type messages. That way, you don't click on
something put up by malware where the "block" button means "infect my
computer".
 
FromTheRafters

"james" <nospam@nospam.com> wrote in message
news:%23DxByIREJHA.4900@TK2MSFTNGP06.phx.gbl...
> The other day, while surfing, I got a dialog
>
> Application "a" wants to access the internet (not exact wording). Do
> you want to
> (1) allow
> (2) block
> (3) forgot what it was
>
> Assuming it was from my firewall, I clicked on block...


Well, *was* it from your firewall?

Never mind, even if it was from your firewall, running malware
could possibly draw its own version of the dialog over the top
of the firewall one and have all of its buttons function as "I give
my permission for this action", i.e. connect to the internet and
download the *rest* of the malware suite or the latest plugins.

> and soon thereafter my computer was infected with a rootkit that announces
> its presence.


Since the purpose of a "rootkit" these days is to *hide* from the
user, it doesn't make much sense to announce its own presence
unless it is a ruse to get you to okay yet another undesirable user
action. My guess is that nothing really bad has happened unless
and until the final "why *yes* please save me from this by installing
and executing this purported AV from who knows where" action
is consented to by that fatal last click.

> It seems that many malware would pop up a misleading dialog (e.g. do you
> want to install an anti-virus?) before installing itself.
> Why not just install quietly?


It requires user consent - in this case an uninformed or intentionally
misinformed consent.

Probably a variation on the XP antivirus 2008 (or is it 9) foistware.
 
kalyan

Hi

Check out this article

http://www.theregister.co.uk/2008/08/22/anatomy_of_a_hack/print.html

It might clear your doubt.



--
Warm Regards
Kalyan



"james" <nospam@nospam.com> wrote in message
news:%23DxByIREJHA.4900@TK2MSFTNGP06.phx.gbl...
> The other day, while surfing, I got a dialog
>
> Application "a" wants to access the internet (not exact wording). Do
> you want to
> (1) allow
> (2) block
> (3) forgot what it was
>
> Assuming it was from my firewall, I clicked on block and soon thereafter
> my computer was infected with a rootkit that announces its presence.
>
> It seems that many malware would pop up a misleading dialog (e.g. do you
> want to install an anti-virus?) before installing itself.
> Why not just install quietly?
>
 
james

>
> How do you know you were infected with a RootKit ?


(1) It was very difficult to defeat. E.g. it disables me from running online
virus scan, redirects my browser when I tried to download windows defender,
when boot up in safe mode, it is still there and prevents me from running a
virus scanner from a CD, crash when I try to edit hosts file, etc. It turns
out that the hosts file was not edited; it is redirecting browser from
online virus scanner some other way.

(2) when I used trendmicro to scan the drive offline, it reported
RTKT_STITCH.E, RTKT_STITCH.D, plus some TROJ_xxx.

(3) even after trendmicro removed 6 files associated with this malware, it
is still not completely gone. It would change my screen saver every time I
boot, to a screen saver with a fake vista style dialog saying virus found,
blah blah blah (as if a taunt).
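As an added illustration of the hosts-file check james describes above (a hosts file can be used to blackhole or redirect security-vendor sites, though in his case it turned out to be clean and the redirection happened elsewhere), here is a small parser that flags such entries. This is example code written for this page, not code from any poster in the thread; the watched-domain list and the sample hosts content are constructed for the example.

```python
"""Flag hosts-file entries that override security-vendor hostnames.

Added illustration for the thread above (not code from any poster). The
watched-domain list and the sample hosts content are constructed.
"""
from __future__ import annotations

import ipaddress

# Constructed watch list: domains a defender would not expect to see
# overridden on a healthy machine (assumption for this example).
WATCHED_DOMAINS = (
    "trendmicro.com",
    "microsoft.com",
    "malwarebytes.org",
    "gmer.net",
)


def parse_hosts(text: str) -> list[tuple[str, str, int]]:
    """Return (address, hostname, line_no) for every mapping in hosts text.

    Handles full-line and inline comments, tabs, and several names per line;
    lines whose first field is not an IP address are skipped as malformed.
    """
    entries: list[tuple[str, str, int]] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        address, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue
        for name in names:
            entries.append((address, name.lower(), line_no))
    return entries


def _is_watched(hostname: str) -> bool:
    """True if hostname is a watched domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def find_overrides(text: str) -> list[dict]:
    """Return watched-domain entries, classified as 'blackhole' or 'redirect'.

    A loopback or unspecified address (127.0.0.1, ::1, 0.0.0.0) makes the site
    unreachable; any other address silently sends the browser somewhere else.
    """
    findings = []
    for address, name, line_no in parse_hosts(text):
        if not _is_watched(name):
            continue
        ip = ipaddress.ip_address(address)
        kind = "blackhole" if (ip.is_loopback or ip.is_unspecified) else "redirect"
        findings.append({"line": line_no, "host": name, "address": address, "kind": kind})
    return findings


# Constructed sample hosts file: two benign entries, then three tampered ones.
SAMPLE_HOSTS = """\
# Constructed sample hosts file for the example
127.0.0.1       localhost
::1             localhost
# legitimate local entry
192.168.1.20    build.internal

127.0.0.1   housecall.trendmicro.com   # blackholes the online scanner
0.0.0.0     www.malwarebytes.org
203.0.113.7 download.microsoft.com update.microsoft.com  # TEST-NET redirect
"""

if __name__ == "__main__":
    for f in find_overrides(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['address']} ({f['kind']})")
```

A clean result from this check does not prove the machine is clean: as the post above shows, a browser can be redirected without touching the hosts file (DNS settings, a proxy, or a hooked network stack), so treat it as one cheap check among several rather than a verdict.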
 
james

> It is a really good idea to become very familiar with the exact look and
> feel of your firewall type messages. That way, you don't click on
> something put up by malware where the "block" button means "infect my
> computer".


It was the first time I saw a fake firewall message and I let my guard down
:(

It would be even better if real firewall message is done in a way that
cannot be faked in a browser. E.g. a balloon coming out of the tray icon.
 
~BD~

Hi James

Maybe you should try scanning with MBAM available here:- http://www.malwarebytes.org/

A new version launched ............. today!

Let us know if it helps.

Dave

--
"james" <nospam@nospam.com> wrote in message news:OQr6nedEJHA.4904@TK2MSFTNGP06.phx.gbl...
>> It is a really good idea to become very familiar with the exact look and feel of your firewall
>> type messages. That way, you don't click on something put up by malware where the "block" button
>> means "infect my computer".

>
> It was the first time I saw a fake firewall message and I let my guard down :(
>
> It would be even better if real firewall message is done in a way that cannot be faked in a
> browser. E.g. a balloon coming out of the tray icon.
>
>
>
 
David H. Lipman

From: "james" <nospam@nospam.com>


>> How do you know you were infected with a RootKit ?


| (1) It was very difficult to defeat. E.g. it disables me from running online
| virus scan, redirects my browser when I tried to download windows defender,
| when boot up in safe mode, it is still there and prevents me from running a
| virus scanner from a CD, crash when I try to edit hosts file, etc. It turns
| out that the hosts file was not edited; it is redirecting browser from
| online virus scanner some other way.


That does not mean it is a RootKit. All that indicates is that it has good self
preservation techniques.


| (2) when I used trendmicro to scan the drive offline, it reported
| RTKT_STITCH.E,
| RTKT_STITCH.D, plus some TROJ_xxx.


OK, that could mean RootKit activity.


| (3) even after trendmicro removed 6 files associated with this malware, it
| is still not completely gone. It would change my screen saver every time I
| boot, to a screen saver with a fake vista style dialog saying virus found,
| blah blah blah (as if a taunt).



I suggest you scan using Gmer. If you are rooted, it can be used to remove the RootKit.

http://www.gmer.net/index.php


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
David H. Lipman

Root Kit

On Mon, 8 Sep 2008 16:55:22 -0400, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

>From: "~BD~" <BoaterDave@nospam.invalid>
>
>| Hi James
>
>| Maybe you should try scanning with MBAM available here:- http://www.malwarebytes.org/
>
>| A new version launched ............. today!
>
>| Let us know if it helps.
>
>| Dave
>
>No.
>
>If he is truly rooted, he needs to use an anti RootKit utility such as Gmer *FIRST*.
>
>Then he can scan with normal anti-malware utilities.


If he is truly rooted the only sensible thing to do is flatten and
rebuild.
 