cryowizard ([personal profile] cryowizard) wrote 2009-09-15 07:45 pm
Entry tags: Viruses

I had a fascinating battle with a piece of malware crap on one of my friend's PCs.

Malware is called Windows Police Pro. It's fucking awesome. He says he installed an ActiveX control from someplace (yeah, I know). Then the fun started -- it presented him with a fake BSOD and said that shit is about to go down if he immediately doesn't get an awesome program called Windows Police Pro. He did (yeah, I know). Once that crap was in, the comp basically can't run anything, it keeps running a window that shows a "virus scan" and it finding all the "viruses". And it tries to force you to buy (!) that program (apparently, there actually is a program called WinPolicePro, and this is a rogue version of that). The cool part is that you can "stop" and "start" the "virus scans", and even click the "update virus definitions" button which simulates progress bars of "downloading" something. It also shows a fake Windows Firewall warning (all legit-looking) with a terrible, terrible scary warning about them bad viruses on the machine.

It's an awesome piece of rookie computer user psych. I loved it. It pretends to be an antivirus, and very effectively at that (for dummies of course, a professional would see this garbage for what it is in a second).

It took me 3.5 hours to figure that shit out (with a meal intermission). Kinda hard to do with one non-working comp. Dank Wel to [livejournal.com profile] lkoyfman for late-night registry lookups. Eventually I figured it out -- they had a pattern in the binary they use for hijacking, and I was able to nail them. They set themselves up as a system-wide executable launcher (whenever you click something in Explorer), and I found where the registry point of entry was. From there it was as simple as giving LK a call to find out what the proper entry point keys were, and then we killed it.
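The "system-wide executable launcher" the post describes is, on a standard Windows install, the registry key that tells the shell how to open a file of type exefile; rogue antivirus families of this era commonly pointed it at themselves so that every double-click in Explorer ran the fake scanner first. The post does not name the key, so the check below is my own added example, not the author's or LK's lookup: it assumes the hijack point is the stock `exefile\shell\open\command` location and that a clean value is exactly `"%1" %*`. It reads both the per-machine and per-user class hives (the per-user one normally does not exist, which is itself a useful signal when it suddenly does), reports anything that differs from the stock value, and can put the stock value back with `-Restore`.

```powershell
# Added example (not from the original post): audit the registry command that
# launches .exe files when clicked in Explorer, and optionally restore it.
# Assumption: the launcher hijack lives at the standard exefile shell-open
# command, whose clean value on Windows is the literal string  "%1" %*

$StockLauncher = '"%1" %*'

# Per-user Classes override per-machine Classes; HKCR is the merged view.
$LauncherKeys = @(
    'Registry::HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command',
    'Registry::HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command',
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
)

function Test-ExeLauncher {
    param(
        [string[]] $Keys = $LauncherKeys,
        [string]   $Expected = $StockLauncher,
        [switch]   $Restore
    )
    foreach ($key in $Keys) {
        if (-not (Test-Path -LiteralPath $key)) {
            # Absent is normal for the HKCU copy on a clean machine.
            [pscustomobject]@{ Key = $key; Value = $null; Status = 'absent' }
            continue
        }
        # The launch command is stored in the key's (default) value.
        $value = (Get-ItemProperty -LiteralPath $key).'(default)'
        if ($value -eq $Expected) {
            $status = 'OK'
        }
        elseif ($Restore) {
            Set-ItemProperty -LiteralPath $key -Name '(default)' -Value $Expected
            $status = "RESTORED (was: $value)"
        }
        else {
            $status = 'MODIFIED'
        }
        [pscustomobject]@{ Key = $key; Value = $value; Status = $status }
    }
}

# Report only; add -Restore (from an elevated prompt) to put the stock value back.
Test-ExeLauncher | Format-Table -AutoSize
```

Because the hijacked command intercepts every .exe launch, run this from a context the malware does not control (Safe Mode with Command Prompt, or an offline recovery environment with the victim hives loaded) rather than by double-clicking powershell.exe on the infected desktop. A `MODIFIED` result on the HKLM key, or any value at all under the HKCU key, is the registry "point of entry" the post is talking about.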

'Twas fun, I have to say. Like hunting :)

[identity profile] rkatsyv.livejournal.com 2009-09-16 12:48 am (UTC)
Wait till you try real hunting ;)

[identity profile] cryowizard.livejournal.com 2009-09-16 01:38 am (UTC)
Dude, I want to go shooting this weekend. And on the way back we'll stop by North Shore Animal League for a quick look at the local feline population ;)

[identity profile] rkatsyv.livejournal.com 2009-09-16 01:40 am (UTC)
Aha, you're finally ready for a pussy-cat

[identity profile] tateeana.livejournal.com 2009-09-16 10:24 pm (UTC)
My comp recently got infected with a fascinating piece of malware. My mom was reading news in Rambler, clicked on a link and killed: search, system recovery, Windows update, network connection, and something else. My dad had a fun time restoring all of it. I think he is still figuring out how to get rid of the stupid warning.

[identity profile] cryowizard.livejournal.com 2009-09-17 12:24 am (UTC)
I could prolly help him out ;)