Windows Verifying Malware

>> Monday, June 20, 2011

Removing ‘Windows Verifying Center’ Malware

This malware doesn't appear to be more than a few days old, judging by the results I was getting from Google. It was time for some creative troubleshooting.
Here is what was happening. When he logged on to his computer he was greeted by the following screen (the screenshot is not reproduced in this copy of the post):
Then, after a few seconds, he would be asked for permission to scan his computer.
The first thing I did was to unplug his computer from the Internet.
At this point there was no way past the software. I tried pressing Ctrl-Alt-Del to invoke Task Manager, and I tried pressing Alt-F4 to kill the process. I also tried rebooting his computer into Safe Mode. That didn't work either: we were greeted by the same screens and the same restrictions.
Note: For those who don't know, Alt-F4 closes the current window or application. It is a legacy keyboard shortcut that, at times, is a good thing to know.
I then booted his computer normally, allowed the malware to "scan" the computer, and when it asked for confirmation to "fix" the problem I was able to close the window with Alt-F4 and finish booting into Windows.
Clicking the "X" in the upper-right corner of that screen didn't work either. Before the client called me he had tried to "register" the software; fortunately for him, his bank blocked the transaction and called to warn him that the software wasn't legitimate.
Once I was in Windows, the software still wouldn't let much happen. No Internet. No CMD window. No MSConfig. I even tried to install Malwarebytes from my USB stick, but it killed that process too. Every time I tried to run any of these I'd see the following screen:
I exited this screen as well with Alt-F4.
As the screenshots show, the software looks VERY legitimate.

Removal Instructions

The way I eventually worked around the software and removed it was as follows:
  1. Follow the steps above to bring up the Windows desktop.
  2. Start the Windows Control Panel.
  3. Open the User Accounts item and create a new user with a password and administrator rights.
  4. Log out of the current user and log on as the new user.
  5. At this point Malwarebytes can be installed and updated from the new account. Either open a browser and download it, or copy it to a USB drive and plug that drive into the infected computer.
  6. Run a quick scan, clean the items it finds, and reboot.
  7. Log back on as the new user.
  8. Run a full Malwarebytes scan and reboot.
The new account most likely works because this kind of fake scanner installs itself into the infected user's profile and starts from that user's own autostart entries (the per-user Run key and %AppData%); a freshly created profile has no such entry, so nothing launches at logon and the normal tools become usable again. If the rogue also registers a machine-wide autostart, a new account will not escape it and an offline scan from a boot CD is the fallback.
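Once logged on as the clean account, the infected user's own autostart entries can be inspected without ever logging back on as that user. The following PowerShell script is an added example and is not from the original post; it assumes a Windows 7 profile layout, a hypothetical infected profile at C:\Users\Client, a hypothetical mount name HKU\InfectedUser, and that the infected user is fully logged off (otherwise reg.exe cannot load the hive). It loads that user's NTUSER.DAT, lists the per-user Run/RunOnce values and Startup folder, and flags executables dropped into the profile in the last week, which is where a days-old rogue scanner will show up.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell
# prompt while logged on as the NEW, clean administrator account (step 4).
# Assumptions (hypothetical): Windows 7 profile layout, the infected account's
# profile is C:\Users\Client, and that user is logged off so its hive is free.

$InfectedProfile = 'C:\Users\Client'      # assumption: the infected user's profile
$HiveMount       = 'HKU\InfectedUser'     # assumption: temporary name under HKEY_USERS

function Get-UserAutostart {
    # Lists the per-user Run/RunOnce values in a loaded hive. A rogue scanner
    # normally persists here, pointing at a randomly named .exe under %AppData%.
    param([string]$Mount)
    $Keys = 'Software\Microsoft\Windows\CurrentVersion\Run',
            'Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($Key in $Keys) {
        $Path = "Registry::$Mount\$Key"
        if (-not (Test-Path $Path)) { continue }
        $Values = Get-ItemProperty -Path $Path
        foreach ($Prop in $Values.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... bookkeeping properties.
            if ($Prop.Name -like 'PS*') { continue }
            New-Object PSObject -Property @{
                Key     = $Key
                Name    = $Prop.Name
                Command = $Prop.Value
            }
        }
    }
}

function Get-RecentExecutables {
    # Finds .exe files created inside the profile recently. The fake scanner was
    # only days old, so its dropped binary will be among the newest files.
    param([string]$ProfilePath, [int]$Days = 7)
    $Cutoff = (Get-Date).AddDays(-$Days)
    $Dirs = "$ProfilePath\AppData", "$ProfilePath\Local Settings"   # Win7 and XP layouts
    foreach ($Dir in $Dirs) {
        if (-not (Test-Path $Dir)) { continue }
        Get-ChildItem -Path $Dir -Recurse -Filter *.exe -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTime -gt $Cutoff } |
            Select-Object FullName, CreationTime, Length
    }
}

# Mount the infected user's hive so its autostart keys can be read without
# logging on as that user (which would start the rogue again).
reg.exe load $HiveMount "$InfectedProfile\NTUSER.DAT" | Out-Null
try {
    Write-Host "== Per-user autostart entries for $InfectedProfile =="
    Get-UserAutostart -Mount $HiveMount | Format-Table Key, Name, Command -AutoSize | Out-Host

    Write-Host "== Executables created in the profile in the last 7 days =="
    Get-RecentExecutables -ProfilePath $InfectedProfile | Format-Table -AutoSize | Out-Host

    # The Startup folder (Win7 path) launches at logon as well.
    $Startup = "$InfectedProfile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
    if (Test-Path $Startup) {
        Write-Host "== Startup folder =="
        Get-ChildItem $Startup | Select-Object Name, CreationTime | Out-Host
    }
}
finally {
    # Always unload, or the hive stays locked and that user cannot log on.
    reg.exe unload $HiveMount | Out-Null
}
```

Any Run value whose command points at a recently created .exe under the profile is the rogue's launcher; while the hive is still loaded it can be removed with `Remove-ItemProperty -Path "Registry::HKU\InfectedUser\Software\Microsoft\Windows\CurrentVersion\Run" -Name <value name>` and the file deleted, after which the Malwarebytes scans in steps 6 to 8 catch what is left. If the listing is empty, the malware is persisting machine-wide (HKLM or a service) and a new account alone will not contain it.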


Tips for Website Operators on Defending against Hacker Attacks

>> Friday, June 17, 2011

Cyber-security watchdog CyberSecurity Malaysia has advised all operators of organisational and government websites to take proactive steps to protect their sites, following hacker attacks that are expected to continue for several days.
Accordingly, CyberSecurity Malaysia Chief Executive Officer Lieutenant Colonel Datuk Husin Jazri said his agency has prepared tips and best practices for protecting websites from hacker attacks. According to him, the tips include:
(1) What you need to know about website defacement:
http://www.mycert.org.my/en/resources/incident_handling/main/main/detail/756/index.html
(2) Steps for recovering from a UNIX or NT system compromise:
http://www.auscert.org.au/render.html?it=1974&cid=1920
(3) Intrusion detection checklist:
http://zeltser.com/log-management/security-incident-log-review-checklist.pdf
(4) Steps to address SQL injection weaknesses:
http://www.mycert.org.my/en/resources/web_security/main/main/detail/573/index.html
(5) How to protect against SQL injection in ASP.NET:
http://msdn.microsoft.com/en-us/library/ms998271.aspx
(6) ModSecurity:
http://www.modsecurity.org/
As of early Thursday morning, 51 .gov.my websites had been hacked, 41 of which suffered disruption to varying degrees, according to the Malaysian Communications and Multimedia Commission (SKMM).
The attack followed a statement by a foreign group known as "Anonymous" that it would hack the official government website www.malaysia.gov.my yesterday, on the grounds that the government was allegedly imposing Internet restrictions.
The commission said there were attempts to hack several websites, including its own site www.skmm.gov.my, at 11.30 last night, but they failed.
According to SKMM, the commission's Network Security Centre, together with several other agencies, service providers and experts, has been working continuously to monitor and block the attack.
Meanwhile, Husin said that if a website is defaced or found to be under hacker attack, contact Cyber999 by e-mail at cyber999@cybersecurity.my or mycert@mycert.org.my, or by phone on 1-300-88-2999, which is monitored during working hours from 8.30 am to 5.30 pm; by fax on 603 89453442 or on the mobile number +60 19 2665850, both of which can be reached at any time; or by SMS by texting CYBER999 REPORT to 15888.
CyberSecurity can be reached via the website http://www.mycert.org.my.


  © Blogger template Simple n' Sweet to ictsematbestari 2011
