Malware attempts to steal "log-on" info

[leoliver]

Hi Everyone,

The other day I recieved that e-mail from Citi-bank saying I needed to click the e-mail link to log on and change my password. Of course I didn't, because Citi-bank dosen't send such e-mails to debit card holders. But when I tried to log on, from their web-page, I found that my password/user name no longer worked. I called them, and they re-set my password.

And tonight, when I tried I clicked to log on my Net-Spend debit card web-site, I recieved a download pop-up, asking me to Run or Save some sort of Font file. I knew something was wrong so I cancealed, which means I couldn't log on.

This happened with Internet Explorer 8. But when I used my Opera browser, the suspcious download pop-up didn't appear, and I was able to sucessfully log on via Opera.

I was afraid some sort of malware was in Internet Explorer 8, so I used Revo to totally un-install Internet Explorer 8 from my computer. And I won't re-install tell I get some answers.

I ran both a Malwarebytes and a AVG scan, but nothing turned up with either scan.

Any ideas what sort of malware could be trying to disrupt and steal my log on info ?

And how could I go about detecting and removing it ?

Feedback will be appreciated .

[Guest]

Your best bet is to format and reinstall XP. And stop using IE. It's a malware magnet.

[CharlotteTheHarlot]

This happened with Internet Explorer 8. But when I used my Opera browser, the suspcious download pop-up didn't appear, and I was able to sucessfully log on via Opera.

I was afraid some sort of malware was in Internet Explorer 8, so I used Revo to totally un-install Internet Explorer 8 from my computer. And I won't re-install tell I get some answers.

Running Opera (or any other browser) was a good debug step, because you quickly isolated the infection vector as MSIE (big surprise). Most n00bs will just fire up MSIE again, hit Google, try a bunch of solutions, and then wonder why it didn't work.

I ran both a Malwarebytes and a AVG scan, but nothing turned up with either scan.

This not unusual. Running the antivirus/malware from a live infected machine is practically doomed to fail unless drastic measures are taken, a careful clean bootup without anything except essential services running. This is almost possible with MSCONFIG, but not 100% because a rootkit or really aggressive virus will modify files (despite Windows File Protection) that are loaded at startup even under a clean boot.

Any ideas what sort of malware could be trying to disrupt and steal my log on info ?

And how could I go about detecting and removing it ?

It depends now how much time you want to spend at this. Most people do not care to learn about every little detail, what time it occurred, which files were installed and modified, what startup points are compromised. Such people would reinstall Windows to be done with it.

Considering that two primary vectors are vital to success - physical files (which might have been altered or replaced), and the registry (usually containing hooks to load malware), being able to correct problems in these two places without active countermeasures preventing or undoing your work is critical! Consequently, there are only two real ways to clean an infected Windows installation by accessing the infected installation while it is offline (not booted up) ...

(1) - 3rd party bootup disc that loads its own operating system (bypassing the infected machine completely) and has the correct tools to access and clean NTFS volumes, and most importantly, tools to be able to read and write to the offline registry. Making sure that the disc tool can handle rootkits and "Windows XP+" usually means it is appropriate for the job as it implies it has the necessary tools. Such programs will often prompt you to connect to the iinternet first in order to update the tools on the disc (probably old) to the latest definitions (kept in memory for the session). As is always the case, be sure to select 'ALL FILES' when choosing what to scan. That means each and every file, not just programs. If you are a developer and a member of MSDN/Technet you have access to Microsoft's excellent DaRT images to create a bootable disc with the environment necessary to do all these functions (except a proper virus scan) including registry editing, accessing any file, modifying autorun programs, etc. But you cannot use DaRT for commercial purposes or even on other people's computers. Read Microsoft's licensing for the particulars. If you have no access to DaRT then you need 3rd party tools, period.

VERY IMPORTANT: having used many of the discs (supplied as burnable ISO's from antivirus companies) you must understand that most of them use custom Linux setups and almost every single one make a very serious error: they have a timer on the bootup screen that asks "boot from disc, or hdd, or whatever?" and the default will boot the infected computer even ignoring BIOS settings that removed that HDD from the bootup process! The user MUST be attentive when using these discs, read the prompts quickly and press whatever key within the time period. (the authors of such insane routines on these discs should be waterboarded, but I digress ...). Now having said that, this method can definitely be successful with great care and by doing it several times with different discs. It is more time consuming than (2) because the optical drive becomes a bottleneck at initialization, though once the files are loaded into memory or a ramdisk it is largely ignored.

(2) - Placing the hard disk containing the infected installation into another computer (as a slave/auxillary hard disk) and then bootup up that other computer and then using an array of tools specifically targeting that infected hard disk. The "other" computer is best setup as a forensic/diagnostic unit, updated with the latest utilities and antivirus definitions. When doing the physical antivirus file scan, like above, be sure to select 'ALL FILES' when choosing what to scan. That means each and every file, not just programs. It helps to manually delete pagefile.sys from the root folder of the target beforehand since it is a large file that will be re-created later. I also make a point of manually locating and emptying all the various TEMP folders on the target disk. One thing that needs special treatment is the now offline registry on the target hard disk. You will need to learn how to use an Offline NT registry tool for some cases. But for most cases you can get away with just firing up AUTORUNS and selecting the offline system.

- Some people consider remote access through networking as a third method, but I don't because as long as the infected installation is booted up the infection could be deploying countermeasures to thwart the scanning and cleaning process.

Remember that the goal is simple, NO infected files, and NO registry startup locations that loads or downloads something evil. Achieving these two goals will now allow a safe bootup on the formerly 'bad' system. Now you can than update MBAM (Malware Bytes) and MSE (Security Essentials) or whatever other one you use and run them again live, looking for stragglers (legacy vectors such as links placed in startup folders and edits to WIN.INI, and registry substitutions swapping one application for another).

In summary, if you only have this one infected computer, you must go elsewhere and have someone download and burn the bootup CD's, or pull the hard drive and hand to someone competent. This is why so many opt to re-install Windows. And, this is why many who don't will often be re-infected again and again.

EDIT: typo

Edited August 23, 2012 by CharlotteTheHarlot

[submix8c]

For fun, you could TRY to create a second account and try again using it. Infections (generally) have one of two ways to "run/runonce" - the "HKLM" branch (in which case you have some serious scrubbing on your hands) and/or "HKCU" (in which case just the OLD user-id is biiten). Another is "services" (gonked up in HKLM) which is also a bear to get rid of.

Surprising that it's asking for a FONT, of all things. "Run" or "Save"? Nuh-uh! Never heard of a "needed" Font reacting like that.

You COULD try installing and running CCleaner in case it's still in the "cache" and nowhere else. BTW, you should also check for some of those silly "toolbars" that you may have inadvertently installed - some are NOT good and open the door up further.

Chances are, that that eMail could have potentially placed some "goodies" into the Internet Cache (hence trying CCleaner). That's why I avoid going via a Browser into my eMail - I use the Outlook Express (yuk - still dangerous) and let it download my email.

BTW, a handful of new variations of trojans are now going undetected by anti-malware programs, even the "big boys"... In one case, I managed to find and eliminate it. In the other case I had to back up all of the User Data and do a Restore (an OEM-style "Recovery"). Not fun as it took several days for first, and several with "I give up" on the second.

[Tripredacus]

Surprising that it's asking for a FONT, of all things. "Run" or "Save"? Nuh-uh! Never heard of a "needed" Font reacting like that.

Surprising only because that method is extremely deprecated due to security. It is possible to specify a server-side font, but that's HTML 4 and lower. Any website I find that uses something that outdated should be avoided at all costs. Consider what else may be lacking in terms of security.