Flash Player Malware



pctek
08-05-2014, 08:39 AM
Had a call yesterday. Had I heard of the Flash Player virus?
Apparently they go to certain websites (Facebook, Yahoo/Xtra mail etc.) and get "Flash Player is out of date, click here to update", showing the exact Flash update page (which of course it isn't).

The businessman had called Need A Nerd the day before, they came round and charged $225. As nothing had been fixed I suggested he dispute that. They then said they would return and wipe and re-do the PC.
I suggested that might be a terrible idea.

I arrive and can't see anything at all has been done to the PC except it now has McAfee on it. Businessman tells me he installed that, not NAN.
There were 3 PCs in total, 2 had the issue and 1 didn't. All off the same modem/router.

So the 2 of them appear to be clean. The other belonged to a friend who also has a business out of the same premises and shares the internet.
Nothing with NOD32, MalwareBytes, Spybot, Superantispyware, TDDS, AdwCleaner and Hijackthis.

I look this thing up and then check registry, profiles etc manually....Nothing.

I decide to look at the modem; the default login/password wouldn't let me in....hmmm....I check on the modem manufacturer's site - oh look, I cannot view it! Forbidden.
So I factory reset modem - problem disappears.

Both access to modem, and yes, I was using correct default login...and the flash problem. Cured.

I've never had a router hijacker before.....I looked it up later that night - apparently TP-Link and Linksys have had these kinds of attacks before.

Pity I didn't get to see exactly what had been changed in the modem first...but never mind, all better now.


Interestingly NAN had turned up again and were sent away.
Imagine if they did wipe the PC.....they sure wouldn't have backed it up I bet...and of course his backups were iffy at best. And they were doing this onsite - how much would that have cost?
And of course it wouldn't have fixed the issue either.


Gave him some advice on backups, PC maintenance stuff, NOD32 (via Wainuitech), and also had a look at the optical drive (deceased now) while I was there.
He asked if A) I could do the new DVD drive, B) be their IT person.

Haven't had this much fun in ages, and I thought it was going to be a standard boring PC hijacker....

wainuitech
08-05-2014, 09:04 AM
Had a read from that link you sent Pctek, it's interesting alright. The picture of the Flash Player upgrade does look fake, but I guess the average user wouldn't know.

OH BTW -- The conversation we had on the phone was a lot more interesting than the polite version you posted above ;) Wanna re-write it with the correct language :D

cookee
08-05-2014, 09:49 AM
Had a read from that link you sent Pctek, it's interesting alright. The picture of the Flash Player upgrade does look fake, but I guess the average user wouldn't know.

OH BTW -- The conversation we had on the phone was a lot more interesting than the polite version you posted above ;) Wanna re-write it with the correct language :D

Interested in the link referred to, presumably the article, can you post it up?

Many thanks

Cookee

wainuitech
08-05-2014, 10:04 AM
Interested in the link referred to, presumably the article, can you post it up?

Many thanks

Cookee

http://www.cbits.co.uk/ourblog/news/fake-flash-player-update-virus-routers-tp-link/

carl beentjes
08-05-2014, 10:24 AM
As the owner of Need a Nerd - Wellington, I've just checked all recent job notes and asked my team about the service visit you refer to and we have no record of such a visit.
The charge doesn't match our billing structure and we haven't been turned away from a customer's door (that I can recall).
Perhaps your friend was referring to another IT provider?
Cheers
Carl Beentjes
Chief Nerd
Need a Nerd - Wellington

linw
08-05-2014, 10:51 AM
Thanks for that heads-up. Pretty bloody cunning scheme. All internet-connected devices I come in contact with get changed passwords, so would this stymie these sods?

Yea, I would like the unexpurgated version as well!!!

cookee
08-05-2014, 10:52 AM
http://www.cbits.co.uk/ourblog/news/fake-flash-player-update-virus-routers-tp-link/

Thanks for that, something new to watch for in the battle against the nasties, cheers

1101
08-05-2014, 11:30 AM
To be fair to NAN, malware comes in via so many vulnerabilities it's usually just absolute luck if you can find the cause. I wouldn't be too quick to criticize them.
I've had 1 customer with the same repeat infections; just absolute luck I found it was from 1 of many legitimate NZ websites he visits (a NZ radio station website that had been hacked).
This could be the case here, just 1 hacked website being the cause; perhaps that's how the router was hacked. Only time will tell.

Asus, TP-Link, Linksys etc. router vulnerabilities & hacks have been around for some time now, heck, going back to 2010 at least.
Also some NAS devices are vulnerable to hacking.
Now let's be honest here, how many techs actually update firmware on routers, NAS, firewall & wifi APs EVERY TIME they visit a site?
Because that's what's actually required, as well as changing the admin pass so it's not the default AND turning off remote admin on routers AND disabling WEP.

From the website above
"(Updated 6/3/14 am) This malware seems to be being delivered as a “Update to Flash Player”, which we now think is changing settings in Routers so that ALL DEVICES on the local network are routing our to conduit.com servers,"

So the hacked router is a symptom/effect of the malware, not the cause?
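A small check for the situation the original post and 1101's list describe, where the router's DHCP hands every PC on the LAN a resolver it should not have, written here as an added example that is not from this thread or the linked cbits article. It parses `ipconfig /all` output from a Windows client and flags any DNS server that is neither the default gateway (the router forwarding DNS, the normal home setup) nor on a trusted list of the ISP's resolvers. The sample output, the 203.0.113.53 "rogue" resolver and the 198.51.100.x trusted list are constructed placeholders from documentation address ranges, not real indicators; the parser's indentation rule is an assumption based on ipconfig's usual layout.

```python
"""Audit a Windows client's DHCP-assigned DNS servers for signs of a router
DNS hijack. Added example; not code from the forum thread or the cbits article."""
import ipaddress
import re

# Constructed sample of `ipconfig /all` output from a client on a LAN whose
# router has been reconfigured. 203.0.113.53 is a documentation address
# standing in for the attacker's resolver; it is not a real indicator.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.53
                                       192.168.1.1
"""

# Placeholder for the ISP's real resolvers (198.51.100.0/24 is a documentation
# range); replace with the addresses your ISP publishes.
TRUSTED_RESOLVERS = ["198.51.100.1", "198.51.100.2"]

# "Key . . . . : value" lines; the key may contain spaces and hyphens.
_FIELD = re.compile(r"^([A-Za-z][A-Za-z0-9 \-]*?)[ .]*:\s*(.*)$")
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_ipconfig(text):
    """Map each field (lower-cased key) to the IPv4 addresses in its value,
    including indented continuation lines. Assumes ipconfig's layout: keys
    indented a few spaces, continuation values indented much deeper, adapter
    headers flush left. IPv6 values are ignored."""
    fields = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0:            # adapter / section header line
            current = None
            continue
        if indent > 8:             # continuation of the previous field's value
            if current is not None:
                fields[current].extend(_IPV4.findall(raw))
            continue
        m = _FIELD.match(raw.strip())
        if not m:
            continue
        current = m.group(1).strip().lower()
        fields.setdefault(current, []).extend(_IPV4.findall(m.group(2)))
    return fields


def rogue_dns_servers(fields, trusted_resolvers):
    """Return DNS servers the client was handed that are neither the default
    gateway nor on the trusted resolver list. A non-empty result after a fake
    'Flash update' prompt points at the router's config, not the PC."""
    trusted = set(trusted_resolvers) | set(fields.get("default gateway", []))
    rogues = []
    for server in fields.get("dns servers", []):
        try:
            ipaddress.ip_address(server)   # drop anything the regex let through
        except ValueError:
            continue
        if server not in trusted:
            rogues.append(server)
    return rogues


def audit(text, trusted_resolvers=TRUSTED_RESOLVERS):
    """Parse and audit in one call; returns (gateway list, rogue resolver list)."""
    fields = parse_ipconfig(text)
    return fields.get("default gateway", []), rogue_dns_servers(fields, trusted_resolvers)


if __name__ == "__main__":
    gateway, rogues = audit(SAMPLE_IPCONFIG)
    print("gateway:", gateway)
    if rogues:
        print("DNS servers not on the trusted list (check the router):", rogues)
    else:
        print("DNS configuration looks as expected")
```

To use it on a real machine, save `ipconfig /all > out.txt` on the affected client, put your ISP's resolvers in TRUSTED_RESOLVERS, and call `audit(open("out.txt").read())`. A flagged address that is the same on every PC behind the router, while the PCs themselves scan clean, is exactly the pattern pctek hit; the fix is on the router (reset, change the admin password, update firmware, disable remote admin), not on the PCs.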

wainuitech
08-05-2014, 11:34 AM
As the owner of Need a Nerd - Wellington, I've just checked all recent job notes and asked my team about the service visit you refer to and we have no record of such a visit.
Did you check the ones in Auckland ? The person concerned is not in Wellington.


To be fair to NAN, malware comes in via so many vulnerabilities it's usually just absolute luck if you can find the cause. I wouldn't be too quick to criticize them.

The cause or source it came from doesn't really matter; it's actually fixing the problem that's important. If you can find out the cause as well that's good, but often it's hard to pinpoint it.
Obviously the whole conversation I had with PCTek on the phone is not here, but the description was put on the invoice and it was read out; it clearly stated there was a problem, yet it also appears not to be fixed, and still charged for.

If someone calls in a company to clean out or fix their computer they deserve to have it fixed, or if there are problems, options given. There's been several times when going to customers' places something else should be done; it's mentioned, and if they don't want it repaired it's duly noted on the invoice that the offer to fix was refused, and they sign it. That way they can't come back and say they were never told. There are too many places that only do half the job.

cookee
08-05-2014, 12:05 PM
Did you check the ones in Auckland? The person concerned is not in Wellington.

The cause or source it came from doesn't really matter; it's actually fixing the problem that's important. If you can find out the cause as well that's good, but often it's hard to pinpoint it.
Obviously the whole conversation I had with PCTek on the phone is not here, but the description was put on the invoice and it was read out; it clearly stated there was a problem, yet it also appears not to be fixed, and still charged for.

If someone calls in a company to clean out or fix their computer they deserve to have it fixed, or if there are problems, options given. There's been several times when going to customers' places something else should be done; it's mentioned, and if they don't want it repaired it's duly noted on the invoice that the offer to fix was refused, and they sign it. That way they can't come back and say they were never told. There are too many places that only do half the job.

This is one of those dreadful situations that PC support people (experienced and not-so) sometimes find themselves in. It does seem from the initial posting that NAN did offer to return and were turned away, but of course if that return was anticipated to cost more money I'd understand that.

As for the $225, presumably that was mostly labour, which probably equates to maybe a couple of hours work?

Now as any experienced person will know, the efforts of a previous Tech are not always obvious but if I was checking for Malware (and to be fair, until this posting I would not have instinctively thought of the Router) then I would as a matter of course run through the usual suite of checks to check for and eliminate anything likely to be a problem.

To begin with check their current AV (what it is), and last signature/def. update.
CCleaner next, followed by Malware Bytes. It's rare on a PC that I have not personally seen before to not find something from MWB (the latest facelift version just released is great by the way). But that's just the quick-check, and depending upon the PC specs, and what may be detected, I've known the quick check to take easily half an hour or more, and that's after CCleaning. And here's the two-edged sword, if you run CC first, you are very likely to remove a number of potentially infected items (temp files etc) and had you not, although the MWB scan would be quicker, the report of suspicious items is nowhere as impressive. My worst PC was over 2000 items picked up in MWB.

And then assuming AV, CC & MWB complete normally, you then may also be faced with delayed Windows Security updates, pending Java & Adobe updates, and on it goes. Add a Scandisk check and there's a few more minutes. It very quickly adds up and next thing two hours are gone in a blink, and sometimes the problem persists.

These are all things I do for the client while I'm there (with approval beyond the first hour of course) and all of which will help the stability of the PC.

If it isn't resolved, then you are into MWB deep scans, rootkit checks, restoring Browser defaults etc etc in a deeper diagnosis. This is where the offer to wipe and rebuild comes in, because it's often the only ASSURED way of getting back to a clean system - but of course when the system itself was not the issue (router hack) it will all be for nought. I feel for that guy for sure!!

I have personally followed up a previous experienced tech to a job and nailed the issue right away, and I have no doubt it's happened in reverse, and I'll never know whether what I or the other tech did made the eventual diagnosis much easier because all the other 'housekeeping' had already been done.

All food for thought.

pctek
08-05-2014, 12:08 PM
to be fair to NAN, Malware comes in via so many vulnerabilities its usually just absolute luck if you can find the cause .

Luck? Thanks.
Like hell it is.

OK, they didn't fix the problem in the first place - obviously due to bad luck.

So you don't then charge $225 on a generic invoice, which stated "Technician Fee".

You sure don't then decide to come back and, with a further charge, wipe the PC. Even if it had been a browser hijacker, that's the lamest thing I ever heard - wiping it.
How about a proper fix instead?

And in any case it didn't take me a hell of a long time to establish it wasn't the PCs at all and move on from there.

pctek
08-05-2014, 12:12 PM
It does seem from the initial posting that NAN did offer to return and were turned away, but of course if that return was anticipated to cost more money I'd understand that.

As for the $225, presumably that was mostly labour, which probably equates to maybe a couple of hours work?


Nope. Sorry.
I asked the owner who was present when the NAN people were there doing bugger all.
They were turned away because they were phoned and told the bill was in dispute, told the business was not interested in further work from them yet turned up anyway ready to wipe a PC.

WIPE a PC...this isn't some little thing....the guy potentially would have been left in a hell of a mess and still without the fix done.

The PCs were clean, I established that. Manually.