Apr 04 2011

As you’ve probably heard by now, the “Lizamoon” malware has spread to a growing number of websites, affecting even some huge ones. All of them are running Microsoft SQL Server 2000, 2005 or 2008, so as of now it seems this website cannot be affected by that attack, because your humble servant is NOT running this site atop Microsoft SQL Server.

Manifestation on Visitors’ Computers

Once (only the first time) you visit an affected site you will receive a browser popup window stating that your PC is infected and that it needs to be cleaned. Of course, the alert also offers to run a security analysis of your computer, and if you are naive and accept it, it will run very quickly, give you a fake list of problems and then ask you to buy the tools to fix them and clean the PC. This is not a new malicious technique for seducing you into pulling out your credit card and giving some cash to criminal people in need; I’ve already seen similar popup “alerts” and helped my users, friends and my wife stay secure many times. What’s prevalent in this and other recent cases of malware, phishing, viruses and scams is the social engineering part: the utility doesn’t do much damage and relies instead on a simple process that will make you believe and agree to pay a reasonable amount for the fake service of cleaning your “infected” computer. In other words, they are counting on your trust, so I’d call this a “naive citizen tax”.

How To Protect Yourself From These Scams

This section won’t help Mac users with exact steps because it only covers Windows procedures, but you can still get the concept. This is a generic procedure, a list of what I do when I get this kind of message in a popup window:

1. Don’t click on Yes or No buttons, because they can both be programmed to do the same malicious thing! Close the popup window instead!

2. Try to close the window by clicking on the red X button in the top right corner of the browser window (Windows users), but that usually doesn’t work.

3. Close all the internet browsers that you may have open.

4. If that doesn’t work, try to right-click the taskbar button of the browser showing the popup and click Close. If that doesn’t give you any result within ten seconds, you need to kill the application: go to Task Manager (right-click the taskbar and select “Start Task Manager”), select “Show processes from all users”, select the Applications tab, find the browser that was open, select it and click the “End Task” button at the bottom. If that doesn’t bear any result in 10-20 seconds, switch to the Processes tab, click the “Image Name” header to sort the processes alphabetically (this keeps them from moving up and down while you work) and select and kill (use the “End Process” button) all the processes belonging to the browser you were using. For example, Internet Explorer processes are named iexplore.exe, Mozilla Firefox processes include firefox.exe and Google Chrome processes are named chrome.exe (if you use a browser other than the three major ones I’ve shown, you need to find out what the name of that browser’s process is).
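The same Task Manager steps from item 4 can be done from a PowerShell prompt, which is handy when the popup is covering the desktop. This is an added example, not part of the original post; the process names (iexplore, firefox, chrome) are the ones listed above, and any other browser’s executable name is an assumption you would have to add to the list yourself.

```powershell
# Added example: command-line equivalent of the Task Manager steps in item 4.
# Process names come from the post; add any other browser's name to this list.
$browsers = 'iexplore', 'firefox', 'chrome'

# Equivalent of the Processes tab sorted by "Image Name": list the matching
# processes with their IDs and memory use so you can see what is still running.
# -ErrorAction SilentlyContinue keeps Get-Process quiet for names that are not running.
Get-Process -Name $browsers -ErrorAction SilentlyContinue |
    Sort-Object -Property ProcessName |
    Format-Table -Property ProcessName, Id, WorkingSet64 -AutoSize

# Equivalent of "End Process" for every matching process. -Force suppresses the
# confirmation prompt for processes owned by other users, which is the same as
# ticking "Show processes from all users"; ending those requires an elevated prompt.
Get-Process -Name $browsers -ErrorAction SilentlyContinue |
    Stop-Process -Force

# Give the processes the 10-20 seconds the post mentions, then confirm nothing came back.
Start-Sleep -Seconds 10
$left = Get-Process -Name $browsers -ErrorAction SilentlyContinue
if ($left) {
    "Still running: $($left.ProcessName -join ', ')"
} else {
    "All browser processes ended."
}
```

Run it from a prompt opened with “Run as administrator” if the browser was started by another user account; otherwise a normal prompt is enough. Closing the browser this way discards unsaved form data in every tab, exactly as “End Process” in Task Manager does.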

When in Doubt, Scan

If you are not sure whether the alert came from a web browser or from the antivirus on your computer (you had better have one, and it had better be up to date), then after you’ve closed the message, close all sessions and programs and run a virus scan. That way you can be sure you didn’t skip a legitimate alert.

I have led my users, friends and wife through the troubleshooting described above many times, and in most cases the systems were clean (granted that the user didn’t accept the offered “protection”) and the antivirus program didn’t find anything on the PC.

That’s it. General rules for engaging with the Internet and other people’s files and systems:
– Don’t trust these and similar fake security or virus popup messages coming from an internet browser. If you trust a scam or a phishing attempt, no antivirus can protect you.
– Have a good antivirus program (some great free ones include avast!, Avira and AVG, in my order of preference).
– Perform (or schedule) an antivirus scan of your system regularly and keep the antivirus program, its versions and engines up to date (most of them do this automatically, but it doesn’t hurt to check every now and then) and you’ll be OK.

Good luck.
