I work on that same theory. What happens is that they go to some website that pops up a browser window that's designed to look like the window of an antivirus app. They actually do a pretty good job; it can fool the average user easily. Anyhow, the animation in the window tells them they're infected and to "click here" to clean the virus, and when they click there it downloads an EXE that plants the malware on their system.

We do have a content filter in place that's supposed to block URLs that contain malicious content, but that hasn't seemed to stop this. I don't know what URLs are serving it up to people, and reconstructing that after the fact is a pain. I could do it: find an infected user, get an idea of when they became infected, then check the content filter logs to see what sites they accessed during that period. But I'm sure there are multiple URLs serving it, and keeping up with them all is a game of cat and mouse, just like keeping AV definitions up to date to catch the latest version of the malware is.

John

From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Wednesday, September 15, 2010 1:08 PM
To: NT System Admin Issues
Subject: RE: #*&$&% "Security Tools" Malware

Do you do URL filtering? I work on the theory that A/V should be the last line; stop them getting there in the first place.

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: 15 September 2010 17:20
To: NT System Admin Issues
Subject: #*&$&% "Security Tools" Malware

The "Security Tools" malware is about to drive me insane. My users keep managing to infect themselves with it, and we're having trouble stopping it. They don't run with admin rights, so there's no real damage done to their systems and we can clean it up in about two minutes. But the time adds up, and I'm tired of my technicians having to waste time on it.

Our antimalware software is Microsoft's Forefront Client Security, and it's having a tough time catching this. Every time I get infected, I send the EXE to Microsoft and they update their definitions, but the EXEs used by the malware apparently change rapidly, and seem to constantly be a step ahead of FCS's definitions.

I can think of a couple of options that I know would stop it, like blocking all EXEs at our web filter or using group policy to limit the running of EXEs, but this would also prevent users from doing things like installing safe plug-ins from websites, so it's not a first resort.

Suggestions?

John Hornbuckle
MIS Department
Taylor County School District
www.taylor.k12.fl.us

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin

NOTICE: Florida has a broad public records law. Most written communications to or from this entity are public records that will be disclosed to the public and the media upon request. E-mail communications may be subject to public disclosure.

________________________________
MIRA Ltd
Watling Street, Nuneaton, Warwickshire, CV10 0TU, England
Registered in England and Wales No. 402570
VAT Registration GB 114 5409 96

The contents of this e-mail are confidential and are solely for the use of the intended recipient. If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax. You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited.
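One way to script the reconstruction step John describes (infected user plus approximate time, then the content filter log for that window), as an added example that is not part of this thread. The log format, field names and sample lines are constructed for the example; a real filter's export will differ and the parser would need adjusting.

```python
"""Pull one user's requests around an infection time from content-filter logs
and flag the ones that look like the EXE a fake-antivirus page hands out.
Assumed (constructed) log format, one request per line:
    <ISO timestamp> <user> <client ip> <method> <url> <status> <content-type>
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample log lines, not real traffic; example.* hosts are placeholders.
SAMPLE_LOG = """\
2010-09-15T13:40:02 jsmith 10.1.2.3 GET http://www.example.com/news 200 text/html
2010-09-15T13:41:17 jsmith 10.1.2.3 GET http://ads.example.net/popup.html 200 text/html
2010-09-15T13:41:19 jsmith 10.1.2.3 GET http://ads.example.net/scan.swf 200 application/x-shockwave-flash
2010-09-15T13:41:45 jsmith 10.1.2.3 GET http://dl.example.net/setup.exe 200 application/x-msdownload
2010-09-15T13:41:50 jsmith 10.1.2.3 GET http://dl.example.net/install.php?id=7 200 application/octet-stream
2010-09-15T13:45:00 mjones 10.1.2.9 GET http://dl.example.net/setup.exe 200 application/x-msdownload
2010-09-15T15:30:00 jsmith 10.1.2.3 GET http://www.example.com/mail 200 text/html
"""

# Content types a filter commonly reports for Windows executables.
EXEC_TYPES = {"application/x-msdownload", "application/octet-stream",
              "application/x-msdos-program"}

def parse_line(line):
    ts, user, ip, method, url, status, ctype = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
            "method": method, "url": url, "status": int(status), "ctype": ctype}

def requests_in_window(log_text, user, infected_at_iso, before_min=30, after_min=5):
    """The user's requests from before_min minutes before to after_min after infection."""
    infected_at = datetime.fromisoformat(infected_at_iso)
    lo, hi = infected_at - timedelta(minutes=before_min), infected_at + timedelta(minutes=after_min)
    rows = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [r for r in rows if r["user"] == user and lo <= r["ts"] <= hi]

def looks_like_exe(row):
    """A successful fetch whose path ends in .exe or whose type is a binary download."""
    path = urlparse(row["url"]).path.lower()
    return row["status"] == 200 and (path.endswith(".exe") or row["ctype"] in EXEC_TYPES)

def candidate_download_urls(log_text, user, infected_at_iso):
    """URLs to review and, if confirmed, add to the filter's block list."""
    return [r["url"] for r in requests_in_window(log_text, user, infected_at_iso)
            if looks_like_exe(r)]

def users_hitting(log_text, urls):
    """Every account that fetched any of the flagged URLs: other machines to check."""
    wanted = set(urls)
    rows = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return sorted({r["user"] for r in rows if r["url"] in wanted})

if __name__ == "__main__":
    urls = candidate_download_urls(SAMPLE_LOG, "jsmith", "2010-09-15T13:42:00")
    print(urls, users_hitting(SAMPLE_LOG, urls))
```

Because the thread notes the EXE changes faster than definitions do, the URL and content-type view is what stays usable across variants; the users_hitting pass turns one cleanup into a list of other machines worth checking.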