Warning on prompted installs
Posted by angelis on March 20 2007 22:53:32
This is some seriously nasty trojan activity. It normally starts like this: you are surfing a site and, under Windows XP and Vista, Internet Explorer pops up a warning bar, which appears just under all the normal menu bars you have.

This warning bar will tell you that you are required to download and install ............. in order to view this page correctly.

I have seen 2 variants so far: one asks you to install Google Toolbar, which is going to be easy to spot if you already have it installed; the other asks you to install a Windows component and claims to be authentic Windows software.

In my article on security I have warned all who have read it not to install anything that pops up while you are surfing, no matter what it claims to be. Go to the official site, in this case http://www.google.com and http://www.microsoft.com, and install any components you need directly from the source.

Some antivirus programs are detecting this as a security threat, but since the payload does not actually have any malicious intent, I feel the others are lagging behind in offering protection for this. I have seen recent estimates that 5 to 10% of PCs worldwide are infected by this trojan, which is just mind-boggling.

So far the trojan has only been identified as altering how your computer communicates with the internet, by changing the servers your computer connects to in order to find the websites you want to visit. These servers are considered hostile and are used to control your surfing experience. Webmasters who rely on affiliate programs to generate income have estimated that up to 15% of their income is being taken by the people who control these hostile servers: the servers manipulate the affiliate links so that the sale is credited to them instead of to the webmaster, literally stealing that webmaster's income.
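The servers a PC uses "to find websites" are its DNS resolvers, so one concrete check a defender can run is to compare the resolvers an infected machine is configured with against the ones it is supposed to have. The following is an added example, not code from the original post: it parses the "DNS Servers" entries (including the indented continuation lines) from `ipconfig /all` output and flags any resolver outside the networks you trust. The sample output and the 203.0.113.x addresses are constructed for the example; the trusted network list is an assumption you would replace with your own LAN or ISP ranges.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output (not from the post). The second
# adapter's resolvers have been replaced with addresses outside the home network.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : DESKTOP-EXAMPLE

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home.example
   IPv4 Address. . . . . . . . . . . : 192.168.1.20
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       192.168.1.2

Wireless LAN adapter Wireless Network Connection:

   DNS Servers . . . . . . . . . . . : 203.0.113.10
                                       192.168.1.1
                                       203.0.113.11
"""

# First resolver sits on the "DNS Servers" line; extra resolvers follow on
# deeply indented lines holding nothing but an address.
DNS_LINE = re.compile(r"^\s*DNS Servers[ .]*:\s*(\S+)\s*$")
CONT_LINE = re.compile(r"^\s{20,}(\S+)\s*$")

def parse_dns_servers(ipconfig_text):
    """Return every resolver address listed under a 'DNS Servers' entry, in order."""
    servers, in_block = [], False
    for line in ipconfig_text.splitlines():
        m = DNS_LINE.match(line)
        if m:
            servers.append(m.group(1))
            in_block = True
            continue
        c = CONT_LINE.match(line) if in_block else None
        if c:
            servers.append(c.group(1))
        else:
            in_block = False          # any other line ends the resolver list
    return servers

def unexpected_resolvers(ipconfig_text, trusted_networks):
    """Resolvers outside the trusted networks (assumed: your LAN / ISP ranges)."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    flagged = []
    for s in parse_dns_servers(ipconfig_text):
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:            # unparsable entry deserves a look too
            addr = None
        if (addr is None or not any(addr in n for n in nets)) and s not in flagged:
            flagged.append(s)
    return flagged

if __name__ == "__main__":
    print(unexpected_resolvers(SAMPLE_IPCONFIG, ["192.168.1.0/24"]))
```

A resolver that is neither your router nor your ISP's is worth investigating; the same logic applies to the resolver settings on the router itself, since an unexpected upstream there affects every PC behind it.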

As affiliate programs and webmasters fight back against this, the people controlling these servers are bound to use them for malicious reasons, so this is a sleeper threat just waiting to be triggered. The potential I see for future threats is information gathering (credit cards, banking details, etc.), spam assaults and DDoS attacks.

There is no easy way to tell that you have been hit by this infection, and on my test PCs that I deliberately infected the ultimate solution has been to back up critical files, format and reinstall Windows.