My First-Ever Virus Alert

In the 12+ years I’ve been operating as The Virus Doctor™, I have never issued a general Virus Alert to all of my clients and subscribers to my e-mail list – until now.  In the past week I have learned of a very widespread virus outbreak that could ensnare even the most cautious users of the Internet and e-mail.

This outbreak crippled a major hospital in the Texas Medical Center, in Houston, and surely many other computer users around the United States.  But unlike some viruses you may have heard about on the evening news, this one has gone mostly unreported in the news media.

Going a step further, only one computer security vendor, to my knowledge, has published anything about it.  And even at that, it took some serious digging through their web site before I was able to uncover more details of this infestation.

But what I found was very troubling, on multiple levels.  This is a very sophisticated attack with multiple ways of infecting computers, multiple ways of appearing to be legitimate, and multiple payloads (ways of making money by infecting your computer).

I’ll start by describing the attack in layman’s terms, which I hope will be understandable to “normal” computer users who are not geeks.  Then I’ll provide more details for the techie readers who want to know more about how the attack works and why I’m so concerned about it.

The first thing you need to know is that this virus infects computers that have been used to research any of at least 15 different travel destinations.  It has been able to accomplish this by infecting the web sites that people use to find more information about specific cities or areas.  Here are some of the sites that were infected:

  • www (dot) visitmyrtlebeach (dot) com
  • www (dot) visithoustontexas (dot) com
  • www (dot) seemonterey (dot) com
  • www (dot) visitannapolis (dot) org
  • www (dot) bostonusa (dot) com
  • www (dot) tourismvictoria (dot) com

Making matters worse, users were directed to these sites through promotional e-mails that actually came from legitimate sites, and that the users had opted in to receive.  Some of the promotional e-mails included references to 4th of July activities, while others were general travel-related content.  In other words, the attackers timed their activities to coincide with the summer travel season and the marketing activities that usually happen this time of year.

In most cases of a web site being compromised by criminals, it is still necessary for the user to click on an infected link on that page in order for their computer to become infected.  That is not the case with this exploit, though – as soon as that page opens in your browser, your computer is infected.

As if that weren’t enough bad news for this exploit, it gets even worse.  Because of the way this infection enters your computer, the attack won’t be recognized or blocked by most anti-virus, firewall, or Internet Security software.  Even Malicious Web Site Blocking in Internet Security software is likely to treat these as legitimate sites, unless it analyzes the actual behavior taking place on your computer when you go to those sites.

It appears that this attack originated in the Ukraine, and the exact number and identities of all the infected web sites may not be known.  The hosting companies for all of the known sites have been contacted, so some of the sites should have been fixed by now.

The payload, or objective, of this attack falls into several broad categories.  These are discussed in more detail in the “For the Geek” section, below.  But here is the short version:

  • A downloader that downloads and installs additional pieces of malicious software
  • A rootkit that makes the infection invisible to most security software and support techs
  • A component that attempts to steal user credentials and hijacks the computer into a botnet

In short, this attack follows “Best Practices” to make it likely to infect the maximum number of computers, generate as much profit for the criminals as possible, and avoid detection and removal by any but the most skilled IT Support technicians.

For the Geek

This attack is delivering the Nuclear exploit kit to the infected computers, without the user doing anything that could be considered “wrong” or inappropriate.  If they do a Google search on Houston, Texas, for instance, and click on one of the top search results, their computer could become infected.

Here are the actual components of the attack:

  • Zemot – the downloader that downloads and installs additional pieces of malware
  • Rovnix – a sophisticated bootloader/rootkit that launches the installed malware when the PC boots and then hides itself and other malware from detection
  • Fareit – another downloader, which also attempts to steal user credentials and can be used in DDoS attacks

For more technical details, you may want to read the article by Proofpoint, here: http://www.proofpoint.com/threatinsight/posts/travelers-targeted-by-infected-travel-websites.php.  If you need to know specific names of executable files associated with this attack, you may contact me directly and I’ll share the filenames that have been given to me.
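For techs who want to know which machines on a network loaded one of the sites listed earlier, here is an added example (not part of the original alert or of Proofpoint's article) that turns the "(dot)" notation back into hostnames and scans web proxy log lines for them.  The log layout, the client addresses and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Sites named in the alert, kept in the article's "(dot)" notation.
DEFANGED_SITES = """
www (dot) visitmyrtlebeach (dot) com
www (dot) visithoustontexas (dot) com
www (dot) seemonterey (dot) com
www (dot) visitannapolis (dot) org
www (dot) bostonusa (dot) com
www (dot) tourismvictoria (dot) com
"""

# Constructed sample lines. Assumed layout: time client method url status
SAMPLE_LOG = """\
07-02T09:14:03 10.1.4.22 GET http://www.visithoustontexas.com/events/ 200
07-03T13:02:11 10.1.7.9 CONNECT www.bostonusa.com:443 200
07-03T13:05:59 10.1.4.22 GET http://WWW.SeeMonterey.com./ 200
07-03T14:00:00 10.1.4.80 GET http://notvisitannapolis.org/ 200
truncated line
"""

def refang(line):  # 'www (dot) example (dot) com' -> 'www.example.com'
    return re.sub(r"\s*\(dot\)\s*", ".", line.strip(), flags=re.I).lower()

def watchlist(text=DEFANGED_SITES):
    hosts = {refang(l) for l in text.splitlines() if l.strip()}
    # Also match the bare domain, since sites often answer without "www."
    return hosts | {h[4:] for h in hosts if h.startswith("www.")}

def host_of(target):  # accepts a full URL or a CONNECT-style "host:port"
    if "://" not in target:
        target = "//" + target
    return (urlsplit(target).hostname or "").lower().rstrip(".")

def visitors(log_text, hosts=None):
    # Map each client address to the watched sites it requested.
    hosts = hosts or watchlist()
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        # Lines that do not fit the assumed layout are skipped.
        if len(fields) >= 5 and host_of(fields[3]) in hosts:
            hits[fields[1]].add(host_of(fields[3]))
    return {client: sorted(sites) for client, sites in hits.items()}

if __name__ == "__main__":
    print(visitors(SAMPLE_LOG))  # hits are leads for triage, not proof of infection
```

Matching is on the exact hostname, so a look-alike such as the constructed "notvisitannapolis.org" line is not reported.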

Even though this is a very sophisticated, multi-faceted attack, it should respond to the methodology and tools included in the Virus Remediation Training workshop.  If you’ve completed this workshop and need some help dealing with one of these outbreaks, you’re welcome to contact me directly for assistance.