PC Pitstop is proud to welcome our friends at Windows Secrets as guest contributors. The weekly Windows Secrets Newsletter brings you essential tips for Windows, applications, and computing on the Internet.
By Fred Langa/Windows Secrets
A nasty piece of malware known as LizaMoon has hijacked links on millions of websites in the past weeks, including some normally safe iTunes and Google links. Fortunately, LizaMoon is easy to avoid if you know what to look for.
Using rogue-AV scare tactics, LizaMoon tries to trick you into running bogus security-scan and virus-cleanup tools on your PC — but it’s pure malware.
If allowed onto your PC, this particular ploy is especially troublesome because it can partially disable the Windows Security Center and change the Registry so that the full WSC can’t be restarted. It also interferes with Microsoft Security Essentials, if MSE is running. (You’ll find lots more LizaMoon news coverage via Google.)
My encounter with LizaMoon started unexpectedly one evening when a suspicious warning popped up on my screen. As discussed in a previous Top Story, I use Microsoft Security Essentials and the Windows 7 firewall to protect all of my PCs. In over a year of constant use, I’d never had any malware trouble. But that abruptly changed.
That evening, I was searching for something through Google — I don’t recall what. When I clicked a link, a blank page overlaid with the dialog in Figure 1 popped up instead of the site I was expecting.
Figure 1. A real LizaMoon initial dialog, captured in the wild.
My mental alarm bells immediately started ringing — the dialog was identified as a Message from webpage. But why was a random, external webpage displaying what looked like a local security message?
Also, how could a random webpage know what was installed on my system (suspicious programs or not)? The warning made no sense.
There was plenty more to suggest that the dialog was bogus. For example, the third sentence is in fractured English — Microsoft dialogs aren’t like that. And the kicker: I keep my system very clean, so the odds that it would suddenly contain “a variety of suspicious programs” are virtually nil.
Then it struck me. I’d encountered a for-real LizaMoon page hijack, in the wild!
Typically, when you encounter any suspicious webpage dialog, the correct procedure is to immediately dismiss it via the red-X close box in the upper-right corner of the dialog box or to simply close the browser. (If needed, you also can use Windows’ Task Manager to kill offending software or its processes.)
Next, if you think you might have a security problem, you should manually launch known-good security tools directly from reliable sources. In no case should you ever launch unknown software triggered by visits to random websites.
In my case, however, this was exactly the kind of malware I’d been looking for to test. In the past few months, readers reported encountering new malware that masquerades as a security tool — malware that disables or bypasses Microsoft Security Essentials. I’d been trying to track it down for weeks. And suddenly, there it was.
Living dangerously: taking the malware’s bait
Given this unexpected opportunity, I took a deep breath and clicked OK, knowing full well that I was voluntarily giving the webpage permission to interact with my PC.
A new webpage opened, showed a flurry of fake “scanning” activity (most likely, just an animated .gif), and then reported a huge number of discovered viruses and security problems.
I knew my system was clean, so this report of widespread infection was clearly fake. But because the page layout and icons closely mimic those of familiar Windows tools, it could easily fool casual users into thinking that the alert was real.
After a minute of fake scanning activity, a new dialog opened — offering to “Remove all” the threats (see Figure 2).
Figure 2. Clicking “Remove all” on this fake security dialog starts the malware download. Find a way to close the dialog, as discussed in the text.
The new dialog set off more of my internal alarm bells. Windows normally identifies the software or subsystem involved in security alerts — such as the Action Center, the Security Center, Security Essentials, or whatnot. A dialog simply labeled “Windows Security Alert” is suspiciously generic.
And what’s this about “Windows Defender”? That’s Microsoft’s standalone anti-malware tool that ships with Vista and Win7 and is available as a free download (page) for XP. The forerunner of the more complete Microsoft Security Essentials, it’s deactivated when you install MSE. Since I have MSE active on my system, I shouldn’t be hearing from Windows Defender.
At that point, you’d normally try to dismiss the warning by clicking on the red X. To see what would happen next, I clicked “Remove all,” knowing I was inviting trouble.
(If you’re keeping count — and I did — you’ll know this was my second entirely voluntary action leading to infection.)
A real and quite legitimate Windows file-download security warning opened, as shown in Figure 3. But while the previous dialog discussed “Windows Defender,” this dialog box asked permission to download an installer for “Internet Defender.” What’s more, the dialog clearly showed that the file was from a site called update65.saceck.co.cc — not Microsoft!
Clearly, the LizaMoon authors are confident that people do not pay attention to these details.
Figure 3. This dialog box has several naming inconsistencies: the previous dialog mentioned Windows Defender, but this one offers something called Internet Defender. It also isn’t coming from a known address, such as Microsoft.com.
Ignoring yet another opportunity to bail out before being infected, I clicked the Save button and entering the location where the file should be saved (the third voluntary action on the path to infection).
My hard-drive light flickered briefly and I swallowed hard, knowing that a malicious payload had just been delivered to my personal PC. (Yes, my system was fully backed up and my sensitive data encrypted.)
Ready or not, the malicious payload arrives
I intended to disconnect my PC from the network before the malware ran, assuming that going offline would keep any system damage local and no personal data could be exported.
But there must have been a script running somewhere, because the malware installer immediately attempted to self-start. Fortunately, Windows reported an NSIS error (see Figure 4). NSIS is SourceForge’s Nullsoft Scriptable Install System, and the error means that an installation script failed an integrity check.
Figure 4. The first sign of trouble after downloading the malware
This post is excerpted with permission from Windows Secrets.