Sunday, January 11, 2009

The Virtumonde Scourge (and how I removed it)

Over the Christmas vacation, I was the unfortunate victim of a particularly nasty spyware infection known as "Virtumonde."

Internet Explorer began acting strangely and I was receiving multiple pop-ups for something called "AntiSpyware 2009" which advertised (with no small hint of irony) to remove any spyware infections I had on my computer. How perfect is that? Not only did they cause my problem, but they had a ready-made solution to fix it handy.

I felt I would do the "quick and dirty" route and downloaded / installed AVG Free AntiSpyware...which subsequently scanned and found nothing. You get what you pay for I guess. A lot of people swear by AVG, but it really was no good at removing this particular infection (or even finding it). They may have subsequently updated their definitions database but I can't vouch for that currently.

My next act was to go about uninstalling IE from my system permanently, once and for all. I knew it wouldn't remove the infection now that it was on my computer, but I was just sick of IE altogether and had long ago stopped using it in favor of Firefox. The pop-ups were all coming from IE for some reason...and when I finished removing it, Firefox did get some pop-ups, but it was not nearly as bad as what I was experiencing with IE.

Being employed in the security utility space, I am pretty familiar with the general state of AntiSpyware products and immediately went and downloaded a copy of PC Tools Spyware Doctor (which is pretty well regarded), which I had a license for from product-related research a few months ago. It rapidly found and deleted a large number of infections of the Virtu.gen!G strain and, with some lock-ups, rebooted my machine in a clean state. I will say PC Tools has done a very nice job with their SEO: searches for "Virtumonde" seem to turn up PC Tools landing pages and affiliates pretty effectively.

However, I will not be giving them credit for "fixing the problem." The next day, I ran the scan again and, sure enough, Virtumonde was back! Spyware Doctor got rid of it, but not permanently. Subsequent scans and removals yielded similar results. The active protection and real time shields that come with Spyware Doctor didn't really stop it from coming back either. Again, maybe they have updated their definitions since I ran the scan, but I can't vouch for that.

Reading around on the forums, I saw a huge number of people complaining about this particular variant of Virtumonde, which has apparently been lurking on the internet in other forms for at least 3 years. A lot of people on the HiJackThis forum were posting logs and solutions...but everything I saw there seemed like it would require a long time to implement. Having a lot of other more interesting ways to spend my time, I was literally only interested in finding THE FASTEST POSSIBLE SOLUTION to this problem. Digging around in logs and hand-twiddling the registry didn't really appeal to me all that much.

I will say, the general state of "advice" for removing this particular infection was quite varied, most likely because Virtumonde keeps coming back in new variants, causing the available advice to rapidly become obsolete.

According to Wikipedia, Virtu spreads using outdated versions of Java, and it recommended updating my version of Java. I updated Java and ran the Spyware Doctor scan again, which once again temporarily removed the problem.

Another aspect of Virtumonde is that it seems to switch off Automatic Updates...I assume as a precaution to prevent people from downloading Microsoft patches that immobilize the infection. After scanning and removing with Spyware Doctor, I was able to re-enable Automatic Updates and install the latest fixes. Unfortunately, still no luck with preventing the recurrence of Virtumonde. Negative points to Microsoft.com because they required me to have IE installed in order to download the updates. Bastards.

Next, I tried Windows Defender, which is a free antispyware tool released by Microsoft. Windows Defender rapidly found and removed the infection...but again, it came back. So no points for Windows Defender either.

I attempted to use OneCare's web-based scanner: http://onecare.live.com/site/en-us/default.htm?redir=true

However, it choked and wouldn't let me use it on my current operating system. No idea why...this is a legitimate copy of XP. My guess is it just doesn't support anything other than Vista.

Anyways, I also tried a free utility called "VundoFix" which also didn't work. I am guessing it wasn't up to date with the newest strain.

Finally, someone posted about a utility known as "Super AntiSpyware."

Holy Christ almighty it actually worked! As a test, I ran Spyware Doctor and Windows Defender...which both declared my system "clean." I then ran Super AntiSpyware and it found 23 more instances of Virtumonde on my computer. I only used the "free" version of the product...but it worked where the other "industry leaders" apparently were not able to get the job done.

I think it's a testament to the "Build A Better Mouse Trap" world of security utilities. The "top dog" in the space is constantly changing. I remember a few years ago Spybot Search & Destroy was the #1 player, then it was Lavasoft and now it is AVG. Lavasoft's engine I believe is licensed from a company called "Avira" which has received very high marks in the past for producing excellent security removal tools. Looking back, I wish I had given Lavasoft a chance to remove Virtumonde...I am curious about whether or not it would have done the job.

High praise to Super Antispyware though.

References:

Wikipedia's Vundo Entry

Symantec's Vundo Entry

VundoFix

Super AntiSpyware (aka "The Solution")