The Liza Moon Malware attack

In the "Windows Secrets" newsletter this week, Fred Langa writes this (do yourself a favor and subscribe to the paid version):


TOP STORY
LizaMoon infection: a blow-by-blow account

"Using rogue-AV scare tactics, LizaMoon tries to trick you into running bogus security-scan and virus-cleanup tools on your PC — but it's pure malware.

If allowed onto your PC, this particular ploy is especially troublesome because it can partially disable the Windows Security Center and change the Registry so that the full WSC can't be restarted. It also interferes with Microsoft Security Essentials, if MSE is running. (You'll find lots more LizaMoon news coverage via Google.)

My encounter with LizaMoon started unexpectedly one evening when a suspicious warning popped up on my screen. As discussed in a previous Top Story, I use Microsoft Security Essentials and the Windows 7 firewall to protect all of my PCs. In over a year of constant use, I'd never had any malware trouble. But that abruptly changed.

That evening, I was searching for something through Google — I don't recall what. When I clicked a link, a blank page overlaid with the dialog in Figure 1 popped up instead of the site I was expecting.

[Figure 1. A real LizaMoon initial dialog, captured in the wild.]

My mental alarm bells immediately started ringing — the dialog was identified as a Message from webpage. But why was a random, external webpage displaying what looked like a local security message?

Also, how could a random webpage know what was installed on my system (suspicious programs or not)? The warning made no sense.

There was plenty more to suggest that the dialog was bogus. For example, the third sentence is in fractured English — Microsoft dialogs aren't like that. And the kicker: I keep my system very clean, so the odds that it would suddenly contain "a variety of suspicious programs" are virtually nil.

Then it struck me. I'd encountered a for-real LizaMoon page hijack, in the wild!"

Notice the mental bells that began ringing. The questions he asked himself.
These are the kinds of questions we should always ask when we see any message that suggests we should let someone scan our computer!

There are times we ask. I use Crucial.com to scan computers when I am thinking they could use more memory. But the popup window does not intrude when I go to crucial.com. Rather, I have to ask, and I have worked with their site for a number of years. They are OK.
Unsolicited popups are almost always a danger sign. (I consider the User Account Control popups from Windows Vista and Windows 7 to be exceptions to the rule, as I do the popups from Norton or McAfee, assuming I authorized the install of one of these antivirus programs. By installing, I authorized them.)

Take care.  Back up regularly.  Ask the important questions. 
