Administrators Beware of Spyware Guard 2008
Lumension - May 5th, 2009
So here you are, an accomplished network administrator… you understand the risks to your enterprise. You have managed to wrestle local administrator rights away from your user community. All systems are running current versions of a popular antivirus software. So your user community can browse the Internet with gleeful abandon. Think again. Joe User while browsing the Internet is suddenly confronted with a very convincing popup that declares their system has several vulnerabilities. They are instructed to click a link to ‘Remove all’. He is now the proud owner of SpywareGuard 2008.
The malware is able to install itself regardless of the fact the user who clicked on it only has basic user rights on their system. The ‘tool’ then creates its own version of Windows Security Center which would fool Bill Gates himself. The fake Security Center will then popup randomly informing the end user their antivirus is no longer functioning and instructs them to click a link to fix it.
This and many infections like it can be prevented with Lumension Endpoint Security suite but for those who may be skittish about implementing a whitelist solution, there are other options. One very powerful option is to run the solution in a non-blocking mode. This allows you to monitor what is being launched and, in the case of malware as above, it becomes a very power forensics tool. Once you discover an outbreak you can now consult the logs.
Here you can see the Who, What, Where and When of the infection. Prior to having such a tool, you would have to go to security websites and discover the manual method for removing such infections. With the logs you can now see exactly what is attempting to launch. You can utilize a tool like Lumension Patch & Remediation to deploy a removal batch file that deletes the files and purges the appropriate registry keys.
Going beyond the clean up, you now have the ability to determine the original attack vector (see below)
Here you can see the original file that was launched to trigger the infection as well as where and when it entered the system.