Blog

SmitFraud – What is it?

It seems that the most popular malicious computer infections I run across lately here in the Low Country comes in the form of spyware that has been classified as “SmitFraud”. SmitFraud has many variants – it seems like a new variant has been popping up every couple of weeks lately and it makes preventing infections a test in diligence. The worst part of this infection is that it blackmails you into buying fake security software to remove it.

The most common question I get from my customers is “How did I get it?”. This is a tricky one to answer as it can get installed in more than one way. The most common way is in the form of something that looks legitimate. Internet Explorer users are the most susceptible to infection, as it will use Internet Explorer’s plug-in architecture to install what you think is software to watch a movie or listen to music online through your browser (these are what is referred to as codecs). The problem is that you can just be browsing along on the internet and get infected without even knowing it happened.

How do you know your infected? Well, that’s an easy one – trust me, you will know. A common symptom is that your background wallpaper will be changed and it will have a message telling you that you are infected (some folks incorrectly refer to wallpaper as their screensaver – so to clarify, I’m talking about the picture or pattern on your desktop behind all the icons). Some later variants skip this as it was a little too obvious that something is amiss. Another common symptom is pop-up windows for fraudulent anti-virus software sites, but the most common symptom is a blinking yellow triangle with an exclamation point in your system tray (that area by the clock) that has a message bubble telling you to click there to download software to remove the infection. I have seen some slight variations in the blinking icon color and shape as well. This is a major nuisance because it mimics the Windows automatic update icon, which is something you would want to actually click on. If you are unfortunate enough to have actually clicked on the icon, it will install one of a handful of rogue false security software packages and perform a fake scan, which will of course say that you are infected and need to purchase the software to remove it. Here’s the kicker though – it never actually removes the real virus!

How can I get rid of it? Ah, the million dollar question (or at least $75.00 if I come out to do it). I have battled this beast in so many of it’s forms that I can honestly say that no one piece of software can definitively work to get rid of it. If you value your time and sanity, give a professional a call. If you are brave enough to take this on, here are some tips from what I have learned. HijackThis is an important starting point to see what is starting up on your computer and where it is starting from. Be aware though that if you don’t know what you are doing, you can seriously damage your PC with this. The reason this is so powerful is because it shows you things that are vital to the system as well as the malicious stuff, so if you make one wrong click and you wont be able to boot your machine again. That said, I use this to look for Browser Helper Objects (BHO’s) that do not belong as well as startup dll’s that shouldn’t be there and random false codecs. I also run of few different anti-spyware scanner applications, such as SuperAntiSpyware, Ad-Aware, and AVG Anti-Spyware. Another free tool that is powerful, but has not been as effective on the newest variants is a program called SmitFraudFix. This program works best in Safe Mode, and it works wonders with the older infections at getting rid of it. Some Anti-Virus programs will classify SmitFraudFix as a virus itself, so you need to disable your security software before downloading and running it. Other methods I have used involve monitoring the processes in the task manager for strangely named processes that are running (a quick Google search of an unknown process name will tell you what it is, and sometimes how to get rid of it). Cleaning your temporary files is a must-do step that will help prevent a re-infection – you can easily do this by running the disk cleanup tool that comes with Windows.

How do I prevent it? The majority of people I see infected with this are running a consumer version of a Norton Anti-Virus product. To be honest, I personally feel that Norton Internet Security is a such a huge burden on a PC that it is similar to having a virus! The fact is, Norton is the most popular security software out there and like Windows, it is a target that malicious software writers to overcome. Coupled with the fact that a lot of PC’s come with it installed already with a limited subscription that runs out and is left unchecked by the average consumer, it makes my job a lot more difficult. Do yourself a favor, if you are going to purchase security software, get the best – not the most popular. The reigning king of efficiency is Eset’s NOD32. It is not the easiest to install and configure (we can always help), but once set up, it is the best security software I have seen for the average consumer. It is fast, and updates very frequently. Another favorite of mine also happens to be free for home use – AVG Free Edition is an excellent piece of software and you certainly cannot beat its price. Make sure to keep your computer patched via Windows Update, and for goodness sake, stop using Internet Explorer for casual web browsing! I encourage you to switch to Firefox immediately. It is a great product that is far ahead of Internet Explorer in may ways, most importantly security. If you have to use IE, make sure to update to IE 7 as it has much better security features than IE 6, such as an anti-phishing filter. If you want a good free software firewall, Comodo is great. I personally think software firewalls are a pain in the butt and stick with the Windows firewall alongside a hardware firewall, but for those of you who surf in coffee houses and public WiFi hotspots, Comodo or something similar is a must.

I only touched the surface of how to deal with SmitFraud (as well as general security practices), and if you want more info, please check out these resources:

Wikipedia
Security Cadets
Major Geeks

Related Posts