Virus infection: How can I help the FBI catch them?

I got one of those virii that infects you with fake antivirus software with numerous fake warnings and popups trying to get you to buy their antivirus software. Apparently, it interferes with my ability to open task manager to close it. I would usually just do a rollback, but I’m in the middle of a poker game now.

While I’m waiting, what data can I send to the FBI, if any, to get them to persecute these guys?

(Just FYI, the windows I had open at the time were SDMB, IMDB, and Wikipedia.)

Not much. Without some deep forensics you’re not likely going to be able to determine the true source of the infection, if it’s even possible at all (you don’t likely have the necessary levels of logging & auditing enabled). It’s most likely a worm rather than a virus (if you care about the distinction), and it didn’t necessarily come from an open browser window.

After you do your rollback make sure you apply all your updates.

The chances are that the people that need persecuting are well outside the jurisdiction of any American agency. The bank accounts used in these cases are usually based in China or Korea or any other country that doesn’t co-operate too well with western requests.

This sort of thing has been happening a lot lately here at the SDMB.

From the FAQ:
If you think you see malware on the SDMB:

I had a nasty bout with that malware lately. Ugh.

It’s probably a good thing that virus-writers are not among my patients. It’d be harder than usual to keep my Hippocratic oath.

I just got one like that recently – really surprising, since I typically keep my machines pretty thoroughly protected. I had made the mistake, though, of relying on MS Security Essentials instead of a better malware protection system like Avast. This was Windows Vista SP2, everything patched and up-to-date, browsing with Firefox 3.6. Just visiting one page with a malicious advertisement was sufficient to get a .exe sneakily injected into my user AppData folder and executed. MSSE made a feeble attempt to block the attack, but it didn’t get any farther than displaying a warning notification for a second or so before the malware bitch-slapped it into oblivion.

It then proceeded basically as you described: popping up phony malware alerts and trying to sell me their “anti-virus” software. It would also open Internet Explorer windows every once in a while to try to sell me Viagra. I expect it got through by exploiting a buffer overflow or similar vulnerability in the Adobe Flash plugin; if not that, it must be a vulnerability in Firefox itself. It just underscores the fact that designing and building secure software is really hard.

Fortunately, I make a point of running a limited user account and elevating privileges only when necessary (everybody, absolutely everybody should do this – never run as root when you don’t have to!), so damage control was fairly easy. First I rebooted, logged in as an administrator, and ran some scans from there. I figure it must be something fairly new, though, since neither Malwarebytes nor Avast! was able to identify the executable file as a threat – but when I logged back into the infected account and ran a memory scan, Avast! identified the running process as something called “JS:FakeWarn-C.” I had to dig through the registry manually to find the startup entries, but after doing that and brutally murdering the executable, I had no more problems.

As for finding the assholes responsible, I regretfully have to agree with Severian and charlie145 that no prosecution is likely to be even remotely possible. Death is too good for these bastards, but if any kind of IP address or bank account tracing could reveal an approximate location, I would heartily back President Obama in pursuing a course of foreign policy that involves targeted airstrikes.
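The manual registry dig described in the post above (a dropped .exe under the user’s AppData folder, started from a Run key) can be turned into a quick triage check. This is an added example, not code from the thread or from any of the products named in it; the registry key paths are real, while the sample entries, the user name and the folder list are constructed for illustration.

```python
import re
# Folders a drive-by dropper uses because a limited user can write there.
SUSPICIOUS_DIRS = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\")
# Real logon autostart keys; HKCU is where a non-admin infection can write.
RUN_KEYS = (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run")

def executable_path(command: str) -> str:
    """Pull the program path out of a Run value like '"C:\\x\\a.exe" /q'."""
    command = command.strip()
    if command.startswith('"'):                 # quoted path, args after it
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.exe)(\s|$)", command, re.IGNORECASE)  # unquoted
    return m.group(1) if m else command.split()[0]

def is_suspicious(command: str, env: dict) -> bool:
    """True when the autostart target resolves into a user-writable folder."""
    path = executable_path(command)
    for name, value in env.items():             # expand %APPDATA%, %TEMP%, ...
        path = re.sub("%" + re.escape(name) + "%", lambda _m, v=value: v,
                      path, flags=re.IGNORECASE)
    return any(d in path.lower() for d in SUSPICIOUS_DIRS)

def triage(entries, env):
    """Return the (name, command) pairs worth a closer look."""
    return [(n, c) for n, c in entries if is_suspicious(c, env)]

def read_run_entries(hive_key: str):
    """Read (name, command) pairs from a live Run key; Windows only."""
    import winreg                               # stdlib, present on Windows
    hive, _, sub = hive_key.partition("\\")
    root = winreg.HKEY_CURRENT_USER if hive == "HKCU" else winreg.HKEY_LOCAL_MACHINE
    entries, i = [], 0
    with winreg.OpenKey(root, sub) as key:
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, i)
            except OSError:                     # ran out of values
                return entries
            entries.append((name, str(value)))
            i += 1

# Constructed sample: one legitimate entry, two shaped like the post's dropper
SAMPLE_ENV = {"APPDATA": r"C:\Users\alice\AppData\Roaming"}
SAMPLE_ENTRIES = [
    ("Avast", r'"C:\Program Files\Avast Software\Avast\avastUI.exe" /gui'),
    ("Windows Security Center", r"%APPDATA%\Microsoft\Windows\secctr.exe"),
    ("updater", r"C:\Users\alice\AppData\Local\Temp\AV Update 2010.exe -silent"),
]
```

On a Windows box, `triage([e for k in RUN_KEYS for e in read_run_entries(k)], dict(os.environ))` runs the same check against the live keys; anything it flags still needs a human look, since some legitimate per-user installers also start from AppData.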

Flash was very likely the culprit. It’s very vulnerable to that kind of exploit. Bad guys buy ads, sneak in an exploit, then when you go to a legitimate site the ad itself infects you. Run No-Flash and Adblock extensions in Firefox/Opera/Chrome, and only enable the ones you need.

MSSE is actually pretty damn good and, like the AVG of old, it’s very light on system resources. AVG has become a little bloated lately.

One of the things about AV apps is they are only as good as their last set of updates. No matter who you get them from or how much you pay for them. Although there is a lot of pattern checking (heuristic scanning) an AV program is mostly a big blacklist. See this file? Kill it!

When a virus first hits the net, it spreads like wildfire.

The antivirus providers then have to:

Locate it
Figure out how to kill it
Show love for Opal
Write the update patch to kill it
Wait for updates to apply to the userbase.

AV software providers often run machines exposed to the internet, unfirewalled and with no AV protection, in hopes of picking up new viruses (aka “honeypots”).

Many AV applications also have a tool to call home: if it gets a heuristic hit on a file that looks like a virus, but not enough for an automatic kill decision, a copy of the file is sent back for analysis, allowing them to use their userbase to harvest possible virus files.

As far as FBI goes, as I understand it, they really don’t bother looking into anything like this unless you have over $10K in losses because of it. A reload of windows isn’t gonna get their attention.

If someone puts one through the firewalls at a major company and knocks them out for a day or two, they MIGHT pay more attention.

Of course if they were down for that long they need better IT support…give them my # :cool:

Start hitting defense contractors or government agencies, then you will have their undivided attention in ways that would make Chuck Norris worry.

Lift off and nuke them from orbit…

Y’know, the title sounds like an ailing crook is looking to bring G-Men down with him…

Is it no longer the Secret Service that deals with computer crime? I know at one point hackers were chased down by the tasseled loafer guys, not the wingtips - no longer true?

No agency will do anything with this but laugh. You’d have to show you’ve lost thousands of dollars from the crime before they might care. There are just too many infections daily (minutely!) to attempt to track any down.

I install MSE, Threatfire, and Secunia PSI on infected personal machines after I’ve been suckered into cleaning or nuking them and I haven’t had one come back re-infected yet.

They should provide a dummy credit card number that we can use so the feds can see where and who is trying to run the number.

I do use Adblock, at least: the sad thing is that I’m pretty sure the infectious ad was on a site that I had specifically exempted from ad-blocking because I wanted to be supportive. No more! And since that incident I also run Flashblock and whitelist only a very few sites.

It’s the only way to be sure. :stuck_out_tongue:

At least some of them are being pursued by the FBI. Indictments were handed down in Chicago - who knows if they will ever catch them.

You don’t; they won’t care, and I would be mad if they did.