Last night I received a Google Alert for one of my websites. For those that do not know what this means, Google Alerts is a service that Google provide for free which will send you an email whenever a word or phrase appears to them for the first time.
Google Alerts is handy for research and to keep an eye on your digital media products, including yourself. Set up a Google Alert for your name and you will get an email whenever someone mentions you online. Set one up for your website and you get notified when your URL appears on someone else’s website, this could indicate a link (good) or clumsy content theft (bad). Or it could be a warning that some reputation management is required.
So, what happened to me? Last night I received a Google Alert for my main website brand, e.g. Webologist (but not Webologist). So I merrily opened to link to see what people were saying about my brand. That is when I caught the spyware.iemonster virus, the zlob.trojan and rogue.securitytool. The last one seemed to do the most damage, closing down my Anti-virus software and changing a bunch of settings on the computer, and generally digging itself into the machine to make it extra hard to remove.
What is my system?
I run Vista and had Avast! Free edition. Avast! had done me proud up until now, it is a great free AV tool. I certainly do not blame Avast! for this breach.
So, what happened?
When I entered the site I saw a Java popup very briefly (I think it was Java, I was not paying much attention really, family distractions etc.). Seconds later Avast announced (or maybe Windows announced) that Avast was shutting down / closing. Alarm bells rang.
The virus deactivated Avast and Windows security, changed browser settings. I did not hang around to see what else was happening, I closed all windows (I use Chrome, Firefox and IE (although IE may not have been open at the time). This was opened in Firefox where I view my gmail. I then booted in safemode and deleted all my stored passwords in Firefox (annoying as I am a member of many websites) but essential as there were some web host account passwords stored.
After trying and failing to run Avast! I used my Android G1 Google phone to investigate the problem. Fortunately an alert of sorts had shown me some names of viruses but it could not remove them.
Zlob.trojan, rogue.securitytool, Security Tool, spyware.iemonster
These are the viruses that infected me. Security Tool is one of those fake anti-spyware programs that try to steal your credit card details after persuading you to buy their product. I assume the Zlob Trojan and spyware.iemonster are the tools that keep the virus on the site, or maybe one is the virus?
How To Remove Security Tool and spyware.iemonster
After Googling the problems I was told to run Malwarebytes and SUPERAntiSpyware. I downloaded them and ran them in safemode several times and then in normal mode.
When I rebooted it came back. Avast! Shields were down still and I could not put them back. Windows Defender was off and not responding.
I read many sites but it was BleepingComputer that provided the final solution (I think, my brain got a but fuzzy). I never did the HiJackThis thing but the rkill download is on that BleepingComputer page.
I did A LOT of rebooting and running SuperAntiSpyware, Malwarebytes and rkill to finally kill the virus. Rkill is designed to force close the virus program so that the superantispyware works. I ran rkill about 20 times in the end.
Eventually after hours and hours or reboots and new AV tests it was clear (according to SuperAntiSpyware and MalwareBytes).
But today even though I was virus clear I had lost internet in Chrome and had to keep closing down ZoneAlarm and rebooting to get an Internet connection. So in the end I had to uninstall Avast, ZoneAlarm, Chrome and FF. There was a Firefox halfway through it all.
After about 100 reboots I was clear. I set up Avast! again and asked it to do a Boot Scan and that took most of the day.
Everyone (touch wood) is working OK again. Chrome is fast, Firefox is behaving, no more blocked start ups programs (oh yeah, I forgot to mention that I deleted all the shortcuts from my startup folder and stopped some things using msconfig). I forget the order of everything though.
What of the Dangerous Website?
It is still on Google with no warning, this is the Google search page. The “Eat Swiss Cheese” was the result that got me, there was a quote from one of my articles on healthy eating while pregnant.
According to Google description is it “proudly powered by WordPress and Grain”. Probably an old version of WordPress or something wrong with whatever Grain is.
Google usually has warnings against URLs in the search results when it knows of a virus on the site, so it must be new.
I have sent email to Google and Avast! Hopefully between them they will secure it as much as they can, or at least block it (Avast) and warn users (Google).
Lesson of the Day
Be very careful about opening Google Alerts. I now copy the URL and open in Chrome’s incognito. No idea if that is the safest option, but seems safest as Incognito says it will save nothing to your computer. Lets hope Avast! picks up the rest in the future.
Avast! have been making software since 1988. There free AV software is one of the better ones on the market. I know several people that use their premium solutions too. Avast! update their virus database daily and make a friendly announcement when they do so, which fortunately can be switched off. I was once watching Dr. Who when Avast! announced that the Virus Database has been updated and it scared the hell out of me.
So, What is Grain?
You can see that I am making this up as I go along…. should have done Grain before Avast! Oh well. Now searching Google……
Ah, this makes sense. Grain is a WordPress Photoblog them. Those links are jpg’s with a strange php thing afterwards. So there s most likely a nasty exploit in the WordPress theme that allows malicious code to be input into WordPress that carries the virus and Trojans. I guess. I am as far from a security expert as you are likely to get. I would do more research, but it just occurred to me that any one of those sites on Grain could be run on Grain for WordPress and carry the virus.
Update: According to SourceForge to use WP Grain you have to additionally install the Yapb plugin (Yet Another Photoblog). So that could be a problem too.
I just want to make it clear that I am not blaming anyone here, not WordPress, Grain, Yapb, Avast! or dibarphoto.com – the virus writers are to blame. Hopefully this information will help all parties to find a solution. I sent Johannes Jarolim and email too so he can take a look at his plugin. I guess I should let the Grain people know too. Looks like a chap called Markus Mayer is the man behind Grain. Need an account to email him, hopefully it will clear up soon. 2am, bedtime.
If this blog post saves just one person then it will be an hour well spent. If it saves you please let me know in the comments below, as I often feel I am talking to myself here.
Hopefully tomorrow I will get some work done!