Friday, February 18, 2005

Elite Bar Adventures

The following story is, unfortunately, true. What is even more unfortunate is that there is considerably more to the story. I, too, decided to end a long day of site maintenance (etc.) by browsing the Blogspot "Recently Updated" rolling index, which dovetails into the "Next Blog" button. I'll let Mr. Alvin Borromeo, of Blogspot's MT Law Blog, tell his story, and will follow it with further vitally important information concerning our shared experiences and the astonishing results of my subsequent investigation:

CAUTION: Mallory & Tsibouris Co., LPA does not endorse the use of the "Next Blog" icon at the upper right hand corner of this blog. Please see this post for further information.

Monday, January 24, 2005

Spyware on Blogspot?
If you look to the upper right hand corner of this webpage, you will see an icon to go to the "next blog." Clicking on this icon will take you to a randomly selected Blogger blog. Yesterday I was surfing the web on my home computer and hit the "next blog" icon a few times to see what's out there. One of the hits was nana***.blogspot.com (the actual name has numbers in place of the asterisks). Pop-ups appeared on my computer immediately after I visited the nana blog, even though I have a pop-up blocker installed. I started getting messages about system resources, etc. I immediately closed all of my browsers, but it was too late. When I re-opened my browser it went to a different home page. My computer was hijacked! Sure enough, Ad-aware (from Lavasoft) indicated that my computer had been infected with the Search Miracle/Elite Bar virus. I sent Blogger an e-mail to investigate. I will post their response. In the meantime, I will not be clicking on the "next blog" icon in the near future.

The blog I was directed to, at the time my computer was attacked, was called "Cut Me Deep". But far more happened than the simple download of the SearchMiracle/EliteBar adware. Realizing that the destruction of my Yahoo pop-up blocker, and a flood of pop-up ads at the rate of some dozens per minute (the considerable majority advertising Microsoft anti-spyware/adware), indicated a possibly serious attack, I brought out the full bag of tricks and went to work. Norton is my first line of information/defense, but it, too, was disabled after a few preliminary scans.

I needed information from an uncorrupted source, so I logged back online, went to the Symantec Free Virus Scan page and spent an hour and more getting the ActiveX scan files to download. Another hour was required to complete the scan. Symantec informed me that I had about ten files infected with EliteBarB adware and nearly 1500 files infected with some generic form of the adware called simply "adware.elitebar". But one detail of the scan report was shocking: the majority of the infected files were Norton/Symantec program and data files. There were perhaps 10 other infected files, most of them infected with the "B" version of EliteBar adware. Something was clearly out of place.

After a day of chasing down the parasite files and digging out the Windows registry entries inserted by EliteBarB, my computer worked considerably better, with the exception that pop-up ads continued at a much faster rate than normal. This lasted for another couple of hours, as I managed to do a Windows program integrity scan (no errors) and tried to disrupt any lingering remnants of the adware by doing repeated defrags and registry optimizations. Soon the Norton package was again inoperable: clearly attacked by the EliteBar adware! I was furious. This "adware" was a sophisticated and voracious virus. Surely a criminal act. Why wasn't anyone going after these guys?

The next day, I decided that the Norton/Symantec data file corruption was something I had to get around somehow. I decided to try another free virus scan site and to see how the results compared. As luck would have it, I chose Panda Software's scan (a company nominally headquartered in Bilbao, Spain). Panda's ActiveX files downloaded reasonably quickly. The scan was reasonably quick as well. But the results were very different. Like Norton/Symantec, Panda informed me that I had some files infected with EliteBarB, but only 5 rather than 10. Panda also told me that I had some 1500 infected files all told. But the files, it informed me, were not infected with some generic form of EliteBar adware. It identified them as a "startpage.sj" trojan! This trojan, it informed me, had been detected for the first time two days before it attacked my computer. No further information of any substance was available.

While Norton/Symantec only gives free scans, Panda also gives free decontamination of all detected worms and viruses (but not of any spyware or adware -- you must buy their software for that). I decided to take the decon. Sure enough, once the trojan was removed the pop-ups were reduced to a normal level and my computer ran normally again. Only the EliteBarB remained and I had manually removed its brain.

But now I notice that shortly after pages load in my browser they begin to display dozens of links to a search engine at the address www.searchmiracle.com/. Numerous web searches inform me that this is the sign of SearchMiracle/EliteBar adware. Not only that, but they inform me that startpage.sj (there is also an ".sk" version) appears nowhere on Yahoo and in only a few listings on Google, almost all of which are sites of Panda or its subsidiaries. Because Panda clearly operates under a number of subsidiary names in various parts of the world, it is possible that only Panda lists an advisory for startpage.sj and only it has the software to remove it. As for the search engine www.searchmiracle.com/, it provides no information about its owner and none is available via any major search engine.


Moreover, where an "HTTP Error 404 - File or directory not found" message would normally be the result of requesting a URL that did not exist, or of following a broken link, my browser instead sent me to http://www.yupsearch.com/search.php. This is the same advertising search engine as www.searchmiracle.com/; it simply enters via a different front URL.
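A check a practitioner would run at this point, added here as an example and not part of the original post: export the registry keys Internet Explorer reads for its home page, search page and address-bar search, together with the Browser Helper Object registrations, and audit the export for URLs that point at hosts you did not choose. The key paths and value names below are the real ones; the allowlist of stock hosts, the sample export and the all-zero placeholder CLSID in it are constructed for illustration, using the two domains named above.

```python
"""Audit an exported Internet Explorer registry slice for hijack indicators.

Added example, not from the post. Assumes the keys were exported with the
real `reg export` command and the resulting text is passed to audit_reg().
SAMPLE_EXPORT below is constructed; its URLs mirror the domains in the post.
"""
import re
from urllib.parse import urlsplit

# Values IE reads for the home page, the search page and address-bar search.
# Key paths and value names are real; they are checked under both HKCU and HKLM.
WATCHED_VALUES = {
    r"Software\Microsoft\Internet Explorer\Main": {
        "Start Page", "Search Page", "Default_Page_URL",
        "Default_Search_URL", "Local Page",
    },
    r"Software\Microsoft\Internet Explorer\SearchUrl": {"@"},
    r"Software\Microsoft\Internet Explorer\Search": {"SearchAssistant", "CustomizeSearch"},
}
# Every subkey here is a DLL loaded into every IE process: list them all.
BHO_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

# Assumption: hosts a stock install points at. Adjust for your own build.
ALLOWED_HOSTS = {"www.microsoft.com", "www.msn.com", "search.msn.com",
                 "ie.search.msn.com", "auto.search.msn.com"}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unquote(s):
    """Strip the quotes of a .reg string and undo its \\ and \" escapes."""
    if s == "@":
        return "@"
    return s[1:-1].replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: string}}.
    Only REG_SZ values ("...") are kept; dword:/hex: data is ignored."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                keys[current][_unquote(name)] = _unquote(data)
    return keys


def audit_reg(text, allowed_hosts=ALLOWED_HOSTS):
    """Return (key, name, value) for watched URL values whose host is not
    allowed, plus ("BHO", clsid, "") for every registered Browser Helper Object."""
    findings = []
    for path, values in parse_reg(text).items():
        _hive, _, rest = path.partition("\\")
        for watched, names in WATCHED_VALUES.items():
            if rest.lower() == watched.lower():
                for name, val in values.items():
                    host = (urlsplit(val).hostname or "").lower()
                    if name in names and host and host not in allowed_hosts:
                        findings.append((path, name, val))
        if rest.lower().startswith(BHO_KEY.lower() + "\\"):
            findings.append(("BHO", rest.rsplit("\\", 1)[1], ""))
    return findings


# Constructed sample export; the CLSID is an obvious placeholder, not a real one.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.searchmiracle.com/"
"Search Page"="http://www.yupsearch.com/search.php"
"Default_Page_URL"="http://www.msn.com/"
"NoUpdateCheck"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
@="http://www.yupsearch.com/search.php?q=%s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000000}]
@="Placeholder BHO"
'''

if __name__ == "__main__":
    for key, name, val in audit_reg(SAMPLE_EXPORT):
        print(f"{key}\n    {name} = {val}")
```

Export with `reg export "HKCU\Software\Microsoft\Internet Explorer" ie-hkcu.reg` (and the same paths under HKLM and for the BHO key), open the file as UTF-16 where the export is written that way, and pass the text to audit_reg(). A hit on the Main or SearchUrl values accounts for a changed home page or a hijacked address-bar search; a redirect of genuine 404 pages, as described above, is done by code running inside the browser, which is why every listed BHO CLSID should be looked up and its DLL located before it is trusted.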


The only thing that can be said with any degree of certainty about startpage.sj is that it may not be a trojan per se, but may enter the host computer, install the SearchMiracle/EliteBar adware toolbar in place of the traditional Microsoft Elite Toolbar, and then protect itself and/or SearchMiracle/EliteBar from removal by corrupting the program and data files of at least Norton, and perhaps of other major anti-virus competitors, so that they report simply generic EliteBar adware. Somehow, Panda is the only anti-virus company that has yet detected it. Within hours of detecting the trojan it had developed a program to remove it.

[re: SearchMiracle.EliteBar Search Miracle Elite Bar EliteToolBar Elite Toolbar Elite Tool Bar Elitum ETBrun YupSearch Yup Search.]

14 comments:

Alvin Borromeo said...

Gilbert,

Wow. I'm sorry you had to deal with the same problem I did. Luckily I was able to remove the virus after 3 long hours of work. My problems with the "next blog" button prompted me to move my blog to our firm's server. It's now located at www.mt-law.com/blog and you will note that the "next blog" icon is no longer there.

The response from Blogger was utterly useless and did not address the real issue at hand.

Thanks for spreading the word.

teece said...

Bummer about that. Two points: from looking at the source for the web-page in question, and downloading the Javascripts it downloads with wget and reading them, this is both specific to Windows AND Internet Explorer. If you have the option, Firefox or Mozilla is not able to be infected with this exploit (as far as I can tell -- I don't use Windows). Neither is a Mac or a Linux machine, but that is probably impractical. But, from a general computer security standpoint, don't use Internet Explorer unless you absolutely must.

Second, the author of the blog in question may not even realize their page is doing this. IOW, they may not be malicious. It appears that the "cover" action is a bit of Javascript to play music. The author of the blog MAY have just cut-and-pasted that bit of code, hoping to snaz up their blog with sound. Or not.
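The triage teece describes, reading the saved page source to see what code it pulls in, can be partly automated. The following is an added example, not code from the post, the comment or the blog in question: it parses HTML saved to disk (for instance with wget), lists every script, frame and plug-in load from a host other than the page's own, and flags inline script that sniffs for MSIE, uses ActiveXObject, or writes further script tags, the shape of a second-stage loader hidden behind a "play music" snippet. The sample page, its player snippet and the host names in it are constructed for illustration; no real loader script is reproduced.

```python
"""Triage a saved web page for third-party code it loads.

Added example, not from the post or the comment above. Feed it the HTML
saved with `wget -O page.html <url>` plus the page's own URL.
SAMPLE_PAGE and every host in it are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Inline-script markers worth a second look: IE-only objects, user-agent
# sniffing for MSIE, and scripts that write more <script> tags.
SUSPECT_INLINE = {
    "ActiveXObject": re.compile(r"ActiveXObject", re.I),
    "MSIE check": re.compile(r"userAgent[^;]{0,40}MSIE", re.I),
    "script writer": re.compile(r"document\.write\s*\(\s*['\"]\s*<script", re.I),
}


class LoadCollector(HTMLParser):
    """Collect external loads (tag, absolute URL) and inline script bodies."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.loads = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def _load(self, tag, ref):
        self.loads.append((tag, urljoin(self.base_url, ref)))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script, self._buf = True, []
            if a.get("src"):
                self._load("script", a["src"])
        elif tag in ("iframe", "frame", "embed") and a.get("src"):
            self._load(tag, a["src"])
        elif tag == "object" and a.get("data"):
            self._load("object", a["data"])
        elif tag == "param" and a.get("name", "").lower() in ("movie", "src", "url") and a.get("value"):
            self._load("param", a["value"])

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            body = "".join(self._buf).strip()
            if body:
                self.inline.append(body)


def triage(html, page_url):
    """Return third-party loads and inline scripts that match SUSPECT_INLINE."""
    p = LoadCollector(page_url)
    p.feed(html)
    p.close()
    own = urlsplit(page_url).hostname
    third_party = [(tag, url) for tag, url in p.loads
                   if urlsplit(url).hostname and urlsplit(url).hostname != own]
    flagged = []
    for body in p.inline:
        hits = [name for name, rx in SUSPECT_INLINE.items() if rx.search(body)]
        if hits:
            flagged.append((hits, body[:60]))
    return {"third_party": third_party, "flagged_inline": flagged}


# Constructed sample: a "background music" snippet that also branches on IE
# and writes a second script tag. The hosts are illustrative only.
SAMPLE_PAGE = r"""<html><head><title>sample</title>
<script src="http://music.example.net/player.js"></script>
</head><body>
<embed src="http://music.example.net/song.mid" autostart="true" hidden="true">
<script>
if (navigator.userAgent.indexOf("MSIE") != -1) {
  document.write('<script src="http://loader.example.org/x.js"><\/script>');
}
</script>
<p>hello</p></body></html>
"""

if __name__ == "__main__":
    report = triage(SAMPLE_PAGE, "http://blog.example.com/")
    for tag, url in report["third_party"]:
        print(f"{tag:7} {url}")
    for hits, head in report["flagged_inline"]:
        print(f"inline  {', '.join(hits)}: {head!r}")
```

Each third-party URL is then fetched and read the way teece did it; the flagged inline bodies tell you which loads were conditional on the visitor running Internet Explorer, which is the first thing to establish before deciding whether a non-IE browser would have been exposed at all.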

Rob Thomas said...

It's really sad you struggled with all those other, weird, programs, when the two best ones, HijackThis and Spybot, are free, small, and easily downloaded. Also, 'defragging' and 'registry cleanups' do absolutely nothing to remove adware or virus infestations. Don't waste your time next time 8)

C.P.E said...

Criminal indeed.

Mick in the UK said...

I second Timothy (above)...get Firefox.

Dr. Pedant said...

1) Norton is almost always a hindrance not a help. At times, it can be more malign than any virus. I know of at least one individual who had his hard drive wiped clean by Norton. You too have discovered this the hard way. Dump this shitty product before it fucks you again.

2) I concur with what someone else already said: defragging and "registry cleanup" (whatever that may mean to you) will probably do nothing for a virus, and your reference to this makes it obvious you are pretending to knowledge you do not possess. This is the kind of thing con-men love to see. If this is a personality trait of yours, you might want to rethink. Just sayin'.

3) You got screwed by one website you knew nothing about and went knowingly to another (in Spain, no less) and guess what? Got screwed again, apparently. Not too bright, and I'm shedding no tears for you.

4) Ad-aware and Spybot are both good products. To clean up any infections these guys don't find or can't touch there's only one sure way (short of re-formatting, of course), and that's to CTRL-ALT-DEL into Windows Manager, go to Processes, and one-by-one check them out. Google's a good source. Kill the bad executables, find them on your hard drive, and get rid of them.

I have young kids who have infected my computers a few times--what I have recommended works for me. I have no pop-ups or ads. Ever.

mjollnir said...

May I recommend Sysinternals' "Process Explorer" as opposed to Windows Manager to examine what programs are running in your computer. Easy to use, and it provides intuitive features to help you learn what a process is doing. Best of all, it is free.

Besides, if you are like me and use Win98 when it is necessary to drop down into the world of Windows, it is a must. Windows Manager for Win98 does not show all of the processes that are running on your computer.

Al Lenaburg said...

Just finished reading your account of the "next-blog" icon button. What a nightmare! I currently use Panda AV and have had very favorable results. I have a couple of recommendations for adware/spyware control that I have also had favorable results with. Three I like are (Webroot) SpySweeper, (Sunbelt Software) CounterSpy, and of course the free version of (Lavasoft) Ad-aware, a favorite standby. I own a computer repair business here locally and am constantly on the lookout for the next best software to help knock down this creeping crud: spyware, viruses, etc. Wish you the best... Al

grass doctor said...

Again apologies for your troubles!!!

However, I have used Norton for years, I also have an active pop-up blocker, and I use SpySweeper. That being said, and with the usual Windows firewall in place and using Mozilla/Firefox (which, by the way, is the greatest thing since pockets on a shirt, sliced bread, etc., etc., etc.... tabbed browsing is awesome), I have successfully been pop-up free for at least one and a half years. I don't even know what pop-ups look like anymore. I'm sure that I am of no help to you; just be aware that protecting your PC is like locking the doors of your wife's new car with her purse inside: a must!!!! You can never do too much. Good luck. Don't forget to fertilize turf grasses in the next two weeks with an active herbicide. Good luck and happy mowing.

Benjamin said...

I tell you, some people are so technical. Trying to insult others and prop others on podiums. The technical definition of a virus is any program that runs itself upon a system against the user's will. Therefore spyware/adware can be a virus. Therefore, if editing the registry can disable the virus, it is a virus solution for that particular virus type. This does not mean that solution will be applicable to all viruses. So if you guys stopped beating each other over the head and gave sound, reasonable advice instead of wasting time with berating remarks, the world would be a better place.

Ekhym Wethered said...

This is really too bad, my friend. While I don't often shill for companies whose products I use, I make an exception for one exceptional piece of software. This is Trend Micro's PC-cillin 2005 (most recent version) anti-virus and internet security software. I first discovered this software after contracting (through a friend attempting to download video while using my computer) what I call the 'raspberry' virus. This virus immediately crashed my system and then, during the reboot, disabled and devoured Norton before beginning to overwrite all of my files with lower case 'b's, hence my name for this virus (I never actually found out what the name was and could only get rid of it by a low-level format of my entire hard drive, resulting in total data loss, then flashing the CMOS, as it installed a kernel of itself in the BIOS).

TrendMicro provides a free online virus scan and decontamination as you noted Panda does; however, I have found during experimentation and through reviews that there is no better integrated anti-virus, anti-spyware, anti-spam, anti-popup, firewall, and internet security program available than TrendMicro's product. Also, unlike any other company, should you ever need assistance either in setting up the program, maintaining it, or responding to a message from the program; TrendMicro provides free telephone technical assistance and customer service support. All other companies charge for these 'amenities'. Also, updates can be set to be done automatically and run in the background so one never needs be disturbed, disrupted, or even aware of what it is doing. For the first year I used TrendMicro I set it to notify me before updating and found that while Norton (I kept it for a while for comparison's sake) updated perhaps once every week to ten days; Trendmicro updated some segment of its program almost daily, especially its virus definitions; and approximately once every 4 months would come out with a completely updated drive engine. This gives me peace of mind since I know that my computer is constantly being updated with new virus definitions (almost in real time) and thus is protected.

I detest Norton/Symantec almost as much as I do M$ products because of their vulnerabilities, the drain on system resources, and their general inefficiencies. I strongly urge anyone serious about protecting their computer to investigate TrendMicro products which are available for an individual or as enterprise versions for server/corporate environments.

Anonymous said...

Yep, spyware is the death of the Windows world, and now that Firefox/mozilla is gaining exploits in the popup world, the pain will continue.

As was noted by another commenter, the Mac is (for now) immune. I have worked with computers for over 25 years now, every version of Windows, several commercial versions of Unix, with Linux from pre-version .39, and have come to the conclusion that the Unix systems are the way to go.

I also decided after numerous versions of Linux, that my time was worth more (to me, but this is a personal choice) in doing work than on configuring a system.

As such, I just made the switch to a Powerbook (OS X). Fast, smooth - allows me all the network programming, analysis and Unix tools I need. And lets me "play" on the net with a high level of safety!

My windows boxes have been relegated to conversion to job specific Linux systems (webserver etc) and one will remain as a high powered gaming machine, no IE, and only a game specific connection. (port limited)

The spyware/malware folks suck.

k.s-c said...

I removed the blogger bar from the top of my blog because I don't know where it'll go and because it didn't blend with the appearance I wanted my site to have.

To remove the blogger bar, log in to Blogger, go to your blog settings and then go to the template section. there should be a box to select the color of the blogger bar and a checkbox to remove it.

In addition to this, GET FIREFOX. Very stable, and there are a ton of extensions you can get to block advertising and spyware. Also, Grisoft produces free antivirus software that I have found to be clean, unobtrusive and small.

Hope this helps you~

Gautam Chandna said...

I'd suggest getting Opera, its the one stop web browser that does almost everything.. and yes it blocks pop-ups too..