Tuesday, August 26, 2014
“ALERT: Malware 'Meteoroids'”
“ALERT: Malware 'Meteoroids'”
by Karl Denninger
"Be careful out there. I found a particularly-pernicious bit of spyware today and had some fun getting rid of it. It's called Meteoroids and when loaded (usually as part of a bundle with some sort of free utility or other legitimate package) it displays a "cute" rendition of the game Asteroids on top of all your browser windows. The theory is that it brings you great "offers."
Needless to say that display is damned annoying and if you manage to accidentally load it you will instantly head over to the Program window and uninstall it. All good, right? Not so fast, Kemosabe! Unknown to you it dropped a service into Windows under an obscure apparently-random letter name (very clever guys, trying to hide your intentions) when it had administrative privilege during installation- privilege it retains, incidentally. The problem is that the service survives the uninstall, and worse, it is capable of and does "hook" a browser session even without an extension loaded!
The odds are very good you'll never know it's there since it doesn't call itself what it is and in addition it claims to have uninstalled when you told it to. But it didn't, and it's still creating and, presumably, transmitting data about whatever you do. If you find the working directory and kill it (it's in AppData) it will be re-created as soon as you open a new browser window, or if you have one open. Since it's running with privileges an ordinary user account can't stop the service either and worse, it has access to everything on the machine.
Malwarebytes can find it as can someone who knows what they're doing, but most anti-virus systems will not pick it up- including Avast.
I have no idea how extensive the data it is collecting and sending is once it "claims" to be uninstalled but this is an especially nasty little piece of **** due to its persistent nature, that it is running with privileges and thus could get to anything on the machine and the fact that you'll get infested with it from perfectly "legitimate" downloads- not browsing porn sites or other similar places.
I'm not usually one to say "there ought to be a law", but I will this time: If you as a software author or distributor allow your code to be bundled with such an "installer"- anything that leaves a piece of itself behind after being de-installed specifically and/or attempts to obscure its components and functions by calling itself anything other than what it is- that ought to be treated as felony computer fraud and abuse and you, along with the entity that wrote that crap, ought to go to prison.
Yeah, I know how to get rid of it and did with no harm done. But I know what I'm looking for. Most people don't and won't even know it's there.”
(Hopefully) Helpful links:
Malwarebytes, Free Anti-Malware and Internet Security Software:
"Remove "Meteoroids" Adware" (Virus Removal Guide)
"Remove Meteoroids Ads" (Virus Removal Guide)