Malware wears many masks, and often what looks commonplace or relatively benign is actually dangerous to your PC.
Here are some tips on protecting yourself from a particular type of malicious software that even antivirus apps can’t stop.
Malware hiding under the green underline
Online advertising is constantly finding new — and often highly annoying — ways to grab our attention. One of the more pernicious techniques is the green underline placed under text on webpages (see Figure 1). It takes a while to remember that the link doesn’t take you to more information; it links you to an online ad. (Also known as Text Enhance, these ad links might be blue and/or double underlined.)
Figure 1. The green-underline links, shown in this download site for a well-known graphic board vendor, don't provide more information on the highlighted words; they take you to ads.
This latest scourge is usually just irritating. But in some instances it’s actually a form of potentially dangerous malware. On random occasions, hovering over the green link pops up an ad that claims you’re running an outdated video player. Often, the ad looks like an Adobe Flash updater, as shown in Figure 2.
Figure 2. Windows Secrets reader Al Schatz sent in this screen capture of a bogus Flash-upgrade site that could trick visitors into downloading malicious code.
Unfortunately, only the most observant Internet users notice that the link’s URL goes to an unrelated site, such as www.transport-preservers, as reported by numerous PC users on online forums. Other URLs are used, but this particular domain, created July 29, hides behind web-hosting company GoDaddy’s privacy wall, cloaking the true owner of the domain (see whois).
A Google search of “green underline” or “text enhance” turns up numerous reports of bogus popups. Most worrisome, this form of malware goes undetected by antivirus apps. Scan your PC with any AV program, and it will report that your system is clean — with the green underlines still there on webpages.
In most cases, the malicious code is downloaded to PCs alongside free software that was intentionally installed by the user. (For more on potentially unwanted software, see the June 13 Top Story, “Avoiding those unwanted free applications.”)
I’ve helped several users — including Windows Secrets reader Al Schatz — who’ve run into the green-underline malware. The only effective way I’ve found to remove this scummy software is, however, cumbersome: I determine what programs have been recently installed on a computer and start removing any unknown applications, one at a time.
Using a non-Windows AV scanner might be a technique for finding the green-underline malware, but as yet I’ve been unable to test it. In almost all cases, I’ve had to use a remote connection to examine potentially compromised systems. That means I could not look underneath Windows by using an AV scanner installed on its own bootable media. (Kaspersky Rescue Disk is a popular example of a bootable scanner that operates outside Windows. It can be downloaded from the security company’s site and burned onto a CD or installed on a flash drive.)
Using the brute-force removal method
In the cases where I’ve successfully removed this critter, I did so by using Win7's Programs and Features (or Add or Remove Programs in Windows XP).
To start your search-and-eradication task, click the Installed On column. That puts the most recently installed items at the top of the column. Next, review the installation date of items in the column and try to match any unknown apps with the estimated date when the popups and green underlines first appeared. Write down all names of suspect programs and then uninstall them, one at a time.
After each uninstall, relaunch your browser and go to a page where the green underlines typically appear. If the underlines are gone, you’ve probably found the culprit.
As a final step, restart your PC with the CD-/flash drive–based AV tool and scan your system once more.
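The sort-by-date step above can be scripted so that the list survives a reboot and can be saved for comparison after each uninstall. The following PowerShell is an added example written for this page, not part of the original article: it reads the same Uninstall registry keys that Programs and Features displays, parses each entry's InstallDate, and lists everything installed on or after a date you supply. Entries with no install date or no publisher are kept and flagged, because that is common for unwanted add-on software. The function name, the 45-day window and the "(none listed)" marker are choices made here, not anything the article specifies.

```powershell
# Added example (not from the article): list installed programs newest first, so
# unfamiliar entries installed around the time the popups began stand out.
# Reads the registry keys behind Programs and Features (HKLM 64-bit, HKLM 32-bit, HKCU).
function Get-RecentInstalls {
    param(
        # Only report entries installed on or after this date (default: last 30 days)
        [datetime]$Since = (Get-Date).AddDays(-30)
    )

    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    $entries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            # InstallDate is stored as yyyyMMdd text; many entries omit it entirely
            $installed = $null
            if ($_.InstallDate -match '^\d{8}$') {
                $installed = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
            }
            # A missing publisher is not proof of anything, but it is worth a second look
            $publisher = '(none listed)'
            if ($_.Publisher) { $publisher = $_.Publisher }

            New-Object PSObject -Property @{
                DisplayName     = $_.DisplayName
                Publisher       = $publisher
                Installed       = $installed
                UninstallString = $_.UninstallString
                RegistryKey     = ($_.PSPath -replace '^.*::')
            }
        }

    # Keep entries installed on or after $Since. Undated entries are kept as well,
    # since an absent InstallDate cannot be matched against the date the popups began
    # and needs a manual check. Descending sort puts undated entries at the bottom.
    $entries |
        Where-Object { ($_.Installed -eq $null) -or ($_.Installed -ge $Since) } |
        Sort-Object Installed -Descending |
        Select-Object DisplayName, Publisher, Installed, UninstallString, RegistryKey
}

# Usage: everything installed in the last 45 days; save the list before you start
# uninstalling so you can see what each removal actually took with it.
Get-RecentInstalls -Since (Get-Date).AddDays(-45) |
    Tee-Object -FilePath "$env:USERPROFILE\Desktop\recent-installs.txt" |
    Format-Table -AutoSize
```

The UninstallString column is what Programs and Features runs when you click Uninstall; seeing it lets you spot entries whose uninstaller lives in an odd location (a temp folder, a user profile) rather than under Program Files. Running the function again after each uninstall and diffing the two text files shows exactly which entries disappeared, which is a more reliable record than memory when removing programs one at a time.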
Unfortunately, I can’t name any specific application that’s to blame for the malicious green underlines. Although the names constantly change, they often sound benign — such as something related to tune-up software.
However, I can say that transport-preservers was linked to iframe popups, as shown on websites used to investigate suspicious URLs, such as jsunpack and Wepawet. (Transport-preservers appears to be off the Web. Iframes are used to embed a document within a webpage.) The transport-preservers submissions to those two sites show that the suspect URL links directly or indirectly to two ad servers.
However you get them, the malicious popup ads trick users into downloading a bogus video-player update, as reported to me by Al Schatz and by other victims in a CNET Forums thread. (According to StatsCrop.com, the transport-preservers site, just one month online, got 5 million page views — a day! If there are anywhere near 5 million systems getting these popups daily, that’s a lot of impacted computer users.)
How does this malware crawl into systems?
In the cases where I’ve assisted, the green-link malware wiggled onto a PC when its user clicked a link in online search results. So keep in mind that search engines don’t necessarily vet the websites they return in search results.
If you’re running on your PC’s admin account, clicking a search-result link could let a malicious site install code on the system. (Just the act of clicking the link could also give approval to install the bogus software.) So if you do a lot of random Web surfing, it’s important to do so from a more limited standard-user account.
If you’ve never configured a standard account, I recommend following Steve Friedl’s excellent tutorial on configuring two accounts for your computer — one with full admin rights and the second with limited rights.
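Two quick checks go with that advice: confirming whether the account you browse from actually holds admin rights, and setting up the limited account if you have none. The PowerShell below is an added example for this page; it is not from the article or from Steve Friedl’s tutorial. It uses net.exe rather than newer cmdlets so it runs on Windows XP and Win7 as well as later versions, and the account name "Surf" is a placeholder to replace with your own. Run it once from an elevated prompt.

```powershell
# Added example (not from the article): check the current session for admin rights
# and create a standard (limited) user for everyday browsing.

function Test-IsAdmin {
    # True when the running session is a member of the built-in Administrators role
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-InAdministrators {
    param([string]$Name)
    # net localgroup prints one member name per line; exact match avoids
    # treating "Surfer" as a hit for "Surf". Heuristic, not an API call.
    (net localgroup Administrators) -contains $Name
}

function New-StandardUser {
    param([string]$Name)
    # "*" makes net.exe prompt for the password instead of taking it on the
    # command line, so it does not end up in shell history.
    # A new local user lands in the Users group only, i.e. standard rights.
    net user $Name * /add /comment:"Standard account for everyday web use"

    if (Test-InAdministrators -Name $Name) {
        Write-Warning "$Name ended up in Administrators; remove it with: net localgroup Administrators $Name /delete"
    } else {
        Write-Host "$Name created with standard-user rights."
    }
}

# Usage (placeholder account name; pick your own):
if (Test-IsAdmin) {
    Write-Warning "This session has administrator rights. Browse from a standard account instead."
}
if (-not (net user "Surf" 2>$null)) {
    New-StandardUser -Name "Surf"
}
```

The point of the check, rather than just creating the account, is that many home PCs have a single account that was made an administrator during setup; Test-IsAdmin makes that visible in one line. A standard account cannot silently install software system-wide, so the click-through installs described in the previous paragraph at least trigger a UAC prompt asking for an admin password instead of proceeding on their own.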
Where to report bogus or malware-infested sites
So if we strongly suspect a site has malicious content, how can we knock it off the Web? Start by reporting it to Google on its Report malicious software page. (Other sites have similar reporting pages.) Keep in mind, however, that legitimate sites can unknowingly harbor malicious code. (Google’s reporting page includes a link to stopbadware.org’s “My site has badware” page.) Ultimately, these sites must do their part and keep themselves clean.
Another stopbadware.org page lets individuals report suspicious URLs. Currently the site lists transport-preservers as only blacklisted by ThreatTrack (the new name for VIPRE antivirus).
As noted above, transport-preservers seems to be off the Web. But there’s a good chance that the attackers will be back again to annoy us all.
The best long-term protection is, as already mentioned, doing your random Web searches in a standard-user account. Also, use an alternate browser set to a higher security level. I discussed browser alternatives in the Aug. 22 On Security article, “Security and the battle for browser dominance.”
Next, as part of your regular PC-maintenance routine, schedule a time for thoroughly scanning your system with bootable AV media. Malware has become quite adept at hiding within Windows.
And finally, when you do find a site that has malicious links, do your part and report it.
Were it up to me, the authors of malicious code would be hung out to dry, their webservers and computers infected by numerous viruses, their bank accounts cleaned out, their phones tapped by the NSA, and all sorts of other mean and nasty things the editors of this fine newsletter would undoubtedly not approve of. I’m sure that every Windows Secrets reader could add his or her own form of punishment for the parasites that attack our systems.
Better yet: Go immediately to the Kaspersky site, download the Rescue Disk, and keep it on hand — just in case.