
The fraudulent emails purporting to be from Online Employer contained links to password-stealing badware that is still not fully detected by all the A/V products. If you are not absolutely positive that none of your users opened it, a service bureau can use its firewall both to prevent the badware from phoning home to the mothership and to detect which machines may be infected.

This badware is very hard to see when it's running — it mainly injects itself into other processes, so Task Manager won't show anything — and if successful will steal passwords when you login to banking or other secure sites: I presume this includes the Online Employer portal.

In your border firewall, block all OUTBOUND traffic (TCP, UDP, IP) to 83.233.30.157, which is http: // iicon - metal . org. This is a server located in Sweden, and efforts have been made to shut it down.

If possible, tell your firewall to log the blocked traffic; if anything shows up in that log, the source address will identify the internal workstation that might be infected.
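As an added example (not from the original page), the following Python script shows both halves of the advice above for a Linux border firewall running iptables: it generates the rules that log and then drop every outbound packet to the blocked address regardless of protocol, and it parses kernel LOG lines in the standard iptables format to count, per internal source address, how often a machine tried to reach that destination. The chain name `BADWARE-C2`, the log prefix and the sample log lines are all assumptions constructed for this example; the destination address is the one named in the advisory.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Destination named in the advisory.
C2_ADDRESS = "83.233.30.157"
# Assumed names chosen for this example; any chain name / prefix works.
CHAIN = "BADWARE-C2"
LOG_PREFIX = "BADWARE-C2: "


def iptables_rules(dst=C2_ADDRESS, chain=CHAIN, prefix=LOG_PREFIX):
    """Return the iptables commands for the border firewall.

    No '-p' is given, so the match covers TCP, UDP and every other IP
    protocol.  A dedicated chain first logs and then drops; it is hooked
    into FORWARD (packets routed from the LAN) and OUTPUT (packets from
    the firewall host itself).  In FORWARD the SRC field in the log is
    still the internal address, because SNAT happens later in POSTROUTING.
    """
    return [
        f"iptables -N {chain}",
        f"iptables -A {chain} -d {dst} -j LOG --log-prefix '{prefix}' --log-level warning",
        f"iptables -A {chain} -d {dst} -j DROP",
        f"iptables -I FORWARD -d {dst} -j {chain}",
        f"iptables -I OUTPUT -d {dst} -j {chain}",
    ]


# Fields of interest in an iptables LOG line, e.g. "SRC=192.168.1.57 DST=..."
_FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def parse_log_line(line, prefix=LOG_PREFIX):
    """Parse one kernel log line; return its fields, or None if it is not
    one of our firewall log entries (wrong prefix or malformed SRC/DST)."""
    if prefix.strip() not in line:
        return None
    fields = dict(_FIELD.findall(line))
    try:
        ip_address(fields["SRC"])
        ip_address(fields["DST"])
    except (KeyError, ValueError):
        return None
    return fields


def suspect_hosts(lines, dst=C2_ADDRESS, prefix=LOG_PREFIX):
    """Count dropped packets per internal source address that were headed
    for the blocked destination.  Returns a Counter keyed by SRC."""
    hits = Counter()
    for line in lines:
        fields = parse_log_line(line, prefix)
        if fields is None or fields["DST"] != dst:
            continue
        hits[fields["SRC"]] += 1
    return hits


# Constructed sample log lines in iptables LOG format (not real traffic).
SAMPLE_LOG = [
    "Jan 12 10:15:32 fw kernel: [1234.5] BADWARE-C2: IN=eth1 OUT=eth0 "
    "SRC=192.168.1.57 DST=83.233.30.157 LEN=60 TTL=63 ID=100 DF PROTO=TCP SPT=49152 DPT=80 SYN",
    "Jan 12 10:15:33 fw kernel: [1235.5] BADWARE-C2: IN=eth1 OUT=eth0 "
    "SRC=192.168.1.57 DST=83.233.30.157 LEN=60 TTL=63 ID=101 DF PROTO=TCP SPT=49153 DPT=80 SYN",
    "Jan 12 10:16:01 fw kernel: [1263.2] BADWARE-C2: IN=eth1 OUT=eth0 "
    "SRC=192.168.1.80 DST=83.233.30.157 LEN=48 TTL=63 ID=102 PROTO=UDP SPT=5000 DPT=53",
    # Same prefix but a different destination: not counted.
    "Jan 12 10:16:05 fw kernel: [1267.0] BADWARE-C2: IN=eth1 OUT=eth0 "
    "SRC=192.168.1.57 DST=198.51.100.9 LEN=60 TTL=63 ID=103 DF PROTO=TCP SPT=49154 DPT=443 SYN",
    # Unrelated syslog line: ignored.
    "Jan 12 10:16:10 fw sshd[4321]: Accepted publickey for admin from 192.168.1.5",
]


if __name__ == "__main__":
    for rule in iptables_rules():
        print(rule)
    for src, count in suspect_hosts(SAMPLE_LOG).most_common():
        print(f"{src}: {count} blocked packet(s) to {C2_ADDRESS}")
```

Run the script once to print the rules for review before applying them, then feed it your real `/var/log/kern.log` (or `journalctl -k` output) instead of `SAMPLE_LOG`; any address it reports is a workstation to pull off the network and examine.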

If you find a workstation that's been infected, the only safe thing to do is to save the key data, reformat, and reinstall the operating system from known-good media. Since this badware includes a remote-control component, there's no real way to know that the bad guy didn't use it.

Consult your local IT/Security resources to have this done.
