We have a 64-bit Windows 8 system running ZoneAlarm (free version) that's suddenly showing a ZoneAlarm dialog consisting of a series of single-digit numbers in circles (0 to 6) followed by the text "rat... rat... rat..." (there are more of these).
Hovering the mouse over each "rat..." or circled number produces a tooltip with the text "Rating".
There is one button at bottom center labeled "Close".
Any ideas what this might be?
I recently successfully ran DISM followed by SFC to clean up corruption of system files, if that has any relevance.
ZoneAlarm version number is 11.0.768.000. To the best of my knowledge all patches have been applied to Win8.
I have searched online for the string "rat... etc" and come up empty. If (big IF) this is an attempted exploit of the free version, the paid version may have the same vulnerability.
It's possible this is a spoofed dialog, designed to look like a genuine ZoneAlarm object. It may be the result of injected code, inserted into a valid web page or piece of online software (from Facebook or an online merchant such as Vons/Pavilions).
It's possible that clicking on either the "Close" button or the "close window" (x) / pressing Alt-F4 will cause attached code to execute, installing malware (possibly a remote access trojan or RAT).
In the past, to dump such an exploit all you had to do was to go into Task Manager, find the offending browser process/page and stop the process, and then immediately reboot to clear anything that might be lingering in memory.
I've read that there are exploits that can circumvent even this action, so for now I still have the dialog visible while I try to get more information.
If anyone from ZoneAlarm/Check Point is reading this, it would be helpful to know whether there is ANY circumstance under which this dialog could legitimately be produced. I'd be surprised if it could, but you never know - a summer intern with a warped sense of humor could have added it (worse things have happened).
Since this is Windows 8, the usual paths to a solution are either masked or missing (thanks, Microsoft!) and while I'd be comfortable hacking Windows XP (which is running on the second system I have, which is NOT currently suffering the same problem, and which I am using to make these requests for help), Windows 8 is a bridge too far.
The circled numbers (0 to 6) are a puzzle too.
Since this is the free version of ZA I understand that ZA don't offer support (although I'd like to know why, since it's leaving a gaping hole in security that isn't presumably being investigated and therefore could affect the paid version) but it would help tremendously if I knew that this is a known issue, and even more so, how I can ensure the Windows 8 system doesn't end up being compromised (and in the process, losing us the contents of our bank accounts if the RAT grabs access credentials when we conduct online banking).
I continue to search for anyone else reporting this "rat... rat... rat... rat... " dialog and I'll provide any useful info here should anyone else hit the same problem.
This may be a "zero day" exploit, in which case it's all the more important to help me get it resolved.
Examining (carefully) the dialog reveals that the Close button does not exhibit normal behavior. Moving the cursor over the control does not cause the arrow cursor to change to a pointing finger, nor does the command button control exhibit dotted-line highlights as a result of tabbing from one control to another (in fact, tabbing between controls does not work). Right-clicking in the dialog window produces nothing. Moving the cursor over the close control (x) produces a color change that seems slightly off. Right-clicking in the top left corner of the window elicits a pop-up with only two options: "Move", and "x Close Alt-F4", arranged in the wrong format (a vertical line as separator rather than horizontal).
The top left corner of the dialog is missing the ZA logo, and the left hand upper pane has only the word ZoneAlarm, and lacks "Free Antivirus + Firewall" underneath that. The phrase "ZoneAlarm Free Antivirus + Firewall" is rendered in text at the very top of the dialog, which doesn't match the genuine ZA dialogs.
What's puzzling is the fake dialog doesn't seem to appear in Task Manager as anything other than a genuine ZA process - until I noticed that it's only the group title that has the appearance of being genuine; when you open the group you see that the entry corresponding to the fake dialog lacks the ZA icon. Quite where it came from is still up for grabs. I have other screenshots available if anyone wants them (I have isolated the Windows 8 system by going into Device Manager and disabling all networking devices so that communication with the 'Net is not possible, hence the lack of actual screen grabs).
This gives me some hope that the probable code attached to controls in the dialog may not execute if I simply dump the process from within Task Manager.
For now, I've invoked the genuine ZA app for a full virus scan, and we'll see if it spots any active code ready to execute.
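
The Task Manager check described above can be done more precisely by asking Windows which process owns each visible window and whether that process's executable carries a valid Authenticode signature. The following is an added example, not part of the original post and not ZoneAlarm's own tooling; the title filter `ZoneAlarm` and the `WinEnum` helper class are assumptions made for illustration.

```powershell
# Added example: map visible top-level windows to their owning process and signer.
# WinEnum is a hypothetical helper compiled inline; it only calls documented user32 APIs.
Add-Type @"
using System;
using System.Text;
using System.Collections.Generic;
using System.Runtime.InteropServices;
public static class WinEnum {
    public delegate bool EnumProc(IntPtr hWnd, IntPtr lParam);
    [DllImport("user32.dll")] static extern bool EnumWindows(EnumProc cb, IntPtr lParam);
    [DllImport("user32.dll")] static extern bool IsWindowVisible(IntPtr hWnd);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    static extern int GetWindowText(IntPtr hWnd, StringBuilder sb, int max);
    [DllImport("user32.dll")] static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint pid);
    // Returns one { title, pid } pair per visible top-level window.
    public static List<string[]> Visible() {
        var rows = new List<string[]>();
        EnumWindows((h, l) => {
            if (!IsWindowVisible(h)) return true;
            var sb = new StringBuilder(512);
            GetWindowText(h, sb, sb.Capacity);
            uint pid; GetWindowThreadProcessId(h, out pid);
            rows.Add(new[] { sb.ToString(), pid.ToString() });
            return true;   // keep enumerating
        }, IntPtr.Zero);
        return rows;
    }
}
"@

$pattern = 'ZoneAlarm'   # assumption: text shown in the suspicious dialog's title
foreach ($row in [WinEnum]::Visible()) {
    if ($row[0] -notmatch $pattern) { continue }
    $proc = Get-Process -Id ([int]$row[1]) -ErrorAction SilentlyContinue
    # Path is empty when the session lacks rights to query a protected process.
    $path = if ($proc) { $proc.Path } else { $null }
    $sig  = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
    [pscustomobject]@{
        Title     = $row[0]
        ProcessId = $row[1]
        Name      = if ($proc) { $proc.ProcessName } else { $null }
        Path      = $path
        SigStatus = if ($sig) { $sig.Status } else { 'path unavailable (try elevated)' }
        Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}
```

A window whose owning executable sits outside the product's install directory, or whose signature status is anything other than `Valid`, deserves closer inspection before the process is terminated.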