Internet Troubles Loom

This March 8th, the FBI is planning to unplug the domain name servers (DNS) it set up to help eliminate malware from the more than half of Fortune 500 companies and government agencies still infected in early 2012. Computers still infected with the Trojan will not be able to access the Internet after the FBI shuts down its temporary servers.

…the feds replaced the criminals’ servers with clean ones that would push along traffic to its intended destination. Without the surrogate servers in place, infected PCs would have continued trying to send requests to aim at the now-unplugged rogue servers, resulting in DNS errors.

The malware, called DNSChanger Trojan, is said to illegally redirect traffic and prevent users from accessing the updates necessary to remove it. Without access to these critical patches, these large companies, government agencies, and home users are said to be more susceptible to hackers. (more…)
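The failure mode described above is a resolver problem: an infected machine keeps asking DNS servers that no longer answer. The check below, an added example that is not part of the original post and not an FBI or vendor tool, parses the resolver configuration (a resolv.conf-style file or an "ipconfig /all" excerpt) and flags any server that falls inside a list of known-bad networks. The ranges and the sample configurations in it are constructed placeholders; a real check would substitute the published rogue-server ranges.

```python
import ipaddress

# Constructed placeholder networks (documentation ranges) standing in for the
# rogue DNS server ranges; substitute the published list for a real check.
ROGUE_DNS_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


def is_ip(text):
    """True when text is a syntactically valid IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def parse_ipconfig(text):
    """Return DNS server addresses from 'ipconfig /all'-style output.

    The 'DNS Servers' line carries the first address; the remaining
    addresses follow on continuation lines that hold only an address.
    """
    servers = []
    collecting = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("DNS Servers"):
            servers.append(stripped.split(":", 1)[1].strip())
            collecting = True
        elif collecting and is_ip(stripped):
            servers.append(stripped)
        else:
            collecting = False
    return servers


def rogue_resolvers(servers, rogue_ranges=ROGUE_DNS_RANGES):
    """Return the configured resolvers that fall inside a rogue range."""
    flagged = []
    for server in servers:
        if not is_ip(server):
            continue
        addr = ipaddress.ip_address(server)
        if any(addr in net for net in rogue_ranges):
            flagged.append(server)
    return flagged


# Constructed sample configurations so the check runs offline.
SAMPLE_RESOLV_CONF = """# constructed sample
nameserver 203.0.113.77
nameserver 192.0.2.1
"""

SAMPLE_IPCONFIG = """   DHCP Enabled. . . . . . . . . . . : Yes
   DNS Servers . . . . . . . . . . . : 198.51.100.9
                                       192.0.2.53
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for label, servers in (("resolv.conf", parse_resolv_conf(SAMPLE_RESOLV_CONF)),
                           ("ipconfig", parse_ipconfig(SAMPLE_IPCONFIG))):
        print(label, "resolvers:", servers, "flagged:", rogue_resolvers(servers))
```

A machine whose resolvers are flagged should have its DNS settings restored (DHCP-assigned or the ISP's servers) and then be cleaned, since the Trojan resets the setting.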

Computer Viruses Evolve

New malware morphs into different shapes unattended by humans

Now this is quite a fascinating story: it seems the latest development is the accidental creation of new super-malware strains, produced when viruses infect the executable files of worms. Worms are generally executable files, and viruses infect executables, so you can imagine what happens.

Ten years ago, there was a clear-cut distinction between Trojans, viruses and worms. They all had their own features specific to one family of malware only. As more people connected to the internet, cyber-criminals started mixing ingredients to maximize impact. And here I’m thinking Trojans with worm capabilities or viruses with Trojan features, and so on. (more…)

Windows Patch Tuesday – December 2011

Patch up warmly this winter if you’re running Java, as Oracle’s software platform is the single biggest target for hackers. Java proved the single most popular target in the 12-month period to the end of June, according to Microsoft’s latest Security Intelligence Report. Running Java as a web-browser plugin is much more dangerous than Flash, and you should disable the Java Applet plugin.

Microsoft today issued software updates to patch at least 19 security holes in Windows XP, Vista, 2003 and 7 (no surprise there), including three flaws that earned the company’s most serious “critical” rating. Separately, Oracle released a security update that fixes several issues in its Java software. (more…)

Automatic Computer Malware

According to a Security Intelligence Report from Microsoft, AutoRun—the feature in Windows that automatically executes files when you plug in a USB device or connect to a network—accounts for almost half of all malware infections. These are infections that don’t require any input from you, so it’s kind of not your fault that your computer gets infected. By turning off AutoRun you’ll add an extra step to certain tasks, but it’s worth it to cut malware infections by 50%.

This report states that Windows XP SP3 systems get infected about ten times as often as Windows 7 SP1 64-bit systems, and six times as often as 32-bit Windows 7 systems. That alone is one reason why you might want to upgrade your parents’ machines to Linux. Bear in mind that Windows XP should have been mostly fixed back in February of 2011; see Microsoft Security Advisory 967940. That update does not disable AutoPlay for CD or DVD media, only for USB drives, external hard drives and network shares. (more…)
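The advisory update changes how autorun.inf is handled for the drive types listed above; the broader switch is the NoDriveTypeAutoRun policy value, a bitmask in which each set bit disables AutoRun for one drive type and 0xFF disables it for all of them. The script below, an added example and not Microsoft's tooling, decodes that bitmask so you can see which drive types are still allowed to auto-execute. The bit-to-drive-type table follows the Win32 drive-type constants; the 0x91 sample value is constructed for demonstration, and the registry read only works on Windows.

```python
# Drive-type bits of the NoDriveTypeAutoRun policy value (same bit layout as
# the Win32 GetDriveType() constants). A set bit disables AutoRun for that
# drive type; 0xFF disables it for every type.
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x02: "no_root_dir",
    0x04: "removable",   # USB sticks, floppies
    0x08: "fixed",       # internal and external hard drives
    0x10: "network",     # mapped network shares
    0x20: "cdrom",       # CD and DVD media
    0x40: "ramdisk",
    0x80: "reserved",
}

POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
POLICY_VALUE = "NoDriveTypeAutoRun"


def autorun_enabled_for(value):
    """Return the drive types for which AutoRun is still permitted."""
    return {name for bit, name in DRIVE_TYPE_BITS.items() if not value & bit}


def autorun_fully_disabled(value):
    """True when every drive-type bit is set (the recommended 0xFF)."""
    return (value & 0xFF) == 0xFF


def read_policy_value(hive_name="HKLM"):
    """Read the policy from the registry.

    Returns None when the value is absent or when not running on Windows
    (the winreg module is unavailable there).
    """
    try:
        import winreg
    except ImportError:
        return None
    hive = {"HKLM": winreg.HKEY_LOCAL_MACHINE,
            "HKCU": winreg.HKEY_CURRENT_USER}[hive_name]
    try:
        with winreg.OpenKey(hive, POLICY_KEY) as key:
            value, _ = winreg.QueryValueEx(key, POLICY_VALUE)
            return value
    except OSError:
        return None


def report(value):
    """Human-readable summary of a policy value (None = not set)."""
    if value is None:
        return "policy value not set (Windows defaults apply)"
    if autorun_fully_disabled(value):
        return f"0x{value:02X}: AutoRun disabled for all drive types"
    allowed = ", ".join(sorted(autorun_enabled_for(value)))
    return f"0x{value:02X}: AutoRun still enabled for {allowed}"


if __name__ == "__main__":
    for hive in ("HKLM", "HKCU"):
        print(hive, report(read_policy_value(hive)))
    # Constructed sample values for offline demonstration
    print("sample", report(0x91))
    print("sample", report(0xFF))
```

Both the machine-wide (HKLM) and per-user (HKCU) locations are read because the value can live in either; a hardened machine shows 0xFF in the one that applies.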

Windows 8 Antivirus

In a move that is likely to anger the antivirus industry, Microsoft is adding security features from its Security Essentials program to Windows 8. This is good news for consumers, but bad news for the antivirus industry. Microsoft should have been doing this since the release of Windows 95. While many of us do simultaneous facepalms and giggle at a decade-late decision, others question the legality of doing so. A multi-billion dollar industry has grown, based on the absolutely porous operating system that is Microsoft Windows.

That’s right. Microsoft this week began offering U.S. customers its free antivirus program via Windows’ built-in update service, a move one major security firm said may be anti-competitive. Microsoft is adding features from its Security Essentials program, which is currently available as a separate download for Windows users, to the Windows Defender package already built into Windows. This means that Windows 8 users will get out-of-the-box protection against malware, along with firewall and parental controls, from within Windows without requiring users to hunt down a separate download or buy new software. (more…)

My Scam PC

I’ve seen this ad on TV, off and on when viewing cable, for a program to speed up your computer. The program that installed was called “Cyber Defender”. It’s listed on many sites on the internet as a possible virus, Trojan or rogue.

It would do one and only one operation, and that was to scan the registry. Or at least it appeared that’s what it was doing. I was locked out of selecting any other options. Then it reported over 400 errors in my registry, but when I hit the button to fix the problems, it took me right to their web site, where I was presented with the opportunity to spend money to buy their program. (more…)

Apple Mac Malware

Malware that targets Mac OS X isn’t anywhere near catching up to Windows-based malware in terms of volume and variety, but it seems that OS X malware may be adopting some of the more successful tactics that Windows viruses have been using to trick users. Researchers have come across a sample of an OS X-based Trojan that disguises itself as a PDF file, a technique that’s been in favor among Windows malware authors for several years now.

The new piece of malware hides inside a PDF file and delivers a backdoor that hides on the user’s machine once the malicious file is opened. Once the user executes the malware, it puts the malicious PDF on the user’s machine and then opens it as a way to hide the malicious activity that’s going on in the background, according to an analysis by researchers at F-Secure. The Trojan then installs the backdoor, which is named Imuler.A, which attempts to communicate with a command-and-control server.

That server isn’t capable of communicating with the malware, however, the researchers found, so the malware is on its own once it’s installed on a victim’s machine. What’s not clear is exactly how the malware is spreading right now; what IS known is that it disables Apple’s built-in malware protection.

“This malware may be attempting to copy the technique implemented by Windows malware, which opens a PDF file containing a “.pdf.exe” extension and an accompanying PDF icon. The sample on our hand does not have an extension or an icon yet. However, there is another possibility. It is slightly different in Mac, where the icon is stored in a separate fork that is not readily visible in the OS. The extension and icon could have been lost when the sample was submitted to us. If this is the case, this malware might be even stealthier than in Windows because the sample can use any extension it desires,” the analysis by F-Secure said.

Windows-based malware variants have been using the same sort of techniques for hiding themselves for a long time now. They often use common file extensions such as DOC, PDF, XLS and others to entice users into opening the malicious file. In some cases, the malware may not have the proper icon to go along with the fake file extension, as is the case with the Mac OS X Revir.A malware that F-Secure identified. It’s a simple trick, but it’s still quite effective and users have shown themselves to be willing to open these files, regardless of the potential consequences.

Notably, the Trojan horse bails and deletes itself if you have the Little Snitch app installed.

F-Secure offers removal instructions if you fear you’ve been infected; the fix involves deleting entries from your browsers’ .plist files. Check out F-Secure’s page if you’re concerned, but you only need to worry if you recently installed Flash Player from a download that you didn’t get from Adobe’s website.
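The disguise described above works because users judge a file by its extension and icon rather than its content. The script below is an added example, not F-Secure's analysis code, showing how a mail gateway or endpoint tool can compare the first bytes of a file with what its visible extension promises; it also flags the Windows-style double extension and the "no extension at all" case the analysis raises for the Mac sample. The signature table is constructed from well-known magic numbers (PDF, Windows PE, the Mach-O variants, OLE documents), and the sample files are constructed byte strings.

```python
import os

# Magic numbers checked at the start of a file (constructed table covering
# the file types the post discusses).
SIGNATURES = [
    (b"%PDF", "pdf"),
    (b"MZ", "pe"),                                     # Windows executable
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),      # legacy .doc / .xls
    (b"\xfe\xed\xfa\xce", "mach-o"),                   # 32-bit, big-endian
    (b"\xce\xfa\xed\xfe", "mach-o"),                   # 32-bit, little-endian
    (b"\xfe\xed\xfa\xcf", "mach-o"),                   # 64-bit, big-endian
    (b"\xcf\xfa\xed\xfe", "mach-o"),                   # 64-bit, little-endian
    (b"\xca\xfe\xba\xbe", "mach-o"),                   # universal (fat) binary
]

# What a file carrying each extension ought to start with.
EXPECTED_BY_EXT = {".pdf": "pdf", ".doc": "ole", ".xls": "ole", ".exe": "pe"}

# Executable extensions that turn "name.pdf.exe" into a disguise.
EXECUTABLE_EXTS = (".exe", ".scr", ".com")


def sniff_type(data):
    """Classify data by its leading magic bytes."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def visible_extension(name):
    """The extension a user sees: the last one, lower-cased."""
    return os.path.splitext(name)[1].lower()


def has_double_extension(name):
    """True for names like invoice.pdf.exe: a document extension hidden
    in front of an executable one."""
    parts = name.lower().split(".")
    return (len(parts) >= 3
            and "." + parts[-2] in EXPECTED_BY_EXT
            and "." + parts[-1] in EXECUTABLE_EXTS)


def assess(name, data):
    """Return the reasons a file looks disguised (empty list if none)."""
    reasons = []
    kind = sniff_type(data)
    ext = visible_extension(name)
    expected = EXPECTED_BY_EXT.get(ext)
    if expected and kind != expected:
        reasons.append(f"content is {kind} but extension {ext} promises {expected}")
    if ext == "" and kind in ("pe", "mach-o"):
        reasons.append(f"executable ({kind}) with no extension")
    if has_double_extension(name):
        reasons.append("double extension")
    return reasons


# Constructed sample files (name, leading bytes) for offline demonstration.
SAMPLES = [
    ("report.pdf", b"%PDF-1.4\n1 0 obj\n"),               # genuine PDF
    ("salary.pdf", b"\xcf\xfa\xed\xfe\x07\x00\x00\x01"),  # Mach-O dressed as PDF
    ("invoice.pdf.exe", b"MZ\x90\x00"),                   # Windows double extension
    ("attachment", b"\xca\xfe\xba\xbe\x00\x00\x00\x02"),  # executable, no extension
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(f"{name}: {assess(name, data) or 'looks consistent'}")
```

On a Mac the icon lives in a resource fork, so a submitted sample can lose both icon and extension in transit; that is why the no-extension check matters there. Note that the 0xCAFEBABE magic is shared with Java class files, so a production tool should read further into the header before deciding.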

The State of Hacked Accounts

A recent report from Commtouch finds that only about one third of Gmail, Yahoo, Hotmail and Facebook users noticed when they were hacked, and more than half found out later after friends alerted them. This lag time provides a wide open window for scammers to use social engineering techniques to target more valuable targets and harvest droves of personal information, long after a user should have taken steps to protect themselves. I always recommend that people use ESET NOD32 in conjunction with HitmanPro. Combined, both of these programs should keep you 99% free of the malicious software found on the web these days.

Recently, there has been a flurry of Trojans hitting the streets as email attachments (with official-sounding attachment names) purporting to be from the I.R.S. or a payment service. When opened, the nastiness begins. Think about how much more likely people in your contact list on a service like Gmail would be to take a look if that came from your account, thereby leveraging a trust relationship to catch them with their guard down. Obviously, scammers don’t have to have a high success rate to effectively spread their malware.

We see increasing use of social engineering in online scams these days, which really is just a way to elevate trust of the scammer. In years past, hackers used this as a cornerstone of their activities, gaming people out of dial-up numbers, phonecards, etc. Later that gave way to more mass spam campaigns and other nonsense. As organizations have gotten better at implementing filter and reputation systems, scammers seem to be moving back the other direction toward old familiar ground.

The attacks are becoming much more sophisticated, and sequential, so breaking into your email account may very well be just the tip of the spear, so to speak. After they gain this, they datamine and repeat the process, targeting very specific areas as they go. Many users have the same username/password pair across multiple services, so the scammers build a database as they go, slowly gaining more and more access to your life. Over time, their database becomes more and more valuable for sale to other scammers, and the process repeats.

The report, “The State of Hacked Accounts”, said one in eight hijacked accounts were used for a phony distress email scam, asking the friend to wire funds to a foreign country, never to be seen again. More than half were used to send spam.

Among the 34% who knew their account was hacked, 15% cited a Facebook link scam, 15% cited a WiFi connection, and 15% clicked on email-based malware. There’s other great information in the report; it’s a good read.

How do you protect yourself? First, find some way to manage your passwords across the different services you use. It may be easy to think up a random password that’s secure, but that makes it hard to remember, especially if you change it often. Also, watch your email account for strange behavior that doesn’t look like it originated from you, for example, bounced messages it doesn’t look like you sent. Keeping on top of your accounts might spare you the expense of having your data trotted out for the world to see and exploit, which is never a good end to the story.

Solution: try Linux!

Windows PC Malware

The latest semi-annual Security Intelligence Report (SIR) from Microsoft has been released, and its 232 pages carry reminders of some important facts about computer viruses, other malware and overall PC security.

Here is the link to their blog: http://blogs.technet.com/b/security/archive/2011/10/10/latest-microsoft-security-intelligence-report-now-available.aspx

When it comes to Windows, there are ten things that one should keep in mind:

Infections happen

According to the report, of all the computers that ran the Microsoft Malicious Software Removal Tool (MSRT) in the first half of 2009, 8.7 out of 1,000 (that is, not quite one percent) had some kind of malware infection identifiable by the tool.

The hot spots were Serbia and Montenegro, where the rate was 97.2 per thousand, Turkey with 32.3, Brazil with 25.4, Spain with 21.6, South Korea with 21.3, Saudi Arabia with 20.8, and Taiwan with 20.4.

The cleanest were computers in Finland with a rate of 1.9. The U.S. rate of 8.6 was nearly the same as the global average. (Other sources–typically malware protection vendors who see no reason to be coy–quote much higher infection rates.) Not mentioned by the Microsoft report is that Apple Macintosh infections remain rare.

Malware amounts to an ecosystem

There are viruses that replicate themselves and spread to other computers, sometimes just for their own sake.

They’re called worms if they do it through e-mail or instant messaging. Trojans follow the metaphor of Homer’s Trojan Horse, whose occupants emerged in the night to open Troy’s gates to a devastating attack. Spyware watches your actions for marketing purposes. Adware produces annoying popup ads. Malware, incidentally, is any software you didn’t ask for, especially software that has malicious intent. A bug, meanwhile, is any software that doesn’t work right–and may be preferable to malware.

Malware has many sources

You can get an infection by visiting a malicious Web site, or by clicking a file attached to spam e-mail, through a p2p file-sharing network, by downloading what you thought was free software, or by using an infected removable device like a USB memory stick. Intrusion attacks can come in over the Internet.

Malware can bite

Many Trojans will download other malware that takes root in your computer and starts doing nasty things. These include password stealers and keyloggers that will try to swipe your account information so that someone else can swipe your money. Or they may turn your computer into a botnet node, under the remote control of a bot herder, who will typically use it to spew spam.

Trojans rule (in the U.S.)

If you’re going to get an infection, at least in the U.S. it’s likely to be some kind of Trojan. According to the SIR, 42 percent of the infections that the MSRT discovered were Trojans. Adware was also big at 16.3 percent. Nasty password stealers amounted to 4.1 percent. Elsewhere, infections are a toss-up. In Brazil, for instance, password stealers aimed at on-line banking predominate. Spain and South Korea have little in common, but both are afflicted by worms that target on-line gamers.

Vulnerabilities vary

Not all operating systems are equally vulnerable. Microsoft’s figures show that unpatched Windows XP has an infection rate of about 32.5 per thousand–about four times the global average. The rate falls to a sub-average 8 per thousand for Windows XP with Service Pack 3 (i.e., fully updated). The rate for updated Vista machines was 3.1 per thousand for the 32-bit version, and 2 per thousand for the 64-bit version.

Patching works

Hackers have a reputation for being ahead of the software vendors, but in reality they often use vulnerabilities for which patches have already been issued. Even when the bad guys get the upper hand, it may not be for long. Microsoft likes to use the example of the “Reno” Trojan that was attacking Vista, causing Windows Explorer to generate trackable error reports. After Microsoft issued a patch, the reports fell from 1.2 million error reports daily to less than 100,000–in three days. Within a month it was off the chart.

Updating works

The rate of infection of 64-bit versions of software was usually a third lower than the rate of infection of the 32-bit version.

Malware is not the only danger

The big news is the rise in phishing–e-mail that tries to trick you into revealing information that could be used for ID theft or other fraud. The phishers have been going after denizens of social networking sites and even large corporations.

Upshot: Update your gray matter

Software can’t protect you against the phishing plague–only common sense can do that. If some random e-mail asks for your personal information because otherwise your bank account, or your game subscription, or your corporate computer privileges will somehow be suspended, delete it.

Yes, this is why I show people Linux all the time, where you do not put up with all this mess. Who has the time to keep up with all of this garbage? It’s a wonder anyone gets any work done using Windows. There are two lines that I carry with me and I use them often these days:

“In a world without walls and fences, who needs Windows and Gates?”

“I get paid to support Windows, I use Linux to get work done.”


Microsoft Word Virus

A new virus has cropped up in various countries across the world, and its target appears to be corporate networks. The Duqu virus, first noted last month by a laboratory at Budapest University, has now been spotted in several other countries and appears to be sent via Microsoft Word documents attached to emails. Microsoft has announced that it is working on a fix.

The point of the new virus seems to be to gather corporate information and then send it to some as yet unknown site. Thus, it’s a form of corporate espionage. Chillingly, researchers at Symantec, the giant antivirus company, say it looks like some of the code in the virus is the same as was found in the Stuxnet virus that wreaked havoc on Iran’s nuclear program, indicating that the perpetrators were either able to obtain the code from that virus, or are the same people.

The virus is activated when a person to whom an infected Word document was sent opens it. The virus infects that computer, then seeks out other computers through the corporate network. As it goes, it collects data and then, apparently, seeks a path out to the Internet where it can send the data it has collected to a predefined destination. Thus far it has relied on a so-called zero-day exploit to take advantage of a previously unknown weakness in the Windows kernel, which means getting in and doing its dirty work before victims have a chance to come up with a means of defense against it.

Thus far, it appears that the virus has been targeted at specific types of companies, as the data-collecting part of the virus seems to seek out information pertaining to industrial control systems. So it’s likely that whoever unleashed the virus did so in hopes of gaining information on how companies are designing and manufacturing their products; not something the average person would need to worry about, but still enough to cause concern about the growing sophistication of computer viruses.

So far, instances of the virus have been seen in Iran, India, France, Ukraine, the UK and at least eight other countries that have not been specifically identified.

In the mean time, Microsoft has released an advisory and a stopgap fix for the zero-day vulnerability exploited by the “Duqu” Trojan, a highly targeted malware strain that some security experts say could be the most important cyber espionage threat since Stuxnet.

According to the advisory, the critical vulnerability resides in most supported versions of Windows, including Windows XP, Vista and Windows 7. The problem stems from the way Windows parses certain font types. Microsoft says it is aware of targeted attacks exploiting this flaw, but that it believes few users have been affected.

Nevertheless, the flaw is a dangerous one. Microsoft said that an attacker who successfully exploited this vulnerability could run arbitrary code, install programs; view, change, or delete data; or create new accounts with full user rights. The most likely vehicle for the exploit is a poisoned email attachment. This means that a hacker deploying the Duqu Trojan against a Windows machine that hasn’t yet downloaded the temporary fix could gain nearly total access to a person’s computer.

Microsoft is working on developing an official security update to fix the flaw. For now, it has released a point-and-click Fixit tool that allows Windows users to disable the vulnerable component. Enabling this tweak may cause fonts in some applications to display improperly. If you experience problems after applying the Fixit solution, you can always undo it by clicking the “disable” image in the Microsoft advisory and following the prompts. So in reality, some of you may not be able to fix this until the next ‘Patch Tuesday’ in December.
