12/08/2011

Ask the Experts: Do I Need Antivirus Software?

Martha tapped a note out to us today that asked,
I'm 73 years old. My grandkids have been getting after me a lot lately. They want me to put some of that antivirus software on my computer. I don't know a thing about this stuff. I don't understand why I even need it. I use my computer for email and reading the news.
Here's my reply (with a little extra added here for clarification):

Thanks for writing, Martha.

I'm glad to hear your grandkids have been after you to get antivirus software. They're wise beyond their years. :-)

The first question here is:

Do I need antivirus software?

Since there are so many different ways a computer can get a virus, the question to ask to decide if you need antivirus software is:

What would happen if your PC got a virus?

The main risks of viruses are that they tend to be:
  1. destructive
  2. personally invasive
  3. resource thieves

The first thing is easy to understand. Viruses can delete your files.

If you have nothing of value on your PC, there's no risk here other than the time and cost for a PC shop to restore your PC and get it back into a working state.

On the other hand, if you do have things of value (real or sentimental) on your PC, maybe photos, music, emails, or the like, what would be involved in restoring those files, assuming it's possible?

As for viruses being personally invasive, it means viruses can steal your files, your data, and under the right circumstances even your identity.

Ditto here. If there's nothing of value on your PC, the risks are the time and cost of repair. If you use your computer for things like online banking, doing your taxes, or medical-related stuff, what's the risk of this information falling into the wrong hands?

The last one, resource theft, means viruses can burrow their way onto your PC and can make your computer a part of a "botnet".

Botnets are often used for sending spam, so if your PC gets sucked into a virus botnet, it's pretty likely someone would start using it to send their spam, probably without you even knowing it.

Even if there's truly no risk of data loss or theft (which isn't really the case, but assuming it is), if your computer is in a botnet, it's definitely being used for malicious purposes, something most folks don't want.

As to how you get a virus, there are a lot of ways computers get viruses. These days, the bad guys are resorting to taking over legitimate websites and using clever tricks to confuse people, or their computers, into installing their viruses.

How you get a virus is actually less important than what would happen if you got one, which is the real question to ask yourself if you're trying to figure out if you need antivirus software.

06/30/2011

TDL4 / TDSS an "Indestructible" Botnet?

The malware detected by Kaspersky Anti-Virus as TDSS is the most sophisticated threat today.
That's a quote directly from Kaspersky's analysis of the TDL4 / TDSS bot.

No matter where you look, this botnet is making news. And it's making even the Conficker/Downadup worm that made big news last year look pretty tame by comparison. Why?

TDSS uses a range of methods to evade signature, heuristic, and proactive detection, and uses encryption to facilitate communication between its bots and the botnet command and control center.

TDSS also has a powerful rootkit component, which allows it to conceal the presence of any other types of malware in the system.
Translation: TDL-4 is great at hiding itself and great at hiding viruses and other threats from antivirus software.

The TDL software itself isn't particularly new, but what's interesting about it is how its creators have evolved it over time, making it harder to detect and stop with each version. This latest version, TDL-4, for instance, is now able to infect 64-bit systems.

So, if you had any sense of additional security from the fact that most viruses still weren't able to attack 64-bit systems, those days are gone.

This botnet is clearly not something garden variety. Kaspersky's researchers go on to say,
The owners of TDL are essentially trying to create an 'indestructible' botnet that is protected against attacks, competitors, and antivirus companies.
What makes it so hard to detect to begin with is that it's a "bootkit": it infects the Windows MBR (Master Boot Record).

And, because the MBR is infected, it runs before the operating system even starts. Huh?

Exactly, and as The Bard says, "there's the rub." Because it's activated before the OS starts, it's also running before your antivirus software, too.

So, how the heck do you detect this thing, much less get rid of it?!

As of the writing of this piece, it's somewhat hit-or-miss as to whether or not a given piece of antivirus software will remove it if you've gotten it. So far, it looks like all the best antivirus software manufacturers have updated their software and/or signatures to detect it.

Even so, some of them, including Norton and Kaspersky, consider this such a big threat that they're making specific Popureb / TDL-4 / TDSS removal tools:

Norton Bootable Discovery Tool
Kaspersky Anti-rootkit TDSSKiller

Microsoft's initial advice to remove Popureb (as Microsoft is calling it) according to a Computerworld.com piece was,
If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state.
This is in line with what Microsoft was telling customers in early 2010 when the Alureon rootkit was first making the rounds. MSRC (Microsoft Security Response Center) director Mike Reavey said at the time,
If customers cannot confirm removal of the Alureon rootkit using their chosen anti-virus/anti-malware software, the most secure recommendation is for the owner of the system to back up important files and completely restore the system from a cleanly formatted disk.
Ouch.

Depending on who you ask, this is either overkill or, really, the best, most cautious approach.

One researcher for Symantec, Vikram Thakur, says,
When you fix the MBR, you pretty much expose the threat itself to other applications, including antivirus applications. They can then pick up on the threat, and delete it.
If you have any suspicion that you've been infected, a great tool to ferret out a rootkit is GMER (version 1.0.15.15640 as of this writing).

If you get bad news from GMER, it'll look like this:
As far as an official Microsoft response, the Microsoft Technet blog on Popureb.E says,
If your system is infected with Trojan:Win32/Popureb.E, we advise fixing the MBR using the Windows Recovery Console to return the MBR to a clean state.

Here's how to fix the MBR by hand:
  1. Open a Windows Recovery Console
  2. Use the tool BOOTREC.exe [1] to fix the MBR as in:

    bootrec.exe /fixmbr

  3. Restart the computer and you can then scan the system to remove any remaining malware.

Notably, Microsoft adds a critical part almost as an afterthought: If you opt to use Windows Restore to remove the malware instead, you must still fix the MBR first, and then restore the system.
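To make concrete what "infecting the MBR" means, and to give a way to confirm that the repair in step 2 actually took effect, here is an added example (not code from this post, Microsoft, or Kaspersky). It parses a raw 512-byte MBR and compares its boot-code region and partition table against a known-good copy saved earlier; it assumes you already have both sectors as bytes, and the two sample MBRs it builds are constructed placeholders, not real bootkit code.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # boot code occupies bytes 0..445 of the sector
PART_TABLE_OFF = 446         # four 16-byte partition entries follow the boot code
SIGNATURE = b"\x55\xaa"      # bytes 510..511 of a valid MBR

def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte MBR into boot-code hash, partition table and signature check."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        # status, 3 CHS bytes (skipped), type, 3 CHS bytes (skipped), LBA start, sector count
        status, ptype, lba_start, num_sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:  # partition type 0 marks an unused slot
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": num_sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
        "signature_ok": sector[510:512] == SIGNATURE,
    }

def check_mbr(sector: bytes, baseline: bytes) -> list:
    """Compare the current MBR against a known-good copy and return findings (empty list = clean)."""
    cur, base = parse_mbr(sector), parse_mbr(baseline)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    if cur["boot_code_sha256"] != base["boot_code_sha256"]:
        findings.append("boot code changed since baseline: possible bootkit, fix the MBR and rescan")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table changed since baseline")
    return findings

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: the given boot code plus one bootable NTFS-type partition at LBA 2048."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + entry + b"\x00" * 48 + SIGNATURE

CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")        # constructed placeholder boot code
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + b"\x90" * 20)  # constructed: new boot code, same table

if __name__ == "__main__":
    for finding in check_mbr(TAMPERED_MBR, CLEAN_MBR):
        print(finding)
```

On a live Windows machine the current sector would be the first 512 bytes of the raw disk (for example `\\.\PhysicalDrive0`, read as administrator), but a running rootkit of this kind can hide its own changes from reads made under the infected OS, which is exactly why the post points to the Recovery Console and bootable tools rather than an in-OS scan.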

The bottom line with this thing is, it's no joke. As the Kaspersky researchers put it, it's "the most sophisticated threat today."

If you've been infected, we'd suggest trying to ferret it out first with your antivirus software. If that doesn't work, look to some of the other methods like GMER and the specific removal tools like those from Symantec and Kaspersky.

[1] More info on BOOTREC.exe.