It isn't every day you get to see what a real Trojan attack looks like.
When you do, there's seldom time to even take screenshots: you just want to get the heck out of Dodge.
But, this time, in putting together material for our upcoming free workshop when I happened across a real attack I was able to record it.
If you've ever wondered what an attack looks like, here's your chance to see one.
Here's the best/worst part: nothing stopped it.
- Not our Internet Security Software.
- Not any of our browsers' built-in malware protection
- Not even Windows 10 built-in security.
See for yourself how it happened and what you can do to stop it.
I took a call myself from Joyce in Philadelphia late last week. She told me about how she had to wire money to India to get the viruses removed from her computer.
Their pitch to her? Her antivirus software (their fake software) had expired. When she called their so-called tech support number, they told her there was no way they could remove the virus without her making a payment by Western Union to renew the software for another year.
There were problems (of course) with her computer even after she paid the fees, so she was calling to see what the best antivirus software was because what she bought, she felt, sure wasn't very good.
Sure, some readers are going to say, "Why on Earth did she send a Western Union transfer to India?! What was the thinking??"
Let's put that aside for a while and ask the bigger question: just how prevalent is this crap?
Funny thing is, Kaspersky asked this question, too, in their survey/report Digital Consumer's Online Trends and Risks.
A whopping 24% of users surveyed worldwide said they've encountered fake antivirus software, with the worst three countries for "infection" being Russia (48%), the United States (34%), and the United Kingdom (28%).
What's the take-away message from this?
Well, there's more than just one:
- If you've seen fake antivirus software, you're not alone.
- Your chances are about 1 in 4 you will.
- Make sure you're running real antivirus software.
- Familiarize yourself with what it's like and how it works.
- If you're familiar with it, you're more likely to know a fake threat when you encounter it.
Let's take a look.
First, Lee Ferran and Rhonda Schwartz of ABC News should get an award. In this piece on Flame, they claim (I left in the entire paragraph from their article so that it could be seen in all its glory):
"The cyber espionage super bug Flame compromised a key Microsoft security system, the company has now revealed, prompting Microsoft to issue an emergency patch to its millions of customers because of fears of what one expert called potential "collateral damage" from the U.S. and Israel's cyber war against Iran."
At best, the quote above is misleading. At worst, it's alarmist.
Now, let's set the record straight. For starters, no one compromised a "key Microsoft security system." "Compromised" by most any measure--but particularly in cybersecurity parlance--implies there was an intrusion into Microsoft.
There was no such intrusion.
What really happened? A garden variety compromise of Windows led to a privilege escalation that allowed the creators of the Flame virus to sign their software as if it had been written by Microsoft. (Garden variety may be a little off the mark, but hopefully, you get the idea. It was Windows itself that was compromised.)
Was it serious pie/mud in Microsoft's face? Sure. Was it [compromise] of "a key Microsoft security system"? Hardly.
What's worse is the article goes on to say, "The same day Microsoft revealed their security breach...." This bears repeating with emphasis.
There was... no... security... breach... at Microsoft.
Virus writers used existing software on the victims' computers to trick the user into installing their software. That's it.
Now that that's clear, just what is this thing?
It's a virus, well, technically, it's a worm, and it appears to be of the same vein as Stuxnet in that it appears that it may've been written by a nation-state. And it's been there for a long time--at least five years say Kaspersky's researchers working on its analysis.
OK, so what's it do?
A better question: is there anything it doesn't do?
So far, according to Kaspersky's analysis of Flame, it can:
- Enumerate nearby Bluetooth devices
- Record audio (if there's a microphone)
- Create backdoor accounts on infected machines (HelpAssistant)
- Listen for incoming network requests
- List the PC's directory contents
- List "interesting" files
- Log keystrokes
- Upload collected data to remote servers
- Identify antivirus software and firewalls
Now the real question: are you at risk?
As with any virus, the answer is maybe. In this particular case, it's a worm, which makes matters worse since worms, by their very nature, seek out new targets to infect on their own.
Making matters worse is that it appears this bugger has been out there for at least five years, meaning it's had plenty of time to fly under the radar, infect PCs, and do its business.
The (slight) upside of things--at least if you're a home consumer not living in the Middle East--is that it appears it only targets PCs of "value" in the Middle East and according to Kaspersky, it appears to've infected about 1,000 PCs. (In this case "value" means those in some way related to government, military, or defense related organizations, from which it can glean intelligence data.)
Getting Rid of Flame
As complex as this worm is, at least one major antivirus company (in this case BitDefender) has already created a detection and removal tool. If you think your regular antivirus software may've missed it (or you're not running any), here's where you can find out: http://labs.bitdefender.com/2012/05/cyber-espionage-reaches-new-levels-with-flamer/.
One last thing: if you're looking for more information on Flame, keep in mind that it goes by other names, as most viruses do: Flamer, sKyWIper, and Skywiper.
According to Alexander's research, it looks like Flashfake began its infections via hacked Wordpress blogs.
Good ol' social engineering is what duped the first wave of folks into getting infected. (N.B. Typically, these are the types of infections that are blocked by Internet security software.)
From September 2011 to February 2012, Flashfake was distributed using social engineering only: visitors to various websites were asked to download a fake Adobe Flash Player update.
Next, it appears actual exploits began being used to spread the Trojan via the hacked Wordpress blogs. Exactly how many blogs were infected isn't stated, but it's at least 30,000 according to a Websense report on the Wordpress infections.
Hats off to Kaspersky and Alexander both for the great research and for sharing it.
People sometimes question why antivirus software that's not a part of the operating system is a must.
With Windows 8 for instance, Microsoft has announced they're including their own antivirus software right in the operating system itself.
To be blunt: this is meaningless, particularly in the way of making a PC safer. The first antivirus software the virus writers will make sure their software evades will be that which is built into Windows! And so, this A/V software means nothing more than a false sense of security for most people and some delays for the bad guys.
Having good third-party antivirus software means you have another layer of protection the bad guys don't necessarily know about. Sure, they may try to avoid detection by independent antivirus programs, especially the most common ones, but if they're at least beating the baked-in antivirus software, their battle is largely done.
Yes, it might make it harder to find ways to infect PCs to begin with, but all that does is slow them down a bit.
Now, let's bring Apple into the picture.
Apple was criticized first for its slowness in applying the patches to Java that Oracle made months ago (the delays which caused the Flashback Trojan to hit Macs as virulently as it did to begin with), then a second time for not working with the antivirus community that was eager to help, and then a third time for not releasing detection and removal tools.
Luckily, the antivirus companies entered the picture. First was Dr. Web with its disclosure of the trojan (and "sinkholing" of the botnet's command-and-control domain names).
Then F-Secure came into the picture with manual instructions for determining if your Mac had been compromised. On the heels of that was Kaspersky with free, automated Flashback detection and removal tools.
All of these companies beat Apple--by a LONG shot--at protecting their customers (and non-customers alike) with their steps and tools they each respectively made.
Oh, and lest it go unsaid, Apple did release an update to Java that patches the hole and removes the most common variants of the Flashback malware.
Here's what the update looks like in Software Update:
First, a little clarification about the trojan: this infection is caused by a security flaw in Oracle's Java and isn't a hole per se in OS X. That said, the biggest surprise about the trojan for most people is that Flashback has been around in one form or another for more than six months now.
As most of us know by now, more than 600,000 Macs running OS X have been infected, so this isn't a tiny one-off threat. It's a bona fide Mac botnet.
This is really the first time Apple finds themselves in a position Microsoft has long ago mastered: how to handle the three prongs of dealing with a virus outbreak,
- security researchers
- virus writers
Unfortunately, it's really nothing more than,
Apple is developing software that will detect and remove the Flashback malware.
They do, however, give a good link on how to disable Java in your Mac's browser preferences.
Personally, I don't have Java enabled--never have--and if I find there's some content that requires Java, I turn it on manually for that one site then disable it again.
Is it legal? It appears not, despite being state sponsored.
And, no matter your opinion of remote PC monitoring and true spy software, there's something very troubling about this trojan according to CCC,
"...can not only siphon away intimate data but also offers a remote control or backdoor functionality for uploading and executing arbitrary other programs. Significant design and implementation flaws make all of the functionality available to anyone on the internet." [Editor's Note: Emphasis mine.]
Their analysis isn't just hot air. Further in their report, they go on to say,
"The analysis also revealed serious security holes that the trojan is tearing into infected systems.
"The screenshots and audio files it sends out are encrypted in an incompetent way, the commands from the control software to the trojan are even completely unencrypted. Neither the commands to the trojan nor its replies are authenticated or have their integrity protected.
"Not only can unauthorized third parties assume control of the infected system, but even attackers of mediocre skill level can connect to the authorities, claim to be a specific instance of the trojan, and upload fake data.
"It is even conceivable that the law enforcement agencies' IT infrastructure could be attacked through this channel."
These are serious charges being leveled, so what does the antivirus software community's analysis reveal?
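The CCC finding quoted above boils down to one design rule: a command channel must authenticate and integrity-protect every message, or anyone who can reach the endpoint can speak for the controller. The following is an added illustration of that rule, not code from the CCC report or from the trojan; it models an unauthenticated channel next to one that wraps each message with an HMAC-SHA256 tag and a nonce. The key, the message format and the command names are constructed for the demo. It covers authentication and integrity only; confidentiality would additionally need an authenticated-encryption mode from a proper library.

```python
import hashlib
import hmac
import json
import secrets

# Constructed per-installation key for the demo; a real deployment would
# provision a fresh random key for every agent.
DEMO_KEY = bytes(range(32))

NONCE_LEN = 16
TAG_LEN = 32  # SHA-256 digest length


def unauthenticated_parse(raw: bytes) -> dict:
    """A channel with no authentication: whatever parses is acted on.
    This is the weakness CCC describes: any sender can claim to be the controller."""
    return json.loads(raw.decode())


def seal(key: bytes, command: dict) -> bytes:
    """Wrap a command as nonce || HMAC-SHA256(key, nonce || body) || body."""
    body = json.dumps(command, sort_keys=True, separators=(",", ":")).encode()
    nonce = secrets.token_bytes(NONCE_LEN)  # fresh per message
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + tag + body


def open_sealed(key: bytes, msg: bytes, seen_nonces: set) -> dict:
    """Verify the tag before parsing; reject forgeries, tampering and replays."""
    if len(msg) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce = msg[:NONCE_LEN]
    tag = msg[NONCE_LEN:NONCE_LEN + TAG_LEN]
    body = msg[NONCE_LEN + TAG_LEN:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("authentication failed")
    if nonce in seen_nonces:
        raise ValueError("replayed message")
    seen_nonces.add(nonce)
    return json.loads(body.decode())


def demo() -> dict:
    """Exercise both channels and report which messages each one accepts."""
    results = {}

    # Anyone can hand the unauthenticated channel a command and it is accepted.
    unsigned = json.dumps({"cmd": "status"}).encode()
    results["unauthenticated_accepts_unsigned"] = unauthenticated_parse(unsigned)["cmd"] == "status"

    seen = set()
    genuine = seal(DEMO_KEY, {"cmd": "status"})
    results["sealed_accepts_genuine"] = open_sealed(DEMO_KEY, genuine, seen)["cmd"] == "status"

    def rejected(msg: bytes) -> bool:
        try:
            open_sealed(DEMO_KEY, msg, seen)
        except ValueError:
            return True
        return False

    # The same genuine message a second time: nonce already seen.
    results["sealed_rejects_replay"] = rejected(genuine)
    # One flipped bit in the body invalidates the tag.
    tampered = genuine[:-1] + bytes([genuine[-1] ^ 0x01])
    results["sealed_rejects_tampering"] = rejected(tampered)
    # A message sealed under a different key is not the controller's.
    results["sealed_rejects_wrong_key"] = rejected(seal(b"\x00" * 32, {"cmd": "status"}))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The nonce set is kept in memory here; a real agent would persist it (or use a monotonically increasing counter) so that replays survive a restart, and would bind the tag to the intended recipient as well so a message for one instance cannot be redirected to another.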
Both Kaspersky and F-Secure have already done their own analysis. Here's what they each have to say:
F-Secure
In their "News from the Lab" blog on the R2D2 Backdoor Trojan, their report adds,
And now, several German states have admitted to using Backdoor:W32/R2D2.A (a.k.a. "0zapftis"), though they say the backdoor falls within what's allowed.
Kaspersky
The Kaspersky blog details their own analysis which uncovered some other interesting details, including:
"...there are six components in total – each with a different purpose – all of which have been analyzed by us.
"Amongst the new things we found in there are two rather interesting ones: firstly, this version is not only capable of running on 32 bit systems; it also includes support for 64 bit versions of Windows.
"Secondly, the list of target processes to monitor is longer than the one mentioned in the CCC report.
"The number of applications infected by the various components is 15 in total."
So what's the point of this trojan? Good question.
The various reports all say it's for monitoring communication from a suspect's computer when they're using several types of software:
- VOIP software (like Skype)
- web browsers
- chat software
Software Monitored by R2D2 Backdoor Trojan

| Process | Software |
|---|---|
| explorer.exe | Internet Explorer web browser |
| firefox.exe | Mozilla Firefox web browser |
| opera.exe | Opera web browser |
| paltalk.exe | Video chat software |
So now, the question is: are the antivirus software companies detecting the trojan?
Yes. Kaspersky and F-Secure alike say their software's heuristics (i.e. realtime protection) were capable of detecting the trojan even before they became aware of it and added specific threat definitions to their software.
"The 'heuristic' category indicates that our automation flagged the file based on rules that our analysts have created."
And Kaspersky says,
All components are detected by Kaspersky as variants of the R2D2 trojan/rootkit. The dropper was previously heuristically detected and blocked by us as an invasive program.
So, the bottom line: if you're running good antivirus software with realtime protection enabled, this trojan is unlikely to be a threat.
And, if you're not, why not?
The TDSS botnet is regarded as "the most sophisticated threat today" according to Kaspersky Labs, makers of Kaspersky Antivirus.
And now, apparently the botnet is proving to be such a menace and so difficult to detect, its creators have even gone so far as to create a Firefox Add-On to make it easier for anyone using the botnet for anonymous surfing to switch from one hijacked connection to another.
Brian Krebs has more detail on the TDSS Rent-a-Bot Botnet Details.
What's so scary about this aspect of the TDSS botnet (which appears to be capable of being used for anything you can imagine) is that it means someone else can surf the web as if they're using your computer, doing whatever they want.
Here's a screenshot of a few of the infected PCs being rented for web proxy service:
The evil possibilities are endless.
Imagine what you could never imagine you doing yourself on your computer. Imagine what you'd never want your computer being used for. Now, imagine someone else is doing these things on your computer. And you don't even know it.
In my mind, I'd call Kaspersky's assessment spot on.
And if as you read this you're thinking to yourself, "Oh, but I know my computer isn't infected. I'd know it! Pfft. I don't need antivirus software." Sure about that, are you?
Sure enough that you can explain why your computer was downloading illegal pictures at 3AM? Or pirated Hollywood movies? Or stolen data from a military base?
You're that sure, are you?
Originally discovered by Xuxian Jiang (Assistant Professor at the Department of Computer Science, NC State University) and his research team, his report on the Android malware disconcertingly begins,
"This spyware does not attempt to root Android phones but instead is designed to be stealthy by running the payload under the radar.
"In fact, Plankton is the first one that we are aware of that exploits Dalvik class loading capability to stay stealthy and dynamically extend its own functionality.
"Our investigation indicates that there are at least 10 infected Android apps in the Official Android Market from three different developers.
"Its stealthy design also explains why some earlier variants have been there for more than 2 months....
What does this mean?
For starters, it means that the bad guys have found a way to get onto your Android without requiring "root" access, which means that it's able to evade detection and avoid tripping the warning screens and whatnot that you'd expect to see.
The report details how this application silently hooks into the phone, downloads in the background more things it needs to run, and uploads information about your account to computers the bad guys control.
Kaspersky's analysis revealed,
"...the virus does not provide root exploits, but supports a number of bot-related commands.
"One interesting function is that the virus can be used to collect information on users' accounts."
What exactly the bad guys are doing with the botnet either isn't yet clear or isn't yet being revealed by Professor Jiang or Kaspersky. And for that matter, what they're doing with the users' data isn't clear/revealed either.
This may be a case where they're just trying to test the waters and see what kind of flags they raise and what kind of information they can glean from users.
Regardless, it's definitely cause for some concern amongst users and antivirus researchers alike, as it will require the AV companies to rethink some of their strategies in protecting phones.
What's Google Doing about it?
According to the piece by Kaspersky,
"Google has historically taken a hands-off approach to policing the Android Marketplace.
"It will suspend and remove suspicious or malicious applications when they're reported, but does not vet applications prior to posting them, as Apple does with its AppStore.
"A growing population of Android users and burgeoning Android Marketplace, however, may challenge that approach.
Adobe has issued a warning about a critical vulnerability in Flash that impacts Adobe Reader and Acrobat.
Kaspersky Labs' Threatpost reports that the Flash Player vulnerability is a bug that can be used by remote attackers to run arbitrary code and that Adobe has already seen some attacks capitalizing on this.
Adobe issued a security advisory that the vulnerability exists in the following software versions:
- Adobe Flash Player 10.2.152.33 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
- Adobe Flash Player 10.2.154.18 and earlier for Chrome users
- Adobe Flash Player 10.1.106.16 and earlier for Android
- The Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.1) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems.
Adobe Reader 9.x for UNIX, Adobe Reader for Android, and Adobe Reader and Acrobat 8.x are not affected by this issue.
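Checking whether an installed build falls inside an "and earlier" range like the ones above is where version checks commonly go wrong: comparing dotted version strings lexically puts "10.2.9.0" after "10.2.152.33". The following is an added example, not code from Adobe or from the page, that encodes the affected ceilings quoted above and compares them numerically; the product keys and the helper names are my own.

```python
from typing import Tuple

# Affected ceilings as quoted from the advisory above.
AFFECTED_UP_TO = {
    "flash_desktop": "10.2.152.33",  # Windows, Macintosh, Linux, Solaris
    "flash_chrome": "10.2.154.18",
    "flash_android": "10.1.106.16",
}


def parse_version(text: str, width: int = 4) -> Tuple[int, ...]:
    """Turn '10.2.152.33' into (10, 2, 152, 33); pad shorter strings with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    if not parts or len(parts) > width:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (width - len(parts)))


def flash_is_affected(product: str, installed: str) -> bool:
    """True when the installed Flash build is at or below the affected ceiling."""
    return parse_version(installed) <= parse_version(AFFECTED_UP_TO[product])


def reader_is_affected(installed: str) -> bool:
    """Reader/Acrobat: all 9.x, and 10.x up to 10.0.1, are affected; 8.x is not."""
    v = parse_version(installed)
    if v[0] == 9:
        return True
    if v[0] == 10:
        return v <= parse_version("10.0.1")
    return False


def naive_string_compare_is_affected(product: str, installed: str) -> bool:
    """The common mistake: lexical comparison of dotted strings.
    Kept here only to show how it misclassifies builds."""
    return installed <= AFFECTED_UP_TO[product]


if __name__ == "__main__":
    for build in ("10.2.152.33", "10.2.152.34", "10.2.9.0"):
        print(build, "numeric:", flash_is_affected("flash_desktop", build),
              "lexical:", naive_string_compare_is_affected("flash_desktop", build))
```

The numeric comparison is the one to rely on; the lexical variant is included only to make the misclassification visible.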
There have been some reports of this vulnerability being exploited by embedding a Flash .swf file within a Microsoft Excel (.xls) file being delivered in an email attachment.
Adobe states they are not aware of specific attacks utilizing Adobe Reader and Acrobat.
A fix for this issue is in the works and scheduled for release by March 21, 2011.
Even though the new Flash bug apparently wouldn't be exploitable in Reader X, Adobe plans to update that application in its scheduled quarterly Reader patch release on June 14, 2011.
While you're updating your Flash player, take a peek at your antivirus software and make sure it's up to date, too. After all, it's your last line of defense.