02/26/2016

The Ugly Truth About "Ransomware"

On Feb 18, the entire computer system at Hollywood Presbyterian Medical Center was locked and held for ransom.

The hackers who easily infiltrated the hospital's system locked and encrypted all of the hospital's medical files and computers, making it impossible to work and help patients. The hackers demanded $17,000 to unlock the hospital's computer system. The hospital staff had to resort to pen and paper to get anything done, and many critical patients had to be diverted to other hospitals for care.

And if you think you're not vulnerable to ransomware attacks, think again:

The Lockie ransomware can be targeted at anyone, anytime. Whether you're a big company or a single person, Lockie makes it incredibly easy to infect and hold your PC... or many PCs... for ransom. Local resident Brandi C. was hit by Lockie at home.

Brandi had to pay $300 to the hackers so they would unlock and release her computer back to her.

How Does This Happen?

The Lockie ransomware is spread primarily through email. Proofpoint CEO Gary Steele says his security firm saw 10 million messages containing Lockie go out in a single day.

Lockie is typically delivered via email as an attachment. By opening a simple Word document attached to your email, you could instantly infect your system with Lockie. Your entire computer would then be locked and encrypted, with a demand from the hackers to pay hundreds or even thousands of dollars to unlock it.

How To Avoid Lockie and Other Ransomware

  1. Don't click on suspicious links or attachments in your emails. If you get an email from someone you don't know that has an attachment, you have two options:

    1. Delete the email immediately without opening. This is your best and safest option.

    2. Use your antivirus software to scan the file before opening it (most antivirus software has a feature that lets you right-click a file and scan it). Caution: be extremely careful that you don't actually double-click to open it. If you do, you could instantly infect your PC. If you do get infected with Lockie or any other ransomware, try The FixMeStick to get rid of it.

  2. Backup all your data regularly. If you're not already backing up your files... you should be. A good backup software is a critical piece of online security that many people overlook. Backup always and often.

  3. Be sure you have good antivirus or Internet Security software installed. We say it over and over, but people still get hit with ransomware and other malware all the time because they have poor antivirus software. A good antivirus program will scan attachments before they can do any damage.

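The first rule above (who sent it, and what is attached) can be turned into a quick mailbox triage. The script below is an added example, not code from the original post; the sample message, the sender allowlist and the extension lists are constructed for illustration, and the verdicts mirror the post's two options: delete, or scan before opening.

```python
import email
import os
from email import policy
from typing import List, Tuple

# Extensions that commonly carry macros, scripts or executables; illustrative, not exhaustive.
RISKY_EXTENSIONS = {".doc", ".docm", ".xls", ".xlsm", ".js", ".vbs", ".exe", ".scr", ".zip", ".rar"}
# Harmless-looking extensions attackers put in front of the real one (invoice.pdf.exe).
DECOY_EXTENSIONS = {"pdf", "txt", "jpg", "png"}
# Constructed allowlist of people you actually correspond with.
KNOWN_SENDERS = {"friend@example.com"}

# Constructed sample: an unsolicited "invoice" with a Word attachment (base64 of "dummy").
SAMPLE_EML = b"""From: "Accounts" <billing@unknown-example.net>
To: you@example.com
Subject: Invoice #4417
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see attached invoice.
--b1
Content-Type: application/msword; name="invoice_4417.doc"
Content-Disposition: attachment; filename="invoice_4417.doc"
Content-Transfer-Encoding: base64

ZHVtbXk=
--b1--
"""


def attachment_findings(filename: str) -> List[str]:
    """Return human-readable reasons an attachment name looks risky."""
    findings = []
    lower = filename.lower()
    ext = os.path.splitext(lower)[1]
    if ext in RISKY_EXTENSIONS:
        findings.append(f"{filename}: {ext} files can carry macros or executable code")
    parts = lower.split(".")
    if len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS:
        findings.append(f"{filename}: double extension disguises the real file type")
    return findings


def triage_message(raw: bytes, known_senders=KNOWN_SENDERS) -> Tuple[List[str], str]:
    """Apply the post's two checks: is the sender known, and is the attachment risky?
    Returns (findings, verdict); verdict is 'ok', 'scan before opening' or 'delete'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    addrs = msg["From"].addresses if msg["From"] else ()
    sender = addrs[0].addr_spec.lower() if addrs else ""
    unknown = sender not in known_senders
    if unknown:
        findings.append(f"sender {sender or '<missing>'} is not a known contact")
    risky_attachment = False
    for part in msg.iter_attachments():
        reasons = attachment_findings(part.get_filename() or "<unnamed>")
        if reasons:
            risky_attachment = True
            findings.extend(reasons)
    if risky_attachment and unknown:
        verdict = "delete"          # option 1 in the post: unknown sender plus risky attachment
    elif risky_attachment:
        verdict = "scan before opening"   # option 2: known sender, still scan it first
    else:
        verdict = "ok"
    return findings, verdict


if __name__ == "__main__":
    for line in triage_message(SAMPLE_EML)[0]:
        print(line)
    print("verdict:", triage_message(SAMPLE_EML)[1])
```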

In the end, the hospital paid the $17,000 ransom to get their files back. They panicked because they felt they had no other choice. They should've trained their staff to better identify suspicious email attachments, and they should've had better antivirus software running.

Brandi, like thousands of others, was an innocent bystander who got hit with this devious malware... and you could be too. Be alert when you're online, just like you would be in a bad part of town. Keep your eyes and ears open and don't be too quick to click.

11/28/2015

Emsisoft Tool to Decrypt DecryptorMax

Softpedia has a nice write-up on the new Emsisoft tool to decrypt the DecryptorMax ransomware (aka CryptInfinite).

This tool is great news for the good guys and for the consumers who've been affected by this scumware.

If your PC is infected with this malware, you can download decrypt_cryptinfinite.exe (the decryption tool) from Emsisoft here:

http://emsi.at/DecryptCryptInfinite

And, as to how to use it, the fine folks at BleepingComputer.com have a tutorial on using the CryptInfinite / DecryptorMax decryption tool.

10/07/2014

Shellshock and Heartbleed: Are You At Risk?

By the time news of most exploits hit mainstream media, the exploits have long been "in the wild," infecting computers the world over.

By this time, the media seizes on the news and goes after it like a pack of sharks who've smelled blood in the water.

So, are these exploits worth being worried about?

Let's get the answer to this question by asking two more:

  1. Are you at risk?
  2. What's the best way to protect yourself?

Heartbleed and Shellshock are very different exploits, each with different attack methods and each requiring different techniques to thwart them.

Let's start with:

What Is Heartbleed?

Although not a virus or malware in the traditional sense, the Heartbleed vulnerability is a mechanism by which attackers can gain access to your confidential information when you access vulnerable websites, email, and other servers.

If one of these websites hasn't patched this vulnerability and you access it over a secure (https) connection, attackers can intercept your (otherwise secure) communication with that website, decode the information, and impersonate you with that server.

Confused? Let me put it in real world terms.

Let's say you go to your bank or credit card online.

You put in your username and password, do your business, and get on with your day. Fine. Or so you thought.

Meanwhile, silently in the background, someone was listening in right through the "secure" connection and stealing your username and password.

And, as you've moved on to other sites and the rest of the day, the bad guys are now logging into your bank account, and draining it.

It's not just bank accounts either.

According to the highly regarded Netcraft, over 500,000 widely trusted websites were vulnerable. No doubt some of them still are.

Many of the websites you visit to check your email or log into to conduct personal business are potentially vulnerable.
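The post describes Heartbleed from the user's side; underneath, the flaw was a missing length check in OpenSSL's handling of TLS heartbeat messages: the server answered with as many bytes as the request claimed, not as many as it had received, so whatever sat next to the request in memory went out with the reply. The Python below is an added illustration, not code from the original post; it assumes the RFC 6520 heartbeat layout and a constructed in-memory buffer, and shows the bounds check the fix added.

```python
import struct
from typing import Optional, Tuple

HEARTBEAT_REQUEST = 1
HEADER_LEN = 1 + 2        # one type byte plus a 16-bit payload_length (RFC 6520)
PADDING_LEN = 16          # RFC 6520 requires at least 16 bytes of padding


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Build a heartbeat message body. A well-formed sender leaves claimed_len as
    None so the length field matches the payload; a malformed one overstates it."""
    length = len(payload) if claimed_len is None else claimed_len
    return bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", length) + payload + b"\x00" * PADDING_LEN


def vulnerable_handle(memory: bytes, record_len: int) -> bytes:
    """Pre-fix logic: the received record occupies memory[:record_len], but the
    handler trusts the payload_length field and copies that many bytes into the
    reply. Whatever lies beyond the record in process memory is echoed back."""
    (payload_len,) = struct.unpack("!H", memory[1:3])
    return memory[HEADER_LEN:HEADER_LEN + payload_len]


def patched_handle(memory: bytes, record_len: int) -> Optional[bytes]:
    """Post-fix logic: the claimed payload, header and minimum padding must all
    fit inside the record that actually arrived; otherwise drop the message."""
    if record_len < HEADER_LEN:
        return None
    (payload_len,) = struct.unpack("!H", memory[1:3])
    if HEADER_LEN + payload_len + PADDING_LEN > record_len:
        return None  # silently discard, which is what the OpenSSL fix does
    return memory[HEADER_LEN:HEADER_LEN + payload_len]


def demo() -> Tuple[bytes, Optional[bytes]]:
    """Constructed scenario: a 4-byte payload whose length field claims 30 bytes,
    sitting in memory right next to unrelated data from another connection."""
    record = build_heartbeat(b"ping", claimed_len=30)   # 23 bytes actually received
    neighbour = b"session-cookie=abc123; " + b"\x00" * 64  # constructed neighbouring data
    memory = record + neighbour
    return vulnerable_handle(memory, len(record)), patched_handle(memory, len(record))


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable reply:", leaked)   # payload, padding, then 10 bytes of the neighbour
    print("patched reply:", safe)        # None: the malformed message is discarded
```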

Now, some good news.

  1. Microsoft web servers are not vulnerable. (This doesn't mean people using Windows as their desktop OS aren't vulnerable; it just means the websites themselves aren't.)
  2. Most banks and other financial institutions that were at risk have now patched their servers, eliminating the vulnerability.
  3. There's a plug-in for Google's Chrome browser called "Chromebleed" that tests for the vulnerability.

As for other things you can do, Tom's Guide has an outstanding, effective list of things you should do to protect yourself against Heartbleed.

I recommend you take a look at Tom's Guide for complete details, but here's the list in condensed fashion (with some edits I've thrown in for good measure):

  1. Change your Google, Facebook, Yahoo!, and Dropbox passwords.
  2. Log out of all apps on your phone, iPad, etc., then log back in.
  3. If a website asks you to update your password, do it.
  4. Update your OS (regardless of what you run: Windows, Mac, Linux, BSD, whatever).
  5. Set up two-factor authentication. (This is just a smart thing to do anyway.)

Conspicuously absent from the list, you'll notice, is "run/update your antivirus software." Since Heartbleed isn't a virus, there's nothing gained by antivirus software or an Internet Security suite; however, good ones like those from VIPRE, ESET, and Bitdefender will protect you against other types of attacks, viruses among them.

What About Shellshock?

Shellshock, also called "Bashdoor," is an attack, primarily on servers, that leverages a series of flaws in software called "Bash" that's commonly installed on web, email, and other servers.

Without boring you to tears with all the technical details of Shellshock, let's just address the important question here: are you at risk?

Unless you're running Cygwin on Windows, Xcode on OS X, or a Linux/BSD variant, chances are no. (If you don't know what these are, you're probably not at risk, since they aren't built into Windows or OSX.)

The bigger problem though is that many, many of the web sites you visit daily are (or at least were) vulnerable.

On top of that, unlike Heartbleed, where there's a very small risk of the server itself being compromised, Shellshock by design does compromise vulnerable servers and allows attackers to take them over.

In an outstanding article on Shellshock, Troy Hunt says:

"The worry with Shellshock is that an attack of this nature could replicate at an alarming rate, particularly early on while the majority of machines remain at risk.

"In theory, this could take the form of an infected machine scanning for other targets and propagating the attack to them."

OK, brass tacks, what does this mean?

First, it means your computers, laptops, phones, and tablets are probably not directly vulnerable.

HOWEVER, it does mean that many ordinary websites out there that we all think are safe and virus free are now places that are vulnerable to attack and that, once compromised, can harbor malware used to infect ordinary users' computers.

This is a strong case for considering Internet Security software over garden-variety antivirus.

The two things most commonly found in Internet Security software and absent from most antivirus programs are:

  1. malicious website blocking
  2. a software firewall

...both of which help make your PC safer from attack and infection.

07/06/2012

Internet Blackout for Thousands This Monday. Are You One of Them?

Is this a hoax, or some kind of Y2K scare tactic? Unfortunately, it's very real for about 65,000 U.S. citizens.

I'll give you the good news first: if you've been running antivirus software for the past couple of years, you're probably fine and won't be affected. All the major antivirus companies have been on top of DNS Changer since it came out a few years back and have either blocked it or removed it from any infected computer.

So, what exactly is going on?

Over the past 5 years, some Estonian cybercriminals infected approximately 4 million computers with a virus called "DNS Changer." The FBI (and other international law enforcement agencies) finally caught up with these criminals, arrested them, and seized the infected server farm that was doing all the damage.

Then everything should be fine, right?

Not exactly. The problem is, the FBI had to keep those infected servers running since March. Why? Anyone who has a computer infected with DNS Changer would instantly lose Internet access if these servers were shut down (since the infected computers rely entirely on these malicious servers for Internet access).

The FBI decided to give people a chance to clean up their computers before they pull the plug on these malicious servers this coming Monday (7/9/2012). If for some reason you don't run antivirus software, or are just unsure if you're infected, you may lose Internet access on Monday for several hours.

What exactly does DNS Changer do?

In a nutshell, DNS Changer takes over your computer's DNS and points you towards fake search results populated with malicious websites. Any one of these fake sites will further infect you with trojans or other viruses designed to steal passwords, send you spam, or just steal your money flat out. Nasty business.

For instance, if you were infected with DNS Changer, and you did a search for "Netflix," then clicked one of the fake search results, you would be redirected to a bogus (and dangerous) site called "BudgetMatch" instead.

Or if you clicked a search result for ESPN, you might see fake ads on ESPN's site directing you to a fake timeshare business.

As I mentioned above, if you've been regularly running antivirus or Internet security software on your computer, you're almost certainly safe from losing Internet access this Monday, but we recommend that you at least do a simple test to make sure.

U.S. users can click this link to see if their DNS is working properly (which indicates DNS Changer isn't affecting you):  http://www.dns-ok.us/

You should see this if your computer is safe:


For other countries, and more information, you can visit this site: http://www.dcwg.org/detect/

If you do find that you're infected, you should install some antivirus software to try to get rid of DNS Changer. In many cases, however, your computer may be so infected that it might be too late even for that. In that case, you should seek out a professional to diagnose and solve the issue.


01/30/2012

Will 2012 Be the Year of the Cellphone Virus?

I know I'm not the first blogger in the antivirus arena to go on record as saying that I think cell phones and tablet PCs are ripe for the pickin' by the virus and malware writers.

What's clear, though, is that more folks like us (i.e. people who are *not* employees of the top antivirus manufacturers) are beginning to beat this drum, too.

PCWorld's Dan Tynan wrote a piece back in November 2011 called "Mobile Malware Epidemic Looms." Now there's a piece in the NYTimes: "Build Up Your Phone's Defenses Against Hackers."

No disrespect to mainstream media, especially the NY Times, which I love, but c'mon... by the time this kind of thing hits The Times, it's arguably already old news. Certainly, it's well beyond the point of being "theory."

The opening sentence of Dan's piece in PCWorld says it all:

"I know it's a tad early for new year predictions but I'm going to beat the rush and make mine now: 2012 will be the year of mobile malware."

At the risk of offending the sensibilities of some of my readers who think they're immune, let me ask a few questions about what you do with your phone.

(N.B. For brevity, I'm lumping smartphones and tablet PCs into one category, "phones".) With your phone, do you...

  1. Use Bluetooth?
  2. Browse the web?
  3. Send or receive email?
  4. Send or receive text messages?
  5. Charge via a USB connection?
  6. Charge at public charging kiosks?
  7. Use QR / "Scan Me" codes? [1]

If you answered "Yes" to any (and I mean any) of these questions, congratulations, you're at risk.

Now, shift gears for a second and think about not just the ubiquity of the cell phone but the utility. Not only are cell phones everywhere, they're *really* useful, which makes them all the more ubiquitous, which makes them even more useful, and so on.

And, now for the deathblow in the argument against cell phone antivirus software.

Phones are computers. Period.

If there's a microprocessor in it, it's a computer. And, I don't care how much time, money, energy, blood, sweat, and tears a manufacturer has put into their phone. It only takes one oh-so-subtle mistake by a well-intentioned programmer to make the code vulnerable to traditional malware attacks.

Consider this. Just to create the homepage of our site (and just the homepage) takes over three thousand lines. [2] And that doesn't even count the code your web browser had to have to understand how to display our site properly for you.

My point: even if you have no clue how many lines of programming it takes to make a cell phone, rest assured it takes millions. Many, many millions. We ourselves are always finding and fixing little errors and typos throughout our site. If we have a hard time finding them in our own back yard, imagine how hard it is for a programmer to think about what problems they're going to encounter when millions of customers start using phones in millions of different ways.

Every mistake, no matter how subtle, is a possible virus entry point. Maybe it'll never be discovered. Maybe it will. But in millions of lines of code, there are lots of opportunities for mistakes.

Next is the issue of "social engineering," where you're just out-and-out tricked into running malicious code. Maybe you click, "Yes" accidentally. Maybe you didn't understand what was going on and clicked, "Yes." Regardless, you clicked, "Yes" and installed something evil onto your phone.

What's it going to do?

Who knows? For starters it is a PC. The problem is, it's a whole lot more, too. It's a phone. It's a camera. It's an MP3 player.

Common things (so far) for cell phone malware are things like secretly calling 900 numbers, listening for credit card numbers, stealing contact information, logging keystrokes at your bank, brokerage, and credit card accounts... and the list goes on.

No matter how you look at it, cellphone viruses are here and cellphone antivirus software is a must. Android. iPhone. Blackberry. Windows. Palm. It doesn't matter what platform your phone (or tablet PC) runs, rest assured, it's vulnerable to viruses. Today.

How convinced are we? We're putting our own R & D money on the line: fitting right in line with our regular PC antivirus reviews, we're working on our own cellphone antivirus review site. No launch date just yet, but if what we've already seen in terms of mobile malware is any indication, it had better be soon.

[1] QR / "Scan Me" codes are those funny square scan code things that are popping up everywhere offering everything from discount coupons to manufacturer-direct purchasing.
[2] For some more perspective, we estimate (conservatively) that since 2006 our site has produced well over 1,000,000 lines of code. And that's just the site itself.

12/08/2011

Ask the Experts: Do I Need Antivirus Software?

Martha tapped out a note to us today that asked:

"I'm 73 years old. My grandkids have been getting after me a lot lately. They want me to put some of that antivirus software on my computer. I don't know a thing about this stuff. I don't understand why I even need it. I use my computer for email and reading the news."

Here's my reply (with a little extra added here for clarification):

Thanks for writing, Martha.

I'm glad to hear your grandkids have been after you to get antivirus software. They're wise beyond their years. :-)

The first question here is:

Do I need antivirus software?

Since there are so many different ways a computer can get a virus, the question to ask to decide if you need antivirus software is:

What would happen if your PC got a virus?

The main risks of viruses are that they tend to be:

  1. destructive
  2. personally invasive
  3. resource thieves

The first thing is easy to understand. Viruses can delete your files.

If you have nothing of value on your PC, there's no risk here other than the time and cost for a PC shop to restore your PC and get it back into a working state.

On the other hand, if you do have things of value (real or sentimental) on your PC, maybe photos, music, emails, or the like, what would be involved in restoring those files, assuming it's possible?

As for viruses being personally invasive, it means viruses can steal your files, your data, and under the right circumstances even your identity.

Ditto here. If there's nothing of value on your PC, the risks are the time and cost of repair. If you use your computer for things like online banking, doing your taxes, or medical-related stuff, what's the risk of this information falling into the wrong hands?

The last one, resource theft, means viruses can burrow their way onto your PC and can make your computer a part of a "botnet".

Botnets are often used for sending spam, so if your PC gets sucked into a virus botnet, it's pretty likely someone would start using it to send their spams, probably without you even knowing it.

Even if there's truly no risk of data loss or theft (which isn't really the case, but assuming it is), if your computer is in a botnet, it's definitely being used for malicious purposes, something most folks don't want.

As to how you get a virus, there are a lot of ways computers get infected. These days, the bad guys are resorting to taking over legitimate websites and using clever tricks to confuse people (or their computers) into installing their viruses.

How you get a virus is actually less important than what would happen if you got one, which is the real question to ask yourself if you're trying to figure out if you need antivirus software.

12/05/2011

Ask the Experts: What's the difference between antivirus and Internet Security software?


Easily one of the most frequently asked questions we get is:

What's the difference between antivirus software and an Internet security suite?

Right on the heels of that is the next one: Is the upgrade worth it?

Each security software company puts their own spin on things, but generally it boils down to the addition of two critical features:

  1. firewall software
  2. malicious website filtering

Firewall software

Creates a virtual "moat" between your PC and the Internet (or the rest of a network if you're on an open wireless network somewhere like a coffee shop or the airport).

Sure, some malware can beat a software firewall, but it's another layer of defense to help keep your PC safe.

The other benefit to the best firewalls: you can record (and block) traffic both going to your PC and traffic leaving from it, too.

What's the point?

You'd be surprised how many programs are installed on your PC that make connections all on their own to check for updates, etc. Viruses, worms, keyloggers, spambots, and other malware do this, too.

So, if you suspect a virus may've infected your PC and gotten past your antivirus software, a firewall can help you track down if and when it's making connection attempts from your PC back to a master server somewhere.

Malicious website filtering

You're out reading some news and checking out your favorite sites. Maybe you're clicking around and visiting some sites you've never been to; maybe you just made a typo and entered "yuorbank" instead of "yourbank."

Who knows.

In either case, the bad guys are on the prowl and are:

  1. secretly taking over legitimate sites and installing their viruses onto them
  2. buying domain names that are typos of legitimate sites
  3. sending spams and phishing emails

Regardless of their method, the bad guys are out there, and malicious website filters (including anti-phishing ones), like a firewall, can give you one more layer of protection before the actual virus detection part of antivirus software has to come into play.

Is the upgrade worth it?

Yes.

In a lot of cases when it comes to technology, there's wiggle room in an answer. In this case though, the "Yes" is clearcut.

Sure, these two features will cost a few bucks more, usually about $10. The $10 is well spent though, since you're getting real benefit from it.

The $10 isn't just fluff on a fancier name; it's $10 on--at least--two different security technologies that you don't get with most basic antivirus protection.

And, they're two technologies that can make all the difference between your PC being compromised (and all the clean-up time, expense, and mess that goes along with it) and not.

09/18/2011

Fake Antivirus Software Showing up on Legit Websites

For a while it seemed the fake antivirus software world was going to continue growing unchecked, but as pointed out by ZDNet's Ed Bott in his piece "Who killed the fake antivirus business?":

"The fake-antivirus business was a big money-maker in the first half of this year.

"Then, at the end of June, fake-AV products practically disappeared from the web.

"Was it technology, or does traditional law enforcement deserve the credit?"

Ironically, just two weeks after his piece, uTorrent (a company offering legitimate BitTorrent software) saw its web servers hacked and its legitimate BitTorrent software replaced with fake antivirus software.

As it turns out, the server in question, according to the geek.com piece, was only online with the phony antivirus software/malware for an hour and 40 minutes, from 4:20AM 'til 6AM PST.

A response of under two hours to identify the breach and take the server offline, especially in the wee hours of the morning, is really quite good. (Unless, of course, you downloaded uTorrent in that block of time.)

Here's what one version of the Security Shield fake antivirus software looks like:



(Notice the bad grammar in the fake software's interface: "Protect your PC in new level.")

Matthew Humphries, the geek.com writer behind the story, goes on to say:

"uTorrent has now apologized and managed to get their servers back online after removing the rogue files.

"If nothing else this should act as a reminder to everyone to ensure any files you download from the Internet are scanned with a reputable security scanner before being run, as clearly you can't trust legitimate sites all of the time."

I couldn't have said it better myself.

And that, my friends, is why antivirus software is a must.

Even huge companies like Sony have suffered major break-ins in recent months (Sony's entire PlayStation Network (PSN) was taken down for weeks as a result), so even when you're downloading software from a known, trusted source, who's to say their servers haven't been compromised?

08/25/2011

Android Malware, Adobe Exploits, Spam Volume & More in the McAfee Quarterly Threat Report

In their most recent McAfee Threats Report, antivirus & security software vendor McAfee covers a lot of ground in the malware arena.

Here are the highlights:

  1. Android is now the most highly targeted platform for mobile/smartphone malware.
  2. More successful legal actions are being taken against cybercriminals.
  3. A 22% increase in malware samples over 2010.
  4. On pace for 75 million malware samples by the end of 2011.
  5. Fake antivirus software continues to grow.
  6. A 38% increase in rootkits (stealth malware) over 2010.
  7. Adobe outpaced Microsoft for security exploits in its software (Acrobat, Acrobat Reader, etc.).
  8. After a brief uptick, spam is again declining.
  9. Over 7,000 new malicious websites per day.
  10. Over 2,700 new phishing websites per day.

What are the takeaways from it?

  1. Smartphone viruses are here, they're real, and they're growing.
  2. It isn't just a matter of keeping your OS updated. You've got to update all the software on your system regularly. Adobe Acrobat/Reader is proving that.
  3. Antivirus software is a must.

08/16/2011

Best Web Browser for Blocking Malicious Content?


Fans of Internet Explorer, rejoice!

Well, sort of.

NSS Labs, one of the top independent security research labs in the world, just put each of the top web browsers for Microsoft Windows PCs on their test bench to see how they fared against socially engineered malware.

Long lambasted for being insecure and weak in its ability to thwart malware, Internet Explorer actually landed at the front of the pack in this particular test which included:

Their report, "Web Browser Security, Socially Engineered Malware Protection," looked specifically at social engineering malware (SEM) attacks, which

"...remains the most common security threat facing Internet users today.

"Recent studies show that users are four times more likely to be tricked into downloading malware than be compromised by an exploit."

How much better did IE fare? At the risk of editorializing, it was an absolute landslide. (Politicians dream of this kind of lopsided victory.)

Effectiveness of Top Web Browsers at Blocking Social Engineering Malware Attacks

  Web Browser                      Malware Blocking Efficacy
  -----------------------------    -------------------------
  Microsoft Internet Explorer 9    99.2%*
  Google Chrome 12                 13.2%
  Apple Safari 5                    7.6%
  Mozilla Firefox 4                 7.6%
  Opera 11                          6.1%

  * With both URL and Application Reputation enabled during testing, which provided 96% and 3.2% of the protection respectively.


Now for the one caveat: this only measured the efficacy of blocking social engineering malware and didn't test any of the browsers' ability (or likelihood) to be attacked through a security exploit.

What does that mean?

For starters, it means stopping viruses and other malware isn't as easy as running one web browser vs. another.

While Internet Explorer 9 might do very well at blocking social engineering malware, other browsers have historically done significantly better at stopping attacks that come through security exploits.

So, what's the best, most secure web browser?

There's no simple answer. I'd really encourage you to take a close look at the NSS Web Browser Security Report.

Another thing not covered is the effectiveness of antivirus software at blocking these types of threats.

In our tests, we consistently saw the software we tested with the best malicious website filtering giving added protection above and beyond what the web browsers themselves provided.