It isn't every day you get to see what a real Trojan attack looks like.
When you do, there's seldom time to even take screenshots: you just want to get the heck out of Dodge.
But, this time, in putting together material for our upcoming free workshop when I happened across a real attack I was able to record it.
If you've ever wondered what an attack looks like, here's your chance to see one.
Here's the best/worst part: nothing stopped it.
- Not our Internet Security Software.
- Not any of our browsers' built-in malware protection
- Not even Windows 10 built-in security.
See for yourself how it happened and what you can do to stop it.
This file opens in a new tab / Window for you.
With a lot of the things we as consumers buy--especially things we buy rarely--we narrow the field down from a huge list of options to the two or three things we're most serious about buying.
And since most of us renew our antivirus software for somewhere between one and three years, it's no different. Easily the most common of these narrowed down head-to-head comparisons in the world of virus protection is Norton vs McAfee.
The two questions all of us ask at a time like when we're comparing two things are:
- What's better?
- If the more expensive is better, it worth it?
So, let's take a look at these two heavyweights and get this question answered!
Norton Antivirus 2012 vs.
Norton Antivirus 2012
McAfee AntiVirus 2012
|Virus & Spyware Protection|
Prevention / Real-time Protection
|Consistently scores among the top programs in our tests at preventing new virus infections. Earned an "excellent" rating against "zero day" threats in each of our 2012 tests.||Does quite well against most new viruses and earns a "very good" rating in this part of our tests; however, it comes at a huge performance cost that sometimes makes using the web painfully slow.|
Manual Virus Scanning & Removal
|Did nearly as well at detecting and removing viruses on our test PCs as it did at preventing them from getting there in the first place. Another "excellent" rating.||Mysteriously, McAfee outright missed about 50% of the viruses we tested with, and some of those that it did find, it had a tough time removing.|
|Not as impressive against spyware/adware as it is against viruses, but it still earns a "Good" rating in our tests both for preventing infection and successful removal.||Not good, not bad against spyware, truly "Average." It did, however, do better at stopping spyware from getting in than it did at removing it.|
|Verdict||Category Winner: Norton|
|Installation, Usability & Tech Support|
The best installer of 2012.
If we had a rating for "Outstanding," it would earn it. Instead, its 100% score earns it an "Excellent" rating in our scoring grid.
The complete opposite of Norton's installer. Account setup required, very large, slow installer has to be manually downloaded onto each PC you install the software onto.
Too many hoops to jump through. Really a terrible experience from start to finish. Rating: "Poor"
|Black interface takes some getting used to, but it's aesthetically pleasing and mostly easy to use. Some screens feel a bit bolted on. Overall it's fast and works well.||
At the risk of sounding overly harsh, this is a flawed interface by most any measure. Its tiny main window (and huge top label section) forces everything to be done in a window about 2" x 3".
Some features require multiple scroll bars to work. Needs a complete redesign.
|While many help beyond basic installation and upgrades is a "Premium" service (i.e. they charge you for it), the Norton support (long complained about by consumers) has gotten much better. Just don't expect to talk to them for free if you need help.||
Like Norton, McAfee charges for most everything beyond help with basic installation and upgrades.
Overall, a "Good" experience; expect the basic techs to stick to a script, even if your needs aren't on their script.
|Verdict||Category Winner: Norton|
Norton Antivirus 2012
McAfee AntiVirus 2012
|Money Back Guarantee||
60 Days (The longest available.)
30 Days (Industry average.)
|Verdict||Overall Winner: Norton|
Here are the highlights:
- Android is now the most highly targeted platform for mobile / smartphone malware.
- More successful legal actions are being taken against cybercriminals
- 22% increase in malware samples over 2010
- On pace for 75 million malware samples by the end of 2011
- Fake antivirus software continuing to grow
- 38% increase in rootkits (stealth malware) over 2010
- Adobe outpaced Microsoft for security exploits in their software (Acrobat, Acrobat Reader, etc.)
- After a brief up-tick, spam is again declining
- Over 7,000 new malicious websites per day
- Over 2,700 new phishing websites per day
- Smartphone viruses are here, they're real, and they're growing.
- It isn't just a matter of keeping your OS updated. You've got to update all the software on your system regularly. Adobe Acrobat/Reader is proving that.
- Antivirus software is a must.
Since the Wired article, there has been just tons of coverage about how the worm came to be, about the threats to equipment like the Siemens controllers in the article, and what the real threats are from these types of attacks.
One of the best ones was in an ITWorld piece this week, "Does the Mac have an edge against state-sponsored hacking?"
This isn't just about state-sponsored hacking but about the question generally of: Does a Mac Need Antivirus Software?
This question is posed indirectly in the outsanding research document Macs in the Age of the APT [Advanced Persistent Threat] done by iSEC Partners.
There's a second question-within-the-question though: Does the Apple computer need antivirus software?
Let's start with a quote from the ITWorld article,
...and as you might expect this is where things get interesting.When hackers broke into Google's computer network nearly two years ago, their first step was to take over Microsoft Windows machines running in the company's China offices. Would Google have been better off had those workers been running the Mac?
"Not necessarily, according to researchers at iSec Partners, a security consultancy that is part of NCC Group.
"Speaking at the Black Hat conference in Las Vegas Wednesday, iSec founder Alex Stamos and his team of researchers took a look at the typical stages of the type of intrusion that hit Google -- called an advanced persistent threat (APT) attack -- and compared how the Mac would do versus Windows 7.
It's commonplace in the Mac community to believe--even recklessly--that Apple OSX is immune to viruses and other malware.
Malarky. If it has a CPU, it can get a virus. Full stop.
Right now there are still fewer--far fewer--threats for the Mac. No question.
Some pundits claim this is because there are fewer Macs than PCs; others will claim this is because the Mac is so much more secure, it's all but impervious to attacks technologically.
While that may--and I want to emphasize may--be true, that doesn't mean the Mac really is impervious technologically. It's not. It's just that the bad guys haven't publicly put the attention onto the Mac that they have onto Windows.
Further, the Mac is no more immune at all than a Windows 7 PC against a social engineering attack where the user is tricked into installing malicious software.
Again quoting the ITWorld piece on the iSEC research,
Interestingly, Stamos echoes the same key point we like to make about security: Security isn't just about protecting against technological attacks. It's also about protecting against social engineering attacks, too.Their conclusion: Macs provide good protection against the initial phases of the attack, but once the bad guys are on the network, it's a whole different story.
"'They're pretty good for [protecting from] remote exploitation,' Stamos said. '[But] once you install OS X server you're toast.'
"The problem is that many of Apple's server protocols -- mDNS, Apple Remote Desktop, the Mac Kerberos authentication, for example -- use weak authentication models that give the attackers ways of getting access to parts of the network that should be blocked.
"'Every password-based authentication mechanism in OS X has problems,'[Editor's Note: Emphasis mine.] Stamos said.
And, it isn't even so much a question of getting tricked. It's also a question of accidental installations, too.'Most people get malware because they intentionally install it,' he said. 'At an institution of thousands of employees, you have to assume that one of them going to get tricked.'
Who hasn't been typing away when suddenly you get some popup message from your OS or your web browser as you're typing in something else and you accidentally hit [space] or [enter] to the popup message as you're going?
"Oh crap. Did I just hit [OK] to something? What was that message?"
And this, regardless of threats from government- or crime syndicate-funded viruses and crackers, is why the Mac--just like its PC brethren--does need antivirus software.
The ITWorld piece goes on to say how the attacks are much more commonplace than you might think. And there's research to back this up.
Here's the thing, too. A lot of these companies are very sophisticated companies. Just take Google for example.McAfee released a report saying that it had uncovered evidence of a sophisticated hacking operation that had broken into systems at more than 70 companies over the past five years.
"I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion," wrote Dmitri Alperovitch, McAfee's vice president of threat research in a blog post.
Most anyone would be hard pressed to come up with a more technologically adept company. Yet, they got hit with an APT attack.
The point being, if a highly sophisticated company can get hit, doesn't it stand to reason that you can, too? Even if you do run OS X?
As the iSEC researchers said so well in their pdf,
Huh. I think that's great advice for PC users, too.Bottom Line: Run your Macs as little islands on a hostile network.
September is proving to be a busy month for the bad guys. Aside from the latest email worm, dubbed W32/VBMania@MM by McAfee, Adobe is also being exploited by the cyber criminals.
This latest bug (CVE-2010-2883), being called, "Critical," Adobe's highest rating, affects Adobe Reader / Acrobat versions 9.3.4 and earlier on the following platforms:
- Microsoft Windows
- Apple Macintosh
According to Adobe, there are mitigation techniques available for Windows users, though an upgrade is definitely a better choice. Their official announcement warns,
Current exploits in the wild target the Windows platform. Customers using Adobe Reader or Acrobat 9.3.4 or earlier on Windows can utilize Microsoft's Enhanced Mitigation Evaluation Toolkit (EMET) to help prevent this vulnerability from being exploited.
"For more information on EMET and implementing this mitigation, please refer to the Microsoft Security Research and Defense blog. Note that due to the time-sensitive nature of this issue, testing of the functional compatibility of this mitigation has been limited.
"Therefore, we recommend that you also test the mitigation in your environment to minimize any impact on your workflows.
Possible effects of the exploit?
This vulnerability (CVE-2010-2883) could cause a crash and potentially allow an attacker to take control of the affected system, so, unless you have some very good reason not to upgrade your Adobe Acrobat/Reader immediately, you should.
For more details, here's a post from Sophos on Adobe Acrobat/Reader exploit and the official Adobe Reader/Acrobat security announcement.
As if we all hadn't learned the hard-learned lessons from 2001, including (among other things), not to open attachments we're not expecting and to not click links in emails when we're not expecting them, there's a new worm making its rounds today.
With this newest, latest, greatest iteration of the computer worm, this one dubbed "Here you have" or W32/VBMania@MM, we're taught apparently we need to re-learn some of those old lessons once more.
Here are what two of the worm's emails look like:
|Subject: Here you have|
This is The Document I told you about,you can find it Here.
Please check it and reply as soon as possible.
|Subject: Just For you|
This is The Free Dowload Sex Movies,you can find it Here. http://www.sharemovies.com/library/SEX21.025542010.wmv
Enjoy Your Time.
- via Outlook, spamming itself to everyone in your contact list
- over network shares
- AutoRun on removable media (i.e. flash/thumb drives)
All-in-all, it's a combination of the techniques of the old-school Outlook viruses and those of the more recent multi-vector worms, including disabling antivirus software.
Sneaky for sure.
On top of that, it's disguising itself as a .pdf file, when in fact it's an executable program.
As users, we've all been trained for so long that .pdf files are harmless, when in fact they're not, themselves having become an attack vector more than once recently.
At least as far as good news goes, the malware:
- isn't auto-executing (as the Outlook viruses were a few years ago)
- requires that a user click a link and run the file
- is being caught by most antivirus software
The difference with those earlier attacks is that the emails typically carried the malicious file itself and didn't rely on a link to a downloading site.
"But the technique used to entice users to click on the attachment or malicious link is the same: Offer the user something he wants to see.
Which brings up a point that can't be repeated enough:
- No matter how tempting: Avoid opening emails from strangers. Subject lines like the ones in this worm are a dead giveaway to their content.
- If you absolutely must open a stranger's email, don't click on links in them
- If you absolutely must click the link (or do so accidentally), if you're prompted to 'Run' a file, don't. Just don't.
No matter how tempting, I assure you, you're not missing out on anything except for anger, frustration, tears, heartache, and a trip to your local computer store.
An interesting post yesterday on malware statistics at The Register caught my eye:
more than one in three (36.7 per cent) of domains registered in the West African country hosting viruses or malicious code.
Cameroon domains are those that end in .cm and are easily arrived at as keyboard typos.
Imagine you've just meant to go to: www.example.com
Instead though, you've just typed: www.example.cm
That missing 'o' in .com in millions of domain names will take you to a different site than what you intended, and in this case, the .cm domain extension belongs to domains that are supposed to be site in and of Cameroon.
This little typo, according to a report called, "Mapping the Mal Web, The World's Riskiest Domains," [.pdf] by McAfee, Inc., makers of McAfee Antivirus,
"may explain why cybercriminals have set up fake typo-squatting sites that lead to malicious downloads or spyware under the country's domain."
It doesn't take a rocket scientist to figure this one out. With such an easy typo and a country not known for Internet security is all it takes to ensnare many unsuspecting computer users.
By setting up a bogus site at domains ending in .cm, the malware and virus writers are easily able to get people to visit their servers that host scripts that can automatically infect your computer with a virus, trojan, keylogger, or other malware.
Unless you're highly technically competent and can setup your own DNS server, the only practical solutions for most consumers is to do all of the following:
- 1. Keep your computer patched.
- A PC with the latest Microsoft Windows updates is significantly harder to infect than an unpatched computer.
- 2. Don't run as Administrator (or with Administrator privileges.)
- By running with a user account with lower permissions, it makes it harder for some viruses and malware to infect your machine.
In contrast, when you run with Admin privileges, you're giving the edge to the viruses, as your account has all the permissions they need to infect your machine, hide themselves, and become even harder to remove.
- 3. Check your web browser's security settings.
- Sometimes, regardless of if you're running Internet Explorer, Firefox, or Opera, when you're web surfing, the default permissions can get in the way of you doing what you need to.
Because of this, you may have altered the default permissions to looser ones than can make it easier--or even enable--these types of malware attacks.
- 4. Run antivirus firewall software.
- Internet security software, including a firewall, antivirus software, and antispyware can help prevent the malware scripts from infecting your machine.
The piece did have some positive news... it looks like Hong Kong is taking things seriously on the virus and malware front:
"Hong Kong (.hk) websites have successfully managed to purge themselves of malware threats – droppings from the most risky domain last year, to a mid-table (34th) position next year.
"This year only 1.1 per cent of .hk sites pose a risk, compared to one in five .hk Web sites setting off warning bells in McAfee's equivalent report last year.
"McAfee credits 'aggressive measures' from .hk’s domain managers in clamping down on dodgy registrations for the drop."
Hats off to the domain registrars in Hong Kong.
|Top 10 Riskiest Top Level Domain Extensions1|
|Rank||Country / Name||Extension|
|8||Former Soviet Union||.su|
|1 Data originally published in McAfee's "Mapping the Mal Web, The World's Riskiest Domains," [.pdf]|
One of the growing concerns for many security and antivirus professionals is the dramatic growth of fake antivirus software.
The idea behind fake A/V software is to trick unsuspecting consumers into downloading and installing their fake software in an effort to get trojans, viruses, spyware, and other malware installed onto PCs in the process.
There's nothing real about the fake software, except the threat it poses.
The process works like this:
- Trick consumer with a real looking, real sounding ad on an (often unsuspecting) legitimate website
- Get consumer to install the phony (but very real looking) antivirus application
- Stuff any number of trojans, keyloggers, spyware, and other evil applications into the fake antivirus program
- Use the newly infected computer to do their bidding, including (among other things):
- identity theft
- credit card fraud
- bank theft
- infecting other computers
Solution to the Fake Antivirus Software Problem
Word is filtering out today about a way to tell fake antivirus software from legitimate ones.
A new site from security and SSL vendor Comodo of a project they're backing called, "Common Computing Security Standards Forum," aims to help consumers figure out what's real and what's not.
In their list of all known legitimate antivirus software vendors, they hope to help put an end to the dummy antivirus programs out there and to help consumers stay clear of the crap.
In addition to thanking them for their efforts, here is a complete list of current antivirus vendors known to Comodo to be the real deal:
|Legitimate Antivirus Software Vendors|
You'll note, every one of the programs (reviews linked above) are included in our antivirus reviews since day one of our site are included on the list.
If you know of other legitimate A/V software not on the list, please contact us so that we can share your insight with the folks at Comodo.
Sad to say, the bad guys are at it again.
Computerworld brings news of a new, as yet unpatched ActiveX bug that's being exploited to compromise PCs.
Already because of these attacks, threat conditions have been raised by several antivirus vendors including, Sunbelt, makers of VIPRE; Symantec, makers of Norton AntiVirus; and makers of McAfee VirusScan.
|Antivirus Vendor||Threat Details Page|
|Sunbelt||Sunbelt Security Blog|
|McAfee||McAfee Avert Labs|
Additionally, SANS.org's ISC (Internet Storm Center), temporarily went to condition yellow, with the release of this ISC Diary Entry called, Vulnerability in Microsoft Office Web Components Control Could Allow Remote Code Execution.
Here are some key highlights from ISC's Diary entry,
- "The vulnerability is being actively exploited on web sites."
- "One other obvious mitigation step is to use an alternate web browser (as in other than IE) that does not make use of ActiveX." [AVR Editor's Note: If you haven't already tried Mozilla Firefox, we recommend you download Firefox and give it a try.]
- Attack vectors include,
"A .cn [Chinese] domain using a heavily obfuscated version of the exploit." [AVR Editor's Note: The key word here is "obfuscated." You may not even know you're on a Chinese domain being infected with this virus when it happens.]
- Another attack vector mentioned was, "A highly targeted attack against an organization earlier today who received a Microsoft Office document with embedded HTML.
"This one was particularly nasty, it was specifically crafted for the target - with the document being tailored with appropriate contact information and subject matter that were specific to the targeted recipient.
"Analysis of the document and secondary payload found the attacker used a firewall on the malicious server so that all IP traffic outside of the targeted victim's domain/IP range would not reach with the server."
Regrettably, as with many things, the bad guys beat Microsoft to the punch, and a patch for the security vulnerability hasn't yet been released.
In the mean time, Microsoft has a manual Active X Vunlerability Workaround [AVR Editor's Note: Look for 'Enable workaround' beneath the 'Fix it for me' section'.]
Here are further details of Microsoft Security Advisory on the MS Office ActiveX Vunerability.
It should come as no surprise that we're big believers in antivirus software and in keeping antivirus software updated; however, as any customer we've gone to bat for with the various vendors will testify, we're also consumer advocates.
Today, we got news that Symantec (makers of Norton Antivirus) and McAfee (makers of McAfee VirusScan Plus), two companies for which we have tremendous respect, have both reached a settlement with New York's Attorney General, Andrew M Cuomo, in a case about autorenewing antivirus subscriptions without the explicit consent of their respective customers.
Here are the details from the article about the antivirus renewal settlement on PCPro.co.uk:
"The investigators found that, 'information about automatic renewal charges was not clearly disclosed, but was instead hidden at the bottom of long web pages or in the fine print of license agreements.'
"The companies have now agreed to provide electronic notification both before and after the renewal of subscriptions.
"Customers will also be allowed to apply for refunds for up to 60 days after being charged."
Autorenewals themselves aren't necessarily a bad thing; in fact they can be quite beneficial to the consumer in that they obviate the need for a consumer to remember to renew antivirus subscriptions, thus keeping their computers safer.
The key thing here is that the consumer is well-aware of the renewals rather than being hit with them after the fact and only finding out about them on their credit card statements.
If you're uncertain what the terms of your antivirus software subscription renewal are, it's a good idea to find out when it is, and if you're due soon, remember to take a look at other antivirus options before yours expires.
After all, because the malware writers are getting smarter every day, the antivirus software has to get smarter, too, so a lot happens from year to the next with antivirus software.