It isn't every day you get to see what a real Trojan attack looks like.
When you do, there's seldom time to even take screenshots: you just want to get the heck out of Dodge.
But this time, while putting together material for our upcoming free workshop, I happened across a real attack and was able to record it.
If you've ever wondered what an attack looks like, here's your chance to see one.
Here's the best/worst part: nothing stopped it.
- Not our Internet Security Software.
- Not any of our browsers' built-in malware protection.
- Not even Windows 10's built-in security.
See for yourself how it happened and what you can do to stop it.
Let's take a look.
First, Lee Ferran and Rhonda Schwartz of ABC News should get an award. In their piece on Flame, they claim:

"The cyber espionage super bug Flame compromised a key Microsoft security system, the company has now revealed, prompting Microsoft to issue an emergency patch to its millions of customers because of fears of what one expert called potential "collateral damage" from the U.S. and Israel's cyber war against Iran."

I left in the entire paragraph from their article so that it could be seen in all its glory.
At best, the quote above is misleading. At worst, it's alarmist.
Now, let's set the record straight. For starters, no one compromised a "key Microsoft security system." "Compromised" by most any measure--but particularly in cybersecurity parlance--implies there was an intrusion into Microsoft.
There was no such intrusion.
What really happened? Flame's authors got hold of a certificate issued by Microsoft's Terminal Server Licensing Service, a certificate that chained up to a Microsoft root that every copy of Windows trusts. Those licensing certificates were issued in a way that left room for abuse (among other things, they were signed with MD5, and the Flame authors ran a collision attack against it), and the end result was a certificate Windows would accept for signing code. That let the creators of the Flame virus sign their software as if it had been written by Microsoft. Nobody had to break into Microsoft's network to do it; it was a certificate chain trusted by Windows itself that was abused.
Was it serious pie/mud in Microsoft's face? Sure. Was it a compromise of "a key Microsoft security system"? Hardly.
What's worse is the article goes on to say, "The same day Microsoft revealed their security breach...." This bears repeating with emphasis.
There was... no... security... breach... at Microsoft.
Virus writers abused a weakness in how one of Microsoft's certificates was issued to make their own code look like it came from Microsoft, and used that to get it onto victims' computers. That's it.
Now that that's clear, just what is this thing?
It's a virus; well, technically, it's a worm, and it appears to be in the same vein as Stuxnet in that it may have been written by a nation-state. And it's been out there for a long time: at least five years, say Kaspersky's researchers working on its analysis.
OK, so what's it do?
A better question: is there anything it doesn't do?
So far, according to Kaspersky's analysis of Flame, it can:
- Enumerate nearby Bluetooth devices
- Record audio (if there's a microphone)
- Create backdoor accounts on infected machines (HelpAssistant)
- Listen for incoming network requests
- List the PC's directory contents
- List "interesting" files
- Log keystrokes
- Upload collected data to remote servers
- Identify antivirus software and firewalls
Now the real question: are you at risk?
As with any virus, the answer is maybe. In this particular case, it's a worm, which makes matters worse since worms, by their very nature, seek out new targets to infect on their own.
Making matters worse is that it appears this bugger has been out there for at least five years, meaning it's had plenty of time to fly under the radar, infect PCs, and do its business.
The (slight) upside of things--at least if you're a home consumer not living in the Middle East--is that it appears it only targets PCs of "value" in the Middle East and according to Kaspersky, it appears to've infected about 1,000 PCs. (In this case "value" means those in some way related to government, military, or defense related organizations, from which it can glean intelligence data.)
Getting Rid of Flame

As complex as this worm is, at least one major antivirus company (in this case BitDefender) has already created a detection and removal tool. If you think your regular antivirus software may've missed it (or you're not running any), here's where you can find out: http://labs.bitdefender.com/2012/05/cyber-espionage-reaches-new-levels-with-flamer/.
One last thing: if you're looking for more information on Flame, keep in mind that, as most viruses do, it goes by other names: Flamer, sKyWIper, and Skywiper.
People sometimes question why antivirus software that's not a part of the operating system is a must.
With Windows 8 for instance, Microsoft has announced they're including their own antivirus software right in the operating system itself.
To be blunt: this is meaningless, particularly in the way of making a PC safer. The first antivirus software the virus writers will make sure their software evades will be that which is built into Windows! And so, this A/V software means nothing more than a false sense of security for most people and some delays for the bad guys.
Having good third-party antivirus software means you have another layer of protection the bad guys don't necessarily know about. Sure, they may try to avoid detection by independent antivirus programs, especially the most common ones, but if they're at least beating the baked-in antivirus software, their battle is largely done.
Yes, it might make it harder to find ways to infect PCs to begin with, but all that does is slow them down a bit.
Now, let's bring Apple into the picture.
Apple was criticized first for its slowness in applying the patches to Java that Oracle had released months earlier (the delay that let the Flashback Trojan hit Macs as hard as it did to begin with), then a second time for not working with the antivirus community that was eager to help, and then a third time for not releasing detection and removal tools.
Luckily, the antivirus companies entered the picture. First was Dr. Web with its disclosure of the Trojan (and "sinkholing" of the botnet's command-and-control domain names).
Then F-Secure came into the picture with manual instructions for determining if your Mac had been compromised. On the heels of that was Kaspersky with free, automated Flashback detection and removal tools.
All of these companies beat Apple--by a LONG shot--at protecting their customers (and non-customers alike) with their steps and tools they each respectively made.
Oh, and lest it go unsaid, Apple did release an update to Java that patches the hole and removes the most common variants of the Flashback malware.
Here's what the update looks like in Software Update:
Sheryl writes in to ask,
"OK, so I'm not happy with the anti-virus software that came on my laptop, and it's nagging me all the time to "renew my subscription"--one I didn't even know I had.
"I'd love to get rid of it just because I'm fed up with their nagging me.
"I'm assuming it's possible to replace it with a new anti-virus program, but I don't know how.
"Can you help?? Please??"
Here's my reply:
Yes, it's possible. It's easy, and I'm glad to help.
STEP 1: PICK THE NEW SOFTWARE
For starters, you'll want to figure out what antivirus software (or Internet security suite) you're going to get to replace what's on there now.
Doesn't make sense to rip the old one out 'til you know what's going in its place.
My suggestion would be to start with our antivirus software Buyer's Guide. (It's on the right side of every antivirus software review page of our site.)
STEP 2: UNINSTALL THE OLD SOFTWARE
We'll assume you've got the new software chosen, so next we'll get rid of the old software.
The easiest way to uninstall any (legitimate) program on Windows is to use the "Uninstall a program" link [1] within the Windows Control Panel.
[Shown here: Accessing the "Uninstall a Program" link]
[Shown here: Find the program in the list. Click "Uninstall".]
STEP 3: INSTALL THE NEW SOFTWARE
"Duh... of course," some of you might be thinking, but here's the deal: in Step 1, your goal is only to figure out what A/V software you're going to use, NOT to install it then and there.
The old antivirus software has to come off before the new one goes on: two real-time scanners fighting over the same files and the same system hooks cause conflicts and slowdowns, and can leave neither one working properly. In the meantime, though, we want the PC to go without security software for as little time as possible.
Since figuring out what antivirus program is best for your needs takes more than a few seconds, you don't want to uninstall the old one 'til you know what the new program is going to be, and you'll want the new installer downloaded and ready before you click "Uninstall".
[1] If you're using a version of Windows prior to Vista, you'll find it under the "Add/Remove Programs" button in the Control Panel.
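After the swap, it's worth confirming that Windows actually sees exactly one antivirus product and that nothing from the old one is lingering in the uninstall list. The script below is an added example for this post, not something from the original article or from any antivirus vendor. It reads the same Security Center registration that the Action Center icon relies on (available on Vista and later, not XP) and walks the standard Uninstall registry keys; the "OldVendor" name pattern at the bottom is a placeholder you would replace with the name of the product you just removed.

```powershell
# Added example (not from the original post): verify an antivirus swap.
# Run from an elevated PowerShell prompt on Vista or later. Get-WmiObject is
# used rather than Get-CimInstance so it also works on Windows 7's PowerShell 2.

function Get-RegisteredAntivirus {
    # Security Center's view: every product that registered itself as antivirus.
    # This is what Action Center uses to decide whether to show a red shield.
    Get-WmiObject -Namespace 'root\SecurityCenter2' -Class 'AntiVirusProduct' |
        Select-Object displayName, productState, pathToSignedProductExe
}

function Find-UninstallEntry {
    param([Parameter(Mandatory = $true)][string]$NamePattern)
    # Both the native and the 32-bit-on-64-bit uninstall hives.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem $root | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            if ($p.DisplayName -and $p.DisplayName -match $NamePattern) {
                [pscustomobject]@{
                    DisplayName     = $p.DisplayName
                    Publisher       = $p.Publisher
                    UninstallString = $p.UninstallString   # what Control Panel would run
                    RegistryKey     = $_.PSPath
                }
            }
        }
    }
}

$registered = @(Get-RegisteredAntivirus)
$registered | Format-Table -AutoSize

# Expect exactly one product after the swap. Two means the old one is still
# hooked in; zero means the new one has not registered yet (or its install failed).
if ($registered.Count -ne 1) {
    Write-Warning "Security Center reports $($registered.Count) antivirus product(s); expected exactly 1."
}

# Look for leftovers from the product you removed. 'OldVendor' is a placeholder.
Find-UninstallEntry -NamePattern 'OldVendor' | Format-List
```

If a leftover entry shows up with an UninstallString, running that string is the same thing Control Panel does; if the entry exists but the string points at a file that is gone, that is the case where the vendor's own clean-up tool is needed.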
We get a lot of questions to our "Ask the Experts" link. We answer 'em all.
Most times they're good questions. Some times they're great.
One such question came in today from Rich who asks,
"Which antivirus program and firewall can I use on a laptop with Windows 2000 Pro installed?
"The laptop hardware meets most programs' requirements, but most programs say XP or newer.
"My laptop works great as is and I would just like to have good antivirus and firewall protection."
Here's my reply:
This is definitely a tough question.
The problem is this: Windows 2000 (which was my favorite version of Windows) is SO far out of patch from Microsoft (it is almost 2012) that even if you were to find antivirus software for it, which I quite doubt, the OS itself isn't being updated and thus can't be secured anymore.
If the underlying OS is insecure, all bets are off.
I say this with a background as former CTO of a publicly traded credit card processing company. These types of issues weren't just what-if scenarios there, but things I had to make policy about for my company and shareholders.
The bottom line: even back then I wouldn't have allowed someone to connect to my network with an OS that old; now you're talking about one that's, literally, 12 years old.
It just cannot be secured. Plain and simple.
Here's the next rub: the way antivirus software "hooks" into the OS has changed even since XP. On XP, most products intercepted system calls by patching the kernel's system service table (the SSDT). One malware researcher showed that those hooks could in some cases be circumvented, and most any antivirus software bypassed, by swapping a call's arguments after the hook had checked them but before the kernel used them. Newer 64-bit versions of Windows block that style of hooking outright and give vendors supported filter and callback interfaces instead. And that was the story with XP. Who knows what the story is with W2K.
Since Windows 2000, Microsoft has released:
- Windows XP
- Windows 2003 (servers)
- Windows Vista
- Windows 2008 (servers)
- Windows 7
So, as much as I'd love to recommend a product, I'd be doing you a disservice.
Here's why: the reason no antivirus company is making software for 2000 anymore is that if Microsoft isn't updating the underlying OS, the A/V companies certainly aren't willing to put their necks on the line trying to defend what is, practically speaking, indefensible.
Further, most web browsers--the most common attack vector of viruses these days--are no longer supporting Windows 2000.
No matter where you look, the propeller heads have long since decided to turn their backs on Win2K.
Believe me, I'm a fan of old computer hardware (and I loved Windows 2000) and want to keep things running 'til the end of time, but we're talking about technology not a classic car. (My wife made me recycle more old PCs last year than I'm comfortable even admitting were in my house. I had hardware made in 1991 that still ran.)
In your case, if you're serious about keeping the data on that PC secure, you need to put it to pasture. It just cannot be secured.
My take: a trip to your local Best Buy, to NewEgg.com, or to Buy.com and look for a new lappy. These days, great machines can be had for a song.
And one final note I forgot to mention to Rich: Yes, you can definitely remove the antivirus software that comes pre-installed on a new computer.
It's seldom the best antivirus software for your needs and is often there just because the antivirus company and the computer maker struck a deal to put it there to begin with.
Chances are, they just paid the manufacturer more than the next guy for the privilege. They know a large percentage of people will assume if it's there it must be the best, and they end up renewing the antivirus software when the subscription runs out.
If you haven't already gotten notice from your PC that there are updates waiting to be installed, you're now on notice.
This batch of patches covers a lot of ground: Windows, Internet Explorer, and even Microsoft Office (which you'll likely need to take care of separately).
With so many patches, you can count on one thing: the bad guys are watching these updates, too, to see what things they can exploit on un-patched PCs.
According to a great summary at ComputerWorld on the Microsoft Security Updates:

"Microsoft today issued 13 security updates that patched 22 vulnerabilities in Internet Explorer, Windows, Office and other software, including one that harked back two decades to something dubbed 'Ping of Death.'"

Here's how the 13 updates break down:
- Critical: 2
- Important: 9
- Moderate: 2

Curiously, there's some debate among security researchers about which updates are most important. As ComputerWorld puts it, "Other security experts from Symantec [makers of Norton Antivirus] and Kaspersky Lab also highlighted the IE update as the one users should deploy first."

Given this many updates, and this many high-priority updates, there's no question: this batch is worth taking the time, reboot included, to get them all applied.
As far as I'm concerned, no one should be wondering, "Gosh, which ones should I apply?" or, "Which ones should I apply first?"
Simple. Do them all. Immediately.
The one in particular that caught a lot of people's attention was the "Ping of Death" patch, which sounds to a lot of people like the old "Ping of Death" that could be done to PCs years ago.
This raises the question: are there already exploits for this bug?
Equally important, though: why is this only labeled "Important" and not "Critical"? Microsoft's rating reflects the worst thing the bug can do, and this one is a denial of service, not remote code execution; nobody gets to run their own code on your PC with it.
Regardless, it really is "Critical" in my opinion because of the ramifications of having an unpatched system.
Exploiting this bug requires very little technical knowledge: crafted packets sent at the machine from across the network are enough to knock it offline or crash it, effectively shutting your PC down.
In Ye Olden Days, a similar attack would even cause the computer to reboot, and continue to reboot, 'til the attacker stopped their attack or you disconnected your PC from the Internet. Ouch.
Bugs like this are one of the main reasons why looking at an Internet Security Suite with built-in firewall software is so important. In most cases a PC protected by a software firewall that drops unsolicited inbound traffic would be shielded from this and similar attacks.
Regardless of whether or not you have an ISS with a software firewall, there are still a lot of other things these updates take care of, so get it done!
Here's where you can get the patches:
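For anyone who would rather see the "do them all" list than wait for the tray notification, here is an added example (mine, not from the original post or from Microsoft) that asks the Windows Update Agent which updates are offered but not yet installed, shows Microsoft's severity rating for each, and checks that the host firewall is on for every profile. It uses the Windows Update Agent COM API and the netsh advfirewall command, both of which ship with Windows (Vista and later for netsh advfirewall); the severity ordering and the output columns are my choices.

```powershell
# Added example (not from the original post): list pending updates by severity
# and confirm the Windows firewall is on. Run from an elevated PowerShell prompt
# on Vista or later. Nothing here installs anything; it only reports.

function Get-PendingUpdates {
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    # IsInstalled=0: offered but not installed. IsHidden=0: skip ones the user hid.
    # Office updates only show up here if the PC is opted in to Microsoft Update.
    $result = $searcher.Search('IsInstalled=0 and IsHidden=0')
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            Title    = $u.Title
            Severity = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'n/a' }
            KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Reboot   = $u.InstallationBehavior.RebootBehavior   # 0 never, 1 always, 2 can request
        }
    }
}

function Get-FirewallProfileState {
    # Parses netsh output so it works on Vista/7, where Get-NetFirewallProfile does not exist.
    $lines = netsh advfirewall show allprofiles
    $profile = $null
    foreach ($line in $lines) {
        if ($line -match '^(\w+) Profile Settings:') { $profile = $Matches[1]; continue }
        if ($profile -and $line -match '^State\s+(ON|OFF)') {
            [pscustomobject]@{ Profile = $profile; State = $Matches[1] }
        }
    }
}

# Highest severity first; anything without an MSRC rating (drivers, definitions) last.
$order = @('Critical', 'Important', 'Moderate', 'Low', 'n/a')
$pending = @(Get-PendingUpdates)
$pending | Sort-Object { [array]::IndexOf($order, $_.Severity) } | Format-Table -AutoSize
Write-Host "$($pending.Count) update(s) pending."

$fw = @(Get-FirewallProfileState)
$fw | Format-Table -AutoSize
foreach ($p in $fw) {
    if ($p.State -ne 'ON') { Write-Warning "Windows firewall is OFF for the $($p.Profile) profile." }
}
```

The Reboot column is the practical one: an update that reports 1 will not finish protecting the machine until the PC is restarted, which is exactly the "including reboot" part above.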
"At the end of July 2011, Microsoft can say that Windows XP finally fell below the 50 percent mark. In other words, Redmond's decade-old operating system is now used by less than half of all Internet users."

So says a TechSpot piece about the current OS market share.
Our own site stats are a little different but show XP remains a force to be reckoned with. Here's what things look like for us compared to this time last year:
Operating System     | July 2010 | July 2011 | Percent Change
Windows Server 2003  | 0.5%      | 0.4%      | (10%)
As you can see with our own website stats, Windows 7 is, thankfully, the only Windows version increasing its marketshare compared to what we were seeing last year.
In contrast, all the others, especially Windows XP and old-as-dirt Windows 2000 are on the decline.
The much maligned Windows Vista is also on the decline, where we're seeing a 40% year-over-year drop in the percentage of users visiting our site who're running Vista.
Given as many complaints as Vista generated, it's understandable why folks are holding on to XP.
There's certainly--amongst a lot of consumers--a cloud of unease still looming over the Windows versions after XP. To a lot of consumers, if Vista was no good, what's so special about Windows 7?
And for that matter, what's so wrong with Windows XP that you've absolutely got to upgrade?
Let's be honest: Windows XP works. It's a good OS, and with Microsoft now promising to support it 'til 2014, it's going to take a lot to pry it from a lot of folks' hands, despite it having less baked-in, under-the-hood security than Windows 7.
Which is actually the only real reason to upgrade, frankly: Windows 7 has far better security within it than XP does. How's that?
Windows XP was definitely an improvement over Windows 98 and Windows 2000, for sure. Since then, though, with Vista and 7, Microsoft engineers spent a lot of time on a truckload of new technologies to help the OS be a lot more resilient to attacks, web-based and otherwise: address space randomization (ASLR) and data execution prevention for Windows components, User Account Control so everyday work doesn't run as administrator, a sandboxed "Protected Mode" for Internet Explorer, and on 64-bit builds, kernel patch protection that keeps malware (and antivirus software) from rewriting the kernel.
Without getting into all the geek-speak, suffice it to say: it's safer. Even the way antivirus software communicates with Windows 7 has changed from the way it communicated with XP. It's that different.
That said, we're realists, and from our perspective, Windows XP visitors still represent about one in three people to our site. A lot of things are keeping people on Windows XP, not the least of which is uncertainty about what upgrading to Windows 7 means.
For a lot of people, spending $20 or $30 for the best antivirus software, which they'd need with Windows 7 anyway, and getting another year or two out of their old PC makes a lot more financial sense than a large outlay of cash on a new PC or an OS upgrade.
Certainly, we ourselves are happy to help everyone running XP find the right antivirus software for their needs--it's still a LOT of people, and antivirus software companies are still definitely supporting XP.
In fact, we still do some of our antivirus software testing on Windows XP. Sure, our tests always center around Microsoft's latest OS, but we still test with XP also.
And from a security standpoint, I believe antivirus software companies will still be supporting Windows XP as long as Microsoft does.
Practically speaking, if Windows XP works, Microsoft is still supporting it, and you can still get antivirus and Internet security software for it, the only thing that will cause most people to upgrade is when they have a hardware failure or other reason to get a new PC.
In the mean time, remember to keep your OS and applications patched regardless of what version of Windows you're running.
If you've never experienced a real-life hard drive failure consider yourself lucky. And warned.
It's only a matter of time before yours goes south. In my case, being a geek both in my personal and business lives for many years now, I've had more hard drives fail than I can count.
Even if you've got good backup software (and you're sure the backups restore properly), the restoration process is always painful and more time consuming than you expect. If you don't have backups, well... you may just be screwed.
Sure, there's special hard drive recovery software that can often be brought in to save the day and there are hard drive recovery services, too, although these services can carry a staggeringly hefty price if you have a lot of data to recover, a complex RAID hard drive setup, and/or an especially tricky drive crash.
No matter what, no one, except those folks in the data recovery business like hard drive failures.
It's this fear of data loss that's motivating the latest malware writers to do their thing and create craptastic software no one needs--and certainly no one wants.
In this particular case, the malware, which Symantec is calling "Trojan.Fakefrag," is, they say, "essentially a wrapper around UltraDefragger."
How do you know if you've been infected? Here's what Symantec says to look for:
- It moves all the files in the "All Users" folder to a temporary location and hides files in the "Current User" folder. This makes it look like you have lost all the files on your desktop.
- It stops you from changing your background image.
- It disables the Task Manager.
- It sets both the "HideIcons" and "Superhidden" registry entries to give the impression that more icons have been deleted.
Wow. Just about anyone experiencing these things would probably think their hard drive was failing, too.
What next? Again quoting the Symantec researchers,
"It then "helpfully" displays a message recommending that you run a diagnostic utility on your computer, launches the Windows Recovery misleading application, and adds a link to it on both your desktop and the start menu.
"The misleading application finishes the job, hoping that the victim will pull out their credit card for the $79.50 price tag."
So what's it look like?
Thankfully, they included a screenshot:
If you see this on your PC, and you're running antivirus software already, make sure your antivirus definitions are updated and run a full system scan immediately.
If you're not, now's a good time to take a look at getting some. It's cheaper than the malware's $79.50 price to "fix" your PC, and you'll actually be getting something for your money.
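The symptoms Symantec lists are all things a script can check for in a few seconds, which is handy when you're looking at a "dead" PC and don't yet know whether it's the disk or a scareware program. The script below is an added example written for this post; it is not from Symantec's write-up and it is not a signature for this Trojan. The registry locations are the standard Explorer and policy keys that control desktop icons, hidden files, Task Manager and the wallpaper; tying them to Trojan.Fakefrag is an assumption based on the symptoms described above, so treat a hit as a reason to scan, not as proof.

```powershell
# Added example (not from the original post or from Symantec): triage the
# registry-level symptoms of a "your disk is dying" scareware infection.
# Run as the affected user (the values live under HKCU).

$adv    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$sysPol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$adPol  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'

# Value, location, the setting that matches the symptom, and what it means.
$checks = @(
    @{ Path = $adv;    Name = 'HideIcons';           Bad = 1; Meaning = 'Desktop icons hidden' },
    @{ Path = $sysPol; Name = 'DisableTaskMgr';      Bad = 1; Meaning = 'Task Manager disabled by policy' },
    @{ Path = $adPol;  Name = 'NoChangingWallPaper'; Bad = 1; Meaning = 'Wallpaper change blocked by policy' }
)

function Get-RegValue([string]$Path, [string]$Name) {
    if (-not (Test-Path $Path)) { return $null }
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-ScarewareSymptoms {
    $findings = @()
    foreach ($c in $checks) {
        $v = Get-RegValue $c.Path $c.Name
        if ($null -ne $v -and $v -eq $c.Bad) { $findings += "$($c.Meaning) ($($c.Name)=$v)" }
    }
    # Explorer's "show protected OS files" switch; reported for context, not flagged,
    # because 0 is also the default on a clean machine.
    $superHidden = Get-RegValue $adv 'ShowSuperHidden'
    $findings += "ShowSuperHidden=$superHidden (informational)"
    # A desktop full of hidden files is rare on a healthy machine.
    $desktop = [Environment]::GetFolderPath('Desktop')
    $hidden = @(Get-ChildItem -Path $desktop -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden })
    if ($hidden.Count -gt 0) { $findings += "$($hidden.Count) hidden item(s) on the desktop" }
    return $findings
}

function Repair-ScarewareSymptoms {
    # Undoes the cosmetic damage only. It does NOT remove the malware; run a full
    # scan with current definitions afterwards. Log off and on for Explorer to pick
    # the registry changes up.
    Set-ItemProperty -Path $adv -Name 'HideIcons' -Value 0 -Type DWord
    Set-ItemProperty -Path $adv -Name 'Hidden'    -Value 1 -Type DWord   # 1 = show hidden files
    foreach ($c in $checks | Where-Object { $_.Path -ne $adv }) {
        if (Test-Path $c.Path) { Remove-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue }
    }
    $desktop = [Environment]::GetFolderPath('Desktop')
    Get-ChildItem -Path $desktop -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden } |
        ForEach-Object { $_.Attributes = $_.Attributes -bxor [IO.FileAttributes]::Hidden }
}

Test-ScarewareSymptoms
# Repair-ScarewareSymptoms   # uncomment once you've decided it's scareware, not a disk
```

Files the malware moved out of the "All Users" folder are not something this can put back, since it has no way of knowing where they went; that part, and the removal itself, is the antivirus scan's job.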
Microsoft's Jeff Williams gives an update on Microsoft's part in continued action to eradicate the Win32/Rustock botnet.
Over a year ago Microsoft marshalled a unique botnet-fighting team. Made up of others in industry and some folks in academia, they used a combination of legal and technical means to take control of the Win32/Waledac botnet as the first milestone action in project MARS (Microsoft Active Response for Security).
A similar action in the past couple of days has had its court records unsealed, which allowed Microsoft to talk more openly about the Win32/Rustock botnet.
Sure, Waledac was a simpler and smaller botnet than Rustock, but because of lessons learned with it, Microsoft was able to take on the much larger Rustock botnet.
Rustock is estimated to've infected over a million computers and was spewing out millions of spams daily.
In fact, some statistics have suggested that at its peak, Rustock accounted for a staggering 80% of all spam traffic by volume and was sending at a rate of over 2,000 messages per second.
What was so impressive in the botnet takedown was the scope of things: the seizure of command and control servers was under court order from the U.S. District Court for the Western District of Washington; the order was carried out by the U.S. Marshals Service and by authorities in the Netherlands.
That alone would be a fairly big deal, but here's the kicker: investigators are now going through evidence seized from five hosting centers in seven locations to learn more about those responsible and their activities.
This was a collaboration with others such as Pfizer (whose brands were infringed on from fake-pharma spam coming from Rustock), FireEye, and the University of Washington.
All three gave valuable statements to the court on the behavior of Rustock and on the specific dangers to public health, in addition to those affecting the Internet.
We applaud Microsoft and its partners for pulling this off. Their continued work with CERT and ISPs around the world is the only way to reach those whose computers are infected and help defeat and remove these viruses.