05/10/2017

When Antivirus Software Fails You: How to Spot (and Defeat!) a Real Malware Attack


It isn't every day you get to see what a real Trojan attack looks like.

When you do, there's seldom time to even take screenshots: you just want to get the heck out of Dodge.

But, this time, in putting together material for our upcoming free workshop when I happened across a real attack I was able to record it.

If you've ever wondered what an attack looks like, here's your chance to see one.

Here's the best/worst part: nothing stopped it.

  • Not our Internet Security Software.
  • Not any of our browsers' built-in malware protection
  • Not even Windows 10 built-in security.

See for yourself how it happened and what you can do to stop it.

 



Be the first to know about
our upcoming free workshop!

We'll cover problems like this, plus free, easy-to-do PC optimization, and other useful, real-world PC help topics.

I promise you, it'll be some of the
best, most useful stuff you'll ever see.


Put in your details here to be the first notified.

[Click here to download the printable step-by-step companion "recipe" file.]
This file opens in a new tab / Window for you.


06/05/2012

Should I Be Concerned about the Flame Worm?

Since it was uncovered, there's been a lot of (mis)information on what Flame is, how it works, and what's at risk.

Let's take a look.

First, Lee Ferran and Rhonda Schwartz of ABC News should get an award. In this piece on Flame, they claim,
"The cyber espionage super bug Flame compromised a key Microsoft security system, the company has now revealed, prompting Microsoft to issue an emergency patch to its millions of customers because of fears of what one expert called potential "collateral damage" from the U.S. and Israel's cyber war against Iran."
I left in the entire paragraph from their article so that it could be seen in all its glory.

At best, the quote above is misleading. At worst, it's alarmist.

Now, let's set the record straight. For starters, no one compromised a "key Microsoft security system." "Compromised" by most any measure--but particularly in cybersecurity parlance--implies there was an intrusion into Microsoft.

There was no such intrusion.

What really happened? A garden variety compromise of Windows lead to a privilege escalation that allowed the creators of the Flame virus to sign their software as if it had been written by Microsoft. (Garden variety may be a little off the mark, but hopefully, you get the idea. It was Windows itself that was compromised.)

Was it serious pie/mud in Microsoft's face? Sure. Was it [compromise] of "a key Microsoft security system"? Hardly.

What's worse is the article goes on to say, "The same day Microsoft revealed their security breach...." This bears repeating with emphasis.

There was... no... security... breach... at Microsoft.

Virus writers used existing software on the victims computers to trick the user into installing their software. That's it.

Now that that's clear, just what is this thing?

It's a virus, well, technically, it's a worm, and it appears to be of the same vein as Stuxnet in that it appears that it may've been written by a nation-state. And it's been there for a long time--at least five years say Kaspersky's researchers working on its analysis.

OK, so what's it do?

A better question: is there anything it doesn't do?

So far, according to Kasperksy's analysis of Flame it can:
  1. Ennumerate nearbly bluetooth devices
  2. Record audio (if there's a microphone)
  3. Create backdoor accounts on infected machines (HelpAssistant)
  4. Listen for incoming network requests
  5. List the PCs directory contents
  6. Lists "interesting" files
  7. Logs keystrokes
  8. Upload collected data to remote servers
  9. Identifies antivirus software and firewalls
This is a pretty nasty/impressive list of feats.

Now the real question. Are you at risk.

As with any virus, the answer is maybe. In this particular case, it's a worm, which makes matters worse since worms, by their very nature, seek out new targets to infect on their own.

Making matters worse is that it appears this bugger has been out there for at least five years, meaning it's had plenty of time to fly under the radar, infect PCs, and do its business.

The (slight) upside of things--at least if you're a home consumer not living in the Middle East--is that it appears it only targets PCs of "value" in the Middle East and according to Kaspersky, it appears to've infected about 1,000 PCs. (In this case "value" means those in some way related to government, military, or defense related organizations, from which it can glean intelligence data.)

Getting Rid of Flame

As complex as this worm is, at least one major antivirus company (in this case BitDefender) has already created a detection and removal tool. If you think your regular antivirus software may've missed it (or you're not running any), here's where you can find out: http://labs.bitdefender.com/2012/05/cyber-espionage-reaches-new-levels-with-flamer/.

One last thing, if you're looking for more information on the Flame, keep in mind that it goes by other names: Flamer, sKyWIper, and Skywiper, as most virues do.

04/13/2012

Flashback Checker & Removal Tools (or Why Antivirus Software is a Good Thing)



People sometimes question why antivirus software that's not a part of the operating system is a must.

With Windows 8 for instance, Microsoft has announced they're including their own antivirus software right in the operating system itself.

To be blunt: this is meaningless, particularly in the way of making a PC safer. The first antivirus software the virus writers will make sure their software evades will be that which is built into Windows! And so, this A/V software means nothing more than a false sense of security for most people and some delays for the bad guys.

Having good third-party antivirus software means you have another layer of protection the bad guys don't necessarily know about. Sure, they may try to avoid detection by independent antivirus programs, especially the most common ones, but if they're at least beating the baked-in antivirus software, their battle is largely done.

Yes, it might make it harder to find ways to infect PCs to begin with, but all that does is slow them down a bit.

Now, let's bring Apple into the picture.

Apple was first criticized for its slowness first in applying the patches to Java that Oracle made months ago (they delays which caused the Flashback Trojan to hit Macs as virulently as it did to begin with), then a second time for not working with the antivirus community that was eager to help, and then a third time for not releasing detection and removal tools.

Luckily, the antivirus companies entered the picture. First was Dr. Web with its disclosure of the trojan (and "sinkholing" of the botnet's command-and-control domain names).

Then F-Secure came into the picture with manual instructions for determining if your Mac had been compromised. On the heels of that was Kaspersky with free, automated Flashback detection and removal tools.

All of these companies beat Apple--by a LONG shot--at protecting their customers (and non-customers alike) with their steps and tools they each respectively made.

Oh, and lest it go unsaid, Apple did release an update to Java that patches the hole and removes the most common variants of the Flashback malware.

Here's what the update looks like in Software Update:

03/26/2012

Zeus Botnet Sting Lead by Microsoft

The good guys are always happy to see when there's any positive action towards stopping a botnet--particularly when the action is strong, like Microsoft's "Operation b71."

SecurityWeek.com has a great story of the Microsoft Zeus Botnet Sting. As you might expect, there's a lot of cooperation between different companies and agencies needed to take out this kind of thing.

Here's the guts of the takedown story,
Microsoft and its co-plaintiffs, escorted by U.S. Marshals, seized command and control (C&C) servers in two hosting locations on March 23 in Scranton, Pennsylvania and Lombard, Illinois.

"The move, which Microsoft said was its 'most complex effort to disrupt botnets to date,' was to seize and preserve data and evidence from the botnets to use in a case against multiple botnet operators.

"In addition to seizing the C&C servers, the group took down two IP addresses behind the Zeus command and control structure, and secured 800 domains that Microsoft is now monitoring and using to help identify computers infected by Zeus.
What caught my eye here was the scope of the botnet operation. Eight HUNDRED domains.

Figure if the domains cost $5-$10 each, the domain names alone cost $4,000 - $8,000, so there's no doubt if the bad guys are spending that kind of dough just on the domain names, they're making real cash from the botnet.

As much as most people would hate to admit it, it is a business. (It's a business most of us wouldn't touch with the proverbial ten foot pole, but it is a business.)

Unfortunately, it's not the end of Zeus. Not even close. Was it a setback for the operators? Yes. The end? No.

Just how nasty is the Zeus Botnet? Here's a quote from the current Wikipedia page:
While Zbot is a generic back door that allows full control by an unauthorized remote user, the primary function of Zbot is financial gain - stealing online credentials such as FTP, email, online banking, and other online passwords.
In other words, the bad news is, it's meant to give the bad guys total control of your PC.

The good news is, antivirus programs are able to prevent, detect, and remove the threat.

The one other bit of bad news though is that even though antivirus software can detect and remove the bot, it's very, very hard to tell if you've been infected without the latest software and signatures.

In other words, because it's such a well-designed bot, if you're not running up-to-date antivirus protection, chances are you'd never even know your PC had been infected. To the bad guys credit, it's a very well designed piece of software and is known for its clever design and stealth.

If you're so inclined to learn about the legal proceedings, full details are at: www.zeuslegalnotice.com.

12/01/2011

Ask the Experts: What's the best antivirus software for Windows 2000?



We get a lot of questions to our "Ask the Experts" link. We answer 'em all.

Most times they're good questions. Some times they're great.

One such question came in today from Rich who asks,
Which antivirus program and firewall can I use on a laptop with Windows 2000 Pro installed.

"The laptop hardware meets most programs requirements but most programs say XP or newer.

"My laptop works great as is and I would just like to have good antivirus and firewall protection.
Here's my reply:

Hi Rich,

This is definitely a tough question.

The problem is this: Windows 2000 (which was my favorite version of Windows) is SO far out-of-patch from Microsoft (it is almost 2012), even if you were to find antivirus software for it, which I quite doubt, the OS itself isn't being updated and thus can't be secured anymore.

If the underlying OS is insecure, all bets are off.

I say this with a background as former CTO of a publicly traded credit card processing company. These types of issues weren't just what-if scenarios there, but things I had to make policy about for my company and shareholders.

The bottom line: even back then I wouldn't have allowed someone to connect to my network with an OS that old, now you're taking about one that's, literally, 12 years old.

It just cannot be secured. Plain and simple.

Here's the next rub: the way the antivirus software "hooks" into the OS has changed even since XP. One malware researcher found the hooking method in XP could in some cases be circumvented and most any antivirus software bypassed. And this was with XP. Who knows what the story is with W2K.

Since Windows 2000, Microsoft has released:
  • Windows XP
  • Windows 2003 (servers)
  • Windows Vista
  • Windows 2008 (servers)
  • Windows 7
...and we ourselves are already testing with Windows 8.

So, as much as I'd love to recommend a product, I'd be doing you a disservice.

Here's why: the reason no antivirus company is making software for 2000 anymore is because if Microsoft isn't updating the underlying OS anymore, they A/V companies certainly aren't willing to put their necks on the line trying to defend what is, practically speaking, indefensible.

Further, most web browsers--the most common attack vector of viruses these days--are no longer supporting Windows 2000.

No matter where you look, the propeller heads have long decided to turn their backs on Win2K

Believe me, I'm a fan of old computer hardware (and I loved Windows 2000) and want to keep things running 'til the end of time, but we're talking about technology not a classic car. (My wife made me recycle more old PCs last year than I'm comfortable even admitting were in my house. I had hardware made in 1991 that still ran.)

In your case, if you're serious about keeping the data on that PC secure, you need to put it to pasture. It just cannot be secured.

My take: a trip to your local Best Buy, to NewEgg.com, or to Buy.com and look for a new lappy. These days, great machines can be had for a song.




And one final note I forgot to mention to Rich: Yes, you can definitely remove the antivirus software that comes pre-installed on a new computer.

It's seldom the best antivirus software for your needs and is often there just because the antivirus company and the computer maker struck a deal to put it there to begin with.

Chances are, they just paid the manufacturer more than the next guy for the privilege. They know a large percentage of people will assume if it's there it must be the best, and they end up renewing the antivirus software when the subscription runs out.

08/29/2011

Morto: Remote Desktop Connection Worm In the Wild, Spreading Actively

The fine folks at Finnish antivirus software maker F-Secure have spotted a new worm in the wild.

For us antivirus folks, worms are among the most feared because of their ability to infect, spread, and replicate on their own.

This one is being dubbed "Morto," and what's so unique about it is it's the first one to use the Microsoft Remote Desktop Connection.



The only surprising thing to me is that it's taken so long for a worm of this type to surface. Remote Desktop gives you direct access to your desktop remotely, so if someone manages to break into your system via the Remote Desktop Service, it gives them direct access to your computer--as if they were working right on your desktop, albeit remotely.

This particular worm isn't exploiting any bugs in Windows or in Remote Desktop; rather, it's exploiting weak passwords, long the bane of good system administrators.

Further, it's attempting to gain access to the default "Administrator" login, giving it maximum permissions on the system. Thus, once it's in, the computer is fully compromised.

Our own networks are seeing this threat attempting to connect to our servers at a rate of about 10 attempts per second, so clearly, this is a threat to take seriously if you have machines that rely on TCP port 3389, the Remote Desktop port.

As for the passwords being attempted, F-Secure's post on the Morto Remote Desktop worm lists these as the passwords being used to attempt the break-ins:
  • admin
  • password
  • server
  • test
  • user
  • pass
  • letmein
  • 1234qwer
  • 1q2w3e
  • 1qaz2wsx
  • aaa
  • abc123
  • abcd1234
  • admin123
  • 111
  • 123
  • 369
  • 1111
  • 12345
  • 111111
  • 123123
  • 123321
  • 123456
  • 654321
  • 666666
  • 888888
  • 1234567
  • 12345678
  • 123456789
  • 1234567890
As you might imagine, there's already Morto worm discussions on the Microsoft Technet forums, so if you think you're at risk, you might want to head over and take a peek at the discussions.

Here's our recommendations to keep this worm at bay:
  1. Change your password. Here's a how-to on choosing a good password.
  2. Rename your "Administrator" account. Since the worm is using "Administrator," alternatives will help keep it at bay.
  3. Block access to TCP port 3389, if possible, or limit access only to IP addresses you trust.
  4. Make sure your antivirus software/Internet security software is up-to-date.
F-Secure is detecting the Morto components as:
  • Backdoor:W32/Morto.A
  • Backdoor:W32/Morto.B

08/16/2011

Best Web Browser for Blocking Malicious Content?


2

Fans of Internet Explorer, rejoice!

Well, sort of.

NSS Labs, one of the top independent security research labs in the world, just put each of the top web browsers for Microsoft Windows PCs on their test bench to see how they fared against socially engineered malware.

Long lambasted for being insecure and weak in its ability to thwart malware, Internet Explorer actually landed at the front of the pack in this particular test which included:

Their report, "Web Browser Security, Socially Engineered Malware Protection," looked specifically at social engineering malware (SEM) attacks, which

...remains the most common security threat facing Internet users today.

"Recent studies show that users are four times more likely to be tricked into downloading malware than be compromised by an exploit.

How much better did IE fare? At the risk of editorializing, it was an absolute landslide. (Politicians dream of this kind of lopsided victory.)

Effectiveness of Top Web Browsers at Blocking Social Engineering Malware Attacks
Web Browser Malware Blocking Efficacy
Microsoft Internet Explorer 9 99.2%*
Google Chrome 12 13.2%
Apple Safari 5 7.6%
Mozilla Firefox 4 7.6%
Opera 11 6.1%
* With both URL and Application Reputation enabled during testing, which provided 96% and 3.2% of protection respectively.



Now for the one caveat: this only measured the efficacy of blocking social engineering malware and didn't test any of the browsers abilities (or likelihood) of being attacked through a security exploit.

What does that mean?

For starters, it means stopping viruses and other malware isn't as easy as running one web browser vs. another.

While Internet Explorer 9 might do very well at blocking social engineering malware, other browsers have historically done significantly better at stopping attacks that come through security exploits.

So, what's the best, most secure web browser?

There's no simple answer. I'd really encourage you to take a close look at the NSS Web Browser Security Report.

Another thing not covered is the effectiveness of antivirus software at blocking these types of threats.

In our tests, we consistently saw the software we tested with the best malicious website filtering giving added protection above and beyond what the web browsers themselves provided.

08/10/2011

Huge Security Update Batch from Microsoft



If you haven't already gotten notice from your PC that there are updates waiting to be installed, you're now on notice.

This batch of patches covers a lot of ground: Windows, Internet Explorer, and even Microsoft Office (which you'll likely need to take care of separately).

With so many patches, you can count on one thing: the bad guys are watching these updates, too, to see what things they can exploit on un-patched PCs.

According to a great summary at ComputerWorld on the Microsoft Security Updates,
Microsoft today issued 13 security updates that patched 22 vulnerabilities in Internet Explorer, Windows, Office and other software, including one that harked back two decades to something dubbed 'Ping of Death.'
Here's how the 13 updates break down:
  1. Critical: 2
  2. Important: 9
  3. Moderate: 2
Curiously, there's some debate about what updates are most important among security researchers,
Other security experts from Symantec [makers of Norton Antivirus and Kaspersky Lab also highlighted the IE update as the one users should deploy first.
Given this many updates, and this many high-priority updates, there's no question, this batch of updates is worth taking the time, including reboot, needed to get them all applied.

As far as I'm concerned, no one should be wondering, "Gosh, which ones should I apply?" or, "Which ones should I apply first?"

Simple. Do them all. Immediately.

The one in particular that caught a lot of people's attention was the "Ping of Death" patch, which sounds to a lot of people like the old "Ping of Death" that could be done to PCs years ago.

This begs the question: are there already exploits for this bug?

Equally important though is why is this only labeled as, "Important" and not "Critical?"

Regardless, it really is "Critical" in my opinion because of the ramifications of having an unpatched system.

Exploiting this bug requires very little technical knowledge, and it can allow an attacker to easily prevent your computer from having any Internet access, effectively shutting your PC down.

In Ye Olden Days, a similar attack would even cause the computer to reboot, and continue to reboot, 'til the attacker stopped their attack or you disconnected your PC from the Internet. Ouch.

Bugs like this are one of the main reasons why looking at an Internet Security Suite with built in firewall software is so important. In most cases a PC protected by a software firewall would be immune to this and similar attacks.

Regardless of whether or not you have an ISS with a software firewall, there are still a lot of other things these updates take care of, so get it done!

Here's where you can get the patches:

08/02/2011

Windows XP: Still a Force to be Reckoned With

At the end of July 2011, Microsoft can say that Windows XP finally fell below the 50 percent mark. In other words, Redmond's decade-old operating system is now used by less than half of all Internet users.
So says a TechSpot bit about the current OS marketshare.

Our own site stats are a little different but show XP remains a force to be reckoned with. Here's what things look like for us compared to this time last year:

Operating System July 2010 July 2011 Percent Change
Windows XP 46% 33% (30%)
Windows 7 32% 54% 69%
Windows Vista 21% 12% (41%)
Windows Server 2003 0.5% 0.4% (10%)
Windows 2000 0.25% 0.1% (60%)

As you can see with our own website stats, Windows 7 is, thankfully, the only Windows version increasing its marketshare compared to what we were seeing last year.

In contrast, all the others, especially Windows XP and old-as-dirt Windows 2000 are on the decline.

The much maligned Windows Vista is also on the decline, where we're seeing a 40% year-over-year drop in the percentage of users visiting our site who're running Vista.

Given as many complaints as Vista generated, it's understandable why folks are holding on to XP.

There's certainly--amongst a lot of consumers--a cloud of unease still looming over the Windows versions after XP. To a lot of consumers, if Vista was no good, what's so special about Windows 7?

And for that matter, what's so wrong with Windows XP that you've absolutely got to upgrade?

Let's be honest: Windows XP works. It's a good OS, and with Microsoft now promising to support it 'til 2014, it's going to take a lot to pry it from a lot of folks hands, despite it having lesser baked-in, underhood security than Windows 7.

Which is actually the only real reason to upgrade, frankly: Windows 7 has far better security within it than XP does. How's that?

Windows XP was definitely an improvement over Windows 98 and Windows 2000, for sure. Since then though with Vista and 7, Microsoft engineers spent a lot of time working on a truckload of new technologies to help the OS be a lot more resilient to attacks, web-based and otherwise.

Without getting into all the geek-speak, suffice it to say: it's safer. Even the way antivirus software communicates with Windows 7 has changed over the way it communicated with Windows 7. It's that different.

That said, we're realists, and from our perspective, Windows XP visitors still represent about one in three people to our site. A lot of things are keeping people on Windows XP, not the least of which is uncertainty about what upgrading to Windows 7 means.

For a lot of people, spending $20 or $30 for the best antivirus software, which they'd need with Windows 7 anyway, and getting another year or two out of their old PC makes a lot more financial sense than a large outlay of cash on a new PC or an OS upgrade.

Certainly, we ourselves are happy to help everyone running XP find the right antivirus software for their needs--it's still a LOT of people, and antivirus software companies are still definitely supporting XP.

In fact, we still do some of our antivirus software testing on Windows XP. Sure, our tests always center around Microsoft's latest OS, but we still test with XP also.

And from a security standpoint, I believe antivirus software companies will still be supporting Windows XP as long as Microsoft does.

Practically speaking, if Windows XP works, Microsoft is still supporting it, and you can still get antivirus and Internet security software for it, the only thing that will cause most people to upgrade is when they have a hardware failure or other reason to get a new PC.

In the mean time, remember to keep your OS and applications patched regardless of what version of Windows you're running.

07/18/2011

$250,000 Reward for Information about the Rustock Botnet


Microsoft made an announcement in their blog today: $250,000 for Rustock botnet information
This reward offer stems from Microsoft’s recognition that the Rustock botnet is responsible for a number of criminal activities and serves to underscore our commitment to tracking down those behind it.

"While the primary goal for our legal and technical operation has been to stop and disrupt the threat that Rustock has posed for everyone affected by it, we also believe the Rustock bot-herders should be held accountable for their actions.
Why has Microsoft put so much effort into this particular botnet?

In part because of the serious damage it has done. By Microsoft's estimation, the botnet had capacity for sending 30 billion spams. A day.

Bear in mind, too, that this is after Rustock was taken down through a huge international effort that marshaled industry and academic researchers, legal teams, and governments to do so.

So, what does all this mean?

My own take is that they may never capture the folks responsible, and a lot of infected machines are still out there, mostly unbeknownst to their owners, no doubt, so there's still a lot of work to be done.

My belief is that the botnet will take many years to die completely, because most of the people who're running infected machines aren't running antivirus software, and if they haven't noticed their machines are infected by now, they probably never will.

Thus, they're unlikely to install some and remove the botnet from their PC.

In which case, it'll only die when the infected PCs themselves go to the scrapyard.

In the mean time, at least the technological solutions in place should make it very hard for the infected machines to come back to life and spew more spam.

More information on the $250,000 Rustock award.