It isn't every day you get to see what a real Trojan attack looks like.
When you do, there's seldom time to even take screenshots: you just want to get the heck out of Dodge.
But, this time, in putting together material for our upcoming free workshop when I happened across a real attack I was able to record it.
If you've ever wondered what an attack looks like, here's your chance to see one.
Here's the best/worst part: nothing stopped it.
- Not our Internet Security Software.
- Not any of our browsers' built-in malware protection
- Not even Windows 10 built-in security.
See for yourself how it happened and what you can do to stop it.
This file opens in a new tab / Window for you.
With a lot of the things we as consumers buy--especially things we buy rarely--we narrow the field down from a huge list of options to the two or three things we're most serious about buying.
And since most of us renew our antivirus software for somewhere between one and three years, it's no different. Easily the most common of these narrowed down head-to-head comparisons in the world of virus protection is Norton vs McAfee.
The two questions all of us ask at a time like when we're comparing two things are:
- What's better?
- If the more expensive is better, it worth it?
So, let's take a look at these two heavyweights and get this question answered!
Norton Antivirus 2012 vs.
Norton Antivirus 2012
McAfee AntiVirus 2012
|Virus & Spyware Protection|
Prevention / Real-time Protection
|Consistently scores among the top programs in our tests at preventing new virus infections. Earned an "excellent" rating against "zero day" threats in each of our 2012 tests.||Does quite well against most new viruses and earns a "very good" rating in this part of our tests; however, it comes at a huge performance cost that sometimes makes using the web painfully slow.|
Manual Virus Scanning & Removal
|Did nearly as well at detecting and removing viruses on our test PCs as it did at preventing them from getting there in the first place. Another "excellent" rating.||Mysteriously, McAfee outright missed about 50% of the viruses we tested with, and some of those that it did find, it had a tough time removing.|
|Not as impressive against spyware/adware as it is against viruses, but it still earns a "Good" rating in our tests both for preventing infection and successful removal.||Not good, not bad against spyware, truly "Average." It did, however, do better at stopping spyware from getting in than it did at removing it.|
|Verdict||Category Winner: Norton|
|Installation, Usability & Tech Support|
The best installer of 2012.
If we had a rating for "Outstanding," it would earn it. Instead, its 100% score earns it an "Excellent" rating in our scoring grid.
The complete opposite of Norton's installer. Account setup required, very large, slow installer has to be manually downloaded onto each PC you install the software onto.
Too many hoops to jump through. Really a terrible experience from start to finish. Rating: "Poor"
|Black interface takes some getting used to, but it's aesthetically pleasing and mostly easy to use. Some screens feel a bit bolted on. Overall it's fast and works well.||
At the risk of sounding overly harsh, this is a flawed interface by most any measure. Its tiny main window (and huge top label section) forces everything to be done in a window about 2" x 3".
Some features require multiple scroll bars to work. Needs a complete redesign.
|While many help beyond basic installation and upgrades is a "Premium" service (i.e. they charge you for it), the Norton support (long complained about by consumers) has gotten much better. Just don't expect to talk to them for free if you need help.||
Like Norton, McAfee charges for most everything beyond help with basic installation and upgrades.
Overall, a "Good" experience; expect the basic techs to stick to a script, even if your needs aren't on their script.
|Verdict||Category Winner: Norton|
Norton Antivirus 2012
McAfee AntiVirus 2012
|Money Back Guarantee||
60 Days (The longest available.)
30 Days (Industry average.)
|Verdict||Overall Winner: Norton|
An incredible piece at Wired.com, "How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History", details the jaw-dropping, almost impossible to believe international tale of how researchers for Symantec (makers of Norton Antivirus and Norton Internet Security) tracked down and reverse engineered the Stuxnet worm.
It's a long piece that I thought I'd glance through at first, but that I found myself reading every word of.
Hat-tip to Kim Zetter for some incredible reporting and equally good story telling.
...the answer would come only after dozens of computer security researchers around the world would spend months deconstructing what would come to be known as the most complex malware ever written — a piece of software that would ultimately make history as the world’s first real cyberweapon.
Satellite image of the Natanz nuclear enrichment plant in Iran taken in 2002 when it was still under construction.
Image source: http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/
That's a quote directly from Kaspersky's analysis of the TDL4 / TDSS bot.The malware detected by Kaspersky Anti-Virus as TDSS is the most sophisticated threat today.
No matter where you look, this botnet is making news. And it's making even the Conficker/Downadup worm that made big news last year look pretty tame by comparison. Why?
Translation: the TDL-4 is great at hiding itself and great at hiding viruses and other threats from antivirus software.TDSS uses a range of methods to evade signature, heuristic, and proactive detection, and uses encryption to facilitate communication between its bots and the botnet command and control center.
TDSS also has a powerful rootkit component, which allows it to conceal the presence of any other types of malware in the system.
The TDL software itself isn't particularly new, but what's interesting about it is how its creators have evolved it over time, making it harder to detect and stop with each version. This latest version, TLD-4, for instance, is now able to infect 64-bit systems.
So, if you had any sense of additional security from the fact that most viruses still weren't able to attack 64-bit systems, those days are gone.
This botnet is clearly not something garden variety. Kaspersky's researchers go on to say,
What makes it so hard to detect to begin with is that it's a "bootkit": it infects the Windows MBR Master Boot Record.The owners of TDL are essentially trying to create an 'indestructible' botnet that is protected against attacks, competitors, and antivirus companies.
And, because the MBR is infected, it runs before the operating system even starts. Huh?
Exactly, and as The Bard says, "there's the rub." Because it's activated before the OS starts, it's also running before your antivirus software, too.
So, how the heck do you detect this thing, much less get rid of it?!
As of the writing of this piece, it's somewhat hit-or-miss as to whether or not a given piece of antivirus software will remove it if you've gotten it. So far, it looks like all the best antivirus software manufacturers have updated their software and/or signatures to detect it.
Even still some of them, including Norton and Kaspersky are considering this such a big threat, they're making specific Popureb / TDL-4 / TDSS removal tools.
Kaspersky Anti-rootkit TDSSKiller
Microsoft's initial advice to remove Popureb (as Microsoft is calling it) according to a Computerworld.com piece was,
This is inline with what Microsoft was telling customers in early 2010 when the Alureon rootkit was first making the rounds. MSRC (Microsoft Security Response Center) director Mike Reavey said at the time,If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state.
Ouch.If customers cannot confirm removal of the Alureon rootkit using their chosen anti-virus/anti-malware software, the most secure recommendation is for the owner of the system to back up important files and completely restore the system from a cleanly formatted disk.
Depending on who you ask, this is either overkill or, really, the best, most cautious approach.
One researcher for Symantec, Vikram Thakur, says,
If you have any suspicion that you've been infected, a great tool to ferret out a rootkit is, GMER (version 184.108.40.20640 as of this writing.)When you fix the MBR, you pretty much expose the threat itself to other applications, including antivirus applications. They can then pick up on the threat, and delete it.
If you get bad news from GMER it'll look like,
Notably, Microsoft adds a critical part almost as an afterthought,If your system is infected with Trojan:Win32/Popureb.E, we advise fixing the MBR using the Windows Recovery Console to return the MBR to a clean state.
Here's how to fix the MBR by hand:
- Open a Windows Recovery Console
- For Windows XP:
Installing and using the Recovery Console in Windows XP
- For Windows Vista:
System Recovery Options in Windows Vista
- For Windows 7:
System Recovery Options in Windows 7
- Use the tool BOOTREC.exe1 to fix the MBR as in:
- Restart the computer and you can then scan the system to remove any remaining malware.
If you opt to use Windows Restore to remove the malware instead, you must still fix the MBR first, and then restore the system.
The bottom line with this thing is, it's no joke. As the Kaspersky researchers put it, it's "the most sophisticated threat today."
If you've been infected, we'd suggest trying to ferret it our first with your antivirus software. If that doesn't work, look to some of the other methods like the GMER and the specific removal tools like those from Symantec and Kaspersky. 1More info on BOOTREC.exe.
If you've never experienced a real-life hard drive failure consider yourself lucky. And warned.
It's only a matter of time before yours goes south. In my case, being a geek both in my personal and business lives for many years now, I've had more hard drives fail than I can count.
Even if you've got good backup software (and you're sure the backups restore properly), the restoration process is always painful and more time consuming than you expect. If you don't have backups, well, well... you may just be screwed.
Sure, there's special hard drive recovery software that can often be brought in to save the day and there are hard drive recovery services, too, although these services can carry a staggeringly hefty price if you have a lot of data to recover, a complex RAID hard drive setup, and/or an especially tricky drive crash.
No matter what, no one, except those folks in the data recovery business like hard drive failures.
It's this fear of data loss that's motivating the latest malware writers to do their thing and create craptastic software no one needs--and certainly no one wants.
In this particular case, the malware, which Symantec is calling, "Trojan.Fakefrag" is they say,
essentially a wrapper around UltraDefragger.
How do you know if you've been infected? Here's what Symantec says to look for:
- It moves all the files in the "All Users" folder to a temporary location and hides files in the "Current User" folder. This makes it look like you have lost all the files on your desktop.
- It stops you from changing your background image.
- It disables the Task Manager.
- It sets both the "HideIcons" and "Superhidden" registry entries to give the impression that more icons have been deleted.
Wow. Just about anyone experiencing these things would probably think their hard drive were failing, too.
What next? Again quoting the Symantec researchers,
It then "helpfully" displays a message recommending that you run a diagnostic utility on your computer, launches the Windows Recovery misleading application, and adds a link it on both your desktop and the start menu.
"The misleading application finishes the job, hoping that the victim will pull out their credit card for the $79.50 price tag.
So what's it look like?
Thankfully, they included a screenshot:
If you see this on your PC, and you're running antivirus software already, make sure your antivirus definitions are updated and run a full system scan immediately.
If you're not, now's a good time to take a look at getting some. It's cheaper than the malware's $79.50 price to "fix" your PC, and you'll actually be getting something for your money.
Microsoft's Jeff Williams gives an update on Microsoft's part in continued action to eradicate the Win32/Rustock botnet.
Over a year ago Microsoft marshalled a unique botnet-fighting team. Made up of others in industry and some folks in academia, they used a combination of legal and technical means to take control of the Win32/Waledac botnet as the first milestone action in project MARS (Microsoft Active Response for Security.)
A similar action in the past couple of days has had its legal seal opened that allowed Microsoft to talk more openly about the Win32/Rustock botnet.
Sure, Waledac was a simpler and smaller botnet than Rustock, but because of lessons learned with it, Microsoft was able to take on the much larger Rustock botnet.
Rustock is estimated to've infected over a million computers and was spewing out millions of spams daily
In fact, some statistics have suggested that at its peak, Rustock accounted for a staggering 80% of all spam traffic in volume and were sending at a rate of over 2,000 messages per second.
What was so impressive in the botnet takedown was the scope of things: the seizure of command and control servers was under court order from the U.S. District Court for the Western District of Washington; the order was carried out by the U.S. Marshals Service and by authorities in the Netherlands.
That alone would be a fairly big deal, but here's the kicker: investigators are now going through evidence seized from five hosting centers in seven locations to learn more about those responsible and their activities.
This was a collaboration with others such as Pfizer (whose brands were infringed on from fake-pharma spam coming from Rustock), FireEye, and the University of Washington.
All three gave valuable statements to the court on the behaviors of Rustock and also the specific dangers to public health which is in addition to those effecting the Internet.
We applaud Microsoft and its partners for pulling this off. Their continued work with CERT and ISPs around the world is the only way to reach those whose computers are infected and help defeat and remove these viruses.
Now that researchers at places like Symantec (makers of Norton Antivirus), have had a chance to delve into the exploit, some theories are starting to come out about who's behind it.
Karthik Selvara, a researcher for Symantec says, in a Symantec blog,
While things had been quiet, we were quite certain that the gang behind Trojan.Hydraq hadn't gone away. It looks like they are back, as we've been seeing evidence of their attacks since January....
Where it gets interesting is in the disection Karthik does.
He takes apart various parts of the email, the social engineering, and the exploit itself, and lo and behold, the techniques are eerily similar.
The next quote is a little long, but given how concisely Symantec describes the exploit and attck, we'll let the Symantec blog speak for itself here,
If the above emails look familiar, it is because their style is very similar to the emails used in Hydraq (Aurora) attacks.
"In addition, the use of a zero-day within a PDF, and how the executable is dropped on the system, all match the Hydraq method of operation.
"Furthermore, we have seen a large number of detections of unique versions of the PDF--not yet seen elsewhere in the wild--coming from a single computer in the Shandong Province of China, which is how far back investigators were able to trace the Hydraq attacks. [Editor's Note: Emphasis mine.]
"All of these similarities could be coincidental, but these attacks appear to be from the same perpetrators.
"The PDFs inside all the above emails exploit the same Adobe zero-day vulnerability and each drop similar downloader components, but with different decoy PDFs. Some had different URLs to download additional malware.
Huh. Attacks based in China. Who would have guessed?
Frequent readers may recall a list we shared not long ago of the Top 10 Riskiest Domains by Extensions, where China placed third in this notorious list.
All-in-all, aside from the excellent analysis by Symantec's researchers, we'd also like to echo their equally excellent suggestions about pdfs.
- keep your antivirus software up to date
- exercise caution when dealing with PDF files
One last note, all the major antivirus vendors are detecting this attack, with Norton snaring it as, "Bloodhound.PDF!gen1" and as Bloodhound.Exploit.357.
In a recent post to its security blog Symantec, makers of Norton antivirus revealed,
a new exploit targeting Internet Explorer was published to the BugTraq mailing list yesterday. Symantec has conducted further tests and confirmed that it affects Internet Explorer versions 6 and 7 as well.
The announcement of the Internet Explorer exploit was surprising to many because of how it targets Cascading Style Sheets, something that hasn't typically been used in these types of attacks.
The exploit got notoriety when a security researcher has published code that could allow an attacker to take over an unsuspecting user's Internet Explorer and install code on the person's computer and then when Symantec took notice and began doing research of their own.
There has always been--and likely always will be--a large degree of controversy around so-called "full-disclosure" security like this because one group of people believe that it's most responsible for the researchers to first notify the manufacturers about the vulnerability so that things can be kept quiet 'til patches are ready.
The other group believes that it's most responsible for the researchers to first notify the community about the vulnerability so that users can take steps to protect themselves against attack.
The debate is though that on one hand if you're only disclosing to the manufacturers and don't notify the community, there could very well be active exploits in the world that other hackers are already using. So, if you don't notify the community, you're being irresponsible by holding back information that may users to protect themselves.
In contrast, if you don't first notify the manufacturers and immediately post the exploit, you're allowing hackers to get information on how to take over your computer without giving any chance for the manufacturers to develop patches.
There are definitely valid points to both sides of the debate, regardless, though in this case the exploit was released to the community first and not to the manufacturer, in this case Microsoft, so there's a new attack on Internet Explorer for which there's no patch available yet.
The good news is that it appears that the best antivirus software is already able to protect against this exploit. Symantec for instance on their Security Blog says,
"Symantec currently detects the exploit with the Bloodhound.Exploit.129 antivirus signature and is working on new signatures now.
"A new IPS signature, HTTP IE Style Heap Spray BO, has also been created for this specific exploit.
As of the writing of this post, there's still no patch; however, by following the steps recommended by Symantec users should be reasonably well protected against this exploit.
Just a few days into October and already there's news of a computer virus attack that's,
"...wreaking havoc with Integral Energy's computer network, forcing it to rebuild all 1000 of its desktop computers before the 'particularly sinister' bug spreads to the machines controlling the power grid."
We learned of this from the Sydney Morning Herald, one of Australia's most highly regarded daily newspapers.
The article quotes an Integral Energy spokesman as saying they had to,
rebuild all desktop computers to contain and remove the virus.
Now, if you're like me, one of the first questions you'll likely ask is, "Didn't they have antivirus software installed?"
Well, according to the article, yes. In fact.
"Integral Energy said the virus was the W32.Virut.CF strain, which computer security company Symantec describes on its website as 'a particularly sinister file infector' that spreads quickly and 'is proving difficult to remove from infected networks'.
"Ironically, Integral Energy's computer networks are protected by a Symantec security solution, a source said. Symantec has had a virus signature for W32.Virut.CF since February."
[Editor's note: Symantec is perhaps best known for their A/V software Norton Antivirus.]
This brings up the next question: How did the virus evade detection by the antivirus security software. Although I don't have evidence of this, typically, corporations don't run the consumer version of software but so-called "corporate" editions, which commonly have advanced heuristics and central management consoles for managing all the desktops from one central location.
In many cases, when antivirus firewall software is installed into a corporate environment, the software may even be the Internet security suite version of a particular product.
Given that they were probably running business antivirus software, I'm even more puzzled how it went undetected. Was this really a case where:
- the antivirus software failed
- human error allowed it to go unnoticed
- an insider intentionally set the virus loose on the network
- some combination of the above
We'll be following this story closely to see what develops. Hopefully, more light will be shed on this outbreak so we can help our business and home users alike prevent such a PC virus from hitting their computers.
One of the growing concerns for many security and antivirus professionals is the dramatic growth of fake antivirus software.
The idea behind fake A/V software is to trick unsuspecting consumers into downloading and installing their fake software in an effort to get trojans, viruses, spyware, and other malware installed onto PCs in the process.
There's nothing real about the fake software, except the threat it poses.
The process works like this:
- Trick consumer with a real looking, real sounding ad on an (often unsuspecting) legitimate website
- Get consumer to install the phony (but very real looking) antivirus application
- Stuff any number of trojans, keyloggers, spyware, and other evil applications into the fake antivirus program
- Use the newly infected computer to do their bidding, including (among other things):
- identity theft
- credit card fraud
- bank theft
- infecting other computers
Solution to the Fake Antivirus Software Problem
Word is filtering out today about a way to tell fake antivirus software from legitimate ones.
A new site from security and SSL vendor Comodo of a project they're backing called, "Common Computing Security Standards Forum," aims to help consumers figure out what's real and what's not.
In their list of all known legitimate antivirus software vendors, they hope to help put an end to the dummy antivirus programs out there and to help consumers stay clear of the crap.
In addition to thanking them for their efforts, here is a complete list of current antivirus vendors known to Comodo to be the real deal:
|Legitimate Antivirus Software Vendors|
You'll note, every one of the programs (reviews linked above) are included in our antivirus reviews since day one of our site are included on the list.
If you know of other legitimate A/V software not on the list, please contact us so that we can share your insight with the folks at Comodo.