05/10/2017

When Antivirus Software Fails You: How to Spot (and Defeat!) a Real Malware Attack


It isn't every day you get to see what a real Trojan attack looks like.

When you do, there's seldom time to even take screenshots: you just want to get the heck out of Dodge.

But this time, while putting together material for our upcoming free workshop, I happened across a real attack and was able to record it.

If you've ever wondered what an attack looks like, here's your chance to see one.

Here's the best/worst part: nothing stopped it.

  • Not our Internet security software.
  • Not any of our browsers' built-in malware protection.
  • Not even Windows 10's built-in security.

See for yourself how it happened and what you can do to stop it.

 





11/30/2011

USPS & Royal Mail Package Delivery Emails New Feature: Trojan Malware



Antivirus vendor Sophos, via their SophosLabs "Naked Security" blog, is bringing news of a massive trojan spam campaign that ties postal package delivery--or lack thereof--to a trojan-bearing email. Here's the scoop:

By using a variety of clever subject lines, the spam leads people to believe they've missed a package delivery from the USPS or Royal Mail, and so tricks unsuspecting recipients into opening the malicious email and the trojan-laden attachment that comes with it.

Data on this trojan is still thin, but right now, according to Sophos:

"Contained inside the ZIP file is a Trojan horse, detected by Sophos products proactively as Mal/Bredo-Q."

Industry-wide detection is also hit-or-miss so far. Here's how the major products fared:

Antivirus Software   Version          Detection
avast                6.0.1289.0       yes
AVG                  10.0.0.1190      yes
BitDefender          7.2              yes
ESET                 6556             no
F-Secure             9.0.16440.0      yes
Kaspersky            9.0.0.837        yes
Norton               20111.2.0.82     no
McAfee               5.400.0.1158     yes
Panda                10.0.3.5         yes
Trend Micro          9.500.0.1008     no
VIPRE                10808            yes

Keep in mind these are point-in-time results for a single sample. Vendors typically add detection for a new sample within hours, so a "no" here says nothing about how that product fares a day later; it does show why you can't count on a signature being in place the moment a new spam run lands.


Here are a couple of samples of these emails. (Thanks and credit to Graham Cluley of SophosLabs for these.)

Here's a sample of the USPS fake:


...and a sample of the Royal Mail fake:

If you've gotten one of these, please contact us. And don't open it--or the attachment.
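Here's an added example of the kind of check a mail filter (or a careful admin) can run on a message like these. It's our own illustration, not code from Sophos or from the original post: it looks for the two things the lure depends on, a delivery-themed subject line and a ZIP attachment that holds a Windows executable. The subject keywords, the list of executable extensions, the example.invalid addresses and the sample messages are all made up for the demonstration.

```python
"""Triage an e-mail for the "missed package" lure: delivery-themed subject
plus a ZIP attachment containing a Windows executable. Added example;
keyword list and extension list are assumptions, not from the post."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Words that show up in USPS / Royal Mail delivery lures (assumed heuristic).
LURE_SUBJECT = re.compile(r"usps|royal mail|parcel|package|delivery|shipment", re.I)

# Extensions Windows will run on a double-click. A "Label.pdf.exe"-style
# double extension is caught because only the final extension is checked.
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")


def risky_zip_members(data: bytes) -> list:
    """Names of executable files inside a ZIP payload; empty if none, or not a ZIP.

    Only the central directory is read, so a huge compressed member is never
    inflated just to look at its name."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXT)]
    except zipfile.BadZipFile:
        return []


def assess_message(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and report lure and payload indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    executables = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        name = (part.get_filename() or "").lower()
        # Look at the bytes, not just the name: a renamed .zip still starts with "PK".
        if name.endswith(".zip") or payload[:2] == b"PK":
            executables.extend(risky_zip_members(payload))
    lure = bool(LURE_SUBJECT.search(subject))
    return {
        "subject_lure": lure,
        "executables": executables,
        "verdict": "quarantine" if (lure and executables) else "ok",
    }


def build_sample(subject: str, attach_name: str, zip_member: str) -> bytes:
    """Construct a sample message carrying a ZIP attachment (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zip_member, b"placeholder bytes, not a real program")
    msg = EmailMessage()
    msg["From"] = "notice@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = subject
    msg.set_content("We attempted to deliver your package. Print the attached label.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=attach_name)
    return msg.as_bytes()


if __name__ == "__main__":
    lure = build_sample("USPS Delivery Problem Notification",
                        "USPS_Label.zip", "USPS_Label.pdf.exe")
    print(assess_message(lure))      # verdict: quarantine
    benign = build_sample("Weekend photos", "photos.zip", "IMG_0001.jpg")
    print(assess_message(benign))    # verdict: ok
```

A delivery-themed subject on its own is not a verdict (plenty of real shipping mail looks like that), and neither is a ZIP on its own; it's the combination with an executable inside that matches what Sophos describes, which is why the verdict requires both.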

07/08/2011

[Alert] Free "Smiley" hats & Free Vans shoes a Scam

So far over 300,000 people have been duped into "liking" a facebook page that claims to offer the first 750,000 people who like the page free "Smiley" hats and Vans brand shoes.

Here's what the junk Smiley Hat scam looks like in your facebook account:
...and here's what the fake Vans shoes scam looks like:
Sophos, an antivirus company focused on business security software, appears to be one of the first to break the news of this latest scam on their blog, in a post aptly titled "Smiley Hats Vans Facebook Scams".

Graham Cluley, who wrote the piece for Sophos, sums it up, saying,

"...do you really believe that you are going to be sent a smiley hat?

"And who is this un-named company that is planning to ask 750,000 people for their name and postal address?

"Is it possible they are planning to do anything else with that information if you hand it over to them?

"And what - seriously - are the chances that they are going to spend the money shipping that many hats to people who don't even know what brand it is that they are promoting."
Here's my $.02.

If it's legit, how are they planning to collect mailing addresses for that many people?

Think about it. Seven hundred fifty THOUSAND people.

Let's be optimistic and assume the mailing cost alone is $2 per hat.

You're talking about 1.5 *million* dollars just in mailing costs. Oh, and what brand is being promoted? Who's footing the bill for mailing the hats?

And we haven't even talked about the technology required to track that many addresses, link them to Facebook accounts, and make sure everyone has been mailed one hat (and not several!), given that it's going to take days--or even weeks--for everyone to send in their addresses.

Oh, yeah... and what about the cost of the hats themselves?

Even if they're $1 a piece to make, you're still talking about another $750,000 in costs. All with no mention of a brand behind it.

Methinks there's a rat in here somewhere.

As for Vans, Cluley says they've already disavowed the free-shoes promotion with this post on their official Vans Europe Facebook page:


What should I do?

If you've already liked either of these scams, do yourself--and your friends--a favor and at least "unlike" them. No reason to help the scammers get any further in their ploy to get your personal information.

Next, pay attention to your inbox. There's little question these scammers are looking to get at your email address to send you spam, phishing, and even spear-phishing emails.

Pay attention to what you click in your inbox. Think about what you're clicking on and who might have really sent that email to you.

And, let's remember: Facebook really is an incredible site with a whole world inside. The problem is, there is a whole world inside, good people and scammers alike.

Just because you're "surrounded" by friends in facebook, doesn't mean you get to check your street smarts at the [login] box.

The bottom line here: if it sounds too good to be true, it probably is.


Thanks and credit to Sophos and Graham Cluley for the find and the screenshots.

05/30/2011

Facebook "Baby Born Amazing Effect" is a Scam

Given the size of the Facebook network, it should be no surprise to any of us that the scammers are trying to target their next victims here, too.

The fine folks at antivirus software company Sophos have been keeping tabs on the latest Facebook scam, "Baby Born Amazing effect". This particular scam is being tracked by Sophos security researcher Graham Cluley who says,

"Messages are spreading rapidly across Facebook, as users get tricked into clicking on links claiming to show an amazing video of a big baby being born.

"The messages are spreading with the assistance of a clickjacking scam (sometimes known as likejacking) which means that users do not realize that they are invisibly pressing a "Like" button to pass the message onto their online friends."

Now the real questions:

  1. What danger does this pose?
  2. How do I get rid of it?

What danger does this pose?

The actual danger to a Facebook user is pretty negligible.

The scam is that by tricking people into "Liking" their video, they're able to artificially inflate their Facebook "Like" count. Real "Like" counts tend to grow pretty slowly, so for someone looking to make a mint in Facebook, garnering a lot of "Likes" can bring in real money fairly quickly.

How do I get rid of it?

Here's how:

  1. Find the offending message on your Facebook page. [See: Image 1]
  2. Select "Remove post and unlike".
  3. Go into your profile (top right corner). [See: Image 2]
  4. Select "Activities and Interests".
  5. Remove "Born Baby Amazing Effect" (and anything else you don't want there).


[Image 1]


[Image 2]


[N.B. We have to give full credit to Graham Cluley and Sophos for snagging these screenshots from within Facebook so we can help people get rid of this crap.]

Just to reiterate, this particular scam doesn't carry any typical virus payload and doesn't pose any threat to your PC. The only threat is in tricking other friends of yours to do the same thing and ultimately in helping a scammer inflate his or her bank account.

The one caveat here is that if you've made your Facebook personal profile information public, you have shared that information with the scammer, so who knows what they're up to.

Put another way: you might want to reconsider what information you're sharing publicly within Facebook.
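Likejacking, as Cluley describes it above, only works because the page with the real "Like" button can be loaded inside an invisible frame on the scammer's page. A site closes that door with its response headers, and here's an added example (our own, not code from Sophos, Facebook, or the original post) that answers, from those headers, whether a given outside origin is allowed to frame a page. It follows the browser rule that a CSP frame-ancestors directive overrides X-Frame-Options when both are present. The origins used are made up, and the CSP source matching covers the common forms only ('none', 'self', *, a bare scheme, an exact origin and a leading host wildcard); ports, paths and the rarer source forms are left out.

```python
"""Can an outside origin frame this page? Decided from response headers.
Added example; covers the common frame-ancestors source forms only."""
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Scheme plus host[:port], lower-cased: what framing rules compare."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def _source_allows(source: str, page: str, framer: str) -> bool:
    """Match one frame-ancestors source expression against the framer's origin."""
    s = source.lower()
    if s == "'none'":
        return False
    if s == "'self'":
        return framer == page
    if s == "*":
        return True
    scheme, sep, host = s.partition("://")
    f_scheme, _, f_host = framer.partition("://")
    if not sep:                        # scheme-only source, e.g. "https:"
        return f_scheme + ":" == s
    if scheme != f_scheme:
        return False
    if host.startswith("*."):          # "*.example.com" matches subdomains only
        return f_host.endswith(host[1:])
    return f_host == host


def can_be_framed(headers: dict, page_url: str, framer_url: str) -> bool:
    """True if a browser honoring these headers would render page_url inside a
    frame on framer_url. frame-ancestors, when present, wins over
    X-Frame-Options; with neither header the page is framable by anyone,
    which is exactly the precondition a likejacking page needs."""
    h = {k.lower(): v for k, v in headers.items()}
    page, framer = origin_of(page_url), origin_of(framer_url)

    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            return any(_source_allows(src, page, framer) for src in value.split())

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer == page
    # Missing, malformed, or the obsolete ALLOW-FROM value: current browsers
    # ignore it and allow the frame (assumption stated in the lead-in).
    return True


if __name__ == "__main__":
    social = "https://social.example/like?id=123"       # made-up target page
    lure = "https://baby-born-video.example/watch"      # made-up scammer page
    print(can_be_framed({}, social, lure))                                     # True
    print(can_be_framed({"X-Frame-Options": "SAMEORIGIN"}, social, lure))      # False
    print(can_be_framed({"Content-Security-Policy": "frame-ancestors 'none'"},
                        social, lure))                                         # False
```

The practical use is an audit, not a fix: run the headers of anything that renders a button worth hijacking through it, and anything that comes back True from an arbitrary outside origin is a candidate for the same trick.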

09/10/2010

Adobe PDF Exploit Making the Rounds

September is proving to be a busy month for the bad guys. Aside from the latest email worm, dubbed W32/VBMania@MM by McAfee, cyber criminals are also exploiting Adobe Reader.

This latest bug (CVE-2010-2883) is rated "Critical," Adobe's highest severity rating, and affects Adobe Reader and Acrobat versions 9.3.4 and earlier on the following platforms:

  • Microsoft Windows
  • Apple Macintosh
  • Unix

According to Adobe, a mitigation is available for Windows users in the meantime, though installing the fixed version once Adobe ships it is definitely the better choice. Their official announcement warns,

"Current exploits in the wild target the Windows platform. Customers using Adobe Reader or Acrobat 9.3.4 or earlier on Windows can utilize Microsoft's Enhanced Mitigation Evaluation Toolkit (EMET) to help prevent this vulnerability from being exploited.

"For more information on EMET and implementing this mitigation, please refer to the Microsoft Security Research and Defense blog. Note that due to the time-sensitive nature of this issue, testing of the functional compatibility of this mitigation has been limited.

"Therefore, we recommend that you also test the mitigation in your environment to minimize any impact on your workflows."

Possible effects of the exploit

Adobe says, "This vulnerability (CVE-2010-2883) could cause a crash and potentially allow an attacker to take control of the affected system," so unless you have some very good reason not to, apply Adobe's Reader/Acrobat fix as soon as it's available.

For more details, here's a post from Sophos on Adobe Acrobat/Reader exploit and the official Adobe Reader/Acrobat security announcement.

05/20/2010

What's with the "Earthquake" Exploit, KHOBE?

Earlier this month, security researchers at Matousec released details of research they've done that, they claim, bypasses 100% of antivirus software.

As you might imagine, there's quite a bit of concern about this, particularly among business users, now that mainstream media has started discussing the so-called KHOBE attack.

Let's dig into this a bit and see what's behind the hype.

What is KHOBE?

It's an acronym for Kernel HOok Bypassing Engine.

Put another way, it's a way for attackers to trick antivirus software. ZDNet's writer, Adrian Kingsley-Hughes, does a great job describing how this works:

"The attack is a clever 'bait-and-switch' style move.

"Harmless code is passed to the security software for scanning, but as soon as it's given the green light, it's swapped for the malicious code.

"The attack works even more reliably on multi-core systems because one thread doesn't keep an eye on other threads that are running simultaneously, making the switch easier."

Kingsley-Hughes goes on to say, "Oh, and don't think that just because you are running as a standard user that you're safe, you're not. This attack doesn't need admin rights."

OK, now this is starting to sound like a pretty big deal.
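Here's an added example that models the bait-and-switch Kingsley-Hughes describes. It is our own illustration, not code from Matousec, ZDNet, or the original post. The hook in the vulnerable version inspects a request buffer that still lives in the caller's memory and then reads that memory a second time to act on it; a second thread in the caller's process rewrites the buffer in between. The fixed version copies the buffer once and uses that private copy for both the check and the action. The request strings, the toy "policy", and the scheduling hook that stands in for the other thread running are all made up so the interleaving is deterministic.

```python
"""Model of the argument-switch race behind KHOBE: check-then-reuse of a
buffer the caller still controls, beside the copy-once fix. Added example."""
from typing import Callable, Optional

BENIGN = b"open C:\\Users\\me\\notes.txt"          # passes the toy policy
MALICIOUS = b"write \\\\.\\PhysicalDrive0"          # blocked by the toy policy

Swapper = Callable[[bytearray], None]


def looks_harmless(request: bytes) -> bool:
    """Toy policy standing in for the scanner: raw-disk access is blocked."""
    return b"PhysicalDrive" not in request


def hook_vulnerable(shared: bytearray, other_thread: Swapper) -> Optional[bytes]:
    """Check, then re-read: two fetches of memory the caller still controls."""
    if not looks_harmless(bytes(shared)):
        return None                 # blocked on the first read
    other_thread(shared)            # the caller's second thread runs here
    return bytes(shared)            # acts on whatever is in the buffer now


def hook_fixed(shared: bytearray, other_thread: Swapper) -> Optional[bytes]:
    """Copy once; the check and the action use the same private snapshot."""
    snapshot = bytes(shared)
    if not looks_harmless(snapshot):
        return None
    other_thread(shared)            # the swap still happens...
    return snapshot                 # ...but only the checked copy is acted on


def swap_in_malicious(shared: bytearray) -> None:
    """What the attacker's second thread does: rewrite the buffer in place."""
    shared[:] = MALICIOUS


def no_race(shared: bytearray) -> None:
    """A single-threaded, honest caller that never touches the buffer."""


if __name__ == "__main__":
    print(hook_vulnerable(bytearray(BENIGN), swap_in_malicious))  # the malicious request gets through
    print(hook_fixed(bytearray(BENIGN), swap_in_malicious))       # only the benign request runs
    print(hook_fixed(bytearray(MALICIOUS), no_race))              # None: blocked outright
```

On a real system the "other thread" is a thread the attacker's program already owns, spinning on the buffer while the first thread makes the call, which is why the technique needs the attacker's own code running on the machine before it can do anything, and why a multi-core box, where both threads really run at once, makes the timing easier.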

Mitigating Factors with KHOBE

Here's where things *do* start to become more positive though:

  1. It requires a lot of code. That makes it less than ideal for most attacks: since the code has to somehow be transferred to your machine, its current size makes it harder to use as a way to slip past security software.

  2. The attacker's software has to already be running on your computer. Wha? Yes, that's right. From what the antivirus vendors can tell thus far (at least the ones we've heard from), the technique doesn't bypass their software unless the attacker's code is already there to begin with. That could happen if you install their software after you've been infected, or if you disabled your antivirus program.

  3. There aren't any known exploits--or exploit kits--that rely on this technique. (At least not yet.) The chances of encountering this in the real world are still very, very minimal.

  4. It only affects antivirus software that hooks the System Service Descriptor Table (SSDT), a technique that's used less and less. Antivirus companies have been moving (or have already moved) away from SSDT hooking since Windows Vista, and on 64-bit Windows the kernel's Patch Protection (PatchGuard) blocks it outright. Windows XP seems to be the last Windows version where security vendors commonly relied on it.

     This means if you're running Windows Vista or 7, chances are your antivirus or Internet security software is already immune to this exploit.

     Antivirus maker Sophos says, "Sophos's on-access anti-virus scanner doesn't use SSDT hooks, so it's fair for us to say that this isn't a vulnerability for us at all."

     VIPRE Antivirus' maker, Sunbelt Software, says, "...it would affect antivirus programs that use SSDT. We don't use SSDT in VIPRE for Windows Server 2008, Vista and Windows 7. We do use it for older operating systems, like Windows XP."

  5. It's difficult to make work. The code works, yes, but given the many things that have to line up for it to work, even if you were to encounter it "in the wild," there's still no guarantee your computer would be infected.

Antivirus Vendor Responses

Sophos and Sunbelt aren't the only antivirus companies refuting the claims. Security company F-Secure says,

"We believe our multi-layer approach will provide sufficient protection level even if malicious code were to attempt use of Matousec's technique.

"And if we would see such an attack, we would simply add signature detection for it, stopping it in its tracks. We haven't seen any attacks using this technique in the wild."

Our Take on KHOBE

This is true not just for F-Secure, but for all Internet security software vendors.

If real-world exploits using this technique turned up, adding signatures for them should defeat those particular attacks pretty easily. A signature only catches the sample it was written for, though; closing the underlying hole means dropping the SSDT hooks, or having the hook copy a request's arguments before checking them so that the copy it checks is the copy it acts on.

Regardless of the outcome of the debate about this particular exploit, there are still a couple of take-away points as far as we're concerned,

  1. Run the best antivirus software you can afford.
  2. Keep it updated--frequently.
  3. Even if you're updated and protected against known threats, it's critical to back up your system regularly so that if something does get by your defenses, you can at least restore your system to a point before the infection.

11/19/2009

Arrests Made for ZBot / Zeus Trojan

Police in Manchester, England, arrested two people in connection with the Zbot Trojans.

If you're unfamiliar with the ZBot Trojan, also called "Zeus," it's a nasty bugger that was responsible for over $415,000 being stolen from a Kentucky county's bank account earlier in 2009.

But that's not all it's known for.

Zbot/Zeus is, according to a Sophos security blog post,

"...one of the most notorious pieces of malware of recent times.

"It's a data-stealing Trojan horse, designed to grab information from Internet users which would help hackers break into online bank accounts and social networking sites such as Facebook and MySpace."

That's just the start of it. Zbot also gets spammed out to ordinary Internet users using a variety of social engineering tricks to lure the unwary into opening an attachment or clicking a link to a website hosting malware.

So, assuming the right folks were arrested, this is rather good news. Let's hope they did get the right people, and that even though the two are already out on bail, they soon face an appropriate measure of justice--especially given how many people, companies, governments, and other organizations were harmed by this Trojan.

And, to the cops responsible for the arrest, again assuming they caught the right folks, "Well done."

11/04/2009

Windows 7 Virus Vulnerabilities: Is It Getting Better?

There's a lot of hoopla about how much better Windows 7 is than prior versions at keeping viruses and other malware at bay and keeping people safe online.

What's the reality though?

Are the default settings in the Windows 7 User Account Control (UAC) all that's needed to protect your PC?

A lot of people want to know, and here's what we found out from antivirus vendor Sophos.

"We grabbed the next 10 unique samples that arrived in the SophosLabs feed to see how well the newer, more secure version of Windows and UAC held up.

"Unfortunately, despite Microsoft's claims, Windows 7 disappointed just like earlier versions of Windows.

"The good news is that, of the freshest 10 samples that arrived, 2 would not operate correctly under Windows 7."

Hrm... well, that doesn't sound good. Does UAC work at all?

As it turns out, yes. In Sophos' tests, UAC blocked one of the malware samples. At least that's a start.

Chester Wisniewski, the writer of the piece, goes on to say,

"User Account Control did block one sample; however, its failure to block anything else just reinforces my warning [Editor's note: registration required] prior to the Windows 7 launch that UAC's default configuration is not effective at protecting a PC from modern malware.

"Lesson learned? You still need to run anti-virus on Windows 7.

"Microsoft, in the Microsoft Security Intelligence Report released yesterday, stated that 'The infection rate of Windows Vista SP1 was 61.9 percent less than that of Windows XP SP3.'"

We'll go a step further. It isn't just antivirus software that's needed these days. It's firewall software, too.

Putting the two together (along with solid antispyware), as the Internet security suites do, and combining them with Windows 7's UAC offers the best, most complete combination of software to protect your PC.

That said, is the upgrade to Windows 7 worth it from a security standpoint?

We think so.

Regardless of UAC stopping only one of the ten malware samples, that's what it's doing today. Give the engineers at Microsoft some time with their next service packs for Windows 7, and they'll no doubt improve it even more.

Another thing to consider is that a sample size of 10 pieces of malware isn't terribly big. With a greater number of threats, more representative of those you might actually encounter online, UAC may help thwart some of them.

But, as we see here, there's still no substitute for antivirus software.

08/17/2009

Antivirus Software: What's Real? What's Fake?

One of the growing concerns for many security and antivirus professionals is the dramatic growth of fake antivirus software.

The idea behind fake A/V software is to trick unsuspecting consumers into downloading and installing their fake software in an effort to get trojans, viruses, spyware, and other malware installed onto PCs in the process.

There's nothing real about the fake software, except the threat it poses.

The process works like this:

  1. Trick the consumer with a real-looking, real-sounding ad on an (often unsuspecting) legitimate website
  2. Get consumer to install the phony (but very real looking) antivirus application
  3. Stuff any number of trojans, keyloggers, spyware, and other evil applications into the fake antivirus program
  4. Use the newly infected computer to do their bidding, including (among other things):
    1. identity theft
    2. credit card fraud
    3. bank theft
    4. infecting other computers
    5. spamming

Solution to the Fake Antivirus Software Problem

Word is filtering out today about a way to tell fake antivirus software from legitimate programs.

A new site from security and SSL vendor Comodo, for a project they're backing called the "Common Computing Security Standards Forum," aims to help consumers figure out what's real and what's not.

With their list of known legitimate antivirus vendors, they hope to help put an end to the dummy antivirus programs out there and help consumers steer clear of the junk.

Keep in mind that a vendor being on the list doesn't make every download that claims to come from that vendor legitimate: rogue programs routinely borrow real brand names, so get the installer from the vendor's own site and check that its digital signature actually names that vendor.

In addition to thanking them for their efforts, here is a complete list of current antivirus vendors known to Comodo to be the real deal:

Legitimate Antivirus Software Vendors
  • AhnLab
  • Aladdin
  • ALWIL
  • Antiy
  • Authentium
  • AVG Technologies
  • Avira GmbH
  • BitDefender (BitDefender Antivirus & Internet Security)
  • BullGuard
  • CA Inc (CA Anti-Virus)
  • Checkpoint
  • Cisco
  • ClamAV
  • Comodo
  • CSIS Security Group
  • Drive Sentry
  • Dr.Web
  • Emsi Software
  • ESET
  • F-Secure
  • Fortinet
  • Frisk Software
  • G Data Software
  • GFI/Sunbelt Software (VIPRE Antivirus & Internet Security)
  • Ikarus Software
  • Intego
  • iolo
  • IObit.com
  • Kaspersky Lab (Kaspersky Anti-Virus & Internet Security)
  • Kingsoft
  • Malwarebytes
  • McAfee (McAfee VirusScan Plus & Internet Security)
  • Norman
  • Panda (Panda Antivirus Pro & Internet Security)
  • PC Tools
  • Prevx
  • Rising
  • Sophos
  • SuperAntispyware
  • Symantec (Norton AntiVirus & Internet Security)
  • Trend Micro (Trend Micro AntiVirus & Internet Security)


You'll note that every one of the programs we've reviewed since day one of our site (reviews linked above) is on the list.

If you know of other legitimate A/V software not on the list, please contact us so that we can share your insight with the folks at Comodo.

06/26/2009

Michael Jackson Spam / Malware Attacks

It didn't take long for the spammers, scammers, and scumware makers to try to take advantage of Michael Jackson's sad passing.

SophosLabs brings news that,

"Just about 8 hours after his demise, SophosLabs witnessed the first wave of spam messages employing the sad news in the subject line and body part to harvest victims’ email addresses."

A Computerworld.com article, which also mentions the SophosLabs blog, quotes Sophos security researcher Graham Cluley as saying,

"I wouldn't be surprised to see hackers claiming that they have top-secret footage from the hospital, perhaps [allegedly] taken by the ambulance people, that then asks you to install a video codec."

Then once you click on the supposed codec update link, you're instantly infected with a virus / trojan. Blech.

Sad as it is to see criminals capitalizing on such events, we're not surprised. There's no depth too low for virus writers to stoop when it comes to trying to infect and take over your computer.

If you're unsure when your A/V software was last updated, you might want to take a look; if you're not yet running antivirus / Internet security software, there's no time like the present. I guarantee the people responsible for attacks like these aren't going to be easing up anytime soon--if ever.