04/13/2012

Flashback Checker & Removal Tools (or Why Antivirus Software is a Good Thing)



People sometimes question why antivirus software that's not a part of the operating system is a must.

With Windows 8 for instance, Microsoft has announced they're including their own antivirus software right in the operating system itself.

To be blunt: this is meaningless, particularly when it comes to making a PC safer. The first antivirus software the virus writers will make sure their code evades is the one built into Windows! So this A/V software amounts to little more than a false sense of security for most people and a minor delay for the bad guys.

Having good third-party antivirus software means you have another layer of protection the bad guys don't necessarily know about. Sure, they may try to avoid detection by independent antivirus programs, especially the most common ones, but if they're at least beating the baked-in antivirus software, their battle is largely done.

Yes, it might make it harder to find ways to infect PCs to begin with, but all that does is slow them down a bit.

Now, let's bring Apple into the picture.

Apple was criticized first for its slowness in applying the patches to Java that Oracle released months ago (the delays that caused the Flashback Trojan to hit Macs as virulently as it did to begin with), then a second time for not working with the antivirus community that was eager to help, and then a third time for not releasing detection and removal tools.

Luckily, the antivirus companies entered the picture. First was Dr. Web with its disclosure of the trojan (and "sinkholing" of the botnet's command-and-control domain names).

Then F-Secure came into the picture with manual instructions for determining if your Mac had been compromised. On the heels of that was Kaspersky with free, automated Flashback detection and removal tools.

All of these companies beat Apple--by a LONG shot--at protecting their customers (and non-customers alike) with the steps and tools each of them released.

Oh, and lest it go unsaid, Apple did release an update to Java that patches the hole and removes the most common variants of the Flashback malware.

Here's what the update looks like in Software Update:

04/06/2012

Nearly 600,000 Macs Hit with Flashback Trojan Malware



Many a blog post have I written about the necessity of Mac antivirus software, hoping to get at least a few people to drop their delusions about how the Mac and Apple's OS X are impervious to viruses.

Now, don't get me wrong, I'm not trying to start a PC vs Mac flame war/battle. Really. (They're useless.) Nor do I want this to be an, "I told you so."

What I am saying is this: If it has a CPU, chances are at or near 100% that a virus can be written to attack that computer. It's only a matter of time 'til it happens. And, yes, some computers, operating systems, and software are inherently more secure.

Even still, it's important to realize "more secure" doesn't mean "secure."

In a way, we should consider ourselves lucky: like the MacDefender fake antivirus malware, this one is getting a lot of coverage in the press and elsewhere, so it's raising the specter of viruses becoming mainstream for the Mac the way they are for the PC.

And with that knowledge comes greater understanding of what can be done to protect ourselves. In this case the understanding came because the Russian antivirus firm Dr. Web uncovered the 550,000-strong botnet that spread via the trojan Backdoor.Flashback.39.

F-Secure also has a good write-up / manual removal instructions on how to remove the Trojan-Downloader:OSX/Flashback.I.

And, if you're a Mac user and you haven't yet gotten it, Apple has an important Java security update. (A Java exploit is the channel through which the trojan infects the Mac to begin with.)

My $.02, if you're looking for antivirus software for your Mac, our testing is incomplete, but so far we like BitDefender Antivirus for Mac, so if you're in the market, take a look.


UPDATE

Turns out this Mac Trojan isn't some little deal. The folks at F-Secure have found out Mac Trojan Flashback.B Checks for virtual machine!

What's so significant about that?

Nearly all antivirus researchers rely heavily on virtualization software like Virtual PC, VMware, Parallels, VirtualBox and others to help their research.

Using virtualization software allows the researchers to investigate viruses with the added safety net of doing so in a contained environment. And, in doing so they're able to more easily explore the innards of many viruses.

The malware writers for Windows have figured this out, and many of the most advanced viruses check whether they are running inside a virtual environment and, if so, shut down, making research slower, more tedious, and a lot more difficult.

This is one of those things that's been going on in the Windows virus arena for a long, long time. What's really unexpected though is that it's already showing up in a Mac virus, which on a couple of levels means virus writing is a lot more advanced for the Mac than many virus researchers--and certainly the general public--ever imagined.

The bottom line: if you're running a Mac and you don't have Mac antivirus software, it's time to consider it.

12/14/2011

Ask the Experts: Help! My PC is infected! How do I remove a virus?



Mike wrote in today asking a question on a lot of people's minds:
"I was surfing the web, I use Firefox, when suddenly my antivirus software started going totally nuts.

"I got a warning that it had blocked something from infecting my system, and I thought everything was fine, but a few seconds later, my system ground to a halt and my desktop disappeared.

"A few seconds after that, the desktop reappeared and everything seemed to be back to normal.

"Yeah right.

"Right after that I got a pop-up from something that looked like antivirus software, but I knew it wasn't, saying my PC was infected.

"The thing is, I know what my antivirus software looks like, and this thing doesn't look anything like it.

"The d##### thing has taken over my system, and they claim unless I pay for a registered version of their so-called 'software', it appears I'm screwed.

"What a bunch of a#######.

"So, I've tried doing a manual scan with my current antivirus. It says everything is fine. It's not. The definitions were just updated right before it happened, so I thought everything would be fine.

"I called the company looking for help, and they want to charge me to get rid of the thing. Didn't I already pay for antivirus protection?

"I don't know who I'm more pissed off at. The jerks who wrote this thing or the antivirus company for trying to stick it to me.

"Now, I'm out looking for an answer, and I came across your site.

"Any tips or ideas on how I can get rid of this thing?"


I shot a reply back to Mike immediately with this answer:

Hi Mike,

Sorry to hear about your virus fiasco. What a pain.

Especially since you thought you were covered. Good news and bad news.

First the bad news: as you've found out, not all antivirus software is created equal.

And unfortunately even the best software sometimes lets something slip through. It's a daily cat-and-mouse game between the good guys and the bad guys, and infections like the one you got are what most of the companies consider their biggest challenge: stopping rogue / fake antivirus software.

Now for the good news: there are a couple of great free rescue tools out there that are ideal for a situation like the one you have on your hands.

The three I like the most are the ones from VIPRE, BitDefender, and Kaspersky.

Here are links for their free rescue CDs:

  Effective Rescue CDs for Virus Removal

  Product       Info Page                           Download Page
  VIPRE         VIPRE Rescue CD Information         Download VIPRE Rescue CD (.exe)
  BitDefender   BitDefender Rescue CD Information   Download BitDefender Rescue CD (.iso) [1]
  Kaspersky     Kaspersky Rescue CD Information     Download Kaspersky Rescue CD (.iso)

To use any of them, you need access to another clean PC with a CD-ROM burner or the ability to boot from a USB thumbdrive.

I'll skip the steps to make a CD or USB version since it's a little different for each, and it's covered in detail at their respective sites linked above.

They're all pretty easy to use, but since each of them works a little differently, you'll want to read up a bit on the one you're going to use before you get started.

Any of these rescue CDs should be able to easily detect and remove the virus. If not, write us back, and we'll go into the next steps. Either way, let me know how it goes. Good luck with it.


[1] The BitDefender Rescue CD file is called "bitdefender-rescue-cd.iso." I didn't link to it directly so if other options appear on their site, you can see what they are.

06/30/2011

TDL4 / TDSS: an "Indestructible" Botnet?

"The malware detected by Kaspersky Anti-Virus as TDSS is the most sophisticated threat today."

That's a quote directly from Kaspersky's analysis of the TDL4 / TDSS bot.

No matter where you look, this botnet is making news. And it's making even the Conficker/Downadup worm that made big news last year look pretty tame by comparison. Why?

"TDSS uses a range of methods to evade signature, heuristic, and proactive detection, and uses encryption to facilitate communication between its bots and the botnet command and control center.

"TDSS also has a powerful rootkit component, which allows it to conceal the presence of any other types of malware in the system."

Translation: TDL-4 is great at hiding itself and great at hiding viruses and other threats from antivirus software.

The TDL software itself isn't particularly new, but what's interesting about it is how its creators have evolved it over time, making it harder to detect and stop with each version. This latest version, TDL-4, for instance, is now able to infect 64-bit systems.

So, if you had any sense of additional security from the fact that most viruses still weren't able to attack 64-bit systems, those days are gone.

This botnet is clearly not something garden variety. Kaspersky's researchers go on to say,

"The owners of TDL are essentially trying to create an 'indestructible' botnet that is protected against attacks, competitors, and antivirus companies."

What makes it so hard to detect to begin with is that it's a "bootkit": it infects the Windows MBR (Master Boot Record).

And, because the MBR is infected, it runs before the operating system even starts. Huh?

Exactly, and as The Bard says, "there's the rub." Because it's activated before the OS starts, it's also running before your antivirus software, too.

So, how the heck do you detect this thing, much less get rid of it?!

As of the writing of this piece, it's somewhat hit-or-miss as to whether or not a given piece of antivirus software will remove it if you've gotten it. So far, it looks like all the best antivirus software manufacturers have updated their software and/or signatures to detect it.

Even still, some of them, including Norton and Kaspersky, consider this such a big threat that they're making specific Popureb / TDL-4 / TDSS removal tools:

  Norton Bootable Discovery Tool
  Kaspersky Anti-rootkit TDSSKiller

Microsoft's initial advice to remove Popureb (as Microsoft is calling it), according to a Computerworld.com piece, was,

"If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state."

This is in line with what Microsoft was telling customers in early 2010 when the Alureon rootkit was first making the rounds. MSRC (Microsoft Security Response Center) director Mike Reavey said at the time,

"If customers cannot confirm removal of the Alureon rootkit using their chosen anti-virus/anti-malware software, the most secure recommendation is for the owner of the system to back up important files and completely restore the system from a cleanly formatted disk."

Ouch.

Depending on who you ask, this is either overkill or, really, the best, most cautious approach.

One researcher for Symantec, Vikram Thakur, says,

"When you fix the MBR, you pretty much expose the threat itself to other applications, including antivirus applications. They can then pick up on the threat, and delete it."

If you have any suspicion that you've been infected, a great tool to ferret out a rootkit is GMER (version 1.0.15.15640 as of this writing).

If you get bad news from GMER, it'll look like this:

As far as an official Microsoft response goes, the Microsoft TechNet blog on Popureb.E says,

"If your system is infected with Trojan:Win32/Popureb.E, we advise fixing the MBR using the Windows Recovery Console to return the MBR to a clean state."

Here's how to fix the MBR by hand:
  1. Open a Windows Recovery Console
  2. Use the tool BOOTREC.exe [1] to fix the MBR as in:

    bootrec.exe /fixmbr

  3. Restart the computer and you can then scan the system to remove any remaining malware.
Notably, Microsoft adds a critical part almost as an afterthought: "If you opt to use Windows Restore to remove the malware instead, you must still fix the MBR first, and then restore the system."
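Because a bootkit lives in the first sector of the disk and runs before the OS and the antivirus, the practical defensive check is to compare that sector against a copy taken when the machine was known clean, both before you decide to run bootrec /fixmbr and afterwards to confirm the boot code really changed back. The script below is an added example, not part of the original post or any vendor tool: it parses a 512-byte MBR (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), hashes the boot code, checks the partition table, and reports where the sector differs from a stored baseline hash. The sample MBRs are constructed in the script; on a real system you would read the sector from the disk (on Windows, for instance, opening \\.\PhysicalDrive0 with administrator rights, which is an assumption about your setup), and since an active bootkit can hook disk reads, that read should be done from rescue media rather than from the possibly infected Windows.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445: the boot code a bootkit overwrites
PARTITION_TABLE_OFFSET = 446   # four 16-byte partition entries follow the code
PARTITION_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511 must be 0x55 0xAA


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte classic MBR partition-table entry (little-endian)."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
        "<B3sB3sII", entry
    )
    return {
        "bootable": status == 0x80,
        "type": ptype,
        "lba_start": lba_start,
        "sectors": sectors,
        "empty": ptype == 0 and sectors == 0,
    }


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash and its partition table."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % MBR_SIZE)
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    boot_code = mbr[:BOOT_CODE_LEN]
    partitions = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_LEN
        partitions.append(parse_partition_entry(mbr[start:start + PARTITION_ENTRY_LEN]))
    return {
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(mbr: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    findings = []
    info = parse_mbr(mbr)
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    active = [p for p in info["partitions"] if p["bootable"] and not p["empty"]]
    if len(active) != 1:
        findings.append("expected exactly one active partition, found %d" % len(active))
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR (not a real disk image): one active NTFS-type partition."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00",
                        2048, 1_000_000)
    table = entry + b"\x00" * (3 * PARTITION_ENTRY_LEN)
    return code + table + BOOT_SIGNATURE


if __name__ == "__main__":
    # Baseline: the boot-code hash recorded from a known-clean MBR (constructed here).
    clean = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")
    baseline = parse_mbr(clean)["boot_code_sha256"]
    # Constructed "tampered" MBR: same partition table, different boot code.
    tampered = build_sample_mbr(b"\xeb\xfe")
    print("clean   :", check_mbr(clean, baseline) or "OK")
    print("tampered:", check_mbr(tampered, baseline))
```

The baseline hash is the only thing you need to store; keep it off the machine it describes. An unchanged partition table with changed boot code is exactly the pattern of an MBR bootkit, which is why the two are reported separately.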

The bottom line with this thing is, it's no joke. As the Kaspersky researchers put it, it's "the most sophisticated threat today."

If you've been infected, we'd suggest trying to ferret it out first with your antivirus software. If that doesn't work, look to some of the other methods like GMER and the specific removal tools like those from Symantec and Kaspersky.

[1] More info on BOOTREC.exe.

05/29/2011

Just How Prevalent are Viruses?

One of the questions we're most often asked is,

C'mon... do I really need antivirus software? Doesn't it just slow your PC down anyway?

Our answer? "Yes, and no, not really [1]."

It turns out the need may be even more acute than we believed. According to a Computer World piece, "New malware scanner finds 5% of Windows PCs infected," one in every 20 Windows PCs whose users turned to Microsoft for cleanup help was infected with malware, and that's according to Microsoft's own data from their Microsoft Safety Scanner.

Yowza.

Here's the first kicker: that only counts the number of folks who used the Microsoft tool, and doesn't count those who:

  1. downloaded the tool on one PC and removed malware from a second (or third or other computer)
  2. took their computer to Best Buy or their local PC repair shop
  3. had their geek niece/nephew/neighbor fix their computer
  4. consulted search engines to repair their PC on their own
  5. installed antivirus software on their own
  6. gave up and purchased a new PC

Here are a couple of other interesting tidbits from the Computer World article,

On average, each of the infected PCs hosted 3.5 threats, which Microsoft defined as either actual malware or clues that a successful attack had been launched against the machine.

This is almost as interesting to me as the 1-in-20 stat. What this seems to show is that when you run your PC without antivirus software, chances are when it gets hit, it gets really hit.

Why?

Certainly some portion of those may be multiple infections arising from the same initial infection, but the bulk are no doubt infections happening at different times and perhaps even via different infection techniques.

This means when you lack protection, it's not that you get infected once, and you're done. On the contrary. Having one virus doesn't mean you can't get more. In fact, you'll probably have three-and-a-half.

Another important tidbit: the majority of the infections came via Java exploits, interesting most of all because they

Given that we ourselves test every product we review with live viruses and all sorts of other malware, we know that no antivirus software is perfect. The bottom line, though, is that antivirus software does give you a significant advantage and helps keep your PC protected and virus free.


[1] Yes, crappy antivirus software slows your machine down. Definitely. The best antivirus software doesn't.

03/22/2011

Microsoft Working to Take Down Win32/Rustock Botnet

Microsoft's Jeff Williams gives an update on Microsoft's part in continued action to eradicate the Win32/Rustock botnet.

Over a year ago Microsoft marshalled a unique botnet-fighting team. Made up of others in industry and some folks in academia, they used a combination of legal and technical means to take control of the Win32/Waledac botnet as the first milestone action in project MARS (Microsoft Active Response for Security).

In the past couple of days the court records of a similar action were unsealed, which allowed Microsoft to talk more openly about the Win32/Rustock botnet.

Sure, Waledac was a simpler and smaller botnet than Rustock, but because of lessons learned with it, Microsoft was able to take on the much larger Rustock botnet.

Rustock is estimated to have infected over a million computers and was spewing out millions of spams daily.

In fact, some statistics have suggested that at its peak, Rustock accounted for a staggering 80% of all spam traffic by volume and was sending at a rate of over 2,000 messages per second.

What was so impressive in the botnet takedown was the scope of things: the seizure of command and control servers was under court order from the U.S. District Court for the Western District of Washington; the order was carried out by the U.S. Marshals Service and by authorities in the Netherlands.

That alone would be a fairly big deal, but here's the kicker: investigators are now going through evidence seized from five hosting centers in seven locations to learn more about those responsible and their activities.

This was a collaboration with others such as Pfizer (whose brands were infringed on from fake-pharma spam coming from Rustock), FireEye, and the University of Washington.

All three gave valuable statements to the court on the behaviors of Rustock and also on the specific dangers to public health, in addition to those affecting the Internet.

On Microsoft's side, the efforts are represented by a partnership between Microsoft's Digital Crimes Unit, the Microsoft Malware Protection Center, and Microsoft Trustworthy Computing.

We applaud Microsoft and its partners for pulling this off. Their continued work with CERT and ISPs around the world is the only way to reach those whose computers are infected and help defeat and remove these viruses.

03/08/2011

Fake Ads Posing as AV Solutions Target Browsers

Blogger Dan Goodin at The Register talks about how browser malware is growing.

For a while now, ads that pimp malware disguised as antivirus "fix-it" software have typically been customized to give the appearance of belonging to Microsoft's Internet Explorer and Windows operating systems.

Well...not so anymore.

With the popularity of Google's Chrome, Mozilla's Firefox, and Apple's Safari browsers, these fake antivirus pimps are working harder to target the browser that's actually in use by the victim.

Senior security researcher at Zscaler.com, Julien Sobrier, says it looks like a crafty, targeted, browser-specific malware campaign pushing the fake antivirus software.

Here's what the malware looks like in various web browsers:

Internet Explorer

Internet Explorer users get the typical Windows 7 Security Alert.

[Screenshot: fake AV alert as shown to Internet Explorer users]

Mozilla Firefox

Interestingly, Firefox users will see Firefox elements (which also appear in the source code). Additionally, the security warning normally shown gets spoofed when Firefox detects the user attempting to navigate to a known malicious site.

[Screenshot: fake AV alert as shown to Firefox users]

Google Chrome

Google's Chrome users get a customized popup window -- complete with the Google Chrome logo and an innocuous-looking warning. The positive side to this is that Chrome identifies the page reporting this falsehood.

[Screenshot: fake AV alert as shown to Chrome users]

If the user clicks "ok", a Chrome-looking window opens and shows a fake scan taking place.

Apple Safari

Finally, Safari also gets spoofed and shows the Safari logo in fake pop-up alerts, but ultimately it looks and feels like IE.

[Screenshot: fake AV alert as shown to Safari users]

These ads are intended to lead surfers into believing they've been infected and that the system can and will be cleaned by the (fake) antivirus software being offered. Since the popup warnings are tailored to look as though they're being presented by the browsers themselves, there appears to be a higher chance of success for the malware hackers.

Sobrier writes:

"I've seen malicious pages tailored in the past, but they were mostly fake Flash updates or fake codec upgrades for Internet Explorer and Firefox.

"I've never seen targeted fake AV pages for so many different browsers."

According to Dan Goodin, some sites that redirect to this scam are:

  • columbi.faircitynews.com
  • jmvcorp.com
  • www.troop391.org.

If you're successfully redirected, the site tries to push InstallInternetDefender_xxx.exe to your PC and run it, where the xxx is a frequently changing number.

At the time of Sobrier's piece, a VirusTotal scan showed this malware detected by just 9.5 percent of the 42 AV programs tested, although that number is sure to increase quickly.

It's clear that fake antivirus scams are getting more sophisticated. The good news is, legitimate Internet security software is evolving, too.
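The two concrete indicators this piece gives, the dropper filename pattern with its changing number and the handful of redirecting sites, are exactly what a web proxy log can be screened for while signature detection is still catching up. The script below is an added example and not code from the article or from Zscaler: it parses constructed proxy log lines (a simplified "time client method url status referer" format, an assumption; adapt parse_line to your proxy's format) and flags requests whose path ends in InstallInternetDefender_<digits>.exe, requests to the redirecting sites the article names, and downloads referred from those sites.

```python
import re
from urllib.parse import urlparse

# Dropper filename pattern quoted in the article: the number after the underscore
# changes frequently, so match any run of digits rather than a fixed value.
FAKE_AV_DROPPER = re.compile(r"/InstallInternetDefender_\d+\.exe$", re.IGNORECASE)

# Redirecting sites named in the article; a watch list, not a complete one.
KNOWN_REDIRECTORS = {"columbi.faircitynews.com", "jmvcorp.com", "www.troop391.org"}

# Constructed proxy log lines (simplified format: time client method url status referer).
SAMPLE_LOG = """\
2011-03-08T10:01:02 10.0.0.12 GET http://example.org/index.html 200 -
2011-03-08T10:01:09 10.0.0.12 GET http://www.troop391.org/page.php 302 -
2011-03-08T10:01:10 10.0.0.12 GET http://cdn.example.invalid/scan/InstallInternetDefender_472.exe 200 http://www.troop391.org/page.php
2011-03-08T10:02:30 10.0.0.17 GET http://example.org/installinternetdefender.html 200 -
"""


def parse_line(line: str):
    """Split one log line into fields; return None for lines that don't fit the format."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, method, url, status, referer = parts
    return {"time": ts, "client": client, "method": method, "url": url,
            "status": status, "referer": referer}


def classify(rec: dict) -> list:
    """Return the reasons a record is suspicious (empty list if none)."""
    reasons = []
    url = urlparse(rec["url"])
    if FAKE_AV_DROPPER.search(url.path):
        reasons.append("fake-AV dropper filename")
    if url.hostname in KNOWN_REDIRECTORS:
        reasons.append("request to known redirector")
    if rec["referer"] != "-" and urlparse(rec["referer"]).hostname in KNOWN_REDIRECTORS:
        reasons.append("referred by known redirector")
    return reasons


def scan_log(text: str) -> list:
    """Run classify() over every parseable line and collect the hits."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits.append({"client": rec["client"], "url": rec["url"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["client"], hit["url"], ", ".join(hit["reasons"]))
```

The referer check matters more than the hostname list: the dropper is served from a host that changes, so a download of any .exe referred from a known redirector is worth a second look even when the filename no longer matches. The fourth sample line, a page whose name merely contains the word, is deliberately not flagged.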

09/15/2009

Stopping Malware: ISPs Cutting Off Internet Access to Malware Infected Computers

Malware in all its forms, viruses, worms, trojans, keyloggers, botnets, spyware, and even adware, is for most individuals and businesses unpleasant at best and a nightmare at worst.

Once your PC has been infected, cleaning up the mess the malware leaves behind can be easier said than done.

For better or worse, realizing your computer has been compromised is often difficult if not impossible. It can't be said too often that preventing the malware/virus infection in the first place should be your first priority in computer security:

  1. Be smart about what you do online.
  2. Keep your PC updated with Windows Update.
  3. Install (and run!) antivirus software or an Internet security suite.


In an effort to deal with those computers that have been infected, Australia's Internet Industry Association (IIA) "has drafted a new code of conduct that suggests Internet Service Providers (ISPs) contact, and in some cases, disconnect customers that have malware-infected computers." Under the code, ISPs would:

  1. Identify compromised/infected computers
  2. Contact customers with infected computer(s)
  3. Provide information/advice on how to fix infected computer(s)
  4. Report / alert about serious large-scale threats (including ones that affect national security)

Some believe this shifts the onus onto the ISPs to ensure their customers' PCs are malware free; however, given that the IIA is also calling for unresponsive customers (or ones involved in large-scale threats) to have their Internet access suspended, it really puts it onto the consumer, where I believe it really belongs. Here's why:

If your machine does have a virus, worm, or other malware, you may lose your Internet access 'til you get it cleaned up.

Given how cheap even the best antivirus firewall software is, risking your Internet access to save a few bucks on Internet security software doesn't make sense--especially given that you'd need Internet access to download software to clean up an infected PC.

No matter how you slice it, the ISPs realize what a threat viruses and other malware are and are going to take whatever steps they can to protect themselves, their customers, and their infrastructure. Seems like smart business to me.