It isn't every day you get to see what a real Trojan attack looks like.
When you do, there's seldom time to even take screenshots: you just want to get the heck out of Dodge.
But this time, while putting together material for our upcoming free workshop, I happened across a real attack and was able to record it.
If you've ever wondered what an attack looks like, here's your chance to see one.
Here's the best/worst part: nothing stopped it.
- Not our Internet Security Software.
- Not any of our browsers' built-in malware protection
- Not even Windows 10 built-in security.
See for yourself how it happened and what you can do to stop it.
People sometimes question why antivirus software that's not a part of the operating system is a must.
With Windows 8, for instance, Microsoft has announced it is including its own antivirus software right in the operating system itself.
To be blunt: this is meaningless, at least as far as making a PC safer goes. The first antivirus software the virus writers will make sure their malware evades is the one built into Windows! And so this A/V software amounts to little more than a false sense of security for most people and a minor delay for the bad guys.
Having good third-party antivirus software means you have another layer of protection the bad guys don't necessarily know about. Sure, they may try to avoid detection by independent antivirus programs, especially the most common ones, but if they're at least beating the baked-in antivirus software, their battle is largely done.
Yes, it might make it harder to find ways to infect PCs to begin with, but all that does is slow them down a bit.
Now, let's bring Apple into the picture.
Apple was criticized first for its slowness in applying the patches to Java that Oracle had released months earlier (the delays that allowed the Flashback Trojan to hit Macs as virulently as it did to begin with), then a second time for not working with the antivirus community that was eager to help, and a third time for not releasing detection and removal tools.
Luckily, the antivirus companies entered the picture. First was Dr. Web with its disclosure of the trojan (and "sinkholing" of the botnet's command-and-control domain names).
Then F-Secure came into the picture with manual instructions for determining if your Mac had been compromised. On the heels of that was Kaspersky with free, automated Flashback detection and removal tools.
All of these companies beat Apple--by a LONG shot--at protecting their customers (and non-customers alike) with the steps and tools they each made.
Oh, and lest it go unsaid, Apple did release an update to Java that patches the hole and removes the most common variants of the Flashback malware.
Here's what the update looks like in Software Update:
Many a blog post have I written about the necessity of Mac antivirus software, hoping to get at least a few people to drop their delusions about how the Mac and Apple's OS X are impervious to viruses.
Now, don't get me wrong, I'm not trying to start a PC vs Mac flame war/battle. Really. (They're useless.) Nor do I want this to be an, "I told you so."
What I am saying is this: If it has a CPU, chances are at or near 100% that a virus can be written to attack that computer. It's only a matter of time 'til it happens. And, yes, some computers, operating systems, and software are inherently more secure.
Even still, it's important to realize "more secure" doesn't mean "secure."
In a way, we should consider ourselves lucky: like the MacDefender fake antivirus malware, this one is getting a lot of coverage in the press and elsewhere, so it's raising the specter of viruses becoming mainstream for the Mac the way they are for the PC.
And with that knowledge comes a greater understanding of what can be done to protect ourselves. In this case the understanding came because Russian antivirus firm Dr. Web uncovered the 550,000-strong botnet that spread via Trojan Backdoor.Flashback.39.
F-Secure also has a good write-up / manual removal instructions on how to remove the Trojan-Downloader:OSX/Flashback.I.
And, if you're a Mac user and you haven't yet gotten it, Apple has an important Java security update. (A Java exploit is the channel through which the trojan infects the Mac to begin with.)
My $.02: if you're looking for antivirus software for your Mac, our testing is incomplete, but so far we like BitDefender Antivirus for Mac, so if you're in the market, take a look.
UPDATE: Turns out this Mac Trojan isn't some little deal. The folks at F-Secure have found out that Mac Trojan Flashback.B checks for virtual machines!
What's so significant about that?
Nearly all antivirus researchers rely heavily on virtualization software like Virtual PC, VMware, Parallels, VirtualBox and others to help their research.
Using virtualization software allows the researchers to investigate viruses with the added safety net of a contained environment. And, in doing so, they're able to more easily explore the innards of many viruses.
The malware writers for Windows have figured this out, and many of the most advanced viruses check to see if they're running inside a virtual environment and, if so, shut down, making research slower, more tedious, and a lot more difficult.
This is one of those things that's been going on in the Windows virus arena for a long, long time. What's really unexpected though is that it's already showing up in a Mac virus, which on a couple of levels means virus writing is a lot more advanced for the Mac than many virus researchers--and certainly the general public--ever imagined.
The bottom line: if you're running a Mac and you don't have Mac antivirus software, it's time to consider it.
Mike wrote in today asking a question on a lot of people's minds:
"I was surfing the web (I use Firefox) when suddenly my antivirus software started going totally nuts.
"I got a warning that it had blocked something from infecting my system, and I thought everything was fine, but a few seconds later my system ground to a halt and my desktop disappeared.
"A few seconds after that, the desktop reappeared and everything seemed to be back to normal.
"Right after that I got a pop-up from something that looked like antivirus software, but I knew it wasn't, saying my PC was infected.
"The thing is, I know what my antivirus software looks like, and this thing doesn't look anything like it.
"The d##### thing has taken over my system, and they claim unless I pay for a registered version of their so-called 'software', it appears I'm screwed.
"What a bunch of a#######.
"So, I've tried doing a manual scan with my current antivirus. It says everything is fine. It's not. The definitions were just updated right before it happened, so I thought everything would be fine.
"I called the company looking for help, and they want to charge me to get rid of the thing. Didn't I already pay for antivirus protection?
"I don't know who I'm more pissed off at: the jerks who wrote this thing or the antivirus company for trying to stick it to me.
"Now, I'm out looking for an answer, and I came across your site.
"Any tips or ideas on how I can get rid of this thing?"
I shot a reply back to Mike immediately with this answer:
Sorry to hear about your virus fiasco. What a pain.
Especially since you thought you were covered. Good news and bad news.
First the bad news: as you've found out, not all antivirus software is created equal.
And unfortunately even the best software sometimes lets something slip through. It's cat-and-mouse between the good guys and the bad guys every day, and things like what you got are what most of the companies consider their biggest challenge: rogue / fake antivirus software.
Now for the good news: there are a couple of great free rescue tools out there that are ideal for a situation like the one you have on your hands.
The three I like the most are the ones from VIPRE, BitDefender, and Kaspersky.
Here are links for their free rescue CDs:
Effective Rescue CDs for Virus Removal

| Info Page | Download Page |
|---|---|
| VIPRE Rescue CD Information | Download VIPRE Rescue CD (.exe) |
| BitDefender Rescue CD Information | Download BitDefender Rescue CD (.iso) [1] |
| Kaspersky Rescue CD Information | Download Kaspersky Rescue CD (.iso) |
To use any of them, you need access to another clean PC with a CD-ROM burner, or the ability to boot from a USB thumb drive.
I'll skip the steps to make a CD or USB version since they're a little different for each, and they're covered in detail at their respective sites linked above.
They're all pretty easy to use, but since each of them works a little differently, you'll want to read up a bit on the one you're going to use before you get started.
Any of these rescue CDs should be able to easily detect and remove the virus. If not, write us back, and we'll go into the next steps. Either way, let me know how it goes. Good luck with it.
[1] The BitDefender Rescue CD file is called "bitdefender-rescue-cd.iso." I didn't link to it directly so that if other options appear on their site, you can see what they are.
"The malware detected by Kaspersky Anti-Virus as TDSS is the most sophisticated threat today."
That's a quote directly from Kaspersky's analysis of the TDL4 / TDSS bot.
No matter where you look, this botnet is making news. And it's making even the Conficker/Downadup worm that made big news last year look pretty tame by comparison. Why?
"TDSS uses a range of methods to evade signature, heuristic, and proactive detection, and uses encryption to facilitate communication between its bots and the botnet command and control center. TDSS also has a powerful rootkit component, which allows it to conceal the presence of any other types of malware in the system."
Translation: TDL-4 is great at hiding itself and great at hiding viruses and other threats from antivirus software.
The TDL software itself isn't particularly new, but what's interesting about it is how its creators have evolved it over time, making it harder to detect and stop with each version. This latest version, TDL-4, for instance, is now able to infect 64-bit systems.
So, if you had any sense of additional security from the fact that most viruses still weren't able to attack 64-bit systems, those days are gone.
This botnet is clearly not garden variety. Kaspersky's researchers go on to say,
"The owners of TDL are essentially trying to create an 'indestructible' botnet that is protected against attacks, competitors, and antivirus companies."
What makes it so hard to detect to begin with is that it's a "bootkit": it infects the Windows MBR (Master Boot Record).
And because the MBR is infected, it runs before the operating system even starts. Huh?
Exactly, and as The Bard says, "there's the rub." Because it's activated before the OS starts, it's also running before your antivirus software.
So, how the heck do you detect this thing, much less get rid of it?!
As of the writing of this piece, it's somewhat hit-or-miss whether a given piece of antivirus software will remove it if you've gotten it. So far, it looks like all the best antivirus software manufacturers have updated their software and/or signatures to detect it.
Even still, some of them, including Norton and Kaspersky, consider this such a big threat that they're making specific Popureb / TDL-4 / TDSS removal tools.
Kaspersky Anti-rootkit TDSSKiller
Microsoft's initial advice to remove Popureb (as Microsoft is calling it), according to a Computerworld.com piece, was,
"If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state."
This is in line with what Microsoft was telling customers in early 2010 when the Alureon rootkit was first making the rounds. MSRC (Microsoft Security Response Center) director Mike Reavey said at the time,
"If customers cannot confirm removal of the Alureon rootkit using their chosen anti-virus/anti-malware software, the most secure recommendation is for the owner of the system to back up important files and completely restore the system from a cleanly formatted disk."
Ouch.
Depending on who you ask, this is either overkill or, really, the best, most cautious approach.
One researcher for Symantec, Vikram Thakur, says,
"When you fix the MBR, you pretty much expose the threat itself to other applications, including antivirus applications. They can then pick up on the threat, and delete it."
If you have any suspicion that you've been infected, a great tool to ferret out a rootkit is GMER (version 126.96.36.19940 as of this writing).
If you get bad news from GMER, it'll look like this:
Notably, Microsoft adds a critical part almost as an afterthought,
"If your system is infected with Trojan:Win32/Popureb.E, we advise fixing the MBR using the Windows Recovery Console to return the MBR to a clean state."
Here's how to fix the MBR by hand:
- Open a Windows Recovery Console:
  - For Windows XP: Installing and using the Recovery Console in Windows XP
  - For Windows Vista: System Recovery Options in Windows Vista
  - For Windows 7: System Recovery Options in Windows 7
- Use the tool BOOTREC.exe [1] to fix the MBR as in:
- Restart the computer; you can then scan the system to remove any remaining malware.
If you opt to use Windows Restore to remove the malware instead, you must still fix the MBR first, and then restore the system.
The bottom line with this thing is, it's no joke. As the Kaspersky researchers put it, it's "the most sophisticated threat today."
If you've been infected, we'd suggest trying to ferret it out first with your antivirus software. If that doesn't work, look to some of the other methods, like GMER and the specific removal tools such as those from Symantec and Kaspersky.
[1] More info on BOOTREC.exe.
One of the questions we're most often asked is,
C'mon... do I really need antivirus software? Doesn't it just slow your PC down anyway?
Our answer? "Yes, and no, not really [1]."
It turns out the need may be even more acute than we believed. According to a Computerworld piece, "New malware scanner finds 5% of Windows PCs infected," one in every 20 Windows PCs whose users turned to Microsoft for cleanup help was infected with malware. That's according to Microsoft's own data from its Microsoft Safety Scanner.
Here's the first kicker: that only counts the number of folks who used the Microsoft tool, and doesn't count those who:
- downloaded the tool on one PC and used it to remove malware from a second (or third or other) computer
- took their computer to Best Buy or their local PC repair shop
- had their geek niece/nephew/neighbor fix their computer
- consulted search engines to repair their PC on their own
- installed antivirus software on their own
- gave up and purchased a new PC
Here are a couple of other interesting tidbits from the Computerworld article,
On average, each of the infected PCs hosted 3.5 threats, which Microsoft defined as either actual malware or clues that a successful attack had been launched against the machine.
This is almost as interesting to me as the 1-in-20 stat. What this seems to show is that when you run your PC without antivirus software, chances are that when it gets hit, it gets really hit.
Certainly some portion of those may be multiple infections arising from the same initial infection, but the bulk are no doubt infections that happened at different times and perhaps even via different infection techniques.
This means that when you lack protection, it's not that you get infected once and you're done. On the contrary. Having one virus doesn't mean you can't get more. In fact, you'll probably end up with three and a half.
Another important tidbit: the majority of the infections came via Java exploits, interesting most of all because they
Given that we ourselves test every product we review with live viruses and all sorts of other malware, we know that no antivirus software is perfect. The bottom line is though that antivirus software does give you a significant advantage and help keep your PC protected and virus free.
[1] Yes, crappy antivirus software slows your machine down. Definitely. The best antivirus software doesn't.
Microsoft's Jeff Williams gives an update on Microsoft's part in continued action to eradicate the Win32/Rustock botnet.
Over a year ago, Microsoft marshalled a unique botnet-fighting team. Made up of others in industry and some folks in academia, it used a combination of legal and technical means to take control of the Win32/Waledac botnet as the first milestone action in project MARS (Microsoft Active Response for Security).
A similar action in the past couple of days has had its court records unsealed, which allowed Microsoft to talk more openly about the Win32/Rustock botnet.
Sure, Waledac was a simpler and smaller botnet than Rustock, but because of lessons learned with it, Microsoft was able to take on the much larger Rustock botnet.
Rustock is estimated to have infected over a million computers and was spewing out millions of spam messages daily.
In fact, some statistics have suggested that at its peak, Rustock accounted for a staggering 80% of all spam traffic by volume and was sending at a rate of over 2,000 messages per second.
What was so impressive in the botnet takedown was the scope of things: the seizure of command and control servers was under court order from the U.S. District Court for the Western District of Washington; the order was carried out by the U.S. Marshals Service and by authorities in the Netherlands.
That alone would be a fairly big deal, but here's the kicker: investigators are now going through evidence seized from five hosting centers in seven locations to learn more about those responsible and their activities.
This was a collaboration with others such as Pfizer (whose brands were infringed on from fake-pharma spam coming from Rustock), FireEye, and the University of Washington.
All three gave valuable statements to the court on the behaviors of Rustock and the specific dangers it posed to public health, in addition to those affecting the Internet.
We applaud Microsoft and its partners for pulling this off. Their continued work with CERT and ISPs around the world is the only way to reach those whose computers are infected and help defeat and remove these viruses.
Blogger Dan Goodin at The Register talks about how browser-targeted malware is growing.
For a while now, ads that pimp malware disguised as antivirus "fix-it" software have typically been customized to give the appearance of belonging to Microsoft's Internet Explorer and Windows operating systems.
Well...not so anymore.
With the popularity of Google's Chrome, Mozilla's Firefox, and Apple's Safari browsers, these fake antivirus pimps are working harder to target the browser that's actually in use by the victim.
Senior security researcher at Zscaler.com, Julien Sobrier, says it looks like a crafty, targeted, browser-specific malware campaign pushing the fake antivirus software.
Here's what the malware looks like in various web browsers:
Internet Explorer users get the typical Windows 7 Security Alert.
Interestingly, Firefox users will see Firefox elements (which also appear in the page's source code). Additionally, the page spoofs the security warning Firefox normally shows when it detects the user attempting to navigate to a known malicious site.
Google Chrome users get a customized popup window, complete with the Google Chrome logo and a warning designed not to arouse suspicion. The positive side is that Chrome identifies the page reporting this falsehood.
If the user clicks "OK", a Chrome-looking window opens and shows a fake scan taking place.
Finally, Safari also gets spoofed and shows the Safari logo in fake pop-up alerts, but ultimately the page looks and feels like IE.
These ads are intended to lead surfers into believing they've been infected and that the system can and will be cleaned by the (fake) antivirus software being offered. Since the popup warnings are tailored to look as though they're being presented by the browsers themselves, there appears to be a higher chance of success for the malware hackers.
"I've seen malicious pages tailored in the past, but they were mostly fake Flash updates or fake codec upgrades for Internet Explorer and Firefox.
"I've never seen targeted fake AV pages for so many different browsers."
According to Dan Goodin, some sites that redirect to this scam are:
If you're successfully redirected, the site tries to download and run InstallInternetDefender_xxx.exe, where the xxx is a frequently changing number.
At the time of Sobrier's piece, a VirusTotal scan showed this malware was detected by just 9.5 percent of the 42 AV programs tested, although that number is sure to increase quickly.
It's clear: fake antivirus scams are getting more sophisticated. The good news is, legitimate Internet security software is evolving, too.
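Because the dropper's numeric suffix rotates, a fixed-string indicator misses most downloads; matching on the stable part of the name catches every variant. This added example (not from the original post, Zscaler or The Register) runs such a check over constructed web-proxy log lines in a constructed format; the hostnames and client addresses are placeholders.

```python
import re
from collections import defaultdict

# Constructed log format: <timestamp> <client_ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
# Match the stable part of the dropper name; the numeric suffix rotates between victims.
DROPPER_RE = re.compile(r'/InstallInternetDefender_\d+\.exe(?:\?.*)?$', re.IGNORECASE)

# Constructed sample lines; hosts under .example and the 10.0.0.x clients are placeholders.
SAMPLE_LOGS = """\
2011-05-12T10:01:03Z 10.0.0.5 GET http://site.example/index.html 200 "Mozilla/5.0 (Windows NT 6.1) Firefox/4.0"
2011-05-12T10:01:09Z 10.0.0.5 GET http://scan.example/InstallInternetDefender_274.exe 200 "Mozilla/5.0 (Windows NT 6.1) Firefox/4.0"
2011-05-12T10:02:41Z 10.0.0.9 GET http://scan.example/InstallInternetDefender_301.exe?r=1 200 "Mozilla/5.0 (Windows NT 6.1) Chrome/11.0"
2011-05-12T10:02:50Z 10.0.0.9 GET http://scan.example/InstallInternetDefender_302.exe 404 "Mozilla/5.0 (Windows NT 6.1) Chrome/11.0"
2011-05-12T10:03:00Z 10.0.0.7 GET http://site.example/installer.exe 200 "Mozilla/5.0 (Windows NT 6.1) MSIE 9.0"
"""

def find_dropper_downloads(log_text: str) -> dict:
    """Map each client IP to the dropper URLs it fetched successfully (HTTP 200)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that don't fit the format
        _ts, client, method, url, status, _ua = m.groups()
        if method == "GET" and status == "200" and DROPPER_RE.search(url):
            hits[client].append(url)
    return dict(hits)

def dropper_suffixes(log_text: str) -> set:
    """Collect every rotating suffix seen, successful or not, to track the campaign over time."""
    return {int(s) for s in re.findall(r'InstallInternetDefender_(\d+)\.exe', log_text)}

if __name__ == "__main__":
    for client, urls in find_dropper_downloads(SAMPLE_LOGS).items():
        print(client, "downloaded:", urls)
    print("suffixes observed:", sorted(dropper_suffixes(SAMPLE_LOGS)))
```

Clients listed by find_dropper_downloads are the ones that actually received the executable and should be scanned with a rescue disk as described earlier on this page.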
Malware in all its forms (viruses, worms, trojans, keyloggers, botnets, spyware, and even adware) is, for most individuals and businesses, unpleasant at best and a nightmare at worst.
Once your PC has been infected, cleaning up the mess the malware leaves behind can be easier said than done.
For better or worse, realizing your computer has been compromised is often difficult if not impossible. It can't be said too often that preventing the malware/virus infection in the first place should be your first priority in computer security:
In an effort to deal with those computers that have been infected, Australia's Internet Industry Association (IIA) "has drafted a new code of conduct that suggests Internet Service Providers (ISPs) contact, and in some cases, disconnect customers that have malware-infected computers."
Some believe this shifts the onus onto the ISPs to ensure their customers' PCs are malware free; however, given that the IIA is also calling for unresponsive customers (or ones involved in large-scale threats) to have their Internet access suspended, it really puts the onus on the consumer, which is where I believe it belongs. Here's why:
If your machine does have a virus, worm, or other malware, you may lose your Internet access 'til you get it cleaned up.
Given how cheap even the best antivirus firewall software is, risking your Internet access to save a few bucks on Internet security software doesn't make sense--especially given that you'd need Internet access to download software to clean up an infected PC.
No matter how you slice it, the ISPs realize what a threat viruses and other malware are and are going to take whatever steps they can to protect themselves, their customers, and their infrastructure. Seems like smart business to me.