It isn't every day you get to see what a real Trojan attack looks like.
When you do, there's seldom time to even take screenshots: you just want to get the heck out of Dodge.
But, this time, in putting together material for our upcoming free workshop when I happened across a real attack I was able to record it.
If you've ever wondered what an attack looks like, here's your chance to see one.
Here's the best/worst part: nothing stopped it.
- Not our Internet Security Software.
- Not any of our browsers' built-in malware protection
- Not even Windows 10 built-in security.
See for yourself how it happened and what you can do to stop it.
By this time, the media seizes on the news and goes after it like a pack of sharks who've smelled blood in the water.
So, are these exploits worth being worried about?
Let's get the answer to this question by asking two more:
- Are you at risk?
- What's the best way to protect yourself?
Let's start with:
What Is Heartbleed?
Although not a virus or malware in the traditional sense, the Heartbleed vulnerability is a mechanism by which attackers can gain access to your confidential information when you access vulnerable websites, email, and other servers.
If one of these websites hasn't patched this vulnerability and you access it over a secure (https) connection, attackers can intercept your (otherwise secure) communication with that website, decode the information, and impersonate you with that server.
Confused? Let me put it in real world terms.
Let's say you go to your bank or credit card online.
You put in your username and password, do your business, and get on with your day. Fine. Or so you thought.
Meanwhile, silently in the background, someone was listening in right through the "secure" connection and stealing your username and password.
And, as you've moved on to other sites and the rest of the day, the bad guys are now logging into your bank account, and draining it.
It's not just bank accounts either.
According to the highly regarded Netcraft, over 500,000 widely trusted websites were vulnerable. No doubt some of them still are.
Many of the websites you visit to check your email or log into to conduct personal business are potentially vulnerable.
Now, some good news.
- Microsoft web servers are not vulnerable. (This doesn't mean people using Windows as their desktop OS aren't vulnerable. It just means the web sites themselves aren't.)
- Most banks and other financial institutions that were at risk have now patched their servers, eliminating the vulnerability.
- There's a plug-in for Google's Chrome browser called "Chromebleed" that tests sites for the vulnerability.
I recommend you take a look at Tom's Guide for complete details, but here's the list in condensed fashion (with some edits I've thrown in for good measure.)
- Change your Google, Facebook, Yahoo!, and Dropbox passwords.
- Log out of all apps on your phone, iPad, etc., then log back in.
- If a website asks you to update your password, do it.
- Update your OS (regardless of what you run: Windows, Mac, Linux, BSD, whatever).
- Set up two-factor authentication. (This is just a smart thing to do anyway.)
What About Shellshock?
Shellshock, also called "Bashdoor," is an attack, primarily on servers, that leverages a series of flaws in software called "Bash" that's commonly installed on web, email, and other servers.
Without boring you to tears with all the technical details of Shellshock, let's just address the important question here: are you at risk?
Unless you're running Cygwin on Windows, Xcode on OS X, or a Linux/BSD variant, chances are no. (If you don't know what these are, you're probably not at risk, since they aren't built into Windows or OS X.)
The bigger problem though is that many, many of the web sites you visit daily are (or at least were) vulnerable.
On top of that, unlike Heartbleed, where there's a very small risk of the server itself being compromised, Shellshock by design does compromise vulnerable servers and allows attackers to take them over.
In an outstanding article on Shellshock by Troy Hunt, he says,
"The worry with Shellshock is that an attack of this nature could replicate at an alarming rate, particularly early on while the majority of machines remain at risk.
"In theory, this could take the form of an infected machine scanning for other targets and propagating the attack to them."
OK, brass tacks, what does this mean?
First, it means your computers, laptops, phones, and tablets are probably not directly vulnerable.
HOWEVER, it does mean that many ordinary websites out there that we all think are safe and virus free are now places that are vulnerable to attack and that, once compromised, can harbor malware used to infect ordinary users' computers.
This is a strong case for considering Internet Security software over garden variety antivirus.
The two things most commonly found in Internet Security software absent in most antivirus programs are:
- malicious website blocking
- software firewall
What we've got here, my friends, is a list of the top five Add-Ons we like most (and use.)
In one way or another, the ones we've chosen are all geared towards improving your online privacy, security, or both. Sure, some of our favorites are popular and used by a lot of people; chances are though that even most security conscious uber geeks haven't heard of all of 'em we list.
Have a look at our list and feel free to throw your own $.02 in if there are ones you know of we missed.
Five Great Firefox Add-Ons (At Least Some of Which You've Never Heard Of)
Perspectives Project
Is that secure site really who it says it is?
The SSL system is imperfect. At its core are the Certificate Authorities (CAs). The first problem: it's possible to perform a Man-in-the-Middle (MiTM) attack against a CA.
The second problem: the CAs, while historically among the most secure organizations online, are also not impervious to attacks. Crackers have breached the gates and gotten into CAs.
In either case, all bets are off. That site you think is secure is anything but. Once a CA is compromised, any communications you have with a "secure" site can be intercepted and read like it's on the front page of Yahoo.
The Perspectives Project solution is a system of public network notaries to monitor the world's SSL certificates and help ensure the certificates are legit.
Running the Firefox Add-on is a cinch, and once you've used it even for a few minutes, you'll likely have the same, "Oh!" feeling like we did when we first started running it.
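Here is an added example (not the Perspectives Project's code) of the notary idea in Python: several vantage points report which certificate key they have seen for a host and for how long, and the client compares that with the key it just received. The notary names, fingerprints and dates are constructed sample data, and the quorum and minimum-age thresholds are assumptions chosen for the example.

```python
"""Notary-quorum check in the style of the Perspectives Project.

Added example, not code from the Perspectives Project or from this site.
The notary records are constructed sample data; a real client would query
its configured notary servers over the network and compare their answers
with the certificate the browser just received.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Observation:
    fingerprint: str    # hash of the DER certificate a notary saw (placeholder values below)
    first_seen: date
    last_seen: date


# Constructed sample: four notaries, one hostname. Notary 4 also remembers the
# key the site used before its last legitimate certificate renewal.
SAMPLE_NOTARIES = {
    "notary-1.example": [Observation("aa11", date(2013, 11, 2), date(2014, 4, 10))],
    "notary-2.example": [Observation("aa11", date(2013, 11, 3), date(2014, 4, 10))],
    "notary-3.example": [Observation("aa11", date(2013, 11, 2), date(2014, 4, 9))],
    "notary-4.example": [
        Observation("cc33", date(2013, 1, 5), date(2013, 11, 1)),
        Observation("aa11", date(2013, 11, 2), date(2014, 4, 10)),
    ],
}


def latest(observations):
    """The observation a notary most recently saw for the host (newest first_seen breaks ties)."""
    return max(observations, key=lambda o: (o.last_seen, o.first_seen))


def evaluate(observed_fp, notaries, today, quorum=0.75, min_days=7):
    """Decide whether the key the client sees matches what the notaries see.

    quorum:   fraction of notaries that must currently report the same key.
    min_days: how long that key must have been seen (guards against a key that
              every notary saw for the first time an hour ago).
    Returns (verdict, detail).
    """
    total = len(notaries)
    if total == 0:
        return "no_data", "no notary answered; the certificate cannot be corroborated"

    agreeing = [latest(obs) for obs in notaries.values()
                if obs and latest(obs).fingerprint == observed_fp]
    if len(agreeing) / total < quorum:
        # The man-in-the-middle signature: the path between this client and the
        # site shows a key that vantage points elsewhere do not see.
        return "mismatch", f"only {len(agreeing)} of {total} notaries currently see key {observed_fp}"

    # Measure from the newest first_seen among agreeing notaries: a key is only
    # as old as its most recent corroboration.
    seen_days = (today - max(o.first_seen for o in agreeing)).days
    if seen_days < min_days:
        return "new_key", f"{len(agreeing)} of {total} notaries agree, but the key is only {seen_days} day(s) old"
    return "consistent", f"{len(agreeing)} of {total} notaries have seen key {observed_fp} for {seen_days} days"


def rolled_over(notaries, new_fp, day):
    """Constructed scenario: every notary starts seeing a new key on `day`
    (what a legitimate certificate renewal looks like from outside)."""
    return {name: obs + [Observation(new_fp, day, day)] for name, obs in notaries.items()}


def demo(today=date(2014, 4, 11)):
    """Verdicts for three constructed situations a browser might be in."""
    return {
        "matches_everyone": evaluate("aa11", SAMPLE_NOTARIES, today)[0],
        "matches_no_one": evaluate("ee55", SAMPLE_NOTARIES, today)[0],
        "fresh_rollover": evaluate("bb22", rolled_over(SAMPLE_NOTARIES, "bb22", today), today)[0],
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario}: {verdict}")
```

The two checks are deliberately separate: a mismatch means your path to the site shows a key the rest of the world does not, while "new_key" is what a genuine certificate renewal looks like for its first few days and usually deserves a second look rather than a hard block.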
ShareMeNot
The ubiquitous social media icons you see on just about every site (including ours) are tracking what we do and where we go online. How can you keep their functionality and lose Big Brother?
To web geeks, it's no surprise that these little icons are tracking our every move online. What may be a surprise? It's very easy to keep their functionality and ditch their privacy-invading tracking with ShareMeNot.
Aside from how easy to use it is, the best part is that even if you forget to log out of your Facebook, Twitter, LinkedIn, Google/GMail, or Digg account (among others), ShareMeNot has still got your back.
In fact, that's when it works best. You can stay logged into your Facebook or GMail account and keep the great functionality of the "Like" and "+1" buttons as you surf but don't let 'em track where you're going online or what you're doing.
NoScript
Scripts are everywhere. Some are good; some are evil.
Tip the scale in your favor.
NoScript creator Giorgio Maone and the folks who develop NoScript take a unique approach to scripts: don't trust any. Until you do.
And, interestingly, not only do most sites still work even when scripts are disabled, but enabling necessary scripts on sites you trust is a piece of cake.
All-in-all it's a beautiful piece of work.
Adblock Plus
Get the content, kill the ads.
Advertising is one thing. Intrusive, annoying ads are another.
Adblock plus is a great answer to the problem.
Sure, there's overlap between what NoScript and Adblock can do, but Adblock is geared more towards stopping ads than NoScript.
Another interesting feature is it lets you "collapse" (i.e. hide) sections of a web page. Great for getting the content you want and avoiding the seemingly unavoidable in-your-face ads.
Using it is easy, too--just start with any of the 50+ existing lists. Then if and when you want to customize it, you can do that, too.
BetterPrivacy
There are cookies, and there are evil LSO cookies. Luckily, dealing with them isn't as hard as it once was.
Local Shared Objects (LSOs) are a special, particularly evil type of cookie. Known as "Super Cookies," they're Flash cookies, and they get placed into a central folder on your system. Thus, they're much, much more permanent than regular browser-based cookies. Super Cookies go where you go, and you can't see or delete them with a garden variety "delete cookies."
This is where BetterPrivacy comes in.
With it you can manually manage LSOs, or set it up to automatically delete 'em anytime you close (or open) a browser. That way you keep the LSOs/Super Cookies where they belong... not on your system.
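As an added example (not BetterPrivacy's code) of what "manage LSOs" means in practice, the Python script below lists every .sol file under the Flash Player profile folders and can prune all but the sites you choose to keep. The profile paths are the standard Flash Player locations on Windows, OS X and Linux, an assumption about the install rather than something the add-on's page states; make_sample_profile builds a constructed layout so you can try it on throwaway files first.

```python
"""List and prune Flash Local Shared Objects (the "super cookies" BetterPrivacy handles).

Added example, not BetterPrivacy's code. The profile locations are the
standard Flash Player paths on each platform (an assumption about your
install); pass your own roots to override them.
"""
import os
import sys
import tempfile
import time
from pathlib import Path


def flash_lso_roots():
    """Where Flash Player keeps .sol files, per platform."""
    if sys.platform.startswith("win"):
        base = Path(os.environ.get("APPDATA", "")) / "Macromedia" / "Flash Player"
    elif sys.platform == "darwin":
        base = Path.home() / "Library" / "Preferences" / "Macromedia" / "Flash Player"
    else:
        base = Path.home() / ".macromedia" / "Flash_Player"
    # #SharedObjects holds per-site data; .../sys holds per-site player settings.
    return [base / "#SharedObjects", base / "macromedia.com" / "support" / "flashplayer" / "sys"]


def site_of(sol_path, root):
    """Best-effort site name: under #SharedObjects it is the folder below the
    random bucket folder; under .../sys it is the '#site' folder name."""
    parts = sol_path.relative_to(root).parts
    if root.name == "sys":
        return parts[0].lstrip("#")
    return parts[1] if len(parts) > 1 else parts[0]


def find_lsos(roots):
    """Return (path, site, size_bytes, age_days) for every .sol under the roots."""
    now = time.time()
    found = []
    for root in roots:
        if not root.is_dir():
            continue
        for sol in root.rglob("*.sol"):
            st = sol.stat()
            found.append((sol, site_of(sol, root), st.st_size, (now - st.st_mtime) / 86400))
    return found


def purge_lsos(roots, keep_sites=(), dry_run=True):
    """Delete every LSO except those belonging to keep_sites. Returns the paths
    that were (or, in dry-run mode, would be) removed."""
    removed = []
    for sol, site, _, _ in find_lsos(roots):
        if site in keep_sites:
            continue
        if not dry_run:
            sol.unlink()
        removed.append(sol)
    return removed


def make_sample_profile(base=None):
    """Build a constructed Flash-profile layout for trying this safely; returns its roots."""
    base = Path(base) if base else Path(tempfile.mkdtemp(prefix="lso-demo-"))
    site_dir = base / "#SharedObjects" / "ABCDEFGH" / "example.com"
    site_dir.mkdir(parents=True, exist_ok=True)
    (site_dir / "settings.sol").write_bytes(b"\x00" * 16)
    sys_dir = base / "macromedia.com" / "support" / "flashplayer" / "sys" / "#tracker.example"
    sys_dir.mkdir(parents=True, exist_ok=True)
    (sys_dir / "settings.sol").write_bytes(b"\x00" * 8)
    return [base / "#SharedObjects", base / "macromedia.com" / "support" / "flashplayer" / "sys"]


if __name__ == "__main__":
    roots = make_sample_profile() if "--demo" in sys.argv else flash_lso_roots()
    for sol, site, size, age in find_lsos(roots):
        print(f"{site:30} {size:6d} bytes  {age:5.1f} days  {sol}")
```

Run it with --demo to see the constructed profile; without the flag it reads the real Flash Player folders and only lists, never deletes, unless you call purge_lsos with dry_run=False yourself.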
Sheryl writes in to ask,
"OK, so I'm not happy with the anti-virus software that came on my laptop, and it's nagging me all the time to 'renew my subscription'--one I didn't even know I had.
"I'd love to get rid of it just because I'm fed up with their nagging me.
"I'm assuming it's possible to replace with a new anti-virus program, but I don't know how.
"Can you help?? Please??"
Here's my reply:
Yes, it's possible. It's easy, and I'm glad to help.
STEP 1: PICK THE NEW SOFTWARE
For starters, you'll want to figure out what antivirus software (or Internet security suite) you're going to get to replace what's on there now with.
Doesn't make sense to rip the old one out 'til you know what's going in its place.
My suggestion would be to start with our antivirus software Buyer's Guide. (It's on the right side of every antivirus software review page of our site.)
STEP 2: UNINSTALL THE OLD SOFTWARE
We'll assume you've got the new software chosen, so next we'll get rid of the old software.
The easiest way to uninstall any (legitimate) program on Windows is to use the "Uninstall a program" link [1] within the Windows Control Panel.
[Shown here: Accessing the "Uninstall a Program" link]
[Shown here: Find the program in the list. Click "Uninstall".]
STEP 3: INSTALL THE NEW SOFTWARE
"Duh... of course," some of you might be thinking, but here's the deal: in Step 1, your goal is to figure out what A/V software you're going to use NOT to install it then and there.
First we've got to get rid of your old antivirus software. In the meantime, we want the PC to go without security software for as little time as possible.
Since figuring out what antivirus program is best for your needs takes more than a few seconds, you don't want to uninstall the old 'til you know what the new program is going to be.
[1] If you're using a version of Windows prior to Vista, you'll find it under the "Add/Remove Programs" button in the Control Panel.
Other than using a real virus, which seems crazy to me, is there a way for me to test to make sure my antivirus software is actually working?
Another great question! And another one of our most frequently asked ones, too.
Here's my reply:
Yes, there's actually a harmless little test virus called, "EICAR," that's designed to do just that.
As long as it's downloaded from the right place, it's completely benign. Its only purpose is to trigger an alert from your antivirus software. That's it.
The official site, and only safe place to download it, eicar.org, describes EICAR as a
"...legitimate DOS program, [that] produces sensible results when run (it prints the message 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!')."
We actually use EICAR ourselves when we take our screenshots of each antivirus program successfully detecting a virus.
(We don't use real viruses for our screenshots because we don't want overly curious visitors to, upon seeing real virus names, then go searching for those real viruses on the Internet to try for themselves.)
So, leave the real antivirus software testing to us, but use EICAR when you want to test that your A/V software is really working.
Got a question about antivirus software or PC security? Why not Ask the Experts?
Easily one of the most Frequently Asked Questions we get is,
What's the difference between antivirus software and an Internet security suite?
Right on the heels of that is the next one,
Is the upgrade worth it?
Each security software company puts its own spin on things, but generally it boils down to the addition of two critical features:
- firewall software
- malicious website filtering
firewall software
A software firewall creates a virtual "moat" between your PC and the Internet (or the rest of a network if you're on an open wireless network somewhere like a coffee shop or the airport).
Sure, some malware can beat a software firewall, but it's another layer of defense to help keep your PC safe.
The other benefit to the best firewalls: you can record (and block) traffic both going to your PC and traffic leaving from it, too.
What's the point?
You'd be surprised how many programs are installed on your PC that make connections all on their own to check for updates, etc. Viruses, worms, keyloggers, spambots, and other malware do this, too.
So, if you suspect a virus may've infected your PC and gotten past your antivirus software, a firewall can help you track down if and when it's making connection attempts from your PC back to a master server somewhere.
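To show what "recording traffic leaving your PC" can reveal, here is an added example (not code from this site or from any firewall vendor): a Python script that parses a few constructed lines in the layout of the Windows Firewall log (pfirewall.log, whose #Fields header names the columns) and lists the destinations the PC keeps trying to reach, with a flag for attempts that recur at a steady interval. The log lines and addresses are constructed, and the column layout is assumed from the standard Windows Firewall log header.

```python
"""Spot repeated outbound connection attempts in a Windows Firewall log.

Added example, not code from this site or from any firewall product. The
log below is constructed sample data laid out like Windows Firewall's
pfirewall.log, whose "#Fields:" header names the columns (layout assumed
from the standard header); the addresses are documentation ranges.
"""
import statistics
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2011-10-01 09:00:00 ALLOW TCP 192.168.1.10 198.51.100.20 49700 443 0 - 0 0 0 - - - SEND
2011-10-01 09:00:05 DROP TCP 203.0.113.77 192.168.1.10 4444 445 52 S 1 0 8192 - - - RECEIVE
2011-10-01 09:01:00 DROP TCP 192.168.1.10 203.0.113.5 49712 8080 52 S 1 0 8192 - - - SEND
2011-10-01 09:02:00 DROP TCP 192.168.1.10 203.0.113.5 49713 8080 52 S 1 0 8192 - - - SEND
2011-10-01 09:02:30 ALLOW UDP 192.168.1.10 192.168.1.1 61000 53 0 - - - - - - - SEND
2011-10-01 09:03:00 DROP TCP 192.168.1.10 203.0.113.5 49714 8080 52 S 1 0 8192 - - - SEND
2011-10-01 09:04:00 DROP TCP 192.168.1.10 203.0.113.5 49715 8080 52 S 1 0 8192 - - - SEND
2011-10-01 09:05:00 DROP TCP 192.168.1.10 203.0.113.5 49716 8080 52 S 1 0 8192 - - - SEND
"""


def parse_pfirewall_log(text):
    """Turn the log into dicts keyed by the column names in the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line appears before the #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # a half-written line at the end of a live log: skip rather than crash
        rec = dict(zip(fields, parts))
        rec["timestamp"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def outbound_summary(records, min_attempts=3):
    """Group outbound (path == SEND) records by destination and summarise the ones
    the PC tried to reach at least min_attempts times. Ports stay as strings."""
    by_dest = defaultdict(list)
    for rec in records:
        if rec["path"] == "SEND":
            by_dest[(rec["dst-ip"], rec["dst-port"])].append(rec)
    summary = {}
    for dest, recs in by_dest.items():
        if len(recs) < min_attempts:
            continue
        recs.sort(key=lambda r: r["timestamp"])
        gaps = [(b["timestamp"] - a["timestamp"]).total_seconds() for a, b in zip(recs, recs[1:])]
        summary[dest] = {
            "attempts": len(recs),
            "actions": sorted({r["action"] for r in recs}),
            "median_gap_s": statistics.median(gaps) if gaps else None,
            # Near-constant spacing is the "phoning home on a timer" pattern worth a closer look.
            "regular": len(gaps) >= 2 and statistics.pstdev(gaps) <= 0.1 * statistics.mean(gaps),
        }
    return summary


if __name__ == "__main__":
    for (ip, port), info in outbound_summary(parse_pfirewall_log(SAMPLE_LOG)).items():
        tag = "regular interval" if info["regular"] else "irregular"
        print(f"{ip}:{port}  {info['attempts']} attempts  {info['actions']}  "
              f"median gap {info['median_gap_s']}s  ({tag})")
```

The inbound probe on port 445 never shows up in the summary because it is RECEIVE traffic; the point of the outbound view is exactly the other direction, the PC reaching out on its own every minute to a host nobody asked it to contact.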
malicious website filtering
You're out reading some news and checking out your favorite sites. Maybe you're clicking around and visiting some sites you've never been to; maybe you just made a typo and typed "yuorbank" instead of "yourbank."
In either case, the bad guys are on the prowl and are:
- secretly taking over legitimate sites and installing their viruses onto them
- buying domain names that are typos of legitimate sites
- sending spams and phishing emails
Regardless of their method, the bad guys are out there, and malicious website filters (including anti-phishing ones), like a firewall, can give you one more layer of protection before the actual virus detection part of antivirus software has to come into play.
Is the upgrade worth it?
In a lot of cases when it comes to technology, there's wiggle room in an answer. In this case though, the "Yes" is clear-cut.
Sure, these two features will cost a few bucks more, usually about $10. The $10 is well spent though, since you're getting real benefit from it.
The $10 isn't just fluff on a fancier name; it's $10 on--at least--two different security technologies that you don't get with most basic antivirus protection.
And, they're two technologies that can make all the difference between your PC being compromised (and all the clean-up time, expense, and mess that goes along with it) and not.
- Some combination of the above?
There have been multiple reports of this in large online news outlets including CNet and ZDNet about the false positive, those people affected by it, and MS's reply.
Microsoft's response to the ZDNet inquiry was pretty quick (even though about 3,000 people were affected), with the MS spokesperson saying via email,
"On September 30th, 2011, an incorrect detection for PWS:Win32/Zbot was identified and as a result, Google Chrome was inadvertently blocked and in some cases removed from customers' PCs.
"We have already fixed the issue — we released an updated signature (1.113.672.0) at 9:57 am PDT — but approximately 3,000 customers were impacted."
While no one is cheering for Microsoft for the goof, it's pretty clear this really was just a goof. It happens.
Sure, given the relationship between Microsoft and Google, it could easily be called intentional or perhaps even a Freudian slip, but let's remember: antivirus software is complex stuff. No question.
And, at least in this case, it was remedied relatively quickly. If needed, here's where you can manually update the definitions for your Microsoft Security Essentials.
Lastly, regardless of what antivirus software you're running, if you haven't done it in a while, now's a good time to take a minute and make sure you're running the latest version with the most recent definitions.
Advanced virus detection techniques, Firefox plugins, apps that keep your private data safe on your smart phone, and Wi-Fi network hacking drones are just a start this year.
The list of the ten winning recipients from our 2011 Security Research Grant/Gift Fund this year is incredibly impressive.
Each of the projects is very, very good in its own right; so good that any of them could have won our top award.
As it turns out, our top award went to Kevin Roundy and his research advisor at the University of Wisconsin-Madison Computer Science Department, Dr. Barton P. Miller, for their project SD-Dyninst, which is helping figure out some of the cunning things the virus writers are up to and what they're doing to try to beat the best antivirus software and avoid detection.
Each of the winning projects we're helping fund offers something unique, but they all have one thing in common: making the Internet safer for us all.
Complete details about winning projects can be found here:
Thank you and congratulations to all the great projects of 2011--and the great minds behind them!
About the $10,000 grant, Giorgio Maone, who leads NoScript's development, said,
"The grant will fund the effort to merge the current two development lines, i.e. 'traditional' NoScript for desktop environments and NSA (NoScript 3.0 alpha for Android, generously aided by the NLNet Foundation).
"...it will support the implementation of a desktop UI [and] will allow a unified 'NoScript Anywhere' package to be installed indifferently on PCs and mobile devices, sharing the same configuration and permissions everywhere via secure remote synchronization."
In non-geek speak: your Android phone and your PC will be able to share NoScript configuration data, and they'll be easy to use, too.
If you're a fan of Firefox, which we are here, running NoScript adds another layer of security to your web surfing; it's great to see DRG recognizing how important NoScript is and to help fund its continued development.
If you haven't used Firefox in a while (or haven't updated yours in a while), here's where you can Download Firefox.
The first week or so you're running NoScript, like a software firewall, it needs a little training to get it to understand what sites you regularly visit and are "trusted," but after that, it's always on guard against the rogue site doing things it shouldn't to your PC.
Josh, this site's other editor, likes to call it the "firewall for Firefox." Sure, techies may take umbrage with his metaphor, but it gets the point across: NoScript blocks things from happening in and to Firefox.
Regardless of whether or not you run antivirus or Internet security software, NoScript adds another layer of security to Firefox and to your PC and information security.
It's definitely worth a look.
What does this mean?
It means if you're running Firefox, you must upgrade to keep your PC secure.
No ifs, ands, or buts.
As far as looks go, it's pretty much identical to Firefox 4, so there won't be any surprises there.
Computerworld has a brief write-up of the changes, although this bit summarizes everything handily,
"Although the company said it added more than 1,000 improvements to the browser, most were minor bug fixes or tweaks.
"Among the most significant changes were enhanced support for HTML5 and new support for CSS (cascading style sheet) animations."
"So now what?" you ask?
If you're running Firefox, upgrade now. Don't wait. Don't put it off. Do it now. Older versions are--as of June 21, 2011--officially unsupported.
Translation: no security updates.
So, if the bad guys start targeting the old version of Firefox, which they will, you're putting yourself at risk. It's not worth it.
Just take care of it. It's free. It's fast. It's easy.
Where do you get it?
Download Firefox here.