06/05/2012

Should I Be Concerned about the Flame Worm?

Since it was uncovered, there's been a lot of (mis)information on what Flame is, how it works, and what's at risk.

Let's take a look.

First, Lee Ferran and Rhonda Schwartz of ABC News should get an award. In this piece on Flame, they claim,
"The cyber espionage super bug Flame compromised a key Microsoft security system, the company has now revealed, prompting Microsoft to issue an emergency patch to its millions of customers because of fears of what one expert called potential "collateral damage" from the U.S. and Israel's cyber war against Iran."
I left in the entire paragraph from their article so that it could be seen in all its glory.

At best, the quote above is misleading. At worst, it's alarmist.

Now, let's set the record straight. For starters, no one compromised a "key Microsoft security system." "Compromised" by most any measure--but particularly in cybersecurity parlance--implies there was an intrusion into Microsoft.

There was no such intrusion.

What really happened? A garden variety compromise of Windows led to a privilege escalation that allowed the creators of the Flame virus to sign their software as if it had been written by Microsoft. (Garden variety may be a little off the mark, but hopefully you get the idea. It was Windows itself that was compromised.)

Was it serious pie/mud in Microsoft's face? Sure. Was it a compromise of "a key Microsoft security system"? Hardly.

What's worse is the article goes on to say, "The same day Microsoft revealed their security breach...." This bears repeating with emphasis.

There was... no... security... breach... at Microsoft.

Virus writers used existing software on the victims' computers to trick the user into installing their software. That's it.

Now that that's clear, just what is this thing?

It's a virus; well, technically, it's a worm, and it appears to be of the same vein as Stuxnet in that it may have been written by a nation-state. And it's been there for a long time--at least five years, say Kaspersky's researchers working on its analysis.

OK, so what's it do?

A better question: is there anything it doesn't do?

So far, according to Kaspersky's analysis of Flame, it can:
  1. Enumerate nearby Bluetooth devices
  2. Record audio (if there's a microphone)
  3. Create backdoor accounts on infected machines (HelpAssistant)
  4. Listen for incoming network requests
  5. List the PC's directory contents
  6. List "interesting" files
  7. Log keystrokes
  8. Upload collected data to remote servers
  9. Identify antivirus software and firewalls
This is a pretty nasty/impressive list of feats.

Now the real question. Are you at risk?

As with any virus, the answer is maybe. In this particular case, it's a worm, which makes matters worse since worms, by their very nature, seek out new targets to infect on their own.

Making matters worse is that it appears this bugger has been out there for at least five years, meaning it's had plenty of time to fly under the radar, infect PCs, and do its business.

The (slight) upside of things--at least if you're a home consumer not living in the Middle East--is that it appears it only targets PCs of "value" in the Middle East, and according to Kaspersky, it appears to have infected about 1,000 PCs. (In this case "value" means those in some way related to government, military, or defense organizations, from which it can glean intelligence data.)

Getting Rid of Flame

As complex as this worm is, at least one major antivirus company (in this case BitDefender) has already created a detection and removal tool. If you think your regular antivirus software may have missed it (or you're not running any), here's where you can find out: http://labs.bitdefender.com/2012/05/cyber-espionage-reaches-new-levels-with-flamer/.

One last thing: if you're looking for more information on Flame, keep in mind that it goes by other names, as most viruses do: Flamer, sKyWIper, and Skywiper.

08/29/2011

Morto: Remote Desktop Connection Worm In the Wild, Spreading Actively

The fine folks at Finnish antivirus software maker F-Secure have spotted a new worm in the wild.

For us antivirus folks, worms are among the most feared because of their ability to infect, spread, and replicate on their own.

This one is being dubbed "Morto," and what's so unique about it is it's the first one to use the Microsoft Remote Desktop Connection.

The only surprising thing to me is that it's taken so long for a worm of this type to surface. Remote Desktop gives you direct access to your desktop remotely, so if someone manages to break into your system via the Remote Desktop Service, it gives them direct access to your computer--as if they were working right at your desktop, albeit remotely.

This particular worm isn't exploiting any bugs in Windows or in Remote Desktop; rather, it's exploiting weak passwords, long the bane of good system administrators.

Further, it's attempting to gain access to the default "Administrator" login, giving it maximum permissions on the system. Thus, once it's in, the computer is fully compromised.

Our own networks are seeing this threat attempting to connect to our servers at a rate of about 10 attempts per second, so clearly, this is a threat to take seriously if you have machines that rely on TCP port 3389, the Remote Desktop port.

As for the passwords being attempted, F-Secure's post on the Morto Remote Desktop worm lists these as the passwords being used to attempt the break-ins:
  • admin
  • password
  • server
  • test
  • user
  • pass
  • letmein
  • 1234qwer
  • 1q2w3e
  • 1qaz2wsx
  • aaa
  • abc123
  • abcd1234
  • admin123
  • 111
  • 123
  • 369
  • 1111
  • 12345
  • 111111
  • 123123
  • 123321
  • 123456
  • 654321
  • 666666
  • 888888
  • 1234567
  • 12345678
  • 123456789
  • 1234567890
As you might imagine, there are already Morto worm discussions on the Microsoft TechNet forums, so if you think you're at risk, you might want to head over and take a peek at the discussions.

Here are our recommendations to keep this worm at bay:
  1. Change your password. Here's a how-to on choosing a good password.
  2. Rename your "Administrator" account. Since the worm is using "Administrator," alternatives will help keep it at bay.
  3. Block access to TCP port 3389, if possible, or limit access only to IP addresses you trust.
  4. Make sure your antivirus software/Internet security software is up-to-date.
F-Secure is detecting the Morto components as:
  • Backdoor:W32/Morto.A
  • Backdoor:W32/Morto.B

07/28/2011

Move Over Tom Clancy...A Real World Thriller: Stuxnet

WOW.

An incredible piece at Wired.com, "How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History", details the jaw-dropping, almost impossible to believe international tale of how researchers for Symantec (makers of Norton Antivirus and Norton Internet Security) tracked down and reverse engineered the Stuxnet worm.

It's a long piece that I thought I'd glance through at first, but that I found myself reading every word of.

Hat-tip to Kim Zetter for some incredible reporting and equally good storytelling.

"...the answer would come only after dozens of computer security researchers around the world would spend months deconstructing what would come to be known as the most complex malware ever written — a piece of software that would ultimately make history as the world's first real cyberweapon."

Image: Satellite image of the Natanz nuclear enrichment plant in Iran, taken in 2002 when it was still under construction. Image source: http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/

10/30/2009

Conficker: 1 Year Later, 7 Million Infected

"'The only thing I can guess at is the person who created this is scared,' said Eric Sites, chief technology officer with Sunbelt Software and a member of the working group.

"'This thing has cost so many companies and people money to get fixed, if they ever find the guys who did this, they're going away for a long time.'"

This from a Network World write-up on Conficker, 1 year later.

What a lot of folks find perhaps most interesting about Conficker is,

"Despite its size, Conficker has rarely been used by the criminals who control it.

"Why it hasn't been used more is a bit of a mystery.

"Some members of the Conficker Working Group believe that Conficker's author may be reluctant to attract more attention, given the worm's overwhelming success at infecting computers."

Regardless of whether or not it has been used a lot 'til now, the fact of the matter is that the Conficker Working Group estimates 7 million PCs have been infected thus far with variants A and B of the worm.

Another thing that caught our eye about the worm is that it's apparently very (perhaps most?) common in China and Brazil. The Network World piece (although we could not confirm this) cites the Conficker Working Group as,

"suspect[ing] that many of the infected PCs are running bootlegged copies of Microsoft Windows, and are therefore unable to download the patches or Microsoft's Malicious Software Removal Tool, which could remove the infection."

This policy of Microsoft's is definitely a subject of some debate.

Clearly, regrettably, a lot of people pirate Microsoft's software; that Microsoft in effect punishes others by helping to perpetuate the worm, by refusing to allow the pirates to update their copies of Windows (or download the Malicious Software Removal Tool), really doesn't make sense.

Microsoft's belief, no doubt, is that if pirates can't use their computers because of the worms, they'll wise-up and buy legitimate copies of Windows.

I doubt it.

If a computer is infected, the solution for the pirate is most often just to re-install the OS from scratch if needed and to take other steps (e.g., installing antivirus software) to prevent re-infection. Others just think their computers are slow and don't know why, or ignore the worm altogether and go on about their day.

Whatever the case, in the meantime, by preventing updates, Microsoft's policy allows Conficker to spread, grow, and perpetuate.

10/11/2009

Conficker Still Active

Back in March 2009 the worm Conficker gained notoriety for its countdown-to-activation.

We covered Conficker and removing Conficker quite extensively before and after the launch date, and now about six months later, it unfortunately comes as no surprise that systems are still being infected by it.

In fact, Kaspersky, which publishes a list of the top malware stats every month, still has Conficker in its various forms (called 'Net-Worm.Win32.Kido' by Kaspersky) occupying three of the top 20 malware spots for September 2009.

The folks at Viruslist.com, who (along with a ton of other things) report on Kaspersky's malware statistics, go on to point out that Kido (Conficker) remains active: "Kido.ih, the leader of this Top Twenty for the last six months, has been joined by another variant, Kido.ir, which is a newcomer to the rankings."

Removing Conficker isn't easy, and many antivirus software vendors had a tough time getting a handle on how to remove the worm from infected PCs, but as far as we know every major antivirus program today is capable of stopping and removing Conficker/Kido.

This is part of the reason, no doubt, why the authors of Conficker continue to write new versions: to try to thwart the A/V programs from stopping and removing their worm.

Regardless of whether or not your PC has been infected, make no mistake: even though it has been six months since Conficker's activation date, it's still a real threat. If your PC is unpatched, all you have to do is be connected to a network (or the Internet) where there are other infected machines for yours to be at risk of infection, too.

This threat is all but eliminated if you're running any of the best firewall antivirus software or Internet security suites.

Lastly, as a reminder, do make sure your PC has the latest patches. It typically takes just a few minutes to apply the patches, and after a reboot (sometimes two!) you're in business.

Prior coverage of Conficker

09/15/2009

Stopping Malware: ISPs Cutting Off Internet Access to Malware Infected Computers

Malware in all its forms--viruses, worms, trojans, keyloggers, botnets, spyware, and even adware--is for most individuals and businesses unpleasant at best and a nightmare at worst.

Once your PC has been infected, cleaning up the mess the malware leaves behind can be easier said than done.

For better or worse, realizing your computer has been compromised is often difficult if not impossible. It can't be said too often that preventing the malware/virus infection in the first place should be your first priority in computer security:

  1. Be smart about what you do online.
  2. Keep your PC updated with Windows Update.
  3. Install (and run!) antivirus software or an Internet security suite.


In an effort to deal with those computers that have been infected, Australia's Internet Industry Association (IIA)

"has drafted a new code of conduct that suggests Internet Service Providers (ISPs) contact, and in some cases, disconnect customers that have malware-infected computers."

The draft code calls on ISPs to:
  1. Identify compromised/infected computers
  2. Contact customers with infected computer(s)
  3. Provide information/advice on how to fix infected computer(s)
  4. Report/alert about serious large-scale threats (including ones that affect national security)

Some believe this shifts the onus onto the ISPs to ensure their customers' PCs are malware free; however, given that the IIA is also calling for unresponsive customers (or ones involved in large-scale threats) to have their Internet access suspended, it really puts it onto the consumer, where I believe it belongs. Here's why:

If your machine does have a virus, worm, or other malware, you may lose your Internet access 'til you get it cleaned up.

Given how cheap even the best antivirus firewall software is, risking your Internet access to save a few bucks on Internet security software doesn't make sense--especially given that you'd need Internet access to download software to clean up an infected PC.

No matter how you slice it, the ISPs realize what a threat viruses and other malware are and are going to take whatever steps they can to protect themselves, their customers, and their infrastructure. Seems like smart business to me.

05/25/2009

Nearly Two Months In: What's the Latest with Conficker?

In case you thought things had settled down with Conficker, you're wrong.

Just because it's nearly two months after the official Conficker activation date, and just because the mainstream media isn't talking about it anymore, doesn't mean it's not a real threat.

In fact, Computerworld, one of our favorite resources for computer security news, brings word of it in this statistic: 50,000 computers/day are still being infected with Conficker. [Full details on it from them: here.]

We learned via Computerworld that Symantec, like us, made mention of the media hype dying down but Conficker still being alive and well, saying in a recent Conficker blog:

"Much of the media hype seems to have died down around Conficker/Downadup, but it is still out there spreading far and wide."

The folks at Symantec even include a world map of Conficker infections.

What this means is that the chances of getting infected by this virus/worm are just as bad as ever. Even if fully 50% of the Conficker infections are caught within a week, that still means 175,000 new computers are being infected weekly.

At this point, having covered the Conficker worm (and removing the Conficker worm) extensively here at our site, it should come as no surprise that this worm is no joke. What's amazing to me is that after so much has been said about such malware, so many people still go without antivirus protection. Even without our coupons, getting the best antivirus/security software out there for Windows isn't that expensive.

The full sticker price of top-rated antivirus software like VIPRE or BitDefender is under $30; with our coupons it's even less. Even if the *only* worm in the world were Conficker, which (obviously) it isn't, $30 seems like a small price to pay to avoid the problem altogether, and in the case of Conficker, it's clear it's not going away anytime soon.