New Computers with Viruses on Them?

OK. So, you just bought a new computer. It still even has that brand-new-in-the-box / fresh-PC-smell.

And it's already got a virus.

Oh, did I mention it came that way straight from the factory?

That's exactly what the folks at Kaspersky Labs, makers of highly-rated, Kaspersky Anti-Virus 2009, discovered on a new netbook they just bought: a new netbook computer, straight from the factory with viruses.

Roel Schouwenberg discusses this in the Kaspersky Blog saying in the May 19, 2009, blog:

"The other day we bought a brand new M&A; Companion Touch to test. After initial checks, the testing group contacted me since they suspected a malware infection. Could this be yet another example of a factory-infected device?"

As it turns out, their brand new M&A; Companion Touch had not one but three bits of malware of just about every type imaginable: worm, rootkit, and trojan.

Malware Name Type MD5 Checksum
Worm.Win32.Autorun.aayn Worm 0x4f90e62489e5a891a1d9520408164b8c
Rootkit.Win32.Agent.hwq Rootkit 0x7f289b08a41ef6c26b684dc4d95028ee
Packed.Win32.Krap.g Trojan 0x1928c09bdb7d2c7d1180bf2105e1315a

After some digging, the Kaspersky specialist, "...was able to determine that these files had been present since February 2009, a long time before we got the netbook."

"This case shows once again that even brand new products can leave the factory infected.

Safeguarding against infected new devices is particularly difficult.

Doing an offline scan with an up to date security solution normally is the most effective solution.

As there will have been a time lapse between the device getting infected and you getting your hands on it, your security solution should have no problem detecting the malware."

That last sentence is one I took note of. Sure, it's no longer possible to trust brand new computers straight from the factory; however, it does mean that by installing antivirus software, you're likely to stop such malware in its tracks as the folks at Kaspersky have shown.

[Editor's Note: this isn't the first time we've seen factory-new products with viruses, we discussed the Samsung Digital Picture Frame virus last December.]


Nearly Two Months In: What's the Latest with Conficker?

In case you thought things had settled down with Conficker, you're wrong.

Just because it's nearly two months after the official Conficker activiation date, and just because the main stream media isn't talking about it anymore, doesn't mean it's not a real threat.

In fact, Computerworld, one of our favorite resources for computer security news, brings word of it in this statistic: 50,000 computers/day are still being infected with Conficker. [Full details on it from them: here.]

We learned via Computerworld that Symantec, like us, made mention of the media hype dying down but Conficker still being alive and well, saying in a recent Conficker blog:

"Much of the media hype seems to have died down around Conficker/Downadup, but it is still out there spreading far and wide."

The folks at Symantec even include a world map of Conficker infections.

What this means is that the chances of getting infected by this virus/worm are just as bad as ever. Even if fully 50% of the Conficker worms are caught within a week that still means 175,000 new computers are being infected weekly.

At this point, having covered the Conficker worm (and about removing the Conficker worm) extensively here at our site, it should come as no surprise that this worm is no joke, but what's amazing to me is that after so much has been said about such malware that still so many people go without antivirus protection. Even without our coupons, getting the best antivirus / security software out there for Windows isn't that expensive.

Full sticker price of top-rated antivirus software like, VIPRE or BitDefender is under $30; with our coupons it's even less. Even if the *only* worm in the world were Conficker, which (obviously) it isn't, $30 seems like a small price to pay to avoid the problem altogether, and in the case of Conficker, it's clear, it's not going away anytime soon.


US-CERT: "Malware Exploit Circulating"

One of the places we keep an eye on here is US-CERT.gov, the United States Computer Emergency Readiness Team. Their crack team of computer commandos (read: geeks) keep a watchful eye on all things relating to computer security that might have effects at the national/international level.

We like their view of things because it tends to have a "Just the facts, ma'am," approach to security news. Rather than being a bunch of FUD spreading that sometimes tends to come from security software vendors.

One of the things we took note of was their posting yesterday about what's being called, Gumblar malware.

Typically we avoid long quotes because there's seldom that much worth quoting, but this one is worth citing in whole, so quoting their posting,

"US-CERT is aware of public reports of a malware exploit circulating. This is a drive-by-download exploit with multiple stages and is being referred to as Gumblar.

The first stage of this exploit attempts to compromise legitimate websites by injecting malicious code into them.

Reports indicate that these website infections occur primarily through stolen FTP credentials but may also be compromised through poor configuration settings, vulnerable web applications, etc.

The second stage of this exploit occurs when users visit a website compromised by Gumblar. Users who visit these compromised websites and have not applied updates for known PDF and Flash Player vulnerabilities may become infected with malware.

This malware may be used by attackers to monitor network traffic and obtain sensitive information, including FTP and login credentials, that can be used to conduct further exploits.

Additionally, this malware may also redirect Google search results for the infected user.

US-CERT encourages users and administrators to apply software updates in a timely manner and use up-to-date antivirus software to help mitigate the risks."

There are several noteworthy things in this posting that we felt warranted clarification to our newer readers:

Security Problem 1: Drive-by-download exploit


Security Meaning:

These are viruses and other malware that can infect your computer just by visiting certain websites.


Web browsers, despite their user-friendliness (in fact because of it), have software bugs in them. These bugs are often very, very hard to detect for the programmers when they're creating the web browser software, but they're still there.

Crackers then begin attempting to trick the web browser into doing things it wasn't designed for--like installing software on your computer without your permission-- or even your knowledge.

Sometimes these bugs involve two components, perhaps a web browser like Internet Explorer and a .pdf reader like Adobe Acrobat.

Security Solution:

Make sure you run updated antivirus software.

Modern antivirus software can often stop these malware exploits in their tracks.

Thus, by running antivirus software you're doing a lot to mitigate risks from this type of malware delivered via your web browser.

Security Problem 2: Stolen FTP credentials


Security Meaning:

FTP is one of the most popular mechanisms used by web designers for transferring file to-and-from their web sites. FTP is fairly ubiquitous in the web design world; it's also completely insecure. Here's why:

FTP sends the web master's username and password, needed for them to make changes to their site, in "cleartext."

This means anyone on the same network segment or unsecured wireless connection as the web designer can actually silently intercept their usernames and passwords every time they make changes to their site.

If you can get a webmaster's FTP username and password, all bets are off.

This means crackers can then make changes of their own to the unsuspecting web master's website, including uploading files to do harm to your computer, just for visiting the website.

Chances are the webmaster of the site means you no harm and chances are they don't even know their site has been broken into, but that's exactly the point: get good sites to do bad for them without the webmaster's knowledge.

Security Solution:

If you're a webmaster, consider switching to SFTP, Secure File Transfer Protocol. SFTP's most popular variant is a part of OpenSSH, and it's totally, completely 100% free.

Nearly all Unix, BSD, Linux machines have support for SFTP. Windows web servers can run SFTP, too, under Cygwin.

Whatever your particular case, if you're renting a server from a web hosting, you'll want to check with them to see what options are available. Whatever the case, chances are, it's inexpensive and well worth the cost to minimize the risk of someone breaking into your website.

As all of us web site users, it's impractical to recommend something absurd like, "avoid unknown websites."

That's half the point of the Internet to begin with!

The real solution is to run antivirus software and make sure it's properly configured to provide "realtime" protection and protection at the web browser level.

Security Problem 3: updates for known PDF and Flash Player vulnerabilities


Security Meaning:

Like web browsers, PDF viewers like Acrobat and Flash players, have bugs, too.

These programs, in part because they're integral parts of web browsers today, can become part of the process that crackers use to get their viruses and malware onto your machine.

We've all been told about a million times is, "Don't open unknown attachments!"

Ok, got it. But these aren't even attachments... they're malicious viruses and the like that attack your computer whenever it visits a web page that has a .pdf of flash video, so now what?

Security Solution:

There are two important parts to this solution:

  1. Keeping your system and your software up-to-date.

  2. Typically, software from companies other than Microsoft needs to be updated outside of the "Windows Update" mechanism.

    This means going into applications like Adobe Acrobat and manually updating each piece of software in addition to using the software's autoupdate mechanisms, too.

    Autoupdate is great; however, we caution against becoming too dependent upon autoupdating software since there may be unknown reliability issues or other problems with these tools.

    It's important to know and understand what's going on with your computer.

  3. Antivirus software.
  4. Install it. Run it. Update it. Make sure it's properly configured.

Security Problem 4: redirect Google search results


Security Meaning:

For a lot of people Google practically is the Internet. Unfortunately, because of the trust put in Google, whatever shows up in their search results is often taken for gospel.

What this particular exploit is doing is swapping out the real Google results with phony ones. Why?

Most commonly this is because the crackers want you to visit sites they own or other site they make money from for sending traffic to.

Sometimes these sites they're sending traffic to have no idea they're getting traffic from malware that's been installed on their computer.

Security Solution:

Once again, the real solution is... that's right, you guessed it: antivirus software.

What we also took note of in the article was that US-CERT says, "US-CERT encourages users and administrators to apply software updates in a timely manner and use up-to-date antivirus software to help mitigate the risks."


Sure sounds like they're beating the same drum we do.


Are Viruses Getting Worse?

As you might imagine, we get a lot of email. Most of it is from really nice people all around the world looking for help choosing the best antivirus software for a new computer or are looking to upgrade antivirus software to a newer version.

Although it's asked a million different ways, one of the most common questions that comes from these emails is,

"Do I really need to upgrade my antivirus software or can I just keep getting new definitions?"

There should be no question in anyone's mind that the malware creators are constantly getting smarter and are making their viruses, worms, trojans, keyloggers, and the like more clever and harder to detect. In fact, an article in ZDNet talks about this very problem and that it's getting harder to detect viruses. The article cites, Konstantin Sapronov, one of the Kaspersky antivirus lab heads is paraphrased in the article, saying,

"new methods of infiltration have also rendered it nearly impossible for users to avoid infection, even if they are careful. Seemingly clean sites can also perform backend redirection to malware-ridden sites."

It's definitely a game of cat-and-mouse where the antivirus companies are always on the prowl looking for ways to refine their tools to make them smarter, faster, and more able. Likewise, the malware writers are constantly doing their best to avoid detection.

Do I Need to Upgrade Antivirus Software?

When considering whether to keep your existing software and extend your definition subscription or to purchase new antivirus software or upgrade versions, the buying decision can be boiled down to a few questions:

  1. Are you happy with the overall performance of your current software?
  2. In other words, does it run smoothly for you or is your system slow when the software is running?

    Today's best antivirus software really should run smoothly nearly all the time. In fact, most of the time you really should barely notice it.

  3. Do you get a lot of "false positives?"
  4. These are warnings about a virus or other infection that turn out to be nothing at all. If you're getting a lot of false positives this can often lead you to disable the software even though you know better.

    If you're disabling the software frequently (and not just when you're installing new software onto your computer), the software isn't doing it's job. Plain and simple. First of all, if it's disabled, it can't do its job. Secondly, if you didn't have the false positives, you wouldn't have to disable it.

    So, if you're disabling your antivirus software, it's not doing its job.

  5. How long has it been since you purchased your current antivirus protection?
  6. As a rule of thumb, if it has been more than six months, you should look at what's new. That doesn't mean go buy new software every six months. It means be aware of what's out there.

    Sometimes, there's little more than cosmetic changes to software; other times the underlying antivirus detection engine has had significant upgrades to detect new threats, minimize false positives, run lighter, or any number of other improvements.

    When the changes are mostly cosmetic, it's usually safe to skip a version and stick with your older software; when the changes are fundamental to the way the software works, it's wise to consider an upgrade.

    This doesn't necessarily mean you should upgrade, just that you should take time every few months to see what's new and if your needs are better suited to a new version.

    Ultimately, you're responsible for your own computer's security, so chances are no one will remind you to go check out what's new in the latest antivirus software.


Top 10 Worst PC Viruses


I came across an interesting find today from some of our peers at pcAuthority.com.au. They make a list--and a good one at that--of the Top 10 Worst Computer Viruses of all time.

Internet security tends to have a short memory once we're past a computer virus outbreak. We tend to breath a collective sigh of relief whether we dodged the problem altogether or finally got a virus cleaned up.

After that, we move on to other tasks and before we know it (especially if we weren't hit by a particular virus ourselves), we've forgotten how damaging a particular virus or worm was.

As I read through this list, I found myself nodding again and again and remembering some what dread these malware nasties caused for so many businesses and personal computer users.

 The things that stood out for me as I perused the list were:

  1. There are three types of viruses:
    1. Those that cause damage intentionally.
    2. Those that cause damage unintentionally, i.e. mostly collateral damage/clean-up damage for those who have to take care of the mess
    3. Those that don't do much of anything and are really just irritating.
  2. Even years later some viruses/worms/malware are still causing problems.
  3. As viruses have grown in sophistication, an ounce of prevention is still worth a pound of cure.

    Put another way: look at the reviews we've put together at our homepage, www.pcAntivirusReviews.com, choose the software that's right for you, and you're much less likely to have issues.





Virus Payload / Damage

1 MyDoom Automatically used your address book to send itself to... everyone in your address book. Wash, rinse, repeat for everyone in those people's address books and so on.

What was particularly vexing though was that it also used the Kazaa file sharing network, leveraging the peer-to-peer network to spread even further.

From there the entire network then turned itself against SCO networks at www.sco.com, launching a massive distributed-denial-of-service (DDoS) network against the company's website.

Whether you like SCO or not, such DDoS attacks put chills into many a network administrator, who feared their networks could just as easily fall victim to such attacks.
2 Nimda According to pcAuthority, Nimda went "from nowhere to become the most common virus online in 22 minutes...."

Nimda used a variety of methods to target users, including: email, network shares, Microsoft IIS vulnerabilities, and even other web sites to spread from one computer to the next.

Once there, it continued to attack other computers in similar fashion.

The real threat--and damage--from Nimda was the resources it could quickly consume on a particular PC--and a network--as the worm hopped and spread from one machine to the next, overloading network switches and mail servers in the process.
3 Melissa The backstory behind this worm is hard to believe but true: a New Jersey hacker wrote the virus to impress a stripper he met in Florida. No, really.
"The real damage of Melissa was not in the code itself, but in its spamming capabilities.

The software caused massive overload of email systems and generated enough traffic to make it highly visible.

Current computer malware writers have taken note of code like Melissa and now fly much lower under the wire to attract less attention.
4 Storm The goal of Storm was to create a botent. It succeeded. And as the article points out,
"While Storm has since been eclipsed by newer botnets, the name still brings to mind one of the most menacing attacks seen in recent years."
Storm's real threat came in how cleverly it tricked people into clicking on it by making reference to current events and holidays.

Somehow the use of these in the various videos files and greeting cards it disguised itself as, put people at ease and helped the botnet quickly spread and grow.
5 ExplorerZip Like many worms / viruses, ExplorerZip was / is spread via email.

This virus, unlike some of the others which only setup botnets for spamming or only spread for the purposes of spreading, actually did real damage to your files if you got infected, writing nothing but zeros to your Microsoft Word docs and even doing what pcAuthority describes as, "some damage to the operating system itself."

6 Conficker We've covered both the "What is Conficker?" and the "How to Remove Conficker" quite a bit on our blog, and while so far it's, "just another botnet builder just like most other malware," according to pcAuthority's Iain Thomson, one fact remains:

millions of computers were infected, taken over really, and because of that, the botnet can be used for just about anything.
It's not just a simple virus or worm as it relies on very sophisticated components like the new MD6 hashing standard.

I'm sure we haven't heard the last of this bugger.
7 Klez Klez first showed up on the scene some seven years ago caused many a user and network administrator a *lot* of grief. Once again quoting pcAuthority.com.au:
"The most common varient, Klez H, spoofs email addresses by randomly picking one from an infected machine before sending itself on to other users. This makes backtracing the identity of the infected machine particularly difficult, since any email stored for any reason can be used."

All-in-all it really was a nuisance virus rather than something truly destructive, though email systems administrators who had to clean up the mess it left in its wake likely have a different opinion.
8 Elk Cloner
"It had little in the way of a payload. Every fiftieth time a person booted an infected disc the software ran a little program on the computer screen, and that was it. Nevertheless it was a serious annoyance and was a harbinger of things to come."
The thing the article points out that I hadn't really considered was that it spread though "boot sector" infection.

On the surface this might not seem like much, but it really helped make the whole boot sector infection a pretty standard technique in the process of spreading viruses.
9 Brain Known for being the first Microsoft DOS virus, it was originally developed to help two programmer brothers stop piracy of their medical software.

The problem came because the snippet of anti-piracy code was yanked out by other unscrupulous coders who then turned it into its own virus.
10 Creeper Other than being widely known as the first computer virus, there really wasn't much to it.
It displayed a message, "I'm the creeper, catch me if you can!" and even came with its own removal program, "Reaper."
Editor's note: Rankings were re-numbered from the original list to make the concept of a "Top 10" end at "#1" instead of "#3" as the original source had them.