05/28/2010

Scareware Sellers Facing Hefty Charges

We have good news to share today in the fight against scareware, scumware, and malware purveyors.

Robert McMillan of the IDG News Service writes in an article appearing at NetworkWorld about scareware sellers facing charges.

Three men are facing federal fraud charges for allegedly raking in more than US$100 million while running an illegal "scareware" business that tricked victims into installing bogus software.

The backstory on this is that the products offered by Innovative Marketing, a so-called antivirus company sold products including:

  • WinFixer
  • Antivirus 2008
  • Malware Alarm
  • VirusRemover 2008

were nothing but scams.

Here's how the scam worked:

Innovative Marketing is alleged to've setup phony ad agencies which purchased online ad space from legit companies. They'd then have these legit companies display ads and pop-ups, which to most folks, looked like genuine error error messages and antivirus scans.

We've all seen these ads; unfortunately, a lot of folks took the bait, becoming victims of the scams, and plonking down their hard earned cash to rid themselves of what they believed were genuine threats on their PCs.

The thing is, a lot of people didn't take the bait though, and in fact, the article says, The company's products generated so many consumer complaints that the FTC brought a civil action against Innovative Marketing and Byte Hosting in 2008, effectively putting them out of business.

On Wednesday, May 26th, a Chicago grand jury handed down criminal charges to the company for their actions. Because of that and if they're convicted, the three could face time in prison.

Worth mentioning though is that two of the three involved, the ones that operated Innovated Marketing, both live overseas. (Bjorn Sundin is believed to live in Sweden; Shaileshkumar Jain is believed to live in Ukraine.)

The one U.S. resident, James Reno, the man behind the company operating the call centers that handled customer calls with a company called, "Byte Hosting Internet Services," was expected to turn himself in for arraignment.

Where does that leave consumers who purchased their products?

As for getting money back, sadly, that seems to be a very slim possibility at this point--even if the Justice Department successfully seizes funds as part of the conviction; as for getting consumers' PCs cleaned-up and the process to remove malware these guys installed, to our knowledge all real antivirus software can quickly, safely rid PCs of it.

05/20/2010

What's with the "Earthquake" Exploit, KHOBE?

Earlier this month, security researchers at Matousec released details of research they've done that, they claim, bypasses 100% of antivirus software.

As you might imagine, there's quite a bit of concern about this, particularly among business users, particularly because mainstream media has started discussing the so-called, KHOBE attack.

Let's dig into this a bit and see what's behind the hype.

What is KHOBE

It's an acronym for:

Kernel
HOOK
Bypassing
Engine

Put another way, it's a way for attackers to trick antivirus software. ZDNet's writer, Adrian Kingsley-Hughes, does a great job describing how this works here,

The attack is a clever 'bait-and-switch' style move.

"Harmless code is passed to the security software for scanning, but as soon as it's given the green light, it's swapped for the malicious code.

"The attack works even more reliably on multi-core systems because one thread doesn't keep an eye on other threads that are running simultaneously, making the switch easier.

Kingsley-Hughes goes on to say, Oh, and don't think that just because you are running as a standard user that you're safe, you're not. This attack doesn't need admin rights.

OK, now this is starting to sound like a pretty big deal.

Mitigating Factors with KHOBE

Here's where things *do* start to become more positive though:

  Mitigating Factor What It Means
1. Requires a lot of code. Makes it less-than-ideal for most attacks to work.

Since this code has to somehow be transferred to your machine, its current size makes it more difficult to use as a mechanism to bypass security software.
2. The software has to already be on your computer.

Wha? Yes, that's right. From what the antivirus software vendors can tell thus far, the software doesn't actually bypass their software (at least the ones we've heard from) unless it's already there to begin with.

This could be because you're installing their software after you've been infected with this code or because you disabled your antivirus program.
3. There aren't any known exploits--or exploit kits--that rely on this technique.

(At least not yet.)
The chances of encountering this in the real world are still very, very minimal.
4. It only affects antivirus software that uses the System Service Descriptor Table (SSDT), which is being used less-and-less frequently than it once was. Antivirus companies are moving (or have already moved) away from the use of the SSDT since Windows Vista. Windows XP seems to be the last Microsoft Windows OS where the security vendors commonly relied on the SSDT for their antivirus software.

This means if you're running Windows Vista or 7, chances are your antivirus or Internet security software is already immune to this exploit.

Antivirus maker Sophos says, Sophos's on-access anti-virus scanner doesn't uses SSDT hooks, so it's fair for us to say that this isn't a vulnerabilty for us at all.

VIPRE Antivirus' maker, Sunbelt Software, says, ...it would affect antivirus programs that use SSDT. We don't use SSDT in VIPRE for Windows Server 2008, Vista and Windows 7. We do use it for older operating systems, like Windows XP.
5. It's difficult to make work. The code works, yes, but given the many things that are required for it to work, even if you were to encounter it "in the wild," there's still no guarantee your computer will be infected.

Antivirus Vendor Responses

Sophos and Sunbelt aren't the only antivirus companies refuting the claims, security company F-Secure says,

We believe our multi-layer approach will provide sufficient protection level even if malicious code were to attempt use of Matousec's technique.

"And if we would see such an attack, we would simply add signature detection for it, stopping it in its tracks. We haven't seen any attacks using this technique in the wild.

Our Take on KHOBE

This is true not just for F-Secure, but for all Internet security software vendors.

If there were real-world exploits using this attack that they'd encountered, adding signatures for those attacks should be able to defeat the attack pretty easily.

Regardless of the outcome of the debate about this particular exploit, there are still a couple of take-away points as far as we're concerned,

  1. Run the best antivirus software you can afford.
  2. Keep it updated--frequently.
  3. Even if you're updated and protected against known threats, it's critical to regularly backup your system so that if something does get by your defenses, at least you can restore your system to a point before the infection.

05/12/2010

Trojan in So-Called Windows 7 Compatibility Checker

Antivirus firms BitDefender and Sunbelt Software, among others, have identified new malware they're calling, "Trojan.Generic.3783603"

According to Sunbelt, The malware immediately creates a backdoor to the user's system, which then allows remote access for cyber-criminals to obtain confidential information or install more malicious software.

While the delivery vehicle isn't unique, it targets its victims randomly through spam emails, this appears to be the first one disguised as a so-called, "Windows 7 Compatibility Checker." Even though Windows 7 has been widely available since October 2009, here we are over six months later with unsuspecting users now being duped into installing this scumware.

BitDefender says in their notice,

The infection rates reflected by the BitDefender Real-Time Virus Reporting System indicate the beginning of a massive spreading of Tojan.Generic.3783603.

"Although this phenomenon has just started, it seems that it’s just a matter of time before the cybercriminals control a huge number of systems.

"Infection rates are also expected to boom because of the effective social engineering ingredient of this mechanism, namely the reference to the highly popular Microsoft® Windows® OS.

While security professionals shouldn't have to keep saying it, evidently it needs to be said:

  1. Never, ever open an attachment from unknown contacts
  2. Be wary of opening an attachment sent from someone you know when you're not expecting it first. (Many computers have been infected when one person's computer gets infected then the virus emails itself to everyone in the infected person's address book.)
  3. Install, run, and keep updated the best antivirus firewall software or Internet security suite you can afford.