06/30/2011

TDL4 / TDSS an "Indestructible" Botnet?

The malware detected by Kaspersky Anti-Virus as TDSS is the most sophisticated threat today.
That's a quote directly from Kaspersky's analysis of the TDL4 / TDSS bot.

No matter where you look, this botnet is making news. And it's making even the Conficker/Downadup worm that made big news last year look pretty tame by comparison. Why?

TDSS uses a range of methods to evade signature, heuristic, and proactive detection, and uses encryption to facilitate communication between its bots and the botnet command and control center.

TDSS also has a powerful rootkit component, which allows it to conceal the presence of any other types of malware in the system.
Translation: the TDL-4 is great at hiding itself and great at hiding viruses and other threats from antivirus software.

The TDL software itself isn't particularly new, but what's interesting about it is how its creators have evolved it over time, making it harder to detect and stop with each version. This latest version, TDL-4, for instance, is now able to infect 64-bit systems.

So, if you had any sense of additional security from the fact that most viruses still weren't able to attack 64-bit systems, those days are gone.

This botnet is clearly not something garden variety. Kaspersky's researchers go on to say,
The owners of TDL are essentially trying to create an 'indestructible' botnet that is protected against attacks, competitors, and antivirus companies.
What makes it so hard to detect to begin with is that it's a "bootkit": it infects the Windows MBR (Master Boot Record).

And, because the MBR is infected, it runs before the operating system even starts. Huh?

Exactly, and as The Bard says, "there's the rub." Because it's activated before the OS starts, it's also running before your antivirus software, too.

So, how the heck do you detect this thing, much less get rid of it?!

As of the writing of this piece, it's somewhat hit-or-miss as to whether or not a given piece of antivirus software will remove it if you've gotten it. So far, it looks like all the best antivirus software manufacturers have updated their software and/or signatures to detect it.

Even so, some of them, including Norton and Kaspersky, consider this such a big threat that they're making specific Popureb / TDL-4 / TDSS removal tools:

  • Norton Bootable Discovery Tool
  • Kaspersky Anti-rootkit TDSSKiller

Microsoft's initial advice to remove Popureb (as Microsoft is calling it) according to a Computerworld.com piece was,
If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state.
This is in line with what Microsoft was telling customers in early 2010 when the Alureon rootkit was first making the rounds. MSRC (Microsoft Security Response Center) director Mike Reavey said at the time,
If customers cannot confirm removal of the Alureon rootkit using their chosen anti-virus/anti-malware software, the most secure recommendation is for the owner of the system to back up important files and completely restore the system from a cleanly formatted disk.
Ouch.

Depending on who you ask, this is either overkill or, really, the best, most cautious approach.

One researcher for Symantec, Vikram Thakur, says,
When you fix the MBR, you pretty much expose the threat itself to other applications, including antivirus applications. They can then pick up on the threat, and delete it.
If you have any suspicion that you've been infected, a great tool to ferret out a rootkit is GMER (version 1.0.15.15640 as of this writing).

If you get bad news from GMER it'll look like,
As far as an official Microsoft response, the Microsoft Technet blog on Popureb.E says,
If your system is infected with Trojan:Win32/Popureb.E, we advise fixing the MBR using the Windows Recovery Console to return the MBR to a clean state.

Here's how to fix the MBR by hand:
  1. Open a Windows Recovery Console
  2. Use the tool BOOTREC.exe[1] to fix the MBR as in:

    bootrec.exe /fixmbr

  3. Restart the computer and you can then scan the system to remove any remaining malware.
Notably, Microsoft adds a critical part almost as an afterthought: "If you opt to use Windows Restore to remove the malware instead, you must still fix the MBR first, and then restore the system."

The bottom line with this thing is, it's no joke. As the Kaspersky researchers put it, it's "the most sophisticated threat today."

If you've been infected, we'd suggest trying to ferret it out first with your antivirus software. If that doesn't work, look to some of the other methods like GMER and the specific removal tools like those from Symantec and Kaspersky.

[1] More info on BOOTREC.exe.

06/23/2011

Fake Security Software Scammers Nabbed by FBI

By now most of us have seen the scareware, fake antivirus software (like MacDefender), and other scams that play on people's fears.

In nearly all cases, the ads look like legitimate error messages from our computers; in one case it was a fake "hard drive failing" ad that was made to look like a real error message from Windows.

Bleh.

Whatever the case, and whatever they look like, there will be a few fewer of them now: in no less than twelve countries (including the U.S. and the U.K.), the FBI and local law enforcement have raided and shut down one of these malware/scareware gangs.

The BBC has some details of the FBI raid on fake security software gang, but the FBI's own press release has even better info on how they disrupted international cyber crime rings distributing scareware.

Here are some of the best details,
The first of the international criminal groups disrupted by Operation Trident Tribunal infected hundreds of thousands of computers [emphasis mine] with scareware and sold more than $72 million of the fake antivirus product over a period of three years.

"The scareware scheme used a variety of ruses to trick consumers into infecting their computers with the malicious scareware products, including web pages featuring fake computer scans.

"Once the scareware was downloaded, victims were notified that their computers were infected with a range of malicious software, such as viruses and Trojans and badgered into purchasing the fake antivirus software to resolve the non-existent problem at a cost of up to $129.

"An estimated 960,000 users were victimized by this scareware scheme, leading to $72 million in actual losses.

"Latvian authorities also executed seizure warrants for at least five bank accounts that were alleged to have been used to funnel profits to the scam’s leadership.
The most important part of this quote is, "The scareware scheme used a variety of ruses to trick consumers into infecting their computers with the malicious scareware products, including web pages featuring fake computer scans."

Which means the bottom line is that this is not a case where a worm or virus is spreading itself onto people's computers.

Instead this is an old-school con job. Plain and simple.

And, they were good at it, too, given that nearly a million people fell for it.

This type of malware is very, very, very difficult for regular antivirus software to detect, but it is one place where Internet Security Suites and "Premium" versions can offer an advantage.

The ISS/Premium versions typically include malicious website filtering/blocking, so if you try to go to one of the malware sites while running Internet Security Software, the Security Suite can often help protect your PC from infection when someone tries to trick you into installing scamware.

No, website filters aren't perfect, but between the website filtering in an ISS and your web browser--assuming you're using a good, modern browser and its malicious site filters are turned on--you do at least stand a fighting chance.

06/22/2011

Firefox 5 Released by Mozilla Foundation

Despite Firefox 4 having been released just three months ago, the Mozilla Foundation, the organization behind the Firefox web browser, has already rolled out Firefox 5, and here's the kicker: Firefox 4 is no longer being supported.

What does this mean?

It means if you're running Firefox, you must upgrade to keep your PC secure.

No ifs, ands, or buts.

What's different?

As far as looks go, it's pretty much identical to Firefox 4, so there won't be any surprises there.

Computerworld has a brief write-up of the changes, although this bit summarizes everything handily,
Although the company said it added more than 1,000 improvements to the browser, most were minor bug fixes or tweaks.

"Among the most significant changes were enhanced support for HTML5 and new support for CSS (cascading style sheet) animations.
"So now what?" you ask?

If you're running Firefox, upgrade now. Don't wait. Don't put it off. Do it now. Older versions are--as of June 21, 2011--officially unsupported.

Translation: no security updates.

So, if the bad guys start targeting the old version of Firefox, which they will, you're putting yourself at risk. It's not worth it.

Just take care of it. It's free. It's fast. It's easy.

Where do you get it?

Download Firefox here.

06/15/2011

More Android Smartphone Malware Found, Removed from Marketplace

Kaspersky, makers of Kaspersky Antivirus, just posted a lengthy piece on new Android malware called the "Plankton Trojan".

Originally discovered by Xuxian Jiang (Assistant Professor at the Department of Computer Science, NC State University) and his research team, the Android malware is described in his report, which disconcertingly begins,
This spyware does not attempt to root Android phones but instead is designed to be stealthy by running the payload under the radar.

"In fact, Plankton is the first one that we are aware of that exploits Dalvik class loading capability to stay stealthy and dynamically extend its own functionality.

"Our investigation indicates that there are at least 10 infected Android apps in the Official Android Market from three different developers.

"Its stealthy design also explains why some earlier variants have been there for more than 2 months....

What does this mean?

For starters, it means that the bad guys have found a way to get onto your Android without requiring "root" access, which means that it's able to evade detection and avoid tripping the warning screens and whatnot that you'd expect to see.

The report details how this application silently hooks into the phone, downloads in the background more things it needs to run, and uploads information about your account to computers the bad guys control.

Kaspersky's analysis revealed,
...the virus does not provide root exploits, but supports a number of bot-related commands.

"One interesting function is that the virus can be used to collect information on users' accounts.
What exactly the bad guys are doing with the botnet either isn't yet clear or isn't yet being revealed by Professor Jiang or Kaspersky. And for that matter what they're doing with the users' data isn't clear/revealed either.

This may be a case where they're just trying to test the waters and see what kind of flags they raise and what kind of information they can glean from users.

Regardless, it's definitely cause for some concern amongst users and antivirus researchers alike, as it will require the AV companies to rethink some of their strategies in protecting phones.

What's Google Doing about it?

According to the piece by Kaspersky,
Google has historically taken a hands-off approach to policing the Android Marketplace.

"It will suspend and remove suspicious or malicious applications when they're reported, but does not vet applications prior to posting them, as Apple does with its AppStore.

"A growing population of Android users and burgeoning Android Marketplace, however, may challenge that approach.

06/13/2011

Firefox Users Not Safe from Scareware

Just when you thought it was safe to surf the web with Firefox, the bad guys are at it again with a new "scareware" virus.

The news is out about a brand-new piece of malware that mimics a virus attack (sometimes called "rogue antivirus"), which then prompts you to hurry up and get the latest Windows update. But the catch is, you have to pay for it or else your PC is doomed to be destroyed (hence the "scare" tactic).

But of course, you shouldn't pay anybody anything for these scareware viruses. It's all just a scam to take your money.

We've seen plenty of scareware and rogue antivirus before, so what's different about this one? This one targets Firefox users specifically.

This is the first major red-flag. Any legitimate Windows update can only be accessed through Microsoft Internet Explorer, or run in the background of Windows: a Windows prompt will never originate from Firefox like this scareware has.

The other tricky factor is that the scareware takes you to a Windows update page that looks amazingly like a real Windows update website.



It's easy for anyone to get scared into thinking their PC is about to crash and/or become highly infected, then start clicking buttons and paying someone (whom you think is legitimately Microsoft in this case) in a hurry to save your computer.

How to protect yourself?

  1. First, don't panic when you see these doomsday warnings. Take a deep breath and look at the warning carefully. If the warning is completely blocking your ability to access any part of your PC, or completely interrupting all actions on your PC, it's probably scareware.

  2. If you click the warning button, and are taken to a new site to pay for the scareware "removal" or "update," examine the website URL carefully. The site may look very real and very legitimate (it's actually very easy to design a fake webpage of any kind). But look at the URL. Does it have "update.microsoft.com/" in there somewhere?

    Be careful though, some bad guys are very tricky and will put the word "microsoft" (or some other legitimate URL) somewhere in the URL string just to make it look real. Make sure the URL says "update.microsoft.com/".

    The important part is that the real address sits immediately before the first slash that follows the domain (a real site may have other labels in front of the final ___.com/ part, but the real address always comes right before that first slash).

  3. Finally, don't give anyone your money for these scare tactics. Microsoft won't ask you for any money for a simple update if you're already using Windows OS. And if you already own antivirus software, they won't demand any money to fix your problems.
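To make the URL check in step 2 mechanical, here is an added Python example (not code from the original post): it extracts the host a browser would actually connect to and accepts it only if that host is microsoft.com or a subdomain of it, so the lookalike tricks described above fail. The sample URLs are constructed and use reserved example domains; it goes slightly beyond the post by accepting any microsoft.com subdomain rather than only update.microsoft.com.

```python
from urllib.parse import urlsplit

# The real domain the post says a genuine Windows Update page must live under.
LEGITIMATE_UPDATE_DOMAIN = "microsoft.com"


def real_host(url: str) -> str:
    """Return the host a browser would connect to for this URL, or "" if it is not a web URL.

    urlsplit() ends the host at the first slash after the scheme, so nothing in the path
    or query can impersonate a domain, and it drops any "user@" prefix, so
    "update.microsoft.com@example.net" resolves to example.net, not Microsoft.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return ""
    return (parts.hostname or "").lower().rstrip(".")


def is_legitimate_update_host(url: str) -> bool:
    """True only when the connecting host is microsoft.com itself or a subdomain of it."""
    host = real_host(url)
    return host == LEGITIMATE_UPDATE_DOMAIN or host.endswith("." + LEGITIMATE_UPDATE_DOMAIN)


# Constructed examples of the tricks the post warns about (reserved example domains, not live sites).
SAMPLES = {
    "https://update.microsoft.com/windowsupdate/": True,        # genuine layout
    "http://update.microsoft.com.example.net/update/": False,    # real name as a subdomain of another site
    "http://example.net/update.microsoft.com/": False,           # real name hidden in the path
    "http://update.microsoft.com@example.net/": False,           # real name as a fake username before "@"
    "http://example.net/?go=update.microsoft.com": False,        # real name in the query string
    "http://microsoft.com.example.net/": False,                  # substring match would wrongly pass this
}

if __name__ == "__main__":
    for url, expected in SAMPLES.items():
        verdict = is_legitimate_update_host(url)
        print(f"{'OK ' if verdict == expected else 'BAD'} {verdict!s:5} host={real_host(url)!r:32} {url}")
```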

The bottom line is, Firefox users need to be just as careful as Internet Explorer users. The bad guys may not target you as often, but you're still at risk.

Be careful what you click, and make sure your antivirus software is up to date.

06/10/2011

Android Smartphone Malware Detected by F-Secure

Let me start by saying, "You heard it here first. The bad guys are going to start targeting Smartphones/cell phones in a big way soon--probably within the next 6-12 months."

That said, this one doesn't fall into that category because you do get a warning from the Droid phone telling you what it's going to do.

Thanks to F-Secure for posting the original pic of this malware in action.

So, if you see a warning message like this, and you still click "Install," you can't really fault your phone. It's just doing what you told it to do.

And would smartphone antivirus software have stopped it?

(In the case of F-Secure's "Mobile Security," they claim it does in their piece on the Droid Malware.)

Now let's ask the real question here: if you get this malware on your phone, who's to blame here?

A) The user for installing it or
B) The cell phone manufacturer for allowing any program to do these types of actions.

MacShield the Same (Trojan) Horse by a Different Name

MacDefender now showing up with yet another name, "MacShield."

Not much else to say. It's as bogus as ever and brings the total number of aliases it shows up as to five, including:

  • MacDefender
  • MacProtector
  • MacSecurity
  • MacGuard
  • MacShield

Just more crapware to keep an eye out for. We'd love to hear from anyone who has spotted these things in the wild so we can do proper investigation on them.

We're specifically looking for more screenshots of the ads of these things and also of what websites we can download them from.

So far it looks like the same-old-same-old:

06/09/2011

MacDefender Screenshots... So Here's What it Looks Like

Joel Esler, one of the members of the Snort.org project has excellent coverage of MacDefender and its variants. It's from May, but I just came across it today, and it's so good it's worth sharing.

There have been a couple of different variations on the infection method that MacDefender uses, which I've shown in previous blog posts on MacDefender removal and on MacDefender spreading on Facebook.

Joel's wrap-up to the piece is great and worth reading. To paraphrase:
  1. Buy software from reputable places you go to
  2. Buying software from a popup window just isn't smart
  3. Educate yourself on what's out there and how to tell
Think the last one is hard? Consider this:

If you were walking down the Las Vegas strip, you'd know a conman from a mile away! When some huckster approaches you with his wares, you get leery--you know better than to deal with them.

Why?

You've educated yourself.

06/07/2011

MacDefender Now Spreading Via Facebook--Windows Users at Risk, Too

MacDefender, the (in)famous fake antivirus software that prompted Apple to release updates to OSX specifically to help protect its users, is now on the loose on Facebook, too. According to Sophos antivirus staffer Graham Cluley,

Mac OS X malware is being spread by sick messages spreading virally across Facebook, claiming to be a video of controversial IMF boss Dominique Strauss-Kahn.

"The fake anti-virus attack first appears in your timeline as a message apparently posted by one of your friends.
This screenshot from his post to the Sophos blog on MacDefender spreading on Facebook shows what the fake post looks like:


The contents of the fake post are awful; what's next is also awful. Here's what Cluley describes happening to him:

Clicking on the link takes you to a webpage, which appears to consist of a still from a sex movie.

"However, when I visited the page on my Apple Mac I was rapidly redirected to a 'Mac Defender'-style fake anti-virus attack, written specifically with the intention of infecting my computer.
This time, we see a slightly different warning screen than prior ones that have surfaced.

Here's the first screenshot of MacDefender's bogus warnings:


...and now here's the most recent one Cluley saw:



It's a little different, but the bogus message is the same: your computer is infected!

Whatever the case, it's 100% bogus and relies on users to install the malware, which is a trojan, by the way--definitely no good.

One last thing that's important to know about this MacDefender on Facebook problem: It's not just limited to Mac users: Windows users are now vulnerable, too, as,
If you click on the link from a Windows computer it's possible you could be taken to a webpage that attempts to infect you with the Troj/Mdrop-DMN Trojan horse.
So now what?

The bottom line is regardless of if you're running Mac or Windows, MacDefender is trying to get you in its crosshairs.

No matter what it's called or how it works, it's bogus.

Don't install it. If you do try to, and you're a Mac user, chances are the latest Mac update should help prevent installation or remove it if you've already got it. (If you need it, here are complete MacDefender removal instructions.)

If you're a Windows user, removing it on your own is going to be more of a task, and short of reinstalling Windows from scratch, it may require antivirus software to get rid of it.

06/03/2011

SonyPictures.com Breached... How Does That Affect You?

Sony has had a couple of rough days... make that months.

First the Sony Playstation Network (PSN) was hacked. Then there was disclosure that they were notified weeks in advance that their servers were running outdated software and that they weren't firewalled.

Sometime along the way came disclosures of how many accounts were affected. First it was 80 million, then it was 100 million users.

Then came the news that those stolen accounts included personal information and credit card numbers.

Not too long after that there were U.S. Congressional hearings and a refusal by Japanese officials to allow Sony to relaunch the network in Japan.

Wow. A tough few days indeed.

Finally, the network relaunched. Then it was taken down for a while and relaunched again.

Unfortunately, the story doesn't end there. Sony's SonyPictures.com site has been hacked by a group called "LulzSec," and over 1,000,000 user accounts were compromised.

pcmag.com has excellent coverage of the LulzSec SonyPictures.com hack.

The most important part of the pcmag.com coverage is this (fairly long quote), which should hopefully reduce the amount of FUD being spewed,

What do I do?

Fortunately, the hack does not appear to involve any direct credit card or financial data.

But if you use the same password all over the Web—like for online banking or credit card payments—other accounts could be compromised.

As a result, you might want to change your password asap and enable things like two-factor authentication on services that offer it.

LulzSec isn't exactly keeping your data under lock and key.
'I hear there's been some funny scamming with jacked Sony accounts. That's what you get for using the same password everywhere,'
the group tweeted earlier.

It also urged 'innocent people whose data we leaked' to blame Sony.

So, the bottom line,

  1. Use different passwords in different places. Always.
  2. If you have an account at SonyPictures.com, make sure the password you used there isn't being used anywhere else--especially at a banking or credit card site.