04/13/2017

Mac OSX Fake Installer / Malware Spotted in the Wild

 

OSX-Malware-Social-Engineering-Installer

 

Whilst traversing The Tubes yesterday doing some research on credit card processing across a host of different sites, I was hit with an old school malware installer technique with a couple of new twists at one of them. (That's what it looks like above.)

What's old school about it, is it's using an old social engineering ruse to trick people into installing it. Make no mistake: it's fake software. Well, it might play media files, but I guarantee there's some sort of unwanted malware / adware payload along with it.

As you can tell from the Finder icon in the top left, and the "Accept and Install" button in the lower right, it's obviously geared for people on a Mac, and here are some telltale signs it's fake.

  1. Every media type that matters is playable out of the box on a Mac.
  2. "Media Player" is Windows-only software, and it's built into Windows, i.e. no need to install it like this.
  3. The Accept and Install button and the Finder icon are the (now very) old Mac interface style.
  4. Powered by "MediaDownloader," yet the software is called, "Media Player"? 
  5. What the heck is the Finder icon even doing on a an installer for a third-party product?

 

Curiously, both Bitdefender and Webroot for Mac missed identifying the serving URL as malicious:

cdn.brigeo.info

(Whether it has a trojan or some other malicious payload or if it's "just" adware, I don't know, and honestly, does it really matter? Its goal is to trick people into installing it.)

So, if you come across this bugger (or something similar in the wild), get the heck out of Dodge and for cryin' out loud, keep your mouse away from the  "Accept and Install" button, will ya?

 

 

04/04/2016

"400% Surge In Phishing Attacks This Tax Season" Says The IRS*

Tax-online

The bad guys are in full force this tax season. With so many people doing their taxes online this year, the phishing community is out to snag as many victims as possible.

Even if you don't do your taxes online, the phishers still trick lots of people into entering sensitive tax information that can lead to theft, ransomeware hijacks, identity theft, or worse.

What Is Phishing?

"Phishing" is when you get an email that looks legitimate, but asks you to click a link and enter sensitive information that the bad guys can use to steal information from you.

Typical phishing scams say something like, "Your bank account may have been compromised. Click here to verify your account, etc." The link will then take you to a page that looks exactly like your bank's website, but isn't. Many people are lured into entering their bank login information, and that's when the bad guys have you.

Have a look at this email:

BofA-phishing

Looks official, right? It's not.

Clicking that link would take you to a site that looks just like the real Bank of America site and ask you for your login. Now the bad guys have full access to your bank account.

During tax season, the range of phishing possibilities are even more vast than this, making it even harder for the average person to detect what's real and what isn't.

Here's a tricky one the folks at TurboTax are warning their customers about:

TT-phish

TurboTaxLegit1232015

Can you spot the fake one?

It's the first one. Don't worry, I couldn't either. And that's the point. Despite your best efforts, you still might be a target of phishing attacks this tax season.

How To Protect Yourself


Here are some good tips to avoid phishing scams:

  • Don't open any emails, or click on any links, from an email address you don't know.

  • If you get a message that looks official from your bank, don't click on the links within the email. Instead, go to your browser and login to your bank account the way you normally would. If your bank actually has something urgent for you to attend to, then there will be a notification waiting for you in your real bank account.
    • Still not sure? You can always call up your bank and ask them if they sent you an email.

  • If you've filed your taxes online, or used any kind of tax preparation software, and you get asked for any kind of "password recovery" or something along those lines, go and login to your tax account the way you normally would and check if things are OK. 
    • The most obvious thing to ask yourself is, "Did I request this information?" You probably didn't, so don't risk clicking it.

  • Same goes for anything "official" from he IRS. If the IRS really needs to contact you, they generally do it the old-fashioned way: with paper mail. So, if you get an email from the IRS, make sure it has some kind of information identifying you first. Plus, you can always call them to make sure they really need something from you. Chances are, if they do, they've already sent you something in the mail.

  • If you do accidentally click, all is not lost. At this point, you need to stop and pay close attention to the URL in your browser. The URL should be from whichever company/agency is trying to contact you.

    • Let's examine a few examples: www.password-reset.irs.gov.rq345.com/IRS-Tax. It almost looks legitimate, doesn't it? How do we know it's not really from the the IRS? An IRS URL looks like this: https://www.irs.gov/uac/IRS-Tax-Tips. "irs.gov" is the last part of the URL before a "/". In the fake example above, the URL ends in "irs.gov.rq345.com" before the "/". "rq345.com" is not the IRS website.

    • How about this one: https://myturbotax.axklomix.com/. I've never heard of "axklomix.com" have you? Here's what a real TurboTax URL looks like: https://myturbotax.intuit.com/. "intuit.com" are the people that make TurboTax, so that's where you would access TurboTax if that's how you're filing your taxes.

  • Your final line of defense comes in only one form: antiphishing protection. Antiphishing protection is built-in to some antivirus programs and most Internet Security suites. It works like this: if you do accidentally click a phishing link from your email, your antivirus software should kick in, identify the phishing link, then block you from viewing the site (to prevent you from accidentally giving them any sensitive information).


During our rounds of testing, the top three Internet Security suites that scored a perfect 100% in blocking every phishing site we threw at them where:

VIPRE Internet Security 2016

VIPRE

We particularly like that VIPRE completely blocks the site keeping you away from danger.

ESET Smart Security 9

ESET

While ESET scored a perfect 100% in our tests as well, we'd like to see them remove the "Ignore Threat" option to prevent accidental damage.

BitDefender Internet Security 2016

BitDefender

BitDefender scored a perfect 100% as well, but again, we'd like to see them completely block the page with no option to continue.

All other brands we tested scored 90% or below.

In the end, being diligent and alert when it comes to phishing attempts is your best line of defense. But despite your best diligence, there's always going to be that one that slips past you. That's when you need to make sure you've got the best Internet Security protection available with the best anti-phishing protection built-in.

Here are our top three recommendations for excellent protection against tax-season phishing this year:

VIPRE Internet Security 2016

ESET Smart Security 9

BitDefender Internet Security 2016

Even if you already have antivirus or Internet Security software installed, it might be time to make a change now. A few dollars spent could save you hundreds or even thousands from an accidental phishing click later on.

 *https://www.irs.gov/uac/Tax-Scams-Consumer-Alerts

06/05/2012

Should I Be Concerned about the Flame Worm?

Since it was uncovered, there's been a lot of (mis)information on what Flame is, how it works, and what's at risk.

Let's take a look.

First, Lee Ferran and Rhonda Schwartz of ABC News should get an award. In this piece on Flame, they claim,
"The cyber espionage super bug Flame compromised a key Microsoft security system, the company has now revealed, prompting Microsoft to issue an emergency patch to its millions of customers because of fears of what one expert called potential "collateral damage" from the U.S. and Israel's cyber war against Iran."
I left in the entire paragraph from their article so that it could be seen in all its glory.

At best, the quote above is misleading. At worst, it's alarmist.

Now, let's set the record straight. For starters, no one compromised a "key Microsoft security system." "Compromised" by most any measure--but particularly in cybersecurity parlance--implies there was an intrusion into Microsoft.

There was no such intrusion.

What really happened? A garden variety compromise of Windows lead to a privilege escalation that allowed the creators of the Flame virus to sign their software as if it had been written by Microsoft. (Garden variety may be a little off the mark, but hopefully, you get the idea. It was Windows itself that was compromised.)

Was it serious pie/mud in Microsoft's face? Sure. Was it [compromise] of "a key Microsoft security system"? Hardly.

What's worse is the article goes on to say, "The same day Microsoft revealed their security breach...." This bears repeating with emphasis.

There was... no... security... breach... at Microsoft.

Virus writers used existing software on the victims computers to trick the user into installing their software. That's it.

Now that that's clear, just what is this thing?

It's a virus, well, technically, it's a worm, and it appears to be of the same vein as Stuxnet in that it appears that it may've been written by a nation-state. And it's been there for a long time--at least five years say Kaspersky's researchers working on its analysis.

OK, so what's it do?

A better question: is there anything it doesn't do?

So far, according to Kasperksy's analysis of Flame it can:
  1. Ennumerate nearbly bluetooth devices
  2. Record audio (if there's a microphone)
  3. Create backdoor accounts on infected machines (HelpAssistant)
  4. Listen for incoming network requests
  5. List the PCs directory contents
  6. Lists "interesting" files
  7. Logs keystrokes
  8. Upload collected data to remote servers
  9. Identifies antivirus software and firewalls
This is a pretty nasty/impressive list of feats.

Now the real question. Are you at risk.

As with any virus, the answer is maybe. In this particular case, it's a worm, which makes matters worse since worms, by their very nature, seek out new targets to infect on their own.

Making matters worse is that it appears this bugger has been out there for at least five years, meaning it's had plenty of time to fly under the radar, infect PCs, and do its business.

The (slight) upside of things--at least if you're a home consumer not living in the Middle East--is that it appears it only targets PCs of "value" in the Middle East and according to Kaspersky, it appears to've infected about 1,000 PCs. (In this case "value" means those in some way related to government, military, or defense related organizations, from which it can glean intelligence data.)

Getting Rid of Flame

As complex as this worm is, at least one major antivirus company (in this case BitDefender) has already created a detection and removal tool. If you think your regular antivirus software may've missed it (or you're not running any), here's where you can find out: http://labs.bitdefender.com/2012/05/cyber-espionage-reaches-new-levels-with-flamer/.

One last thing, if you're looking for more information on the Flame, keep in mind that it goes by other names: Flamer, sKyWIper, and Skywiper, as most virues do.

12/13/2011

Ask the Experts: What's the best antivirus software for our small office?



This weekend we heard from Judy, office manager for a small doctor's office, who wrote in asking,
Hey guys,

"I'm on your mailing list, so I get your coupon deals when they come out. I saw one recently where almost everything was on sale. I didn't need a deal then, but I need one now (haha) and I don't know what to get. I'm office manager for a doctor's office.

"There are three physicians in the practice and a couple of nurses and lab techs, a billing person, plus me. About 9 people full-time.

"As if I don't have enough to do already (hahah), they asked me to research and upgrade the antivirus software we have now since ours that came on the computers when I bought them is about to expire.

"It was probably pretty dumb, but I didn't know any better and got all the computers at Best Buy since there's one really close to our office. At least it was easy.

"Wow. Sorry for so much detail. I'm totally dreading doing all this research. I'm so not a 'tech person.'

"Thanks for the help!!!

Merry Christmas,
Judy
"P.S. I've got a small budget. Anything I don't spend on antivirus software I get to use to upgrade my tired printer, so I need cheap and good.


Here's my reply:

Hi Judy,

We've gotten a lot of good questions the past few days; this is a great one. Thanks.

For starters, forget about going to a store like Best Buy--or even Office Max--to renew your antivirus software. The retail stores sell home versions of the antivirus software. What you need is business or enterprise antivirus software.

(I can already hear some readers grumbling about my answer, but just keep reading, everything will be clear in a second.)

Fundamentally, home and enterprise antivirus software are exactly the same. They prevent, detect, and removes viruses (and other malware.) Fine.

The big difference is with business antivirus software you get centralized management, which you don't with home antivirus software1.

Here's the deal: when you're managing the antivirus software now, you have to walk from one computer to the next, asking the users if you can interrupt them and use their PC for a few minutes. Bleh. It's a pain in the neck.

With business antivirus software, you do everything from one place: your PC.

From your own desktop you can remotely manage the antivirus software on every PC on your network.

Got a malware issue popping up on one of the lab techs PCs? You won't have to wait for them to tell you about it--you'll see it in the central management console on your computer.

The next biggest thing about business antivirus software is some manufacturers offer different support options for businesses than they do the average home user.

You may be able to get things like 24x7x365 support, priority phone queuing, and so on.

"Sounds great," you're saying, "Now how much does all this cost?! Think of my poor printer!"

No sweat... most antivirus software for businesses is comparable in price to their home/consumer versions. What's the catch? All the A/V companies require a minimum of five users for you to qualify for their business version.

With nine users in your office, you easily qualify for business antivirus software.

So, how do you get it?

Easy. Contact us. We're available by phone, too, (1-800-297-5134) which is usually faster and easier for something like this.

In a couple of minutes we'll figure out your needs and what's the best enterprise antivirus software for your office--and get you prices.

Oh, and in case you the thought crossed your mind, most antivirus software for business is almost as easy to setup as home software. There's usually a step or two more, but that's it.

And if you do get stuck, because it's enterprise-class software, you'll most likely be getting a different level of support than you're used to, so someone will help you with any snags you hit.

Chances are it'll go just fine though. You'll probably have more issues un-boxing and setting up that new printer you've been oogling. ;-)


1 BitDefender Antivirus and BitDefender Internet Security home versions also include central management for up to five PCs. It really makes things easier for a multi-PC home, but it's not intended for use in a business.

05/12/2010

Trojan in So-Called Windows 7 Compatibility Checker

Antivirus firms BitDefender and Sunbelt Software, among others, have identified new malware they're calling, "Trojan.Generic.3783603"

According to Sunbelt, The malware immediately creates a backdoor to the user's system, which then allows remote access for cyber-criminals to obtain confidential information or install more malicious software.

While the delivery vehicle isn't unique, it targets its victims randomly through spam emails, this appears to be the first one disguised as a so-called, "Windows 7 Compatibility Checker." Even though Windows 7 has been widely available since October 2009, here we are over six months later with unsuspecting users now being duped into installing this scumware.

BitDefender says in their notice,

The infection rates reflected by the BitDefender Real-Time Virus Reporting System indicate the beginning of a massive spreading of Tojan.Generic.3783603.

"Although this phenomenon has just started, it seems that it’s just a matter of time before the cybercriminals control a huge number of systems.

"Infection rates are also expected to boom because of the effective social engineering ingredient of this mechanism, namely the reference to the highly popular Microsoft® Windows® OS.

While security professionals shouldn't have to keep saying it, evidently it needs to be said:

  1. Never, ever open an attachment from unknown contacts
  2. Be wary of opening an attachment sent from someone you know when you're not expecting it first. (Many computers have been infected when one person's computer gets infected then the virus emails itself to everyone in the infected person's address book.)
  3. Install, run, and keep updated the best antivirus firewall software or Internet security suite you can afford.

06/04/2009

Sluggish System? Your Antivirus Software is Probably to Blame

While many consumers are starting to realize the importance of antivirus software, many are unaware of the significant differences in performance from one antivirus program to another.

Why is this so important?

Realizing that many consumers just go with whatever is pre-installed on their system when they get it or with whatever their ISP installs/recommends, it seemed important to question the rationale behind that.

Often, the security application that has been installed is chosen for one reason: money.

Understanding the relationship between the PC manufacturers and ISPs and the antivirus vendors is an easy one: the AV makers often pay to have their software installed (if not, they often let the manufacturers install it for free.) Huh?

The reason is, the A/V makers realize that many, if not most, consumers will renew their antivirus subscription when it expires, thus while they may have to "pay" for their antivirus software when they get their computer, they do buy the renewal subscription.

And, once they're in there, they have a revenue stream from you.

Sluggish System?

So, you're cruising around with your PC for a while--maybe even a year or more, when it just doesn't feel as fast as it once did.

All those files and pictures and videos you've created and viewed over the many moons you've had your computer are stored somewhere, often they live in your Temporary Internet Files directory.

Over time, as these files accumulate in the various places of your hard drive, your antivirus software has to work harder and harder to keep up.

What happens next is where it gets ugly.

You get fed up with it slowing things down and disable it, "just to get some stuff done."

The problem is the software stays off for a while--sometimes for a long while, maybe even forever.

Now that antivirus subscription you just renewed is totally, completely, utterly useless.

Real Antivirus Solutions

What this boils down to is that choosing your antivirus software, and not just taking the easy route, is critical.

This is part of the reason we rate VIPRE antivirus so highly: it's highly efficient and uses very few CPU, RAM, and system resources to keep your computer safe and virus-free.

We're not the only ones saying this, either. I just came across a VIPRE review from August 2008 on ZDNet's Hardware 2.0 blog by the much-respected Adrian Kingsley-Hughes.

The lowdown:
"Security software can have a shocking effect on performance, and can take a new system and make it feel like one that’s a few years old.

I’m pleased to see that Sunbelt Software’s claim that VIPRE doesn’t hog system resources and doesn’t slow down a PC isn’t just marketing hyperbole but is actually true."

(N.B. emphasis mine)

Adrian's images, originally located here ZDNet (archived now at our site), really tell the story about VIPRE well. (Visit ZDNet for complete details.)

In his review, he compares system performance with:
Take a look at the below images and judge for yourself...

Original source: http://i.zdnet.com/blogs/av_shootout_system01.png



Original source: http://i.zdnet.com/blogs/av_shootout_system02.png



Original source: http://i.zdnet.com/blogs/av_shootout_system03.png


It's good to see we're not alone in leading antivirus review sites singing VIPRE's praises, they're well-deserved.

05/25/2009

Nearly Two Months In: What's the Latest with Conficker?

In case you thought things had settled down with Conficker, you're wrong.

Just because it's nearly two months after the official Conficker activiation date, and just because the main stream media isn't talking about it anymore, doesn't mean it's not a real threat.

In fact, Computerworld, one of our favorite resources for computer security news, brings word of it in this statistic: 50,000 computers/day are still being infected with Conficker. [Full details on it from them: here.]

We learned via Computerworld that Symantec, like us, made mention of the media hype dying down but Conficker still being alive and well, saying in a recent Conficker blog:

"Much of the media hype seems to have died down around Conficker/Downadup, but it is still out there spreading far and wide."

The folks at Symantec even include a world map of Conficker infections.

What this means is that the chances of getting infected by this virus/worm are just as bad as ever. Even if fully 50% of the Conficker worms are caught within a week that still means 175,000 new computers are being infected weekly.

At this point, having covered the Conficker worm (and about removing the Conficker worm) extensively here at our site, it should come as no surprise that this worm is no joke, but what's amazing to me is that after so much has been said about such malware that still so many people go without antivirus protection. Even without our coupons, getting the best antivirus / security software out there for Windows isn't that expensive.

Full sticker price of top-rated antivirus software like, VIPRE or BitDefender is under $30; with our coupons it's even less. Even if the *only* worm in the world were Conficker, which (obviously) it isn't, $30 seems like a small price to pay to avoid the problem altogether, and in the case of Conficker, it's clear, it's not going away anytime soon.