How Prevalent Is Fake Antivirus Software?

Over the past couple of years, we've gotten a lot of calls and emails from people who've been infected by fake antivirus software.

I took a call myself from Joyce in Philadelphia late last week. She told me about how she had to wire money to India to get the viruses removed from her computer.

Their pitch to her? Her antivirus software (their fake software) had expired. When she called their so-called tech support number, they told her there was no way they could remove the virus without her making a payment by Western Union to renew the software for another year.

There were problems (of course) with her computer even after she paid the fees, so she was calling to see what the best antivirus software was because what she bought, she felt, sure wasn't very good.

Sure, some readers are going to say, "Why on Earth did she send a Western Union transfer to India?! What was the thinking??"

Let's put that aside for a while and ask the bigger question: Just how prevlent is this crap?

Funny thing is Kasperksy asked this question, too, in their survey/report Digital Consumer’s Online Trends and Risks.

A whopping 24% of users surveyed worldwide said they're encountered fake antivirus software with the worst three countries for "infection" being Russia (48%), the United States (34%), and the United Kingdom (28%).

What's the take-away message from this?

Well, there's more than just one:
  1. If you've seen fake antivirus software, you're not alone.
  2. Your chances are about 1 in 4 you will.
  3. Make sure you're running real antivirus software
  4. Familiarize yourself with what it's like and how it works
  5. If you're familiar with it, you're more likely to know a fake threat when you encounter it


Should I Be Concerned about the Flame Worm?

Since it was uncovered, there's been a lot of (mis)information on what Flame is, how it works, and what's at risk.

Let's take a look.

First, Lee Ferran and Rhonda Schwartz of ABC News should get an award. In this piece on Flame, they claim,
"The cyber espionage super bug Flame compromised a key Microsoft security system, the company has now revealed, prompting Microsoft to issue an emergency patch to its millions of customers because of fears of what one expert called potential "collateral damage" from the U.S. and Israel's cyber war against Iran."
I left in the entire paragraph from their article so that it could be seen in all its glory.

At best, the quote above is misleading. At worst, it's alarmist.

Now, let's set the record straight. For starters, no one compromised a "key Microsoft security system." "Compromised" by most any measure--but particularly in cybersecurity parlance--implies there was an intrusion into Microsoft.

There was no such intrusion.

What really happened? A garden variety compromise of Windows lead to a privilege escalation that allowed the creators of the Flame virus to sign their software as if it had been written by Microsoft. (Garden variety may be a little off the mark, but hopefully, you get the idea. It was Windows itself that was compromised.)

Was it serious pie/mud in Microsoft's face? Sure. Was it [compromise] of "a key Microsoft security system"? Hardly.

What's worse is the article goes on to say, "The same day Microsoft revealed their security breach...." This bears repeating with emphasis.

There was... no... security... breach... at Microsoft.

Virus writers used existing software on the victims computers to trick the user into installing their software. That's it.

Now that that's clear, just what is this thing?

It's a virus, well, technically, it's a worm, and it appears to be of the same vein as Stuxnet in that it appears that it may've been written by a nation-state. And it's been there for a long time--at least five years say Kaspersky's researchers working on its analysis.

OK, so what's it do?

A better question: is there anything it doesn't do?

So far, according to Kasperksy's analysis of Flame it can:
  1. Ennumerate nearbly bluetooth devices
  2. Record audio (if there's a microphone)
  3. Create backdoor accounts on infected machines (HelpAssistant)
  4. Listen for incoming network requests
  5. List the PCs directory contents
  6. Lists "interesting" files
  7. Logs keystrokes
  8. Upload collected data to remote servers
  9. Identifies antivirus software and firewalls
This is a pretty nasty/impressive list of feats.

Now the real question. Are you at risk.

As with any virus, the answer is maybe. In this particular case, it's a worm, which makes matters worse since worms, by their very nature, seek out new targets to infect on their own.

Making matters worse is that it appears this bugger has been out there for at least five years, meaning it's had plenty of time to fly under the radar, infect PCs, and do its business.

The (slight) upside of things--at least if you're a home consumer not living in the Middle East--is that it appears it only targets PCs of "value" in the Middle East and according to Kaspersky, it appears to've infected about 1,000 PCs. (In this case "value" means those in some way related to government, military, or defense related organizations, from which it can glean intelligence data.)

Getting Rid of Flame

As complex as this worm is, at least one major antivirus company (in this case BitDefender) has already created a detection and removal tool. If you think your regular antivirus software may've missed it (or you're not running any), here's where you can find out: http://labs.bitdefender.com/2012/05/cyber-espionage-reaches-new-levels-with-flamer/.

One last thing, if you're looking for more information on the Flame, keep in mind that it goes by other names: Flamer, sKyWIper, and Skywiper, as most virues do.


Incredible Analysis of Flashback/Fakeflash OSX Trojan

In one of the finest examples of research into the workings of malware most people are likely to ever see, Alexander Gostev of Kaspersky Antivirus begins a full analysis of Flashback/Flashfake.

According to Alexander's research, it looks like Flashfake began its infections via hacked Wordpress blogs.
From September 2011 to February 2012, Flashfake was distributed using social engineering only: visitors to various websites were asked to download a fake Adobe Flash Player update.
Good ol' social engineering is what duped the first wave of folks into getting infected. (N.B. Typically, these are the types of infections that are blocked by Internet security software.)

Next, it appears actual exploits began being used to spread the Trojan via the hacked Wordpress blogs. How many blogs were infected, but it's at least 30,000 according to a Websense report on the Wordpress infections.

Hats off to Kaspersky and Alexander both for the great research and for sharing it.


Flashback Checker & Removal Tools (or Why Antivirus Software is a Good Thing)

People sometimes question why antivirus software that's not a part of the operating system is a must.

With Windows 8 for instance, Microsoft has announced they're including their own antivirus software right in the operating system itself.

To be blunt: this is meaningless, particularly in the way of making a PC safer. The first antivirus software the virus writers will make sure their software evades will be that which is built into Windows! And so, this A/V software means nothing more than a false sense of security for most people and some delays for the bad guys.

Having good third-party antivirus software means you have another layer of protection the bad guys don't necessarily know about. Sure, they may try to avoid detection by independent antivirus programs, especially the most common ones, but if they're at least beating the baked-in antivirus software, their battle is largely done.

Yes, it might make it harder to find ways to infect PCs to begin with, but all that does is slow them down a bit.

Now, let's bring Apple into the picture.

Apple was first criticized for its slowness first in applying the patches to Java that Oracle made months ago (they delays which caused the Flashback Trojan to hit Macs as virulently as it did to begin with), then a second time for not working with the antivirus community that was eager to help, and then a third time for not releasing detection and removal tools.

Luckily, the antivirus companies entered the picture. First was Dr. Web with its disclosure of the trojan (and "sinkholing" of the botnet's command-and-control domain names).

Then F-Secure came into the picture with manual instructions for determining if your Mac had been compromised. On the heels of that was Kaspersky with free, automated Flashback detection and removal tools.

All of these companies beat Apple--by a LONG shot--at protecting their customers (and non-customers alike) with their steps and tools they each respectively made.

Oh, and lest it go unsaid, Apple did release an update to Java that patches the hole and removes the most common variants of the Flashback malware.

Here's what the update looks like in Software Update:


Mac OS X Flashback Trojan Fix in the Works by Apple

Today Kaspersky's Dennis Fisher brings news that Apple is developing a Flashback Trojan Fix.

First a little clarification about the trojan: this infection is caused by a security flaw in Oracle's Java and isn't a whole per se in OS X. That said, the biggest surprise about the trojan for most people is that Flashback has been around in one form or another for more than six months now.


As most of us know by now more than 600,000 Macs running OSX have been infected, so this isn't a tiny one-off threat. It's a bona fide Mac botnet.

This is really the first time Apple finds themselves in a position Microsoft has long ago mastered: how to handle the three prongs of dealing with a virus outbreak,
  1. customers
  2. security researchers
  3. virus writers
As for the official word from Apple, there's now a document on Flashback malware at Apple's support site.

Unfortunately, it's really nothing more than, Apple is developing software that will detect and remove the Flashback malware.

They do, however, give a good link on how to disable Java in your Mac's browser preferences.

Personally, I don't have Java enabled--never have--and if I find there's some content that requires Java, I turn it on manually for that one site then disable it again.

After all, Java is not the same as Javascript, and since so few sites rely on Java, there's very, very little you'll be missing out on by disabling Java altogether, and heck, if you need it, turn it back on, and shut it off when you're done.


More Details Emerging about R2D2 Backdoor Trojan

First reported by the Chaos Computer Club (CCC), which claims to be the largest European Hacker club, this malware, they claim, is used by German police forces, and
...can not only siphon away intimate data but also offers a remote control or backdoor functionality for uploading and executing arbitrary other programs.
Is it legal? It appears not, despite being state sponsored.

And, no matter your opinion of remote PC monitoring and true spy software, there's something very troubling about this trojan according to CCC,
Significant design and implementation flaws make all of the functionality available to anyone on the internet. [Editor's Note: Emphasis mine.]
Their analysis isn't just hot air. Further in their report, they go on to say,
The analysis also revealed serious security holes that the trojan is tearing into infected systems.

"The screenshots and audio files it sends out are encrypted in an incompetent way, the commands from the control software to the trojan are even completely unencrypted. Neither the commands to the trojan nor its replies are authenticated or have their integrity protected.

"Not only can unauthorized third parties assume control of the infected system, but even attackers of mediocre skill level can connect to the authorities, claim to be a specific instance of the trojan, and upload fake data.

"It is even conceivable that the law enforcement agencies's IT infrastructure could be attacked through this channel.
These are serious charges being leveled, so what does the antivirus software community's analysis reveal?

Both Kaspersky and F-Secure have already done their own analysis. Here's what they each have to say:


In their "News from the Lab" blog on the R2D2 Backdoor Trojan, their report adds,
And now, several German states have admitted to using Backdoor:W32/R2D2.A (a.k.a. "0zapftis"), though they say the backdoor falls within what's allowed.


The Kaspersky blog details their own analysis which uncovered some other interesting details, including:
...there are six components in total – each with a different purpose – all of which have been analyzed by us.

"Amongst the new things we found in there are two rather interesting ones: firstly, this version is not only capable of running on 32 bit systems; it also includes support for 64 bit versions of Windows.

"Secondly, the list of target processes to monitor is longer than the one mentioned in the CCC report.

"The number of applications infected by the various components is 15 in total.
So what's the point of this trojan? Good question.

The various reports all say it's for monitoring communication from a suspect's computer when they're using several types of software:
  1. VOIP software (like Skype)
  2. web browsers
  3. chat software
Here's the complete list uncovered by Kaspersky antivirus in their analysis:
Software Monitored by R2D2 Backdoor Trojan
Program Purpose
explorer.exe Internet Explorer web browser
firefox.exe Mozilla Firefox web browser
icqlite.exe Chat software
lowratevoip.exe VOIP software
msnmsgr.exe Chat software
opera.exe Opera web browser
paltalk.exe Video chat software
simplite-icq-aim.exe Chat software
simpro.exe Chat software
sipgatexlite.exe VOIP software
skype.exe VOIP software
skypepm.exe VOIP software
voipbuster.exe VOIP software
x-lite.exe VOIP software
yahoomessenger.exe Chat software

So now, the question is are the antivirus software companies detecting the trojan?

Yes. Kaspersky and F-Secure alike say their software's heuristics (i.e. realtime protection) were capable of detecting the trojan even before they became aware of it and added specific threat definitions to their software.

F-secure says, The 'heuristic' category indicates that our automation flagged the file based on rules that our analysts have created. And Kaspersky says, All components are detected by Kaspersky as variants of the R2D2 trojan/rootkit. The dropper was previously heuristically detected and blocked by us as an invasive program.

So, the bottom line, if you're running good antivirus software with realtime protection enabled, this trojan is unlikely to be a threat.

And, if you're not, why not?


TDSS Botnet Has a Firefox Add-On?!

Too weird and too bold to be true, yet still true.

The TDSS botnet, regarded as the most sophisticated threat today according to Kaspersky Labs, makers of Kaspersky Antivirus.

And now, apparently the botnet is proving to be such a menace and so difficult to detect, its creators have even gone so far as to create a Firefox Add-On to make it easier for anyone using the botnet for anonymous surfing to switch from one hijacked connection to another.

Brian Krebs has more detail on the TDSS Rent-a-Bot Botnet Details.

What's so scary about this aspect of the TDSS botnet, which appears to be capable of being used for anything you can imagine, is that this part of it means you can have someone surfing the web as if they're using your computer to do whatever they want.

Here's a screenshot of a few of the infected PCs being rented for web proxy service:

The evil possibilities are endlesss.

Imagine what you could never imagine you doing yourself on your computer. Imagine what you'd never want your computer being used for. Now, imagine someone else is doing these things on your computer. And you don't even know it.

In my mind, I'd call Kaspersky's assessment spot on.

And if as you read this you're thinking to yourself, "Oh, but I know my computer isn't infected. I'd know it! Pfft. I don't need antivirus software." Sure about that, are you?

Sure enough that you can explain why your computer was downloading illegal pictures at 3AM? Or pirated Hollywood movies? Or stolen data from a military base?

You're that sure, are you?


More Android Smartphone Malware Found, Removed from Marketplace

Kaspersky, makers of Kaspersky Antivirus just posted a lengthy piece on  new Android Malware called the "Plankton Trojan".

Originally discovered by Xuxian Jian (Assistant Professor and his research team at the Department of Computer Science, NC State University), his report on the Android malware disconcertingly begins,
This spyware does not attempt to root Android phones but instead is designed to be stealthy by running the payload under the radar.

"In fact, Plankton is the first one that we are aware of that exploits Dalvik class loading capability to stay stealthy and dynamically extend its own functionality.

"Our investigation indicates that there are at least 10 infected Android apps in the Official Android Market from three different developers.

"Its stealthy design also explains why some earlier variants have been there for more than 2 months....

What does this mean?

For starters, it means that the bad guys have found a way to get onto your Android without requiring "root" access, which means that it's able to evade detection and avoid tripping the warning screens and whatnot that you'd expect to see.

The report details how this application silently hooks into the phone, downloads in the background more things it needs to run, and uploads information about your account to computers the bad guys control.

Kasperksy's analysis revealed,
...the virus does not provide root exploits, but supports a number of bot-related commands.

"One interesting function is that the virus can be used collect information on users’ accounts.
What exactly the bad guys are doing with the botnet either isn't yet clear or isn't yet being revealed by Professor Jiang or Kaspersky. And for that matter what they're doing with the users' data isn't clear/revealed either.

This may be a case where they're just trying to test the waters and see what kind of flags they raise and what kind of information they can glean from users.

Regardless, it's definitely cause for some concern amongst users and antivirus researchers alike, as it will require the AV companies to rethink some of their strategies in protecting phones.

What's Google Doing about it?

According to the piece by Kaspersky,
Google has historically taken a hands-off approach to policing the Android Marketplace.

"It will suspend and remove suspicious or malicious applications when they're reported, but does not vet applications prior to posting them, as Apple does with its AppStore.

"A growing population of Android users and burgeoning Android Marketplace, however, may challenge that approach.


Adobe Warning Issued For Potential of Attacks on Flash Player Vulnerability

Adobe has issued a warning about a critical vulnerability in Flash that impacts Adobe Reader and Acrobat.

Kaspersky Labs' Threat post reports that the Flash Player vulnerability is a bug that can be used by remote attackers to run arbitrary code and that Adobe has already seen some attacks capitalizing on this.

Adobe issued a security advisory that the vulnerability exists in the following software versions:

  • Adobe Flash Player and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
  • Adobe Flash Player and earlier for Chrome users
  • Adobe Flash Player and earlier for Android
  • The Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.1) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems.

Adobe Reader 9.x for UNIX, Adobe Reader for Android, and Adobe Reader and Acrobat 8.x are not affected by this issue.

There have been some reports of this vulnerability being exploited by embedding a Flash .swf file within a Microsoft Excel (.xls) file being delivered in an email attachment.

Adobe states they are not aware of specific attacks utilizing Adobe Reader and Acrobat.

A fix for this issue is in the works scheduled for release by March 21, 2011.

Even though the new Flash bug apparently wouldn't be exploitable in Reader X, Adobe plans to update that application in its scheduled quarterly Reader patch release on June 14, 2011.

While you're updating your Flash player, take a peek at your antivirus software and make sure it's up to date, too. After all, it's your last line of defense.


Email Worm Hits Outlook Users: VBMania@MM

As if we all hadn't learned the hard-learned lessons from 2001, including (among other things), not to open attachments we're not expecting and to not click links in emails when we're not expecting them, there's a new worm making its rounds today.

With this newest, latest, greatest iteration of the computer worm, this one dubbed "Here you have" or W32/VBMania@MM, we're taught apparently we need to re-learn some of those old lessons once more.

Here are what two of the worm's emails look like:

Subject: Here you have

This is The Document I told you about,you can find it Here.

Please check it and reply as soon as possible.


Subject: Just For you

This is The Free Dowload Sex Movies,you can find it Here. http://www.sharemovies.com/library/SEX21.025542010.wmv

Enjoy Your Time.


A fairly sophisticated worm, according to the write-up on it on McAfee's Antivirus blog, it spreads itself the following ways:

  1. via Outlook, spamming itself to everyone in your contact list
  2. over network shares
  3. AutoRun on removable media (i.e. flash/thumb drives)

All-in-all, it's a combination of the techniques of the old-school Outlook viruses and those of the more recent multi-vector worms, including disabling antivirus software.

Sneaky for sure.

On top of that, it's disguising itself as a .pdf file, when in fact it's an executable program.

As users, we've all been trained for so long that .pdf files are harmless, when in fact they're not, themselves having become an attack vector more than once recently.

At least as far as good news goes, the malware:

  1. isn't auto-executing (as the Outlook viruses were a few years ago)
  2. requires that a user click a link and run the file
  3. is being caught by most antivirus software

As the folks at Kaspersky point out in their post about the "Here You Have Virus",

The difference with those earlier attacks is that the emails typically carried the malicious file itself and didn't rely on a link to a downloading site.

"But the technique used to entice users to click on the attachment or malicious link is the same: Offer the user something he wants to see.

Which brings up a point that can't be repeated enough:

  • No matter how tempting: Avoid opening emails from strangers. Subject lines like the ones in this worm are a dead giveaway to their content.
  • If you absolutely must open a stranger's email, don't click on links in them
  • If you absolutely must click the link (or do so accidentally), if you're prompted to 'Run' a file, don't. Just don't.

No matter how tempting, I assure you, you're not missing out on anything except for anger, frustration, tears, heartache, and a trip to your local computer store.