12/08/2011

Ask the Experts: Do I Need Antivirus Software?

Martha tapped a note out to us today that asked,
I'm 73 years old. My grandkids have been getting after me a lot lately. They want me to put some of that antivirus software on my computer. I don't know a thing about this stuff. I don't understand why I even need it. I use my computer for email and reading the news.
Here's my reply (with a little extra added here for clarification):

Thanks for writing, Martha.

I'm glad to hear your grandkids have been after you to get antivirus software. They're wise beyond their years. :-)

The first question here is:

Do I need antivirus software?

Since there are so many different ways a computer can get a virus, the question to ask to decide if you need antivirus software is:

What would happen if your PC got a virus?

The main risks of viruses are that they tend to be:
  1. destructive
  2. personally invasive
  3. resource thieves

The first is easy to understand. Viruses can delete your files.

If you have nothing of value on your PC, there's no risk here other than the time and cost for a PC shop to restore your PC and get it back into a working state.

On the other hand, if you do have things of value (real or sentimental) on your PC, maybe photos, music, emails, or the like, what would be involved in restoring those files, assuming it's possible?

As for viruses being personally invasive, it means viruses can steal your files, your data, and under the right circumstances even your identity.

Ditto here. If there's nothing of value on your PC, the risks are the time and cost of repair. If you use your computer for things like online banking, doing your taxes, or medical-related stuff, what's the risk of this information falling into the wrong hands?

The last one, resource theft, means viruses can burrow their way onto your PC and can make your computer a part of a "botnet".

Botnets are often used for sending spam, so if your PC gets sucked into a virus botnet, it's pretty likely someone would start using it to send their spam, probably without you even knowing it.

Even if there's truly no risk of data loss or theft (which isn't really the case, but assuming it is), if your computer is in a botnet, it's definitely being used for malicious purposes, something most folks don't want.

As to how you get a virus, there are a lot of ways computers get viruses. These days, the bad guys are resorting to taking over legitimate websites and using clever tricks to confuse people--or their computers--into installing their viruses.

How you get a virus is actually less important than what would happen if you got one, which is the real question to ask yourself if you're trying to figure out if you need antivirus software.

10/19/2011

More Details Emerging about R2D2 Backdoor Trojan

First reported by the Chaos Computer Club (CCC), which describes itself as the largest European hacker club, this malware is, according to the CCC, used by German police forces, and
...can not only siphon away intimate data but also offers a remote control or backdoor functionality for uploading and executing arbitrary other programs.
Is it legal? It appears not, despite being state sponsored.

And, no matter your opinion of remote PC monitoring and true spy software, there's something very troubling about this trojan according to the CCC:
Significant design and implementation flaws make all of the functionality available to anyone on the internet. [Editor's Note: Emphasis mine.]
Their analysis isn't just hot air. Further in their report, they go on to say,
The analysis also revealed serious security holes that the trojan is tearing into infected systems.

"The screenshots and audio files it sends out are encrypted in an incompetent way, the commands from the control software to the trojan are even completely unencrypted. Neither the commands to the trojan nor its replies are authenticated or have their integrity protected.

"Not only can unauthorized third parties assume control of the infected system, but even attackers of mediocre skill level can connect to the authorities, claim to be a specific instance of the trojan, and upload fake data.

"It is even conceivable that the law enforcement agencies' IT infrastructure could be attacked through this channel."
These are serious charges being leveled, so what does the antivirus software community's analysis reveal?

Both Kaspersky and F-Secure have already done their own analysis. Here's what they each have to say:

F-Secure

In their "News from the Lab" blog post on the R2D2 Backdoor Trojan, their report adds:
And now, several German states have admitted to using Backdoor:W32/R2D2.A (a.k.a. "0zapftis"), though they say the backdoor falls within what's allowed.

Kaspersky

The Kaspersky blog details their own analysis, which uncovered some other interesting details, including:
...there are six components in total – each with a different purpose – all of which have been analyzed by us.

"Amongst the new things we found in there are two rather interesting ones: firstly, this version is not only capable of running on 32 bit systems; it also includes support for 64 bit versions of Windows.

"Secondly, the list of target processes to monitor is longer than the one mentioned in the CCC report.

"The number of applications infected by the various components is 15 in total."
So what's the point of this trojan? Good question.

The various reports all say it's for monitoring communication from a suspect's computer when they're using several types of software:
  1. VOIP software (like Skype)
  2. web browsers
  3. chat software

Here's the complete list uncovered by Kaspersky in their analysis:

Software Monitored by R2D2 Backdoor Trojan

  Program               Purpose
  explorer.exe          Internet Explorer web browser
  firefox.exe           Mozilla Firefox web browser
  icqlite.exe           Chat software
  lowratevoip.exe       VOIP software
  msnmsgr.exe           Chat software
  opera.exe             Opera web browser
  paltalk.exe           Video chat software
  simplite-icq-aim.exe  Chat software
  simpro.exe            Chat software
  sipgatexlite.exe      VOIP software
  skype.exe             VOIP software
  skypepm.exe           VOIP software
  voipbuster.exe        VOIP software
  x-lite.exe            VOIP software
  yahoomessenger.exe    Chat software


So now the question is: are the antivirus software companies detecting the trojan?

Yes. Kaspersky and F-Secure alike say their software's heuristics (i.e. real-time protection) were capable of detecting the trojan even before they became aware of it and added specific threat definitions to their software.

F-Secure says, "The 'heuristic' category indicates that our automation flagged the file based on rules that our analysts have created." And Kaspersky says, "All components are detected by Kaspersky as variants of the R2D2 trojan/rootkit. The dropper was previously heuristically detected and blocked by us as an invasive program."

So, the bottom line: if you're running good antivirus software with real-time protection enabled, this trojan is unlikely to be a threat.

And, if you're not, why not?

09/15/2009

Stopping Malware: ISPs Cutting Off Internet Access to Malware Infected Computers

Malware in all its forms (viruses, worms, trojans, keyloggers, botnets, spyware, and even adware) is, for most individuals and businesses, unpleasant at best and a nightmare at worst.

Once your PC has been infected, cleaning up the mess the malware leaves behind can be easier said than done.

For better or worse, realizing your computer has been compromised is often difficult if not impossible. It can't be said too often that preventing the malware/virus infection in the first place should be your first priority in computer security:

  1. Be smart about what you do online.
  2. Keep your PC updated with Windows Update.
  3. Install (and run!) antivirus software or an Internet security suite.

In an effort to deal with those computers that have been infected, Australia's Internet Industry Association (IIA)

"has drafted a new code of conduct that suggests Internet Service Providers (ISPs) contact, and in some cases, disconnect customers that have malware-infected computers."

  1. Identify compromised/infected computers
  2. Contact customer with infected computer(s)
  3. Provide information/advice on how to fix infected computer(s)
  4. Report / alert about serious large-scale threats (including ones that affect national security)

Some believe this shifts the onus onto the ISPs to ensure their customers' PCs are malware free; however, given that the IIA is also calling for unresponsive customers (or ones involved in large-scale threats) to have their Internet access suspended, it really puts the onus onto the consumer, where I believe it belongs. Here's why:

If your machine does have a virus, worm, or other malware, you may lose your Internet access 'til you get it cleaned up.

Given how cheap even the best antivirus firewall software is, risking your Internet access to save a few bucks on Internet security software doesn't make sense--especially given that you'd need Internet access to download software to clean up an infected PC.

No matter how you slice it, the ISPs realize what a threat viruses and other malware are and are going to take whatever steps they can to protect themselves, their customers, and their infrastructure. Seems like smart business to me.

08/23/2009

Protecting Yourself From Stealth Keyloggers

There's ample understanding and concern about viruses, worms, and even botnets to some degree.

Most everyone who runs a PC understands that viruses, adware, and the like come with the territory and that it's wise to run antivirus software (or better yet, an Internet security suite).

What's still murkier than viruses and worms are stealth keyloggers--especially ones that report back to a central server in real time.

What adds to the murkiness is that keyloggers in the eyes of some technologists aren't all necessarily bad.

While some keylogging software definitely is bad, there is other software out there that is used to help protect kids online and to help monitor employees and public workers who are abusing computer and office time.

The line between good keyloggers and bad ones really comes down to one thing: what is the keylogger being used for?

In the case of "good" keyloggers, ultimately they're used to protect. Perhaps it's a child, perhaps it's an employer, perhaps it's a government agency, or perhaps it's someone else.

In the case of "bad" keyloggers, they're used to steal, wreck, and ruin. Perhaps it's to steal passwords, perhaps it's credit card numbers or a bank account, perhaps it's an identity, perhaps it's merchandise.

Whatever the case, how evil real-time stealth keyloggers work is a little less of a mystery thanks in part to a New York Times piece in the "Bits" technology blog section of nytimes.com.

Part of the problem is that these real-time keyloggers are now allowing the cyber-criminals to completely circumvent things like RSA's SecurID system and other similar security technology roadblocks.

As Saul Hansell of the Times puts it,

"By going real time, hackers... are now undeterred by systems that create temporary passwords, such as RSA’s SecurID system, which involves a small gadget that displays a six-digit number that changes every minute based on a complex formula.

"If your computer is infected, the Trojan zaps your temporary password back to the waiting hacker who immediately uses it to log onto your account.

"Sometimes, the hacker logs on from his own computer, probably using tricks to hide its location.

"Other times, the Trojan allows the hacker to control your computer, opening a browser session that you can’t see."

"They don’t break the encryption; they just log in at the same time you do."
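The window-based weakness Hansell describes, as an added example that is not from the article or the Times: a time-stepped code generator standing in for the token's formula, and a server-side verifier run with and without single-use enforcement. The TOTP algorithm, the seed and the timestamps are assumptions; the article gives none of them.

```python
import hashlib
import hmac
import struct

STEP = 60  # seconds per code: the token described above changes its number every minute


def time_code(secret: bytes, now: int, step: int = STEP, digits: int = 6) -> str:
    """Time-stepped one-time code (RFC 6238 TOTP, HMAC-SHA1), an assumed stand-in
    for the token's own formula. Every second inside one 60s window gives the same code."""
    counter = now // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


class CodeVerifier:
    """Server-side check of a submitted code.
    enforce_single_use=False: a code is accepted any time inside its window, so a code
    relayed seconds after the user typed it still works (the weakness in the article).
    enforce_single_use=True: each window's code can be consumed exactly once."""

    def __init__(self, secret: bytes, enforce_single_use: bool) -> None:
        self.secret = secret
        self.enforce_single_use = enforce_single_use
        self.last_used_counter = -1

    def verify(self, submitted: str, now: int) -> bool:
        counter = now // STEP
        if not hmac.compare_digest(submitted, time_code(self.secret, now)):
            return False  # wrong code for this window
        if self.enforce_single_use and counter <= self.last_used_counter:
            return False  # this window's code was already used: a replay
        self.last_used_counter = counter
        return True


def relay_scenario(enforce_single_use: bool) -> tuple:
    """The article's attack as a timeline: the user logs in, the captured code is
    replayed 5 seconds later. Returns (user_accepted, relay_accepted).
    Seed and timestamps are constructed for the demo."""
    secret = b"constructed-demo-seed"
    verifier = CodeVerifier(secret, enforce_single_use)
    user_time = 1_700_000_010  # 30 seconds into a 60-second window
    code = time_code(secret, user_time)  # what the user types and a keylogger captures
    user_ok = verifier.verify(code, user_time)
    relay_ok = verifier.verify(code, user_time + 5)  # replayed in the same window
    return user_ok, relay_ok
```

Single-use enforcement only turns the relay into a race: whichever login arrives first is accepted and the other is refused, so a refused code from the real user is the signal worth alerting on.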

I'll hand it to them, it's definitely clever, but what's even more amazing and alarming is that,

"When people visit Web sites that have been taken over by the hackers, the software is surreptitiously downloaded onto their machines.

"Clampi [a particularly nasty Trojan that uses real-time components] has an unusual feature that can take advantage of a vulnerability in Windows and spread itself to all of the computers on a corporate network.

"...each of those machines, in turn, was programmed to notice when their users visited any of 4,600 specified Web pages, including banks, brokerages and other sorts of sites."

As the article asks, "Does this mean the high-tech security tokens and such are a waste?"

Not really, as they still help protect against less sophisticated attacks.

Think of it this way: locking your front door might not deter a criminal willing to smash the window to get in; however, it might deter a good portion who won't smash a window but who would try to turn the doorknob to get in.

Criminals with access to the advanced technologies like real-time keyloggers are still fairly rare; less sophisticated ones aren't.

What's more, many of these types of attacks can be thwarted and prevented outright by good antivirus firewall software.

The bottom line is that some security is better than none and multiple layers of security are better than just one. Ideally, you should look to combine:

  1. a software firewall
  2. antivirus software
  3. antispyware