When Antivirus Software Fails You: How to Stop (and Defeat!) a Real-World Trojan & Social Engineering Attack
It isn't every day you get to see what a real Trojan or Social Engineering attack looks like.
When you do, there's seldom time to even take screenshots: you just want to get the heck out of Dodge.
But this time, while putting together material for our upcoming free workshop, Get Secure, I came across a real attack and was able to record it.
If you've ever wondered what an attack looks like, here's your chance to see one.
Here's the best/worst part: nothing stopped it.
- Not our Internet Security Software.
- Not any of our browsers' built-in malware protection.
- Not even Windows 10 built-in security.
See for yourself how it happened and what you can do to stop it.
Whilst traversing The Tubes yesterday doing some research on credit card processing across a host of different sites, I was hit with an old school malware installer technique with a couple of new twists at one of them. (That's what it looks like above.)
What's old school about it is that it uses an old social engineering ruse to trick people into installing it. Make no mistake: it's fake software. Well, it might play media files, but I guarantee there's some sort of unwanted malware / adware payload along with it.
As you can tell from the Finder icon in the top left, and the "Accept and Install" button in the lower right, it's obviously geared for people on a Mac, and here are some telltale signs it's fake.
- Every media type that matters is playable out of the box on a Mac.
- "Media Player" is Windows-only software, and it's built into Windows, i.e. no need to install it like this.
- The Accept and Install button and the Finder icon are the (now very) old Mac interface style.
- Powered by "MediaDownloader," yet the software is called, "Media Player"?
- What the heck is the Finder icon even doing on an installer for a third-party product?
Curiously, both Bitdefender and Webroot for Mac missed identifying the serving URL as malicious.
(Whether it has a trojan or some other malicious payload or if it's "just" adware, I don't know, and honestly, does it really matter? Its goal is to trick people into installing it.)
So, if you come across this bugger (or something similar in the wild), get the heck out of Dodge and for cryin' out loud, keep your mouse away from the "Accept and Install" button, will ya?
On Feb 18, the entire computer system at Hollywood Presbyterian Medical Center was locked and held for ransom.
The hackers who easily infiltrated the hospital's system locked and encrypted all of the hospital's medical files and computers making it impossible to work and help patients. The hackers demanded $17,000 to unlock the hospital's computer system. The hospital staff had to resort to pen and paper to get anything done, and many critical patients had to be diverted to other hospitals for care.
And if you think you're not vulnerable to ransomware attacks, think again:
The Lockie ransomware can be targeted at anyone, anytime. Whether you're a big company or a single person, Lockie makes it incredibly easy to infect and hold your PC... or many PCs... for ransom. Local resident Brandi C. was hit by Lockie at home.
Brandi had to pay $300 to the hackers so they would unlock and release her computer back to her.
How Does This Happen?
The Lockie ransomware is spread primarily through emails. Proofpoint CEO Gary Steele says their security firm saw 10 million messages go out in one day that contained the Lockie ransomware.
Lockie is typically delivered via email as an attachment. By clicking open a simple Word document attached to your email, you could instantly infect your system with Lockie. Your entire computer would then be locked and encrypted with a demand from the hackers to pay hundreds or even thousands of dollars to unlock your computer.
How To Avoid Lockie and Other Ransomware
- Don't click on suspicious links or attachments in your emails. If you get an email from someone you don't know that has an attachment, you have two options:
- Delete the email immediately without opening it. This is your best and safest option.
- Use your antivirus software to scan the file before opening it (most antivirus software has a feature that lets you right-click a file and scan it). Caution: be extremely careful that you don't actually double-click to open it. If you do, you could instantly infect your PC. If you do get infected with Lockie or any ransomware, try The FixMeStick to get rid of it.
- Backup all your data regularly. If you're not already backing up your files... you should be. A good backup software is a critical piece of online security that many people overlook. Backup always and often.
- Be sure you have a good antivirus or Internet Security software installed. We say it over and over, but people still get hit with ransomware and other malware all the time because they have poor antivirus software. A good antivirus program will scan attachments before they can do any damage.
In the end, the hospital paid the $17,000 ransom to get their files back. They panicked because they felt they had no other choice. They should've trained their staff to better identify suspicious email attachments, and they should've had better antivirus software running.
And Brandi, and thousands more like her, were innocent bystanders who got hit with this devious malware... and you could be too. Be alert when you're online just like you would be in a bad part of town. Keep your eyes and ears open and don't be too quick to click.
Softpedia has a nice write up on the new Emsisoft tool to decrypt the DecryptorMax ransomware (aka CryptInfinite).
This tool is great news for the good guys and for the consumers who've been affected by this scumware.
And, as to how to use it, the fine folks at BleepingComputer.com have a tutorial on using the CryptInfinite / DecryptorMax decryption tool.
By this time, the media seizes on the news and goes after it like a pack of sharks who've smelled blood in the water.
So, are these exploits worth being worried about?
Let's get the answer to this question by asking two more:
- Are you at risk?
- What's the best way to protect yourself?
Let's start with:
What Is Heartbleed?
Although not a virus or malware in the traditional sense, the Heartbleed vulnerability is a mechanism by which attackers can gain access to your confidential information when you access vulnerable websites, email, and other servers.
If one of these websites hasn't patched this vulnerability and you access it over a secure (https) connection, attackers can intercept your (otherwise secure) communication with that website, decode the information, and impersonate you with that server.
Confused? Let me put it in real world terms.
Let's say you go to your bank or credit card online.
You put in your username and password, do your business, and get on with your day. Fine. Or so you thought.
Meanwhile, silently in the background, someone was listening in right through the "secure" connection and stealing your username and password.
And, as you've moved on to other sites and the rest of the day, the bad guys are now logging into your bank account, and draining it.
It's not just bank accounts either.
According to the highly regarded Netcraft, over 500,000 widely trusted websites were vulnerable. No doubt some of them still are.
Many of the websites you visit to check your email or log into to conduct personal business are potentially vulnerable.
Now, some good news.
- Microsoft web servers are not vulnerable. (This doesn't mean people using Windows as their desktop OS aren't vulnerable. It just means the web sites themselves aren't.)
- Most banks and other financial institutions that were at risk have now patched their servers, eliminating the vulnerability.
- There's a Plug-In for Google's Chrome Browser called, "Chromebleed," that tests for the vulnerability.
I recommend you take a look at Tom's Guide for complete details, but here's the list in condensed fashion (with some edits I've thrown in for good measure).
- Change your Google, Facebook, Yahoo!, and Dropbox passwords.
- Log out of all apps on your phone, iPad, etc., then log back in.
- If a website asks you to update your password, do it.
- Update your OS (regardless of what you run: Windows, Mac, Linux, BSD, whatever).
- Set up two-factor authentication. (This is just a smart thing to do anyway.)
What About Shellshock?
Shellshock, also called "Bashdoor," is an attack, primarily on servers, that leverages a series of flaws in software called "Bash," that's commonly installed on web, email, and other servers.
Without boring you to tears with all the technical details of Shellshock, let's just address the important question here: are you at risk?
Unless you're running Cygwin on Windows, Xcode on OS X, or a Linux/BSD variant, chances are no. (If you don't know what these are, you're probably not at risk, since they aren't built into Windows or OSX.)
The bigger problem though is that many, many of the web sites you visit daily are (or at least were) vulnerable.
On top of that, unlike Heartbleed, where there's a very small risk of the server itself being compromised, Shellshock by design does compromise vulnerable servers and allows attackers to take them over.
In an outstanding article on Shellshock by Troy Hunt, he says,
"The worry with Shellshock is that an attack of this nature could replicate at an alarming rate, particularly early on while the majority of machines remain at risk.
"In theory, this could take the form of an infected machine scanning for other targets and propagating the attack to them."
OK, brass tacks, what does this mean?
First, it means your computers, laptops, phones, and tablets are probably not directly vulnerable.
HOWEVER, it does mean that many ordinary websites out there that we all think are safe and virus free are now places that are vulnerable to attack and that, once compromised, can harbor malware used to infect ordinary users' computers.
This is a strong case for considering Internet Security software over garden-variety antivirus.
The two things most commonly found in Internet Security software absent in most antivirus programs are:
- malicious website blocking
- software firewall
Is this a hoax, or some kind of Y2K scare tactic? Unfortunately, it's very real for about 65,000 U.S. citizens.
I'll give you the good news first: if you've been running antivirus software for the past couple of years, you're probably fine and won't be affected. All the major antivirus companies have been on top of DNS Changer since it came out a few years back and have either blocked or removed it from any infected computer.
So, what exactly is going on?
Over the past 5 years, some Estonian cybercriminals infected approximately 4 million computers with a virus called "DNS Changer." The FBI (and other International law enforcement agencies) finally caught up with these criminals, arrested them, and seized the infected server farm that was doing all the damage.
Then everything should be fine, right?
Not exactly. The problem is, the FBI had to keep those infected servers running since March. Why? Anyone who has a computer infected with DNS Changer would instantly lose Internet access if these servers were shut down (since the infected computers rely entirely on these malicious servers for Internet access).
The FBI decided to give people a chance to clean up their computers before they pull the plug on these malicious servers this coming Monday (7/9/2012). If for some reason you don't run antivirus software, or are just unsure if you're infected, you may lose Internet access on Monday for several hours.
What exactly does DNS Changer do?
In a nutshell, DNS Changer takes over your computer's DNS and points you towards fake search results populated with malicious websites. Any one of these fake sites will further infect you with trojans or other viruses designed to steal passwords, send you spam, or just steal your money flat out. Nasty business.
For instance, if you were infected with DNS Changer, and you did a search for "Netflix," then clicked one of the fake search results, you would be redirected to a bogus (and dangerous) site called "BudgetMatch" instead.
Or if you clicked a search result for ESPN, you might see fake ads on ESPN's site directing you to a fake timeshare business.
As I mentioned above, if you've been regularly running antivirus or Internet security software on your computer, you're almost certainly safe from losing Internet access this Monday, but we recommend that you at least do a simple test to make sure.
U.S. users can click this link to see if their DNS is working properly (which indicates DNS Changer isn't affecting you): http://www.dns-ok.us/
You should see this if your computer is safe:
For other countries, and more information, you can visit this site: http://www.dcwg.org/detect/
If you do find that you're infected, you should install some antivirus software to try to get rid of DNS Changer. In many cases, however, your computer may be so infected that it might be too late even for that. In that case, you should seek out a professional to diagnose and solve the issue.
What's clear though is that more folks like us (i.e. people who are *not* employees of the top antivirus manufacturers) are beginning to start beating this drum, too.
PCWorld's Dan Tynan wrote a piece back in November 2011 called, Mobile Malware Epidemic Looms. Now there's a piece in the NYTimes. Build Up Your Phone’s Defenses Against Hackers.
No disrespect to mainstream media, especially the NY Times, which I love, but c'mon... by the time this kind of thing hits The Times, it's arguably already old news. Certainly, it's well beyond the point of being "theory."
The opening sentence of Dan's piece in PCWorld says it all,
"I know it's a tad early for new year predictions but I'm going to beat the rush and make mine now: 2012 will be the year of mobile malware."
At the risk of offending the sensibilities of some of my readers who think they're immune, let me ask a few questions about what you do with your phone.
(N.B. For brevity, I'm lumping smart phones and tablet PCs into one category "phones".) With your phone do you...
- Use bluetooth?
- Browse the web?
- Send or receive email?
- Send or receive text messages?
- Charge via a USB connection?
- Charge at public charging kiosks?
- Use QR / "Scan Me" codes? [1]
Now, shift gears for a second and think about not just the ubiquity of the cell phone but the utility. Not only are cell phones everywhere, they're *really* useful, which makes them all the more ubiquitous, which makes them even more useful, and so on.
And, now for the deathblow in the argument against cell phone antivirus software.
Phones are computers. Period.
If there's a microprocessor in it, it's a computer. And, I don't care how much time, money, energy, blood, sweat, and tears a manufacturer has put into their phone. It only takes one oh-so-subtle mistake by a well-intentioned programmer to make the code vulnerable to traditional malware attacks.
Consider this. Just to create the homepage of our site (and just the homepage) takes over three thousand lines. [2] And that doesn't even count the code your web browser had to have to understand how to display our site properly for you.
My point: even if you have no clue how many lines of programming it takes to make a cell phone, rest assured it takes millions. Many, many millions. We ourselves are always finding and fixing little errors and typos throughout our site. If we have a hard time finding them in our own back yard, imagine how hard it is for a programmer to think about what problems they're going to encounter when millions of customers start using phones in millions of different ways.
Every mistake, no matter how subtle is a possible virus entry point. Maybe it'll never be discovered. Maybe it will. But in millions of lines of code, there are lots of opportunities for mistakes.
Next is the issue of "social engineering," where you're just out-and-out tricked into running malicious code. Maybe you click, "Yes" accidentally. Maybe you didn't understand what was going on and clicked, "Yes." Regardless, you clicked, "Yes" and installed something evil onto your phone.
What's it going to do?
Who knows? For starters it is a PC. The problem is, it's a whole lot more, too. It's a phone. It's a camera. It's an MP3 player.
Common things (so far) for cell phone malware are things like secretly calling 900 numbers, listening for credit card numbers, stealing contact information, logging keystrokes at your bank, brokerage, and credit card accounts... and the list goes on.
No matter how you look at it, cellphone viruses are here and cellphone antivirus software is a must. Android. iPhone. Blackberry. Windows. Palm. It doesn't matter what platform your phone (or tablet PC) runs, rest assured, it's vulnerable to viruses. Today.
How convinced are we? We're putting our own R & D money on the line: fitting right in line with our regular PC antivirus reviews, we're working on our own cellphone antivirus review site. No launch date just yet, but if what we've already seen in terms of mobile malware is any indication, it had better be soon.
[1] QR / "Scan Me" codes are those funny square scan code things that are popping up everywhere offering everything from discount coupons to manufacturer direct purchasing.
[2] For some more perspective, we estimate, conservatively, that since 2006 our site has produced well over 1,000,000 lines of code. And that's just the site itself.
I'm 73 years old. My grand kids have been getting after me a lot lately. They want me to put some of that antivirus software on my computer. I don't know a thing about this stuff. I don't understand why I even need it. I use my computer for email and reading the news.
Here's my reply (with a little extra added here for clarification):
Thanks for writing, Martha.
I'm glad to hear your grandkids have been after you to get antivirus software. They're wise beyond their years. :-)
The first question here is:
Since there are so many different ways a computer can get a virus, the question to ask to decide if you need antivirus software is:
The main risks of viruses are that they tend to be:
- personally invasive
- resource thieves
If you have nothing of value on your PC, there's no risk here other than the time and cost for a PC shop to restore your PC and get it back into a working state.
On the other hand, if you do have things of value (real or sentimental) on your PC, maybe photos, music, emails, or the like, what would be involved in restoring those files, assuming it's possible?
As for viruses being personally invasive, it means viruses can steal your files, your data, and under the right circumstances even your identity.
Ditto here. If there's nothing of value on your PC, the risks are the time and cost of repair. If you use your computer for things like online banking, doing your taxes, or medical-related stuff, what's the risk of this information falling into the wrong hands?
The last one, resource theft, means viruses can burrow their way onto your PC and can make your computer a part of a "botnet".
Botnets are often used for sending spam, so if your PC gets sucked into a virus botnet, it's pretty likely someone would start using it to send their spams, probably without you even knowing it.
Even if there's truly no risk of data loss or theft (which isn't really the case, but assuming it is), if your computer is in a botnet, it's definitely being used for malicious purposes, something most folks don't want.
As to how you get a virus, there are a lot of ways computers get viruses. These days, the bad guys are resorting to taking over legitimate websites and using clever tricks to confuse people, or their computers, into installing their viruses.
How you get a virus is actually less important than what would happen if you got one, which is the real question to ask yourself if you're trying to figure out if you need antivirus software.
Easily one of the most Frequently Asked Questions we get is,
What's the difference between antivirus software and an Internet security suite?
Right on the heels of that is the next one,
Is the upgrade worth it?
Each security software company puts their own spin on things, but generally it boils down to the addition of two critical features:
- firewall software
- malicious website filtering
firewall software
Creates a virtual "moat" between your PC and the Internet (or the rest of a network if you're on an open wireless network somewhere like a coffee shop or the airport).
Sure, some malware can beat a software firewall, but it's another layer of defense to help keep your PC safe.
The other benefit to the best firewalls: you can record (and block) traffic both going to your PC and traffic leaving from it, too.
What's the point?
You'd be surprised how many programs are installed on your PC that make connections all on their own to check for updates, etc. Viruses, worms, keyloggers, spambots, and other malware do this, too.
So, if you suspect a virus may've infected your PC and gotten past your antivirus software, a firewall can help you track down if and when it's making connection attempts from your PC back to a master server somewhere.
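As an added example (not part of the original post), here is a small Python script that parses Windows Firewall log records in the default pfirewall.log layout and reports outbound ("SEND") connection attempts to destinations outside an allow list, the kind of tell-tale traffic described above. The log lines are constructed sample data, and the allow list of expected destinations is an assumption for the demo.

```python
"""Summarise unexpected outbound connection attempts from a Windows Firewall log.

Added example, not part of the original post. The log lines below are
constructed sample data in the default pfirewall.log (W3C-style) layout;
the allow list of expected destinations is an assumption for the demo.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample of pfirewall.log; the "#Fields:" header names the columns.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2012-07-06 04:20:11 ALLOW TCP 192.168.1.10 192.168.1.1 49201 53 0 - 0 0 0 - - - SEND
2012-07-06 04:20:12 ALLOW TCP 192.168.1.10 203.0.113.45 49202 443 0 - 0 0 0 - - - SEND
2012-07-06 04:20:13 ALLOW TCP 192.168.1.10 198.51.100.7 49203 8080 0 - 0 0 0 - - - SEND
2012-07-06 04:20:14 DROP TCP 198.51.100.9 192.168.1.10 4444 445 0 - 0 0 0 - - - RECEIVE
2012-07-06 04:20:15 ALLOW TCP 192.168.1.10 198.51.100.7 49204 8080 0 - 0 0 0 - - - SEND
2012-07-06 04:20:16 ALLOW UDP 192.168.1.10 192.168.1.1 49205 53 0 - - - - - - - SEND
"""

# Assumed allow list: the home router's network plus one known update/CDN network.
EXPECTED_DESTINATIONS = [ip_network("192.168.1.0/24"), ip_network("203.0.113.0/24")]


def parse_firewall_log(text):
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue  # other header lines, or data before the column names are known
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed record: skip rather than mis-assign columns
        yield dict(zip(fields, values))


def unexpected_outbound(text, expected=EXPECTED_DESTINATIONS):
    """Count outbound (path == SEND) attempts per dst-ip:dst-port not in the allow list.

    Returns a dict such as {"198.51.100.7:8080": 2}, most frequent first.
    """
    counts = Counter()
    for rec in parse_firewall_log(text):
        if rec["path"] != "SEND":
            continue  # inbound traffic is a different question
        dst = ip_address(rec["dst-ip"])
        if any(dst in net for net in expected):
            continue
        counts[f"{rec['dst-ip']}:{rec['dst-port']}"] += 1
    return dict(counts.most_common())


if __name__ == "__main__":
    for dest, n in unexpected_outbound(SAMPLE_LOG).items():
        print(f"{n:3d} outbound attempt(s) to {dest}")
```

Repeated attempts to the same unlisted address and port are the pattern worth investigating; on a real machine, enable logging of allowed connections in the firewall properties first, since only dropped packets are logged by default.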
malicious website filtering
You're out reading some news and checking out your favorite sites. Maybe you're clicking around and visiting some sites you've never been to, or maybe you just made a typo and typed "yuorbank" instead of "yourbank."
In either case, the bad guys are on the prowl and are:
- secretly taking over legitimate sites and installing their viruses onto them
- buying domain names that are typos of legitimate sites
- sending spams and phishing emails
Regardless of their method, the bad guys are out there, and malicious website filters (including anti-phishing ones), like a firewall, can give you one more layer of protection before the actual virus detection part of antivirus software has to come into play.
Is the upgrade worth it?
In a lot of cases when it comes to technology, there's wiggle room in an answer. In this case though, the "Yes" is clearcut.
Sure, these two features will cost a few bucks more, usually about $10. The $10 is well spent though, since you're getting real benefit from it.
The $10 isn't just fluff on a fancier name; it's $10 on--at least--two different security technologies that you don't get with most basic antivirus protection.
And, they're two technologies that can make all the difference between your PC being compromised (and all the clean-up time, expense, and mess that goes along with it) and not.
"The fake-antivirus business was a big money-maker in the first half of this year.
"Then, at the end of June, fake-AV products practically disappeared from the web.
"Was it technology, or does traditional law enforcement deserve the credit?"
Ironically, just two weeks after his piece, uTorrent (a company offering legitimate BitTorrent software) saw their web servers hacked into and their legitimate BitTorrent software replaced with fake antivirus software.
As it turns out, the server in question, according to the geek.com piece, was only online with the phony antivirus software/malware for an hour and 40 minutes, from 4:20AM 'til 6AM PST.
A response of under two hours to identify the breach and take the server offline, especially in the wee hours of the morning, is really quite good. (Unless, of course, you downloaded uTorrent in that block of time.)
Here's what one version of the Security Shield fake antivirus software looks like:
(Notice the bad grammar in the fake software's interface: "Protect your PC in new level.")
Matthew Humphries, the geek.com writer behind the story, goes on to say,
"uTorrent has now apologized and managed to get their servers back online after removing the rogue files.
"If nothing else this should act as a reminder to everyone to ensure any files you download from the Internet are scanned with a reputable security scanner before being run, as clearly you can't trust legitimate sites all of the time."
I couldn't have said it better myself.
And that, my friends, is why antivirus software is a must.
Even huge companies like Sony have suffered major break-ins in recent months (Sony's entire PlayStation Network (PSN) was taken down for weeks as a result), so even when you're downloading software from a known, trusted source, who's to say their servers haven't been compromised?