Android Malware, Adobe Exploits, Spam Volume & More in the McAfee Quarterly Threat Report

In their most recent McAfee Threats Report, antivirus & security software vendor McAfee covers a lot of ground in the malware arena.

Here are the highlights:
  1. Android is now the most highly targeted platform for mobile / smartphone malware.
  2. More successful legal actions are being taken against cybercriminals
  3. 22% increase in malware samples over 2010
  4. On pace for 75 million malware samples by the end of 2011
  5. Fake antivirus software continuing to grow
  6. 38% increase in rootkits (stealth malware) over 2010
  7. Adobe outpaced Microsoft for security exploits in their software (Acrobat, Acrobat Reader, etc.)
  8. After a brief up-tick, spam is again declining
  9. Over 7,000 new malicious websites per day
  10. Over 2,700 new phishing websites per day
What are the takeaways from it?

  1. Smartphone viruses are here, they're real, and they're growing.
  2. It isn't just a matter of keeping your OS updated. You've got to update all the software on your system regularly. Adobe Acrobat/Reader is proving that.
  3. Antivirus software is a must.


Best Web Browser for Blocking Malicious Content?


Fans of Internet Explorer, rejoice!

Well, sort of.

NSS Labs, one of the top independent security research labs in the world, just put each of the top web browsers for Microsoft Windows PCs on their test bench to see how they fared against socially engineered malware.

Long lambasted for being insecure and weak in its ability to thwart malware, Internet Explorer actually landed at the front of the pack in this particular test, which pitted it against Chrome 12, Safari 5, Firefox 4 and Opera 11.

Their report, "Web Browser Security, Socially Engineered Malware Protection," looked specifically at social engineering malware (SEM) attacks, which

...remains the most common security threat facing Internet users today.

"Recent studies show that users are four times more likely to be tricked into downloading malware than be compromised by an exploit.

How much better did IE fare? At the risk of editorializing, it was an absolute landslide. (Politicians dream of this kind of lopsided victory.)

Effectiveness of Top Web Browsers at Blocking Social Engineering Malware Attacks

  Web Browser                      Malware Blocking Efficacy
  Microsoft Internet Explorer 9    99.2%*
  Google Chrome 12                 13.2%
  Apple Safari 5                    7.6%
  Mozilla Firefox 4                 7.6%
  Opera 11                          6.1%

  * With both URL and Application Reputation enabled during testing, which provided 96% and 3.2% of the protection respectively.

Now for the one caveat: this only measured how well each browser blocked social engineering malware; it didn't test the browsers' ability (or likelihood) to be attacked through a security exploit.

What does that mean?

For starters, it means stopping viruses and other malware isn't as easy as running one web browser vs. another.

While Internet Explorer 9 might do very well at blocking social engineering malware, other browsers have historically done significantly better at stopping attacks that come through security exploits.

So, what's the best, most secure web browser?

There's no simple answer. I'd really encourage you to take a close look at the NSS Web Browser Security Report.

Another thing not covered is the effectiveness of antivirus software at blocking these types of threats.

In our tests, the products with the best malicious website filtering consistently added protection above and beyond what the web browsers themselves provided.


Keep Malware on Your PC, Get Jailed?!

In what sounds too hard to believe to be true, Japanese police have arrested their first suspect under the controversial Japanese anti-malware law.
The revised Penal Code... bans storage of a computer virus for the purpose of infecting other computers. Violators can be sentenced to a maximum of two years in prison or fined up to 300,000 yen.
Now, let's think this through here.

There are really four types of people that fall into this category:
  1. malware writers
  2. malware distributors
  3. malware researchers
  4. malware infected
Clearly, those folks who fall into the first two categories are up to no good, but what about those of us who fall into the third category, legitimate researchers?

And, what about the average individual or business owner whose computer(s) have been infected by a virus or other malware and are now infecting others without their knowledge?

I'm not talking about someone claiming they had no knowledge of something when in fact they did; nor am I talking about someone who's claiming ignorance of the law.

I'm talking about someone like your brother, sister, uncle, aunt, father, mother... like YOU. Your computer is infected, and you don't know it. Now your PC is infecting other people's PCs.

Where does someone like this end up in the eyes of the law?

For those of you out there who're smugly thinking, "Pffft... I'd know if my computer were infected. Pfft... These people are stupid."

You sure about that, smart guy? So sure you're willing to bet the next two or three years of your life on it? Literally?

As for researchers like us, we here, obviously, store malware explicitly for the purpose of infecting other computers. Granted, in our case it's only our own computers we're infecting, but regardless, this law really seems like good intent that's terribly misplaced, and its provisions look extremely easy to get around for someone who's arrested under them.

Here are several possible scenarios, all of which start with, "Yes, your honor, I did have this malware on my computer, and..."
  • "...I've been trying to get rid of it, and it keeps coming back."
  • "...I didn't even know it was there."
  • "...many people use my computer. It could belong to any number of people; it certainly wasn't mine."
  • "...I'm an antivirus researcher. How else do I do my job without real viruses on my computer?"
How stiff are the penalties?

According to a piece at TheNextWeb on the Japanese antivirus legislation,
the legislation makes the creation or distribution of a computer virus without a reasonable cause punishable by up to three years in prison or 500,000 yen in fines, and the acquisition or storage of one punishable by up to two years in prison or 300,000 yen in fines.
Create or distribute a virus: 3 years or 500,000 yen (about $6,500 USD).
Store a virus: 2 years or 300,000 yen (about $4,000 USD).

There are so many things wrong with this law I don't know where to begin.

So many people who've had their computers infected by malware--particularly a worm or trojan spambot--may be infecting other computers without their knowledge.

And, what about those people who aren't running antivirus software when their PCs get infected?

What about someone who knows their PC is infected but can't get rid of the infection while it goes on infecting other PCs on its own?

Rationally, we may say to ourselves, "Oh, but c'mon, they can't be jailed for that!"

Would you be willing to stake the next two or three years of your life on that assumption?


U.S. Official: Pre-infected Computer Technology Entering the Country

For those of us knee-deep in the antivirus and anti-malware arenas, I'm sad to say this isn't a surprise, but that doesn't mean it doesn't make me mad.

In hearings before the House Oversight and Government Reform Committee, Greg Schaffer, Acting Deputy Undersecretary for National Protection and Programs at the Department of Homeland Security, was grilled on what's going on and what's being done about it.

One Representative, Jason Chaffetz (R-Utah) said,
...the issue of software infrastructure (and) hardware built overseas with items embedded in them already by the time they get to the United States... poses, obviously, security and intellectual property risks.

"A, is this happening, Mr. Schaffer? And, B, what are we going to do to fight back against this...

"Are you aware of any component software (or) hardware coming to the United States of America that already have security risks embedded into those components?
The answer:
I am aware that there have been instances where that has happened.
In the hearing video, the good stuff starts around 52:00.

What do we do about it as consumers?

Clearly, this is a case where you can't expect a government--not just the U.S., but any government in the world--to ever be able to police this. Ever.

It's categorically impossible.

The onus is on y-o-u.

What you can and should do is protect your PC and the information on it as best you can. Hardware firewalls and routers can be great, but they're only part of the picture.

A software firewall and modern, up-to-date antivirus software are another huge part of it. Nothing is perfect, and no antivirus software will catch every piece of malware under the sun; however, the best antivirus software does at least give you a fighting chance.

Whether it's digital picture frames, USB-based battery chargers, or hardware routers, there are definitely several well-documented cases of hardware entering the U.S. and other countries with different types of viruses or other malware.

Here's an MSN link with a bit more info on the pre-infected computer technology.


Fake Security Software Scammers Nabbed by FBI

By now most of us have seen the scareware, fake antivirus software (like MacDefender), and other scams that play on people's fears.

In nearly all cases, the ads look like legitimate error messages from our computers; in one case it was a fake "hard drive failing" ad made to look like a real error message from Windows.


Whatever the case, and whatever they look like, there will be a few fewer of them now: in no fewer than twelve countries (including the U.S. and the U.K.), the FBI and local law enforcement have raided and shut down one of these malware/scareware gangs.

The BBC has some details of the FBI raid on fake security software gang, but the FBI's own press release has even better info on how they disrupted international cyber crime rings distributing scareware.

Here are some of the best details,
The first of the international criminal groups disrupted by Operation Trident Tribunal infected hundreds of thousands of computers [emphasis mine] with scareware and sold more than $72 million of the fake antivirus product over a period of three years.

"The scareware scheme used a variety of ruses to trick consumers into infecting their computers with the malicious scareware products, including web pages featuring fake computer scans.

"Once the scareware was downloaded, victims were notified that their computers were infected with a range of malicious software, such as viruses and Trojans and badgered into purchasing the fake antivirus software to resolve the non-existent problem at a cost of up to $129.

"An estimated 960,000 users were victimized by this scareware scheme, leading to $72 million in actual losses.

"Latvian authorities also executed seizure warrants for at least five bank accounts that were alleged to have been used to funnel profits to the scam’s leadership.
The most important part of this quote is: "The scareware scheme used a variety of ruses to trick consumers into infecting their computers with the malicious scareware products, including web pages featuring fake computer scans."

Which means the bottom line is that this is not a case where a worm or virus is spreading itself onto people's computers.

Instead this is an old-school con job. Plain and simple.

And, they were good at it, too, given that nearly a million people fell for it.

This type of malware is very difficult for regular antivirus software to stop, because the victim is the one who installs it, but it is one place where Internet Security Suites and "Premium" versions can offer an advantage.

The ISS/Premium versions typically include malicious website filtering/blocking, so if you try to go to one of the malware sites while running an Internet Security Suite, the suite can often block the page before someone gets the chance to trick you into installing scamware on your PC.

No, website filters aren't perfect, but between the website filtering in an ISS and your web browser--assuming you're using a good, modern browser and its malicious site filters are turned on--you do at least stand a fighting chance.


Android Smartphone Malware Detected by F-Secure

Let me start by saying, "You heard it here first: the bad guys are going to start targeting smartphones/cell phones in a big way soon--probably within the next 6-12 months."

That said, this one doesn't fall into that category because you do get a warning from the Droid phone telling you what it's going to do.

Thanks to F-Secure for posting the original pic of this malware in action.

So, if you see a warning message like this, and you still click "Install," you can't really fault your phone. It's just doing what you told it to do.

And would smartphone antivirus software have stopped it?

(In the case of F-Secure's "Mobile Security," they claim it does in their piece on the Droid Malware.)

Now let's ask the real question here: if you get this malware on your phone, who's to blame?

  A) The user, for installing it, or
  B) The cell phone manufacturer, for allowing any program to do these types of actions?

MacShield the Same (Trojan) Horse by a Different Name

MacDefender is now showing up under yet another name, "MacShield."

Not much else to say. It's as bogus as ever, and this brings the total number of aliases it goes by to five:

  • MacDefender
  • MacProtector
  • MacSecurity
  • MacGuard
  • MacShield

Just more crapware to keep an eye out for. We'd love to hear from anyone who has spotted these things in the wild so we can do proper investigation on them.

We're specifically looking for more screenshots of the ads of these things and also of what websites we can download them from.

So far it looks like the same-old-same-old:


MacDefender Screenshots... So Here's What it Looks Like

Joel Esler, one of the members of the Snort.org project, has excellent coverage of MacDefender and its variants. It's from May, but I just came across it today, and it's so good it's worth sharing.

There have been a couple of different variations on the infection method MacDefender uses, which I've shown in previous blogs on MacDefender removal and on MacDefender spreading on Facebook.

Joel's wrap-up to the piece is great and worth reading. To paraphrase:
  1. Buy software from reputable places you already go to.
  2. Buying software from a popup window just isn't smart.
  3. Educate yourself on what's out there and how to tell the real thing from a scam.
Think the last one is hard? Consider this:

If you were walking down the Las Vegas strip, you'd know a conman from a mile away! When some huckster approaches you with his wares, you get leery--you know better than to deal with them.


You've educated yourself.


[Alert] Apple Mac / OSX Security Preferences Bug May Leave System Exposed

One of the steps Apple is taking to thwart MacDefender and other viruses and malware on its systems is a new item in the 'System Preferences / Security' preference pane.

This option, "Automatically update safe downloads list," was one of the key components of the last Apple security update, which was covered in a prior blog on MacDefender removal.

What does it do?

[Screenshot: OSX 10.6.7 Security Preference Pane (General tab)]

This checkbox tells your Mac to check in with Apple's servers daily (and when you reboot) and look for new malware definitions. (Sounds a bit like Apple is building its own antivirus software into OSX, doesn't it?)

(Un)fortunately, the folks at Mac antivirus maker Intego have discovered a bug in this setting, and although it sounds minor, it could leave your system exposed. Here's the scoop, according to Intego's discussion of the Security Preferences pane bug:

...if you open the Security preference pane, unlock it, and wait for more than 30 seconds, any changes you make to this setting will not stick.

"Do the above, quit System Preferences, then open the Security preference pane and you will see that the setting will be as it had before your last change.

I did exactly as described on one of our test PCs and personally confirmed this bug exists.

This isn't great, especially given the recent battle Apple and the MacDefender creators have been having, but at least it's easy to check on and easy to fix.

Now, given that we're all solutions-oriented geeks here, the first two questions I had, as with any antivirus software / definitions update mechanism, were:

  1. How can I tell when the last time was that OSX updated its malware detection signatures?
  2. How can I force it to manually update if the signatures are old and out-of-date?

Turns out, it's a piece of cake...

Here's how to tell when your OSX malware definitions were updated:

  1. Open Terminal (Finder > Applications > Utilities > Terminal)
  2. type this:
    more /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist

Here's what I saw when I ran it:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>LastModification</key>
    <string>Thu, 26 May 2011 02:24:41 GMT</string>
    <key>Version</key>
    <integer>1</integer>
</dict>
</plist>

Looking closely at the text above, you can see:

<key>LastModification</key><string>Thu, 26 May 2011 02:24:41 GMT</string>

This is the key to everything here, as it shows how current your definitions are.

As of the writing of this piece, this is the most current update available. (Hat tip to Lex Friedman and Macworld for being one of the first of many places to cover checking and forcing OSX to update its malware definitions.)

So now, how do you force it to run if the definitions aren't current?

  1. Click: Apple > System Preferences > Security
  2. Uncheck then re-check "Automatically update safe downloads list"

Just be sure you close the Preferences pane in under 30 seconds, or, as Intego discovered, the settings aren't saved.

What controls the OSX anti-malware updates?

In case you're curious, the new Mac anti-malware updater is, as I just learned from a blog on XProtectUpdater, "...controlled by an executable by the name of XProtectUpdater. It's located in /usr/libexec/XProtectUpdater."
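As an added example (my own script, not code from the original post, from Apple, or from any of the blogs mentioned), here is a small POSIX shell script that automates the check above: it reads XProtect.meta.plist when it is present, otherwise falls back to a constructed copy of the plist shown above, extracts LastModification and Version, and reports how many days old the definitions are. The date arithmetic is done in plain shell integer math so the same script runs on a Mac and on a Linux box. One assumption is mine, not the page's: that running /usr/libexec/XProtectUpdater directly as root triggers an immediate definitions check (the page only gives the executable's location).

```shell
#!/bin/sh
# Added example: report how current the XProtect definitions are.
# Reads the real plist when present; otherwise uses a constructed copy of the
# plist shown above so the script can be exercised on any machine.

XPROTECT_META="/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist"

# Constructed sample: same content as the XProtect.meta.plist quoted above.
SAMPLE_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>LastModification</key>
  <string>Thu, 26 May 2011 02:24:41 GMT</string>
  <key>Version</key>
  <integer>1</integer>
</dict>
</plist>'

# plist_value PLIST_TEXT KEY ELEMENT: print the <ELEMENT> value following <key>KEY</key>.
# Newlines are stripped first so one-line and multi-line plists parse the same way.
plist_value() {
  printf '%s' "$1" | tr -d '\n' \
    | sed -n "s/.*<key>$2<\/key>[[:space:]]*<$3>\([^<]*\)<\/$3>.*/\1/p"
}

month_num() {
  case "$1" in
    Jan) echo 1 ;; Feb) echo 2 ;;  Mar) echo 3 ;;  Apr) echo 4 ;;
    May) echo 5 ;; Jun) echo 6 ;;  Jul) echo 7 ;;  Aug) echo 8 ;;
    Sep) echo 9 ;; Oct) echo 10 ;; Nov) echo 11 ;; Dec) echo 12 ;;
    *) echo 0 ;;
  esac
}

# days_from_civil YEAR MONTH DAY: days since 1970-01-01 (proleptic Gregorian),
# in integer arithmetic so no GNU- or BSD-specific `date` flags are needed.
days_from_civil() {
  y=$1; m=$2; d=$3
  if [ "$m" -le 2 ]; then y=$((y - 1)); fi
  era=$((y / 400))
  yoe=$((y - era * 400))
  if [ "$m" -gt 2 ]; then mp=$((m - 3)); else mp=$((m + 9)); fi
  doy=$(((153 * mp + 2) / 5 + d - 1))
  doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
  echo $((era * 146097 + doe - 719468))
}

# rfc1123_to_epoch "Thu, 26 May 2011 02:24:41 GMT": Unix time of an XProtect timestamp.
rfc1123_to_epoch() {
  set -- $(printf '%s' "$1" | tr ',:' '  ')   # -> Thu 26 May 2011 02 24 41 GMT
  day=${2#0}; mon=$(month_num "$3"); year=$4  # strip a leading zero: "02" -> "2"
  hh=${5#0}; mi=${6#0}; ss=${7#0}
  echo $(( $(days_from_civil "$year" "$mon" "$day") * 86400 + hh * 3600 + mi * 60 + ss ))
}

# definitions_age_days PLIST_TEXT [NOW_EPOCH]: whole days since LastModification.
definitions_age_days() {
  last=$(plist_value "$1" LastModification string)
  [ -n "$last" ] || { echo "no LastModification key found" >&2; return 1; }
  now=${2:-$(date +%s)}
  echo $(( (now - $(rfc1123_to_epoch "$last")) / 86400 ))
}

# xprotect_report [MAX_DAYS]: print the definition status; return 2 if older than MAX_DAYS.
xprotect_report() {
  max=${1:-7}
  if [ -r "$XPROTECT_META" ]; then
    plist=$(cat "$XPROTECT_META"); src=$XPROTECT_META
  else
    plist=$SAMPLE_PLIST; src="constructed sample (real plist not found)"
  fi
  age=$(definitions_age_days "$plist") || return 1
  printf 'Source: %s\nLastModification: %s\nVersion: %s\nAge: %s day(s)\n' \
    "$src" "$(plist_value "$plist" LastModification string)" \
    "$(plist_value "$plist" Version integer)" "$age"
  if [ "$age" -gt "$max" ]; then
    echo "WARNING: definitions older than $max days. Toggle 'Automatically update safe" \
         "downloads list' and close the pane within 30 seconds, or run: $0 force"
    return 2
  fi
}

# Assumption (not stated on the page, which only gives the path): running the
# updater directly as root triggers an immediate definitions check.
xprotect_force_update() {
  [ -x /usr/libexec/XProtectUpdater ] || { echo "XProtectUpdater not found" >&2; return 1; }
  sudo /usr/libexec/XProtectUpdater
}

case "${1:-}" in
  report) xprotect_report "${2:-7}" ;;
  force)  xprotect_force_update ;;
esac
```

Run it as `sh xprotect_age.sh report 7`; it exits 2 when the definitions are more than a week old, which makes it easy to drop into a cron job that nags you before the Security pane bug quietly leaves you stale.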

So, the bottom line is, there's a bug in the Security Preferences. If you follow the steps above, it's easy to check if you're current or not, and if you're not, it's easy to fix.

Just make sure your settings are correct and that your Mac antimalware definitions are current.


Apple's MacDefender Tool: Quickly Circumvented, Now Regains Upper Hand

The ongoing battle between the OSX anti-malware team and the MacDefender malware creators has taken some interesting turns this week.

Apparently about eight hours after the anti-MacDefender update (which I talked about in yesterday's blog on MacDefender removal) was released, the bad guys regained the upper hand.

CNet has some great coverage by Topher Kessler who says,

Let the cat and mouse games commence.

"Less than a day after Apple tackled the malware threats in OS X with an updated implementation of its malware detection technologies, the MacDefender malware developers have issued another variant that bypasses Apple's definitions to root out and remove the malware.


Then, earlier today (June 6, 2011), there was this update from CNet:

The cat is back in the lead.

"Apple has updated Snow Leopard's XProtect yet again to tackle the new variant, and did so in less than a day after the original update was circumvented.

"Apple is taking a very active approach to prevent this malware from being a problem for people.

Apple definitely took a bit of a pounding publicly after taking so long to respond to the MacDefender threat initially. Now, though, it looks like they're willing to take on the Mac malware creators head-on.

Regardless of how effective this strategy is long term, every step they take now will make things more secure and close more and more holes in their operating system.

And, for that Mac owners should be grateful.

Does it eliminate the need for mac antivirus software?

I don't believe so.

It's clear Windows malware is lucrative--very lucrative--or else Windows malware writers would've given up long ago.

And, what the MacDefender creators appear to have shown is that Apple's OS X, while good, does have holes. How hard they are to find, how far the bad guys will go to find them, and how lucrative it is for them to do so all remain to be seen.

The question is: Will Apple's virus situation become as bad as it is on Windows?