06/02/2011

Apple Releases MacDefender Removal & Prevention Tools

Although it took longer than most Mac users would like, Apple finally released a security update designed to remove (and thwart installation of) MacDefender and its similarly named brethren.

Getting the update is a cinch, even if you're unfamiliar with OSX. Here's how:

  1. Click the Apple logo and choose "Software Update"

    You'll then see a window pop up identical to this one:

  2. Click "Show Details" (alternatively, you can skip ahead and just choose "Install" as shown here)

  3. If you choose "Show Details", you'll want to look for "Security Update 2011-003" as shown here:

    After which you'll want to click "Install [number] item(s)"
    Once you have, you'll see:

    Followed by a confirmation that the update was installed...

    Followed by one last check to ensure there aren't any more updates...
    And finally, you'll get a confirmation that your software is up-to-date.

Now what?

OK, so you've installed the MacDefender Removal & Prevention tool.

How do you know if you've got the malware? And, how do you know if it was removed?

Here are some more screenshots to help you see what OSX is supposed to do now that the MacDefender Removal/Prevention tool is installed.

First of all, let's talk about what you'll see if your Mac has been infected with MacDefender.


Let's be honest, if you see that error message appear, there shouldn't be any confusion, right?

You'll notice the only option here is to hit "OK." There's no other option to get tricked into clicking, and you'll also note that the OS detected and removed the malware on its own.

In other words, there was nothing to buy and nothing to run. It just worked. Great.

MacDefender Prevention

Whether or not you've been infected, the next thing to be on the lookout for is what the warning looks like, so you don't get hit with this thing in the first place.

If you do accidentally download the file, you should expect to see this warning:


Interestingly, Apple chose to leave "Open" as one of the possible options. This is great for those of us in the antivirus field, and as crazy as it may seem, some people will click "Open" instead of "Move to Trash."

Sometimes it's accidental. Sometimes it's intimidation about doing the wrong thing. Sometimes it's just clicking away at things hoping to make boxes like this go away. And, sometimes it's outright stupidity.

It happens. We're only human.

So, the last tidbit of insight I can shed on things here is this: Make sure your "Automatically update safe downloads list" is checked as shown here.


You can find it under "Apple > System Preferences > Security > General."


[Editor's Note: Alternatively, you can also download the update that removes MacDefender from Apple and install it manually.]

05/29/2011

Just How Prevalent are Viruses?

One of the questions we're most often asked is,

C'mon... do I really need antivirus software? Doesn't it just slow your PC down anyway?

Our answer? "Yes, and no, not really1."

It turns out the need may be even more acute than we believed. According to a Computerworld piece, "New malware scanner finds 5% of Windows PCs infected," one in every 20 Windows PCs whose users turned to Microsoft for cleanup help was infected with malware. That's according to Microsoft's own data from its Microsoft Safety Scanner.

Yowza.

Here's the first kicker: that only counts the number of folks who used the Microsoft tool, and doesn't count those who:

  1. downloaded the tool on one PC and removed malware from a second (or third or other) computer
  2. took their computer to Best Buy or their local PC repair shop
  3. had their geek niece/nephew/neighbor fix their computer
  4. used search engines to repair their PC on their own
  5. installed antivirus software on their own
  6. gave up and purchased a new PC

Here are a couple of other interesting tidbits from the Computer World article,

On average, each of the infected PCs hosted 3.5 threats, which Microsoft defined as either actual malware or clues that a successful attack had been launched against the machine.

This is almost as interesting to me as the 1-in-20 stat. What this seems to show is that when you run your PC without antivirus software, chances are when it gets hit, it gets really hit.

Why?

Certainly some portion of those may be multiple infections arising from the same initial infection, but many are likely infections that happened at different times and perhaps even via different infection techniques.

This means when you lack protection, it's not that you get infected once, and you're done. On the contrary. Having one virus doesn't mean you can't get more. In fact, you'll probably have three-and-a-half.

Another important tidbit: the majority of the infections came via Java exploits, interesting most of all because they

Given that we ourselves test every product we review with live viruses and all sorts of other malware, we know that no antivirus software is perfect. The bottom line, though, is that antivirus software does give you a significant advantage and helps keep your PC protected and virus free.


1 Yes, crappy antivirus software slows your machine down. Definitely. The best antivirus software doesn't.

05/25/2011

Mac Defender 2.0... Malware Creator Responds to Apple Update

Apple may've taken a lot longer than anyone would have liked to respond to the Mac Defender fake antivirus malware, but the malware's author(s) haven't.

In fact, on the heels of Apple's announcement, the Mac Defender creator has already fired another salvo back across Apple's bow.

The latest?

According to Intego, a Mac-centric antivirus firm, the latest version, dubbed "Mac Guard," has upped the ante and made stopping it all the harder.

For starters, Intego says in their blog post on Mac Defender,

Intego today discovered a new variant of this malware that functions slightly differently. It comes in two parts.

"The first part is a downloader, a tool that, after installation, downloads a payload from a web server.

"As with the Mac Defender malware variants, this installation package, called avSetup.pkg, is downloaded automatically when a user visits a specially crafted web site.

 

Yikes. Auto-download? That sounds a lot like Windows malware to me.

And, here's where it gets really ugly.

Apple, in their infinite wisdom, has Safari, the default browser on the Mac, in its default configuration, automatically open so-called "safe" files after downloading.

Translation: it downloads on its own and then opens itself for you... all by itself! Yay! Before you know it, and without your asking for it, the standard, friendly-looking Mac installer is in front of you. All on its own.



What next? All you have to do is click 'Continue' and so on as you normally would, and poof! your machine is infected.

The thing is, a lot of people won't know any different. All they see is the friendly-looking installer (that can't be harmful, right??), and a 'Continue' button.

What do they do? Click 'Continue,' of course!

What's more, according to Intego, "Unlike the previous variants of this fake antivirus, no administrator's password is required to install this program." [Editor's note: emphasis theirs.]

This whole Mac Defender/Protector/Security/Guard trojan malware is causing more than a little buzz, including a piece on Mac Guard on ZDNet.

In the article, author Ed Bott [Editor's Note: Botts... an apropos name for someone in Internet security] says,

Apple appears to be treating this outbreak as if it were a single incident that won’t be repeated. They seriously underestimate the bad guys, who are not idiots.

"Peter James, an Intego spokesperson, told me his company’s analysts were 'impressed by the quality of the original version.'

"The quick response to Apple’s move suggests they are capable of churning out new releases at Internet speeds, adapting their software and their tactics as their target—Apple—tries to put up new roadblocks.

 

That about sums up our take on things here, too. Seriously, Apple, these were a couple of real missteps on your part. First the long delay.

Then the craptastic response. C'mon. How 'bout disabling the inane "Automatically open 'safe' files" option? That's not really a sensible default, is it?

That's the best the company that makes innovative products like the iMacs, iPhones, iTunes, iPods, and iPads can do?

Maybe this is going to be a long road after all.
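To make that setting concrete, here is an added example (ours, not Apple's or Intego's code) that audits Safari's preferences for the auto-open option and produces a hardened copy. It assumes the option is stored in com.apple.Safari.plist under the key AutoOpenSafeDownloads (the key that `defaults read com.apple.Safari AutoOpenSafeDownloads` shows; both the key name and the file location are assumptions on our part) and that a missing key means Apple's default, i.e. enabled. The sample preference sets are constructed, not taken from a real Mac.

```python
"""Audit and harden Safari's "open 'safe' files after downloading" setting.

Added example, not code from the original post, Apple or Intego. It
assumes (our assumption) that the setting lives in com.apple.Safari.plist
under the key AutoOpenSafeDownloads and that a missing key means the
Apple default, which the post says is "on".
"""
import plistlib
from pathlib import Path

KEY = "AutoOpenSafeDownloads"  # assumed preference key
DEFAULT_ENABLED = True         # the post: Safari auto-opens "safe" files by default


def auto_open_enabled(plist_bytes: bytes) -> bool:
    """Return True when Safari would auto-open downloaded 'safe' files.

    A missing key means the default applies, which is the dangerous case:
    a hardening check must not treat 'absent' as 'disabled'.
    """
    prefs = plistlib.loads(plist_bytes)
    return bool(prefs.get(KEY, DEFAULT_ENABLED))


def harden(plist_bytes: bytes) -> bytes:
    """Return a copy of the preferences with auto-open explicitly disabled."""
    prefs = plistlib.loads(plist_bytes)
    prefs[KEY] = False
    return plistlib.dumps(prefs, fmt=plistlib.FMT_BINARY)


def audit_file(path: Path) -> bool:
    """Audit a real preferences file; True means the weak default is in effect."""
    return auto_open_enabled(path.read_bytes())


# Constructed sample preference sets (not captured from a real Mac).
FRESH_INSTALL = plistlib.dumps({"HomePage": "https://www.apple.com/"})  # key absent
EXPLICITLY_ON = plistlib.dumps({KEY: True})
EXPLICITLY_OFF = plistlib.dumps({KEY: False})

if __name__ == "__main__":
    for name, blob in [("fresh", FRESH_INSTALL), ("on", EXPLICITLY_ON), ("off", EXPLICITLY_OFF)]:
        state = "ENABLED" if auto_open_enabled(blob) else "disabled"
        print(f"{name:>5}: auto-open {state}")
    print("fresh install after harden():", auto_open_enabled(harden(FRESH_INSTALL)))
```

The point of the absent-key case: an audit that only looks for an explicit AutoOpenSafeDownloads = true will report a fresh install as safe when it is not. On a real machine, point audit_file at the plist under ~/Library/Preferences (assumed location) and quit Safari before writing a hardened copy back, since a running Safari may overwrite the file.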


[N.B. The original Apple announcement on Removing Mac Defender, which we discussed in an earlier blog about Mac Defender, mentioned two steps Apple was taking to combat Mac Defender. They were going to be:

  1. releasing a Mac Defender remover as part of their next update and
  2. having OSX do some sort of realtime intervention if you tried to install the malware.]

05/24/2011

Mac Malware Removal: No Help from Apple Support

Even though our focus (at least for now) is on Windows antivirus software and malware removal, we've had a few people contact us asking about the malware known as Mac Defender1 (previously discussed in our blog on Mac antivirus software).

Here's the short version: it does not automatically install itself onto your Mac. It does require you to manually install it to be infected. And, the main way it's getting installed is when people are tricked into installing it.

How do you get rid of it?

Well, apparently, even though it's not that hard, you can't turn to Apple Support for help, as according to ZDNet there's No Help from Apple Support Reps Removing Mac Defender, although there is now an official Apple help article on Removing Mac Defender.

Although we've not tested the removal steps ourselves, given that the removal instructions come from Apple itself, you can be sure they work and are legit.

And, yes, all the top Mac antivirus software is already detecting and removing the malware.


1 MacDefender is also known as MacSecurity or MacProtector.

05/20/2011

Is That Your Hard Drive Failing? Nope, It's Probably Malware

If you've never experienced a real-life hard drive failure consider yourself lucky. And warned.

It's only a matter of time before yours goes south. In my case, being a geek both in my personal and business lives for many years now, I've had more hard drives fail than I can count.

Even if you've got good backup software (and you're sure the backups restore properly), the restoration process is always painful and more time consuming than you expect. If you don't have backups, well, well... you may just be screwed.

Sure, there's special hard drive recovery software that can often be brought in to save the day and there are hard drive recovery services, too, although these services can carry a staggeringly hefty price if you have a lot of data to recover, a complex RAID hard drive setup, and/or an especially tricky drive crash.

No matter what, no one, except those folks in the data recovery business like hard drive failures.

It's this fear of data loss that's motivating the latest malware writers to do their thing and create craptastic software no one needs--and certainly no one wants.

Our friends at Symantec, makers of Norton Antivirus software, have spotted something new: malware that fakes hard drive failure. How icky is that?

In this particular case, the malware, which Symantec is calling "Trojan.Fakefrag," is, they say, essentially a wrapper around UltraDefragger.

How do you know if you've been infected? Here's what Symantec says to look for:

  1. It moves all the files in the "All Users" folder to a temporary location and hides files in the "Current User" folder. This makes it look like you have lost all the files on your desktop.
  2. It stops you from changing your background image.
  3. It disables the Task Manager.
  4. It sets both the "HideIcons" and "Superhidden" registry entries to give the impression that more icons have been deleted.

Wow. Just about anyone experiencing these things would probably think their hard drive was failing, too.
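For anyone who wants to check a machine against those indicators rather than eyeball the desktop, here is an added example in Python (ours, not Symantec's code). It scores a snapshot of four HKCU registry values: HideIcons and SuperHidden under Explorer\Advanced (the two names Symantec gives), plus DisableTaskMgr and NoChangingWallPaper, which are the standard policy values for disabling Task Manager and locking the wallpaper and are our assumption about how the trojan achieves items 2 and 3. The "tampered" values, the scoring thresholds and the sample snapshots are also ours.

```python
"""Score a Windows user profile for the Trojan.Fakefrag indicators quoted above.

Added example, not from the original post or from Symantec. The registry
paths are the standard Explorer/policy locations for these value names,
the tampered values are our assumption, and the thresholds are our choice.
"""
import sys
from typing import Dict, List, Tuple

# (HKCU-relative key, value name, value that indicates tampering)
INDICATORS: List[Tuple[str, str, int]] = [
    (r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "HideIcons", 1),
    (r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "SuperHidden", 0),
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", 1),
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop", "NoChangingWallPaper", 1),
]

Snapshot = Dict[Tuple[str, str], int]  # {(key, value name): data}


def score_snapshot(snapshot: Snapshot) -> Tuple[int, List[str]]:
    """Return (number of indicators hit, human-readable hits) for a snapshot.

    A missing value is treated as 'not set', the Windows default for all
    four, and therefore not an indicator.
    """
    hits = []
    for key, name, bad in INDICATORS:
        if snapshot.get((key, name)) == bad:
            hits.append(f"HKCU\\{key}\\{name} = {bad}")
    return len(hits), hits


def verdict(snapshot: Snapshot) -> str:
    """Three or more hits is the full pattern; a single hit may be legitimate policy."""
    n, _ = score_snapshot(snapshot)
    if n >= 3:
        return "likely Fakefrag-style tampering"
    if n >= 1:
        return "suspicious, verify manually"
    return "clean"


def read_live_snapshot() -> Snapshot:
    """Read the same values from HKCU on a Windows host (empty elsewhere)."""
    snapshot: Snapshot = {}
    if sys.platform != "win32":
        return snapshot
    import winreg  # Windows-only module
    for key, name, _ in INDICATORS:
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key) as handle:
                data, _kind = winreg.QueryValueEx(handle, name)
                snapshot[(key, name)] = int(data)
        except OSError:
            pass  # key or value absent: default in effect
    return snapshot


# Constructed snapshots (not captured from a real infection).
INFECTED: Snapshot = {
    (INDICATORS[0][0], "HideIcons"): 1,
    (INDICATORS[1][0], "SuperHidden"): 0,
    (INDICATORS[2][0], "DisableTaskMgr"): 1,
    (INDICATORS[3][0], "NoChangingWallPaper"): 1,
}
CORPORATE_POLICY: Snapshot = {(INDICATORS[3][0], "NoChangingWallPaper"): 1}
CLEAN: Snapshot = {(INDICATORS[1][0], "SuperHidden"): 1}  # user chose to show system files

if __name__ == "__main__":
    for label, snap in [("infected", INFECTED), ("policy", CORPORATE_POLICY), ("clean", CLEAN)]:
        print(f"{label:>9}: {verdict(snap)} {score_snapshot(snap)[1]}")
    print("this host:", verdict(read_live_snapshot()))
```

Run it as the affected user, since the values live under HKCU. A single hit gets a "verify manually" verdict on purpose: a locked wallpaper or a disabled Task Manager on its own is a common corporate policy, while all four together is the pattern Symantec describes.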

What next? Again quoting the Symantec researchers,

It then "helpfully" displays a message recommending that you run a diagnostic utility on your computer, launches the Windows Recovery misleading application, and adds a link to it on both your desktop and the start menu.

"The misleading application finishes the job, hoping that the victim will pull out their credit card for the $79.50 price tag.

So what's it look like?

Thankfully, they included a screenshot:

If you see this on your PC, and you're running antivirus software already, make sure your antivirus definitions are updated and run a full system scan immediately.

If you're not, now's a good time to take a look at getting some. It's cheaper than the malware's $79.50 price to "fix" your PC, and you'll actually be getting something for your money.

04/16/2011

DOJ and FBI flex muscles: Takedown of international botnet

Paul Roberts from Threat Post brings news in the battle against botnets: The Coreflood Trojan botnet takedown.

The U.S. Department of Justice stated Wednesday that they'd taken steps to disable an international botnet of over 2 million infected PCs. What's significant about this botnet is that it was stealing corporate data including user names and passwords and other financial data.

According to a statement from the U.S. Attorney's Office for the District of Connecticut, thirteen defendants were charged in a civil complaint, and a total of 29 domain names used by the malware--code-named "Coreflood"--to communicate with its command and control servers were seized.

The Coreflood malware is believed to have originated in Russia and has been active for ten years, which is staggering in and of itself. The DOJ said it had obtained a temporary restraining order allowing it to disable the malware.

This crackdown is considered to be one of the largest actions taken by U.S. law enforcement against an international botnet Trojan. In the past year, a similar botnet takedown was driven by the private sector (Microsoft and FireEye).

[Editor's Note: See our prior post: Microsoft Working to Take Down Win32/Rustock Botnet. This crackdown against the "coreflood" malware and command and control servers mirrored the efforts by Dutch authorities that disabled Bredolab botnet back in October.]

According to the U.S. Attorney's office, five command and control servers were halted, plus the 29 domain name sites that communicated to these C&C servers.

The government replaced the C&C servers with substitute servers to prevent Coreflood from causing further injury to the owners and users of infected computers and other third parties. While the infected machines were not disinfected of the malware, of course, the hope is that security software providers will develop tools to remove the coreflood malware and that victims will update their antivirus definitions.

03/28/2011

Mozilla Firefox Takes Steps to Block Fraudulent SSL Security Certificates

Mozilla reported on March 22 that they were informed about the issuance of several fraudulent SSL certificates intended for public websites.

These were revoked by the issuer, which should protect most users. Mozilla has also patched Firefox versions 3.5, 3.6, and 4.0 to recognize and block these certificates, even though it is not a Firefox-specific issue.

The effect on users would be that, on a compromised network, they could be directed to sites using the fraudulent certificates and mistake them for legitimate sites. This in turn could be used to deceive users into revealing personal information like usernames and passwords, or into downloading malware they believe is coming from a trusted site.

Although current versions of Firefox are protected from this attack, Mozilla is still evaluating further actions to mitigate this issue.

The Comodo Group, Inc. (the certificate authority) first reported the issue.

A follow-up by Mozilla indicated that on March 15 a Registration Authority (RA) partner of Comodo Group, Inc.--the Certificate Authority--suffered an internal security breach, and the attacker used the RA's account with Comodo to get nine fraudulent certificates issued.

The domain names of the certificates were identified as:

  • addons.mozilla.org
  • login.live.com
  • mail.google.com
  • www.google.com
  • login.yahoo.com (x3)
  • login.skype.com
  • global trustee

The attack was discovered immediately by an internal Comodo check, and the certificates were revoked and the RA account suspended.

To date, Comodo reports that the only OCSP activity relating to these certificates has been two hits, one from the attacker's IP address and another from very close by, plus hits from testing by Comodo and the notified companies. This suggests the certificates have not been deployed in an attack, but an attacker who controls a victim's network could block the OCSP requests as well, so the absence of OCSP hits is not proof.

Comodo has identified the IP address as an ADSL connection originating from Iran. From the OCSP traffic mentioned, Mozilla thinks the attacker is aware the certificates have been revoked.

Mozilla does not believe there has been a root key compromise. However, an attacker armed with fraudulent certificates and an ability to control their victim's network could easily impersonate sites in a very inconspicuous way.

Risk mitigation actions implemented:

  1. Revocation of the certificates
  2. A hard-coded blacklist of the certificate serial numbers in Firefox, shipped in Firefox 4 RC2 and in two additional patch releases (for Firefox 3.5 and 3.6), all released on March 22.
  3. Mozilla released an announcement with some details of the problem.

Mozilla released the patch prior to publishing any announcement, out of concern that announcing first would tip off the attackers, who could then block the updates on networks they control.

Mozilla's security blog reported:

Mozilla recognizes that the obvious mitigation advice we might offer (to change Firefox’s security preferences to require a valid OCSP response in all cases, or to remove trust from Comodo’s certificates, or both) risked causing a significant portion of the legitimate web to break as well.

Additionally, neither we nor Comodo have found any evidence of access to their OCSP responder being blocked, either in Iran or anywhere else. We have also found no evidence of any other sort of attack.

In hindsight, while it was made in good faith, this was the wrong decision. We should have informed web users more quickly about the threat and the potential mitigations as well as their side-effects.
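To see why a hard-coded blocklist was worth shipping even though the certificates were already revoked, here is an added example (ours, not Mozilla's or Comodo's code) that models the three policy levers in play: the CA's OCSP responder, a client that either soft-fails or hard-fails when that responder is unreachable, and a built-in serial-number blocklist. The issuer name, serial numbers and the "network that blocks OCSP" are constructed for the demonstration; only the hostnames come from the post.

```python
"""Why Mozilla shipped a hard-coded serial-number blocklist on top of revocation.

Added example, not code from Mozilla or Comodo. It models the validation
policy choices the post discusses; the certificates, serial numbers and
the 'network' are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

CertId = Tuple[str, int]  # (issuer, serial number)


@dataclass(frozen=True)
class Cert:
    issuer: str
    serial: int
    subject: str  # hostname the certificate claims


class OcspResponder:
    """The CA's revocation oracle; reachable only if the network allows it."""

    def __init__(self, revoked: Set[CertId]):
        self.revoked = revoked

    def status(self, cert: Cert, network_blocks_ocsp: bool) -> Optional[str]:
        if network_blocks_ocsp:
            return None  # no answer: the client never learns it was revoked
        return "revoked" if (cert.issuer, cert.serial) in self.revoked else "good"


def validate(cert: Cert, responder: OcspResponder, *, network_blocks_ocsp: bool,
             require_ocsp: bool, blocklist: Set[CertId]) -> Tuple[bool, str]:
    """Return (accepted, reason) under one policy combination.

    require_ocsp=False is the soft-fail behaviour the post describes: an
    unreachable responder is treated as 'good'. The blocklist is consulted
    first because it needs no network at all.
    """
    if (cert.issuer, cert.serial) in blocklist:
        return False, "serial on built-in blocklist"
    status = responder.status(cert, network_blocks_ocsp)
    if status == "revoked":
        return False, "OCSP says revoked"
    if status is None:
        if require_ocsp:
            return False, "OCSP unreachable and hard-fail policy"
        return True, "OCSP unreachable, soft-fail accepts"
    return True, "OCSP says good"


# Constructed data: the issuer name and serials are not the real Comodo values.
FRAUDULENT = Cert("Constructed CA", 0x1234, "login.live.com")
LEGIT = Cert("Constructed CA", 0x5678, "www.example.com")
RESPONDER = OcspResponder(revoked={(FRAUDULENT.issuer, FRAUDULENT.serial)})
BLOCKLIST = {(FRAUDULENT.issuer, FRAUDULENT.serial)}  # what the Firefox patch hard-codes


def scenario_table() -> Dict[Tuple[str, str, str, str], bool]:
    """Run every combination the post argues about; returns {scenario: accepted}."""
    out = {}
    for blocks in (False, True):
        for hard in (False, True):
            for bl in (set(), BLOCKLIST):
                for cert in (FRAUDULENT, LEGIT):
                    ok, _ = validate(cert, RESPONDER, network_blocks_ocsp=blocks,
                                     require_ocsp=hard, blocklist=bl)
                    label = (cert.subject, "ocsp_blocked" if blocks else "ocsp_open",
                             "hard" if hard else "soft", "blocklist" if bl else "none")
                    out[label] = ok
    return out


if __name__ == "__main__":
    for label, ok in scenario_table().items():
        print("ACCEPT" if ok else "REJECT", *label)
```

Read the output as a table: with OCSP blocked and soft-fail, the fraudulent login.live.com certificate is accepted unless its serial is on the blocklist; switching to hard-fail closes that hole but also rejects the legitimate site whenever the responder is unreachable, which is the breakage Mozilla describes above.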

Mozilla has requested that Comodo do the following:

  1. Publish a full account of exactly what happened. (So far: they have published an incident report and a blog post.)
  2. Monitor their OCSP logs for evidence of use of these certificates, or evidence that access to their OCSP responders is being blocked from any geographical locations. (So far: no sign of use or blocking.)
  3. Cancel all relationships with the RA concerned. (So far: the RA is suspended.)
  4. Change their practices to use intermediate certs rather than issuing directly off the root, and use a different one for each RA.

With Internet attackers always on the move, Internet users should always make sure their PCs are getting the latest updates, including Firefox updates, to protect against intrusions and malware. Beyond that, having solid, trusted Internet security software can also give peace of mind in holding off these threats.

03/22/2011

Hacker Gang Leader Sentenced to 9 Years for Hospital Computer Attacks

Thanks to a piece by Kevin Poulsen at Wired Magazine, we learned about a successful prosecution of a hacker gang leader, who was convicted of installing malware on PCs in a Texas hospital.

Self video of hacker McGraw carrying out hospital computer attack.
(Video: YouTube)

The ringleader of a former online anarchist group called the Electronik Tribulation Army was sentenced on Thursday to over nine years in prison for installation of malware at a Texas hospital.

Hacker Jesse William McGraw, 26, also known as "GhostExodus", was fined $31,881 and ordered to serve three years of supervised release after serving time in prison.

He came to the attention of the FBI in 2009 after shooting and posting a YouTube video of himself "infiltrating" computers by installing RxBot at a medical office building.

According to the government, the Electronik Tribulation Army was creating a botnet to attack rival hacker gangs, which included Anonymous--known more at the time for hardcore pranks than the 'hacktivism' they've been known for since.

Computer security researcher Wesley McGrew.
(Photo: Kristen Hines Baker, courtesy Mississippi State University)

In another video, McGraw showed off his personal infiltration gear, which included items such as lock picks, a cellphone jammer, and falsified FBI credentials. The videos were shot at the North Central Medical Plaza in Dallas, TX.

McGraw was able to do so easily since he was a night security guard and had unrestricted physical access to the hospital.

He pleaded guilty last May to computer-tampering charges for installing malware on a dozen machines, which included a nurse's station with medical records. McGraw also installed a remote-access program called LogMeIn on the hospital's Windows-controlled HVAC system.

R. Wesley McGrew of McGrew Security in Mississippi initially contacted the FBI after seeing screenshots of the HVAC access online. McGrew says,

I think the sentence is appropriate. He jeopardized public health and safety with his actions and I think it's important to take a really strong stance against that.

In the wake of McGraw’s arrest, other members of ETA campaigned to harass McGrew, which led to FBI raids on three suspected members, but no charges were reported.

Although the YouTube videos suggest McGraw wasn't necessarily a critical threat to cyberspace, the FBI took note when it was discovered he'd installed a backdoor in the HVAC unit.

They noted that any failure of the unit--which controlled the first and second floors of the North Central Surgery Center--could have adversely affected patients in the hot summer time or caused refrigerated drugs or medical supplies to go bad.

There are a couple of important lessons here:

  1. Never, ever leave a workstation unlocked when you step away from it. Ever. If you give someone physical access to your computer, all bets are off.
  2. Audit your PCs regularly. The most dangerous phrase in security is, "It's not like...."

    Rather than thinking to yourself, "It's not like someone could ever put a virus on my computer without me knowing!" Assume there are people smarter than you, and they will if they can.
  3. Keep your antivirus software updated, set it up to run automatic scans, and run a manual scan, too, every now-and-again just to be on the safe side.

 

Microsoft Working to Take Down Win32/Rustock Botnet

Microsoft's Jeff Williams gives an update on Microsoft's part in continued action to eradicate the Win32/Rustock botnet.

Over a year ago, Microsoft marshalled a unique botnet-fighting team. Made up of others in industry and some folks in academia, they used a combination of legal and technical means to take control of the Win32/Waledac botnet, the first milestone action in Project MARS (Microsoft Active Response for Security).

A similar action taken in the past couple of days has now been unsealed by the court, allowing Microsoft to talk more openly about the Win32/Rustock botnet.

Sure, Waledac was a simpler and smaller botnet than Rustock, but because of lessons learned with it, Microsoft was able to take on the much larger Rustock botnet.

Rustock is estimated to have infected over a million computers and was spewing out millions of spam messages daily.

In fact, some statistics have suggested that at its peak, Rustock accounted for a staggering 80% of all spam traffic by volume and was sending at a rate of over 2,000 messages per second.

What was so impressive in the botnet takedown was the scope of things: the seizure of command and control servers was under court order from the U.S. District Court for the Western District of Washington; the order was carried out by the U.S. Marshals Service and by authorities in the Netherlands.

That alone would be a fairly big deal, but here's the kicker: investigators are now going through evidence seized from five hosting centers in seven locations to learn more about those responsible and their activities.

This was a collaboration with others such as Pfizer (whose brands were infringed on from fake-pharma spam coming from Rustock), FireEye, and the University of Washington.

All three gave valuable statements to the court on the behavior of Rustock and on the specific dangers it posed to public health, in addition to the harm done to the Internet.

On Microsoft's side, the efforts are represented by a partnership between Microsoft's Digital Crimes Unit, the Microsoft Malware Protection Center, and Microsoft Trustworthy Computing.

We applaud Microsoft and its partners for pulling this off. Their continued work with CERT and ISPs around the world is the only way to reach those whose computers are infected and help defeat and remove these viruses.

03/08/2011

Fake Ads Posing as AV Solutions Target Browsers

Dan Goodin at The Register writes about how browser-targeted malware is growing.

For a while now, ads that pimp malware disguised as antivirus "fix-it" software have typically been customized to give the appearance of belonging to Microsoft's Internet Explorer and Windows operating systems.

Well...not so anymore.

With the popularity of Google's Chrome, Mozilla's Firefox, and Apple's Safari browsers, these fake antivirus pimps are working harder to target the browser that's actually in use by the victim.

Julien Sobrier, a senior security researcher at Zscaler, says it looks like a crafty, targeted, browser-specific malware campaign pushing the fake antivirus software.

Here's what the malware looks like in various web browsers:

Internet Explorer

Internet Explorer users get the typical Windows 7 Security Alert.


Mozilla Firefox

Interestingly, Firefox users see Firefox elements (which also appear in the page's source code). The page even spoofs the warning Firefox normally shows when it detects the user navigating to a known malicious site.


Google Chrome

Google Chrome users get a customized popup window, complete with the Google Chrome logo and an innocuous-looking warning. The positive side is that Chrome's dialog identifies the page that is displaying the bogus alert.


If the user clicks "OK," a Chrome-looking window opens and shows a fake scan taking place.

Apple Safari

Finally, Safari also gets spoofed and shows the Safari logo in fake pop-up alerts, but ultimately it looks and feels like IE.


These ads are intended to lead surfers into believing they've been infected and that the system can and will be cleaned by the (fake) antivirus software being offered. Since the popup warnings are tailored to look as though they're being presented by the browsers themselves, there appears to be a higher chance of success for the malware hackers.

Sobrier writes:

I've seen malicious pages tailored in the past, but they were mostly fake Flash updates or fake codec upgrades for Internet Explorer and Firefox.

"I've never seen targeted fake AV pages for so many different browsers.

According to Dan Goodin, some sites that redirect to this scam are:

  • columbi.faircitynews.com
  • jmvcorp.com
  • www.troop391.org

If you're successfully redirected, the site tries to get you to download and run InstallInternetDefender_xxx.exe, where xxx is a frequently changing number.

At the time of Sobrier's piece, a VirusTotal scan showed this malware was detected by just 9.5 percent (4 of 42) of the AV engines tested, although that number is sure to increase quickly.
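If you keep web proxy logs, the indicators above are enough to hunt for victims. Here is an added example in Python (ours, not Zscaler's or The Register's code) that scans constructed proxy-log lines for the three redirector hosts named above and for the dropper filename, treating the changing number as a digit run and matching case-insensitively. The log format, client addresses, download hosts and user-agent strings are all made up for the sample; the browser-family guess mirrors how the campaign picks which fake alert to show.

```python
"""Flag proxy-log lines touching the fake-AV campaign described above.

Added example, not code from Zscaler or The Register. The log format is a
constructed one (timestamp, client IP, method, URL, status, "user agent");
the redirector hosts are the three named in the post and the filename
pattern follows the 'xxx is a frequently changing number' description.
"""
import re
from typing import List, NamedTuple, Optional
from urllib.parse import urlsplit

REDIRECTORS = {"columbi.faircitynews.com", "jmvcorp.com", "www.troop391.org"}
DROPPER_RE = re.compile(r"/InstallInternetDefender_\d+\.exe$", re.IGNORECASE)

# Constructed log format: ts client method url status "user-agent"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


class Hit(NamedTuple):
    client: str
    url: str
    reason: str
    browser: str


def browser_family(user_agent: str) -> str:
    """Rough family the campaign keys its fake alerts on.

    Order matters: Chrome user agents also contain the token 'Safari'.
    """
    if "Chrome" in user_agent:
        return "Chrome"
    if "Firefox" in user_agent:
        return "Firefox"
    if "Safari" in user_agent:
        return "Safari"
    if "MSIE" in user_agent:
        return "Internet Explorer"
    return "other"


def classify(line: str) -> Optional[Hit]:
    """Return a Hit for a suspicious line, None for clean or unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # in a real pipeline, count unparseable lines rather than drop them
    _ts, client, _method, url, _status, ua = m.groups()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if DROPPER_RE.search(parts.path):
        return Hit(client, url, "fake-AV dropper download", browser_family(ua))
    if host in REDIRECTORS:
        return Hit(client, url, "known redirector to fake-AV page", browser_family(ua))
    return None


def scan(lines: List[str]) -> List[Hit]:
    return [h for h in (classify(line) for line in lines) if h is not None]


# Constructed sample lines; no real traffic.
SAMPLE_LOG = [
    '2011-03-08T10:01:02Z 10.0.0.5 GET http://www.troop391.org/ 302 "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"',
    '2011-03-08T10:01:03Z 10.0.0.5 GET http://198.51.100.7/scan/InstallInternetDefender_214.exe 200 "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"',
    '2011-03-08T10:02:10Z 10.0.0.9 GET http://www.example.com/index.html 200 "Mozilla/5.0 (Windows NT 6.1) Chrome/9.0 Safari/534.13"',
    '2011-03-08T10:03:44Z 10.0.0.12 GET http://203.0.113.4/dl/installinternetdefender_9001.EXE 200 "Mozilla/4.0 (compatible; MSIE 8.0)"',
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.client:>10} {h.browser:<18} {h.reason}: {h.url}")
```

A redirector hit followed seconds later by a dropper download from the same client, as in the first two sample lines, is the sequence worth alerting on; a redirector hit alone may just be someone browsing a compromised but otherwise legitimate site.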

It's clear that fake antivirus scams are getting more sophisticated. The good news is that legitimate Internet security software is evolving, too.