12/03/2009

Cameroon Domains (.cm) Most Likely to Host Malware

An interesting post yesterday on malware statistics at The Register caught my eye: more than one in three (36.7 per cent) of the domains registered in the Central African country of Cameroon host viruses or malicious code.

Cameroon's domains are those that end in .cm, and a keyboard typo gets you there easily.

Imagine you've just meant to go to: www.example.com

Instead though, you've just typed: www.example.cm

That missing 'o' in .com, a slip that can happen with any of millions of domain names, takes you to a different site than the one you intended: .cm is the country-code domain for Cameroon, so the name belongs to whoever registered it under that country's registry.
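Here is the typo mechanism in code. This is an added example written for this page, not something from the McAfee report or The Register: it enumerates the single-keystroke slips a person can make while typing a domain (dropped key, neighbouring key, doubled key, swapped keys; the .cm case is the dropped-key variant) so that a brand owner or a filtering proxy can tell whether a hostname is a typo of a name it cares about. The QWERTY neighbour table and the example.com names are assumptions for illustration.

```python
from typing import List, Optional, Set

# Added example, not code from the original post. Enumerates the single-keystroke
# slips a person can make while typing a domain (dropped key, neighbouring key,
# doubled key, swapped keys) and checks whether a hostname is one of them.
# The ".cm for .com" case from the post is just the dropped-key variant.

# Assumed QWERTY layout; adjust for other keyboards.
QWERTY_NEIGHBOURS = {
    "q": "wa", "w": "qse", "e": "wrd", "r": "etf", "t": "ryg", "y": "tuh",
    "u": "yij", "i": "uok", "o": "ipl", "p": "ol", "a": "qwsz", "s": "awedxz",
    "d": "serfcx", "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "j": "huikmn",
    "k": "jiolm", "l": "kop", "z": "asx", "x": "zsdc", "c": "xdfv",
    "v": "cfgb", "b": "vghn", "n": "bhjm", "m": "njk",
}


def typo_variants(domain: str) -> Set[str]:
    """Return the single-keystroke typos of a registrable name such as example.com."""
    domain = domain.lower()
    out: Set[str] = set()
    for i, ch in enumerate(domain):
        if ch == ".":
            continue                                    # never mangle label separators
        out.add(domain[:i] + domain[i + 1:])            # dropped key:   example.cm
        out.add(domain[:i] + ch + ch + domain[i + 1:])  # doubled key:   exaample.com
        for near in QWERTY_NEIGHBOURS.get(ch, ""):      # neighbour key: example.con
            out.add(domain[:i] + near + domain[i + 1:])
        nxt = domain[i + 1:i + 2]
        if nxt and nxt != ".":                          # swapped keys:  exmaple.com
            out.add(domain[:i] + nxt + ch + domain[i + 2:])
    out.discard(domain)
    # A slip that empties a label (e.g. "example.") is not a resolvable name.
    return {v for v in out if all(v.split("."))}


def is_typosquat(host: str, protected: List[str]) -> Optional[str]:
    """Return the protected domain that `host` is a typo of, or None if it is
    an exact match or unrelated. A leading 'www.' and a trailing dot are ignored."""
    host = host.lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    for brand in protected:
        brand = brand.lower()
        if host == brand:
            return None            # the real site, not a typo of it
        if host in typo_variants(brand):
            return brand
    return None


if __name__ == "__main__":
    # The slip the post describes: www.example.cm typed instead of www.example.com
    print(is_typosquat("www.example.cm", ["example.com"]))   # example.com
    print(sorted(v for v in typo_variants("example.com") if v.endswith(".cm")))
```

A brand owner would run `typo_variants` over its own names to find out which slips someone else has already registered; a gateway could apply `is_typosquat` to outbound DNS queries and block or warn. Generating variants from a short list of protected names is far cheaper than trying to enumerate every bad .cm registration.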

This little typo, according to a report titled "Mapping the Mal Web, The World's Riskiest Domains" [.pdf] from McAfee, Inc., makers of McAfee Antivirus,

"may explain why cybercriminals have set up fake typo-squatting sites that lead to malicious downloads or spyware under the country's domain."

It doesn't take a rocket scientist to figure this one out. Such an easy typo, under a registry not known for policing abuse, is all it takes to ensnare many unsuspecting computer users.

By registering the .cm typo of a popular .com name, malware authors get a steady stream of visitors to servers hosting scripts that try to install a virus, trojan, keylogger or other malware on your computer without you clicking anything: the drive-by download.

Unless you're technically competent enough to run your own DNS resolver and block the lookups there, the only practical defence for most consumers is to do all of the following:

1. Keep your computer patched.
A PC with the latest Microsoft Windows updates is significantly harder to infect than an unpatched one.

2. Don't run as Administrator (or with Administrator privileges).
Running under a standard user account with lower permissions makes it harder for some viruses and malware to infect your machine.

When you run with Admin privileges, by contrast, you're giving the edge to the malware: your account has all the permissions it needs to infect your machine, hide itself, and become even harder to remove.

3. Check your web browser's security settings.
Whichever browser you use, Internet Explorer, Firefox or Opera, the default permissions sometimes get in the way of something you need to do.

Because of this, you may have loosened the defaults to settings that make it easier, or even possible, for these attacks to succeed. Put them back.

4. Run antivirus firewall software.
Internet security software, including a firewall, antivirus and antispyware, can help stop the malicious scripts before they infect your machine.

The piece did have some positive news... it looks like Hong Kong is taking things seriously on the virus and malware front:

"Hong Kong (.hk) websites have successfully managed to purge themselves of malware threats – dropping from the most risky domain last year, to a mid-table (34th) position next year.

"This year only 1.1 per cent of .hk sites pose a risk, compared to one in five .hk Web sites setting off warning bells in McAfee's equivalent report last year.

"McAfee credits 'aggressive measures' from .hk's domain managers in clamping down on dodgy registrations for the drop."

Hats off to the domain registrars in Hong Kong.

Top 10 Riskiest Top Level Domain Extensions [1]

Rank  Country / Name        Extension
  1   Cameroon              .cm
  2   Commercial            .com
  3   China                 .cn
  4   Samoa                 .ws
  5   Information           .info
  6   Philippines           .ph
  7   Network               .net
  8   Former Soviet Union   .su
  9   Russia                .ru
 10   Singapore             .sg

[1] Data originally published in McAfee's "Mapping the Mal Web, The World's Riskiest Domains," [.pdf]

11/02/2009

Virus Writers Turning to Online Games

A great piece today from the BBC's technology section, "Video gamers face malware deluge", covers the latest computer security and virus threats.

What may seem strange to some is that one of the main purposes of these viruses is to steal game players' online credentials (their usernames and passwords) for the video games themselves.

This may come as a surprise, since most people think of a virus as something whose job is to infect the computer; here the infection is only the means, and the goal is to steal your access to the games.

Why?

Simple. To make a quick buck.

One of the main things gamers get out of online games is long-term satisfaction, often including friendship and companionship, from playing with the same group of people over a long period.

Additionally, as gamers progress, their in-game characters reach higher levels and acquire a host of things including new 'skills', weapons or other attributes. The challenge is the time spent getting there.

Some people, having seen the excitement that awaits once a character has built up certain attributes, want to short-circuit the time needed to reach the high levels, so they purchase accounts from others who have spent the time playing the game to get there.

In some cases these high-level accounts go for hundreds or even thousands of dollars--or more.

And therein is the profit motive.

Rather than building up their own characters to sell, the virus writers have created viruses that steal passwords. With the password they take over the account and sell the hard-won, highly lucrative character to an often unsuspecting buyer who is just looking for a way to skip what some gamers see as the early-game slog to get to the good stuff.

According to the story,

"Cliff Evans, head of security at Microsoft UK, said its latest look at the software threats facing Windows revealed a strong growth in one family of malicious programs known as taterf.

"In the last six months, Microsoft has seen more than 4.9m infections caused by Taterf - a figure up 156% on the total seen in the last six months of 2008."

Elsewhere in the article, and getting less note since it wasn't the headline, was discussion of worms like Conficker.

We've covered the Conficker worm itself and Conficker removal extensively here, and for good reason. As Mr. Evans of Microsoft notes,

"worms that travel networks independently looking for victims were seeing a resurgence.

"Such self-guided programs were now the second biggest security threat to Windows users." [Editor's Note: Emphasis is mine]

Worms, like all malware, exist for a variety of reasons, but these days the most common motive isn't the notoriety the author gets as the worm spreads, as it once was; it's profit.

The profit may come from selling or using your computer as a spambot, from using it to steal people's banking information or identities, or (as we see now) from selling your online gaming accounts.

All in all, these worms, viruses, and other malware are real threats. Their writers are clever, and they keep coming up with newer, more ingenious ways to work themselves into your computer and your life.

What to do?

  1. Be careful with your passwords. Use a different one for each of your online banks, credit cards and utilities, and yet another for your email.

     Using one password everywhere opens you up to even more problems: if one account is compromised, especially your email, where someone can easily see the places you do business with, it's trivial for them to log in to those businesses' websites and see whether your credentials work there too.

  2. Be careful where you point your browser. Avoid using a search engine, even the best ones like Google, Yahoo, MSN/Bing and Ask, just to get to a website whose address you already know.

     Why give scammers the opportunity to set up a rogue website that looks just like your bank and get it listed in a search engine? It's very, very hard for the engines to tell a real bank from a fake one.

     If you know you bank with Wells Fargo, for example, why go to Google to get there? Type www.wellsfargo.com into your browser and go directly. Then bookmark it, so a typographical error next time can't land you in a malware or phishing trap.

     Cutting out that extra step of going through a search engine to reach a place you already know could be the difference between keeping your information safe and not.

All this crapware shows that it's always smart to run antivirus firewall software, to keep it updated, and to keep your operating system updated, too.

Lastly, remember: your online safety is your responsibility. Many of the companies you deal with do make efforts to keep your information safe, but in the end it's still your responsibility.

10/11/2009

Conficker Still Active

Back in March 2009 the worm Conficker gained notoriety for its countdown to activation.

We covered Conficker and removing Conficker quite extensively before and after the activation date, and now, about six months later, it unfortunately comes as no surprise that systems are still being infected by it.

In fact, Kaspersky, which publishes top-malware statistics every month, still had Conficker in its various forms (Kaspersky calls it 'Net-Worm.Win32.Kido') occupying three of the top 20 spots for September 2009.

The folks at Viruslist.com, who (along with a ton of other things) report on Kaspersky's malware statistics, go on to point out that "Kido (Conficker) remains active. Kido.ih, the leader of this Top Twenty for the last six months, has been joined by another variant, Kido.ir, which is a newcomer to the rankings."

Removing Conficker isn't easy, and many antivirus vendors had a tough time working out how to remove the worm from infected PCs, but as far as we know every major antivirus program today is capable of stopping and removing Conficker/Kido.

That is no doubt part of the reason the authors of Conficker keep writing new versions: to stay ahead of the A/V programs that stop and remove their worm.

Whether or not your PC has been infected, make no mistake: six months after Conficker's activation date it is still a real threat. If your PC is unpatched, all it takes is being connected to a network (or the Internet) where there are other infected machines for yours to be at risk, too.

This threat is largely eliminated if your PC is patched and you're running any of the best firewall antivirus software or Internet security suites.

Lastly, as a reminder, do make sure your PC has the latest patches. It typically takes just a few minutes to apply them, and after a reboot (sometimes two!) you're in business.

Prior coverage of Conficker

09/15/2009

Stopping Malware: ISPs Cutting Off Internet Access to Malware Infected Computers

Malware in all its forms, viruses, worms, trojans, keyloggers, botnets, spyware, and even adware, is for most individuals and businesses unpleasant at best and a nightmare at worst.

Once your PC has been infected, cleaning up the mess the malware leaves behind can be easier said than done.

For better or worse, realizing your computer has been compromised is often difficult if not impossible. It can't be said too often that preventing the infection in the first place should be your first priority in computer security:

  1. Be smart about what you do online.
  2. Keep your PC updated with Windows Update
  3. Install (and run!) antivirus software or an Internet security suite


In an effort to deal with computers that have already been infected, Australia's Internet Industry Association (IIA)

"has drafted a new code of conduct that suggests Internet Service Providers (ISPs) contact, and in some cases, disconnect customers that have malware-infected computers."

Under the draft code, ISPs would:

  1. Identify compromised/infected computers
  2. Contact customers with infected computer(s)
  3. Provide information/advice on how to fix the infected computer(s)
  4. Report/alert about serious large-scale threats (including ones that may affect national security)
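The first step, identifying infected customers, is the only technical one, and the draft code doesn't say how ISPs should do it. The example below is added for this page and is not the IIA's or any ISP's code. It applies two simple heuristics to constructed flow records (connection summaries of the kind a NetFlow collector produces): contact with a known sinkholed command-and-control address, and a residential address talking SMTP to dozens of different mail servers within a short window, which is what a spam bot looks like from the ISP's side of the wire. The addresses, the threshold and the sinkhole list are assumed values.

```python
from collections import defaultdict
from typing import Dict, FrozenSet, Iterable, List, NamedTuple

# Added example, not code from the original post or from the IIA draft code.
# Two assumed heuristics an ISP could run over flow summaries to find customers
# whose PCs are behaving like bots.


class Flow(NamedTuple):
    ts: int        # seconds since epoch
    src: str       # customer-side address
    dst: str
    dport: int


def _constructed_flows() -> List[Flow]:
    """Constructed flow summaries standing in for an ISP's NetFlow collector."""
    flows: List[Flow] = []
    # 10.1.1.7 contacts 40 different mail servers on port 25 inside two minutes:
    # the signature of a spam bot, not of a person using one mail provider.
    for n in range(40):
        flows.append(Flow(1_000 + 3 * n, "10.1.1.7", f"203.0.113.{n + 1}", 25))
    # 10.1.1.8 is ordinary browsing plus its own provider's mail server.
    flows += [Flow(1_010, "10.1.1.8", "198.51.100.20", 80),
              Flow(1_020, "10.1.1.8", "198.51.100.21", 443),
              Flow(1_030, "10.1.1.8", "198.51.100.5", 25)]
    # 10.1.1.9 makes a single connection to an address researchers sinkholed.
    flows.append(Flow(1_040, "10.1.1.9", "192.0.2.10", 80))
    return flows


SAMPLE_FLOWS = _constructed_flows()
SINKHOLES: FrozenSet[str] = frozenset({"192.0.2.10"})   # constructed; real lists come from feeds


def flag_infected(flows: Iterable[Flow], sinkholes: FrozenSet[str] = SINKHOLES,
                  window_s: int = 600, smtp_fanout: int = 20) -> Dict[str, List[str]]:
    """Return {customer_ip: [reasons]} for customers whose traffic looks bot-like.

    Heuristic 1: any contact with a sinkholed command-and-control address.
    Heuristic 2: SMTP connections to more than `smtp_fanout` distinct hosts in a
    single `window_s`-second bucket. A home PC talks to one or two mail servers;
    a spam bot talks to hundreds. Both thresholds are assumed values."""
    smtp_peers: Dict[tuple, set] = defaultdict(set)      # (src, bucket) -> {dst}
    reasons: Dict[str, List[str]] = defaultdict(list)
    for f in flows:
        if f.dst in sinkholes:
            reasons[f.src].append(f"contacted sinkhole {f.dst}")
        if f.dport == 25:
            smtp_peers[(f.src, f.ts // window_s)].add(f.dst)
    for (src, _bucket), peers in smtp_peers.items():
        if len(peers) > smtp_fanout:
            reasons[src].append(f"{len(peers)} distinct SMTP peers in one {window_s}s window")
    return dict(reasons)


if __name__ == "__main__":
    for customer, why in sorted(flag_infected(SAMPLE_FLOWS).items()):
        print(customer, "->", "; ".join(why))
```

Each flagged customer becomes the "contact the customer" step of the code; the reasons list is what the help desk needs in order to explain the suspension. Fixed time buckets keep the check cheap enough to run continuously over a whole customer base.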

Some believe this shifts the onus onto the ISPs to ensure their customers' PCs are malware-free; however, given that the IIA is also calling for unresponsive customers (or ones involved in large-scale threats) to have their Internet access suspended, it really puts the onus on the consumer, where I believe it belongs. Here's why:

If your machine does have a virus, worm, or other malware, you may lose your Internet access 'til you get it cleaned up.

Given how cheap even the best antivirus firewall software is, risking your Internet access to save a few bucks on Internet security software doesn't make sense--especially given that you'd need Internet access to download software to clean up an infected PC.

No matter how you slice it, the ISPs realize what a threat viruses and other malware are and are going to take whatever steps they can to protect themselves, their customers, and their infrastructure. Seems like smart business to me.

09/06/2009

USB Memory Sticks: More Ways Computer Viruses Spread

Perhaps the single biggest mistake people make in computer security and in keeping themselves virus-free is assuming that anything that looks harmless is harmless.

In fact, the virus writers play on that very assumption: they hope you'll take for granted that an email, a link, a web page, or even a USB thumb drive / memory stick is clean, because they've made it look perfectly normal.

Meanwhile, they've hidden their insidious virus or other malware inside the shell of something trustworthy and harmless-looking.

Such was the case in London recently, when Ealing council was forced to "cut Internet and phone links to preserve 'core systems and data'," according to the London Evening Standard's site, ThisIsLondon.co.uk.

In the piece on the USB thumbdrive-based virus attack, the article's author, Felix Allen, goes on to say,

"Further shutdowns followed when the network was reinfected twice in the next week, and all terminals had to be rebuilt or replaced.

"This left cash-strapped Ealing with a [Over $820,000 US] bill for the emergency recovery and in lost revenue. But a report being considered by councillors tonight warns the final cost could top £1.1 million if a new computer security system is needed."

Yikes.

All this because someone plugged a keychain drive into a networked PC, and no doubt because it wasn't scanned by antivirus software first.

Here's a partial list of the damage:

  1. Over £501,000 (about $820,000 US) in actual costs
  2. As much as £1,100,000 (about $1,600,000 US) in possible costs
  3. The entire computer network was down for four days
  4. Services weren't fully restored for 'several weeks'
  5. 1,838 parking tickets had to be cancelled
  6. Rent couldn't be collected
  7. Repairs were re-ordered because contractors' invoices couldn't be validated
  8. Libraries lost £25,000 (a full month's income) because they couldn't take fines or booking fees
  9. £14,000 in overtime was paid to clear the backlog of housing benefit claims

I'm sure the responsible party is embarrassed and very, very sorry. That lets neither the IT people off the hook for insufficient antivirus firewall software nor the user off the hook for failing to make sure their memory stick was virus-free.

As seen here, when it comes to computer viruses, you definitely cannot trust things just because they look harmless.
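The Standard's piece doesn't say how the stick infected the first machine. Removable-drive worms of the period commonly relied on Windows AutoRun: an autorun.inf on the drive named a program to launch the moment the stick was plugged in, and the worm padded the file with junk lines so that simple scanners would misread it. The example below is added for this page, not code from the article or from the council, and the autorun.inf it parses is a constructed sample with made-up file names. It reports what such a file would launch, so a stick can be checked before it ever reaches a networked PC.

```python
import os
import re
from typing import Dict, List

# Added example, not code from the original post. Parses autorun.inf the way
# removable-drive worms wrote it (comment and junk lines sprinkled between the
# real directives) and reports what Windows AutoRun would launch on insertion.

# Constructed sample modelled on that layout; the file names are made up.
SAMPLE_AUTORUN_INF = """\
[AutoRun]
;3jf9a02kd
open=RECYCLER\\update.exe
j38dkfj
shell\\open\\command=RECYCLER\\update.exe
shell\\explore\\command=RECYCLER\\update.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
"""

# Keys whose value Windows executes: open, shellexecute, and shell\<verb>\command.
LAUNCH_KEY_RE = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.IGNORECASE)


def parse_autorun(text: str) -> Dict[str, str]:
    """Tolerant parser for the [autorun] section: keys lower-cased, junk ignored."""
    entries: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue                      # stray text without '=' is just padding
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def assess(text: str) -> Dict[str, object]:
    """Summarise what an autorun.inf would do when the drive is inserted."""
    entries = parse_autorun(text)
    launches = sorted({v for k, v in entries.items() if LAUNCH_KEY_RE.match(k)})
    # Worms set action= to mimic Explorer's own "Open folder to view files" entry
    # so the AutoPlay prompt looks like the harmless default choice.
    decoy_label = entries.get("action", "").lower().startswith("open folder")
    # A memory stick has no legitimate reason to launch anything on insertion.
    return {"launches": launches, "decoy_label": decoy_label,
            "suspicious": bool(launches)}


def scan_removable_drive(root: str) -> List[Dict[str, object]]:
    """Assess every autorun.inf (any letter case) found under a mounted drive."""
    findings: List[Dict[str, object]] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower() == "autorun.inf":
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    result = assess(fh.read())
                result["path"] = path
                findings.append(result)
    return findings


if __name__ == "__main__":
    print(assess(SAMPLE_AUTORUN_INF))
```

`scan_removable_drive` walks a mounted stick and assesses every autorun.inf it finds. Run it from a machine with AutoRun disabled, since the point is to look at the file before Windows acts on it.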

07/21/2009

Sunbelt Software Joins Fight Against Malware

We came across some great news today on darkREADING.com: Sunbelt Software, makers of VIPRE, our top-rated best antivirus program for 2012, is joining Trend Micro and others in contributing data to StopBadware.org.

StopBadware, which has its home at Harvard University's Berkman Center for Internet & Society, is described in the darkREADING article as a

"collaborative initiative to combat viruses, spyware, and other bad software...."

StopBadware's clearinghouse is perhaps the largest of its kind, and the idea behind it is simple:

"...[collect] the URLs of these badware websites, whether malicious or compromised, from its data partners.

"It uses the information to support and encourage site owners and web hosting companies in cleaning up and protecting their sites.

"The initiative also conducts analysis of infection trends, offers independent reviews of its partners' findings, and operates a community website, BadwareBusters.org, that provides help to people who have been victims-or wish to avoid becoming victims-of badware."

Obviously, we're happy to see any collaborative effort to thwart and stop viruses or other malware, but this one deserves special attention for several reasons, including who's involved:

  • Trend Micro (makers of Trend Micro AntiVirus)
  • GFI/Sunbelt Software (makers of VIPRE antivirus)
  • Harvard's Berkman Center
  • PayPal
  • Mozilla (makers of Firefox and Thunderbird)
  • AOL
  • ...and last but not least:
  • Google

As for Sunbelt's role in the project, they will be contributing,

"...research data via ThreatTrack™, a comprehensive array of malicious url and malware data feeds.

"The data in these feeds is derived from multiple sources including: research from Sunbelt Labs; ThreatNet™, Sunbelt's VIPRE user community that anonymously sends information on potential threats to Sunbelt Labs"

What this means to users like you and me is that when the malware your Trend Micro AntiVirus or Sunbelt VIPRE catches is sent back to the respective company, you're helping the project make sure someone else doesn't get nailed with the same--or a similar--virus.

In turn, when many people across the globe send their samples in to the project, they're helping you.

05/19/2009

US-CERT: "Malware Exploit Circulating"

One of the places we keep an eye on here is US-CERT.gov, the United States Computer Emergency Readiness Team. Their crack team of computer commandos (read: geeks) keeps a watchful eye on everything relating to computer security that might have effects at the national or international level.

We like their view of things because it takes a "Just the facts, ma'am" approach to security news, rather than the FUD-spreading that sometimes comes from security software vendors.

One of the things we took note of was their posting yesterday about what's being called the Gumblar malware.

Typically we avoid long quotes because there's seldom that much worth quoting, but this one is worth citing in full, so quoting their posting,

"US-CERT is aware of public reports of a malware exploit circulating. This is a drive-by-download exploit with multiple stages and is being referred to as Gumblar.

The first stage of this exploit attempts to compromise legitimate websites by injecting malicious code into them.

Reports indicate that these website infections occur primarily through stolen FTP credentials but may also be compromised through poor configuration settings, vulnerable web applications, etc.

The second stage of this exploit occurs when users visit a website compromised by Gumblar. Users who visit these compromised websites and have not applied updates for known PDF and Flash Player vulnerabilities may become infected with malware.

This malware may be used by attackers to monitor network traffic and obtain sensitive information, including FTP and login credentials, that can be used to conduct further exploits.

Additionally, this malware may also redirect Google search results for the infected user.

US-CERT encourages users and administrators to apply software updates in a timely manner and use up-to-date antivirus software to help mitigate the risks."

There are several noteworthy things in this posting that we felt warranted clarification for our newer readers:

Security Problem 1: Drive-by-download exploit

Security Meaning:

These are viruses and other malware that can infect your computer merely because you visited a certain website.

How?

Web browsers, despite their user-friendliness (in fact because of it), have software bugs in them. These bugs are often very, very hard for the programmers to detect while they're writing the browser, but they're still there.

Crackers then set about tricking the web browser into doing things it wasn't designed for, like installing software on your computer without your permission, or even your knowledge.

Sometimes these bugs involve two components, perhaps a web browser like Internet Explorer and a .pdf reader like Adobe Acrobat.

Security Solution:

Keep your browser and its plug-ins patched (see Security Problem 3 below), and make sure you run updated antivirus software.

Modern antivirus software can often stop these malware exploits in their tracks.

Thus, by running antivirus software you're doing a lot to mitigate the risk from this type of malware delivered via your web browser.

Security Problem 2: Stolen FTP credentials

Security Meaning:

FTP is one of the most popular mechanisms web designers use to transfer files to and from their web sites. FTP is fairly ubiquitous in the web design world; it's also completely insecure. Here's why:

FTP sends the webmaster's username and password, needed to make changes to the site, in "cleartext."

This means anyone on the same network segment or unsecured wireless connection as the web designer can silently intercept their username and password every time they make changes to their site.

If you can get a webmaster's FTP username and password, all bets are off.

Crackers can then make changes of their own to the unsuspecting webmaster's website, including uploading files that harm your computer just for visiting the site.

Chances are the webmaster means you no harm, and chances are they don't even know their site has been broken into, but that's exactly the point: get good sites to do bad for them without the webmaster's knowledge.
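To make the cleartext point concrete, here is what a passive listener on the designer's LAN or hotspot harvests from FTP's control channel. This is an added example written for this page, not code from US-CERT or from any Gumblar analysis; the capture it parses is a constructed sample (addresses, user names and passwords are made up) representing the port-21 messages after the TCP streams have been reassembled.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Added example, not code from the original post or from US-CERT. Shows what a
# passive listener on the web designer's network segment (or an open Wi-Fi
# hotspot) gets from FTP's control channel: the credentials, in the clear.

# Constructed capture: port-21 payload, one control message per line, tagged
# with the client address and direction (C> client to server, S> server to client).
SAMPLE_FTP_CAPTURE = """\
10.0.0.5 C> USER webmaster
10.0.0.5 S> 331 Password required for webmaster
10.0.0.5 C> PASS Summer2009!
10.0.0.5 S> 230 Login successful.
10.0.0.5 C> CWD /public_html
10.0.0.5 C> STOR index.php
10.0.0.9 C> USER anonymous
10.0.0.9 S> 331 Please specify the password.
10.0.0.9 C> PASS guest@example.com
10.0.0.9 S> 530 Login incorrect.
"""


class Login(NamedTuple):
    client: str
    user: str
    password: str
    accepted: bool


LINE_RE = re.compile(r"^(?P<client>\S+) (?P<dir>[CS])> (?P<msg>.*)$")


def extract_ftp_logins(capture: str) -> List[Login]:
    """Pair each USER/PASS exchange with the server's verdict (230 = accepted)."""
    awaiting_pass: Dict[str, str] = {}                  # client -> username seen
    awaiting_reply: Dict[str, Tuple[str, str]] = {}     # client -> (user, password)
    logins: List[Login] = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, direction, msg = m.group("client", "dir", "msg")
        if direction == "C":
            verb, _, arg = msg.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                awaiting_pass[client] = arg
            elif verb == "PASS" and client in awaiting_pass:
                awaiting_reply[client] = (awaiting_pass.pop(client), arg)
        elif client in awaiting_reply:
            # First server reply after PASS is the verdict on that password.
            user, password = awaiting_reply.pop(client)
            logins.append(Login(client, user, password, msg.startswith("230")))
    return logins


def working_credentials(capture: str) -> List[Login]:
    """Only the logins the server accepted: what a credential harvester keeps."""
    return [login for login in extract_ftp_logins(capture) if login.accepted]


if __name__ == "__main__":
    for login in extract_ftp_logins(SAMPLE_FTP_CAPTURE):
        print(login)
```

Point it at your own reassembled port-21 streams to find out who is still logging in over FTP. The same login over SFTP yields nothing to parse: the SSH session encrypts user name, password and file contents alike.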

Security Solution:

If you're a webmaster, consider switching to SFTP, the SSH File Transfer Protocol, which carries everything, credentials included, inside an encrypted SSH session. The most widely used implementation is part of OpenSSH, and it's totally, completely 100% free.

Nearly all Unix, BSD and Linux machines support SFTP. Windows web servers can run it too, under Cygwin.

If you're renting a server from a web host, check with them to see what options are available. Whatever the case, chances are it's inexpensive and well worth the cost to minimize the risk of someone breaking into your website.

For the rest of us, as web site users, it's impractical to recommend something absurd like "avoid unknown websites."

That's half the point of the Internet to begin with!

The real solution is to run antivirus software and make sure it's properly configured to provide "realtime" protection and protection at the web browser level.

Security Problem 3: updates for known PDF and Flash Player vulnerabilities

Security Meaning:

Like web browsers, PDF viewers like Acrobat and Flash players have bugs, too.

These programs, in part because they're integral parts of web browsers today, can become part of the process crackers use to get their viruses and malware onto your machine.

We've all been told about a million times, "Don't open unknown attachments!"

Ok, got it. But these aren't even attachments... they're malicious files that attack your computer whenever it visits a web page carrying a booby-trapped .pdf or Flash video, so now what?

Security Solution:

There are two important parts to this solution:

1. Keep your system and your software up-to-date.

   Typically, software from companies other than Microsoft needs to be updated outside of the "Windows Update" mechanism.

   This means going into applications like Adobe Acrobat and manually updating each piece of software, in addition to using the software's autoupdate mechanisms.

   Autoupdate is great; however, we caution against becoming too dependent on autoupdating software, since there may be unknown reliability issues or other problems with these tools.

   It's important to know and understand what's going on with your computer.

2. Antivirus software. Install it. Run it. Update it. Make sure it's properly configured.

Security Problem 4: redirect Google search results

Security Meaning:

For a lot of people Google practically is the Internet. Unfortunately, because of the trust put in Google, whatever shows up in its search results is often taken as gospel.

What this particular exploit does is swap out the real Google results for phony ones. Why?

Most commonly because the crackers want you to visit sites they own, or sites that pay them for sending traffic.

Sometimes the sites receiving that traffic have no idea it comes from malware installed on visitors' computers.

Security Solution:

Once again, the real solution is... that's right, you guessed it: antivirus software.

What we also took note of in the posting was that US-CERT says, "US-CERT encourages users and administrators to apply software updates in a timely manner and use up-to-date antivirus software to help mitigate the risks."

Huh.

Sure sounds like they're beating the same drum we do.