When Antivirus Software Fails You: How to Stop (and Defeat!) a Real-World Trojan & Social Engineering Attack
It isn't every day you get to see what a real Trojan or Social Engineering attack looks like.
When you do, there's seldom time to even take screenshots: you just want to get the heck out of Dodge.
But this time, while putting together material for our upcoming free workshop, Get Secure, I came across a real attack and was able to record it.
If you've ever wondered what an attack looks like, here's your chance to see one.
Here's the best/worst part: nothing stopped it.
- Not our Internet Security Software.
- Not any of our browsers' built-in malware protection.
- Not even Windows 10's built-in security.
See for yourself how it happened and what you can do to stop it.
People sometimes question why antivirus software that's not a part of the operating system is a must.
With Windows 8, for instance, Microsoft has announced that it is including its own antivirus software right in the operating system itself.
To be blunt: this is meaningless, particularly when it comes to making a PC safer. The first antivirus software the virus writers will make sure their malware evades is the one built into Windows! And so, this A/V software means nothing more than a false sense of security for most people and some delays for the bad guys.
Having good third-party antivirus software means you have another layer of protection the bad guys don't necessarily know about. Sure, they may try to avoid detection by independent antivirus programs, especially the most common ones, but if they're at least beating the baked-in antivirus software, their battle is largely done.
Yes, it might make it harder to find ways to infect PCs to begin with, but all that does is slow them down a bit.
Now, let's bring Apple into the picture.
Apple was criticized first for its slowness in applying the patches to Java that Oracle made months ago (the delays that allowed the Flashback Trojan to hit Macs as virulently as it did to begin with), then a second time for not working with the antivirus community that was eager to help, and then a third time for not releasing detection and removal tools.
Luckily, the antivirus companies entered the picture. First was Dr. Web with its disclosure of the trojan (and "sinkholing" of the botnet's command-and-control domain names).
Then F-Secure came into the picture with manual instructions for determining if your Mac had been compromised. On the heels of that was Kaspersky with free, automated Flashback detection and removal tools.
All of these companies beat Apple--by a LONG shot--at protecting their customers (and non-customers alike) with the steps and tools each of them made.
Oh, and lest it go unsaid, Apple did release an update to Java that patches the hole and removes the most common variants of the Flashback malware.
Here's what the update looks like in Software Update:
There have been multiple reports of this in large online news outlets including CNet and ZDNet about the false positive, those people affected by it, and MS's reply.
Microsoft's response to the ZDNet inquiry was pretty quick (even though about 3,000 people were affected), with the MS spokesperson saying via email,
"On September 30th, 2011, an incorrect detection for PWS:Win32/Zbot was identified and as a result, Google Chrome was inadvertently blocked and in some cases removed from customers' PCs.
"We have already fixed the issue — we released an updated signature (1.113.672.0) at 9:57 am PDT — but approximately 3,000 customers were impacted."
While no one is cheering for Microsoft for the goof, it's pretty clear this really was just a goof. It happens.
Sure, given the relationship between Microsoft and Google, it could easily be called intentional or perhaps even a Freudian slip, but let's remember: antivirus software is complex stuff. No question.
And, at least in this case, it was remedied relatively quickly. If needed, here's where you can manually update the definitions for your Microsoft Security Essentials.
Lastly, regardless of what antivirus software you're running, if you haven't done it in a while, now's a good time to take a minute and make sure you're running the latest version with the most recent definitions.
One of the questions we're most often asked is,
C'mon... do I really need antivirus software? Doesn't it just slow your PC down anyway?
Our answer? "Yes, and no, not really[1]."
It turns out the need may be even more acute than we believed. According to a Computerworld piece, "New malware scanner finds 5% of Windows PCs infected," one in every 20 Windows PCs whose users turned to Microsoft for cleanup help was infected with malware. That's according to Microsoft's own data from their Microsoft Safety Scanner.
Here's the first kicker: that only counts the number of folks who used the Microsoft tool, and doesn't count those who:
- downloaded the tool on one PC and moved malware from a second (or third or other computer)
- took their computer to Best Buy or their local PC repair shop
- had their geek niece/nephew/neighbor fix their computer
- consulted search engines to repair their PC on their own
- installed antivirus software on their own
- gave up and purchased a new PC
Here are a couple of other interesting tidbits from the Computer World article,
On average, each of the infected PCs hosted 3.5 threats, which Microsoft defined as either actual malware or clues that a successful attack had been launched against the machine.
This is almost as interesting to me as the 1-in-20 stat. What this seems to show is that when you run your PC without antivirus software, chances are when it gets hit, it gets really hit.
Certainly some portion of those may be multiple infections arising from the same initial infection, but the bulk are no doubt infections happening at different times and perhaps even via different infection techniques.
This means when you lack protection, it's not that you get infected once, and you're done. On the contrary. Having one virus doesn't mean you can't get more. In fact, you'll probably have three-and-a-half.
Another important tidbit: the majority of the infections came via Java exploits, interesting most of all because they
Given that we ourselves test every product we review with live viruses and all sorts of other malware, we know that no antivirus software is perfect. The bottom line, though, is that antivirus software does give you a significant advantage and helps keep your PC protected and virus free.
[1] Yes, crappy antivirus software slows your machine down. Definitely. The best antivirus software doesn't.
That may sound like a funny question, but it's one worth asking.
I'll avoid the cliché of "you get what you pay for," because all too often in life that's just not true. Often you end up with something wonderful and inexpensive, or something that's mediocre and expensive.
Instead I'll quote David Hall, Symantec's Asia-Pacific Customer Manager, who said in speaking to BLORGE (a self-described "team of experienced writers from around the world") recently about free antivirus software,
"'Imagine what it must be like for somebody who is not actually charging to be able to pay their security researchers to be able to keep up.
'We’ve made more virus definitions last year than we have in the last 10 years.'"
This is only half the battle as far as we're concerned.
We've discussed the topic of free antivirus software reviews on our site before, and now that Symantec's exec has also shined some light on the subject, I felt it was a good time to add some other considerations to the subject.
Another significant question about free antivirus software is: what's missing from it?
As we've shown in our reviews and our new head-to-head antivirus comparisons, there is a huge difference in support from one antivirus vendor to the next.
And, it's not even a case of you-get-what-you-pay-for, as the software we've rated the 2012 best antivirus software, VIPRE, is also one of the cheapest antivirus software applications made and it has the best support, too.
That said, back to the question: what is missing from free A/V programs?
Some free antivirus programs are lesser offerings from commercial vendors. The biggest "gotchas" with such offerings, and what each means to you:
1. Are you getting the maximum protection from the free version of a company's software?
Free antivirus software from commercial vendors is a "stripped down" version of their commercial offering. What protection are you missing with these stripped-down versions?
2. Where do you turn for support?
Commonly, there is little, if any, real support for free antivirus software. You're at the mercy of search engines, forums, and newsgroups.
If you can't get the answer there, you have no alternative short of taking your computer to your local computer repair center (Best Buy, etc.) or calling your geek friend/relative/neighbor.
[With the former, you're always going to pay *far* more for the support from a repair center than you would have paid for commercial antivirus software to begin with.
With the latter, the geek friend/relative/neighbor, we're (almost) always happy to help the first time or two that it happens, but after that, believe me, offering free tech support to friends/family gets old. Fast.]
You're also at the mercy of their relative skill levels, and as good as they may advertise themselves to be or seem to be in speaking with them, do you really want to trust the removal of a virus to someone who isn't an antivirus technician?
3. What about licensing?
With many free antivirus programs, you can only use the free version in home and non-commercial environments. This means if you work from home, many free A/V programs cannot legally be used.
[Sure, maybe you're "fine" using this software as long as you don't get caught, you justify to yourself, but that's not the point.
If your livelihood depends on the software, and it's not licensed for free use in a commercial environment, you should pay for it. Otherwise you're stealing.]
Microsoft Security Essentials / Morro
"'Microsoft’s free product is basically a stripped down version of the OneCare product Microsoft pulled from retail shelves.'
'Consumers don’t need less protection, they need more.'"
Agreed. In 2009, the threats to consumers' and businesses' computers from viruses, worms, trojans, and such are only getting smarter, more prevalent, and harder to detect.
There are so many important considerations with antivirus software, but here are just a few:
(Microsoft, for instance, abandoned OneCare, their previous A/V offering. What will happen with Morro / Microsoft Security Essentials given that it's free? Microsoft is definitely in business to make money, but how can they with a completely free product? Or will they start charging for it? Or will it, too, get abandoned and see no ongoing development?)
The bottom line is this: is protecting your computer from viruses and other security threats worth $20 or $30 a year?
This might just be a case of "you-get-what-you-pay-for" after all.
There's been a bit of a discussion lately about Microsoft's upcoming antivirus software, dubbed "Morro" and currently in beta.
Given the time we've spent in and on Internet security-related software and other matters, I'd like to add another voice on the subject. Some things to consider about Morro:
Facts about Morro, and considerations for each:
1. "Morro will work by routing all of a user's Internet traffic to a Microsoft datacenter, where the Morro application will process the traffic and identify and block malware in real-time, by examining all of the rerouted traffic."
(Source: ZDNet.com: "Microsoft 'Morro': explicitly explained, fact from fiction")
Consideration: Do you really want all of your Internet surfing going through Microsoft's servers?
2. How will Microsoft use the data other than for virus detection?
Consideration: Even if Microsoft claims to be "anonymizing" data (which I haven't heard any mention of), as AOL claimed it was doing when it released search data, this is of great concern here.
AOL couldn't anonymize it all and released tons of sensitive information including people's social security numbers and credit card numbers.
Does anyone expect anything different from Microsoft in this regard?
Truly, this seems like a privacy nightmare. And then some.
3. "How it will remain free is beyond me.
The only viable way Microsoft makes money out of these things is by providing advertisements to their programs and applications.
This is not only why Windows Live and other Microsoft products are free, but you'll find it's why the Internet as a whole is pretty much free."
Consideration: I'm with Zack on this, and I'll throw in one more thing: what happens when it's time for support?
My own personal experience of calling Microsoft for help--even when I paid their absurd $195.00/call for their so-called "enterprise support"--was, to be purely honest, useless in upwards of 75% of the cases.
In one instance, I called in noting precise URLs to the MS technician revealing that they had a hotfix that would solve my problem, and only after climbing through hoops for nearly an hour did the tech email the patch to me.
In another instance, I called looking for support with a licensing issue, and after, literally, over two dozen calls and transfers, they acknowledged the problem as theirs and solved it.
I'm sure others have had different experiences with Microsoft's support, but the real question here is, "What kind of support do people expect on a free product?"
Given that the best antivirus software out there for 2012 can be had for under $20 and that you get full-fledged U.S. based telephone tech support for your $20, it seems a truly small price to pay for such high-quality, fully supported software.
4. "A replacement for Live OneCare which failed to gain much traction, Morro will, in effect, compete with similar antivirus products from security vendors such as Symantec, McAfee and Trend Micro."
(Source: FierceCIO.com "Microsoft to roll out beta of free antivirus software for PCs soon")
Consideration: Microsoft's initial foray into A/V software was called "Live OneCare," and it was met almost universally with silence.
After failing to get any noteworthy market adoption, it's now being replaced with Morro.
Given Microsoft's history of abandoning products, not just in antivirus, but also with music / media with the Microsoft PlaysForSure* files, this begs the question: what else might the unsuspecting consumer be in store for by using the Microsoft A/V product?
[* Microsoft rolled out PlaysForSure in 2004, only to, just two years later in 2006, ironically fail to allow music licensed with Microsoft PlaysForSure to work on their own Zune player.]
We'll no doubt have more news and commentary on Microsoft's Morro Antivirus as more details become available.
Our friends in Redmond, Washington, are at it again. :-)
Microsoft just announced their own free anti-malware / anti-virus software. CNET has full coverage of Microsoft's Morro anti-virus software, and the general consensus amongst security industry companies seems to be a universal shrug.
Here's what reps from some of the leading companies had to say in interviews for the article:
| Company | Comment |
|---|---|
| McAfee | "With more malware attacks than ever before, we believe our advanced technology... will provide consumers the confidence to choose McAfee as their trusted adviser and expert in security." |
| Symantec | "...it's simply not in Microsoft's DNA to provide high-quality, frequently updated security protection." |
| Kaspersky | "[Microsoft has] continued to hold a very low market share in the consumer market, and we don't expect the exit of OneCare to change the playing field drastically." |
Hmmm... doesn't sound like any are quaking at the thought of having Microsoft as a competitor in the antivirus software marketplace anytime soon.