$250,000 Reward for Information about the Rustock Botnet

Microsoft made an announcement in their blog today: $250,000 for Rustock botnet information
This reward offer stems from Microsoft’s recognition that the Rustock botnet is responsible for a number of criminal activities and serves to underscore our commitment to tracking down those behind it.

"While the primary goal for our legal and technical operation has been to stop and disrupt the threat that Rustock has posed for everyone affected by it, we also believe the Rustock bot-herders should be held accountable for their actions.
Why has Microsoft put so much effort into this particular botnet?

In part because of the serious damage it has done. By Microsoft's estimation, the botnet had capacity for sending 30 billion spams. A day.

Bear in mind, too, that this is after Rustock was taken down through a huge international effort that marshaled industry and academic researchers, legal teams, and governments to do so.

So, what does all this mean?

My own take is that they may never capture the folks responsible, and a lot of infected machines are still out there, mostly unbeknownst to their owners, no doubt, so there's still a lot of work to be done.

My belief is that the botnet will take many years to die completely, because most of the people who're running infected machines aren't running antivirus software, and if they haven't noticed their machines are infected by now, they probably never will.

Thus, they're unlikely to install some and remove the botnet from their PC.

In which case, it'll only die when the infected PCs themselves go to the scrapyard.

In the mean time, at least the technological solutions in place should make it very hard for the infected machines to come back to life and spew more spam.

More information on the $250,000 Rustock award.


Microsoft Working to Take Down Win32/Rustock Botnet

Microsoft's Jeff Williams gives an update on Microsoft's part in continued action to eradicate the Win32/Rustock botnet.

Over a year ago Microsoft marshalled a unique botnet-fighting team. Made up of others in industry and some folks in academia, they used a combination of legal and technical means to  take control of the Win32/Waledac botnet as the first milestone action in project MARS (Microsoft Active Response for Security.)

A similar action in the past couple of days has had its legal seal opened that allowed Microsoft to talk more openly about the Win32/Rustock botnet.

Sure, Waledac was a simpler and smaller botnet than Rustock, but because of lessons learned with it, Microsoft was able to take on the much larger Rustock botnet.

Rustock is estimated to've infected over a million computers and was spewing out millions of spams daily

In fact, some statistics have suggested that at its peak, Rustock accounted for a staggering 80% of all spam traffic in volume and were sending at a rate of over 2,000 messages per second.

What was so impressive in the botnet takedown was the scope of things: the seizure of command and control servers was under court order from the U.S. District Court for the Western District of Washington; the order was carried out by the U.S. Marshals Service and by authorities in the Netherlands.

That alone would be a fairly big deal, but here's the kicker: investigators are now going through evidence seized from five hosting centers in seven locations to learn more about those responsible and their activities.

This was a collaboration with others such as Pfizer (whose brands were infringed on from fake-pharma spam coming from Rustock), FireEye, and the University of Washington.

All three gave valuable statements to the court on the behaviors of Rustock and also the specific dangers to public health which is in addition to those effecting the Internet.

On Microsoft's side, the efforts are represented by a partnership between Microsoft's Digital Crimes Unit, the Microsoft Malware Protection Center, and Microsoft Trustworthy Computing.

We applaud Microsoft and its partners for pulling this off. Their continued work with CERT and ISPs around the world is the only way to reach those whose computers are infected and help defeat and remove these viruses.


Virus Writers Turning to Online Games

A great piece today from the BBC's technology section called, Video gamers face malware deluge talks about the latest computer security / virus threats.

What may seem strange to some is that one of the main purposes of these viruses is to steal the game players online credentials (i.e. their usernames and passwords) to the video games themselves.

This may come as a surprise to many since typically the primary purpose of viruses is to infect the computers themselves; however, in this case it appears the goal is just to steal your access to the games.


Simple. To make a quick buck.

One of the main things gamers get out of online games is the long-term satisfaction, often including friends and companionship, from playing with the same group of people over a long period of time.

Additionally, gamers as they progress get higher and higher levels of performance their in-game characters get a host of different things including new 'skills', weapons or other attributes. The challenge is the time spent getting there.

Some people, after having seen the excitement that awaits them once they've built up a certain attributes in their in-game character, want to short-circuit the time needed to build up to the high levels, so they purchase the accounts from others who've spent the time playing the game to build up to the high levels.

In some cases these high-level accounts go for hundreds or even thousands of dollars--or more.

And, therein is the profit motive.

These virus writers, rather than attempting to build up their own characters to sell for profit, have created viruses that steal passwords, and by doing so, they can take over the accounts and sell the hard-won, highly lucrative characters to often unsuspecting buyers who're just looking for a way to avoid what some gamers perceive as early-game slog to get to the good stuff.

According to the story,

"Cliff Evans, head of security at Microsoft UK, said its latest look at the software threats facing Windows revealed a strong growth in one family of malicious programs known as taterf.

"In the last six months, Microsoft has seen more than 4.9m infections caused by Taterf - a figure up 156% on the total seen in the last six months of 2008."

Elsewhere in the article, and getting less note since it wasn't the headline, was discussion of worms like Conficker.

Information on the Conficker worm itself and help with Conficker removal have been covered here extensively for a variety of reasons, including as Mr. Evans of Microsoft cites,

"worms that travel networks independently looking for victims were seeing a resurgence.

"Such self-guided programs were now the second biggest security threat to Windows users." [Editor's Note: Emphasis is mine]

Worms, like all malware, are out there for a variety of reasons, but these days the most common one isn't just for the notoriety the virus/worm writer gets as it spreads, as it once was, it's for profit.

The profit may be from selling/using your computer as a spambot, from using it to steal people's banking information or identities, or it may be (as we see now) from selling your online gaming profiles.

All-in-all these worms, viruses, and other malware are threats. Their writers are clever, and they're only coming up with newer, more ingenious ways to ferret themselves into your computer and your life.

 What to do?

  1. Be careful with your passwords. Use different ones for each of your online banks/credit cards/utilities. Use different ones still for your email.

    Using one password everywhere opens you up to even more problems, as if one account is compromised, especially your email, where someone can easily see the places with whom you do business, it's trivial for them to login to these other business' websites and see if your credentials work. 

  2. Be careful with where you point your browser. Avoid using a search engine, even the best ones like Google, Yahoo, MSN/Bing, and Ask just to get to a website whose website address you already know.

  3. Why give the scammers an opportunity to setup a rogue website that looks just like your bank and get it listed in a search engine? It's very, very hard for the engines to know what's a real bank and what's a fake one.

    If you know you're banking with Wells Fargo, for example, why go to Google to get to Wells Fargo? Just type www.wellsfargo.com into your browser and go there directly. Then bookmark it, so you're not subject to a typographical error next time, which could just as easily ensnare you in a malware/phishing trap.

    Taking out that extra step of going to the engines to get to a place you already know could mean the difference between keeping your information safe and not.

All this crapware shows is that it's always smart to run antivirus firewall software, to keep it updated, and to keep your Operating System updated, too.

Lastly, remember: your online safety is your responsibility. Many of the companies you deal with do make efforts to keep your information safe, but in the end it's still your responsibility.


Conficker Sill Active

Back in March 2009 the worm Conficker gained notoriety for its countdown-to-activation.

We covered Conficker and removing Conficker quite extensively before and after the launch date, and now about six months later, it unfortunately comes as no surprise that systems are still being infected by it.

In fact, Kaspersky Antivirus, who publishes a list of the top malware stats every month in September 2009 still has Conficker in its various forms (called 'Net-Worm.Win32.Kido' by Kaspersky) occupying three of the top 20 malware spots.

The folks at Viruslist.com, who (along with a ton of other things) report on Kaspersky's malware statistics, go on to point out that, Kido (Conficker) remains active. Kido.ih, the leader of this Top Twenty for the last six months, has been joined by another variant, Kido.ir, which is a newcomer to the rankings

Removing Conficker isn't easy and many antivirus software vendors had a tough time getting a handle on how to remove the worm from infected PCs, but as far as we know every major antivirus program today is now capable of stopping and removing Conficker/Kido.

This is part of the reason, no doubt, why the authors of Conficker continue to write new versions: to try to thwart the A/V programs from stopping and removing their worm.

Regardless of whether or not your PC has been infected, make no mistake: just because it has been six months since Conficker's activation date, it's still a real threat, and if your PC is unpatched, all you have to do is be connected to a network (or the Internet) where there are other infected machines for yours to be at risk of infection, too.

This threat is all but eliminated if you're running any of the best firewall antivirus software or Internet security suites.

Lastly, as a reminder, do make sure your PC is has the latest patches. It typically takes just a few minutes to apply the patches and after a reboot (sometimes two!) you're in business.

Prior coverage of Conficker


Antivirus Software: What's Real? What's Fake?

One of the growing concerns for many security and antivirus professionals is the dramatic growth of fake antivirus software.

The idea behind fake A/V software is to trick unsuspecting consumers into downloading and installing their fake software in an effort to get trojans, viruses, spyware, and other malware installed onto PCs in the process.

There's nothing real about the fake software, except the threat it poses.

The process works like this:

  1. Trick consumer with a real looking, real sounding ad on an (often unsuspecting) legitimate website
  2. Get consumer to install the phony (but very real looking) antivirus application
  3. Stuff any number of trojans, keyloggers, spyware, and other evil applications into the fake antivirus program
  4. Use the newly infected computer to do their bidding, including (among other things):
    1. identity theft
    2. credit card fraud
    3. bank theft
    4. infecting other computers
    5. spamming

Solution to the Fake Antivirus Software Problem

Word is filtering out today about a way to tell fake antivirus software from legitimate ones.

A new site from security and SSL vendor Comodo of a project they're backing called, "Common Computing Security Standards Forum," aims to help consumers figure out what's real and what's not.

In their list of all known legitimate antivirus software vendors, they hope to help put an end to the dummy antivirus programs out there and to help consumers stay clear of the crap.

In addition to thanking them for their efforts, here is a complete list of current antivirus vendors known to Comodo to be the real deal:

Legitimate Antivirus Software Vendors
  • AhnLab
  • Aladdin
  • Antiy
  • Authentium
  • AVG Technologies
  • Avira GmBH
  • BitDefender (BitDefender Antivirus & Internet Security)
  • BullGuard
  • CA Inc (CA Anti-Virus)
  • Checkpoint
  • Cisco
  • ClamAV
  • Comodo
  • CSIS Security Group
  • Drive Sentry
  • Dr.Web
  • Emsi software
  • ESET
  • F-Secure
  • Fortinet
  • Frisk Software
  • G Data Software
  • GFI/Sunbelt Software (VIPRE Antivirus & Internet Security)
  • Ikarus Software
  • Intego
  • iolo
  • IObit.com
  • Kaspersky Lab (Kaspersky Anti-Virus & Internet Security)
  • Kingsoft
  • Malwarebytes
  • McAfee McAfee VirusScan Plus & Internet Security)
  • Norman
  • Panda (Panda Antivirus Pro & Internet Security)
  • PC Tools
  • Prevx
  • Rising
  • Sophos
  • SuperAntispyware
  • Symantec (Norton AntiVirus & Internet Security)
  • Trend Micro (Trend Micro AntiVirus & Internet Security)

  • You'll note, every one of the programs (reviews linked above) are included in our antivirus reviews since day one of our site are included on the list.

    If you know of other legitimate A/V software not on the list, please contact us so that we can share your insight with the folks at Comodo.


    New Trojan Targets Unpatched Microsoft Excel Flaws

    There's recent news afoot from a number of sources, including The Register about a Microsoft Excel Trojan.

    Several versions of Excel are vulnerable to this particular bit of malware including:

  • Excel 2000
  • Excel 2002
  • Excel 2003
  • Excel 2007
  • Excel 2004/2008 for Mac
  • Excel Viewer
  • Excel Viewer 2003
  • How do you get this trojan

    Since it takes advantage of a flaw in Excel (and the Excel viewer), all you need to do is open an Excel spreadsheet with a specially crafted spreadsheet. Once you open it, the trojan payload is instantly delivered to your system.

    What's being done

    As of this writing, Microsoft's official word on the Excel Vulnerability is,

    "At this time, we are aware only of limited and targeted attacks that attempt to use this vulnerability."

    The Microsoft Security Advisory goes on to say they've not yet decided to release a patch as a part of "Patch Tuesday", a service pack, or something "out-of-cycle."

    As with any new virus, trojan, or other malware, we urge readers to make sure you're running current antivirus software and that your antivirus signatures are up to date.

    If you're not sure if your antivirus software is up-to-snuff and does everything it should, we have a page to help you compare antivirus software.


    Microsoft Patch Tuesday: Another Angle

    To the uninitiated, Microsoft has one day monthly, "Patch Tuesday," they call it, where they release bug fixes and patches to their software.

    A recent blog at IT World on Patch Tuesday talks about the once monthly cycle and asks if this is often enough.

    They claim, perhaps accurately, that most IT security pros claim to like the once monthly cycle because it lets them plan better and it lets upper management "manage better." Further, they claim, it actually makes things, "more secure," by making things regular.

    This is total, complete, utter garbage. Garbage on multiple fronts at that. Here's why:

    Just because you as a home user or an IT security pro have updates available by Microsoft (or any other software vendor for that matter) does not mean you have to apply them the same day they're released!

    Let me put it another way...
    If Microsoft were to continually release updates as they were ready for release to the public by their developers (rather than sitting on the patches for the arbitrary "Patch Tuesday,") then individual home users and companies alike could choose when to patch things according to their own schedules and computer security needs.

    If you're a web hosting company with dozens, hundreds, or even thousands of servers under management, you have a very different set of concerns than a home user with three machines, right?

    You also have a different ability to execute tasks, too. Rightly so.

    With that in mind, why not put the power--and the security--in the hands of the customers and let them choose when to patch.

    If a company wants to patch on the second Tuesday of each month, they by all means certainly can; however, if a company--or an individual user--has a particular exploit that is of concern to them, and they need to patch their server(s) today, they by all means certainly can.

    Plan it. Manage it. It's easy.

    But to say that the once monthly cycle makes it easier for IT shops to manage is absurd bordering on delusional. It literally takes management decisions away from the managers and IT pros and shifts the burden of decision making onto Microsoft.

    How does that possibly make sense?

    That's akin to saying it's easier for you as a company (or an individual) to plan paying your bills if your bank only makes your money available to you on the second Tuesday of the month!

    As an individual--and especially as a business--who knows how many times you get paid in a given month (i.e. the developers said the patches were ready), but the bank (i.e. Microsoft) instead sits on the money (i.e. the patches) 'til the second Tuesday.

    For most desktop PCs security at a fairly basic level boils down to: solid firewall software, good antivirus software installed and updated, OS patches applied, and if you're smart other software patched, too. Maybe you throw in anti-spyware, too, to be on the safe side. Fine. (If you're really smart, don't run as Administrator, either.)

    But at least let home and business users make the decision themselves about their respective security... I'll schedule my own bill payments, thanks.


    Conficker Worm Reward Offered by Microsoft

    Our blog has been quiet for a few days as we work on putting together some new guides to securing your computer and some other resources to help our visitors secure their PCs--and keep them that way.

    We hope to have that wrapped up in a couple of days here, but meanwhile, more news from the Conficker /Downandup front.

    Microsoft announced in a press release today they're putting up a tidy reward of $250,000 (US) for info to bring the miscreant[s] to justice. In their press release about the Conficker reward Microsoft disclosed that they're working with ICANN (Internet Corporation for Assigned Names and Numbers) and "operators within the Domain Name System" to disable sites that are targeted by Conficker.

    "To optimize the multiple initiatives being employed across the security industry and within academia, Microsoft helped unify these broad efforts to implement a community-based defense to disrupt the spread of Conficker."

    While it's hard to discern from the lawyerese press release exactly what they're doing, there definitely appears to be a concerted effort to stem the tide of this worm. Among the groups involved are:

  • NeuStar
  • VeriSign
  • Afilias
  • Public Internet Registry
  • Global Domains International Inc.
  • M1D Global
  • AOL
  • Symantec
  • F-Secure
  • ISC
  • researchers from Georgia Tech
  • The Shadowserver Foundation
  • Arbor Networks
  • Support Intelligence

  • Notable on the list to us were the Georgia tech researchers as well as anti-virus software makers Symantec and F-Secure. We salute the private sector and education researchers for working together on this.

    Too bad it takes a worm outbreak to make such an effort happen.

    On February 6, 2009, more information was made available by Microsoft about Protecting Windows from Conficker. We encourage our readers to have a look.


    Antivirus protection the old-fashioned way...

    As most everyone would agree, in this day and age, anti-virus software of some kind is a necessity on your PC. In-the-know PC security experts would even go so far as to say a firewall is necessary, too.

    But what most never bother to talk about is other preventative measures--free ones at that--that you can take to make (and keep) your PC significantly more secure.

    What most consumers--and even some businesses, too--don't know about Windows 2000, Windows XP, Windows Vista, Windows 7, Windows Server 2003, and Windows Server 2008 is that you can setup different accounts with different levels of permission on the computer.

    What's the big deal with this?

    Here's the scoop: there are two basic levels of permissions in Windows: Administrator and User. Practically speaking, all accounts in Windows are one of the two. Here's where things go off the rails...

    Microsoft, in their infinite wisdom, makes all default user accounts Administrator accounts. This means the user account you originally setup your Windows XP with is an Administrator. Administrator accounts can do virtually anything to the computer.

    Administrators can install files. Administrators can kill processes or running programs. Administrators can change the priority of some tasks to make them get more of your machine's horsepower or less.

    That doesn't sound so bad, but here's where the plot thickens. Administrator accounts can even hide processes and other things on the machine, and as we already know, Administrators can install programs.

    What does that have to do with viruses? Well, what is a virus really other than a program with malicious intent?

    Thus, this means many viruses, since they're nothing but evil programs, acutally rely on your account being an Administrator for them to even function!

    So, long story short: since Administrator accounts are needed (in many cases) to have the permission to install the virus, trojan, worm, spyware/adware, or other malware in the first place, what would happen if you weren't an Administrator?

    Elementary, my dear Watson.

    You make it harder for your computer to get infected in the first place. Much harder in fact. There's a really interesting piece over at Computerworld about the benefits of removing administrator rights and running as a regular user. One company, BeyondTrust Corp, is quoted in the article as saying,

    "When BeyondTrust looked at the vulnerabilities patched for Microsoft's browser, Internet Explorer (IE), and its application suite, Office, it found that 89% of the former and 94% of the latter could have been stymied by denying users administrative privileges."

    Wait a second here... you mean to say something like 90% of the vulnerabilities could have been mitigated just by using the right user account on my computer?


    Couple that with Internet security software, and you've got a really solid level of protection against most viruses and most other computer security threats.

    OK, now that we understand there's something else you can do to prevent viruses from getting onto your computer, the question is: how do you make an ordinary User account that doesn't have Administrator rights and how do I use it?

    The single most important thing to remember is this: you must keep at least one Administrator account on your computer, so DO NOT delete the one you're using now.

    Secondly, if you're going to try this, bear in mind that things can go wrong--horribly wrong in some cases--when you try to deal with accounts and permissions issues. If it breaks, you're on your own.

    Here are Microsoft's instructions on how to create & configure user accounts in Windows XP.

    Once you have your new account made, you may need to grant permissions to that new account to run the various programs you intend to run.

    To do this, you'll need to either log out and back in as the Administrator, grant permissions then log out as Administrator and back in as your new User account -OR- familiarize yourself with Microsoft's "RUN AS" command, which temporarily grants your current user account the ability to do a certain task as Administrator without the pain of logging out and back in.

    Now that you've gotten that far, start using the regular "User" account to perform your ordinary day-to-day tasks. After a couple of days of use, you will have probably encountered just about all of the little permissions snags where you need to grant permission to such-and-such software for your new User account to function.

    Then, when you purchase new software and need to install it, just log in temporarily as your Administrator account, install the software, and grant your new User account permission. Then when you log in as that User, you'll have the benefits of both your new software and significantly increased computer security over and above your antivirus software.


    Virus Protection Warning about Autorun.exe (more on Downandup / Conficker)

    Some readers may be unfamiliar with US-CERT. US-CERT is a big deal. It's the official United States Computer Emergency Readiness Team.

    As a division of the Department of Homeland Security, they're charged with helping keep U.S. citizens' computers safe.

    This week, in their revised advisory on Downandup / Conficker, they announced that the recommendations from Microsoft to help protect yourself from the worm are "not fully effective." Ouch.

    We originally covered the Downandup / Conficker worm after Computerworld revealed 1 in 3 PCs was still vulnerable.

    Considering that Microsoft issued a Downandup / Conficker alert and a worm patch way back in October 2008, the responsibility for the worms spread can't really be put at Microsoft's feet. They issued an "out-of-cycle" (i.e. emergency) patch for it, it's up to us as consumers to take action.

    Lastly, lest it go unsaid, remember that firewalls and antivirus software alone are not enough to keep your PC safe. You have to keep it--and all your software--patched, too.