When Antivirus Software Fails You: How to Stop (and Defeat!) a Real-World Trojan & Social Engineering Attack
It isn't every day you get to see what a real Trojan or Social Engineering attack looks like.
When you do, there's seldom time to even take screenshots: you just want to get the heck out of Dodge.
But, this time, in putting together material for our upcoming free workshop, Get Secure, when I came across a real attack I was able to record it.
If you've ever wondered what an attack looks like, here's your chance to see one.
Here's the best/worst part: nothing stopped it.
- Not our Internet Security Software.
- Not any of our browsers' built-in malware protection
- Not even Windows 10 built-in security.
See for yourself how it happened and what you can do to stop it.
This file opens in a new tab / Window for you.
Let's take a look.
First, Lee Ferran and Rhonda Schwartz of ABC News should get an award. In this piece on Flame, they claim,
I left in the entire paragraph from their article so that it could be seen in all its glory."The cyber espionage super bug Flame compromised a key Microsoft security system, the company has now revealed, prompting Microsoft to issue an emergency patch to its millions of customers because of fears of what one expert called potential "collateral damage" from the U.S. and Israel's cyber war against Iran."
At best, the quote above is misleading. At worst, it's alarmist.
Now, let's set the record straight. For starters, no one compromised a "key Microsoft security system." "Compromised" by most any measure--but particularly in cybersecurity parlance--implies there was an intrusion into Microsoft.
There was no such intrusion.
What really happened? A garden variety compromise of Windows lead to a privilege escalation that allowed the creators of the Flame virus to sign their software as if it had been written by Microsoft. (Garden variety may be a little off the mark, but hopefully, you get the idea. It was Windows itself that was compromised.)
Was it serious pie/mud in Microsoft's face? Sure. Was it [compromise] of "a key Microsoft security system"? Hardly.
What's worse is the article goes on to say, "The same day Microsoft revealed their security breach...." This bears repeating with emphasis.
There was... no... security... breach... at Microsoft.
Virus writers used existing software on the victims computers to trick the user into installing their software. That's it.
Now that that's clear, just what is this thing?
It's a virus, well, technically, it's a worm, and it appears to be of the same vein as Stuxnet in that it appears that it may've been written by a nation-state. And it's been there for a long time--at least five years say Kaspersky's researchers working on its analysis.
OK, so what's it do?
A better question: is there anything it doesn't do?
So far, according to Kasperksy's analysis of Flame it can:
- Ennumerate nearbly bluetooth devices
- Record audio (if there's a microphone)
- Create backdoor accounts on infected machines (HelpAssistant)
- Listen for incoming network requests
- List the PCs directory contents
- Lists "interesting" files
- Logs keystrokes
- Upload collected data to remote servers
- Identifies antivirus software and firewalls
Now the real question. Are you at risk.
As with any virus, the answer is maybe. In this particular case, it's a worm, which makes matters worse since worms, by their very nature, seek out new targets to infect on their own.
Making matters worse is that it appears this bugger has been out there for at least five years, meaning it's had plenty of time to fly under the radar, infect PCs, and do its business.
The (slight) upside of things--at least if you're a home consumer not living in the Middle East--is that it appears it only targets PCs of "value" in the Middle East and according to Kaspersky, it appears to've infected about 1,000 PCs. (In this case "value" means those in some way related to government, military, or defense related organizations, from which it can glean intelligence data.)
Getting Rid of FlameAs complex as this worm is, at least one major antivirus company (in this case BitDefender) has already created a detection and removal tool. If you think your regular antivirus software may've missed it (or you're not running any), here's where you can find out: http://labs.bitdefender.com/2012/05/cyber-espionage-reaches-new-levels-with-flamer/.
One last thing, if you're looking for more information on the Flame, keep in mind that it goes by other names: Flamer, sKyWIper, and Skywiper, as most virues do.
According to Alexander's research, it looks like Flashfake began its infections via hacked Wordpress blogs.
Good ol' social engineering is what duped the first wave of folks into getting infected. (N.B. Typically, these are the types of infections that are blocked by Internet security software.)From September 2011 to February 2012, Flashfake was distributed using social engineering only: visitors to various websites were asked to download a fake Adobe Flash Player update.
Next, it appears actual exploits began being used to spread the Trojan via the hacked Wordpress blogs. How many blogs were infected, but it's at least 30,000 according to a Websense report on the Wordpress infections.
Hats off to Kaspersky and Alexander both for the great research and for sharing it.
People sometimes question why antivirus software that's not a part of the operating system is a must.
With Windows 8 for instance, Microsoft has announced they're including their own antivirus software right in the operating system itself.
To be blunt: this is meaningless, particularly in the way of making a PC safer. The first antivirus software the virus writers will make sure their software evades will be that which is built into Windows! And so, this A/V software means nothing more than a false sense of security for most people and some delays for the bad guys.
Having good third-party antivirus software means you have another layer of protection the bad guys don't necessarily know about. Sure, they may try to avoid detection by independent antivirus programs, especially the most common ones, but if they're at least beating the baked-in antivirus software, their battle is largely done.
Yes, it might make it harder to find ways to infect PCs to begin with, but all that does is slow them down a bit.
Now, let's bring Apple into the picture.
Apple was first criticized for its slowness first in applying the patches to Java that Oracle made months ago (they delays which caused the Flashback Trojan to hit Macs as virulently as it did to begin with), then a second time for not working with the antivirus community that was eager to help, and then a third time for not releasing detection and removal tools.
Luckily, the antivirus companies entered the picture. First was Dr. Web with its disclosure of the trojan (and "sinkholing" of the botnet's command-and-control domain names).
Then F-Secure came into the picture with manual instructions for determining if your Mac had been compromised. On the heels of that was Kaspersky with free, automated Flashback detection and removal tools.
All of these companies beat Apple--by a LONG shot--at protecting their customers (and non-customers alike) with their steps and tools they each respectively made.
Oh, and lest it go unsaid, Apple did release an update to Java that patches the hole and removes
the most common variants of the Flashback malware.
Here's what the update looks like in Software Update:
Many a blog have I written about the necessity of Mac antivirus software, hoping to get at least a few people to drop their delusions about how the Mac and Apple's OS X are impervious to viruses.
Now, don't get me wrong, I'm not trying to start a PC vs Mac flame war/battle. Really. (They're useless.) Nor do I want this to be an, "I told you so."
What I am saying is this: If it has a CPU, chances are at or near 100% that a virus can be written to attack that computer. It's only a matter of time 'til it happens. And, yes, some computers, operating systems, and software are inherently more secure.
Even still, it's important to realize "more secure" doesn't mean "secure."
In a way, we should consider ourselves lucky, like the MacDefender fake antivirus malware, this one is also getting a lot of coverage in the press and elsewhere, so it's raising the specter of viruses being mainstream for the Mac like they are for the PC.
And with that knowledge comes greater understanding of what can be done to protect ourselves. In this case the understanding came because Russian antivirus firm Dr Web uncovered the 550,000 strong botnet that spread via Trojan Backdoor.Flashback.39.
F-Secure also has a good write-up / manual removal instructions on how to remove the Trojan-Downloader:OSX/Flashback.I.
And, if you're a Mac user and you haven't yet gotten it, Apple has an important Java security update. (A Java exploit being the channel through which trojan is infecting the Mac to begin with.)
My $.02, if you're looking for antivirus software for your Mac, our testing is incomplete, but so far we like BitDefender Antivirus for Mac, so if you're in the market, take a look.
UPDATETurns out this Mac Trojan isn't some little deal. The folks at F-Secure have found out Mac Trojan Flashback.B Checks for virtual machine!
What's so significant about that?
Nearly all antivirus researchers rely heavily on virtualization software like Virtual PC, VMWare, Parallels, VirtualBox and others to help their research.
Using virtualization software allows the researchers to investigate viruses with the added safety net of doing so in a contained environment. And, in doing so they're able to more easily explore the innards of many viruses.
The malware writers for Windows have figured this out, and many of the most advanced viruses check to see if their virus is running inside a virtual environment and, if so, they shut down, thus making research slower, more tedious, and a lot more difficult.
This is one of those things that's been going on in the Windows virus arena for a long, long time. What's really unexpected though is that it's already showing up in a Mac virus, which on a couple of levels means virus writing is a lot more advanced for the Mac than many virus researchers--and certainly the general public--ever imagined.
The bottom line: if you're running a Mac and you don't have Mac antivirus software, it's time to consider it.
Here's my reply: (with a little extra added here for clarification)I'm 73 years old. My grand kids have been getting after me a lot lately. They want to me to put some of that antivirus software on my computer. I don't know a thing about this stuff. I don't understand why I even need it. I use my computer for email and reading the news.
Thanks for writing, Martha.
I'm glad to hear your grandkids have been after you to get antivirus software. They're wise beyond their years. :-)
The first question here is:
Since there are so many different ways a computer can get a virus, the question to ask to decide if you need antivirus software is:
The main risks of viruses are that they tend to be:
- personally invasive
- resource thieves
If you have nothing of value on your PC, there's no risk here other than the time and cost for a PC shop to restore your PC and get it back into a working state.
On the other hand, if you do have things of value (real or sentimental) on your PC, maybe photos, music, emails, or the like, what would be involved in restoring those files, assuming it's possible?
As for viruses being personally invasive, it means viruses can steal your files, your data, and under the right circumstances even your identity.
Ditto here. If there's nothing of value on your PC, the risks are the time and cost of repair. If you use your computer for things like online banking, doing your taxes, or medical-related stuff, what's the risk of this information falling into the wrong hands?
The last one, resource theft, means viruses can burrow their way onto your PC and can make your computer a part of a "botnet".
Botnets are often used for sending spam, so if your PC gets sucked into a virus botnet, it's pretty likely someone would start using it to send their spams, probably without you even knowing it.
Even if there's truly no risk of data loss or theft (which isn't really the case, but assuming it is), if your computer is in a botnet, it's definitely being used for malicious purposes, something most folks don't want.
As to how you get a virus, there are a lot of ways computers get viruses. These days, the bad guys are resorting to taking over legitimate websites and using clever tricks to confuse people--or their computers--to installing their viruses.
How you get a virus is actually less important than what would happen if you got one, which is the real question to ask yourself if you're trying to figure out if you need antivirus software.
Easily one of the most Frequently Asked Questions we get is,
What's the difference between antivirus software and an Internet security suite?
Right on the heels of that is the next one,
Is the upgrade worth it?
Each security software company puts their own spin on things, but generally it boils down to the addition of two critical features:
- firewall software
- malicious website filtering
Creates a virtual "moat" between your PC and the Internet (or the rest of a network if you're on an open wireless network somewhere like a coffee shop or the airport.)
Sure, some malware can beat a software firewall, but it's another layer of defense to help keep your PC safe.
The other benefit to the best firewalls: you can record (and block) traffic both going to your PC and traffic leaving from it, too.
What's the point?
You'd be surprised how many programs are installed on your PC that make connections all on their own to check for updates, etc. Viruses, worms, keyloggers, spambots, and other malware do this, too.
So, if you suspect a virus may've infected your PC and gotten past your antivirus software, a firewall can help you track down if and when it's making connection attempts from your PC back to a master server somewhere.
malicious website filtering
You're out reading some news and checking out your favorite sites. Maybe you're clicking around and visiting some sites you've never been to, maybe you just made a typo did "yuorbank" instead of "yourbank."
In either case, the bad guys are on the prowl and are:
- secretly taking over legitimate sites and installing their viruses onto them
- buying domain names that are typos of legitimate sites
- sending spams and phishing emails
Regardless of their method, the bad guys are out there, and malicious website filters (including anti-phishing ones), like a firewall, can give you one more layer of protection before the actual virus detection part of antivirus software has to come into play.
Is the upgrade it worth it?
In a lot of cases when it comes to technology, there's wiggle room in an answer. In this case though, the "Yes" is clearcut.
Sure, these two features will cost a few bucks more, usually about $10. The $10 is well spent though, since you're getting real benefit from it.
The $10 isn't just fluff on a fancier name; it's $10 on--at least--two different security technologies that you don't get with most basic antivirus protection.
And, they're two technologies that can make all the difference between your PC being compromised (and all the clean-up time, expense, and mess that goes along with it) and not.
Antivirus vendor Sophos via their SophosLabs "Naked Security" blog is bringing news of a massive trojan spam campaign that ties in postal mail delivery--or lack thereof--with an trojan-bearing email. Here's the scoop:
By using a variety of clever subject lines the spams lead people to believe they've missed a package delivery from the USPS or Royal Mail, and so the spammers trick unsuspecting people into opening their malicious trojan-containing email.
Data on this trojan is inconclusive, but right now according to Sophos:
Detection data is also inconclusive and industry-wide detections appear to be hit-or-miss on this with the following software detections:Contained inside the ZIP file is a Trojan horse, detected by Sophos products proactively as Mal/Bredo-Q.
Here are a couple of samples of these emails. (Thanks and credit to Graham Cluley of SophosLabs for these.)
...and a sample of the Royal Mail fake:
Is it legal? It appears not, despite being state sponsored....can not only siphon away intimate data but also offers a remote control or backdoor functionality for uploading and executing arbitrary other programs.
And, no matter your opinion of remote PC monitoring and true spy software, there's something very troubling about this trojan according to CCC,
Their analysis isn't just hot air. Further in their report, they go on to say,Significant design and implementation flaws make all of the functionality available to anyone on the internet.[Editor's Note: Emphasis mine.]
These are serious charges being leveled, so what does the antivirus software community's analysis reveal?The analysis also revealed serious security holes that the trojan is tearing into infected systems.
"The screenshots and audio files it sends out are encrypted in an incompetent way, the commands from the control software to the trojan are even completely unencrypted. Neither the commands to the trojan nor its replies are authenticated or have their integrity protected.
"Not only can unauthorized third parties assume control of the infected system, but even attackers of mediocre skill level can connect to the authorities, claim to be a specific instance of the trojan, and upload fake data.
"It is even conceivable that the law enforcement agencies's IT infrastructure could be attacked through this channel.
Both Kaspersky and F-Secure have already done their own analysis. Here's what they each have to say:
F-SecureIn their "News from the Lab" blog on the R2D2 Backdoor Trojan, their report adds,
And now, several German states have admitted to using Backdoor:W32/R2D2.A (a.k.a. "0zapftis"), though they say the backdoor falls within what's allowed.
KasperskyThe Kaspersky blog details their own analysis which uncovered some other interesting details, including:
So what's the point of this trojan? Good question....there are six components in total – each with a different purpose – all of which have been analyzed by us.
"Amongst the new things we found in there are two rather interesting ones: firstly, this version is not only capable of running on 32 bit systems; it also includes support for 64 bit versions of Windows.
"Secondly, the list of target processes to monitor is longer than the one mentioned in the CCC report.
"The number of applications infected by the various components is 15 in total.
The various reports all say it's for monitoring communication from a suspect's computer when they're using several types of software:
- VOIP software (like Skype)
- web browsers
- chat software
|Software Monitored by R2D2 Backdoor Trojan
|Internet Explorer web browser
|Mozilla Firefox web browser
|Opera web browser
|Video chat software
So now, the question is are the antivirus software companies detecting the trojan?
Yes. Kaspersky and F-Secure alike say their software's heuristics (i.e. realtime protection) were capable of detecting the trojan even before they became aware of it and added specific threat definitions to their software.
The 'heuristic' category indicates that our automation flagged the file based on rules that our analysts have created.And Kaspersky says,
All components are detected by Kaspersky as variants of the R2D2 trojan/rootkit. The dropper was previously heuristically detected and blocked by us as an invasive program.
So, the bottom line, if you're running good antivirus software with realtime protection enabled, this trojan is unlikely to be a threat.
And, if you're not, why not?
MacDefender now showing up with yet another name, "MacShield."
Not much else to say. It's as bogus as ever and brings the total number of aliases it shows up as to five, including:
Just more crapware to keep an eye out for. We'd love to hear from anyone who has spotted these things in the wild so we can do proper investigation on them.
We're specifically looking for more screenshots of the ads of these things and also of what websites we can download them from.
So far it looks like the same-old-same-old: