Security Corner:

Anti-virus

Jun 30 2009   3:19PM GMT

Panda’s Cloud Antivirus (Beta) is a Winner!



Posted by: Ken Harthun
Anti-virus, Anti-malware, Panda Security, Software, Cloud Computing, Opinion

I’ve been using Panda Security’s free Cloud Antivirus for awhile and I must say I’m impressed. It’s there, but you’ll never know it unless you look (the little panda icon in the system tray). I rarely get malware of any kind, but Cloud AV has caught a couple of things that were probably drive-bys. It’s so transparent that I actually had to go check on it before I noticed that malware had been caught. This is a perfect set-it-and-forget-it AV for the regular user. It’s free, self-updating and doesn’t require any decisions on the part of the user. You can believe what they have to say:

Light Light

Panda Cloud Antivirus protects you while you browse, play or work and you won’t even notice it. It is extremely light as all the work is done in the cloud.

Easy Easy

Panda Cloud Antivirus is truly install and forget. Don’t worry about updates, configuration or complicated decisions ever again.

Secure Secure

Panda Cloud Antivirus provides you with the fastest protection against the newest viruses thanks to its cloud-scanning from PandaLabs’ servers.

But the great part about it is how it works. Watch the video. It’s really slick, blocking malware within 6 minutes when encountered by anyone who has it installed; it’s truly real time updating.

That’s my two cents. You be the judge and try it for yourself.

Apr 22 2009   2:09AM GMT

It’s Not Your Fault



Posted by: Ken Harthun
Security, Opinion, Rant, Anti-malware, Anti-virus, Malware, insecure

I’m going to take a lot of heat for this post. Maybe. Unless I’m right (which I usually am). So, let me just get it out of the way: The state of security on the Internet today is NOT YOUR FAULT. Neither is it the fault of the clueless surfers who click on any and every link in their email and say “yes” to every popup on their screen. It’s not the fault of those who love to install the “little bitty kitty” screensavers that are loaded with adware and the ones who use the “fun web products” emoticons and stationery with similar bent. No, it’s not your fault.

It’s M….no, it’s U….no, it’s…hell,  it’s the software developers who don’t have a clue on how to write a secure application. The end user—be she a geek or a regular consumer user—has no way of knowing that there are security holes on the software she uses. And she shouldn’t have to be concerned about it, now, should she? NO.

The more I have to deal with the malicious–and sometimes just crappy–stuff that people manage to get on their systems, the more I want to grab the programmers, web app developers, and insecure software purveyors by the throat. Conspiracy theorists speculate that since the anti-malware software industry is a multi-billion dollar cash cow, we don’t have a chance of ever seeing truly secure software. I don’t think that’s true. There’s enough crap out there to keep the anti-malware industry busy for a long time.

But it does make one wonder, doesn’t it?


Apr 10 2009   11:46PM GMT

Conficker’s raison d’être? Profit, of Course



Posted by: Ken Harthun
Anti-malware, Anti-virus, Botnet, Conficker, Cybercrime, Security, Worm, Scam, Scareware

More than a week after Conficker’s much-hyped April 1st activation date, the botnet has come to life and is using a P2P communication system to update itself on what is believed to be millions of infected PCs. Along with the update, the worm is downloading scareware known as SpywareProtect2009, according to Alex Gostev of Kaspersky Lab:

One of the files is a rogue anti-virus app, which we detect as FraudTool.Win32.SpywareProtect2009.s. The first version of Kido (Conficker), detected back in November 2008, also downloaded fake antivirus to the infected machine. And once again, six months later, we’ve got unknown cybercriminals using the same trick.

As is typical with scareware, once SpywareProtect2009 is downloaded, the victim will start seeing the usual popup warning messages asking if they want to “clean and protect” their PC (see screen shot below). Of course, this will cost them $49.95. The criminals will no doubt make millions on these fees alone while amassing a huge database of valid credit card numbers that will likely be sold for additional profit.

Threatpost.com has posted an excellent FAQ and also provides a disinfection tool called KKiller for download.


Feb 24 2009   3:37AM GMT

Scareware – Yes, People Do Fall for the Ruse



Posted by: Ken Harthun
Anti-malware, Anti-virus, Malware, Social Engineering, Malicious Software Removal Tool, Security, Scam, Virus

What happens when people fall for the scareware ruse and actually install the stuff? Oddly enough, they may not even know they’ve been duped. Their systems may run a little slower, but they may be fooled into thinking they’re now being protected by the malware they’ve installed. What follows is a real-life example of someone who wrote in to a well-known security forum. (So as not to cause embarrassment to the victim, I have changed names and details.)

Question one, [Miss K] is very upset that Microsoft uninstalled her new antivirus program.  [Gentlemen], she writes, “I turned on my computer a few days ago, and I got a message saying that Microsoft MSRT had removed AV 2009 from my computer.  So now I don’t have an antivirus installed.  I tried to download another copy of AV 2009, but I couldn’t remember where I got it.  Can you tell me…” [the gentleman reading this question actually thinks it’s a joke] “Can you tell me where to find it, or recommend a free AV program?”

Here is some of the conversation between the hosts:

Host1:  And a lot of people have been getting it.  And MSRT has been removing it from a lot of machines.  So in case [Miss K] is serious, we’re not laughing at you, we’re laughing with you.

Host2:  Yes, because you’re not alone.  There are many, many, many people who’ve fallen for this.  I get - literally I get this call on the radio show all the time.

Host1:  Yes.  Yes.  So do not go looking for another copy of it.  Actually it’ll probably find you, without you having to look for it, and happily crawl into your computer.  It is malicious.  It’s good that Microsoft MSRT removed it.



Feb 18 2009   5:05PM GMT

Scareware–Using Fear & Deception to Dupe Consumers



Posted by: Ken Harthun
Security, Malware, Anti-malware, Anti-virus, Cybercrime, Scam, Virus

You’re checking out your favorite web sites when out of the blue a scary message appears on your desktop, which may look like the picture below, or it may just be a box that says “Warning! Spyware detected on your computer!”

What do you do? If you’re the average computer user, this will probably scare you (which is why it’s called “scareware”). You’ll be very tempted to click on the button, thinking that you are ridding yourself of some nasty spyware, but don’t do it: The message is a fake and you’re not really infected. If you click, however, you are going to get infected by some really nasty stuff.

Not only that, but clicking will probably bring up a “registration” screen and if you click on that, you’ll be taken to a web site where the crooks try to sell you their bogus–and totally useless–”security” software. Not only will they dupe you out of $39.95, $49.95, or whatever they’re charging, they’ll get your credit card or banking information and maybe clean you out for real. It’s all a scam and the criminals who run these things are making millions.

The only defense is knowing that these scams exist and not falling for the ruse if you’re ever hit by one. With that in mind–and with some help from various sources on the web–I present a list of some of the more prominent “scareware” scams. This list is by no means complete; new variations appear regularly. But all of them use the same tactic: scare the victim into taking some action.

  • AntiVirus 2008, 2009 and 2010: The above screenshots are of Antivirus 2009, but all three are basically the same program and have similar appearance.
  • AntiVirus Plus: Sometimes uses Microsoft Security Center alerts to trick you into thinking it’s legit. The screen shot below is totally bogus.

  • AntispywareXP 2009: Very intrusive. The fake alerts and scan results overload your system and slow it down.
  • XP Antispyware 2009: Virtually the same as AntispywareXP 2009.
  • WinDefender 2009: This little gem will always find malware on your system. Of course, what it finds is bogus, but it’ll scare you enough to dupe you into buying the software.
  • Personal Defender 2000: Uses the same tactic as WinDefender 2009, but gives a warning about your firewall and then tries to get you to buy the software.
  • AntiVirus Sentry: This is one that will often download itself even if you don’t click on anything.
  • Security 2009: The crooks responsible for this one have the audacity to advertise it on the Web as if it’s a legitimate application.
  • ProAntispyware 2009: You might see this one advertised on the Web, too.
  • RapidAntiVirus: This one is capable of damaging your system because it identifies legitimate system files as malware. If you remove the files, you can crash your PC.
  • Antispyware 3000: Usually bundled with Trojan Horse programs. Looks legit, but don’t let its slick appearance fool you–it’s bogus.

Thanks to Redmond Magazine, bleepingcomputer.com, Microsoft Malware Protection Center, and others for information used to compose this post.


Feb 3 2009   3:19AM GMT

Are Windows PCs Threatened by Malware Harbored on Mac & Linux OS’s?



Posted by: Ken Harthun
Virus, Anti-virus, Linux, Microsoft Windows, Networking, Security, Security management

Can Mac and Linux boxes harbor malware that does not affect them, but could affect Windows PCs?  Absolutely. It can and does happen. The Sophos white paper, “Protecting Mac and Linux computers: genuine need or nice to have?” presents a convincing case, describing just how Mac and UNIX/Linux machines threaten Windows PCs.

…it is very common for Windows networks to include a server running UNIX or Linux. Vulnerabilities, such as a weak SSH password, can allow hackers to convert a Linux server into a botnet controller, and install malware that will compromise desktop Windows computers.

Well, that’s one way, but consider this: Viruses, worms, and other types of malware are files, and can be stored on any digital media, regardless of the format or operating system that created them. A Mac/UNIX/Linux machine can store Windows files; a Windows machine can store Mac/UNIX/Linux files. That a Windows virus cannot damage a Mac/UNIX/Linux machine–and vice-versa–is irrelevant: Typhoid Mary harbored and transmitted typhoid fever yet never succumbed to it. She did, however, infect 47 others, three of whom died.

…computers harboring the malware can quietly transmit it to Windows computers. For example, UNIX computers can easily transmit the virus to Windows computers via the Samba file-sharing system.

If you have a mixed network, it’s time to put some effort into protecting the non-Windows machines. Best practice now dictates that every server and desktop machine in your network be protected with some sort of anti-malware application.
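The Typhoid Mary point above can be made concrete on the non-Windows host itself: Windows malware stored on a Linux or Mac file server is just bytes on disk, so that server can inventory the share for Windows-targeted content without ever being able to execute it. The script below is an added example, not code from the original post or from Sophos; it walks a directory standing in for a Samba share, flags PE executables by their MZ/PE headers, and flags the standard EICAR anti-virus test string. The sample share, its file names, and the minimal PE-shaped blob are constructed here so the script runs offline; in production you would point a real scanner such as ClamAV at the same path.

```python
"""Inventory a directory (standing in for a Samba share exported from a Linux or
Mac host) for content aimed at Windows: PE executables and the EICAR test file.
Added example, not from the original post or from Sophos; the sample share and
its files are constructed below so the script runs offline."""
import os
import struct
import tempfile
from typing import Dict, Optional

# Standard, harmless anti-virus test string (EICAR); every AV product flags it.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def is_pe_file(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub whose e_lfanew field (offset 0x3C)
    points at a 'PE\\0\\0' header, i.e. the file is a Windows executable."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_file(path: str) -> Optional[str]:
    """Return a verdict string for a flagged file, or None if nothing was found."""
    with open(path, "rb") as fh:
        data = fh.read(4096)  # headers sit at the front; EICAR files are tiny
    if EICAR in data:
        return "eicar-test-file"
    if is_pe_file(data):
        return "windows-pe-executable"
    return None


def scan_share(root: str) -> Dict[str, str]:
    """Walk the share and return {relative_path: verdict} for flagged files."""
    findings: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            verdict = classify_file(full)
            if verdict:
                findings[os.path.relpath(full, root)] = verdict
    return findings


def build_sample_share() -> str:
    """Constructed sample share: one fake PE, one EICAR file, one clean text file."""
    root = tempfile.mkdtemp(prefix="share-")
    # Minimal PE-shaped blob: 'MZ' stub, e_lfanew = 0x40, 'PE\0\0' at 0x40.
    pe = bytearray(0x44)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)
    pe[0x40:0x44] = b"PE\x00\x00"
    os.makedirs(os.path.join(root, "tools"))
    with open(os.path.join(root, "tools", "setup.exe"), "wb") as fh:
        fh.write(pe)
    with open(os.path.join(root, "eicar.com"), "wb") as fh:
        fh.write(EICAR)
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("nothing to see here\n")
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for rel, verdict in sorted(scan_share(share).items()):
        print(f"{verdict:24} {rel}")
```

The header check only proves a file is a Windows executable, not that it is malicious; the point of the exercise is that the Linux or Mac host can see and classify that content, so a real scanner running there can block it before a Windows client ever opens it.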


Jan 28 2009   1:47AM GMT

Using the Malicious Software Removal Tool (MSRT) from the Command Line



Posted by: Ken Harthun
Security, Anti-malware, Anti-virus, Microsoft, Malicious Software Removal Tool

In my September 13, 2008 post, “Software for Secure Computing: Microsoft Malicious Software Removal Tool,” I said, “Many people don’t even know that MSRT can be run from the Microsoft.com website or downloaded and run at will.” I wonder how many people know that if you have automatic updates enabled, there’s no need to download MSRT to run it–the latest version is already on your system.

The MSRT can be invoked from the Run dialog or the command line using a simple three-letter command. Several options are available.  Hit Windows Key + R to open the Run dialog and type mrt /? This will bring up an information box as shown below. (The same thing happens if you type the command at a command prompt.)

The options are self-explanatory. If you just type mrt by itself, it will bring up a UI that allows you to point and click to select the type of scan you want. At the first UI screen, you can view a list of malicious software that the tool detects and removes. The signatures are updated monthly on patch Tuesday when Microsoft releases the latest version of the tool.

Remember that the MSRT is not a replacement for an anti-virus product; it targets only a limited set of specific, prevalent malware as determined by Microsoft’s security folks.  You should use a good anti-virus product.


Dec 2 2008   9:00PM GMT

Own a Mac? Get Anti-virus, says Apple



Posted by: Ken Harthun
Security, Apple, Mac, Virus, Anti-virus, Opinion, Anti-malware

The Mac vs. PC ads are always funny, but this one’s even more of a hoot, especially since Apple quietly snuck out an advisory on November 21 that Mac users should use multiple antivirus programs:

“Apple encourages the widespread use of multiple antivirus utilities so that virus programmers have more than one application to circumvent, thus making the whole virus writing process more difficult.”

Needless to say, this is getting a lot of play in the media.

From The Register:

“Long something of a phantom menace, strains of malware capable of infecting Mac machines have gradually been increasing in prevalence over recent months. In addition, VXers are making more use of web-based attack and application-specific vulnerabilities to infect PCs whatever their underlying operating system might be.”

From the Washington Post:

“This is news to me. Just under three months ago, I asked an employee at our local Apple store whether I needed anti-virus for my MacBook, and was told not to bother, that it was not necessary. I wonder if this means Apple will stop running television ads saying Mac users don’t have to worry about malicious software?”

It had to happen sooner or later. The Mac user base may be much smaller than the PC’s, but it’s still significant and enjoyed a 38 percent market share growth, going from 6.4 percent of the market in 2007 to 8.5 percent during the second quarter of 2008. Even more significant is the little known fact that Apple’s market share of the so-called “premium” computer market, machines that cost more than $1,000, hit a whopping 66% in the first quarter of 2008. Maybe, just maybe, people who buy “premium” stuff have more money, which can mean a bigger payday for the Internet criminals.

Just my opinion, but if you could steal a Jaguar with no more effort than it takes to steal a Chevy, which would you take?


Nov 30 2008   4:21PM GMT

An MBR Tool to Combat Mebroot



Posted by: Ken Harthun
Security, Malware, Virus, Anti-virus, Rootkit, Anti-malware, Trojan

Assuming you or your client is not already infected with Mebroot, there’s another tool you can use to easily recover in the event of an infection: MBRtool 2.3 from DIY DataRecovery.

MBRTool is a freeware DOS program designed to backup, restore, and manipulate your hard disk MBR. The latest version includes a boot disk builder that will allow you to create a diskette or bootable CD/DVD, making it ideal for recovering from a Mebroot infection. If you are sure the target machine is clean, or you have a clean image that you can restore, you simply use MBRTool to make a backup of the valid MBR. In the event of infection, use the boot disk to start the machine and restore the valid MBR. Bye, Bye, Mebroot!

Going beyond simple recovery, you could use MBRTool to make a copy of and examine an infected MBR to compare its code against known Mebroot variants. But, be careful: you don’t want that infected MBR to get away from you.
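Once you have a clean MBR backup, the “examine and compare” step above boils down to parsing the 512-byte sector and comparing its regions against the baseline. The script below is an added example, not MBRTool’s own code: it reads the standard MBR layout (boot code in the first 440 bytes, four 16-byte partition entries at offset 446, the 0x55AA signature at offset 510), hashes the boot code and partition table separately, and reports which region changed. The two MBR images are constructed for illustration; the “altered” one only flips a few boot-stub bytes so the comparison has something to find.

```python
"""Parse a 512-byte MBR image (such as a backup made with an MBR tool) and
compare a current copy against a known-good baseline. Added example, not
MBRTool's code; the two MBR images below are constructed for illustration."""
import hashlib
import struct
from typing import Dict, List

SECTOR = 512
BOOT_CODE_LEN = 440       # classic boot code area; disk signature and reserved bytes follow
PT_OFFSET = 446           # four 16-byte partition entries
SIGNATURE_OFFSET = 510    # 0x55 0xAA boot signature


def parse_mbr(mbr: bytes) -> Dict:
    """Return the signature check, the non-empty partition entries, and a SHA-256
    of the boot code region and of the partition table region."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions: List[Dict] = []
    for i in range(4):
        off = PT_OFFSET + 16 * i
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "valid_signature": mbr[SIGNATURE_OFFSET:] == b"\x55\xAA",
        "partitions": partitions,
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partition_table_sha256": hashlib.sha256(mbr[PT_OFFSET:SIGNATURE_OFFSET]).hexdigest(),
    }


def compare_mbr(baseline: bytes, current: bytes) -> Dict[str, bool]:
    """Flag which regions differ. Boot code changed while the partition table is
    intact is what an MBR rootkit leaves behind: the disk still boots the same
    partitions, but via code that is not the original boot stub."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    return {
        "boot_code_changed": b["boot_code_sha256"] != c["boot_code_sha256"],
        "partition_table_changed": b["partition_table_sha256"] != c["partition_table_sha256"],
        "signature_ok": c["valid_signature"],
    }


def build_sample_mbr() -> bytes:
    """Constructed clean MBR: placeholder boot stub, one bootable NTFS partition, 0x55AA."""
    mbr = bytearray(SECTOR)
    mbr[:3] = b"\x33\xC0\x8E"   # placeholder bytes standing in for a boot stub
    struct.pack_into("<B3xB3xII", mbr, PT_OFFSET, 0x80, 0x07, 2048, 204800)
    mbr[SIGNATURE_OFFSET:] = b"\x55\xAA"
    return bytes(mbr)


def altered_copy(mbr: bytes) -> bytes:
    """Constructed 'after' image: a few boot-code bytes differ, partition table untouched."""
    changed = bytearray(mbr)
    changed[0:3] = b"\xEB\x58\x90"   # arbitrary different bytes, not real boot code
    return bytes(changed)


if __name__ == "__main__":
    clean = build_sample_mbr()
    print("baseline:", parse_mbr(clean))
    print("same copy:", compare_mbr(clean, clean))
    print("altered copy:", compare_mbr(clean, altered_copy(clean)))
```

On a real system the baseline is the backup you made while the machine was known clean, and the current image is the first sector read from the disk (with MBRTool, or from a boot disk); a boot-code mismatch with an unchanged partition table is the cue to restore the backup rather than to trust whatever the running OS reports.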


Nov 29 2008   12:39AM GMT

F-Secure Claims BlackLight Will Remove Mebroot (Sinowal)



Posted by: Ken Harthun
Security, Malware, Anti-virus, Rootkit, Anti-malware

Happy Thanksgiving and good luck surviving Black Friday!

I’ve been using F-Secure’s BlackLight Rootkit Eliminator ever since it was first released in early 2005. It’s a solid tool and has saved me from having to completely reload a system on at least three occasions, so I don’t know why I didn’t think of it as a weapon against Mebroot. Thanks to a news update from Windows Secrets, I visited F-Secure’s site and discovered the following in a March 31, 2008 blog post:

“A while ago we blogged about the MBR rootkit, which has been getting attention from all security vendors. We’re glad to inform you that the latest version of the F-Secure BlackLight standalone rootkit scanner now detects MBR rootkit infections.

“BlackLight has stood the test of time ever since it was released in the beginning of 2005. A new rootkit technique that has been able to evade detection has been a very rare event. The MBR rootkit is quite different from other rootkits we’ve seen over the years, so we had to add completely new technology into BlackLight to detect it successfully.”

Needless to say, I immediately downloaded the latest version and have it ready to go for any suspected Mebroot infections. Of course, I used it to check all of my own systems and am happy to report that the tool didn’t find anything wrong with my MBR. You can download the standalone BlackLight here.

In my next post, I’ll give you two more tools that you can use to combat this sinister threat: MBR BIOS locking and an MBR backup tool.