May 31 2009 6:56PM GMT
Posted by: Ken Harthun
Microsoft Windows,
Browsers,
Firefox,
Internet Explorer,
Security,
Malware,
Microsoft,
Opinion,
Secure Computing
Enter “screensavers” into any major search engine and there’s better than a fifty percent chance that any result you click on will land you on a malicious website. According to McAfee’s recently released report “The Web’s Most Dangerous Search Terms,“ that search term carries a maximum risk of 59.1 percent. Furthermore, lyrics and anything that includes the word “free” have a high risk of exposing users to malicious or fraudulent web sites. Health-related search terms have the lowest risk profile. Check out The Web’s most dangerous keywords to search for on ZDNet.com.
One of the biggest problems is that the bad guys, using Black Hat SEO techniques, grab onto the trending search terms of the moment and use their popularity to get links to compromised sites placed high in the search engine rankings. This, coupled with the fact that 77% of Websites carrying malicious code are legitimate sites, make for an increasingly dangerous environment for the casual surfer.
This is yet another reason to continue to beat my drum: If you use IE, disable scripting and ActiveX (IE8 has increased security, so consider upgrading). Better yet, switch to Firefox and use the NoScript plugin. Tell the users who trust you to do the same, will you? And make sure they have the latest security patches on their systems. Most people are trusting souls; on the web, they shouldn’t be. Let’s instill the “trust no one” (except for us white hats, of course) mentality into everyone we can.
Apr 22 2009 2:09AM GMT
Posted by: Ken Harthun
Security,
Opinion,
Rant,
Anti-malware,
Anti-virus,
Malware,
insecure
I’m going to take a lot of heat for this post. Maybe. Unless I’m right (which I usually am). So, let me just get it out of the way: The state of security on the Internet today is NOT YOUR FAULT. Neither is it the fault of the clueless surfers who click on any and every link in their email and say “yes” to every popup on their screen. It’s not the fault of those who love to install the “little bitty kitty” screensavers that are loaded with adware and the ones who use the “fun web products” emoticons and stationery with similar bent. No, it’s not your fault.
It’s M….no, it’s U….no, it’s…hell, it’s the software developers who don’t have a clue on how to write a secure application. The end user—be she a geek or a regular consumer user—has no way of knowing that there are security holes on the software she uses. And she shouldn’t have to be concerned about it, now, should she? NO.
The more I have to deal with the malicious–and sometimes just crappy–stuff that people manage to get on their systems, the more I want to grab the programmers, web app developers, and insecure software purveyors by the throat. Conspiracy theorists speculate that since the anti-malware software industry is a multi-billion dollar cash cow, we don’t have a chance of ever seeing truly secure software. I don’t think that’s true. There’s enough crap out there to keep the anti-malware industry busy for a long time.
But it does make one wonder, doesn’t it?
Feb 24 2009 3:37AM GMT
Posted by: Ken Harthun
Anti-malware,
Anti-virus,
Malware,
Social Engineering,
Malicious Software Removal Tool,
Security,
Scam,
Virus
What happens when people fall for the scareware ruse and actually install the stuff? Oddly enough, they may not even know they’ve been duped. Their systems may run a little slower, but they may be fooled into thinking they’re now being protected by the malware they’ve installed. What follows is a real-life example of someone who wrote in to a well-known security forum. (So as not to cause embarrassment to the victim, I have changed names and details.)
Question one, [Miss K] is very upset that Microsoft uninstalled her new antivirus program. [Gentlemen], she writes, “I turned on my computer a few days ago, and I got a message saying that Microsoft MSRT had removed AV 2009 from my computer. So now I don’t have an antivirus installed. I tried to download another copy of AV 2009, but I couldn’t remember where I got it. Can you tell me…” [the gentleman reading this question actually thinks it’s a joke] “Can you tell me where to find it, or recommend a free AV program?”
Here is some of the conversation between the hosts:
Host1: And a lot of people have been getting it. And MSRT has been removing it from a lot of machines. So in case [Miss K] is serious, we’re not laughing at you, we’re laughing with you.
Host2: Yes, because you’re not alone. There are many, many, many people who’ve fallen for this. I get - literally I get this call on the radio show all the time.
Host1: Yes. Yes. So do not go looking for another copy of it. Actually it’ll probably find you, without you having to look for it, and happily crawl into your computer. It is malicious. It’s good that Microsoft MSRT removed it.
Feb 18 2009 5:05PM GMT
Posted by: Ken Harthun
Security,
Malware,
Anti-malware,
Anti-virus,
Cybercrime,
Scam,
Virus
You’re checking out your favorite web sites when out of the blue a scary message appears on your desktop, which may look like the picture below, or it may just be a box that says “Warning! Spyware detected on your computer!”
What do you do? If you’re the average computer user, this will probably scare you (which is why it’s called “scareware”). You’ll be very tempted to click on the button, thinking that you are ridding yourself of some nasty spyware, but don’t do it: The message is a fake and you’re not really infected. If you click, however, you are going to get infected by some really nasty stuff.
Not only that, but clicking will probably bring up a “registration” screen and if you click on that, you’ll be taken to a web site where the crooks try to sell you their bogus–and totally useless–”security” software. Not only will they dupe you out of $39.95, $49.95, or whatever they’re charging, they’ll get your credit card or banking information and maybe clean you out for real. It’s all a scam and the criminals who run these things are making millions.
The only defense is knowing that these scams exist and not falling for the ruse if you’re ever hit by one. With that in mind–and with some help from various sources on the web–I present a list of some of the more prominent “scareware” scams. This list is by no means complete; new variations appear regularly. But all of them use the same tactic: scare the victim into taking some action.
- AntiVirus 2008, 2009 and 2010: The above screenshots are of Antivirus 2009, but all three are basically the same program and have similar appearance.
- AntiVirus Plus: Sometimes uses Microsoft Security Center alerts to trick you into thinking it’s legit. The screen shot below is totally bogus.
- AntispywareXP 2009: Very intrusive. The fake alerts and scan results overload your system and slow it down.
- XP Antispyware 2009: Virtually the same as AntispywareXP 2009.
- WinDefender 2009: This little gem will always find malware on your system. Of course, what it finds is bogus, but it’ll scare you enough to dupe you into buying the software.
- Personal Defender 2000: Uses the same tactic as WinDefender 2009, but gives a warning about your firewall and then tries to get you to buy the software.
- AntiVirus Sentry: This is one that will often download itself even if you don’t click on anything.
- Security 2009: The crooks responsible for this one have the audacity to advertise it on the Web as if it’s a legitimate application.
- ProAntispyware 2009: You might see this one advertised on the Web, too.
- RapidAntiVirus: This one is capable of damaging your system because it identifies legitimate system files as malware. If you remove the files, you can crash your PC.
- Antispyware 3000: Usually budled with Trojan Horse programs. Looks legit, but don’t let it’s slick appearance fool you–it’s bogus.
Thanks to Redmond Magazine, bleepingcomputer.com, Microsoft Malware Protection Center, and others for information used to compose this post.
Feb 14 2009 3:54PM GMT
Posted by: Ken Harthun
Microsoft Windows,
Browsers,
Firefox,
Internet Explorer,
Opera,
Malware,
Vulnerabilities,
Secure Computing,
Zero-day vulnerability
Security is a complicated process, leaving many to desire a magic bullet. Unfortunately, there isn’t one. No matter how much security developers build into software, the behavior of the person seated in the chair will always be the weak link. Truth be told, all of the major browsers are safer than the browsing habits of their users. I have advocated safe computing practices for years, especially when it comes to keeping operating systems and applications patched. Sure enough, the best protection against malware is a fully patched system.
Recently, Roger A. Grimes of InfoWorld posted “Browser Security Wars” in his Security Advisor blog. For several months, Grimes tested the five most popular Web browsers: Chrome, Firefox, Internet Explorer, Opera, and Safari. His conclusion is no surprise:
So which one is guaranteed to make your Internet browsing experience perfectly safe?
None, of course. If you have the need for high security on a computer you manage, don’t allow it to surf on the public Web. It’s that simple. Internet browsers are highly complex pieces of software interacting with millions of combinations of highly complex active content and programming code, much of it not so friendly. There is no “super secure” browser.
Not exactly a great revelation; however, there is one surprising discovery: In Grimes’s testing, none of the browsers allowed malware to silently install as long as they were running on fully patched systems. Instead, most of them relied on tricking the user into intentionally running an infected executable:
Almost all the malicious Web sites I came across offered an executable to install, usually in the form of bogus anti-malware software or some sort of content player. In order to be infected, I had to intentionally run the offered executable — not always, but nearly so. There was a smattering of sites that tried to use malformed or mismatched content to trick the third-party software into silently executing code, but it was uncommon; and when my system was fully patched, it never silently succeeded. [Emphasis added]
You’ll find a comprehensive rundown of security features and faults of all the aforementioned browsers in InfoWorld’s special report, “InfoWorld Test Center’s guide to browser security.”
Feb 10 2009 3:02AM GMT
Posted by: Ken Harthun
Security,
Malware,
OpenDNS,
Conficker,
Worm,
Cybercrime,
Anti-malware
With some estimates placing the number of computers infected by the Conficker worm at 10 million or more, Conficker has the potential to become one of the biggest botnets ever. Given that many system administrators probably don’t realize they’re hosting the parasite, it’s a good bet that things will get worse before they get better. Fortunately, the good guys at OpenDNS are offering a free service designed to alert administrators of Conficker’s presence and help them with containment and cleanup.
Though Conficker began spreading late last year, so far none of the infected machines has downloaded any software that would create a botnet or send spam. However, that could change in a blink if the criminals behind Conficker add a malicious payload to any of the domains the drones connect to every day. If a network has any PCs that try to connect to the rogue servers, OpenDNS will pinpoint them. As part of the service, infected machines will be prevented from connecting to the control servers:
What’s interesting about this particular virus is that it uses the Domain Name System in a unique way: Conficker contains an algorithm that checks 250 new domains per day for instructions on what it should do. This puts us in a unique position to keep you safe since we’re in the unique position of providing insight and intelligence into your DNS service. We’ve teamed with Kaspersky Lab to identify those 250 daily domains, and stop resolving them.
Administrators must register for a free account in order to take advantage of the service and must use OpenDNS on their networks. Once the account is set up, it’s a simple matter to check for Conficker’s presence:
To find out if Conficker has penetrated your network, simply log in to your account and select Stats on the left sidebar. From there choose Blocked Domains and filter “only domains blocked as malware.” This will generate a list of malware sites your network has attempted to connect with.
Jan 30 2009 4:23AM GMT
Posted by: Ken Harthun
Malware,
Cybercrime,
Anti-malware,
Trojan
Talk about irony. You get infected by a cybercriminal’s illegal bot (Ozdok/Mega-D in this case) which takes a screen shot that shows you searching for illegal underage porn; then, security researchers get hold of some screen shots from the bot’s command and control (C&C) server; while going through the shots, the researchers come across those of your screen and notify the authorities (presumably, the FBI).
From a Security Works research note, Ozdok: Watching the Watchers:
Also, a note to the gentleman searching for images of nude preteen girls: You can run all the anti-spyware tools you can find, and employ the best anonymity tools in your web browser - it’s not going to help you if you get infected with an advanced trojan like Ozdok/Mega-D or one of the many others that allow hackers to take screenshots of your computer desktop. Don’t worry though, you probably won’t need a computer in the near term, as we’ve notified the authorities of your name and location (which you conveniently provided in a series of screenshots).
The good news is that you can remove the pest. Here’s what Symantec recommends for their products:
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.
Complete removal instructions in this article.
Jan 23 2009 2:15AM GMT
Posted by: Ken Harthun
Security,
Malware,
Zero-day vulnerability,
Patch management,
Security bulletin,
Opinion
The latest mass infection to hit the Internet is the Win32/Conficker/Downadup Worm, estimated to have already infected between 500,000 and 8.9 million PCs, depending on whose numbers you believe. This is astounding, considering that the worm exploits a vulnerability in Windows that Microsoft Security Bulletin MS08-067 addressed back in October 2008. Microsoft issued an emergency out-of-cycle patch to address the vulnerability. Windows users who have automatic updates enabled would have received the update so the hole is patched. But there are plenty of people and organizations who, for one reason or another, have automatic updates turned off.
Why any individual PC user would put themself at risk by having automatic updates turned off is beyond me. Organizations are another story; they want to test patches before deployment to ensure they don’t break critical applications or disrupt the network. But in this case, the patch should have been applied without question by every sys admin on the planet. Had this happened, the furor surrounding Conficker.A–the original worm–probably would have died down. Instead, enough sys admins left the hole open that a particularly ferocious variant–Conficker.B–surfaced; it’s the one responsible for the current mass infection.
You can read all about Conficker.B and its blended threat in this post at the Microsoft Malware Protection Center, so I won’t burden you with all the gory details about its blended threat here. I will, however, burden you with my informed opinion: Sometimes you have to heed the warnings and go ahead and patch, regardless of what problems that patch could potentially cause. A network taken down by a malware infection is much worse and potentially more costly to repair than a couple of broken apps here and there.
Jan 17 2009 3:27AM GMT
Posted by: Ken Harthun
Security,
Secure Computing,
Exploits,
Vulnerabilities,
Anti-malware,
Malware,
Cybercrime
With cybercriminals now actively poisoning search results and legitimate websites–unbeknownst to the webmasters–you can’t be too careful when clicking on links. Take a look at this video library presented by Exploit Prevention Labs (XPL) CTO and Chief Researcher Roger Thompson and you’ll see why. The videos show a number of recent exploits. The bad thing about these exploits is that you never see them coming. From the XPL Threat Center:
Exploits deliver their malcode through driveby downloads that happen silently and can be delivered through any kind of site. Most site owners don’t know themselves when their site has been poisoned - it’s happened to every kind of site, from global businesses to individual MySpace pages.
That’s why you should be using XPL’s LinkScanner. This nifty utility integrates with the search engines to check for a variety of threats, so you’ll know whether a site is safe (or not) before you click the link. Take a look at the screenshot of my Google search on “warez.” The red X’s are the LinkScanner results: those sites are dangerous. The green checkmark on the Wikipedia entry indicates that it’s safe to surf.
LinkScanner allows you to check any link on demand by right-clicking on the link and selecting “Quick Scan with LinkScanner.” This is great for checking links in sites you’re surfing. You can also open a console and paste an address for scanning.
You may wonder how LinkScanner compares with McAfee’s SiteAdvisor. So did I. XPL gives an in-depth comparison on their LinkScanner vs SiteAdvisor page. Here’s an excerpt:
LinkScanner’s SearchShield technology actually does a live scan on Google, Yahoo and MSN search results and with no delay in search engine results delivery. This enables LinkScanner to definitively state whether the page behind any link is or is not safe at the only time that matters – the time you plan to visit it.
In contrast, SiteAdvisor “crawls” entire sites over a period of weeks and/or months and renders opinions about entire sites, which are then stored in a central database.
Download LinkScanner Lite it for yourself and you just may find, as I did, that it’s an indispensible tool for secure computing.
