Virus archives - Security Corner


Feb 24 2009   3:37AM GMT

Scareware – Yes, People Do Fall for the Ruse



Posted by: Ken Harthun
Anti-malware, Anti-virus, Malware, Social Engineering, Malicious Software Removal Tool, Security, Scam, Virus

What happens when people fall for the scareware ruse and actually install the stuff? Oddly enough, they may not even know they’ve been duped. Their systems may run a little slower, but they may be fooled into thinking they’re now being protected by the malware they’ve installed. What follows is a real-life example of someone who wrote in to a well-known security forum. (So as not to cause embarrassment to the victim, I have changed names and details.)

Question one, [Miss K] is very upset that Microsoft uninstalled her new antivirus program.  [Gentlemen], she writes, “I turned on my computer a few days ago, and I got a message saying that Microsoft MSRT had removed AV 2009 from my computer.  So now I don’t have an antivirus installed.  I tried to download another copy of AV 2009, but I couldn’t remember where I got it.  Can you tell me…” [the gentleman reading this question actually thinks it’s a joke] “Can you tell me where to find it, or recommend a free AV program?”

Here is some of the conversation between the hosts:

Host1:  And a lot of people have been getting it.  And MSRT has been removing it from a lot of machines.  So in case [Miss K] is serious, we’re not laughing at you, we’re laughing with you.

Host2:  Yes, because you’re not alone.  There are many, many, many people who’ve fallen for this.  I get - literally I get this call on the radio show all the time.

Host1:  Yes.  Yes.  So do not go looking for another copy of it.  Actually it’ll probably find you, without you having to look for it, and happily crawl into your computer.  It is malicious.  It’s good that Microsoft MSRT removed it.

 

Feb 18 2009   5:05PM GMT

Scareware–Using Fear & Deception to Dupe Consumers



Posted by: Ken Harthun
Security, Malware, Anti-malware, Anti-virus, Cybercrime, Scam, Virus

You’re checking out your favorite web sites when out of the blue a scary message appears on your desktop, which may look like the picture below, or it may just be a box that says “Warning! Spyware detected on your computer!”

What do you do? If you're the average computer user, this will probably scare you (which is why it's called "scareware"). You'll be very tempted to click on the button, thinking that you are ridding yourself of some nasty spyware, but don't do it: the message is a fake and you're not really infected. Clicking anything inside the alert is what starts the real infection. That includes what looks like its "Close" or "Cancel" button, because the whole alert is usually just a picture or a web page with a download behind it. Close the browser window instead, and if it won't close, end the browser process.

Not only that, but clicking will probably bring up a “registration” screen and if you click on that, you’ll be taken to a web site where the crooks try to sell you their bogus–and totally useless–”security” software. Not only will they dupe you out of $39.95, $49.95, or whatever they’re charging, they’ll get your credit card or banking information and maybe clean you out for real. It’s all a scam and the criminals who run these things are making millions.

The only defense is knowing that these scams exist and not falling for the ruse if you’re ever hit by one. With that in mind–and with some help from various sources on the web–I present a list of some of the more prominent “scareware” scams. This list is by no means complete; new variations appear regularly. But all of them use the same tactic: scare the victim into taking some action.

  • AntiVirus 2008, 2009 and 2010: The above screenshots are of Antivirus 2009, but all three are basically the same program and have a similar appearance.
  • AntiVirus Plus: Sometimes mimics Windows Security Center alerts to trick you into thinking it's legit. The screen shot below is totally bogus.
  • AntispywareXP 2009: Very intrusive. The fake alerts and scan results overload your system and slow it down.
  • XP Antispyware 2009: Virtually the same as AntispywareXP 2009.
  • WinDefender 2009: This little gem will always find malware on your system. Of course, what it finds is bogus, but it'll scare you enough to dupe you into buying the software.
  • Personal Defender 2000: Uses the same tactic as WinDefender 2009, but gives a warning about your firewall and then tries to get you to buy the software.
  • AntiVirus Sentry: This is one that will often download itself even if you don't click on anything.
  • Security 2009: The crooks responsible for this one have the audacity to advertise it on the Web as if it's a legitimate application.
  • ProAntispyware 2009: You might see this one advertised on the Web, too.
  • RapidAntiVirus: This one is capable of damaging your system because it identifies legitimate system files as malware. If you remove the files, you can crash your PC.
  • Antispyware 3000: Usually bundled with Trojan horse programs. Looks legit, but don't let its slick appearance fool you; it's bogus.

Thanks to Redmond Magazine, bleepingcomputer.com, Microsoft Malware Protection Center, and others for information used to compose this post.


Feb 3 2009   3:19AM GMT

Are Windows PCs Threatened by Malware Harbored on Mac & Linux OS’s?



Posted by: Ken Harthun
Virus, Anti-virus, Linux, Microsoft Windows, Networking, Security, Security management

Can Mac and Linux boxes harbor malware that does not affect them, but could affect Windows PCs?  Absolutely. It can and does happen. The Sophos white paper, “Protecting Mac and Linux computers: genuine need or nice to have?” presents a convincing case, describing just how Mac and UNIX/Linux machines threaten Windows PCs.

…it is very common for Windows networks to include a server running UNIX or Linux. Vulnerabilities, such as a weak SSH password, can allow hackers to convert a Linux server into a botnet controller, and install malware that will compromise desktop Windows computers.

Well, that’s one way, but consider this: Viruses, worms, and other types of malware are files, and can be stored on any digital media, regardless of the format or operating system that created them. A Mac/UNIX/Linux machine can store Windows files; a Windows machine can store Mac/UNIX/Linux files. That a Windows virus cannot damage a Mac/UNIX/Linux machine–and vice-versa–is irrelevant: Typhoid Mary harbored and transmitted typhoid fever yet never succumbed to it. She did, however, infect 47 others, three of whom died.

…computers harboring the malware can quietly transmit it to Windows computers. For example, UNIX computers can easily transmit the virus to Windows computers via the Samba file-sharing system.

If you have a mixed network, it's time to put some effort into protecting the non-Windows machines. Best practice now dictates that every server and desktop machine in your network be protected with some sort of anti-malware application. On a Linux or UNIX file server that means scanning the data it serves (the Samba exports, mail spools, upload directories) with an engine that knows Windows malware, not merely protecting the Linux host from threats to itself. And close the entry point the white paper names: a server that still accepts password-only SSH logins is the easiest way for an attacker to get a foothold from which to seed the shares.
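The point in the two quotes above is that a Linux server can store and serve a Windows executable it can never run itself. As an added example (not Sophos's or this blog's code), here is a small scanner that reads the share definitions out of an smb.conf, walks each exported directory, and flags what a Windows client could be hurt by: files carrying the PE "MZ" header regardless of extension, deceptive double extensions such as invoice.pdf.exe, the EICAR test signature, and SHA-256 matches against a known-bad set. The smb.conf text, the sample share contents and the known-bad hash set are all constructed for the demonstration.

```python
"""Walk the directories a Samba server exports and flag files that can hurt a
Windows client.  Added example for this post, not Sophos's or the author's
code; the smb.conf text, the share contents and the known-bad hash set are
constructed for the demonstration."""
import hashlib
import os
import re
import tempfile

# Industry-standard harmless test signature that every AV engine detects.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
# Extensions Windows will execute when double-clicked.
EXEC_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js"}


def parse_smb_shares(conf_text):
    """Return {share name: exported path} for each share in an smb.conf."""
    shares, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue                      # blank or comment line
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip()
            continue
        if section and section.lower() not in ("global", "printers"):
            key, sep, value = line.partition("=")
            if sep and key.strip().lower() == "path":
                shares[section] = value.strip()
    return shares


def classify_file(path, known_bad=frozenset()):
    """Reasons a file is dangerous to a Windows client ([] when it looks clean)."""
    reasons = []
    parts = os.path.basename(path).lower().split(".")
    if len(parts) >= 3 and parts[-1] in EXEC_EXT:
        reasons.append("double extension")            # e.g. invoice.pdf.exe
    with open(path, "rb") as fh:
        data = fh.read()
    if data[:2] == b"MZ":
        reasons.append("windows executable (MZ header)")
    if EICAR.encode() in data:
        reasons.append("EICAR test signature")
    if hashlib.sha256(data).hexdigest() in known_bad:
        reasons.append("known-bad sha256")
    return reasons


def scan_shares(shares, known_bad=frozenset()):
    """Return sorted [(share, path relative to the share, reasons)] for every hit."""
    findings = []
    for share, root in shares.items():
        if not os.path.isdir(root):
            continue                      # share points at a missing directory
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                full = os.path.join(dirpath, name)
                reasons = classify_file(full, known_bad)
                if reasons:
                    rel = os.path.relpath(full, root).replace(os.sep, "/")
                    findings.append((share, rel, reasons))
    return sorted(findings)


def demo():
    """Build a throwaway share tree (constructed data) and scan it."""
    root = tempfile.mkdtemp(prefix="smbscan-")
    conf = (f"[global]\n  workgroup = WORKGROUP\n[public]\n  path = {root}/public\n"
            f"  read only = no\n[printers]\n  path = /var/spool/samba\n")
    os.makedirs(f"{root}/public/docs")
    os.makedirs(f"{root}/public/tools")
    samples = {
        "docs/report.txt": b"quarterly numbers, nothing to see here\n",
        "docs/invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,   # PE stub hiding behind .pdf
        "tools/update.dat": b"MZ\x90\x00" + b"\x01" * 60,       # PE with an innocent name
        "eicar.com": EICAR.encode(),
    }
    for rel, content in samples.items():
        with open(f"{root}/public/{rel}", "wb") as fh:
            fh.write(content)
    # Pretend update.dat's hash arrived from a threat feed (constructed).
    known_bad = {hashlib.sha256(samples["tools/update.dat"]).hexdigest()}
    return scan_shares(parse_smb_shares(conf), known_bad)


if __name__ == "__main__":
    for share, rel, reasons in demo():
        print(f"{share}:{rel}  {', '.join(reasons)}")
```

Run it as a cron job on the file server and it will tell you about Windows executables sitting on your shares long before a Windows desktop trips over them. The hash set is where you would plug in a real feed; the MZ and double-extension checks need no signatures at all and catch the "harmless-looking file on a UNIX box" case the white paper warns about.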


Dec 2 2008   9:00PM GMT

Own a Mac? Get Anti-virus, says Apple



Posted by: Ken Harthun
Security, Apple, Mac, Virus, Anti-virus, Opinion, Anti-malware

The Mac vs. PC ads are always funny, but this one’s even more of a hoot, especially since Apple quietly snuck out an advisory on November 21 that Mac users should use multiple antivirus programs:

“Apple encourages the widespread use of multiple antivirus utilities so that virus programmers have more than one application to circumvent, thus making the whole virus writing process more difficult.”

Needless to say, this is getting a lot of play in the media.

From The Register:

“Long something of a phantom menace, strains of malware capable of infecting Mac machines have gradually been increasing in prevalence over recent months. In addition, VXers are making more use of web-based attacks and application-specific vulnerabilities to infect PCs whatever their underlying operating system might be.”

From the Washington Post:

“This is news to me. Just under three months ago, I asked an employee at our local Apple store whether I needed anti-virus for my MacBook, and was told not to bother, that it was not necessary. I wonder if this means Apple will stop running television ads saying Mac users don’t have to worry about malicious software?”

It had to happen sooner or later. The Mac user base may be much smaller than the PC's, but it's still significant: Mac shipments grew 38 percent year over year in the second quarter of 2008, taking Apple from 6.4 percent of the market in 2007 to 8.5 percent. Even more significant is the little-known fact that Apple's share of the so-called "premium" computer market (machines that cost more than $1,000) hit a whopping 66% in the first quarter of 2008. Maybe, just maybe, people who buy "premium" stuff have more money, which can mean a bigger payday for the Internet criminals.

Just my opinion, but if you could steal a Jaguar with no more effort than it takes to steal a Chevy, which would you take?


Nov 30 2008   4:21PM GMT

An MBR Tool to Combat Mebroot



Posted by: Ken Harthun
Security, Malware, Virus, Anti-virus, Rootkit, Anti-malware, Trojan

Assuming you or your client is not already infected with Mebroot, there's another tool you can use to easily recover in the event of an infection: MBRtool 2.3 from DIY DataRecovery.

MBRtool is a freeware DOS program designed to back up, restore, and manipulate your hard disk MBR. The latest version includes a boot disk builder that will allow you to create a diskette or bootable CD/DVD, making it ideal for recovering from a Mebroot infection. If you are sure the target machine is clean, or you have a clean image that you can restore, you simply use MBRtool to make a backup of the valid MBR. In the event of infection, use the boot disk to start the machine and restore the valid MBR. Bye, bye, Mebroot! Two cautions: take the backup while the machine is positively known clean (a backup of an already-hooked MBR just preserves the infection), and do both the backup and the restore from the boot disk rather than from inside the running Windows, because an MBR rootkit can hide its own code from reads made through the infected OS.

Going beyond simple recovery, you could use MBRTool to make a copy of and examine an infected MBR to compare its code against known Mebroot variants. But, be careful: you don’t want that infected MBR to get away from you.
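To compare a suspect MBR against a known-good backup you need to know what is inside the 512 bytes. As an added example (not MBRtool's code or the author's), here is a parser that splits an MBR image into its boot code, Windows disk signature, partition table and 0x55AA boot signature, diffs two images, and rebuilds a repaired sector from the trusted boot code while keeping the current partition table. The "clean" and "hooked" boot-code byte strings and the partition layout are constructed stand-ins, not Mebroot's real loader.

```python
"""Parse, diff and repair a 512-byte MBR image.  Added example, not MBRtool's
code or the author's: the boot-code byte strings and the partition layout
below are constructed, not Mebroot's real loader."""
import hashlib
import struct

MBR_SIZE = 512
BOOTCODE_END = 440        # bytes 0..439: boot loader code
DISK_SIG_OFF = 440        # bytes 440..443: Windows disk signature
TABLE_START = 446         # four 16-byte partition entries follow
ENTRY_FMT = "<B3xB3xII"   # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(blob):
    """Split an MBR into the pieces worth comparing."""
    if len(blob) != MBR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, blob, TABLE_START + 16 * i)
        if ptype:                                  # type 0 = empty slot
            partitions.append({"slot": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "bootcode_sha256": hashlib.sha256(blob[:BOOTCODE_END]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", blob, DISK_SIG_OFF)[0],
        "partitions": partitions,
        "valid_signature": blob[510:512] == b"\x55\xaa",
    }


def compare_mbr(baseline, current):
    """List what differs between a trusted backup and the sector read now."""
    a, b = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not b["valid_signature"]:
        findings.append("boot signature 0x55AA missing")
    if a["bootcode_sha256"] != b["bootcode_sha256"]:
        findings.append("boot code changed")       # the part an MBR rootkit replaces
    if a["disk_signature"] != b["disk_signature"]:
        findings.append("disk signature changed")
    if a["partitions"] != b["partitions"]:
        findings.append("partition table changed")
    return findings


def rebuild_from_baseline(current, baseline):
    """Put the trusted boot code back but keep the *current* disk signature and
    partition table, so a months-old backup cannot clobber partitions you
    legitimately changed after it was taken."""
    return baseline[:BOOTCODE_END] + current[BOOTCODE_END:510] + b"\x55\xaa"


def build_mbr(bootcode, partitions, disk_sig=0x1234ABCD):
    """Assemble a test MBR; partitions = [(bootable, type, lba_start, sectors)]."""
    blob = bytearray(MBR_SIZE)
    blob[:len(bootcode)] = bootcode[:BOOTCODE_END]
    struct.pack_into("<I", blob, DISK_SIG_OFF, disk_sig)
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, blob, TABLE_START + 16 * i,
                         0x80 if bootable else 0x00, ptype, lba, count)
    blob[510:512] = b"\x55\xaa"
    return bytes(blob)


# Constructed stand-ins: a "clean" loader, and one whose first bytes were
# swapped for a jump into code stashed elsewhere on the disk.
CLEAN_BOOTCODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 432
HOOKED_BOOTCODE = b"\xe9\x00\x01" + CLEAN_BOOTCODE[3:]
LAYOUT = [(True, 0x07, 63, 0x00100000)]       # one bootable NTFS partition


def demo():
    clean = build_mbr(CLEAN_BOOTCODE, LAYOUT)
    hooked = build_mbr(HOOKED_BOOTCODE, LAYOUT)
    return {
        "clean_vs_clean": compare_mbr(clean, clean),
        "clean_vs_hooked": compare_mbr(clean, hooked),
        "after_repair": compare_mbr(clean, rebuild_from_baseline(hooked, clean)),
    }


if __name__ == "__main__":
    for name, diff in demo().items():
        print(name, diff or "identical")
```

Feed it the 512-byte dump MBRtool wrote on the clean day and the one you pull from the boot disk after the trouble started; a hit on "boot code changed" with an untouched partition table is exactly the pattern a bootkit leaves. Keeping the current partition table on repair is deliberate: the partition table is not where the loader lives, and a stale copy of it is the one thing a restore can get wrong.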


Sep 24 2008   1:12AM GMT

Software for Secure Computing: Trend Micro’s RUBotted



Posted by: Ken Harthun
spam, Virus, Botnet, Anti-malware, Secure Computing, IRC bot

I stumbled across this nifty free tool when running an online scan at Trend Micro’s HouseCall site. Botnets are a big problem, accounting for most of the spam on the Internet, not to mention their use in stealing financial information and launching denial-of-service (DoS) attacks. RUBotted (Beta) “…monitors your computer for suspicious activities and regularly checks with an online service to identify behavior associated with Bots. Upon discovering a potential infection, RUBotted prompts you to scan and clean your computer.” Note that this tool doesn’t clean anything–you still have to use antivirus software. Alternatively, you can take advantage of one of the many online malware scanners.
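Bot monitoring of the kind described comes down to looking for behaviour rather than signatures, and the most reliable behaviour a bot has is its timer. As an added example (not RUBotted's logic or Trend Micro's code), here is a detector run over constructed connection-log lines: it groups outbound connections per source, destination and port, flags the classic IRC command-and-control ports, and flags any flow whose connections arrive at nearly constant intervals. The log format, the interval-regularity threshold and the minimum-hit count are assumptions to tune against your own baseline.

```python
"""Spot bot-like traffic in connection logs: regular "phone home" intervals
and classic IRC command-and-control ports.  Added example, not RUBotted's
logic or the author's; the log format, the thresholds and the sample log
lines are constructed for the demonstration."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(r"^(\S+) src=(\S+):\d+ dst=(\S+):(\d+) proto=(\w+)$")
IRC_PORTS = set(range(6660, 6670)) | {7000}     # well-known IRC server ports


def parse_line(line):
    """(timestamp, src, dst, port, proto), or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return ts, m.group(2), m.group(3), int(m.group(4)), m.group(5)


def find_beacons(lines, min_hits=4, max_cv=0.15):
    """Group outbound connections per (src, dst, port) and flag suspicious flows.

    A flow is 'periodic' when it has at least min_hits connections and the gaps
    between them are nearly constant (coefficient of variation <= max_cv), the
    signature of a bot checking in on a timer.  Both thresholds are assumptions."""
    flows = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ts, src, dst, port, _proto = rec
            flows[(src, dst, port)].append(ts)
    hits = []
    for (src, dst, port), stamps in flows.items():
        stamps.sort()
        reasons = []
        if port in IRC_PORTS:
            reasons.append("irc-port")
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps) if gaps else 0.0
        if len(stamps) >= min_hits and mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            reasons.append("periodic")
        if reasons:
            hits.append({"src": src, "dst": dst, "port": port, "count": len(stamps),
                         "interval": round(mean, 1), "reasons": reasons})
    return sorted(hits, key=lambda h: (h["dst"], h["port"]))


# Constructed log: one workstation browsing the web at irregular times, a bot
# checking in with an IRC server every minute, and an updater polling every
# ten minutes (which this heuristic will also flag, on purpose).
SAMPLE_LOG = """\
2008-09-23T21:00:00 src=192.168.1.20:49152 dst=203.0.113.7:6667 proto=tcp
2008-09-23T21:00:14 src=192.168.1.20:49153 dst=198.51.100.10:80 proto=tcp
2008-09-23T21:01:00 src=192.168.1.20:49154 dst=203.0.113.7:6667 proto=tcp
2008-09-23T21:01:37 src=192.168.1.20:49155 dst=198.51.100.10:80 proto=tcp
2008-09-23T21:02:00 src=192.168.1.20:49156 dst=203.0.113.7:6667 proto=tcp
2008-09-23T21:03:00 src=192.168.1.20:49157 dst=203.0.113.7:6667 proto=tcp
2008-09-23T21:04:00 src=192.168.1.20:49158 dst=203.0.113.7:6667 proto=tcp
2008-09-23T21:05:00 src=192.168.1.20:49159 dst=203.0.113.7:6667 proto=tcp
2008-09-23T21:09:51 src=192.168.1.20:49160 dst=198.51.100.10:80 proto=tcp
2008-09-23T21:10:00 src=192.168.1.20:49161 dst=203.0.113.50:443 proto=tcp
2008-09-23T21:20:00 src=192.168.1.20:49162 dst=203.0.113.50:443 proto=tcp
2008-09-23T21:30:00 src=192.168.1.20:49163 dst=203.0.113.50:443 proto=tcp
2008-09-23T21:40:00 src=192.168.1.20:49164 dst=203.0.113.50:443 proto=tcp
2008-09-23T21:42:03 src=192.168.1.20:49165 dst=198.51.100.10:80 proto=tcp
"""


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG.splitlines()):
        print(f"{hit['src']} -> {hit['dst']}:{hit['port']}  x{hit['count']} "
              f"every {hit['interval']}s  {', '.join(hit['reasons'])}")
```

The updater on port 443 shows the limitation of a pure timing heuristic: legitimate software polls on a timer too, so the "periodic" flag is a lead to triage (who is 203.0.113.50, and what process opened the socket?), while "periodic" plus an IRC port from a desktop is something to pull the cable over.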

The tool runs on Windows 2000, Windows XP Home and Professional, Windows Server 2003, and Windows Vista (32-bit only), provided the latest service packs are installed. There's one caveat, however: Trend says, "RUBotted cannot protect computers running Panda Internet Security 2008."

I hope that this effort by Trend starts a trend (pun intended) of vendors providing similar secure computing software, perhaps incorporating bot removal tools to boot. We’ll see.


Sep 19 2008   1:30AM GMT

Antivirus XP 2008/2009 Malware Up the Ante



Posted by: Ken Harthun
Cybercrime, Malware, Virus, Anti-virus, Anti-malware

According to US-CERT, the cybercriminals who are foisting fake antivirus programs, such as Antivirus XP 2008 and 2009, off on innocent users are now doing more than just ripping people off for the purchase price of their worthless programs: they're going after personal and financial information. "If the user purchases the bogus software, the attacker may be able to obtain personal and credit card information for use in additional scams and fraudulent activity," US-CERT reports. Their site has some recommendations on preventive measures to take.

US-CERT encourages users to perform the following preventative measures to help mitigate the risks:

  • Install legitimate antivirus software from a trusted vendor, and keep its virus signature files up-to-date.
  • Do not follow unsolicited web links found in email messages or instant messages.
  • Use caution when visiting untrusted websites.
  • Do not install untrusted software.

My bootable Linux thumb drive virus scanner will remove this infection, but the best thing is not to get infected in the first place.

Be careful out there.


Aug 27 2008   2:40AM GMT

Worm Infects International Space Station Laptops



Posted by: Ken Harthun
Security, Virus, Opinion

Houston, we have malware. (Sorry, I had to do that.)

Apollo 13 had real, live mechanical malfunctions that could have earned the mission a place in our space program's disaster timeline between Apollo 1 in 1967 and the Challenger disaster in 1986. Fortunately, that didn't happen; Apollo 13 went down in history as a close call. Unfortunately, physical damage to the thermal protection on the left wing, struck by foam shed during launch, resulted in the Columbia disaster in 2003. Now the space program faces another threat, this time a non-physical one, in the form of malware invading laptops aboard the International Space Station (ISS).

According to The Register's article "Houston, we have a virus," "The infected machines were not considered mission critical, meaning they weren't responsible for command and control. The NASA spokesman was unable to say if the infected laptops were connected to mission-critical systems."

What if they were?

Security is not optional–it’s mandatory. Especially when lives are at stake.


Aug 23 2008   2:39AM GMT

Oscarbot.UG Eludes Detection with Intelligent Stealth



Posted by: Ken Harthun
Cybercrime, spam, Malware, Phishing, Virus, Anti-virus, Opinion, Anti-malware

According to Panda Security, the Oscarbot.UG virus, first detected on August 17, 2008, uses intelligent stealth techniques to avoid detection.  “It deletes the original file from which it was run once it is installed on the computer. It uses several methods in order to avoid detection by antivirus companies [one of them being that it] terminates its own execution if it detects that it is being executed in a virtual machine environment, such as VMWare or VirtualPC.”

As reported by Help Net Security, the worm "stops running if it finds that it is being tried on virtual machines such as VMware, a sandbox or in a honeypot (these tools are often used to check in a controlled environment if an executable file is running malicious commands)."

The good news, such as it is: if you do your risky browsing inside a virtual machine, this worm refuses to execute there, and discarding the VM discards it. The bad news is that the same check is aimed squarely at the sandboxes and honeypots researchers rely on, so the sample looks harmless in the lab and detonates only on real hardware. Malware using this kind of intelligent stealth is on the rise, and it raises the bar for anti-malware researchers.
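To see what "detects that it is being executed in a virtual machine" actually means in practice, here is an added example (not Panda's analysis and not the worm's code) of the artifact checks such malware commonly performs: the MAC address prefixes assigned to VMware, VirtualBox, Virtual PC/Hyper-V and QEMU, and vendor strings in the SMBIOS/DMI tables. The indicator tables are public hardware identifiers; the host values in demo() are constructed. Knowing the checks tells an analyst what the lab VM has to hide before the sample will run.

```python
"""The kind of virtual-machine check Oscarbot-style malware performs, written
out so an analyst can see what a sandbox must hide.  Added example, not
Panda's analysis or the worm's code: the indicator tables are public hardware
identifiers; the host values in demo() are constructed."""
import glob

# MAC address prefixes (OUIs) assigned to virtualization vendors.
VM_OUIS = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:1c:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "00:03:ff": "Microsoft Virtual PC", "00:15:5d": "Hyper-V",
    "52:54:00": "QEMU/KVM",
}
# Substrings that give the game away in the DMI/SMBIOS vendor or product strings.
VM_DMI = ["vmware", "virtualbox", "innotek", "qemu", "virtual machine", "kvm", "xen"]


def vm_indicators(mac, sys_vendor="", product_name=""):
    """Return the artifacts that reveal a VM ([] means the host looks physical)."""
    found = []
    oui = mac.lower().replace("-", ":")[:8]
    if oui in VM_OUIS:
        found.append(f"mac-oui:{VM_OUIS[oui]}")
    for field, value in (("sys_vendor", sys_vendor), ("product_name", product_name)):
        hit = next((k for k in VM_DMI if k in value.lower()), None)
        if hit:
            found.append(f"dmi-{field}:{hit}")
    return found


def read_host_indicators():
    """Collect the same values from a running Linux host.  The /sys paths are
    real; on other platforms, or where they are unreadable, this returns []."""
    def read(path):
        try:
            with open(path) as fh:
                return fh.read().strip()
        except OSError:
            return ""
    macs = [read(p) for p in glob.glob("/sys/class/net/*/address")] or [""]
    vendor = read("/sys/class/dmi/id/sys_vendor")
    product = read("/sys/class/dmi/id/product_name")
    found = []
    for mac in macs:
        for ind in vm_indicators(mac, vendor, product):
            if ind not in found:
                found.append(ind)
    return found


def demo():
    """Constructed hosts: a stock VMware guest, a guest with spoofed identity,
    and a physical laptop."""
    return {
        "stock_vmware": vm_indicators("00:0C:29:4A:1B:2C", "VMware, Inc.", "VMware Virtual Platform"),
        "spoofed_guest": vm_indicators("3c:97:0e:12:34:56", "Dell Inc.", "Latitude E6400"),
        "real_laptop": vm_indicators("00:1f:3b:aa:bb:cc", "LENOVO", "7459CTO"),
    }


if __name__ == "__main__":
    for host, found in demo().items():
        print(host, found or "no VM artifacts")
    print("this machine:", read_host_indicators() or "no VM artifacts")
```

The spoofed_guest case is the analyst's countermeasure: give the lab VM a NIC with a non-virtual OUI and override the SMBIOS vendor and product strings, and a check like this one finds nothing. It is also why "anyone running a VM is safe" is cold comfort; the moment a guest is disguised well enough to be useful for analysis, it is no longer protected by the worm's own reluctance to run.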

At what point do we switch from a reactive anti-malware approach (blacklisting) to a pro-active one (whitelisting)? The day is fast approaching (it may already be here) when the programs designed to protect us become so huge and so invasive that they prevent us from getting any useful work done.

The best way to combat malware would be to take the profit out of spam, phishing scams, and other cyber-fraud crimes.

I don’t have the answer for that one.