Archive for the ‘Malware, Viruses and Bugs Galore’ category

Israeli engineer finds a new Windows flaw in ‘win32k.sys’ file

August 10th, 2010

Israeli engineer and researcher Gil Dabah on Friday described a newly discovered Windows flaw that lets a local user force a BSOD (‘blue screen of death’) crash on every current, supported version of the Windows operating system, and that could potentially give an attacker the ability to run code on the machine with kernel privileges.

According to Dabah’s report, the flaw is inside ‘win32k.sys’, the kernel-mode driver that implements much of the Windows GUI subsystem, including window management and 2D (GDI) graphics.

The vulnerability lies in the handling of the Windows clipboard: if specially crafted data is placed on the clipboard, the screen can be garbled or the machine crashed outright.

Before Windows NT 4.0, the window manager and GDI ran in user mode (inside the Win32 subsystem process), so a bug in that code was not a kernel-mode bug.  NT 4.0 moved them into kernel mode as win32k.sys, and since then a fault there is a kernel fault, which is why the flaw affects every subsequent version of Windows: Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2, on both x86 and x64, with or without service packs.

Even so, Secunia has rated the issue only “Less Critical”, reflecting that it is not remotely exploitable and that turning the crash into execution of an attacker’s code would be difficult, and Microsoft, although aware of the flaw, has not yet announced a patch for it.

Chuck Norris Says Change Your Router Password… or He’ll Kick Your Butt

March 30th, 2010

Recently, a new botnet (a group of compromised devices controlled together to attack or spread infections to other systems) was discovered infecting consumer and enterprise routers worldwide.  This cleverly crafted infestation attacks even Linux-based devices.  Egads!  How is this possible?  Isn’t Linux immune to infection?

Not if you haven’t changed the default username and password combination your router shipped with, it’s not.  That is how the Chuck Norris infection gets into a system: by guessing common username / password combinations from a built-in list.  Incredibly simple, because most people never change the login on their routers.  Most don’t even change the SSID (the network name your router broadcasts), which often identifies the make and model and so tells anyone with even rudimentary knowledge of popular routers exactly which factory login to try first.

Windows-based computers are the usual target: almost all viruses are engineered to attack Windows, as it runs the largest share of computers worldwide.  That being said, any device is a lot easier to infect if you can simply bypass its login security, and that is what makes the Chuck Norris infection so clever.  It relies on guessed credentials rather than a software flaw, so it is OS-independent.

So if you’re infected, what do you do?

Reboot your router.  Chuck Norris is memory-resident: it doesn’t alter the firmware or actually “infect” the router’s storage, so a reboot clears it.  Not sure how?  Just pull the plug, wait a couple of minutes and plug the power back in.  You’re now un-infected, for the moment.

Want to stay that way – and keep from being hacked by every neighbor kid with a laptop?

  1. This infection also exploits a known vulnerability in D-Link routers.  If you have one, check for a firmware update from D-Link and install it.
  2. Log in to your router as administrator.  Check your router documentation if you don’t know how
    (whoever set up your router should have provided you with this information – we do.)
  3. Change the SSID on your router to something that does NOT give away your name, location, street address or the router’s make and model.
  4. Change the administrator user name (where the router allows it) and password to something that is not a factory default and cannot be guessed.
  5. WRITE THIS DOWN SOMEWHERE!
  6. Reboot your router.
  7. Reconfigure all your wireless devices to talk to the new SSID.
  8. You’re secure.
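Here is what “guessing common username / password combinations” actually looks like, as a Python script you can point at your own router’s admin page to see whether a factory login still works.  This is an added example, not code from the original post or from the botnet: the credential list is a short constructed sample, and the router it talks to is a local stand-in (a tiny HTTP server that answers 401 until the right Basic-auth header arrives), so the script runs offline.  Point `find_default_credentials` at your real router’s admin URL instead (only a router you own) to check it.

```python
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed sample of common factory defaults; the real lists botnets carry
# run to hundreds of entries.
DEFAULT_CREDENTIALS = [
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", ""),
    ("root", "root"),
    ("user", "user"),
]


def try_basic_auth(url, username, password, timeout=3):
    """Return True if url accepts username:password over HTTP Basic auth."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = Request(url, headers={"Authorization": f"Basic {token}"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except HTTPError as err:
        if err.code in (401, 403):      # rejected: wrong credentials
            return False
        raise                           # anything else is an error, not a verdict


def find_default_credentials(url, candidates=DEFAULT_CREDENTIALS):
    """Return the first (user, password) pair the router accepts, or None."""
    for username, password in candidates:
        if try_basic_auth(url, username, password):
            return (username, password)
    return None


# ---- Stand-in for the router's admin page so the example runs offline --------
# (assumption: a real router answers 401 until the right Basic-auth header arrives)

def _router_handler(valid_user, valid_password):
    expected = base64.b64encode(f"{valid_user}:{valid_password}".encode()).decode()

    class RouterHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.headers.get("Authorization") == f"Basic {expected}":
                self.send_response(200)
                self.end_headers()
                self.wfile.write(b"<html>Router status page</html>")
            else:
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="router"')
                self.end_headers()

        def log_message(self, *args):   # keep the demo output quiet
            pass

    return RouterHandler


def start_fake_router(valid_user, valid_password):
    """Serve the stand-in admin page on 127.0.0.1; returns (url, server)."""
    server = HTTPServer(("127.0.0.1", 0), _router_handler(valid_user, valid_password))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}/", server


if __name__ == "__main__":
    url, server = start_fake_router("admin", "admin")      # factory default left in place
    print("router accepts default credentials:", find_default_credentials(url))
    server.shutdown()
    server.server_close()
```

Two points worth noticing: a 401 or 403 is the only answer treated as “wrong password”; a timeout or a 500 is surfaced as an error rather than silently counted as a miss, so a router that rate-limits or falls over under the guessing does not get reported as safe.  And the check stops at the first hit, which is all a botnet needs too.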

Facebook Infections Continue

February 24th, 2010

Several times a day we get people bringing in badly infected computers carrying the current variety of the Fake Antivirus family of Trojan horse in circulation.  These infections are all the same: they look similar in spite of having different names (because they’re all created with the same toolkit) and have the same goal.  Their purpose is to extort money from you under the pretense of “protecting” you from the infections they tell you they’ve found — AND to run your credit card over its limit with worldwide purchases galore — AND to harvest your personal identity information from your computer so they can open accounts under your name and empty them, thereby destroying your credit rating while lining their pockets nicely.

As we have said since June of 2008:

STAY AWAY FROM FACEBOOK unless you’re using a Mac or a Linux-based computer.  PCs CANNOT be protected from these infections.  The authors of these pests discovered about a year ago that they could circumvent most of the Internet security products (Norton, McAfee, Trend Micro, Kaspersky, Avast, AVG, etc.) by updating their code so frequently that NO antivirus product can keep up with them.  Brilliant.  And impossible to protect against using the current popular mechanism.  We have disinfected over 300 computers since June of 2008 so far, and the number grows every day.  Two years ago we would clean these computers, install AVG AntiVirus and send folks on their way, telling them they were protected.  Not any more!  Now we tell our clients, after cleaning (or more likely reinstalling) and installing AVG, that they are NOT 100% protected – and if they do what they did prior to infection, they will likely be infected AGAIN.

So for now:

Whatever AntiVirus / Internet Security product YOU think is the best, employing it will NOT protect you.  Period.

STAY AWAY FROM FACEBOOK

and MySpace

and be Very Careful what you click on in a Google or Yahoo search.  A growing percentage of search results (even the sponsored ones, the yellow-background ads at the top of Google’s listings) are infected, and the second you click on the link, it’s OVER.  Even hovering over the link with Google’s page preview turned on will infect you.

The Internet is no longer safe and you need to be very careful how you use it.

If this scares you…  Good.  Maybe you will be careful enough to remain infection-free.

Search Engine Infections on the Rise

February 5th, 2010

The bulk of the Fake Antivirus infections making up the viral epidemic spreading like wildfire since June of 2008 had, until recently, been coming from Facebook and MySpace web pages.  Lately we have seen the source of infection shift to web search results.  Both Google and Yahoo searches have been bringing up infected results, and not only in the main search results but in the sponsored results as well (on Google, these appear at the top of the list with a yellow shaded background).  Sponsored search results are ads that Google is paid vast sums of money to place at the very top of the results for certain keywords or phrases.  In other words, the criminals responsible for the infection on your computer are paying good money (to Google) to put their link in front of you.  They do this because they know the end result is well worth their investment.

Also, over the last year we have seen a change in the methodology used by the miscreants distributing these infections.  Around this time a year ago, someone realized they could permanently circumvent all of the Internet security products that exist today by simply updating the code of their little “pets” on a very rapid basis (say every 30 minutes).  Since even the most advanced antivirus products only update their definitions every 4 hours, there is no way they can keep up with the new virus code being distributed.  We fine-tune our AVG antivirus install to update every hour.  That is still inadequate.  We have lost the battle.  Period.  Until the methodology employed by the people protecting us changes to a hardware-based solution that simply does not allow viral behavior, we are all screwed.

What does all this mean to you?  It means that, regardless of which Internet security product you think is the best, implementing it will NOT protect you 100%.  Nothing will protect you 100%.  If you are not extremely circumspect about where you go on the Internet and what you click on, your computer WILL be infected and you will NOT be able to resolve the problem yourself.  Even attempting to fix it yourself will likely make the problem worse, leaving you with an un-bootable computer after all your personal information has been stolen and while your identity is being compromised.

What’s the solution?

  1. Buy an Apple computer. (I am typing this on a Mac Pro)
  2. Use a computer with a Linux Operating System.
  3. Stay off of Facebook and Myspace. (No, it doesn’t matter that you “don’t click on anything”)
  4. Be VERY careful what you click on when searching, reading emails or using IM.
  5. Use our recommendations for AntiVirus / Internet Security.  We know what we’re talking about.  We disinfect dozens of computers a week.
  6. Keep your computer backed up every single day so you can restore the Operating System (and your data) in case of infection.

Facebook Security Warning

September 20th, 2009

We’ve been telling people this for over a year, even published a security bulletin from AVG to this effect, but apparently never published an actual warning regarding the real risks associated with using Facebook (and MySpace).

Both of these social networking sites have been under attack since May 2008 by criminals intent on extorting money from the people they infect with their malware (also known as hostageware or FakeAlert software).  When your computer produces a warning screen or pop-ups in the lower right corner warning you of infections and offering to “fix” the problem for $49.95 (up to $89.95 in some cases), it is TOO LATE.  You are infected.  You will not be able to fix this yourself.  If you gave them your credit card information you will quickly find your card canceled due to fraudulent activity.  (Call your credit card provider immediately if you have fallen prey to this scam.)

This has been the pattern with these brilliant criminals working out of Eastern Europe for over a year now, and there are no signs of the problem getting better.  Many people ask “why do they do this?”  “Money” is the obvious answer.  No legitimate product will EVER pop up on your screen and ask for money to “fix” something wrong with your computer.  These fake Security / AntiVirus / Performance Tuning / Registry Repair tools are all infections, plain and simple.

  • Working with a very small, easy-to-calculate example at the low end of what these schemes pull in, let’s say that one of these virus authors gets only 1,000 people a day to “bite” on the offer to “protect” their computers.  At $49.95 each, that’s just under fifty thousand dollars a day.  Pretty good money for sitting around eating Cheetos in your underwear in a (very nice) apartment in Kiev (or Moscow, etc.).
  • Now factor in the bonus of having all the victim’s credit card information entered during this transaction.  Can you spell SHOPPING?  Our resourceful virus writer is spending your credit card limit in a heartbeat – so fast your credit card company won’t be able to stop it before this thief cashes in nicely on your plastic.
  • But the big payoff is gaining access to your personal identity information stored on your computer.  Credit card numbers, social security numbers, user login information – anything stored or cached on your computer from previous transactions or for your own records can now be in their hands to use as they please.  Identity theft is big business and can ruin your life.

We have disinfected over 250 computers since June of 2008 with one variety or another of these nasty infections.  (Refer to our Bad Bugs List here in the blog for the growing collection of these pests.)  Absolutely nothing stops them, as these bugs are reinvented on an hourly basis.  The best antivirus you can buy (AVG) will still not provide 100% protection against these thieves.

We have been recommending to everyone since this problem surfaced to AVOID FACEBOOK AND MYSPACE unless you are using a Mac or Linux-based system, as they are immune to this infection (for the time being).  If you do not heed this warning, YOU WILL BE INFECTED.  Period.  Even the New York Times website was serving a malicious ad that infected its readers earlier this month, so it’s not just a social networking issue, but the social networks are the primary focus.

“But I never click on anything.  I just check my messages…”  Great.  But no protection.  Most of these infestations are distributed by infected banner ads: the ad itself carries code that exploits your browser or one of its plug-ins as the ad renders.  As soon as the ad displays on the page you’ve loaded, IT’S OVER.  YOU’RE INFECTED.  It is NOT necessary to click on one of these ads for it to deliver its payload.  The criminals actually pay for advertising so they can infect your computer and extort money from you, steal your identity, et cetera.  They also hack user accounts so they can send messages that appear to be from your friends but actually contain infected links.  It has happened to my friends.

Why isn’t Facebook doing more to protect its users?  We recommend you ask them exactly that.  Also, send them the bill for cleaning or reinstalling your computer the next time it gets infected.  See what happens.

And another thing.  Be careful what surveys or “tests” or other cute features or add-ons you participate in on Facebook.  Anything that asks for your phone number may sign you up for a premium SMS subscription that charges you every month for some infernal news feed while you get junk text messages you didn’t want.  If you are getting these already, simply reply with STOP or QUIT and they should remove you immediately.  Also, dial 611 (assuming it’s your cell phone) and ask your provider to cancel the service you “signed up for” and refund the charges.  If you get a decent rep, it should be no problem.  If they are not being helpful, demand to speak to a supervisor.

[Oh, and Google... Did you know these same miscreants are paying for top Google ad placement to sell you infected, fake AntiVirus products?  We've seen them time and again at the very top of the sponsored links in Google search result pages...]

PandaLabs recently uncovered a website that offers to hack any Facebook account for $100.00.  Once they have successfully gained access to your account, everything you have posted in that account is THEIRS.  The result: identity theft — YOURS!  According to this website, only 1% of all Facebook accounts cannot be hacked!  Once they have hacked an account, they have full access to your friends’ contact information, and now they can send them infected links or images, ostensibly from YOU.  Nice.

Just say “NO” to Facebook!

Unless you’re using a Mac…
(I know, you NEED your Facebook fix…  I use it all the time, just never from the office, where we use all PCs.  Only from home, where I use an Apple OS X-based computer.)

Now for the serious part…

If you have given these clever criminals the money they ask for, call your credit card company immediately so they can start the process of issuing you a new card.  If you have logged into any financial institution within a few days either side of the date when you first noticed the infection, or during the infection period, CALL these institutions and have your password changed IMMEDIATELY, and do it by phone or from a computer that was not infected, since anything typed on the infected machine may be captured.  Changing passwords is a good idea from time to time anyway, but after your computer has been infected it is mandatory.

We Have a Winner!

July 17th, 2009

We Have a Winner! (insert sounds of a slot machine hitting the jackpot here…)

Up until now, the hands-down winner for infections in our shop was a Hewlett Packard computer with 34,363 virus-infected files.  This machine, from a 2007 work order, had been “protected” by Norton Internet Security, but was hijacked and turned into a zombie by a collection of Trojans so impressive and destructive that we had no choice but to back up the data and reinstall the computer.

That record, however, has just been shattered by a laptop recently brought into our office, clearly infected by the Sysguard virus.  After removing the hard drive to back up the client’s data, we connected the drive to one of our diagnostic machines.  We started the data copy process, which was almost immediately brought to a halt because one of the files was locked and could not be transferred.  This is almost always due to a viral infection being removed or quarantined by AVG 8.5 on our diagnostic machine.  As soon as this happened, we aborted the data copy and started a virus scan on the client’s drive.  By the time AVG had completed its scan, 150,072 files had been quarantined.  That’s right: One Hundred Fifty THOUSAND and Seventy Two files on one computer.  Almost all were Trojans posing as expensive software, movies, music and assorted commercial products offered for download from this computer.  This is done to bait unsuspecting web surfers into infecting their computers while downloading something for “free”.  It is exactly the same type of infection that held the prior record.

We were SO impressed.

After removing the infections we easily finished the data transfer.

The antivirus protecting this impressively-infected machine?  AVG version 8.  We don’t know when it was installed or whether it had been given an opportunity to scan the drive, but our installation of AVG 8.5 easily removed all infections without our diagnostic machine suffering any ill effects.

As we’ve told our clients for years: If you aren’t going to follow our installation instructions, let us do it for you.  You’ll be glad you did.

Did I mention that the previous runner-up, with 29,400 infections, was a machine from 2007 protected by the AVG Free edition?

There really is No Free Lunch, you know…  No reputable software vendor will give away their flagship product, right?

Don’t trust your computer to “Free” protection.  The repairs can be much more expensive than the full commercial version of AVG.

Sysguard.exe Infection at Record Levels

July 16th, 2009

Over the last 2 weeks we’ve seen a dramatic rise in the infection rate from Sysguard.exe.  This infection masquerades as an Antivirus / System Security Center interface, reporting dozens of infections allegedly from an assortment of fake viruses, Trojans and worms.  Whatever you do, DON’T give in to the threats and intimidation to pay them for protection.  There are two indicators that you’re infected by this bug.

1: You will see a diagonally tiger-striped shield in your system tray.

2: Your Windows Desktop wallpaper will be replaced with a black or blue background with bright red lettering stating “Your’re” computer is infected.  Note the misspelling of “your”.

Don’t try to remove this infection.  It’s impossible for even most of the best computer techs.  We can do it, but it’s expensive.  We generally back up your data and restore your system, as it is less expensive and faster than “cleaning”.  All your system tools will be disabled.  You will not be able to edit your registry, manipulate the Windows startup applications or launch Task Manager when this pest strikes.

New Amazon.com Phishing Scam

April 3rd, 2009

I received two of these today, in two different email accounts, and was impressed by the mechanism.  What you see below is an actual image.  The email contains no text – just this image, which links to a bogus website when you click anywhere in the “text”.

Your first clue should be the fact that this scam alleges Amazon will credit $70 to your account just for filling out a survey.  If it seems too good to be true…

Your second clue should be that if you hold your cursor over the link you’re supposed to click on, it doesn’t go to Amazon at all.  If you look in the status bar at the bottom of your email message you will see where you will be taken when you click a hyperlink.

In this case it is (http://dianahaddadonline.com/users/info/index.html)

Notice this has nothing to do with Amazon.com

Always check the destination of any link in any email before clicking, to be sure it goes where the link claims.  This is a common ruse to redirect you to a location that will infect your computer or steal your identity.
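The check described above (compare where a link really goes with who the message claims to be from) can be done automatically.  The following Python script is an added example, not part of the original post: it collects every link in an HTML email body, including image-only links like the one described here, and reports any whose destination host is not the sender’s real domain.  The sample message is constructed for the demonstration; the destination URL in it is the one quoted above.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, what the reader sees) for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._shown = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._href = attrs["href"]
            self._shown = []
        elif tag == "img" and self._href is not None:
            # Image-only link: the "text" the reader sees is the picture.
            self._shown.append("[image: %s]" % (attrs.get("alt") or ""))

    def handle_data(self, data):
        if self._href is not None and data.strip():
            self._shown.append(data.strip())

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._shown)))
            self._href = None


def host_of(url):
    """Host part of a URL, lower-cased ('' for mailto:, javascript:, relative links)."""
    return (urlparse(url).hostname or "").lower()


def same_site(host, expected_domain):
    """True if host is expected_domain itself or a subdomain of it."""
    expected_domain = expected_domain.lower()
    return host == expected_domain or host.endswith("." + expected_domain)


def suspicious_links(html, expected_domain):
    """Return the links whose real destination is not on expected_domain.

    Anything without an http(s) host (mailto:, javascript:, relative paths)
    is reported too: a message claiming to come from a retailer should not
    be sending you anywhere else.
    """
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, shown in parser.links:
        dest = host_of(href)
        if not same_site(dest, expected_domain):
            findings.append({"href": href, "shown_as": shown, "destination_host": dest})
    return findings


# Constructed stand-in for the image-only message described above; the
# destination URL is the one quoted in the post.
SAMPLE_EMAIL = """
<html><body>
<a href="http://dianahaddadonline.com/users/info/index.html">
  <img src="cid:survey.png" alt="Amazon.com customer survey - receive a $70 credit">
</a>
<p>Questions? See <a href="https://www.amazon.com/gp/help/customer/display.html">Amazon Help</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_EMAIL, "amazon.com"):
        print(f"{f['shown_as']!r} really goes to {f['destination_host']}  ({f['href']})")
```

The comparison is on the parsed hostname, not on whether the string “amazon.com” appears somewhere in the URL, because phishers routinely bury the brand name in the path or in a subdomain of their own site (amazon.com.example.net would fail `same_site` here, as it should).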

Conficker’s Gonna Gitcha!

March 31st, 2009

The biggest question of the hour is one or more of the following:

  • “OMG, is this Conficker thing for real?”
  • “What should I do to protect myself?”
  • “On April 1st is my computer going to be hosed?”

ad nauseam…

Since you apparently didn’t read my other TWO posts on this topic, read THIS ONE, OK?

Yes, variant C of the Conficker / Kido / Downadup worm is scheduled to switch to a new mode of operation on April Fools’ Day and, if you’re not properly protected, you will be in deep, deep donkey dung.

Clear enough?

If you had read my post on the out-of-band Windows security update last October (MS08-067, the hole Conficker spreads through) and installed it, you would already be protected and (hopefully) not pestering me about this issue.  Also, if you had read my post from February 9th on Downadup, which pointed out exactly what I said in the previous sentence… Again… you would not be asking this question.

So to cover much of the same territory again…

On April 1st, this worldwide pest is going to switch on new ways of insulating itself from takedown (it starts generating tens of thousands of possible update domains a day, so that blocking a handful of them no longer cuts it off from its masters).  Conficker C exploits unpatched machines, finds computers and network shares with weak passwords (or none at all), disables security services, antivirus protection and Windows Updates, and blocks access to websites run by legitimate security firms like Symantec and McAfee.  Smart as a whip, Downadup also spreads via removable devices, such as USB thumb drives or removable camera memory, using an infected Autorun file.  Conficker is wickedly clever and nothing if not tenacious.  It will attempt to “brute force” (guess) network Administrator passwords, so if you have some ridiculously easy password (like “password”) or no password at all… You guessed it – You’re SCREWED!

It is a very BAD idea to avail yourself of free website scans to detect this pest, as many of these so-called tools are a whole new breed of infection, taking advantage of all the hype to infect your computer.  There are legitimate free scanning tools from Microsoft, Symantec and McAfee, but if you have the appropriate current Windows security updates and our recommended antivirus (AVG) you should be immune to infection.

None of this is news.  We’ve been saying this since early February.
Follow these steps to protect yourself:

  • Manually check your Windows Updates and ONLY install Security Updates.
  • Do NOT install Service Pack 3!
  • Make sure your AntiVirus (AVG I hope) is fully functional, with no errors and has all current updates.  If the icon is the appropriate blue, red, green and yellow (and not gray), you’re OK.  If not, open AVG’s control panel and find out why – and fix it.
  • If your internet connection seems especially S-L-O-W – with no apparent event to trigger the slowdown, be suspicious and perform a full virus scan.  If you actually find anything, call us and let us clean up the mess.  Anything that slipped by is an indication of inferior protection or a VERY smart bug.  Neither is a good thing.
  • You can block the Autorun function of your Operating System.  Here are the instructions – but be very careful, as this modifies your registry.  One wrong keystroke and your computer no longer boots!
  • You DO have a current backup, right?
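Since Autorun is how this worm jumps from a USB stick to a PC, it helps to know what an autorun.inf actually does when a drive is plugged in.  The following Python script is an added example, not part of the original post: it parses the [autorun] section of such a file (tolerating the junk lines and odd casing that worm-dropped files use to confuse casual inspection) and reports anything that would launch code or disguise the AutoPlay prompt.  The sample autorun.inf is constructed for the demonstration and is not a copy of any real worm’s file; run the script on an autorun.inf copied off a suspect drive instead.

```python
import re

# Keys whose value runs when AutoRun/AutoPlay fires for the drive.
EXEC_KEYS = ("open", "shellexecute", "shell\\open\\command")
CODE_EXT = re.compile(r"\.(exe|dll|scr|com|pif|cmd|bat|vbs|js)\b")


def parse_autorun(text):
    """Return {key: value} from the [autorun] section, keys lower-cased.

    Lines outside the section, comments (;) and lines with no '=' are skipped,
    so junk padding does not break parsing.  The first definition of a key
    wins, mirroring how Windows' own INI reader behaves.
    """
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"^\[(.+?)\]$", line)
        if m:
            in_section = m.group(1).strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            key = key.strip().lower()
            if key and key not in entries:
                entries[key] = value.strip()
    return entries


def assess_autorun(text):
    """Return human-readable findings explaining why this autorun.inf looks hostile."""
    entries = parse_autorun(text)
    findings = []
    for key in EXEC_KEYS:
        cmd = entries.get(key)
        if cmd is None:
            continue
        low = cmd.lower()
        if "rundll32" in low or CODE_EXT.search(low):
            findings.append(f"{key}= launches code: {cmd}")
        if "recycler" in low or "$recycle.bin" in low or "system volume information" in low:
            findings.append(f"{key}= runs from a hidden system folder: {cmd}")
    action = entries.get("action", "")
    if re.search(r"open\s+folder\s+to\s+view\s+files", action, re.IGNORECASE):
        findings.append(f"action= mimics Explorer's own AutoPlay choice: {action}")
    icon = entries.get("icon", "")
    if "shell32.dll" in icon.lower():
        findings.append(f"icon= borrows a stock Explorer folder icon: {icon}")
    return findings


# Constructed sample (not a copy of any real worm's file): junk padding, a decoy
# section and mixed-case keys, with the real payload in the [AuToRuN] section.
SAMPLE_AUTORUN = (
    "; junk padding and a decoy section, as dropped by worms to confuse a glance\n"
    "[decoy]\n"
    "open=notepad.exe\n"
    "\x00\x01\x7fnot-a-key-line\n"
    "[AuToRuN]\n"
    "Action=Open folder to view files\n"
    "Icon=%SystemRoot%\\system32\\shell32.dll,4\n"
    "ShellExecute=RuNdLl32.EXE .\\RECYCLER\\S-1-5-21-1234\\loader.dll,Start\n"
    "UseAutoPlay=1\n"
)

if __name__ == "__main__":
    for finding in assess_autorun(SAMPLE_AUTORUN):
        print("!", finding)
```

The point of the `action=` and `icon=` checks is that a hostile autorun.inf does not need you to double-click anything: it makes its own entry look exactly like the “Open folder to view files” choice Windows would offer anyway, so the safe-looking option is the one that runs the worm.  Disabling Autorun, as the step above says, is what makes the whole file inert.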

Ebay Auction Tool Site Infected.

February 25th, 2009

Last week, web surfers visiting Auctiva.com (a site offering eBay auction tools) were taken aback by warnings from Google that the site they were accessing was serving a Trojan.  The problem became public when Google’s malware warning system started issuing warnings, on loading Auctiva’s home page, that the site was infected with malware.  Google displays a warning page when a site being browsed is known to contain malware.

“It appears the reason these virus alert warnings started showing up on our site is because some of our machines were injected with malware originating in China,” according to Auctiva’s community forum.  “The malware we believe to be at fault has also hit a number of other high-profile websites over the past six months.”

Auctiva is recommending the use of Firefox as opposed to Internet Explorer, as it is “less susceptible to this sort of malware than Internet Explorer.”

One poster on Auctiva’s forum said he may have allowed the infection to propagate by clicking “ignore” when confronted with Google’s warnings.  Even when Google issues a warning, there is still the option to bypass the protection and load the infected page.  Auctiva is said to be working with Google to clear the warning now that its servers have been disinfected.

People who accessed Auctiva’s site between Thursday and Saturday afternoon Pacific Time should have their computers scanned and cleaned to ensure they are no longer infected.