The Computer Clarity Blog

As has become tradition, PandaLabs, the anti-malware laboratory of Panda Security -The Cloud Security Company- has published its 2009 Virus Yearbook, reviewing the malicious codes that have appeared over the last 12 months and examining those that have stood out for one reason or another.
Rather than a ranking of the most widespread viruses, or those that have caused most infections, PandaLabs has selected those which, either for their use of social engineering or their visible effects on computers, stood out most last year. For this reason, some of the more well-known malicious codes (such as the Koobface virus) are absent from the list.

So here are the viruses we believe deserve a mention:

- The biggest headache. There can be no doubt that Conficker.C has been the most obnoxious virus over the last 12 months. It first appeared on December 31, 2008, and has spent the last year causing serious infections to companies and home users alike. The insidious and tenacious nature of this malicious code has earned it first place in our ranking.

- The Harry Potter of viruses. Although there is no reference to the world’s most popular fictional wizard, the on-screen messages Samal.A displays are all about magic. When it infects a computer, users will see the message “Ah ah you didn’t say the magic word” (see photo on Flickr), and the cursor then flickers waiting for users to enter a word. The truth is, it doesn’t matter what is entered, because after three attempts, the phrase “Samael has come. This the end” (see photo here), will be displayed and the computer is restarted.

- V for Vendetta. We still don’t know who is the real target of this vendetta, but DirDel.A wreaks vengeance on infected users, progressively replacing folders in different directories with copies of itself. The worm is carried in a file called Vendetta.exe with a typical Windows folder icon (see photo on Flickr).

- Plane nuisance. The Sinowal.VZR Trojan has infected thousands of computers under the guise of plane tickets supposedly purchased by the user (see photo on Flickr).

- The all-action virus. We are talking about Whizz.A. Once infected, computers will start emitting a series of beeps, the mouse pointer moves uncontrollably around the screen, the CD/DVD tray opens and closes, while the screen is ‘decorated’ with a row of bars like those in the image.

- The snooper. Waledac.AX ensnares its victims by claiming to offer a free application for reading SMS messages on anyone’s cell phone. Ideal for those that want to check up on their partners. Perhaps that’s why so many users fell victim to this intelligent virus.

- The most affectionate. BckPatcher.C tops this category, as it changes the desktop wallpaper to an image reading “virus kiss 2009” (see photo on Flickr. What a charmer!

- A touch of the sniffles. We couldn’t fail to mention here a couple of the viruses,WinVNC.A and Sinowal.WRN that used the widespread alarm surrounding swine flu to trick users and infect their systems.

- And the award for incompetent newcomer goes to… Ransom.K. This Trojan encrypts documents on infected computers, and then asks for a $100 ransom to release them. However its reator, probably lacking in experience, included a programming error which allows users to release the files with a simple key combination.

- The most deceitful. This year, the winner in this category is FakeWindows.A, which infects users by passing itself off as a license activation process for Windows XP.

- The party animal. Banbra.GMH arrives in an email promising photos of Brazilian parties (with dancing girls included)… Who could resist?

Computer Clarity

PandaLabs, the anti-malware laboratory of Panda Security –The Cloud Security Company- has published its Annual Malware Report.

The report reviews the major incidents and events concerning IT security in 2009. The outstanding trend of the last 12 months has been the prolific production of new malware: 25 million new strains were created in just one year, compared to a combined total of 15 million throughout the rest of the company’s 20-year history.

This latest surge of activity included countless new examples of banker Trojans (some 66%) as well as a host of fake antivirus programs (rogueware). The report also draws attention to the resurgence of traditional viruses, previously on the verge of extinction, such as Conficker, Sality or the veteran Virutas. See the graph here.

During 2009, spam was also highly active: some 92% of all email traffic was identified as spam. The tricks used to dupe potential victims into opening these emails have focused heavily on exploiting current affairs and dramatic news stories -a tendency which also applied to SEO attacks-. As such, we saw waves of junk mail related to celebrity scandals or deaths (real or fictitious), swine flu, compromising videos of politicians, etc. This year PandaLabs also tracked how spam impacted different industrial sectors, revealing how the automobile and electrical industries were the worst affected, followed by government institutions.

As regards malware distribution channels, social networks (mainly Facebook, Twitter, YouTube or Digg), and SEO attacks (directing users to malware-laden websites) have been favored by cyber-criminals, who have been consolidating underground business models to increase revenues.

The Annual Malware Report also examines how individual countries and regions have been affected throughout the year, based on the data gathered from computers scanned and disinfected free of charge with Panda ActiveScan. Taiwan tops the rankings, followed by Russia, Poland, Turkey, Colombia, Argentina and Spain. Countries suffering fewest infections include Portugal and Sweden.
You can see this graph here.

Last year also saw a rise in the number of news stories related to cyber-attacks with political motives or targets, suggesting that this is no longer the preserve of sci-fi movies and conspiracy theorists and is now becoming a reality.

Finally, and as we announced some days ago, PandaLabs has predicted that the amount of malware in circulation will continue to grow during 2010. Windows 7 will surely attract the interest of hackers when it comes to designing new malware, and attacks on Mac will increase. While we are likely to witness more politically motivated attacks the report concludes that, once again, this will not be the year of the cell phone virus.

Computer Clarity

This week’s PandaLabs report looks at two fake antiviruses: PcLiveGuard and GreatDefender.

This type of malware passes itself off as legitimate software applications in order to steal users’ money by tricking them into believing that they will eliminate threats on their computers.  Panda Security has published a report on fake antiviruses, available at:

http://www.pandasecurity.com/img/enc/The%20Business%20of%20Rogueware.pdf

Similarly, the PandaLabs Annual Report also provides information about the situation of this malware at:http://www.pandasecurity.com/img/enc/Annual_Report_PandaLabs_2009.pdf

PcLiveGuard’s icon resembles a legitimate antivirus icon. When run, a typical screen is displayed, asking users if they want to scan their PCs. See pic at: http://www.flickr.com/photos/panda_security/4255539533/

Regardless of whether users accept or not, it will indicate their computer is infected. Here is the image that will be displayed if users scan their PC (http://www.flickr.com/photos/panda_security/4256301498/).

If users do not scan their PC with the fake antivirus, infection warnings are displayed to scare them into purchasing the product.

GreatDefender is a fake antivirus which informs about potentially dangerous software on the computer, due to it not being correctly protected. It tries to get users to pay with their credit cards in order to install the solution.  The objective of the antivirus is to collect personal and bank details provided by users on purchasing it. As this type of malware cannot reproduce itself, it requires user interaction to infect the PC. To do so, it uses its own websites on which it is advertised as one of the best anti-spyware solutions in the market.

Picture available at: http://www.flickr.com/photos/panda_security/4256301526/

When users access the website, they are given the option to download the antivirus, but when they try, the trial version is unavailable and they are redirected to the pay version.  The installation process is similar to that of any antivirus, allowing users to select the language and location of the files. Once the installation ends, the fake antivirus carries out a full system scan.  It then falsely ensures users that their computers are free from any infections.  To make users believe they are protected, an icon is displayed in the Windows desktop, the quick taskbar and the Windows start menu, to make it look as authentic as possible.

Computer Clarity

According to Panda Security and PandaLabs, the global leaders in computer security, “Rogueware consists of any kind of fake software solution that attempts to steal money from PC users by luring them into paying to remove nonexistent threats.”  They also point out the following facts:

• Rogueware attacks generate approximately $34 million per month for cybercriminals
• Each month rogueware infects approximately 35 million computers
• Twitter, Facebook, MySpace, and Digg, are used to spread rogueware
• Eastern Europe is the source of the majority of cybercriminals
• Rogueware is difficult to detect because it changes quickly

Because of these facts, your computer will encounter rogueware and your antivirus might not catch it.  So, what does a rogueware attack look like?  A window appears on your computer screen announcing the presence of viruses on your computer and offering to remove them if you pay them $40-$90.  If you don’t, the program starts hiding different windows controls and continues to warn you with popup windows until you do pay.  Then they will wait a random period of time before they do it again.  Once the rogueware is installed, it can be very difficult to remove, so it is best to catch and stop the installation attempt.  Fortunately this is very easy.  Rogueware tries to look like an antivirus.  You must know who your antivirus company is and don’t trust any other antivirus warning.  When you see a warning, identify what program is issuing the warning.  If it is not your antivirus software, then it is a rogue security officer trying to gain entry into your computer.

When this occurs on your computer you must close the window without following any of its instructions and without touching the window.   You must use the taskbar button below that represents the window, right click it, then hit close.  This should close the window, but if it does not, press and hold your power button on your computer.  You may lose any unsaved work, but it is better than removing the rogueware after the infection.

Rogueware and other types of malware threats are extremely prolific on the internet.  Antivirus companies are trying franticly to keep up with the threat, but only one is on top of it.  Panda Security makes and distributes the best computer security solutions and PandaLabs discovers the threats and writes the antivirus updates before the rest of the antivirus companies even know about it.  Several teams, each specialized in a specific type of malware (viruses, worms, Trojans, spyware, phishing, spam, etc), work 24/7 to provide global coverage. To achieve this, they also have the support of TruPrevent® Technologies, which act as a global early-warning system made up of strategically distributed sensors to neutralize new threats and send them to PandaLabs for in-depth analysis. According to Av.Test.org, PandaLabs is currently the fastest laboratory in the industry in providing complete updates to users. According to my own test, Panda Security Solutions are the best available.

Computer Clarity