The Top Five Most Dangerous Malware

1- STUXNET

STUXNET has been the hottest topic of the year because it is an unusual worm. It is the first time in history that malware crossed from cyberspace directly into the physical environment: the worm not only damages code and data, it also destroys actual machinery.

Reversing STUXNET allowed security professionals to discover four zero-days in the Microsoft Windows operating system, and as a result proved that even industrial systems, which are usually isolated not only from public networks but also from the internal enterprise network, are not 100% safe.

The worm’s drivers were signed with JMicron Technology and Realtek digital certificates, which lets it bypass HIPS security measures: if the malware is executed it will not be blocked by HIPS, because the driver’s signature comes from authorized firms.

The carnival of vulnerabilities that were exploited by this malware is the following:

1. Microsoft Security Bulletin MS10-046 – Critical

This first bulletin was issued to fix a vulnerability that allows local users or remote attackers to execute arbitrary code via a crafted .LNK or .PIF shortcut file, which is not properly handled during icon display in Windows Explorer.

2. Microsoft Security Bulletin MS10-061

This is a remote code execution vulnerability in the Windows Print Spooler service that could allow a remote, unauthenticated attacker to execute arbitrary code on an affected Windows system. Systems with file and printer sharing turned on are vulnerable to the attack.

3. Microsoft Security Bulletin MS08-067

STUXNET is also capable of distributing itself over the network through shared folders. It scans the network shares c$ and admin$ on remote computers, installs a file (dropper) there under the name DEFRAG.TMP, and schedules a task to be executed the next day, exploiting this vulnerability.

4. Microsoft Security Bulletin MS10-073

This security bulletin fixes three publicly disclosed elevation of privilege (EoP) vulnerabilities in Windows kernel-mode drivers.
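From the defender’s side, the share-based propagation described under item 3 (a file dropped on C$ or ADMIN$ of a remote machine, then a scheduled task created on that machine to run it) leaves a pattern that can be correlated in logs. The following is an added example, not code from the original article; the log records are constructed in a simplified format of my own, not real Windows event log output, and the host names are placeholders.

```python
"""Correlate admin-share file drops with scheduled-task creation on the same
target host, the propagation pattern described for STUXNET above.

Added example, not part of the original article.  The records below are
constructed in a simplified format (not a real Windows event format)."""
from datetime import datetime, timedelta

# Constructed records: (timestamp, target host, event kind, source host, detail)
# For "share_write" the detail is "SHARE\\relative\\path"; for "task_created"
# it is the command line of the new task.
SAMPLE_EVENTS = [
    ("2010-07-15 09:00:05", "WS-014", "share_write",  "WS-007", "ADMIN$\\DEFRAG.TMP"),
    ("2010-07-15 09:00:09", "WS-014", "task_created", "WS-007", "C:\\Windows\\DEFRAG.TMP"),
    ("2010-07-15 09:30:00", "FS-01",  "share_write",  "WS-002", "C$\\Reports\\q2.xlsx"),
    ("2010-07-15 11:10:00", "WS-021", "share_write",  "WS-007", "C$\\DEFRAG.TMP"),
    ("2010-07-16 08:00:00", "WS-021", "task_created", "WS-007", "defrag.tmp"),
    ("2010-07-15 12:00:00", "WS-030", "task_created", "WS-030", "backup.bat"),
]

ADMIN_SHARES = {"C$", "ADMIN$"}
# The article says the task is scheduled for the next day, so the window
# between the drop and the task creation must be generous.
WINDOW = timedelta(hours=36)


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def find_share_drop_then_task(events, window=WINDOW):
    """Alert when a file written to an admin share from another host is
    referenced by a scheduled task created on that host within `window`."""
    drops, tasks = [], []
    for ts, target, kind, source, detail in events:
        t = parse_ts(ts)
        if kind == "share_write":
            share, _, path = detail.partition("\\")
            # Only remote writes to the administrative shares are of interest.
            if share.upper() in ADMIN_SHARES and source != target:
                basename = path.rsplit("\\", 1)[-1].lower()
                drops.append((t, target, source, basename))
        elif kind == "task_created":
            tasks.append((t, target, source, detail.lower()))

    alerts = []
    for dt, dtarget, dsource, name in drops:
        for tt, ttarget, tsource, cmd in tasks:
            if ttarget == dtarget and dt <= tt <= dt + window and name in cmd:
                alerts.append({"target": dtarget, "source": dsource, "file": name,
                               "dropped": dt, "scheduled": tt})
    return alerts


def spreading_sources(alerts, min_targets=2):
    """Sources that triggered the pattern on several targets: the hosts a
    worm is spreading from, which should be isolated first."""
    targets_by_source = {}
    for a in alerts:
        targets_by_source.setdefault(a["source"], set()).add(a["target"])
    return sorted(s for s, t in targets_by_source.items() if len(t) >= min_targets)


if __name__ == "__main__":
    found = find_share_drop_then_task(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['source']} -> {a['target']}: {a['file']} dropped {a['dropped']}, "
              f"task created {a['scheduled']}")
    print("spreading from:", spreading_sources(found))
```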

2- TDL4

TDL4 is the latest version of a rootkit originally known as TDSS or Tidserv, which first appeared back in 2008. However, unlike its predecessors, TDL4 is able to bypass code signing protection in 64-bit versions of Windows Vista and 7.

By default these systems do not allow drivers that are not digitally signed to be loaded, but TDL4 manages to get around that by changing boot options before the operating system actually starts.

TDSS is one of the most complex and dangerous categories of malicious programs in the world, and it continues to evolve.

3- Asprox

Asprox is a small botnet that has been used for password stealing, spam, and phishing attacks. This botnet-based attack is innovative in that it interfaces with Google’s search engine to locate vulnerable web pages.

When a weakness is found, Asprox injects an iFrame-based redirect link into the vulnerable website in order to spread malware.

4- ZeuS 2.0

The ZeuS botnet is still active in 2010. On July 14, 2010, security firm Trusteer filed a report saying that credit cards from more than 15 unnamed US banks had been compromised. A recent outbreak is being called Kneber.

On 1 October 2010, the FBI announced it had discovered a major international cyber crime network which had used Zeus to hack into US computers and steal around $70m.

More than 90 suspected members of the ring were arrested in the US, and arrests were also made in the UK and Ukraine.

5- Trojan Proxies

This malware may turn a victim’s computer into a proxy server. This gives the attacker the opportunity to do everything from the victim’s computer, including conducting credit card fraud and other illegal activities.

Usually such a Trojan installs an email proxy that is used to send large amounts of unsolicited email, i.e. spam, over the infected system’s Internet connection. Recipients tracing the email back to its origin will discover only the IP address of the infected system used as the proxy, which conceals the identity of the attacker.

It can also use the infected system to launch malicious attacks against other networks.

This is the list of 2010’s Top 5 most dangerous malware. I would like to wish our readers, fans, followers and subscribers from around the globe a safe and prosperous New Year; may the year 2011 be full of joy and rewards.

Computer Clarity | Making Computers Clear For You

Spyware

Quick Facts

Spyware is software installed on your computer without your consent to monitor or control your computer use. Clues that spyware is on a computer may include a barrage of pop-ups, a browser that takes you to sites you don’t want, unexpected toolbars or icons on your computer screen, keys that don’t work, random error messages, and sluggish performance when opening programs or saving files. In some cases, there may be no symptoms at all.

To lower your risk of spyware infections:

  • Update your operating system and Web browser software, and set your browser security high enough to detect unauthorized downloads.
  • Use anti-virus and anti-spyware software, as well as a firewall, and update them all regularly.
  • Download free software only from sites you know and trust. Enticing free software downloads frequently bundle other software, including spyware.
  • Don’t click on links inside pop-ups.
  • Don’t click on links in spam or pop-ups that claim to offer anti-spyware software; you may unintentionally be installing spyware.

Just when you thought you were Web savvy, one more privacy, security, and functionality issue crops up — spyware. Installed on your computer without your consent, spyware software monitors or controls your computer use. It may be used to send you pop-up ads, redirect your computer to websites, monitor your internet surfing, or record your keystrokes, which, in turn, could lead to identity theft.

Many experienced Web users have learned how to recognize spyware, avoid it, and delete it. All computer users should take preventive steps to avoid spyware.

The clues that spyware is on a computer include:

  • Barrage of pop-ups
  • Hijacked browser — that is, a browser that takes you to sites other than those you type into the address box
  • A sudden or repeated change in your computer’s internet home page
  • New and unexpected toolbars
  • New and unexpected icons on the system tray at the bottom of your computer screen or on your desktop
  • Keys that don’t work (for example, the “Tab” key that might not work when you try to move to the next field in a Web form)
  • Random error messages
  • Sluggish or downright slow performance when opening programs or saving files

The good news is that consumers can take steps to lower their risk of spyware infections.

Update your operating system and Web browser software. Your operating system (like Windows or Linux) may offer free software “patches” to close holes in the system that spyware could exploit. Set your operating system and security software to update automatically to be sure you have the latest protections.

Use anti-virus and anti-spyware software, as well as a firewall, and update them all regularly. You can download this software from ISPs or software companies or buy it in retail stores. Look for anti-virus and anti-spyware software that removes or quarantines viruses and that updates automatically on a daily basis.

Don’t install any software without knowing exactly what it is. Take the time to read the end-user license agreement (EULA) before downloading any software. If the EULA is hard to find — or difficult to understand — think twice about installing the software.

Minimize “drive-by” downloads. Make sure your browser security setting is high enough to detect unauthorized downloads, for example, at least the “Medium” setting for Internet Explorer.

Don’t click on any links within pop-ups. If you do, you may install spyware on your computer. Instead, close pop-up windows by clicking on the “X” icon in the title bar.

Don’t click on links in spam or pop-ups that claim to offer anti-spyware software. Some software offered in spam or pop-ups actually installs spyware. In fact, ads that claim to have scanned your computer and detected malware are a tactic scammers have used to spread malware, so resist the urge to respond to or click on those messages.

Install a personal firewall to stop uninvited users from accessing your computer. A firewall blocks unauthorized access to your computer and will alert you if spyware already on your computer is sending information out.

Back up your data. Whether it’s text files or photos that are important to you, back up any data that you’d want to keep in case of a computer crash. Do this as regularly as you update your security software.

If you think your computer might have spyware on it, immediately stop shopping, banking, or doing any other online activity that involves user names, passwords, or other sensitive information. Confirm that your security software is active and current and run it to scan your computer for viruses and spyware, deleting anything the program identifies as a problem.


Network Box urges UK government to focus on cybercrime as Britain climbs the virus charts

28/7/10

June saw the UK become the fourth largest producer of spam in the world, and it is now also the fourth largest producer of viruses, according to July threat statistics from managed security company, Network Box.

The number one virus producer remains the US, which has increased production by around one per cent (to 14.6 per cent). But India’s slight increase in production (from 9.2 to 9.5 per cent) was enough to move it to number two in the charts and see Korea drop to third place, with a decline in production of more than three per cent.

The UK has moved from sixth to fourth place in the virus charts – it now produces five per cent of the world’s viruses – the result of an increase of two per cent in virus production and Russia’s decrease of over three per cent.

The spam chart is still dominated by the US (11 per cent), India (eight per cent), Brazil (almost five per cent) and the UK (four per cent).

Simon Heron, Internet Security Analyst for Network Box, says: “Governments are in a difficult position at the moment. Clearly, cuts need to be made to balance the books, but there is also evidence that cybercrime will increase at times of economic strain. Cybercrime is a crime without borders and all governments must co-operate to successfully tackle the problem. The recent news that the UK’s Police Central E-Crime Unit will not receive the increased funding it expected next year, may be seen as further evidence that cybercrime is not being tackled with the urgency that it requires.”

Top Viruses

Threat Name – Daily Average %
  • nbh-multext – 11.74416
  • nbh-bbadhdr – 10.96479
  • trojan.win32.jorik.oficla.u – 7.48022
  • trojan.win32.jorik.oficla.j – 5.34248
  • trojan.win32.oficla.bo – 4.99572
  • nbh-bbadarc – 2.86633
  • trojan.win32.oficla.bt – 2.2565
  • trojan.win32.oficla.br – 2.20455
  • spam.porn.porn_nb_pornhint_34 – 2.0738

Top Trojans

Threat Name – Daily Average %
  • trojan.win32.jorik.oficla.j – 0.02285
  • trojan.win32.jorik.oficla.u – 0.01984
  • trojan.win32.oficla.bo – 0.01462
  • trojan-downloader.win32.fraudload.gxk – 0.01208
  • trojan.win32.jorik.oficla.bb – 0.01033
  • trojan.win32.oficla.bt – 0.00959
  • trojan-downloader.win32.small.kop – 0.00799
  • trojan.win32.jorik.oficla.aa – 0.0074
  • trojan-spy.win32.zbot.alos – 0.00535
  • trojan.win32.oficla.br – 0.00443

Top Intrusions

Threat Name – Daily Average %
  • NETBIOS – 39.28267
  • BOGON – 8.6792
  • PINGFLOOD – 1.36153
  • HTTP-S-WEBDAV – 0.6266
  • ICMP – 0.05833
  • SOBIG-F – 0.05746
  • HTTP-S-WEBDEX – 0.02595
  • HTTP-S-UNIXATTACK – 0.02459
  • HTTP-S-NIMDA – 0.00973
  • HTTP-S-IISATTACK – 0.0008

Top Sources of Viruses

Country – Daily Average %
  • United States – 14.64898
  • India – 9.57231
  • Korea – 5.99554
  • UK – 5.09639
  • Russia – 4.01557
  • China – 3.35989
  • Ukraine – 2.89108
  • Italy – 2.79624
  • Australia – 2.69671
  • Vietnam – 2.55455

Top Sources of Spam

Country – Daily Average %
  • United States – 11.42716
  • India – 8.73694
  • Brazil – 4.97363
  • UK – 4.80078
  • Vietnam – 3.92574
  • China – 3.56398
  • Russia – 3.2715
  • Germany – 3.19516
  • Korea – 3.19514
  • France – 2.47488


Reducing Spam

Spam is a common, and often frustrating, side effect to having an email account. Although you will probably not be able to eliminate it, there are ways to reduce it.

What is spam?

Spam is the electronic version of “junk mail.” The term spam refers to unsolicited, often unwanted, email messages. Spam does not necessarily contain viruses—valid messages from legitimate sources could fall into this category.

How can you reduce the amount of spam?

There are some steps you can take to significantly reduce the amount of spam you receive:

  • Don’t give your email address out arbitrarily – Email addresses have become so common that a space for them is often included on any form that asks for your address—even comment cards at restaurants. It seems harmless, so many people write them in the space provided without realizing what could happen to that information. For example, companies often enter the addresses into a database so that they can keep track of their customers and the customers’ preferences. Sometimes these lists are sold to or shared with other companies, and suddenly you are receiving email that you didn’t request.
  • Check privacy policies – Before submitting your email address online, look for a privacy policy. Most reputable sites will have a link to their privacy policy from any form where you’re asked to submit personal data. You should read this policy before submitting your email address or any other personal information so that you know what the owners of the site plan to do with the information.
  • Be aware of options selected by default – When you sign up for some online accounts or services, there may be a section that provides you with the option to receive email about other products and services. Sometimes these options are selected by default, so if you do not deselect them, you could begin to receive email from those lists as well.
  • Use filters – Many email programs offer filtering capabilities that allow you to block certain addresses or to only allow email from addresses on your contact list. Some ISPs offer spam “tagging” or filtering services, but legitimate messages misclassified as spam might be dropped before reaching your inbox. However, many ISPs that offer filtering services also provide options for tagging suspected spam messages so the end user can more easily identify them. This can be useful in conjunction with filtering capabilities provided by many email programs.
  • Report messages as spam – Most email clients offer an option to report a message as spam or junk. If yours has that option, take advantage of it. Reporting messages as spam or junk helps to train the mail filter so that such messages aren’t delivered to your inbox. However, check your junk or spam folders occasionally to look for legitimate messages that were incorrectly classified as spam.
  • Don’t follow links in spam messages – Some spam relies on generators that try variations of email addresses at certain domains. If you click a link within an email message or reply to a certain address, you are just confirming that your email address is valid. Unwanted messages that offer an “unsubscribe” option are particularly tempting, but this is often just a method for collecting valid addresses that are then sent other spam.
  • Disable the automatic downloading of graphics in HTML mail – Many spammers send HTML mail with a linked graphic file that is then used to track who opens the mail message—when your mail client downloads the graphic from their web server, they know you’ve opened the message. Disabling HTML mail entirely and viewing messages in plain text also prevents this problem.
  • Consider opening an additional email account – Many domains offer free email accounts. If you frequently submit your email address (for online shopping, signing up for services, or including it on something like a comment card), you may want to have a secondary email account to protect your primary email account from any spam that could be generated. You could also use this secondary account when posting to public mailing lists, social networking sites, blogs, and web forums. If the account starts to fill up with spam, you can get rid of it and open a different one.
  • Use privacy settings on social networking sites – Social networking sites typically allow you to choose who has access to see your email address. Consider hiding your email account or changing the settings so that only a small group of people that you trust are able to see your address. Also, when you use applications on these sites, you may be granting permission for them to access your personal information. Be cautious about which applications you choose to use.
  • Don’t spam other people – Be a responsible and considerate user. Some people consider email forwards a type of spam, so be selective with the messages you redistribute. Don’t forward every message to everyone in your address book, and if someone asks that you not forward messages to them, respect their request.


What You Can Do to Avoid Becoming a Victim

Filter Spam

Because most email scams begin with unsolicited commercial email, you should take measures to prevent spam from getting into your mailbox. Most email applications and web mail services include spam-filtering features, or ways in which you can configure your email applications to filter spam. Consult the help file for your email application or service to find out what you must do to filter spam.

You may not be able to eliminate all spam, but filtering will keep a great deal of it from reaching your mailbox. You should be aware that spammers monitor spam filtering tools and software and take measures to elude them. For instance, spammers may use subtle spelling mistakes to subvert spam filters, changing “Potency Pills” to “Potençy Pills.”

Regard Unsolicited Email with Suspicion

Don’t automatically trust any email sent to you by an unknown individual or organization. Never open an attachment to unsolicited email. Most importantly, never click on a link sent to you in an email. Cleverly crafted links can take you to forged web sites set up to trick you into divulging private information or downloading viruses, spyware, and other malicious software.

Spammers may also use a technique in which they send unique links in each individual spam email. Victim 1 may receive an email with the link <http://dfnasdunf.example.org/>, and victim 2 may receive the same spam email with the link <http://vnbnnasd.example.org/>. By watching which links are requested on their web servers, spammers can figure out which email addresses are valid and more precisely target victims for repeat spam attempts.
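Both tricks, the linked tracking graphic from the “Reducing Spam” list above and the per-recipient unique link in this paragraph, rely on the mail client fetching something from the sender’s server. The scanner below is an added example, not code from the original posts: it records remote images, flags the ones that look like open-tracking beacons, rewrites them so nothing is fetched, and lists links that point away from the sender’s domain. The sample message, its domains and the sender domain are constructed placeholders.

```python
"""Find and neutralise remote-image beacons in an HTML e-mail, and list links
that leave the sender's domain.

Added example, not from the original posts.  SAMPLE_HTML and
SAMPLE_SENDER_DOMAIN are constructed; the hosts are placeholders."""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed message: a 1x1 per-recipient beacon, an ordinary remote image,
# an inline (cid:) image, and one link on a host unrelated to the sender.
SAMPLE_HTML = """<html><body>
<p>Dear customer, your account needs attention.</p>
<img src="http://track.example.invalid/open.gif?u=abc123" width="1" height="1">
<img src="http://cdn.example.invalid/logo.png" width="200" height="60">
<img src="cid:part1.inline@example.invalid">
<p>Click <a href="http://dfnasdunf.tracker.invalid/">here</a> or visit
<a href="https://www.example.invalid/help">our site</a>.</p>
</body></html>"""
SAMPLE_SENDER_DOMAIN = "example.invalid"   # constructed

REMOTE_SCHEMES = ("http", "https")


class MailScanner(HTMLParser):
    """Copy the markup through, recording remote images and links, and move
    every remote <img src> out of the way so the client never fetches it."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.remote_images = []   # (url, looks_like_beacon)
        self.links = []
        self._out = []

    @staticmethod
    def _is_remote(url):
        return urlparse(url).scheme.lower() in REMOTE_SCHEMES

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src") and self._is_remote(a["src"]):
            # A 1x1 image, or an identifier in the query string, is the usual
            # open-tracking beacon: the fetch tells the sender who opened the
            # message and when.
            tiny = a.get("width") == "1" and a.get("height") == "1"
            tagged = bool(parse_qs(urlparse(a["src"]).query))
            self.remote_images.append((a["src"], tiny or tagged))
            # Keep the URL for inspection, but not in src, so nothing loads.
            a["data-blocked-src"] = a.pop("src")
            a.setdefault("alt", "[remote image blocked]")
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])
        attr_text = "".join(f' {k}="{v}"' for k, v in a.items() if v is not None)
        self._out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        self._out.append(f"</{tag}>")

    def handle_data(self, data):
        self._out.append(data)

    def handle_entityref(self, name):
        self._out.append(f"&{name};")

    def handle_charref(self, name):
        self._out.append(f"&#{name};")

    def rewritten(self):
        return "".join(self._out)


def scan_mail(html):
    """Return (remote_images, links, rewritten_html) for one HTML message."""
    scanner = MailScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.remote_images, scanner.links, scanner.rewritten()


def links_off_domain(links, sender_domain):
    """Links whose host is neither the sender's domain nor a subdomain of it;
    a single message cannot reveal a per-recipient link, but these are the
    ones worth a second look before clicking."""
    sender_domain = sender_domain.lower()
    off = []
    for url in links:
        host = (urlparse(url).hostname or "").lower()
        if host != sender_domain and not host.endswith("." + sender_domain):
            off.append(url)
    return off


if __name__ == "__main__":
    images, links, safe_html = scan_mail(SAMPLE_HTML)
    for url, beacon in images:
        print(("BEACON " if beacon else "image  ") + url)
    print("off-domain links:", links_off_domain(links, SAMPLE_SENDER_DOMAIN))
```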

Remember that even email sent from a familiar address may create problems: Many viruses spread themselves by scanning the victim computer for email addresses and sending themselves to these addresses in the guise of an email from the owner of the infected computer.

Treat Email Attachments with Caution

Email attachments are commonly used by online scammers to sneak a virus onto your computer. These viruses can help the scammer steal important information from your computer, compromise your computer so that it is open to further attack and abuse, and convert your computer into a ‘bot’ for use in denial-of-service attacks and other online crimes. As noted above, a familiar “from” address is no guarantee of safety because some viruses spread by first searching for all email addresses on an infected computer and then sending themselves to these addresses. It could be that your friend’s computer is infected with just such a virus.

Use Common Sense

When email arrives in your mailbox promising you big money for little effort, accusing you of violating the Patriot Act, or inviting you to join a plot to grab unclaimed funds involving persons you don’t know in a country on the other side of the world, take a moment to consider the likelihood that the email is legitimate.

Install Antivirus Software and Keep it Up to Date

If you haven’t done so by now, you should install antivirus software on your computer. If possible, you should install an antivirus program that has an automatic update feature. This will help ensure you always have the most up-to-date protection possible against viruses. In addition, you should make sure the antivirus software you choose includes an email scanning feature. This will help keep your computer free of email-borne viruses.

Install a Personal Firewall and Keep it Up to Date

A firewall will not prevent scam email from making its way into your mailbox. However, it may help protect you should you inadvertently open a virus-bearing attachment or otherwise introduce malware to your computer by following the instructions in the email. The firewall, among other things, will help prevent outbound traffic from your computer to the attacker. When your personal firewall detects suspicious outbound communications from your computer, it could be a sign you have inadvertently installed malicious programs on your computer.

Learn the Email Policies of the Organizations You Do Business With

Most organizations doing business online now have clear policies about how they communicate with their customers in email. Many, for instance, will not ask you to provide account or personal information via email. Understanding the policies of the organizations you do business with can help you spot and avoid phishing and other scams. Do note, however, that it’s never a good idea to send sensitive information via unencrypted email.

Configure Your Email Client for Security

There are a number of ways you can configure your email client to make you less susceptible to email scams. For instance, configuring your email program to view email as “text only” will help protect you from scams that misuse HTML in email.


PandaLabs Annual Malware Report, 2009 sets new records for malware creation: 25 million new strains

PandaLabs, the anti-malware laboratory of Panda Security (The Cloud Security Company), has published its Annual Malware Report.

The report reviews the major incidents and events concerning IT security in 2009. The outstanding trend of the last 12 months has been the prolific production of new malware: 25 million new strains were created in just one year, compared to a combined total of 15 million throughout the rest of the company’s 20-year history.

This latest surge of activity included countless new examples of banker Trojans (some 66%) as well as a host of fake antivirus programs (rogueware). The report also draws attention to the resurgence of traditional viruses, previously on the verge of extinction, such as Conficker, Sality or the veteran Virutas. See the graph here.

During 2009, spam was also highly active: some 92% of all email traffic was identified as spam. The tricks used to dupe potential victims into opening these emails have focused heavily on exploiting current affairs and dramatic news stories (a tendency which also applied to SEO attacks). As such, we saw waves of junk mail related to celebrity scandals or deaths (real or fictitious), swine flu, compromising videos of politicians, etc. This year PandaLabs also tracked how spam impacted different industrial sectors, revealing that the automobile and electrical industries were the worst affected, followed by government institutions.

As regards malware distribution channels, social networks (mainly Facebook, Twitter, YouTube or Digg), and SEO attacks (directing users to malware-laden websites) have been favored by cyber-criminals, who have been consolidating underground business models to increase revenues.

The Annual Malware Report also examines how individual countries and regions have been affected throughout the year, based on the data gathered from computers scanned and disinfected free of charge with Panda ActiveScan. Taiwan tops the rankings, followed by Russia, Poland, Turkey, Colombia, Argentina and Spain. Countries suffering fewest infections include Portugal and Sweden.
You can see this graph here.

Last year also saw a rise in the number of news stories related to cyber-attacks with political motives or targets, suggesting that this is no longer the preserve of sci-fi movies and conspiracy theorists and is now becoming a reality.

Finally, and as we announced some days ago, PandaLabs has predicted that the amount of malware in circulation will continue to grow during 2010. Windows 7 will surely attract the interest of hackers when it comes to designing new malware, and attacks on Mac will increase. While we are likely to witness more politically motivated attacks, the report concludes that, once again, this will not be the year of the cell phone virus.


Weekly Report on Viruses and Intruders – 12/24/09

This week’s PandaLabs report looks at two new fake antiviruses and a Trojan.

Safety Antispyware and InternetSecurity 2010 are malicious programs that try to pass themselves off as legitimate software applications in order to steal users’ money by tricking them into believing that they will eliminate threats that actually do not exist. For more information about this type of malware read “The Business of Rogueware”, a report on fake antivirus programs written by Luis Corrons and Sean-Paul Correll, PandaLabs researchers.

This report is available at: http://www.pandasecurity.com/img/enc/El%20Negocio%20de%20los%20falsos%20antivirus.pdf

Safety Antispyware tricks users by warning them their computers are infected by (non-existent) threats, prompting them to buy a program to remove them. This program can be downloaded from the vendor’s site. The link can reach users through spam messages, fraudulent Web pages, etc. The fake antivirus shows an icon similar to that of real antivirus programs. Once installed, the program interface opens and runs a full system scan looking for malware.

You can see an image here: http://www.flickr.com/photos/panda_security/4208462422/

Then, it shows a series of messages prompting the targeted user to buy the product.

(http://www.flickr.com/photos/panda_security/4208462446/)

If the user decides to follow the program instructions to get rid of the ‘threats’, they will be asked to enter an activation code and be redirected to a website to buy the product. Once run, InternetSecurity 2010 scans the computer for malware. However, this is a fake scan that always reports that the computer is infected. Then, it offers users the possibility of disinfecting the computer. As the fake antivirus version is supposedly a trial version, users are first requested to buy the antivirus license. To this end, the malware opens the user’s Internet browser on the fake antivirus purchase page. To reassure users that the purchase is safe and the antivirus is legitimate, it shows certificates of authenticity and claims to have been tested by McAfee. It even offers the antivirus license for a long time, apparently at a good price.

See an image here: http://www.flickr.com/photos/panda_security/4207698275/

If the user decides not to purchase the antivirus, it will keep running and displaying warnings about the threats the user is exposed to if they remain infected and do not update the antivirus. These warnings are displayed in two ways: through warnings on the toolbar or on-screen pop-up messages.

Banker.MAI is banker malware aimed at stealing banking data, credentials and/or credit card details when users try to log in to their online banking services. This malware goes memory resident and does not show any symptoms that warn of its presence on the affected computer. The malware works in the background, waiting to run and to send or receive data. Banker.MAI arrives as a self-extracting RAR file attached to an email message, usually with the subject “Comprovante Deposito-29092009”. This email message appears to come from a legitimate banking institution, and asks the user to open the attached file to enter some necessary data. If the user opens the file they will become infected. The malware creator is notified via email whenever a computer is successfully infected.

More information about these and other malicious codes is available in the Panda Security Encyclopedia http://www.pandasecurity.com/homeusers/security-info/.


A New Category of Malware Has Emerged

According to Panda Security and PandaLabs, the global leaders in computer security, “Rogueware consists of any kind of fake software solution that attempts to steal money from PC users by luring them into paying to remove nonexistent threats.” They also point out the following facts:

  • Rogueware attacks generate approximately $34 million per month for cybercriminals
  • Each month rogueware infects approximately 35 million computers
  • Twitter, Facebook, MySpace, and Digg, are used to spread rogueware
  • Eastern Europe is the source of the majority of cybercriminals
  • Rogueware is difficult to detect because it changes quickly

Because of these facts, your computer will encounter rogueware and your antivirus might not catch it. So, what does a rogueware attack look like? A window appears on your computer screen announcing the presence of viruses on your computer and offering to remove them if you pay $40-$90. If you don’t, the program starts hiding different window controls and continues to warn you with popup windows until you do pay. Then it will wait a random period of time before doing it again. Once the rogueware is installed, it can be very difficult to remove, so it is best to catch and stop the installation attempt. Fortunately this is very easy. Rogueware tries to look like an antivirus. You must know who your antivirus company is and not trust any other antivirus warning. When you see a warning, identify what program is issuing the warning. If it is not your antivirus software, then it is a rogue security officer trying to gain entry into your computer.

When this occurs on your computer you must close the window without following any of its instructions and without touching the window. Use the taskbar button below that represents the window, right-click it, then hit close. This should close the window, but if it does not, press and hold the power button on your computer. You may lose any unsaved work, but it is better than removing the rogueware after the infection.

Rogueware and other types of malware threats are extremely prolific on the internet. Antivirus companies are trying frantically to keep up with the threat, but only one is on top of it. Panda Security makes and distributes the best computer security solutions, and PandaLabs discovers the threats and writes the antivirus updates before the rest of the antivirus companies even know about them. Several teams, each specialized in a specific type of malware (viruses, worms, Trojans, spyware, phishing, spam, etc.), work 24/7 to provide global coverage. To achieve this, they also have the support of TruPrevent® Technologies, which act as a global early-warning system made up of strategically distributed sensors to neutralize new threats and send them to PandaLabs for in-depth analysis. According to Av.Test.org, PandaLabs is currently the fastest laboratory in the industry in providing complete updates to users. According to my own test, Panda Security Solutions are the best available.
