The Top Five Most Dangerous Malware

1- STUXNET

STUXNET was the hottest topic of the year because it is an unusual worm. For the first time in history, malware crossed from cyberspace into the physical environment: rather than only corrupting code and data, it reprogrammed the programmable logic controllers (PLCs) that drive industrial machinery and damaged the equipment itself.

Reverse engineering STUXNET led researchers to four previously unknown (zero-day) vulnerabilities in Microsoft Windows, and it proved that even industrial systems, which are usually isolated not only from public networks but also from the internal enterprise network, are not 100% safe.

The worm's kernel drivers were signed with digital certificates stolen from JMicron Technology and Realtek. A validly signed driver loads without tripping Windows driver-signing checks, and HIPS products treat binaries signed by known vendors as trusted, so once the malware was executed its drivers were not blocked.

The vulnerabilities exploited by this malware are the following:

1.     Microsoft Security Bulletin MS10-046 – Critical

This bulletin fixed a vulnerability that allows local users or remote attackers to execute arbitrary code via a crafted .LNK or .PIF shortcut file, which Windows Explorer did not handle correctly when rendering the shortcut's icon. Merely browsing a folder or removable drive containing the shortcut was enough to trigger it.

2.     Microsoft Security Bulletin MS10-061

This is a remote code execution vulnerability in the Windows Print Spooler service that allows a remote, unauthenticated attacker to execute arbitrary code on an affected system. Only systems with file and printer sharing enabled (a shared printer reachable over the network) are exposed.

3.     Microsoft Security Bulletin MS08-067

STUXNET also spreads over the network through shared folders: it copies a dropper named DEFRAG.TMP into the C$ and ADMIN$ administrative shares of remote computers and creates a scheduled task to execute it the next day. Separately, it exploits MS08-067, the Windows Server service RPC vulnerability, to run code on hosts that never installed that 2008 patch; being two years old, this one was not among the zero-days.

4.     Microsoft Security Bulletin MS10-073

This bulletin fixed three publicly disclosed elevation-of-privilege (EoP) vulnerabilities in the Windows kernel-mode drivers; STUXNET used one of them to gain SYSTEM privileges on the infected host.
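The share-based spreading described in item 3 leaves a recognisable trace: a write of DEFRAG*.TMP into an administrative share followed shortly by a scheduled-task creation on the same host from the same remote peer. The following detection script is an added example, not code from the original post or from any vendor; it runs over constructed, simplified log lines whose event IDs follow the Windows Security log (5145 for share access, 4698 for scheduled task creation) and which assume a "src" field carrying the remote address that authenticated, which real 4698 events do not expose in this form.

```python
import re
from datetime import datetime, timedelta

# Constructed, simplified log lines standing in for Windows Security events
# (not real Stuxnet telemetry). Format per line:
#   <ISO timestamp> <event id> key=value ...
# 5145 = a network share object was accessed, 4698 = a scheduled task was
# created. "src" is assumed to be the remote address that authenticated.
SAMPLE_LOG = r"""
2010-07-20T09:01:12 5145 host=ws01 src=10.0.0.55 share=\\*\ADMIN$ path=DEFRAG41299.TMP access=WriteData
2010-07-20T09:01:40 4698 host=ws01 src=10.0.0.55 task=\Microsoft\Windows\At1 command=rundll32.exe
2010-07-20T09:05:03 5145 host=ws02 src=10.0.0.7 share=\\*\C$ path=report.docx access=ReadData
2010-07-20T09:30:00 5145 host=ws03 src=10.0.0.55 share=\\*\C$ path=DEFRAG73110.TMP access=WriteData
2010-07-21T11:15:27 4698 host=ws03 src=10.0.0.55 task=\Microsoft\Windows\At3 command=rundll32.exe
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<eid>\d+) (?P<rest>.*)$")
DROPPER_RE = re.compile(r"^DEFRAG\d*\.TMP$", re.IGNORECASE)
ADMIN_SHARES = {"ADMIN$", "C$"}


def parse_line(line):
    """Turn one log line into a dict, or None for blank/unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split())
    fields["ts"] = datetime.fromisoformat(m.group("ts"))
    fields["eid"] = int(m.group("eid"))
    return fields


def is_dropper_write(ev):
    """A write of DEFRAG<digits>.TMP into an administrative share."""
    return (ev["eid"] == 5145
            and ev.get("access") == "WriteData"
            and ev.get("share", "").rsplit("\\", 1)[-1].upper() in ADMIN_SHARES
            and DROPPER_RE.match(ev.get("path", "")) is not None)


def correlate(log_text, window=timedelta(hours=1)):
    """Pair each dropper write with a scheduled-task creation on the same host,
    from the same remote source, within `window` after the write."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    drops = [e for e in events if is_dropper_write(e)]
    tasks = [e for e in events if e["eid"] == 4698]
    alerts = []
    for d in drops:
        for t in tasks:
            delta = t["ts"] - d["ts"]
            if (t["host"] == d["host"] and t["src"] == d["src"]
                    and timedelta(0) <= delta <= window):
                alerts.append({"host": d["host"], "src": d["src"],
                               "dropper": d["path"], "task": t["task"]})
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(f"ALERT {a['host']}: {a['src']} wrote {a['dropper']} then created {a['task']}")
```

With the default one-hour window only ws01 is reported; the ws03 pair is 26 hours apart and is dropped, which is the intended behaviour, since the task is created immediately after the copy even though it is scheduled to run the next day. Widen the window only if you have reason to believe creation itself is delayed.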

2- TDL4

TDL4 is the latest version of a rootkit originally known as TDSS or Tidserv, which first appeared in 2008. Unlike its predecessors, TDL4 bypasses the kernel-mode code-signing requirement of 64-bit Windows Vista and 7.

By default these systems refuse to load drivers that are not digitally signed, but TDL4 gets around that by infecting the Master Boot Record and altering the boot options before the operating system starts, so its unsigned driver is loaded anyway.

TDSS is one of the most complex and dangerous families of malicious programs in the world, and it continues to evolve.
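Because TDL4 lives in the boot sector, the usual in-OS driver checks never see it; the practical check is to read the first sector of the disk and compare its boot code against a known-good copy. The script below is an added example (not code from the original post or from any TDSS analysis): it parses a 512-byte MBR, hashes the 446-byte boot code, sanity-checks the partition table, and runs against two constructed MBRs, a clean one and one whose boot code has been patched with a jump the way a bootkit does. The boot-code bytes are a stand-in, not a real bootloader; on a live system you would read `\\.\PhysicalDrive0` (Windows) or `/dev/sda` (Linux) with administrator rights and take the baseline hash from a known-clean machine of the same build.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0..445: boot code
PART_TABLE_OFF = 446     # four 16-byte partition entries
SIGNATURE = b"\x55\xaa"  # bytes 510..511
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(mbr):
    """Return the SHA-256 of the boot code and the non-empty partition entries."""
    if len(mbr) != MBR_SIZE or mbr[510:512] != SIGNATURE:
        raise ValueError("not a valid MBR")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def check_mbr(mbr, baseline_boot_hash):
    """Compare against a known-good boot code hash and sanity-check the partition table."""
    info = parse_mbr(mbr)
    findings = []
    if info["boot_code_sha256"] != baseline_boot_hash:
        findings.append("boot code differs from baseline (possible bootkit)")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} bootable partitions (expected exactly 1)")
    return findings


def build_sample_mbr(boot_code):
    """Constructed 512-byte MBR with one bootable NTFS partition (type 0x07)."""
    mbr = bytearray(MBR_SIZE)
    mbr[:len(boot_code)] = boot_code
    struct.pack_into(ENTRY_FMT, mbr, PART_TABLE_OFF, 0x80, 0x07, 2048, 204800)
    mbr[510:512] = SIGNATURE
    return bytes(mbr)


# Stand-in boot code (constructed, not a real bootloader): a short prologue
# followed by padding.
CLEAN_BOOT_CODE = bytes.fromhex("33c08ed0bc007c8ec08ed8be007cbf0006b90002fcf3a4") + b"\x00" * 100
# A bootkit overwrites the start of the boot code with a jump into its own loader.
INFECTED_BOOT_CODE = bytes.fromhex("e9a50000") + CLEAN_BOOT_CODE[4:]

CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE)
INFECTED_MBR = build_sample_mbr(INFECTED_BOOT_CODE)
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE))
    print("infected:", check_mbr(INFECTED_MBR, BASELINE))
```

A baseline comparison is deliberately dumb: it does not need to know what the malicious code looks like, only that the sector changed. The trade-off is that any legitimate bootloader update also fires, so re-baseline after OS upgrades.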

3- Asprox

Asprox is a small botnet that has been used for password stealing, spam and phishing. Its attack is innovative in that it queries Google's search engine to locate web pages vulnerable to SQL injection.

When a weak page is found, Asprox injects an iframe pointing to a malicious redirect URL into the vulnerable website, so that every visitor is silently sent on to a site that serves malware.
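The injected frames are designed not to be seen: they are typically off-site, one pixel in size or styled invisible. The following checker is an added example, not code from the original post or from any Asprox analysis; it parses a constructed page with Python's standard-library HTML parser and flags iframes that are both off-site and hidden or 1x1, which keeps a legitimate visible video embed out of the results. The domains in the sample are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser lower-cases tag and attribute names
            self.iframes.append({k: (v or "") for k, v in attrs})


def _px(value):
    """Parse a width/height attribute as pixels; None if absent or not numeric."""
    try:
        return int(str(value).strip().lower().rstrip("px"))
    except ValueError:
        return None


def _is_tiny(attrs):
    w, h = _px(attrs.get("width")), _px(attrs.get("height"))
    return w is not None and h is not None and w <= 1 and h <= 1


def _is_hidden(attrs):
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def find_injected_iframes(html, site_host):
    """Return the src of every iframe that is off-site AND hidden or 1x1 pixel."""
    parser = IframeCollector()
    parser.feed(html)
    suspicious = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or site_host).lower()  # relative src stays on-site
        if host != site_host.lower() and (_is_tiny(attrs) or _is_hidden(attrs)):
            suspicious.append(src)
    return suspicious


# Constructed page: a legitimate visible embed, an on-site hidden frame, and an
# injected 1x1 hidden frame pointing at a hypothetical malware redirector.
SAMPLE_PAGE = """
<html><body>
<h1>Company news</h1>
<iframe src="https://video.example/embed/abc123" width="560" height="315"></iframe>
<iframe src="/ads/banner.html" style="display:none"></iframe>
<IFRAME SRC="http://malicious.example/in.cgi?3" WIDTH=1 HEIGHT=1 STYLE="visibility: hidden"></IFRAME>
</body></html>
"""

if __name__ == "__main__":
    print(find_injected_iframes(SAMPLE_PAGE, "www.victim.example"))
```

Run it over your own site's rendered pages (or over the text columns of the database the site reads from, since that is where the injection actually lands) and treat any hit as a sign the underlying SQL injection flaw still exists.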

4- ZeuS 2.0

The ZeuS botnet was still active in 2010. On July 14, 2010, the security firm Trusteer published a report stating that credit cards from more than 15 unnamed US banks had been compromised. A recent outbreak has been named Kneber.

On 1 October 2010, the FBI announced that it had discovered a major international cybercrime network which had used ZeuS to break into US computers and steal around $70m.

More than 90 suspected members of the ring were arrested in the US, and arrests were also made in the UK and Ukraine.

5- Trojan Proxies

This kind of malware turns a victim's computer into a proxy server, which lets the attacker route their activity through your machine, including credit card fraud and other illegal activities.

Usually the Trojan installs an e-mail proxy that is used to send large volumes of unsolicited e-mail (spam) over the victim's Internet connection. Anyone tracing the mail back to its origin finds the IP address of the infected system that relayed it, so the attacker's own identity stays concealed.

The infected system can also be used to launch attacks against other networks.
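A Trojan proxy shows up in network telemetry in two ways: an ordinary workstation suddenly talking SMTP to dozens of distinct mail servers, and the same workstation accepting connections from many outside clients on a port nobody published. The script below is an added example, not code from the original post, and runs over constructed flow records (source, destination, destination port) using documentation address ranges; it assumes 10.0.0.0/8 is the internal network and that genuine mail servers are allowlisted.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumed corporate range for the sample


def is_internal(addr):
    return ip_address(addr) in INTERNAL


def smtp_fanout(flows, threshold=20, allowlist=frozenset()):
    """Internal hosts talking SMTP to at least `threshold` distinct destinations.
    Legitimate mail servers are expected to do this and must be allowlisted."""
    dsts = defaultdict(set)
    for src, dst, dport in flows:
        if dport == 25 and is_internal(src) and src not in allowlist:
            dsts[src].add(dst)
    return {src: len(d) for src, d in dsts.items() if len(d) >= threshold}


def proxy_listeners(flows, threshold=10, service_ports=frozenset({25, 80, 443})):
    """Internal (host, port) pairs receiving connections from at least `threshold`
    distinct external clients on a port that is not a published service."""
    clients = defaultdict(set)
    for src, dst, dport in flows:
        if is_internal(dst) and not is_internal(src) and dport not in service_ports:
            clients[(dst, dport)].add(src)
    return {k: len(v) for k, v in clients.items() if len(v) >= threshold}


def build_sample_flows():
    """Constructed (src, dst, dst_port) records; all addresses are documentation ranges."""
    flows = []
    # infected workstation relaying spam to 40 distinct mail exchangers
    flows += [("10.0.0.23", f"203.0.113.{i}", 25) for i in range(1, 41)]
    # the organisation's real mail server, equally chatty but legitimate
    flows += [("10.0.0.5", f"198.51.100.{i}", 25) for i in range(1, 41)]
    # ordinary browsing from another workstation
    flows += [("10.0.0.40", "192.0.2.10", 443), ("10.0.0.40", "192.0.2.11", 80)]
    # 15 external clients using the infected workstation as a proxy on port 8085
    flows += [(f"192.0.2.{i}", "10.0.0.23", 8085) for i in range(50, 65)]
    return flows


if __name__ == "__main__":
    flows = build_sample_flows()
    print("spam relays:", smtp_fanout(flows, allowlist={"10.0.0.5"}))
    print("proxy listeners:", proxy_listeners(flows))
```

Note that Python's `ip_address(...).is_private` treats the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 documentation ranges as private, which is why the example tests membership in an explicit internal network instead. The simplest preventive control is the one most networks already have: block outbound port 25 from everything except the mail servers, and the relay is useless to the attacker.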

This is the list of 2010's top five most dangerous malware. I would like to wish our readers, fans, followers and subscribers around the globe a safe and prosperous New Year; may 2011 be full of joy and rewards.

Computer Clarity | Making Computers Clear For You

Weekly Report on Viruses and Intruders 1/22/10

This week’s PandaLabs report looks at a worm, a Trojan and a new fake antivirus.

TwittWorm.A is a worm that uses Twitter and Messenger to spread, sending a malicious message to all contacts of the infected user. These messages appeal to users' curiosity, with subjects such as "I just got a piercing and you'll never guess where! Take a look at the photo." or "You're going to be mad at me for sending you this photo, but you NEED to see it :3". The worm edits the registry so that the system cannot be restored or started in safe mode. It also makes a series of changes to the hosts file to prevent users from reaching certain web pages, particularly those of antivirus companies.

It also prevents certain programs for viewing active processes or monitoring network traffic from running. TwittWorm.A spreads through USB devices as well, creating an autorun.inf so that computers are infected automatically when the device is connected. To protect these devices, Panda Security has released Panda USB Vaccine, which can be downloaded free from: http://www.pandasecurity.com/homeusers/downloads/usbvaccine/
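The hosts-file tampering is easy to audit, because a clean hosts file maps almost nothing except loopback names. The script below is an added example (not from the original report or from Panda) that reads a constructed hosts file and reports two kinds of entry: public names sinkholed to 127.0.0.1 or 0.0.0.0, which is how a worm blocks antivirus update sites, and public names pinned to an outside address, which is how the same trick is used for pharming. The vendor domain `av-vendor.example`, `bank.example` and the internal `.corp.local` name are constructed; on Windows the file is `%SystemRoot%\System32\drivers\etc\hosts`.

```python
from ipaddress import ip_address, ip_network

LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}
PRIVATE_NETS = [ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
INTERNAL_SUFFIXES = (".local", ".localdomain", ".internal")


def _is_private(addr):
    return any(addr in net for net in PRIVATE_NETS)


def audit_hosts(text):
    """Return (name, address, verdict) for every suspicious hosts-file mapping."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split()
        try:
            addr = ip_address(parts[0])
        except ValueError:
            continue  # malformed line, not our concern here
        for name in parts[1:]:
            name = name.lower()
            if name in LOCAL_NAMES:
                continue
            if addr.is_loopback or addr.is_unspecified:
                # a real site sinkholed to the local machine: update/AV sites blocked
                findings.append((name, str(addr), "blocked"))
            elif "." in name and not name.endswith(INTERNAL_SUFFIXES) and not _is_private(addr):
                # a public name pinned to an outside address: pharming
                findings.append((name, str(addr), "redirected"))
    return findings


# Constructed sample hosts file; the last three lines are the kind a worm adds.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost
10.0.0.12       fileserver.corp.local
127.0.0.1       www.pandasecurity.com
0.0.0.0         liveupdate.av-vendor.example
203.0.113.9     www.bank.example
"""

if __name__ == "__main__":
    for name, addr, verdict in audit_hosts(SAMPLE_HOSTS):
        print(f"{verdict:10s} {name} -> {addr}")
```

Internal overrides to private addresses (the file-server line) are left alone, since administrators do legitimately add those; anything else in the file deserves a look.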

Sinowal.WTF is a keylogger Trojan designed to capture keystrokes with the aim of stealing passwords and other information from infected systems. This Trojan reaches computers through an e-mail that claims to have been sent by MySpace

(see image in Flickr:http://www.flickr.com/photos/panda_security/4293518692/).

The message warns victims of a change to their password and carries a .zip attachment that supposedly contains the new password. The extracted file has an Excel icon but is really an executable; when run, it infects the system and the icon disappears.
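An executable wearing a spreadsheet icon fools the eye, not the bytes: the file still starts with the PE `MZ` header and still ends in `.exe`, which Explorer hides when "known extensions" are suppressed. The checker below is an added example (not from the original report or from Panda) that opens a constructed zip attachment in memory and flags members that are executable, use a double extension such as `.xls.exe`, or whose leading bytes disagree with their extension. The file names inside the sample archive are made up.

```python
import io
import zipfile

# Leading bytes that identify common attachment formats.
MAGIC = [
    (b"MZ", "exe"),                                  # Windows PE executable
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),    # legacy Office (.xls/.doc)
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),                          # also .docx/.xlsx
]
EXT_KIND = {"exe": "exe", "scr": "exe", "pif": "exe", "com": "exe",
            "xls": "ole", "doc": "ole", "pdf": "pdf",
            "xlsx": "zip", "docx": "zip", "zip": "zip"}
SCRIPT_EXT = {"bat", "cmd", "vbs", "js", "wsf", "hta"}
DOCUMENT_KINDS = {"ole", "pdf", "zip"}


def sniff(data):
    """Classify content by its leading bytes."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def inspect_zip(zip_bytes):
    """Flag members that are executable, use a double extension, or whose
    content does not match their extension."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            name = info.filename
            pieces = name.rsplit("/", 1)[-1].lower().split(".")
            ext = pieces[-1] if len(pieces) > 1 else ""
            kind = sniff(z.read(name)[:16])
            if ext in SCRIPT_EXT or EXT_KIND.get(ext) == "exe" or kind == "exe":
                findings.append((name, "executable content"))
            if len(pieces) > 2 and EXT_KIND.get(pieces[-2]) in DOCUMENT_KINDS:
                findings.append((name, "double extension"))
            expected = EXT_KIND.get(ext)
            if expected and expected != kind:
                findings.append((name, f"extension .{ext} but content looks like {kind}"))
    return findings


def build_sample_attachment():
    """Constructed zip: a PE stub named like a spreadsheet, a genuine-looking
    legacy Excel header, and a PE stub hiding behind a .pdf name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("New_Password.xls.exe", b"MZ" + b"\x90" * 62)
        z.writestr("readme.xls", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56)
        z.writestr("invoice.pdf", b"MZ" + b"\x90" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in inspect_zip(build_sample_attachment()):
        print(f"{name}: {reason}")
```

The same checks belong on the mail gateway, where they can be applied before the user ever sees an icon.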

Finally, GhostAntivirus is a new strain of fake antivirus. As with other malware of this kind, it tries to fool users by displaying fake infections, remote connections and vulnerabilities that do not exist.

(see image in Flickr:http://www.flickr.com/photos/panda_security/4292776611/).

If users fall for the trap, they are taken to a screen that requests their credit card details to complete the purchase.

(see image in Flickr:http://www.flickr.com/photos/panda_security/4293518638/).

In this way, besides obtaining money for a service that will never be provided, the crooks also steal the users' credit card details.


Virus Yearbook 2009

As has become tradition, PandaLabs, the anti-malware laboratory of Panda Security (The Cloud Security Company), has published its 2009 Virus Yearbook, reviewing the malicious codes that have appeared over the last 12 months and examining those that stood out for one reason or another.
Rather than a ranking of the most widespread viruses, or those that have caused most infections, PandaLabs has selected those which, either for their use of social engineering or their visible effects on computers, stood out most last year. For this reason, some of the more well-known malicious codes (such as the Koobface virus) are absent from the list.

So here are the viruses we believe deserve a mention:

- The biggest headache. There can be no doubt that Conficker.C has been the most obnoxious virus over the last 12 months. It first appeared on December 31, 2008, and has spent the last year causing serious infections to companies and home users alike. The insidious and tenacious nature of this malicious code has earned it first place in our ranking.

- The Harry Potter of viruses. Although there is no reference to the world’s most popular fictional wizard, the on-screen messages Samal.A displays are all about magic. When it infects a computer, users will see the message “Ah ah you didn’t say the magic word” (see photo on Flickr), and the cursor then flickers waiting for users to enter a word. The truth is, it doesn’t matter what is entered, because after three attempts, the phrase “Samael has come. This the end” (see photo here), will be displayed and the computer is restarted.

- V for Vendetta. We still don’t know who is the real target of this vendetta, but DirDel.A wreaks vengeance on infected users, progressively replacing folders in different directories with copies of itself. The worm is carried in a file called Vendetta.exe with a typical Windows folder icon (see photo on Flickr).

- Plane nuisance. The Sinowal.VZR Trojan has infected thousands of computers under the guise of plane tickets supposedly purchased by the user (see photo on Flickr).

- The all-action virus. We are talking about Whizz.A. Once infected, computers start emitting a series of beeps, the mouse pointer moves uncontrollably around the screen, the CD/DVD tray opens and closes, and the screen is 'decorated' with a row of bars like those in the image.

- The snooper. Waledac.AX ensnares its victims by claiming to offer a free application for reading SMS messages on anyone’s cell phone. Ideal for those that want to check up on their partners. Perhaps that’s why so many users fell victim to this intelligent virus.

- The most affectionate. BckPatcher.C tops this category, as it changes the desktop wallpaper to an image reading "virus kiss 2009" (see photo on Flickr). What a charmer!

- A touch of the sniffles. We couldn't fail to mention here a couple of viruses, WinVNC.A and Sinowal.WRN, that used the widespread alarm surrounding swine flu to trick users and infect their systems.

- And the award for incompetent newcomer goes to… Ransom.K. This Trojan encrypts documents on infected computers and then demands a $100 ransom to release them. However, its creator, probably lacking experience, included a programming error that allows users to release the files with a simple key combination.

- The most deceitful. This year, the winner in this category is FakeWindows.A, which infects users by passing itself off as a license activation process for Windows XP.

- The party animal. Banbra.GMH arrives in an email promising photos of Brazilian parties (with dancing girls included)… Who could resist?


Weekly Report on Viruses and Intruders – 12/31/09

This week’s PandaLabs report deals with a worm and a backdoor Trojan.

The Faketube.A worm spreads via e-mail. The message includes a link to an erotic video; some of the subjects are: "Giga Video Movie Britney Spirs and 8 Beverage Andorran" and "Stimulating Image Britney Spirs and One Manifest South Korean". If users click the link, the browser opens a fraudulent website that mimics YouTube and asks them to update their Flash Player to view the video. If they accept, the worm is downloaded instead.

(see image in Flickr:http://www.flickr.com/photos/panda_security/4228670796/).

Zapchast.EX is a backdoor Trojan that spreads using a fake Christmas card. To view the card, users are asked to install a special version of Flash Player, which is really the Trojan. Once installed, Zapchast.EX connects to several IP addresses, awaiting commands and gathering user information.

(see image in Flickr:http://www.flickr.com/photos/panda_security/4228670850/).


It is Christmas time at Facebook, reports PandaLabs

Facebook is a favorite hunting ground for hackers. The vast pool of users offered by this popular social network, and the ease with which accounts can be hijacked, make it a highly attractive channel for spreading malware. Such is the case with the latest variant of a well-known worm, Koobface.GK. The bait is a Christmas greetings video hosted on a fake YouTube page. On playing the video, or clicking a link on the page, users download and install the worm.

When the worm is installed on a computer, the following image appears, and if users fail to enter the 'captcha' (Completely Automated Public Turing test to tell Computers and Humans Apart) it threatens to reboot the computer within three minutes. When the three minutes are up nothing happens, but the computer is rendered unusable. Every time the captcha text is entered, the worm registers a new domain on which the video will be hosted, so that it can continue to spread.

According to Luis Corrons, Technical Director of PandaLabs, “social networks have become one of the methods most frequently used by hackers to spread their creations, due to the false sense of security many users have regarding the content published on these networks. Users generally trust the messages and content they receive, and consequently hackers get a high level of response through these channels”.

Christmas: hackers’ favorite time of year

Internet users often send Christmas greetings to their family and friends over the Web. Infection figures are always high at this time of the year, as new viruses emerge that take advantage of this increased user activity.

Every Christmas we see new malware designed specifically for the festive season:

- MerryX.A appeared in 2005. It reached users' computers as a Christmas greetings e-mail with an attachment that was really a Trojan designed to capture keystrokes and steal information. It managed to infect over 50,000 Internet users in only a week.

- Zafi.D. Although this worm appeared in 2004, it is still distributed through e-mails that use Christmas greetings as bait. It opens a port on the infected computer without the user's knowledge and downloads another Trojan.

- The Navidad (Christmas in Spanish) malware family has numerous variants. These astute worms appeared in 2000. They are hard to detect because they arrive as a reply to an e-mail that the user previously sent to another (infected) recipient. The message includes the Navidad.exe file, which infects the computer when run.

Here are a few security tips from PandaLabs when using social networks:

1) Don't click suspicious links from untrusted sources. This applies to messages received through Facebook, through other social networks and even via e-mail.

2) If you do click a link, check the target page. If you don't recognize it, close your browser.

3) Even if nothing looks strange on the target page, do not accept any download it asks for.

4) If you do download or install an executable file and the PC starts to display messages, there is probably malware on your computer.

5) As a general rule, make sure your computer is well protected, so that you are not exposed to the risk of infection from any malicious code.
