The Top Five Most Dangerous Malware

1- STUXNET

STUXNET has been the hottest topic of this year because it is an unusual worm. It is the first time in history that malware has crossed from cyberspace directly into the physical environment: the worm not only damages code and data, it also destroys the actual machinery.

Reversing STUXNET allowed security professionals to discover four zero-day vulnerabilities in the Microsoft Windows operating system, and as a result proved that even industrial systems, which are usually isolated not only from public networks but also from the internal enterprise network, are not 100% safe.

The worm's drivers were signed with digital certificates belonging to JMicron Technology and Realtek, which lets it bypass HIPS security measures: if the malware is executed, HIPS will not block it, because the driver's signature comes from authorized firms.

The carnival of vulnerabilities exploited by this malware is the following:

1. Microsoft Security Bulletin MS10-046 – Critical

This first bulletin was issued to fix a vulnerability that allows local users or remote attackers to execute arbitrary code via a crafted .LNK or .PIF shortcut file that is not properly handled during icon display in Windows Explorer.

2. Microsoft Security Bulletin MS10-061

This is a remote code execution vulnerability in the Windows Print Spooler service that could allow a remote, unauthenticated attacker to execute arbitrary code on an affected Windows system. Systems with file and printer sharing turned on are vulnerable to the attack.

3. Microsoft Security Bulletin MS08-067

STUXNET is also capable of distributing itself over the network through shared folders. It scans the network shares C$ and ADMIN$ on remote computers, installs a file (the dropper) there under the name DEFRAG.TMP, and schedules a task to execute it the next day, exploiting this vulnerability.

4. Microsoft Security Bulletin MS10-073

This security bulletin fixes three publicly disclosed elevation of privilege (EoP) vulnerabilities in Windows kernel-mode drivers.
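The MS08-067 paragraph above gives a defender two concrete things to look for on a host: a file named DEFRAG.TMP sitting in the folders that the C$ and ADMIN$ shares expose, and a scheduled task that launches it. The script below is an added example (not code from the original post) that checks for both. It assumes Windows 8 / Server 2012 or later for the ScheduledTasks module and local administrator rights; the file name comes from the article, while the folder list and the task-matching rule are this example's own choices.

```powershell
# Added example, not code from the original post: look for the share-propagation
# artifacts the article attributes to Stuxnet's MS08-067 routine, namely a
# DEFRAG.TMP dropper in the folders behind C$ and ADMIN$ and a scheduled task
# that runs it. Assumptions: Windows 8 / Server 2012 or later (ScheduledTasks
# module), run as a local administrator. The dropper name is from the article;
# the paths and matching rule are this example's own choices.

function Find-StuxnetShareArtifacts {
    param(
        # Local folders behind the C$ and ADMIN$ administrative shares
        [string[]]$ShareRoots = @("$env:SystemDrive\", $env:SystemRoot),
        [string]$DropperName = 'DEFRAG.TMP'
    )

    $findings = @()

    # 1. Dropper file in the root of either share (NTFS names are case-insensitive).
    foreach ($root in $ShareRoots) {
        $candidate = Join-Path -Path $root -ChildPath $DropperName
        if (Test-Path -LiteralPath $candidate -PathType Leaf) {
            $item = Get-Item -LiteralPath $candidate
            $findings += [pscustomobject]@{
                Kind   = 'File'
                Where  = $item.FullName
                Detail = "size=$($item.Length) bytes, created=$($item.CreationTimeUtc.ToString('u'))"
            }
        }
    }

    # 2. Any scheduled task whose action command line names the dropper.
    #    -match is case-insensitive; the name is escaped so the dot is literal.
    foreach ($task in (Get-ScheduledTask)) {
        foreach ($action in $task.Actions) {
            $cmdline = "$($action.Execute) $($action.Arguments)".Trim()
            if ($cmdline -match [regex]::Escape($DropperName)) {
                $findings += [pscustomobject]@{
                    Kind   = 'ScheduledTask'
                    Where  = "$($task.TaskPath)$($task.TaskName)"
                    Detail = "state=$($task.State), runs: $cmdline"
                }
            }
        }
    }

    return $findings
}

$hits = Find-StuxnetShareArtifacts
if (-not $hits) {
    Write-Output 'No DEFRAG.TMP dropper or matching scheduled task found.'
} else {
    $hits | Format-Table -AutoSize
}
```

A hit on either check is worth a closer look rather than automatic cleanup: the file's creation time and the task's state tell you whether the scheduled execution has already happened, and the same checks are cheap to run across a fleet with `Invoke-Command`.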

2- TDL4

TDL4 is the latest version of a rootkit originally known as TDSS or Tidserv, which first appeared back in 2008. However, unlike its predecessors, TDL4 is able to bypass code-signing protection in 64-bit versions of Windows Vista and 7.

By default these systems do not allow drivers that are not digitally signed to be loaded, but TDL4 manages to get around that by changing boot options before the operating system actually starts.

TDSS is one of the most complex and dangerous categories of malicious program in the world, and it continues to evolve.

3- Asprox

Asprox is a small botnet that has been used for password stealing, spam, and phishing attacks. This botnet-based attack is innovative, as it interfaces with Google's search engine to locate vulnerable web pages.

When a weakness is found, Asprox injects an iframe-based redirect link into the vulnerable website in order to spread malware.

4- ZeuS 2.0

The ZEUS Botnet is still active in 2010. On July 14, 2010, security firm Trusteer filed a report which says that the credit cards of more than 15 unnamed US banks have been compromised. A recent outbreak is being called Kneber.

On 1 October 2010, the FBI announced it had discovered a major international cyber crime network which had used Zeus to hack into US computers and steal around $70m.

More than 90 suspected members of the ring were arrested in the US, and arrests were also made in UK and Ukraine.

5- Trojan Proxies

This kind of malware turns a victim's computer into a proxy server. This gives the attacker the opportunity to do anything from the victim's computer, including conducting credit card fraud and other illegal activities.

Usually such a Trojan installs an email proxy that is used to send large amounts of unsolicited email, i.e. spam, over the victim's Internet connection. Recipients tracing the email back to its origin will discover only the IP address of the infected system used as the proxy, which conceals the identity of the attacker.

It can also use the infected system to launch malicious attacks against other networks.

This is the list of 2010's Top 5 most dangerous malware. I would like to wish our readers, fans, followers and subscribers from around the globe a safe and prosperous New Year; may the year 2011 be full of joy and rewards.

Computer Clarity | Making Computers Clear For You

Five Million New Threats in Third Quarter of 2009 Result in Record-Breaking Quarter for Hackers, According to PandaLabs

Trojans (71 percent), adware (13 percent) and spyware (9 percent) have all increased, while traditional viruses and worms have all but disappeared, accounting for just 2 percent of the total.

Panda Security, the Cloud Security Company, today announced that PandaLabs, Panda Security’s laboratory for detecting and analyzing malware, released the findings from its third quarterly report of 2009 detailing cyber-threat activity and revealed that Trojans accounted for 71 percent of all new malware between July and September 2009.

The most significant finding from the third quarter is that hackers broke all records when it came to creating new threats. Over the past three months, PandaLabs recorded five million new strains of malware, most of which were banker Trojans, although adware and spyware also increased.

“We currently receive approximately 50,000 new samples of malware every day, compared to 37,000 just a few months ago. There is no reason to believe that the situation will improve in the coming months,” explains Luis Corrons, Technical Director of PandaLabs.

The number of computers infected has also increased 15 percent when compared to the previous quarter. In more than 37 percent of cases, the culprits were Trojans, and adware was responsible for 18.68 percent of all infections. This category in particular has been expanding primarily because of the widespread proliferation of fake antivirus programs or rogueware.

This third quarter report also notes the trends analyzed over the last quarter. PandaLabs has detected a major growth in the distribution of malware through spam, social networks and search engine optimization techniques, which draw users to spoof Web pages where malware is downloaded. These methods for propagating malware often use social engineering, exploiting a range of current issues such as swine flu, Independence Day, forest fires or Presidential speeches by Barack Obama.

A New Category of Malware Has Emerged

According to Panda Security and PandaLabs, the global leaders in computer security, “Rogueware consists of any kind of fake software solution that attempts to steal money from PC users by luring them into paying to remove nonexistent threats.”  They also point out the following facts:

  • Rogueware attacks generate approximately $34 million per month for cybercriminals
  • Each month rogueware infects approximately 35 million computers
  • Twitter, Facebook, MySpace, and Digg are used to spread rogueware
  • Eastern Europe is the source of the majority of cybercriminals
  • Rogueware is difficult to detect because it changes quickly

Because of these facts, your computer will encounter rogueware and your antivirus might not catch it. So, what does a rogueware attack look like? A window appears on your computer screen announcing the presence of viruses on your computer and offering to remove them if you pay $40-$90. If you don't, the program starts hiding various Windows controls and continues to warn you with popup windows until you do pay. Then it will wait a random period of time before doing it again. Once the rogueware is installed, it can be very difficult to remove, so it is best to catch and stop the installation attempt. Fortunately this is very easy.

Rogueware tries to look like an antivirus. You must know who your antivirus company is and not trust any other antivirus warning. When you see a warning, identify what program is issuing the warning. If it is not your antivirus software, then it is a rogue security officer trying to gain entry into your computer.

When this occurs on your computer you must close the window without following any of its instructions and without touching the window. Use the taskbar button below that represents the window: right-click it, then choose Close. This should close the window, but if it does not, press and hold the power button on your computer. You may lose any unsaved work, but that is better than removing the rogueware after the infection.
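The advice above hinges on one question: which program is actually showing the warning? The script below is an added example (not code from the original post) that answers it by listing every process that owns a visible window together with the publisher that signed its executable, so a pop-up can be matched against the antivirus vendor you know you installed. It assumes PowerShell 3.0 or later on Windows; `$TrustedPublishers` is a placeholder you fill in with the certificate name your own antivirus vendor signs with, and it goes beyond the article by reporting all windowed processes, not just the one with the warning.

```powershell
# Added example, not code from the original post: map each visible window to the
# process behind it and to the Authenticode publisher of that process's executable,
# so an "antivirus warning" window can be checked against the vendor you actually use.
# Assumptions: PowerShell 3.0+ on Windows. 'YOUR-AV-VENDOR' is a placeholder; replace
# it with the CN your antivirus vendor's code-signing certificate uses.

function Get-WindowOwners {
    param(
        [string[]]$TrustedPublishers = @('YOUR-AV-VENDOR')   # placeholder, not a real CN
    )

    # Only processes with a main window title are showing something on screen.
    foreach ($proc in (Get-Process | Where-Object { $_.MainWindowTitle })) {
        $path      = $proc.Path   # $null for protected/system processes we cannot inspect
        $status    = 'n/a'
        $publisher = 'unknown (executable path not readable)'

        if ($path) {
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $status = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
            if ($sig.SignerCertificate) {
                # Extract the CN from a subject like "CN=Vendor Name, O=Vendor, C=US"
                $cn = $sig.SignerCertificate.Subject -split ',\s*' |
                      Where-Object { $_ -like 'CN=*' } | Select-Object -First 1
                $publisher = $cn -replace '^CN=', ''
            } else {
                $publisher = 'unsigned'
            }
        }

        # "Trusted" only if the signature is intact AND the signer is on your list;
        # a valid signature from an unknown company is not enough on its own.
        $onList  = $TrustedPublishers | Where-Object { $publisher -like "*$_*" }
        $trusted = ($status -eq 'Valid') -and [bool]$onList

        [pscustomobject]@{
            PID       = $proc.Id
            Process   = $proc.ProcessName
            Window    = $proc.MainWindowTitle
            Signature = $status
            Publisher = $publisher
            Trusted   = [bool]$trusted
        }
    }
}

# Untrusted windows float to the top of the listing.
Get-WindowOwners | Sort-Object Trusted, Process | Format-Table -AutoSize
```

Run it while the suspicious window is on screen and look for its title in the `Window` column. If the owning process is not your antivirus, `Stop-Process -Id <PID>` ends it without ever clicking inside the window, which is the same outcome the article's taskbar method aims for; the listing also gives you the executable path to hand to your real antivirus vendor.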

Rogueware and other types of malware threats are extremely prolific on the internet. Antivirus companies are trying frantically to keep up with the threat, but only one is on top of it. Panda Security makes and distributes the best computer security solutions, and PandaLabs discovers the threats and writes the antivirus updates before the rest of the antivirus companies even know about them. Several teams, each specialized in a specific type of malware (viruses, worms, Trojans, spyware, phishing, spam, etc.), work 24/7 to provide global coverage. To achieve this, they also have the support of TruPrevent® Technologies, which act as a global early-warning system made up of strategically distributed sensors to neutralize new threats and send them to PandaLabs for in-depth analysis. According to AV-Test.org, PandaLabs is currently the fastest laboratory in the industry in providing complete updates to users. According to my own test, Panda Security Solutions are the best available.