Mar 16 2009

Today's Tip: Update to AntiSpyware XP2009

Last week I alerted you to a common trojan trap that is surfacing all over the web under a variety of names. AntiSpyware XP2009 is just one name. Rather than update the original post, I have decided to post this once again because of the EXTREME DANGER this type of threat poses.

A colleague of mine recently passed away. While searching for news about him, I navigated to a site where I was greeted by this pop-up window:


AV360 Pop Up


Pretty scary, huh? It gets better. It matters not how you exit the pop-up message: as soon as you do, a fake "scan" animation is displayed that makes it appear your system is being scanned. It is important to note that the script is NOT PERFORMING A SCAN. What you see is only an animated webpage made to resemble an actual scan. A full size screen capture of this scan animation is displayed here.
So how do we know the scan is a fake? Well, for starters, the fake animation displays only 2 Local Disk drives and a DVD-RAM drive. In reality, there are 9 Disk drives on my computer and one DVD-RW drive. Secondly, while "local disk" is the name Windows assigns Hard Disk Drives during installation, I rename all my drives to unique names. It's a neat little trick that can help you spot these fake screens. Renaming HDDs to a friendly name will be the subject of a future post. And lastly, we know this is a fake screen because the layout is based on a Windows XP Explorer window, while I'm actually using Windows 7 Beta on this computer.
Finally, take a close look at the final screen capture below:


AV360 Pop Up


Under no circumstances should you select the "OK" option to install. Clicking on the X or using the Alt-F4 keystroke combination just puts you in a repeated error message loop. Close the actual BROWSER window to cut this trojan off at the knees.
It's easy to be fooled by these tricks and a lot harder to clean up after, so surf smart. Don't panic when you see a pop up like this, but if you get taken in, call the St. George UT PC doctor for disaster cleanup.




Mar 11 2009

Today’s Tip: Security Updates from Microsoft

Microsoft released critical patches to its Windows 2000, Windows XP, and Windows Vista consumer platforms on Tuesday, March 10th. In addition, critical patches were released for Server platforms as well. If your system is not configured to automatically download and install updates, you should run Windows Update to ensure you have the latest security fixes. This is one of the most important things you can do to protect your system from malware.




Mar 06 2009

Today’s Tip: Beware “Antispyware XP2009”

Several acquaintances of mine have been stung in recent months by the rogue program “Antispyware XP2009”. This program relies on social engineering to dupe you into installing a malicious program that then extorts money from you.

Looks legitimate right? Here’s how it works. You visit a website, and without warning, an ominous message appears on screen alerting you that spyware or a virus has been detected on your machine with the instructions to “click now to clean”. Unwittingly falling victim to this ploy can be costly in more ways than one.

When you “click to clean”, this trojan installs Antispyware XP2009 on your system “for free”. After you perform their “free” scan, the software instructs you that you must purchase a license to remove the infected items it “finds”. Unfortunately the one infected or malicious item it never finds is itself. Paying the ransom, er, “license fee” does nothing except extort money from you. In addition, Antispyware XP2009 destroys legitimate program executable files, rendering popular programs such as Windows Media Player, Internet Explorer, Office applications and more, useless.

There are several copycat variants of this malware with similar names, so surf cautiously! Your best defense against this type of attack is your own common sense. Never “click here” to clean anything that is presented unsolicited on any website. Also make sure you have a robust security solution that detects rogue applications and viruses in real time. Of course, robust anti-virus and anti-spyware software is useless if threat definitions are not updated regularly, and that will be the subject of a future post! If you do fall victim to Antispyware XP 2009, contact the St. George PC Doctor to restore your computer’s health today.




Mar 04 2009

Top 9 Current Malware Threats

1. Win32/PSW.OnLineGames

This is a family of Trojans with keylogging and (sometimes) rootkit capabilities which
gather information relating to online games and credentials for participating.
Characteristically, the information is sent to a remote intruder’s PC.
What does this mean for the End User?
This represents a return to the top spot for this class of threat, which has been at number
one or number two (alternating with INF/Autorun) for many months now.
However, it’s also important that participants in MMORPGs (Massively Multi-player
Online Role Playing Games) like Lineage and World of Warcraft, as well as “metaverses”
like Second Life, continue to be aware of the range of other threats ranged against them.
We are not just referring here to harassment nuisances like griefing and pointless quasi-viral
attacks like grey goo, but phishing and other scams that can result in financial loss
in the real world.

2. INF/Autorun

This detection label is used to describe a variety of malware using the file autorun.inf as a
way of compromising a PC. This file contains information on programs meant to run
automatically when removable media (often USB flash drives and similar devices) are
accessed by a Windows PC user.
What does this mean for the End User?
Removable devices are useful and very popular: of course, malware authors are well
aware of this, as INF/Autorun’s persistent appearances at number one or number two in
these statistics clearly indicate. Here’s why popularity is sometimes a problem.
The default Autorun setting in Windows will automatically run a program listed in the
autorun.inf file when you access many kinds of removable media. There are many types of malware that copy themselves to removable storage devices: while this isn’t always
the program’s primary distribution mechanism, malware authors are always ready to
build in a little extra “value” by including an additional infection technique.
While use of this mechanism makes the malware easy to spot for a scanner that uses this
heuristic, it’s better to disable the Autorun function by default than to rely on antivirus to detect it in every case. Microsoft Security Advisory (967940) “Update for Windows Autorun”, published February 24, 2009, is a further attempt by Microsoft to address the issue
(http://www.microsoft.com/technet/security/advisory/967940.mspx): see also
http://support.microsoft.com/kb/967715.
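
As an added illustration (not part of the original post or of the advisories it cites), the sketch below reads an autorun.inf from removable media and lists the entries that would start a program, so a drive can be checked before it is trusted. The sample file contents and the function names are constructed for this example; open, shellexecute and shell\verb\command are standard autorun.inf keys.

```python
import os
import re

# Standard autorun.inf keys whose value is a command Windows may execute.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")

# Constructed sample: junk padding, mixed-case names, one harmless section.
SAMPLE = "\n".join([
    ";x9f2kq padding line",
    "[AutoRun]",
    "Open=setup.exe /quiet",
    "icon=drive.ico",
    r"shell\open\Command=setup.exe",
    "label=Backup Drive",
    "[Content]",
    "MusicFiles=false",
])


def launch_directives(text):
    """Return (key, command) pairs in [autorun] that would start a program."""
    findings, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue  # padding lines have no key=value form
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if value and (key in LAUNCH_KEYS or SHELL_COMMAND.match(key)):
            findings.append((key, value))
    return findings


def inspect_media(root):
    """Check the root folder of a mounted drive; file name case varies."""
    for name in os.listdir(root):
        if name.lower() == "autorun.inf":
            with open(os.path.join(root, name), "rb") as fh:
                data = fh.read()
            bom = data[:2] in (b"\xff\xfe", b"\xfe\xff")
            return launch_directives(data.decode("utf-16" if bom else "latin-1"))
    return []
```

An empty result means the file only sets cosmetic values such as icon or label; any returned pair names a program that Autorun would offer to start.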

3. Win32/Conficker.AA

Win32/Conficker.AA is a worm that spreads via shared folders and on removable media.
It connects to remote machines in an attempt to exploit the Server Service vulnerability.
What does this mean for the End User?
Make sure your anti-virus has effective detection for Conficker variants. It is important to ensure that your systems are updated with the Microsoft patch, which has been
available since the end of October, so as to avoid other threats using the same
vulnerability. Information on the vulnerability itself is available at
http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx.
Note that Conficker uses the autorun facility misused by members of the INF/Autorun
family.

4. Win32/Conficker.A

The Win32/Conficker threat is a network worm that propagates by exploiting a recent
vulnerability in the Windows operating system. The vulnerability is present in the RPC
subsystem and can be remotely exploited by an attacker. The attacker can perform his
attack without valid user credentials.
Win32/Conficker loads a DLL through the svchost process. This threat contacts web
servers with pre-computed domain names to download additional malicious
components.
What does this mean for the End User?
It is important for end users to ensure that their systems are updated with the Microsoft patch, which has been available since the end of October, so as to avoid other threats using the same vulnerability. Information on the vulnerability itself is available at http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx.
There is an exhaustive analysis available at http://mtc.sri.com/conficker.

5. Win32/TrojanDownloader.Swizzor.NBF

The Win32/TrojanDownloader.Swizzor malware family is commonly used to download
and install other malicious components on an infected computer. The Swizzor malware has been seen installing multiple adware components on infected hosts. Some variants of the Swizzor family will not execute on systems using the Russian language.
What does this mean for the End User?
There is often no clear distinction between out and out malware and other nuisances such as adware, and malware is frequently used to promote advertising. Whereas virus authors used to do what they did without commercial gain, whether from misguidance, mischief or malice, contemporary malware authors are more often driven by profit.

6. WMA/TrojanDownloader.GetCodec

Win32/GetCodec.A is a type of malware that modifies media files. This Trojan converts all
audio files found on a computer to the WMA format and adds a field to the header that
includes a URL pointing the user to a new codec, claiming that the codec has to be
downloaded so that the media file can be read. WMA/TrojanDownloader.GetCodec.Gen
is a downloader closely related to Wimad.N which facilitates infection by GetCodec
variants like Win32/GetCodec.A.
What does this mean for the End User?
Passing off a malicious file as a new video codec is a long-standing social engineering
technique exploited by many malware authors and distributors. The victim is tricked into
running malicious code he believes will do something useful or interesting. While there’s
no simple, universal test to indicate whether what appears to be a new codec is a
genuine enhancement or a Trojan horse of some sort, I would encourage you to be
cautious and skeptical about any unsolicited invitation to download a new utility. Even if
the utility seems to come from a trusted site, it pays to verify as best you can that it’s genuine.

7. Win32/Adware.TencentAd

The Win32/Adware.TencentAd threat family is used to display advertisements on
infected computers.
This Adware seems to be targeting computers in Asia and is often installed by drive-by
download attacks.
What does this mean for the End User?
The proportion of drive-by downloads to user-launched infections is probably
overestimated. Social engineering, by which the victim is tricked into executing
malware, is successful time and time again. By contrast, malware that relies on
vulnerabilities in the system to infect without the victim’s intervention tends to decline
in effectiveness as more potential victims learn to patch vulnerable systems, and the
number of exploitable vulnerabilities is finite. Good patch management (by individuals
as well as businesses) lessens the risk further.

8. Win32/Toolbar.MywebSearch

This is a Potentially Unwanted Application (PUA). In this case, it’s a toolbar which
includes a search function that directs searches through MyWebSearch.com.
What does this mean for the End User?
Anti-malware companies are sometimes reluctant to flag PUAs as out-and-out malware,
and PUA detection is often an option rather than a scanner default, because some
adware and spyware can be considered legitimate, especially if it mentions (even in the
small print of its EULA or End User Licensing Agreement) the behavior that makes it
potentially unwanted. It always pays to read the small print.

9. Win32/Adware.Virtumonde

This detection represents a family of Trojan applications used to deliver advertisements
to users’ PCs. Among other actions, Virtumonde may open multiple windows while
running, which contain unwanted advertising material, and it can be very difficult to
automate removal completely. Adware is still a big profit generator for malware
distributors.
What does this mean for the End User?
Virtumonde has become a particularly difficult problem for vendors and customers alike,
far more than its classification as “adware” might suggest.


