Not trying to scare anyone… well maybe just a little.


  • #592859

    Ken
    Participant

    Let’s talk for a minute about your computer.

    There are scary things going on in the computer world and traditional anti-virus vendors don’t seem to be keeping up. I keep having to clean trojans, malware, rootkits and password stealers off local computers that have up-to-date commercial brand name “Internet Security” packages.

    It seems that is not enough.

    Two of the most dangerous I have seen recently are koobface and autorun variants.

    Koobface uses social engineering via social networking sites. Here is a link to a paper explaining how it works and how those new to social networking sites are damn near guaranteed to get it through their own actions which often bypass their installed Anti-virus software and firewalls.

    http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/the_real_face_of_koobface_jul2009.pdf

    Another note: You MUST update your Adobe Reader software, since vulnerabilities in it have been targeted recently to install virus dropper and rootkit combinations via the Reader BHO (Browser Helper Object). The new versions of Reader include a “check for updates” link under the Help tab, and Firefox ver 3.5.x now checks to see if you have the latest version.

    To keep this short (for me) I will not go into how to clean up these at the moment but I may if there is interest.

    Autorun variants infect flash drives. A local community college is infested with one it seems since I have detected it on a new flash drive used only there one time.

    This article describes one of the early variants:

    http://www.sophos.com/pressoffice/news/articles/2007/05/usbstick.html

    This is a link to a list of 4000+ variants which use different names on different antivirus packages.

    http://threatinfo.trendmicro.com/vinfo/virusencyclo/default2.asp?m=q&virus=WORM_AUTORUN&alt=AUTORUN

    PS: Microsoft had a much trumpeted update last year which the wording made it seem that they turned off the autorun feature. What they actually did was patch xp so that you could edit the registry and actually turn off autorun the way you were supposed to. I have not yet found a free, easy to use tool to do that.

    Another note:

    Some of the antivirus packages that come with new computers are time limited free trials. McAfee is particularly bad at letting you know you’re no longer getting updates.

    Some AV brands’ users seem to keep turning it off, since the programs seem more interested in selling you the next version and making you confirm over and over that you want to go to a site or document than in giving you real useful information.

    Here are a few links to free tools that have proven useful to me.

    http://www.f-secure.com/en_EMEA/security/security-lab/tools-and-services/online-scanner/index.html

    http://secunia.com/vulnerability_scanning/online/

    http://free.avg.com/ww-en/homepage

    http://www.superantispyware.com/

    (look for free edition link)

    http://www.javacoolsoftware.com/spywareblaster.html

    http://www.safer-networking.org/en/home/index.html

    http://www.malwarebytes.org/

    Another note: fake antivirus, antispy and rogue registry cleaners are rampant on the internet. NEVER buy one that shows up with a popup. Here is one list of rogue programs that pretend to be the fix for your problem. The first is an older site, but it will give you some idea how widespread this is. Some of the same gangs and players in this game are still at it with dozens of different fake products that drop trojans, zombies and rootkits in the guise of cleaning up your spyware.

    http://spywarewarrior.com/rogue_anti-spyware.htm

    This month’s variations:

    http://rogueantispyware.blogspot.com/

    And the wikipedia entry:

    http://en.wikipedia.org/wiki/Rogue_security_software

    Another rogue uses the current twitter trends as bait:

    http://blog.purewire.com/bid/20446/Twitter-Trending-Topics-Used-to-Propagate-Rogue-AV

    And for more detailed info read this post:

    “So how did I get infected in the first place?”

    http://www.spywareinfoforum.com/index.php?showtopic=60955

    And go to windows update RIGHT NOW and make sure it is not quietly waiting for you to visit even though you have automatic updates turned on.

    Mac users, you’re not protected by your tiny user base anymore:

    http://www.h-online.com/security/news/item/First-rogue-anti-spyware-application-for-the-Mac-735819.html

    http://www.clamxav.com/

    Next time:

    Backups and backup devices: decide what is important to you and figure out how to keep it WHEN your hard drive crashes.
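    Since the post above talks about autorun worms on flash drives and the registry switch that turns autorun off, here is an added example (not code from the post, and not any vendor's tool) that does the defender-side triage: it reads an autorun.inf the way Windows would, flags every directive that would launch a program when the drive is inserted, and produces the .reg text for the well-known NoDriveTypeAutoRun policy value (0xFF disables autorun on all drive types). The autorun.inf it scans is a constructed sample in the style of the worm-dropped files, including the junk lines such files use to trip up strict INI parsers.

```python
"""Triage an autorun.inf from removable media and emit the disable-autorun policy.

Added example, not code from the forum post. The sample autorun.inf below is
constructed for this example; the registry key and value in nodrive_policy_reg()
are the standard Explorer policy that disables autorun.
"""
import re

# [autorun] directives that make Windows run something on insertion. Everything
# else (icon, label, action) only changes how the drive is presented to the user.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")
EXECUTABLE_SUFFIXES = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif")

# Constructed sample: launcher directives hidden behind an "open folder" action,
# plus a comment line and odd casing to confuse naive parsers.
SAMPLE_AUTORUN_INF = """\
[AutoRun]
;junk line that strict INI parsers choke on
open=RECYCLER\\S-1-5-21-1482476501\\payload.exe
shell\\open\\Command=RECYCLER\\S-1-5-21-1482476501\\payload.exe
shellexecute=payload.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
UseAutoPlay=1
"""


def parse_autorun(text):
    """Return (key, value) pairs from the [autorun] section, keys lower-cased.

    Comments, blank lines and lines without '=' are skipped rather than raising,
    because malicious files deliberately include malformed lines.
    """
    entries = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries.append((key.strip().lower(), value.strip()))
    return entries


def triage_autorun(text):
    """Describe what the file would do if autorun honoured it."""
    entries = parse_autorun(text)
    launchers = [
        {"directive": key, "target": value}
        for key, value in entries
        if key in LAUNCH_KEYS or SHELL_COMMAND_RE.match(key)
    ]
    # The classic social-engineering trick: the AutoPlay dialog shows an
    # "open folder" entry that actually runs the launcher target.
    action = next((v for k, v in entries if k == "action"), None)
    return {
        "launches_code": bool(launchers),
        "launchers": launchers,
        "masquerades_as_folder": bool(launchers) and action is not None
        and "folder" in action.lower(),
        "targets_executable": any(
            item["target"].lower().endswith(EXECUTABLE_SUFFIXES) for item in launchers
        ),
    }


def nodrive_policy_reg():
    """Return .reg file text that disables autorun for every drive type.

    NoDriveTypeAutoRun is a bitmask of drive types to exclude; 0xFF excludes
    all of them. The value sits under the Explorer policies key.
    """
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
        "\\Policies\\Explorer]\r\n"
        '"NoDriveTypeAutoRun"=dword:000000ff\r\n'
    )


if __name__ == "__main__":
    result = triage_autorun(SAMPLE_AUTORUN_INF)
    for item in result["launchers"]:
        print(f"{item['directive']} -> {item['target']}")
    print("verdict:", "suspicious" if result["launches_code"] else "benign")
    print(nodrive_policy_reg())
```

    Run it against the autorun.inf on a drive you are checking (read the file and pass its text to triage_autorun) and treat any launcher whose target is an executable as something to quarantine before the drive touches another machine. The .reg text is what the post's "edit the registry" step amounts to once the patch that makes Windows honour the setting is installed.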

    #681394

    lazybeard
    Participant

    An alternate to Adobe Acrobat Reader is Foxit Reader. It’s open source and not prone to security flaws like Adobe’s reader.

    Overall, great write up Ken!

    #681395

    WesCAddle
    Member

    Thanks Ken. Hey, what do you think about Microsoft’s new Security Essentials (free anti-virus)?

    http://www.microsoft.com/Security_Essentials/

    #681396

    pigeonmom
    Participant

    Another reason I’m switching to a Mac. I have had it with Microsoft. My PC died this past summer, and now the HP laptop I’ve been using is broken. ARGH!

    #681397

    Ken
    Participant

    pigeonmom: Can I have the laptop or dead pc for parts?

    :)

    Think of it as an organ donor, someone else’s computer might live due to your gift :)

    I can also recover your data in most cases.

    #681398

    Ken
    Participant

    WesCAddle:

    http://blogs.securiteam.com/index.php/archives/1324

    I have not tried it. I probably won’t. Researchers are not impressed.

    Excerpt from above:

    The first item on the list was rated severe. Apparently I had failed to notice six copies of the EICAR test file on my machine.

    Excuse me? The EICAR test file? A severe threat? Microsoft, you have got to be kidding. And the joke is not funny.

    The EICAR test file is a test file. If anyone doesn’t know what it is, read about it at EICAR, or at Wikipedia if you don’t trust EICAR. It’s harmless. Yes, a compatible scanner will report it, but only to show that your scanner is, in fact, working.

    It shouldn’t delete or quarantine all copies it finds on the machine.

    http://en.wikipedia.org/wiki/EICAR_test_file

    If MS promotes it and that makes people aware of the problem that is a “good thing” TM but those of us who have been dealing with the virus and basic security issue for years know damn well that 90% of viruses, spyware and malware are labeled “win32” because MS ignored repeated warnings from their own developers and security pros around the world, that they were creating a petri dish of potential abuse.

    Also note: the marketing fluff seems geared to the brain damaged users or third graders. Almost as bad as a Sony web tutorial.

    http://www.microsoft.com/Security_Essentials/
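    To make the excerpt's point concrete (the EICAR file is a harmless scanner self-test that should be reported as such, not as a severe threat), here is an added example, not code from the post or from any vendor's product, that recognises the EICAR test file the way the EICAR specification defines it: the 68-byte test string, optionally followed by whitespace, with the whole file no longer than 128 bytes. Anything else, including the string embedded inside a larger file, is not the test file. The sample files it scans are constructed for this example.

```python
"""Recognise the EICAR test file and report it at an informational severity.

Added example, not from the forum post or any scanner. Follows the EICAR
specification: exact 68-byte string, optional trailing whitespace, 128 bytes max.
"""
# The published test string; the backslash is doubled only for the bytes literal.
EICAR_SIGNATURE = (
    b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
)
MAX_EICAR_LEN = 128
# Whitespace the spec allows after the string: space, tab, CR, LF, CTRL-Z.
TRAILING_WHITESPACE = b" \t\r\n\x1a"


def classify_eicar(data):
    """Return 'eicar-test-file' if data is exactly the test file, else 'not-eicar'."""
    if not data.startswith(EICAR_SIGNATURE):
        return "not-eicar"
    if len(data) > MAX_EICAR_LEN:
        return "not-eicar"
    tail = data[len(EICAR_SIGNATURE):]
    # Any non-whitespace byte after the string means this is some other file
    # that merely contains the string, which the spec does not treat as EICAR.
    if tail.strip(TRAILING_WHITESPACE):
        return "not-eicar"
    return "eicar-test-file"


def scan(files):
    """files: dict of name -> bytes. Returns (name, severity, message) per file.

    The test file gets 'informational': it proves the scanner runs and is
    harmless, so it is reported but nothing is quarantined.
    """
    report = []
    for name, data in files.items():
        if classify_eicar(data) == "eicar-test-file":
            report.append((name, "informational",
                           "EICAR test file: scanner is working; file is harmless"))
        else:
            report.append((name, "none", "no EICAR match"))
    return report


# Constructed sample set: a bare test file, one saved with a Windows line
# ending, and a document that merely quotes the string.
SAMPLE_FILES = {
    "eicar.com": EICAR_SIGNATURE,
    "eicar.txt": EICAR_SIGNATURE + b"\r\n",
    "notes.txt": b"The EICAR string is: " + EICAR_SIGNATURE + b"\n",
}


if __name__ == "__main__":
    for name, severity, message in scan(SAMPLE_FILES):
        print(f"{name:10} {severity:14} {message}")
```

    The length and trailing-whitespace rules matter: an 'eicar.txt' saved by Notepad with a CRLF still counts, while a document that quotes the string does not, and neither case is a reason for a scanner to delete anything.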

    #681399

    miws
    Participant

    Thanks Ken!

    Mike

    #681400

    Kimberley
    Participant

    Hey Ken – I may have an old Sony Vaio laptop you can have, I need to check with the other half.

    #681401

    bluebird
    Member

    WesCAddle,

    It’s not true that security experts dislike MSE.

    “In AV Comparative’s most recent report on malware removal, MSE was the only free antivirus rated Advanced+. That ranking placed it alongside big names like Norton, Kaspersky, and F-Secure. Security Essentials also beat out technician favorite ESET, which managed only an Advanced rating”

    “Malware includes computer viruses, worms, trojan horses, most rootkits, spyware, dishonest adware, crimeware and other malicious and unwanted software.”

    http://www.av-comparatives.org/images/stories/test/removal/avc_removal_2009.pdf

    #681402

    Ken
    Participant

    The test you cite is a static test. Most tests of AV and security products are. I have used many of the products on that list and have never seen ANY of them clean a serious vundo infestation.

    Microsoft has never ever made a “version one” of a product that was not dangerously stupid or ill designed.

    There is always a first time though.

    I will start doing my own MSE testing on the boxes I have to fix since the real world stuff I have to fix is usually multiple infections of polymorphics aged to the point where they are fighting each other for control of the host file.

    If Microsoft can indeed fix some of what it has created that will be a tiny weight balancing against its karmic debts.

    #681403

    bluebird
    Member

    Ken, I’m glad you’ll be trying it. I’ll be curious to hear of your results.

    #681404

    WesCAddle
    Member

    Thanks for the feedback Ken and bluebird.

    I asked because my subscription to ESET just ran out and I also just installed Windows 7, so I wanted to try MSE before spending another $59 for one year on ESET.

    I’ll let you know how it goes. So far, it is very “dumbed down” so to speak. Not very many options or very configurable. I think you are right, it is designed for the lowest common denominator. (Sort of like a Mac). ;)

    #681405

    Ken
    Participant

    From the test bluebird linked, I was interested in the results for eScan. The web site makes it hard to figure out how much it is, but after putting it in the cart it told me a one year subscription was 29.95.

    I will probably try the non cleaning demo just as a detection tool if it is a small footprint on a tools cd.

    http://www.mwti.net/products/escan/escan_antivirus/escanantivirus.asp

    #681406

    Ken
    Participant

    I am sitting on my Win7 upgrades until more info is available on repair installs for non-OEM computers.

    Looks like Microsoft wants to make sure you disable your existing XP licenses by using the upgrade. This will make repairs pretty much impossible to do legally and make anyone who cannot keep up with their media and CD key over the years into a pirate.

    They can still go back to Newegg in their unopened packages. We shall see.

    http://www.winsupersite.com/win7/clean_install_upgrade_media.asp

    #681407

    bluebird
    Member

    It could all be bs, which is why I’m interested in Ken’s results, but the first review that got me interested, was the intentional unobtrusiveness. “Supposedly” it was designed to be minimal and out of sight on the consumer end, but full featured under the hood, so to speak.
