Archive for May, 2012

Should the home user be worried about the Flame virus?

May 31, 2012

I am sure many of you have heard about the new computer infection called Flame or Flamer in the papers and on television. There has been a lot of buzz about this virus, how it is the most sophisticated espionage weapon currently used in cyber warfare, and how it is a harbinger of what is to come. What you have not read, though, and what many people are concerned about, is whether this infection is something that you, the normal computer user, need to worry about. The simple answer is yes and no.

The immediate concern for most people after learning about a new super-infection is whether or not they are infected with it. I am going to go out on a limb here and say, NO, you are not infected with Flame. Although researchers are still analyzing the malware, it is fairly certain that this infection was created by a specialized organization, whether that be a nation state, criminal organization, or mercenary developers, and that it was targeted at specific computers, organizations, and governments in the Middle East. It does have the ability to spread itself over a local network and through removable media like USB drives, but it was most likely first installed at a particular location via a hacked computer or a specially planted thumb drive. What this means for you is that, unlike a normal computer worm that tries its best to spread all over the world via the Internet without a care for who is ultimately infected, the Flame virus appears to have spread only when told to by its creator. So don’t be concerned about this malware being present on your computer.

Countries infected by Flame

Picture from SecureList

Now let’s get to the reason why you should be worried about Flame. First, it is a very sophisticated infection that consists of numerous individual modules. It is also very large, weighing in at close to 20 Megabytes. To put this in perspective, malware typically has a file size of about 18 Kilobytes to 300 Kilobytes, which is over 1,000 to 70 times smaller than Flame. Its size and modular construction together make it difficult to analyze. What has been discovered, though, is that this malware is an incredible surveillance tool that has the ability to report back to the developers a tremendous amount of information. This includes the infected machine’s address book, installed programs, network activity, files, etc. One of the scarier abilities is that it can turn on external recording devices connected to the computer and record what is happening in the room.

As you can see this program was designed to be a spy tool that allows the attacker to gather information without being present. This is scary and is the true future for computer infections. The days of single virus writers doing it for laughs and their ego are over. Malware is now being created by organizations and developers in order to make big money, for corporate espionage, and government warfare. For these reasons, we need to stay worried and vigilant as we are only going to be up against more sophisticated and intelligent malware in the future.

Be smart, be careful, run an anti-virus program, and keep those operating system and program updates installed and your computer will be as secure as can be. […]


Google begins notifying users infected with DNS Changer

May 23, 2012

As the date set for the final shutdown of the infrastructure that keeps computers infected with the DNSChanger Trojan connected to the Internet is fast approaching, Google has decided to begin warning affected users who land on its search sites.
Google’s goal is to notify about half a million users whose computers and/or routers are infected by the malware, and to redirect them to pages where they can learn about the Trojan and how to remove it from their devices.

The warning has already begun appearing to infected users. It comes in different languages, and looks like this:

“Since the FBI and Estonian law enforcement arrested a group of people and transferred control of the rogue DNS servers to the Internet Systems Consortium in November 2011, various ISPs and other groups have attempted to alert victims,” Damian Menscher, a Google security engineer, explained.

“However, many of these campaigns have had limited success because they could not target the affected users, or did not appear in the user’s preferred language (only half the affected users speak English as their primary language). At the current disinfection rate hundreds of thousands of devices will still be infected when the court order expires on July 9th and the replacement DNS servers are shut down.”

Google is hoping that a warning from a trusted site such as Google and in the users’ native language might give better results. Still, Menscher says, the company does not give guarantees that their recommendations will always clean infected devices completely.

“Some users may need to seek additional help,” he concluded.
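The infection described above works by pointing a computer’s (or home router’s) DNS settings at resolvers the attackers controlled. The following script is an added example, not code from Google or from the original post: it parses resolv.conf-style nameserver entries and flags any resolver that falls inside a watchlist of address ranges. The watchlist here is constructed from RFC 5737 documentation addresses because the real rogue ranges are not given on this page; a defender would substitute the ranges published by law enforcement. The sample configuration is also constructed.

```python
import ipaddress

# Constructed watchlist of rogue resolver ranges (placeholders from RFC 5737
# documentation space; the real DNSChanger ranges are not on this page).
ROGUE_RESOLVER_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed sample of a client's resolver configuration after its DNS
# settings were rewritten. The second server is a clean one for contrast.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search example.internal
nameserver 192.0.2.53
nameserver 203.0.113.1
"""


def parse_nameservers(text):
    """Return the IP addresses of all 'nameserver' lines, ignoring comments
    and lines that do not carry a parseable address."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue  # malformed entry, skip rather than crash
    return servers


def flag_rogue(servers, ranges=ROGUE_RESOLVER_RANGES):
    """Return the string form of every resolver inside a watchlisted range.
    ip_address-in-ip_network comparisons across IPv4/IPv6 simply yield False."""
    return [str(s) for s in servers if any(s in net for net in ranges)]


def check_resolv_conf(text):
    """Summarise configured resolvers and which of them are watchlisted."""
    servers = parse_nameservers(text)
    return {
        "configured": [str(s) for s in servers],
        "flagged": flag_rogue(servers),
    }


if __name__ == "__main__":
    # Against a live system, read /etc/resolv.conf instead of the sample.
    result = check_resolv_conf(SAMPLE_RESOLV_CONF)
    for server in result["configured"]:
        status = "ROGUE" if server in result["flagged"] else "ok"
        print(f"{server}: {status}")
```

The same membership test applies to a router: the resolver addresses a home router hands out via DHCP can be fed to `flag_rogue` in the same way, which is why the notice above mentions routers as well as computers.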

Beware of fake Facebook account cancellation emails

May 23, 2012

Fake account cancellation emails are targeting Facebook users and trying to get them infected with information-stealing malware, warns Sophos.
The email looks pretty legitimate at first glance:

Both embedded links do point to a Facebook page, but it is the page of a third-party application running on the Facebook platform.

Users who follow them land there, but are immediately asked to allow a Java applet whose digital signature could not be verified. And even if they answer “No”, the window with the request continues to pop up and pester them.

If they finally agree and run the applet, another window pops up requiring them to download a supposed Adobe Flash update, which is actually the SpyEye Trojan in disguise.

“The social engineering being used by the tricksters behind this malware attack is pretty cunning,” Sophos points out. “They know that people value their Facebook accounts highly, and many would be upset to lose access to them and the digital connections they have built up with friends and family.”
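The lure above relies on links that look like they lead to Facebook itself but actually land on a third-party application hosted on the Facebook platform. The script below is an added example, not code from Sophos or from the original post: it extracts the anchors from a constructed copy of such an email and flags each link whose target host is not Facebook at all, whose target is a platform app rather than Facebook proper, or whose visible text names a different host than the one it really points to. Treating apps.facebook.com and paths under /apps/ as third-party application pages is an assumption made for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of the kind of lure described above: both links go to a
# Facebook host, but to a platform app page, and the first one shows a
# different address than it targets.
SAMPLE_EMAIL_HTML = """\
<p>Your account is scheduled for cancellation. To keep it, confirm now:</p>
<p><a href="https://apps.facebook.com/verify-account-now/">https://www.facebook.com/account/settings</a></p>
<p>Or use this link: <a href="https://apps.facebook.com/verify-account-now/">Cancel request</a></p>
"""

BRAND_DOMAIN = "facebook.com"


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable-domain approximation: the last two DNS labels."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess_link(href, text):
    """Return the list of reasons a link is suspicious (empty means clean)."""
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    reasons = []
    if registrable(host) != BRAND_DOMAIN:
        reasons.append("target host is not the brand's domain")
    elif host == "apps.facebook.com" or parsed.path.startswith("/apps/"):
        # Assumption for this example: platform app pages live here.
        reasons.append("target is a third-party app on the Facebook platform")
    # If the visible text itself looks like a URL or hostname, compare hosts.
    m = re.search(r"(?:https?://)?([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,})", text)
    if m and m.group(1).lower() != host:
        reasons.append("visible text names a different host than the target")
    return reasons


def suspicious_links(html):
    """Extract all links from an HTML email body and return the flagged ones."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, assess_link(href, text))
            for href, text in parser.links if assess_link(href, text)]


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL_HTML):
        print(href)
        for r in reasons:
            print("  -", r)
```

The host comparison is deliberately exact rather than by registrable domain: a link that shows www.facebook.com but resolves to apps.facebook.com is precisely the mismatch this lure depends on, and collapsing both to facebook.com would hide it.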

Beware of telephone scammers calling on behalf of Google

May 15, 2012

A new phone scam is underway in which people receive calls from callers who state that they are calling on behalf of Google. These callers state that they received your name and number from the Google database and that Google has detected that your computer is infected or has a problem. They further state that they work for Gooseberry Tech, which has a partnership with Google to offer a free remote troubleshooting evaluation of your computer. If you agree to this evaluation, they will have you download TeamViewer and will then use it to take remote control of your computer. They will then proceed to poke around your computer, look at Event Viewer, and check your programs. While doing this they will point out “serious” and “alarming” problems on your computer. When they are done scaring you, they go in for the kill by trying to sell you a one-time fix for $100 or a maintenance contract for $199.

This is not the first time phone scammers have pretended to be from large companies and offered free troubleshooting services. In the past, phone scammers were calling people and stating that they were from Microsoft and had detected that their computer had a problem. They would then offer to remotely fix the computer for a fee. Eventually Microsoft caught wind of this scam and warned about these scammers on their Windows blog.

FBI: Updates Over Public ‘Net Access = Bad Idea

May 10, 2012

The Federal Bureau of Investigation is advising travelers to avoid updating software while using hotel or other public Internet connections, warning that malicious actors are targeting travelers abroad through pop-up windows while they are establishing an Internet connection in their hotel rooms.

From the FBI’s advisory:

“Recently, there have been instances of travelers’ laptops being infected with malicious software while using hotel Internet connections. In these instances, the traveler was attempting to set up the hotel room Internet connection and was presented with a pop-up window notifying the user to update a widely used software product. If the user clicked to accept and install the update, malicious software was installed on the laptop. The pop-up window appeared to be offering a routine update to a legitimate software product for which updates are frequently available.”

The warning is a good opportunity to revisit some wireless safety tips I’ve doled out over the years. Avoid updating software while you’re using networks that are untrusted and public, whether they are wired or wireless. This generally means Wi-Fi networks like those available in hotels and coffee shops, and even wired connections at hotels. The only exception I make to this rule is when I have a device that is tethered to the 3G connection on a mobile phone. But even this can be dicey, because many laptops and mobile devices will switch over to available Wi-Fi networks in the event that the 3G signal dies.

There are a number of free attack tools that can be used to spoof software update prompts, and these are especially effective against users on small local networks. Bear in mind that false update prompts don’t have to involve pop-ups. EvilGrade is a toolkit that makes it simple for attackers to install malicious software by exploiting weaknesses in the auto-update feature of many popular software titles. The deviousness of this tool is that it can be used to hijack the legitimate updaters built into software already installed on your computer.

If you must update while on the road, make sure that you initiate the update process. Avoid clicking pop-up prompts or anything that looks like it was launched from an auto-updater. When in doubt, always update from the vendor’s Web site. Most importantly, Rule #1 for Staying Safe Online covers this nicely: “If you didn’t go looking for it, don’t install it!” Rule #2 for Staying Safe Online: “If you installed it, update it.” Rule #3 for Staying Safe Online: “If you no longer need it, remove it.” Also, using an update tracker, such as Secunia’s Personal Software Inspector or File Hippo’s Update Checker, can help you stay on top of the latest security patches for widely-used software, and make it easier for you to plan your software updates ahead of time.