<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>PC &#38; Network Support Services Limited &#187; malware</title>
	<atom:link href="http://pcnss.co.uk/category/malware/feed/" rel="self" type="application/rss+xml" />
	<link>http://pcnss.co.uk</link>
	<description>IT Support for Home &#38; Small Business - Castle Cary, Somerset. BA7</description>
	<lastBuildDate>Wed, 09 May 2012 09:45:21 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.2</generator>
		<item>
		<title>Rootkit infection requires Windows reinstall, says Microsoft</title>
		<link>http://pcnss.co.uk/rootkit-infection-requires-windows-reinstall-says-microsoft/</link>
		<comments>http://pcnss.co.uk/rootkit-infection-requires-windows-reinstall-says-microsoft/#comments</comments>
		<pubDate>Mon, 27 Jun 2011 23:13:07 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[malware]]></category>

		<guid isPermaLink="false">http://pcnss.co.uk/?p=734</guid>
		<description><![CDATA[New malware hides in the PC&#8217;s Master Boot Record, fools cleaning attempts Microsoft is telling Windows users that they&#8217;ll have to reinstall the operating system if they get infected with a new rootkit that hides in the machine&#8217;s boot sector. &#8230; <a href="http://pcnss.co.uk/rootkit-infection-requires-windows-reinstall-says-microsoft/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p><strong>New malware hides in the PC&#8217;s Master Boot Record, fools cleaning attempts</strong></p>
<p>Microsoft is telling Windows users that they&#8217;ll have to reinstall the operating system if they get infected with a new rootkit that hides in the machine&#8217;s boot sector.</p>
<p>A new variant of a Trojan Microsoft calls &#8220;Popureb&#8221; digs so deeply into the system that the only way to eradicate it is to return Windows to its out-of-the-box configuration, Chun Feng, an engineer with the Microsoft Malware Protection Center (MMPC), said last week on the group&#8217;s blog.</p>
<p>&#8220;If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state,&#8221; said Feng.</p>
<p>A recovery disc returns Windows to its factory settings.</p>
<p>Malware like Popureb overwrites the hard drive&#8217;s master boot record (MBR), the first sector &#8212; sector 0 &#8212; where code is stored to bootstrap the operating system after the computer&#8217;s BIOS does its start-up checks. Because it hides on the MBR, the rootkit is effectively invisible to both the operating system and security software.</p>
<p>According to Feng, Popureb detects write operations aimed at the MBR &#8212; operations designed to scrub the MBR or other disk sectors containing attack code &#8212; and then swaps out the write operation with a read operation.</p>
<p>Although the operation will seem to succeed, the new data is not actually written to the disk. In other words, the cleaning process will have failed.</p>
<p>Feng provided links to MBR-fixing instructions for XP, Vista and Windows 7.</p>
<p>Rootkits are often planted by attackers to hide follow-on malware, such as banking password-stealing Trojans. They&#8217;re not a new phenomenon on Windows.</p>
<p>In early 2010, for example, Microsoft contended with a rootkit dubbed &#8220;Alureon&#8221; that infected Windows XP systems and crippled machines after a Microsoft security update.</p>
<p>At the time, Microsoft&#8217;s advice was similar to what Feng is now offering for Popureb.</p>
<p>&#8220;If customers cannot confirm removal of the Alureon rootkit using their chosen anti-virus/anti-malware software, the most secure recommendation is for the owner of the system to back up important files and completely restore the system from a cleanly formatted disk,&#8221; said Mike Reavey, director of the Microsoft Security Response Center (MSRC), in February 2010.</p>
<p>Since then, Microsoft has added a check for the Alureon rootkit to all security updates so that when the malware is detected, the updates are not installed.</p>
<p><a rel="nofollow" title="Rootkit infection requires Windows reinstall says Microsoft" href="http://www.computerworld.com/s/article/9217953/Rootkit_infection_requires_Windows_reinstall_says_Microsoft?taxonomyId=17" target="_blank">Original article by Gregg Keizer from Computerworld.</a></p>
]]></content:encoded>
			<wfw:commentRss>http://pcnss.co.uk/rootkit-infection-requires-windows-reinstall-says-microsoft/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How does your anti-virus measure up?</title>
		<link>http://pcnss.co.uk/how-does-your-anti-virus-measure-up/</link>
		<comments>http://pcnss.co.uk/how-does-your-anti-virus-measure-up/#comments</comments>
		<pubDate>Thu, 17 Feb 2011 21:34:26 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[malware]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://pcnss.co.uk/?p=674</guid>
		<description><![CDATA[I recently received the Virus Bulletin Reactive And Proactive (RAP) test results and thought I&#8217;d share them with you. Virus Bulletin measures antivirus products&#8217; reactive and proactive detection abilities against the most recent malware that has emerged around the world. &#8230; <a href="http://pcnss.co.uk/how-does-your-anti-virus-measure-up/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>I recently received the Virus Bulletin Reactive And Proactive (RAP) test results and thought I&#8217;d share them with you.</p>
<p>Virus Bulletin measures antivirus products&#8217; reactive and proactive detection abilities against the most recent malware that has emerged around the world.</p>
<p>The following chart shows the RAP results obtained over the last four tests, with average reactive scores plotted against average proactive scores for each product. (Detection figures from any test during which a product generated false positives are omitted from that product&#8217;s average calculations.) This chart is updated on a bimonthly basis (click to view larger image).<br />
<a href="http://pcnss.co.uk/wp-content/uploads/RAPFeb11.jpg" target="_blank"><img class="size-medium wp-image-675 alignnone" style="margin: 10px;" title="Virus Bulletin RAP Results - February 2011" src="http://pcnss.co.uk/wp-content/uploads/RAPFeb11-300x268.jpg" alt="Virus Bulletin RAP Results - February 2011" width="300" height="268" /></a></p>
<p>The test measures products&#8217; detection rates across four distinct sets of malware samples. The first three test sets comprise malware first seen in each of the three weeks prior to product submission. These measure how quickly product developers and labs react to the steady flood of new malware emerging every day across the world. A fourth test set consists of malware samples first seen in the week after product submission. This test set is used to gauge products&#8217; ability to detect new and unknown samples proactively, using heuristic and generic techniques.<br />
A full description of the RAP testing methodology and explanation of how to interpret the results graphs can be read here:</p>
<p><a rel="nofollow" title="Virus Bulletin RAP Testing" href="http://www.virusbtn.com/vb100/vb200902-RAP-tests" target="_blank">VB RAP Testing</a></p>
<p>Take a look at the chart above and see how your anti-virus solution of choice compares to other products available today.</p>
<p>I hope the results are not too surprising!!</p>
]]></content:encoded>
			<wfw:commentRss>http://pcnss.co.uk/how-does-your-anti-virus-measure-up/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Fake AVG Anti-virus &#8211; avg.exe</title>
		<link>http://pcnss.co.uk/fake-avg-anti-virus-avg-exe/</link>
		<comments>http://pcnss.co.uk/fake-avg-anti-virus-avg-exe/#comments</comments>
		<pubDate>Wed, 02 Feb 2011 23:28:43 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[malware]]></category>

		<guid isPermaLink="false">http://pcnss.co.uk/?p=663</guid>
		<description><![CDATA[It came to my attention today that there is a fake AVG Anti-virus (avg.exe) floating around on the internet. AVG can now add itself to the list of anti-virus programs which are a victim of their own success as malware &#8230; <a href="http://pcnss.co.uk/fake-avg-anti-virus-avg-exe/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>It came to my attention today that there is a fake AVG Anti-virus (avg.exe) floating around on the internet. AVG can now add itself to the list of anti-virus programs which are victims of their own success, as malware writers now consider it widespread enough to be worthy of imitation.</p>
<p><strong>How to tell Fake AVG Anti-virus (avg.exe) from the real AVG Anti-virus</strong></p>
<p>If you look at the two screenshots below, you can see that there are a few differences between the fake and the genuine AVG Anti-virus.</p>
<p><a href="http://pcnss.co.uk/wp-content/uploads/avg-anti-virus-fake.jpg" target="_blank"><img class="alignnone size-medium wp-image-664" title="Fake AVG Anti-virus" src="http://pcnss.co.uk/wp-content/uploads/avg-anti-virus-fake-300x210.jpg" alt="Fake AVG Anti-virus" width="300" height="210" /></a></p>
<p><a href="http://pcnss.co.uk/wp-content/uploads/real_avg.jpg" target="_blank"><img class="alignnone size-medium wp-image-665" title="Genuine AVG Anti-virus" src="http://pcnss.co.uk/wp-content/uploads/real_avg-300x179.jpg" alt="Genuine AVG Anti-virus" width="300" height="179" /></a></p>
<p>You don&#8217;t have to look too closely to see the following differences:</p>
<p>1) The colour scheme on the fake AVG is light blue whereas with the real AVG the colour scheme is much darker.</p>
<p>2) With the fake AVG Anti-Virus there&#8217;s no &#8220;File Components History Tools Help&#8221; menu bar.</p>
<p>3) The menu on the left hand side of the program is laid out differently.</p>
<p>4) The information at the bottom of the left hand side menu is laid out differently.</p>
<p>5) If you open Task Manager there will be a process running called avg.exe &#8211; this is the fake anti-virus program. With the genuine version of AVG Anti-virus there is no program or process called avg.exe (see screenshot below from Windows XP Task Manager).</p>
<p><a href="http://pcnss.co.uk/wp-content/uploads/task_manager.jpg" target="_blank"><img class="alignnone size-medium wp-image-666" title="Windows XP Task Manager" src="http://pcnss.co.uk/wp-content/uploads/task_manager-271x300.jpg" alt="Windows XP Task Manager" width="271" height="300" /></a></p>
<p><strong>Fake AVG Anti-virus (avg.exe) Malware Removal</strong></p>
<p>If you have determined that the Fake AVG Anti-virus (avg.exe) is installed on your computer then you need to remove it as soon as possible. According to some reports the Fake AVG Anti-virus is also bundled with spyware which will track the websites visited. Because avg.exe appears to block downloads from anti-virus sites and prevents the installation of anti-virus and anti-malware programs, here are the steps I used to remove the infection and the changes it made to the computer.</p>
<p>1) On another computer download <a rel="nofollow" title="MalwareBytes Anti-Malware" href="http://filehippo.com/download_malwarebytes_anti_malware/" target="_blank">MalwareBytes Anti-Malware from Filehippo</a> and copy it to a USB memory stick.</p>
<p>2) Reboot your computer into Safe Mode. To do this, turn your computer off and then back on and start tapping the F8 key on your keyboard. Eventually you will be brought to a menu similar to the one below:</p>
<p><a href="http://pcnss.co.uk/wp-content/uploads/safe-mode.gif" target="_blank"><img class="alignnone size-medium wp-image-667" title="Windows XP Safe Mode Menu" src="http://pcnss.co.uk/wp-content/uploads/safe-mode-300x157.gif" alt="Windows XP Safe Mode Menu" width="300" height="157" /></a></p>
<p>Use the arrow keys on your keyboard, select Safe Mode and press Enter on your keyboard.</p>
<p>Windows will now boot into Safe Mode and prompt you to log in. Log in with your usual username and password.</p>
<p>3) Install MalwareBytes Anti-Malware from the USB stick.</p>
<p>4) Run the program using the &#8220;Perform Full Scan&#8221; setting &#8211; this will remove SOME of the files and registry entries created by avg.exe.</p>
<p>5) Restart the computer normally and log in with your usual username and password.</p>
<p>6) Run MalwareBytes Anti-Malware again. Use the &#8220;Perform Full Scan&#8221; setting again &#8211; this will remove any remaining files and registry entries.</p>
<p>7) Perform a Full System Scan or Whole Computer Scan with your anti-virus program. If you don&#8217;t have any anti-virus installed then you can download <a rel="nofollow" title="Download AVG Free 2011" href="http://filehippo.com/download_avg_antivirus_32/" target="_blank">AVG Free Edition from Filehippo.com</a>.<br />
Once you have scanned your computer in Safe and Normal Mode followed by a full scan with your anti-virus then the AVG Fake Anti-Virus (avg.exe) should have been completely removed from your system.</p>
<p>More technical details regarding Fake AVG Anti-virus (avg.exe) can be found at Bleeping Computer by clicking the link below:</p>
<p><a rel="nofollow" title="Remove AVG Anti-virus 2011" href="http://www.bleepingcomputer.com/virus-removal/remove-avg-antivirus-2011" target="_blank">Remove AVG Anti-virus 2011 (avg.exe)</a></p>
]]></content:encoded>
			<wfw:commentRss>http://pcnss.co.uk/fake-avg-anti-virus-avg-exe/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Ohh … is that fake anti-virus?</title>
		<link>http://pcnss.co.uk/ohh-is-that-fake-anti-virus/</link>
		<comments>http://pcnss.co.uk/ohh-is-that-fake-anti-virus/#comments</comments>
		<pubDate>Fri, 10 Dec 2010 13:28:24 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[malware]]></category>

		<guid isPermaLink="false">http://pcnss.co.uk/?p=576</guid>
		<description><![CDATA[Whilst browsing the World Wide Web today I had an interesting web page pop-up which I thought I would share with you. At the time I was using my Ubuntu Linux machine and searching for some trivial thing in Google. &#8230; <a href="http://pcnss.co.uk/ohh-is-that-fake-anti-virus/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Whilst browsing the World Wide Web today I had an interesting web page pop-up which I thought I would share with you.</p>
<p>At the time I was using my Ubuntu Linux machine and searching for some trivial thing in Google. The search results were displayed and I clicked on one of the links. Harmless enough you would think but after a few seconds I noticed that my web browser was being redirected to an unknown website!! Once the page had loaded this is what was displayed.</p>
<p><a href="http://pcnss.co.uk/wp-content/uploads/Screenshot-1.png"><img class="size-full wp-image-577 alignnone" title="Fake Anti-virus Security Analysis" src="http://pcnss.co.uk/wp-content/uploads/Screenshot-1.png" alt="Security Analysis" width="765" height="585" /></a></p>
<p>Hmm &#8230; looks like this piece of software is checking my C: drive for malware!! I think you would agree that it looks like a genuine Windows program. It has the look of Windows XP with the blue area down the left, documents folders, Hard Drive C and Windows Security icons. Anyway, I let it run and as you can see it discovered a number of viruses. After a few seconds the following dialog box popped up over the results above.</p>
<p><a href="http://pcnss.co.uk/wp-content/uploads/Screenshot-2.png"><img class="size-full wp-image-579 alignnone" title="Windows Security Alert" src="http://pcnss.co.uk/wp-content/uploads/Screenshot-2.png" alt="Windows Security Alert" width="443" height="355" /></a></p>
<p>OMG &#8230; look at all those viruses!!</p>
<p>After a few more seconds another dialog box popped up offering me some software which would remove all of these infections &#8211; Oh joy of joys!!</p>
<p><a href="http://pcnss.co.uk/wp-content/uploads/Screenshot-3.png"><img class="size-full wp-image-580 alignnone" title="Fake Anti-virus Removal Tool" src="http://pcnss.co.uk/wp-content/uploads/Screenshot-3.png" alt="Fake Anti-virus Removal Tool" width="467" height="341" /></a></p>
<p>All very convincing as you can see but beware &#8230; none of this is real!!</p>
<p>As I said earlier I was using Ubuntu Linux at the time which doesn&#8217;t have a C drive, My Documents or a Windows Security Center! It doesn&#8217;t have a Windows anything!</p>
<p>The items above are an example of Fake Anti-virus which will trick you into thinking your machine is infected, ask you to download the program to fix it, could disable your existing anti-virus then install more viruses and maybe even charge you for the pleasure!</p>
<p>A 2010 study by Google found 11,000 domains hosting fake anti-virus software, accounting for 50% of all malware delivered via the internet, and this type of attack is on the increase.</p>
<p>Wikipedia has a page which describes Rogue Security Software. Click on the link below:</p>
<p><a title="Wikipedia &gt; Rogue Security Software" href="http://en.wikipedia.org/wiki/Rogue_security_software" target="_blank">Wikipedia &gt; Rogue Security Software</a></p>
]]></content:encoded>
			<wfw:commentRss>http://pcnss.co.uk/ohh-is-that-fake-anti-virus/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Get AVG Internet Security 9.0 for Free</title>
		<link>http://pcnss.co.uk/get-avg-internet-security-90-for-free/</link>
		<comments>http://pcnss.co.uk/get-avg-internet-security-90-for-free/#comments</comments>
		<pubDate>Fri, 16 Jul 2010 10:25:54 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[malware]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://pcnss.co.uk/?p=446</guid>
		<description><![CDATA[Complete protection for everything you do We know when you go online you want to be able to surf, search, download, bank, and shop safely. With AVG Internet Security, AVG&#8217;s most advanced protection, you get a worry-free online experience every &#8230; <a href="http://pcnss.co.uk/get-avg-internet-security-90-for-free/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Complete protection for everything you do</p>
<p>We know when you go online you want to be able to surf, search, download, bank, and shop safely. With AVG Internet Security, AVG&#8217;s most advanced protection, you get a worry-free online experience every time. AVG Internet Security’s multiple layers of protection mean you don’t have to worry about identity theft, spam or viruses and it even prevents you from accidentally visiting harmful sites.</p>
<p>It’s faster, smarter security that won’t slow your computer down.</p>
<p>Safely bank and shop online without fear of identity theft thanks to AVG’s new Identity Protection technology.</p>
<p>Surf and search with confidence, with LinkScanner® checking web pages at the only time that matters – right before you click that link.</p>
<div id="attachment_447" class="wp-caption aligncenter" style="width: 155px"><a href="http://pcnss.co.uk/recommends/avgis/"><img class="size-full wp-image-447" title="Get AVG Internet Security for Free" src="http://pcnss.co.uk/wp-content/uploads/get_it_free.gif" alt="Get AVG Internet Security for Free" width="145" height="65" /></a><p class="wp-caption-text">Get AVG Internet Security for Free</p></div>
]]></content:encoded>
			<wfw:commentRss>http://pcnss.co.uk/get-avg-internet-security-90-for-free/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Dangerous Microsoft DirectX vulnerability under attack</title>
		<link>http://pcnss.co.uk/dangerous-microsoft-directx-vulnerability-under-attack/</link>
		<comments>http://pcnss.co.uk/dangerous-microsoft-directx-vulnerability-under-attack/#comments</comments>
		<pubDate>Fri, 29 May 2009 13:54:13 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[malware]]></category>
		<category><![CDATA[microsoft]]></category>
		<category><![CDATA[windows]]></category>

		<guid isPermaLink="false">http://pcnss.co.uk/?p=424</guid>
		<description><![CDATA[Microsoft today warned that hackers are using rigged QuickTime media files to exploit an unpatched vulnerability in DirectShow, the APIs used by Windows programs for multimedia support. The company has activated its security response process to deal with the zero-day &#8230; <a href="http://pcnss.co.uk/dangerous-microsoft-directx-vulnerability-under-attack/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Microsoft today warned that hackers are using rigged QuickTime media files to exploit an unpatched vulnerability in DirectShow, the APIs used by Windows programs for multimedia support.</p>
<p>The company has activated its security response process to deal with the zero-day attacks and has issued a pre-patch advisory with workarounds and a one-click “fix it” feature to enable the mitigations.</p>
<p>From the <a href="http://www.microsoft.com/technet/security/advisory/971778.mspx" target="_blank">advisory</a>:</p>
<p>Microsoft is aware of limited, active attacks that use this exploit code. While our investigation is ongoing, our investigation so far has shown that Windows 2000 Service Pack 4, Windows XP, and Windows Server 2003 are vulnerable; all versions of Windows Vista and Windows Server 2008 are not vulnerable.</p>
<p>An entry on the MSRC blog provides <a href="http://blogs.technet.com/msrc/archive/2009/05/28/microsoft-security-advisory-971778-vulnerability-in-microsoft-directshow-released.aspx" target="_blank">more details</a>:</p>
<p>The vulnerability is in the QuickTime parser in Microsoft DirectShow. An attacker would try and exploit the vulnerability by crafting a specially formed video file and then posting it on a website or sending it as an attachment in e-mail. While this isn’t a browser vulnerability, because the vulnerability is in DirectShow, a browser-based vector is potentially accessible through any browser using media plug-ins that use DirectShow. Also, we’ve verified that it is possible to direct calls to DirectShow specifically, even if Apple’s QuickTime (which is not vulnerable) is installed.</p>
<p>Interestingly, the vulnerable component was removed from Windows Vista and later operating systems but is still available for use in the Microsoft Windows 2000, Windows XP, and Windows Server 2003 operating systems.</p>
<p>Vulnerable Windows users should immediately consider disabling QuickTime parsing to thwart attackers. This <a href="http://support.microsoft.com/kb/971778" target="_blank">KB article provides a fix-it button</a> that automatically enables the workaround.</p>
]]></content:encoded>
			<wfw:commentRss>http://pcnss.co.uk/dangerous-microsoft-directx-vulnerability-under-attack/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Beware of Online Drive-by Download Attacks</title>
		<link>http://pcnss.co.uk/beware-of-online-drive-by-download-attacks/</link>
		<comments>http://pcnss.co.uk/beware-of-online-drive-by-download-attacks/#comments</comments>
		<pubDate>Fri, 29 May 2009 08:39:48 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[malware]]></category>

		<guid isPermaLink="false">http://pcnss.co.uk/?p=422</guid>
		<description><![CDATA[Drive-by download attacks are the latest threat to plague web users. The term is used to describe malware and virus infections whereby your PC is infected simply by visiting a malicious webpage, without you actually having to click on any &#8230; <a href="http://pcnss.co.uk/beware-of-online-drive-by-download-attacks/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Drive-by download attacks are the latest threat to plague web users. The term is used to describe malware and virus infections whereby your PC is infected simply by visiting a malicious webpage, without you actually having to click on any links in order to initiate the infection &#8211; the malicious site will download infected files to your PC without you even noticing. It is now becoming clear that even legitimate websites can be infected with drive-by download attacks through an exploit called cross-site scripting. So even if you believe the website you are visiting is unlikely to be harboring viruses and belongs to a reputable organization, it could still infect your PC.</p>
<p>One of the most prolific cross-site scripting exploits, called JSRedir-R, accounts for nearly half of all infected websites. It works by using hidden JavaScript code that tries to exploit weaknesses in your web browser to infect your PC. Turning off JavaScript in your browser will thwart the attack, but will also mean a great many sites that rely on JavaScript no longer work.</p>
<p>To keep yourself safe, we recommend that you keep your anti-virus software up to date, and upgrade your web browser to Internet Explorer 8, which includes new security features to protect against cross-site scripting exploits. </p>
<p>You can download IE8 here >>>></p>
<p><a href="http://www.microsoft.com/windows/Internet-explorer/worldwide-sites.aspx">Internet Explorer 8</a></p>
<p>You could also install an alternative web browser such as Firefox which you can download here >>></p>
<p><a href="http://www.mozilla-europe.org/en/firefox/">Firefox Web Browser</a></p>
]]></content:encoded>
			<wfw:commentRss>http://pcnss.co.uk/beware-of-online-drive-by-download-attacks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Clock ticking on worm attack code</title>
		<link>http://pcnss.co.uk/clock-ticking-on-worm-attack-code/</link>
		<comments>http://pcnss.co.uk/clock-ticking-on-worm-attack-code/#comments</comments>
		<pubDate>Tue, 20 Jan 2009 17:41:00 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[malware]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://pcnss.co.uk/?p=372</guid>
		<description><![CDATA[Experts are warning that hackers have yet to activate the payload of the Conficker virus. The worm is spreading through low security networks, memory sticks, and PCs without current security updates. The malicious program &#8211; also known as Downadup or &#8230; <a href="http://pcnss.co.uk/clock-ticking-on-worm-attack-code/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p><strong>Experts are warning that hackers have yet to activate the payload of the Conficker virus.</strong></p>
<p>The worm is spreading through low security networks, memory sticks, and PCs without current security updates. The malicious program &#8211; also known as Downadup or Kido &#8211; was first discovered in October 2008. Although the spread of the worm appears to be levelling off, there are fears someone could easily take control of any and all of the 9.5m infected PCs.</p>
<p>Speaking to the BBC, F-Secure&#8217;s chief research officer, Mikko Hypponen, said there was still a real risk to users. &#8220;Total infections appear to be peaking. That said, a full count is hard, because we also don&#8217;t know how many machines are being cleaned. But we estimate there are still more than 9m infected PCs worldwide. It is scary thinking about how much control they [a hacker] could have over all these computers. They would have access to millions of machines with full administrator rights. But they haven&#8217;t done that yet, maybe they&#8217;re scared. That&#8217;s good news. But there is also the scenario that someone else figures out how to activate this worm. That is a worrying prospect.&#8221;</p>
<p>Experts say users should have up-to-date anti-virus software and install Microsoft&#8217;s MS08-067 patch. The patch is known as KB958644.</p>
<p>Speaking to the BBC, Graham Cluley, senior technology consultant with anti-virus firm Sophos, said the outbreak was of a scale they had not seen for some time.</p>
<p>&#8220;Microsoft did a good job of updating people&#8217;s home computers, but the virus continues to infect businesses who have ignored the patch update. A shortage of IT staff during the holiday break didn&#8217;t help and rolling out a patch over a large number of computers isn&#8217;t easy.&#8221; &#8220;What&#8217;s more, if your users are using weak passwords &#8211; 12345, QWERTY, etc &#8211; then the virus can crack them in short order,&#8221; he added. &#8220;But as the virus can be spread with USB memory sticks, even having the Windows patch won&#8217;t keep you safe. You need anti-virus software for that.&#8221;</p>
<p><strong>Method</strong></p>
<p>According to Microsoft, the worm works by searching for a Windows executable file called &#8220;services.exe&#8221; and then becomes part of that code.</p>
<p>It then copies itself into the Windows system folder as a random file of a type known as a &#8220;dll&#8221;. It gives itself a 5-8 character name, such as piftoc.dll, and then modifies the Registry, which lists key Windows settings, to run the infected dll file as a service.</p>
<p>Once the worm is up and running, it creates an HTTP server, resets a machine&#8217;s System Restore point (making it far harder to recover the infected system) and then downloads files from the hacker&#8217;s web site.</p>
<p>Most malware uses one of a handful of sites to download files from, making them fairly easy to locate, target, and shut down.</p>
<p>But Conficker does things differently.</p>
<p>Anti-virus firm F-Secure says that the worm uses a complicated algorithm to generate hundreds of different domain names every day, such as mphtfrxs.net, imctaef.cc, and hcweu.org. Only one of these will actually be the site used to download the hackers&#8217; files. On the face of it, tracing this one site is almost impossible.</p>
<p><strong>Variant</strong></p>
<p>Speaking to the BBC, Kaspersky Lab&#8217;s security analyst Eddy Willems said that a new strain of the worm was complicating matters.</p>
<p>&#8220;There was a new variant released less than two weeks ago and that&#8217;s the one causing most of the problems,&#8221; said Mr Willems. &#8220;The replication methods are quite good. It&#8217;s using multiple mechanisms, including USB sticks, so if someone got an infection from one company and then takes his USB stick to another firm, it could infect that network too. It also downloads lots of content and creates new variants through this mechanism. Of course, the real problem is that people haven&#8217;t patched their software,&#8221; he added.</p>
<p>Microsoft says that the malware has infected computers in many different parts of the world, with machines in China, Brazil, Russia, and India having the highest number of victims. </p>
<p><a href="http://news.bbc.co.uk/1/hi/technology/7832652.stm" target="_blank">Original Article</a></p>
<p><a href="http://vil.nai.com/vil/content/v_153464.htm" target="_blank">McAfee Info</a></p>
]]></content:encoded>
			<wfw:commentRss>http://pcnss.co.uk/clock-ticking-on-worm-attack-code/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Facebook users hit by virus</title>
		<link>http://pcnss.co.uk/facebook-users-hit-by-virus/</link>
		<comments>http://pcnss.co.uk/facebook-users-hit-by-virus/#comments</comments>
		<pubDate>Tue, 09 Dec 2008 19:08:30 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[malware]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://pcnss.co.uk/?p=363</guid>
		<description><![CDATA[By Dan Whitworth Newsbeat technology reporter Facebook&#8217;s 120 million users are being targeted by a virus designed to get hold of sensitive information like credit card details. &#8216;Koobface&#8217; spreads by sending a message to people&#8217;s inboxes, pretending to be from &#8230; <a href="http://pcnss.co.uk/facebook-users-hit-by-virus/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>By Dan Whitworth<br />
Newsbeat technology reporter</p>
<p>Facebook&#8217;s 120 million users are being targeted by a virus designed to get hold of sensitive information like credit card details.</p>
<p>&#8216;Koobface&#8217; spreads by sending a message to people&#8217;s inboxes, pretending to be from a Facebook friend.</p>
<p>It says &#8220;you look funny in this new video&#8221; or &#8220;you look just awesome in this new video&#8221;.</p>
<p>By clicking on the link provided they&#8217;re then asked to watch a &#8220;secret video by Tom&#8221;.</p>
<p>When users try and play the video they&#8217;re asked to download the latest version of Adobe Flash Player.</p>
<p>If they do, that&#8217;s when the virus takes hold and attacks the computer.</p>
<p>Guy Bunker works for Symantec, who make Norton AntiVirus, and says there are two ways Koobface gets people&#8217;s credit card details.</p>
<p>&#8220;It can either wait for you to buy something online and just remember the details you type in on your keyboard.&#8221;</p>
<p>&#8220;Otherwise it can search your computer for any cookies you might have from when you&#8217;ve bought something in the past, and take them from there.&#8221;</p>
<p><strong>Networking threat</strong></p>
<p>The Facebook case is the latest example of hackers using social networking sites to try to cash in.</p>
<p>MySpace was targeted by Koobface in August.</p>
<p>Security experts say people are far less suspicious about viruses on sites like Facebook because you need to be a member to log in.</p>
<p>Facebook won&#8217;t give any specifics on how many users have been hit by the virus, only saying it&#8217;s a small percentage.</p>
<p>But they have posted some advice on the site about what to do if you come across it.</p>
<p>&#8220;We&#8217;re currently helping our users with the recently discovered &#8216;Koobface&#8217; worm and phishing sites.&#8221;</p>
<p>&#8220;If your account has recently been used to send spam, please visit one of the online antivirus scanners from the Helpful Links list, and reset your password.&#8221; </p>
<p><a href="http://news.bbc.co.uk/newsbeat/hi/technology/newsid_7773000/7773340.stm" target="_blank">Original Article Here</a></p>
]]></content:encoded>
			<wfw:commentRss>http://pcnss.co.uk/facebook-users-hit-by-virus/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Mobile Phone Security &#8211; What is it? Is it really needed?</title>
		<link>http://pcnss.co.uk/mobile-phone-security-what-is-it-is-it-really-needed/</link>
		<comments>http://pcnss.co.uk/mobile-phone-security-what-is-it-is-it-really-needed/#comments</comments>
		<pubDate>Wed, 22 Oct 2008 19:29:52 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[malware]]></category>
		<category><![CDATA[mobile]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.pcnss.co.uk/mobile-phone-security-what-is-it-is-it-really-needed/</guid>
		<description><![CDATA[Simon Cable explains the ins and outs of securing mobile phones. It was only a matter of time before the virus writers started to exploit the mobile platforms and recently these viruses have become more malicious and started to present &#8230; <a href="http://pcnss.co.uk/mobile-phone-security-what-is-it-is-it-really-needed/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Simon Cable explains the ins and outs of securing mobile phones.</p>
<p>It was only a matter of time before the virus writers started to exploit the mobile platforms and recently these viruses have become more malicious and started to present higher levels of risk for business and personal users.</p>
<p>The challenge presented today is multi-faceted, primarily because our mobile devices are increasingly powerful and are performing so many additional tasks. There are now over 300 pieces of malware that infect mobile devices, some of which can infect PCs or servers as well. They spread by every means possible: SMS, MMS, Bluetooth, WAP, Wi-Fi, email, images, video clips, Instant Messaging and Voice over IP are all known to be used by mobile viruses.</p>
<p>It is important to tighten up on network defences and implement software to protect all types of messaging systems. Once a company device is infected with a piece of mobile malware confidential information may no longer be safe. Data integrity and compliance may also be compromised.</p>
<p>One of the current leaders in the mobile security field commissioned some market research and the results were slightly worrying. Symantec found that in Germany, on average, only 33 percent of men and 65 percent of women with smart phones claimed to be using any sort of security. However, 90 percent of those interviewed stored personal information like email addresses and phone numbers in their smart phone, 25 percent stored passwords on their phone and 20 percent even stored PIN numbers and credit card information!</p>
<p>In the UK a separate survey, also commissioned by Symantec, revealed that only 50 percent of users were concerned that their smart phone might be the target of hackers.</p>
<p><strong>What should you do to protect your mobile phone?</strong></p>
<p>Protecting your devices against attacks from hackers is possible and there are some basic things that everyone should be doing&#8230;</p>
<p>1. Deactivate functions such as Bluetooth, Wireless LAN, and infrared when they are not in use. At the very least the phone should be set as &#8216;invisible&#8217; under normal circumstances, so that it is less easily recognised by would-be hackers.</p>
<p>2. It goes almost without saying that files from unknown sources received by any means (Bluetooth/MMS/SMS etc) should neither be opened nor installed, e.g. telephone numbers or links attached to short messages from unknown senders. The same applies here as with the home PC. Great care must be taken with unsolicited emails from unfamiliar sources.</p>
<p>3. You should only download material from sources which you trust and which, as far as possible, are safeguarded by signatures.</p>
<p>4. The decisive factor as far as security is concerned is of course having the proper programmes and security functions in place. These include virus scanners and firewalls which ensure protection when the user is surfing the net or checking emails and their attachments. In particular, anti-virus software is essential when the mobile telephone is being synchronised with a PC.</p>
<p>There is a good choice of mobile security solutions available from all of the leading security vendors today. It is essential that customers have a firewall in place to protect devices from unwanted probes or attacks, irrespective of their source or the method they are using. Scanning and checking incoming messages and files to ensure cleanliness from viruses and malicious or unwanted SMS messages is also essential.</p>
<p>The first company to release a solution to these emerging threats was a Finnish anti-virus firm called F-Secure. They were the first to develop software to protect both Symbian and Windows Mobile devices and they remain a market leader in this field today.</p>
<p>The larger anti-virus firms have more recently been able to develop and put to market a very good solution which also ticks all the required boxes.</p>
]]></content:encoded>
			<wfw:commentRss>http://pcnss.co.uk/mobile-phone-security-what-is-it-is-it-really-needed/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

