Techs-on-Call Computer Blog » Archives

Entries Tagged as 'Malware'

Experiment Shows How Easy It Is To Install Malicious Software

Malware, News

Security researchers were able to trick 8,000 people into downloading onto their smart phones a program that could have contained malware. The bait was a seemingly innocent weather application. The study was meant to bring to light how cybercriminals trick people into downloading their malware. The program itself was clean, but its creators also had a version that was a trojan horse. The fact is, the weakest part of any computer security is the end user.

Once again, one of the best ways to fight viruses and malware is to never assume everyone on the internet is your friend. Just because it is free does not mean it is safe. A common way for malware to get installed is to trick the user into installing something else, because that bypasses all security. In fact, the two most common ways to distribute viruses and malware are social engineering tricks (like this one) and poisoning websites. Social engineering tricks are very common in email, where the user is tricked into clicking on a link. But tricking people into downloading a program is also heavily used.

Links related to this study:

Study: Antivirus Software Not Effective At Stopping Malware

Malware, News

A company called Surfright has just released a study based on users who visited its website to remove malicious software, or malware, even with up-to-date antivirus definitions. One quote in the study, from cyvelliance.com, says that "Even the most popular AV solutions detect less than half of the latest malware threats." VB100, a company that tests antivirus products, says "A few renowned anti virus programs do not pass the VB100 test."

All this confirmed what I already knew: your antivirus program won't protect you from the biggest threat today, malware. From personal experience, the malware I see the most is fake antivirus programs. I see this a lot because it is profitable. Of course, fake antivirus programs are easy to remove. The idea behind fake antivirus programs is to make as much money as you can as fast as you can; burying itself deep is too much work. Also from my experience, malware in Windows Vista is more likely to be confined to a specific user. What this means is that if a computer has more than one sign-in name, the infection is more than likely to be limited to one of those users, with the other users unaffected. In Windows XP, every user is more likely to be affected.


Another Tactic of Viruses

Malware, Security, News

This is from McAfee labs about a new technique computer viruses are using. This one embeds itself in a help file. I've seen viruses in executable files (.exe) and in library files (.dll). Now viruses have another place to hide: help files.

A computer virus is a bit of code that is embedded into a file and when that file is executed, the virus executes some code and often spreads itself. In this case, once the infected help file is viewed, the virus installs some malicious program. The malicious program is just an encoded file with a file extension of .hlp to make it look like a help file. The purpose of this is to foil anti-malware programs.

All of this just illustrates the point that malicious software will always change tactics to stay two steps ahead of the cleanup programs. Fortunately for you, the motivation behind most malware is profit. This means that most malware is not this complex, because that is too much work. These cyber-criminals want as much as they can get as fast as they can get it. Complex malware like this takes a long time. Still, never assume you are safe. I've said it before in other blog posts: not even Macs are safe. About 80% of the malware I see is a simple scam, the fake antivirus stuff. And that is relatively easy (for me anyway) to remove. Just always be alert. Being alert can foil most cyber attacks.

If you would like more information on this new virus tactic, McAfee has a blog entry about it: Be careful on help file.
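The trick described above is that the dropped payload is an encoded file with a .hlp extension, which does not actually carry the structure of a help file. A simple check a cleanup tool can make is whether a file's extension agrees with its content signature. Here is an added example in Python (it is not code from the original post or from McAfee); the WinHelp 3.x header magic 0x00035F3F and the "MZ" marker of .exe/.dll files are real format signatures, while the sample files and their contents are constructed for the demonstration:

```python
import os

# Known content signatures ("magic bytes") for the file types the post mentions.
# WinHelp 3.x files begin with the little-endian magic 0x00035F3F;
# .exe and .dll files (PE format) begin with the DOS stub marker "MZ".
SIGNATURES = {
    ".hlp": [b"\x3f\x5f\x03\x00"],
    ".exe": [b"MZ"],
    ".dll": [b"MZ"],
}


def detected_type(data: bytes):
    """Return the extension whose signature matches the start of data, or None."""
    for ext, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return ext
    return None


def check_file(name: str, data: bytes) -> str:
    """Classify one file as 'ok' (extension and content agree),
    'mismatch' (claims a known type but the bytes say otherwise) or
    'unknown' (we have no signature on record for this extension)."""
    ext = os.path.splitext(name)[1].lower()
    if ext not in SIGNATURES:
        return "unknown"
    actual = detected_type(data)
    if actual is None:
        return "mismatch"
    # .exe and .dll share the MZ signature, so treat them as equivalent.
    if actual == ext or SIGNATURES[actual] == SIGNATURES[ext]:
        return "ok"
    return "mismatch"


# Constructed sample "files" (name -> first bytes) standing in for a directory listing.
SAMPLE_FILES = {
    # a genuine-looking WinHelp header followed by filler
    "readme.hlp": b"\x3f\x5f\x03\x00" + b"\x00" * 28,
    # a PE executable renamed to look like a help file
    "setup.hlp": b"MZ\x90\x00" + b"\x00" * 28,
    # an opaque encoded blob given a .hlp extension, like the dropper in the post
    "update.hlp": b"U2FsdGVkX1+payload==",
    # a normal executable with the expected extension
    "notepad.exe": b"MZ\x90\x00" + b"\x00" * 28,
}


def scan(files):
    """Run check_file over every (name, data) pair and return the verdicts."""
    return {name: check_file(name, data) for name, data in files.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_FILES).items():
        print(f"{name:12s} {verdict}")
```

Note what this does and does not catch: it flags a file that merely borrows the .hlp extension, which is the disguise the post describes, but a correctly structured help file that contains something malicious would still pass, so a signature check complements rather than replaces a scanner.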

Hoax Facebook Email Being Used to Spread Malware

Malware

This comes from snopes.com. A spam email message is circulating claiming Facebook is going to start charging a fee of $4.99 per month soon. The email has a link to a website which is claimed to be an online petition to prevent this. In fact, it is a page full of malware.

I would estimate that 75% of the malware I see comes from social networking sites, such as Facebook, Twitter, and Myspace. The malware may not be on the site itself, but these scammers use the site as a vehicle to deliver the malware. What happens is some cybercriminal creates a page on these sites and loads it full of viruses and malware. People are naive and assume that every page is safe, and before you know it, you've clicked on a bad page. The ones that are trying to make as much money as they can as fast as they can work only on Windows and aren't very sophisticated. The malware first tries many known security vulnerabilities, including ones found in non-Microsoft programs such as Adobe Acrobat and Flash. If a computer is fully patched, then it tries to fool the user into manually installing the malware. Fake antivirus programs fall into this category, but their power is limited because more would cost too much money to make. The really good ones work on both Windows and Mac and are difficult to remove.

One of the other major causes of malware infestations is spam email, such as this scam. In one example, people use a weak or common password and the cybercriminal comes along and systematically tries to figure out your password. He (sometimes she) will try the most common passwords people use (e.g., 123456) and then, if that fails, read your page to learn what it might be. For example, your password may be related to your dog's name, and your page will have the name of your dog on it. That makes it easy for the cybercriminal to gain access to your page. What he will then do is change your page and load it with malware and viruses (but make sure it looks the same) and then send out an email to all your friends through the social networking site with a link which contains malware. Since it looks like it comes from you, people are more likely to trust it and thus click on the link.

The other major causes of malware are porn sites and hacked websites.

Winlogon Error at Windows Startup

Malware, Computer Repair Notes

This week I had a computer that was loaded with malware. While I was working on the problem, I had to restart the computer. Upon restarting the computer, the first thing that appears is a pop-up box about winlogon.exe with the error message: 'The instruction at '(some address)' referenced memory at '(some address)'. The memory could not be "read". Click on OK to terminate the program. Click on CANCEL to debug the program.' Of course I did not write the addresses because that was irrelevant. What stood out to me was the fact the word "read" was in quotes.

The options were to click OK or CANCEL. When you click OK, Windows immediately restarts. However, when I just moved the pop-up box out of the way, I was able to sign in with no problem.

Many of the answers I was finding said bad memory. I knew it wasn't bad memory; I knew it was malware. I ran Malwarebytes, it cleaned the computer up, and the error never came back. This particular computer was loaded with close to 500 Vundo trojans but not much else.

This computer was a business computer and required an interactive logon, that is, the logon that requires you to type the username in instead of selecting the user by an icon. If you need to get to the interactive logon window, just hold down CTRL+ALT and then quickly press DELETE twice.
