
Category: Malware

Aug 10 2010

Another Study Shows Antivirus Software Is Poor Against Malware

Earlier this year, the security software company Surfright published a study showing how even up-to-date antivirus programs fail to detect malicious software, or malware for short. Now Cyveillance, a cyber intelligence company (whatever that is, I don't know), has shown that traditional signature-based antivirus software detects only 19% of new malware on the day it appears. After the malware has been in the wild for 30 days, the detection rate rises to 61.7%.

One way antivirus software detects malware and viruses is by using a signature: a fingerprint of a known bad file, such as a hash of the whole file or a distinctive sequence of bytes taken from inside it. The antivirus program compares each file it scans against its database of signatures, and flags the file only if it matches one. This study only considered the signature-based portion of antivirus software. There are other techniques for detecting malware, such as heuristic and behavioral analysis, which the study did not consider.

Malware has become a great way to make a lot of money with little work. Malware creators release new variants weekly, perhaps daily, because even a small change to the file defeats a signature written for the previous version, which keeps them ahead of signature-based antivirus software. One criticism I have of the study is that it expected antivirus software to recognize a new strain of malware the day it was released. How can an antivirus program be ready to handle something totally different that was put in the wild only a few hours ago? I would give an antivirus program two days to detect a new strain of malware.
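The two paragraphs above describe signature matching and why a new variant slips past it. The following toy scanner is an added example, not code from the original post or from any antivirus vendor: the "files" are constructed byte strings standing in for executables, and the two signatures (an exact file hash and a byte pattern) are made up for the demonstration and do not correspond to any real malware family. It shows that a one-string change defeats the hash signature, while re-encoding the body defeats the byte pattern as well, which is exactly the variant-a-day game the post describes.

```python
"""Toy signature scanner: why per-sample signatures miss new variants.

Added example, not from the original post or any vendor. The samples are
constructed byte strings, not real malware; the signatures are invented.
"""
import hashlib

# --- constructed sample "files" (stand-ins for real executables) ---
ORIGINAL = (b"MZ\x90\x00" + b"\x00" * 60
            + b"FAKE-DOWNLOADER v1 http://dropper.invalid/get" + b"\x00" * 32)
# A "variant": identical code, one string changed, so the file hash differs.
VARIANT = ORIGINAL.replace(b"v1", b"v2")
# A "repacked" variant: the body is XOR-encoded with a one-byte key, so neither
# the hash nor the plaintext byte pattern exists until a stub decodes it at run time.
REPACKED = b"MZ\x90\x00" + bytes(b ^ 0x5A for b in ORIGINAL[4:])
# A harmless program that shares the same header.
BENIGN = (b"MZ\x90\x00" + b"\x00" * 60
          + b"Hello, world. This is a harmless program." + b"\x00" * 32)

# --- constructed signature database ---
# 1. Exact-match signature: SHA-256 of the one sample the analyst saw.
HASH_SIGNATURES = {
    hashlib.sha256(ORIGINAL).hexdigest(): "Fake.Downloader.A (hash)",
}
# 2. Byte-pattern signature: a distinctive substring from the sample body.
PATTERN_SIGNATURES = {
    b"FAKE-DOWNLOADER": "Fake.Downloader.gen (pattern)",
}


def scan(data: bytes) -> list:
    """Return the names of every signature that matches `data`."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        hits.append(HASH_SIGNATURES[digest])
    for pattern, name in PATTERN_SIGNATURES.items():
        if pattern in data:
            hits.append(name)
    return hits


def detection_report() -> dict:
    """Scan every constructed sample; return {sample_name: [matching signatures]}."""
    samples = {"original": ORIGINAL, "variant": VARIANT,
               "repacked": REPACKED, "benign": BENIGN}
    return {name: scan(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, hits in detection_report().items():
        print(f"{name:9s} -> {hits or ['clean']}")
```

Run it and the original sample trips both signatures, the variant only the byte pattern, and the repacked copy neither, while the benign file stays clean. A vendor that ships only hash signatures is behind the moment the author recompiles; a vendor that ships byte patterns lasts until the author repacks.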

However, this study does remind me of how bad antivirus software really is. Antivirus companies get fat and lazy. They work hard at first, get a good reputation, get name recognition and a steady stream of renewals, and then they stop trying as hard. I don't want to name names because I don't want to worry about any legal issues. But I have seen firsthand how bad antivirus software is at detecting malware.

0 comments - Posted by Wade Burchette at 9:35 AM - Categories: Malware | News

Jun 8 2010

Hackers Compromise Jerusalem Post Website

Yesterday hackers attacked the Jerusalem Post website and planted malware on it. While it appears this attack has nothing to do with the recent events between Israel and the Gaza Strip, it does highlight the tactics used by malware creators. They want to reach as many people as possible, which is why Windows is attacked and why popular websites are attacked. They also run ads that look like they come from real, well-known companies but actually carry malware. Malware is highly profitable and effective. And unfortunately, the bad guys have the time and ability to study every little weakness in every system. They are always two steps ahead. Greed does that to people.

The tricks malware creators use are both direct and indirect. Hacking a website is an indirect way of planting malware, because they must first exploit the site and then exploit a weakness in the visitor's browser or plugins to install the malware silently. These attacks are harder to carry out, but also more difficult to shut down and trace. Direct attacks involve tricking you into carrying out some action yourself. These attacks exploit the weakness of the person rather than the software.

One of the most effective tools against malware is to use the Firefox browser along with the NoScript add-on. NoScript is complex, but it blocks JavaScript, Java, Flash and other plugin content on every site you have not explicitly allowed, which stops just about every form of indirect, silent attack on your computer. It does not protect you from a download you choose to run yourself. Firefox also warns you when a website is on its list of known attack sites; a warning is a great defense against malware.

SophosLabs has a report on the Jerusalem Post attack.

0 comments - Posted by Wade Burchette at 4:51 PM - Categories: Malware | News

Mar 9 2010

Experiment Shows How Easy It Is To Install Malicious Software

Security researchers were able to trick 8,000 people into downloading onto their smartphones a program that could have contained malware. The bait was a seemingly innocent weather application. The study was meant to bring to light how cybercriminals trick people into downloading their malware. The program the researchers distributed was clean, but they had also built a version that was a trojan horse. The fact is, the weakest part of any computer security is the end user.

Once again, one of the best ways to fight viruses and malware is to never assume everyone on the internet is your friend. Just because it is free does not mean it is safe. A common way for malware to get installed is to trick the user into installing something else, because the user's own action bypasses all of the security. In fact, the two most common ways to distribute viruses and malware are social engineering tricks (like this one) and poisoning websites. Social engineering tricks are very common in email, where the user is tricked into clicking on a link. But tricking people into downloading a program is also heavily used.

Links related to this study:

0 comments - Posted by Wade Burchette at 2:45 PM - Categories: Malware | News

Feb 8 2010

Study: Antivirus Software Not Effective At Stopping Malware

A company called Surfright has just released a study of users who visited their website to remove malicious software, or malware. Many of those computers were infected even though they had antivirus software with up-to-date definitions. One quote in the study, from cyveillance.com, says that "Even the most popular AV solutions detect less than half of the latest malware threats." VB100, a test of antivirus products run by Virus Bulletin, notes that "A few renowned anti virus programs do not pass the VB100 test."

All this confirmed what I already knew: your antivirus program won't protect you from the biggest threat today, malware. From personal experience, the malware I see the most is fake antivirus programs. I see this a lot because it is profitable. Of course, fake antivirus programs are easy to remove. The idea behind fake antivirus programs is to make as much money as you can as fast as you can; burying itself deep is too much work. Also from my experience, malware in Windows Vista is more likely to be confined to a specific user. What this means is that if a computer has more than one sign-in name, the infection is more than likely limited to one of those users, with the other users unaffected. Windows XP is more likely to have every user affected.

Read more...

0 comments - Posted by Wade Burchette at 4:43 PM - Categories: Malware | News

Feb 3 2010

Another Tactic of Viruses

This is from McAfee Labs, about a new technique computer viruses are using: this one embeds itself in a help file. I've seen viruses in executable files (.exe) and in library files (.dll). Now viruses have another place to hide: help files.

A computer virus is a bit of code that is embedded into a file; when that file is executed, the virus runs its own code and often spreads itself. In this case, once the infected help file is opened, the virus installs a second, malicious program. That second program is stored as an encoded file with a .hlp extension, so that on disk it looks like another help file rather than an executable. The purpose of this is to foil anti-malware programs, which decide what to scan, and how, partly from what a file appears to be.
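The point of the disguise above is that a file's extension says nothing about its contents. The following check is an added example, not code from the original post or from McAfee: it reads the first bytes of each file, infers the real type from the magic number (the WinHelp header 0x3F 0x5F 0x03 0x00 for a genuine .hlp, "MZ" for a DOS/Windows executable), compares that to what the extension claims, and, for a .hlp that matches nothing, uses byte entropy to tell an encoded blob from ordinary text. All sample files are constructed in memory; the uniform-byte blob is a stand-in for the encoded payload the post describes.

```python
"""Flag files whose content does not match what their extension claims.

Added example, not from the original post or McAfee. Sample files below are
constructed; the "encoded payload" is a uniform byte pattern standing in for
a real encoded executable.
"""
import math
import os

# Magic numbers: the bytes a genuine file of each type begins with.
MAGIC = {
    b"\x3f\x5f\x03\x00": "winhelp",     # WinHelp .hlp header
    b"MZ": "executable",                # DOS/PE executable header
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",
}
EXPECTED_TYPE = {".hlp": "winhelp", ".exe": "executable", ".dll": "executable",
                 ".pdf": "pdf", ".zip": "zip"}


def content_type(data: bytes) -> str:
    """Infer the real file type from its leading bytes."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: near 8.0 for encoded or compressed
    data, well below 6 for text and ordinary machine code."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def assess(filename: str, data: bytes) -> str:
    """Compare the type claimed by the extension with the type in the bytes."""
    ext = os.path.splitext(filename)[1].lower()
    claimed = EXPECTED_TYPE.get(ext, "unknown")
    actual = content_type(data)
    if actual == "executable" and claimed != "executable":
        return "suspicious: executable disguised as " + ext
    if actual == "unknown" and claimed != "unknown":
        if entropy(data) > 7.0:
            return "suspicious: encoded blob, not a " + claimed
        return "suspicious: not a " + claimed
    if actual != claimed:
        return "mismatch"
    return "ok"


# --- constructed sample files ---
REAL_HELP = b"\x3f\x5f\x03\x00" + b"\x00" * 12 + b"Welcome to the help file."
DISGUISED_EXE = (b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56
                 + b"This program cannot be run in DOS mode.")
# Every byte value appears equally often (37 is coprime to 256), so the
# entropy is exactly 8.0: a stand-in for an encoded payload named .hlp.
ENCODED_BLOB = bytes((i * 37 + 11) & 0xFF for i in range(4096))
PLAIN_TEXT = b"Just some notes about the computer, typed in a text editor."

SAMPLES = [("readme.hlp", REAL_HELP), ("setup.hlp", DISGUISED_EXE),
           ("data.hlp", ENCODED_BLOB), ("notes.hlp", PLAIN_TEXT),
           ("tool.exe", DISGUISED_EXE)]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(f"{name:11s} entropy={entropy(data):4.2f}  {assess(name, data)}")
```

Only readme.hlp and tool.exe come back "ok"; the executable renamed to .hlp is caught by its MZ header, and the encoded payload is caught because nothing that is genuinely a help file or text has eight bits of entropy per byte. A scanner that trusted the extension would have skipped both.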

All of this just illustrates the point that malicious software will always change tactics to stay two steps ahead of the cleanup programs. Fortunately for you, the motivation behind most malware is profit. This means that most malware is not this complex, because that is too much work. These cyber-criminals want as much as they can get as fast as they can get it. Complex malware like this takes a long time. Still, never assume you are safe. I've said it before in other blog posts: not even Macs are safe. About 80% of the malware I see is a simple scam, the fake antivirus stuff. And that is relatively easy (for me anyway) to remove. Just always be alert. Being alert can foil most cyber attacks.

If you would like more information on this new virus tactic, McAfee has a blog entry about it: Be careful on help file.

0 comments - Posted by Wade Burchette at 7:17 PM - Categories: Malware | News | Security

Jan 12 2010

Hoax Facebook Email Being Used to Spread Malware

This comes from snopes.com. A spam email message is circulating claiming Facebook is going to start charging a fee of $4.99 per month soon. The email has a link to a website which is claimed to be an online petition to prevent this. In fact, it is a page full of malware.

I would estimate that 75% of the malware I see comes from social networking sites, such as Facebook, Twitter, and Myspace. The malware may not be on the site itself, but these scammers use the site as a vehicle to deliver the malware. What happens is some cybercriminal creates a page on these sites and loads it full of viruses and malware. People are naive and assume that every page is safe, and before you know it, you've clicked on a bad page. The ones that are trying to make as much money as they can as fast as they can work only on Windows, and aren't very sophisticated. The malware first tries many known security vulnerabilities, including ones found in non-Microsoft programs such as Adobe Acrobat and Flash. If a computer is fully patched, then it tries to fool the user into manually installing the malware. Fake antivirus programs fall into this category, but their power is limited because anything more would cost too much money to make. The really good ones work on both Windows and Mac and are difficult to remove.

One of the other major causes of malware infestations is spam email, such as this scam. In one example, people use a weak or common password and the cybercriminal comes along and systematically tries to figure it out. He (sometimes she) will try the most common passwords people use (e.g. 123456) and then, if that fails, read your page to learn what it might be. For example, your password may be related to your dog's name, and your page will have the name of your dog on it. That makes it easy for the cybercriminal to get access to your page. What he will then do is change your page and load it with malware and viruses (while making sure it looks the same) and then send out an email to all your friends through the social networking site with a link that leads to malware. Since it looks like it comes from you, people are more likely to trust it and click on the link.
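The guessing sequence in the paragraph above (the most common passwords first, then words read off the victim's own page with the usual digits and punctuation tacked on) is easy to reproduce. The script below is an added example, not from the original post: the profile, the common-password list and the target passwords are all constructed, and plain SHA-256 stands in for whatever a real site stores, so it says nothing about any actual service. It shows how few guesses "Biscuit1985" survives once the attacker knows the dog's name and the birth year.

```python
"""Targeted password guessing: common passwords first, then the victim's profile.

Added example, not from the original post. Profile, word list and targets are
constructed; SHA-256 is used only so the demo runs offline.
"""
import hashlib
import itertools

# Constructed: a short "most common passwords" list, tried before anything else.
COMMON_PASSWORDS = ["123456", "password", "12345678", "qwerty", "abc123", "letmein"]

# Constructed: what an attacker can read off a public profile page.
PROFILE = {
    "first_name": "Sarah",
    "pet": "Biscuit",
    "team": "Yankees",
    "city": "Raleigh",
    "birth_year": "1985",
}


def build_candidates(profile: dict, common: list) -> list:
    """Return guesses in the order an attacker would try them."""
    words = [v for v in profile.values() if not v.isdigit()]
    years = [v for v in profile.values() if v.isdigit()]
    suffixes = ["", "1", "12", "123", "!", "1!"] + years
    seen, candidates = set(), []

    def add(guess):
        if guess not in seen:
            seen.add(guess)
            candidates.append(guess)

    for guess in common:                  # step 1: the usual suspects
        add(guess)
    for word in words:                    # step 2: profile words plus cheap mutations
        for form in (word.lower(), word.capitalize(), word.upper()):
            for suffix in suffixes:
                add(form + suffix)
    for a, b in itertools.permutations(words, 2):   # step 3: two profile words joined
        add(a.lower() + b.lower())
        add(a.capitalize() + b.capitalize())
    return candidates


def sha256_hex(password: str) -> str:
    """Stand-in for a stored password hash (real sites should salt and stretch)."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack(target_hash: str, candidates: list):
    """Return (password, guesses_needed), or (None, guesses_tried) on failure."""
    for n, guess in enumerate(candidates, start=1):
        if sha256_hex(guess) == target_hash:
            return guess, n
    return None, len(candidates)


if __name__ == "__main__":
    cands = build_candidates(PROFILE, COMMON_PASSWORDS)
    print(f"{len(cands)} candidates")
    for pw in ("123456", "Biscuit1985", "sarahbiscuit", "tY7#vRq2!mLp"):
        print(f"{pw:14s} -> {crack(sha256_hex(pw), cands)}")
```

The whole list is barely over a hundred guesses, well within what an attacker can try by hand if a site has no lockout, and every password built from the profile falls inside it. The random twelve-character password is the only one that is not found, which is the practical lesson: a password that cannot be derived from anything on your page is the one that survives this attack.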

The other major causes of malware are porn sites and hacked websites.

0 comments - Posted by Wade Burchette at 8:53 AM - Categories: Malware

Dec 25 2009

Winlogon Error at Windows Startup

This week I had a computer that was loaded with malware. While I was working on the problem, I had to restart the computer. Upon restarting the computer, the first thing that appears is a pop-up box about winlogon.exe with the error message: 'The instruction at '(some address)' referenced memory at '(some address)'. The memory could not be "read". Click on OK to terminate the program. Click on CANCEL to debug the program.' Of course I did not write the addresses because that was irrelevant. What stood out to me was the fact the word "read" was in quotes.

The options were to click OK or CANCEL. When you click OK, Windows immediately restarts. However, if I just moved the pop-up box out of the way, I was able to sign in with no problem.

Many of the answers I was finding said bad memory. I knew it wasn't bad memory. I knew it was malware. I ran Malwarebytes, it cleaned the computer up, and the error never came back. This particular computer was loaded with close to 500 Vundo trojans but not much else.

This computer was a business computer and required an interactive logon, that is, the logon that requires you to type the username in instead of selecting the user by an icon. If you need to get to the interactive logon window, just hold down CTRL+ALT and then quickly press DELETE twice.

Posted by Wade Burchette at 9:07 AM - Categories: Computer Repair Notes | Malware