Posts Tagged ‘virus’

Last week saw the addition of another chapter to the never-ending malware saga that is Adobe Reader. A clever exploit for a vulnerability was uncovered by researcher Mila Parkour, and both Reader and Acrobat currently remain unpatched.

PC World reports that the exploit uses rigged PDF files that include code to exploit the zero-day flaw. It has been called impressive and clever because it first gets around two Microsoft-created protections. Researchers have confirmed that the exploit bypasses two important defences Microsoft erected to protect Windows: ASLR (address space layout randomization) and DEP (data execution prevention).

Second, the attack also boasts a valid digital signature from Vantage Credit Union. VeriSign has revoked the certificate behind the signature to prevent further use, but the malware that is already out there will still be carrying what looks like a valid signature.

The attacks have been targeted at specific corporations and individuals, but now that the word is out the hackers will probably expand their target range. Adobe has not offered any word on how to avoid the attacks or when a patch will be ready, although it did warn users about the malware on Tuesday.

To get infected the bad PDF needs to be viewed, so it does require some interaction, and disabling JavaScript will block the attack. This is the latest attack to use digital signatures to fool defence systems; it bears a resemblance to the Stuxnet worm, which was a problem for some companies over the summer.

It wouldn’t be surprising if in the future more malware uses these sophisticated techniques with digital signatures since they have been effective.

Did you know that someone can change the settings on your router so that all your internet traffic goes through their servers, and from this they can get your bank details as well as other personal information?

Routers come with a standard password, and I usually use this to access clients' routers without even asking if they know the password. This is because the router is usually the last place someone thinks of needing a password, or they simply have never known it. Now, and for some time, criminals have taken advantage of this: they have developed malicious code to change the settings on your router.

This looks like the computer is infected by a virus, but even after the computer has been cleaned of everything it still has the same problem, and every computer on the network will show the same symptoms. You may not get any symptoms at all, which makes it worse.

When you go to a website, your computer does not know where that website is hosted, so it asks a DNS server. On nearly all home routers this is set to obtain the addresses of those servers from your ISP automatically. So when you type in a website address the request goes to these servers; they look up where the website is, return this information to your computer, and the website is displayed. This virus changes the router's settings so that it no longer uses your ISP's DNS servers but the criminals' own, so they can see what you are doing and intercept any data they can.
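A quick way to spot the switch described above, as an added example that is not part of the original post: it pulls the DNS servers a Windows PC has been handed out of `ipconfig /all`-style text (a constructed sample here, IPv4 only) and flags any server that is neither the router's own LAN address nor one of the ISP's resolvers. The LAN subnet and the ISP resolver range are assumptions; substitute the ones your ISP actually uses.

```python
import ipaddress
import re
# Assumed for this example: the home LAN and the ISP's resolver range
# (TEST-NET placeholders; substitute the servers your ISP actually uses).
LAN = ipaddress.ip_network("192.168.1.0/24")
ISP_RESOLVERS = [ipaddress.ip_network("203.0.113.0/24")]
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed samples of what a PC reports before and after the router's
# DNS setting has been changed (the router hands the servers out via DHCP).
CLEAN = """\
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
"""
HIJACKED = CLEAN.replace(
    "DNS Servers . . . . . . . . . . . : 192.168.1.1",
    "DNS Servers . . . . . . . . . . . : 198.51.100.7\n"
    "                                       198.51.100.8",
)

def parse_dns_servers(ipconfig_text):
    """Collect IPv4 DNS servers: the first sits on the 'DNS Servers' line,
    any extra ones on continuation lines holding nothing but an address."""
    servers, in_dns_block = [], False
    for line in ipconfig_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("DNS Servers"):
            in_dns_block = True
            match = IPV4_RE.search(stripped.split(":", 1)[1])
            if match:
                servers.append(match.group(1))
        elif in_dns_block and IPV4_RE.fullmatch(stripped):
            servers.append(stripped)
        else:
            in_dns_block = False
    return servers

def classify(server, lan=LAN, isp_resolvers=ISP_RESOLVERS):
    """'router' (local box forwarding to the ISP), 'isp', or 'unexpected'."""
    ip = ipaddress.ip_address(server)
    if ip in lan:
        return "router"
    if any(ip in net for net in isp_resolvers):
        return "isp"
    return "unexpected"

def unexpected_dns_servers(ipconfig_text):
    """Servers that are neither the router nor the ISP: check the router's DNS page."""
    return [s for s in parse_dns_servers(ipconfig_text) if classify(s) == "unexpected"]
```

If the router acts as the DNS proxy itself, the PC will only ever show the router's address, and the same comparison has to be made against the upstream servers listed on the router's own configuration page.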

 

For the full report see Forbes.

How do you change this password? If you are confident, search for your router's model number and the instructions; this should tell you what to do. If you are not sure then get a technician in to do it for you. It does not take long and you will know that this virus cannot affect you.

Today I received an email from my ISP saying it had quarantined an email from someone at UPS. I found this strange, as I was not expecting anything from UPS and my ISP thought it was a virus.

As I always check these things out, I phoned UPS, and even before I got to the multiple-choice menu there was a message saying they had had a number of calls about this email. The email says that a delivery was attempted but no one answered, and asks the user to open an attachment to arrange another delivery. Well, you might have guessed: it is a virus, and opening the attachment infects your computer.

If you get any unexpected emails from a large company, especially eBay and PayPal, go to their websites directly and not through a link in the email, and check it out either by logging in or, in my case, by phoning the company. I know eBay and PayPal have an email address you can forward the email to, and they will tell you whether it came from them or not.

eBay's fake email page

PayPal's fake email page

I have tweeted about this before, but now Google has started to warn about it. Scareware is where a malicious piece of software disguises itself as a normal program but then demands money from you, otherwise something bad will happen.

I have always seen the fake anti-virus ones that pop up and cannot be closed; they say your computer is infected and that unless you pay a set fee to buy this program they will not remove anything. The truth is that the program is the malicious code, and it often adds other malicious programs which, even if you did pay, it would not remove. The name of this program changes every so often; one was called Antivirus 2009.

Anyway, back to Google: they scanned 240 million web pages over 13 months, January 2009 to February 2010, and found that fake anti-virus programs accounted for 15% of all malicious software. Over 11,000 web domains were involved in distributing the fake anti-virus software. This attack is mainly aimed at Windows machines and is usually delivered through ADVERTS. The reason I highlighted adverts is that I often get asked whether an infection was because someone in the household had been on 'adult' sites; while some of these adverts will be on adult sites, most are now on normal-looking websites so they can infect more people.

Trusteer, a security company, reports that Zeus is the number one botnet, with over 3.6 million PCs infected, and that is only in America. Now that is a scary figure.

What is a botnet and what does Zeus do?

Botnet is a term for a collection of software agents or robots that run autonomously and automatically. A bot typically runs hidden and uses a covert channel to communicate with its C&C server. Generally, the perpetrator of the botnet has compromised a series of systems using various tools. Newer bots can automatically scan their environment and propagate themselves using vulnerabilities and weak passwords. Generally, the more vulnerabilities a bot can scan and propagate through, the more valuable it becomes to a botnet controller community.

See the Wikipedia definition

Zeus steals your information, like bank details and other usernames and passwords, and reports them back to someone who can then sell this information on to criminals. The BIG problem with Zeus is that even if you have a good anti-virus program and keep it up to date, it only reduces your chances of being infected by 23%. It spreads by email and by downloading or activating ActiveX controls on infected websites.

Another security company, Prevx, said in their blog that only a few computers are infected by each variant of this virus, to help prevent it from being detected, and by the time it is detected it has usually done its job.

If you want to search for it, Prevx also says what to look out for, although these names may have changed:

The ZEUS trojan will commonly use names like NTOS.EXE, LD08.EXE, LD12.EXE, PP06.EXE, PP08.EXE, LDnn.EXE and PPnn.EXE etc, so search your PCs for files with names like this. The ZEUS Trojan will typically be between 40 KBytes and 150 KBytes in size.

Also look for a folder with the name WSNPOEM, this is also a common sign of infection for the ZEUS Trojan.

Finally, check the Registry looking for RUN keys referencing any of these names.
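One way to turn those three checks into a scan, as an added example that is neither Prevx's nor the post's own code: it matches file names against the NTOS/LDnn/PPnn pattern, requires the 40-150 KB size band as well so that a merely similar name is not flagged on its own, looks for a WSNPOEM folder component, and checks Run-key values for the same names. The file list and Run-key values are constructed stand-ins for a real directory walk and registry dump.

```python
import re
from dataclasses import dataclass

# Profile quoted from Prevx in the post: NTOS/LDnn/PPnn.EXE, 40-150 KB, WSNPOEM folder, Run keys.
ZEUS_NAME_RE = re.compile(r"(?<![\w.])(?:NTOS|LD\d{2}|PP\d{2})\.EXE(?![\w.])", re.IGNORECASE)
ZEUS_MIN_SIZE, ZEUS_MAX_SIZE = 40 * 1024, 150 * 1024
ZEUS_FOLDER = "WSNPOEM"

@dataclass
class FileEntry:
    path: str   # full Windows path
    size: int   # bytes

def suspicious_file(entry):
    """Name matches the profile AND size sits in the 40-150 KB band (both, to cut false positives)."""
    name = entry.path.replace("/", "\\").rsplit("\\", 1)[-1]
    return bool(ZEUS_NAME_RE.fullmatch(name)) and ZEUS_MIN_SIZE <= entry.size <= ZEUS_MAX_SIZE

def in_suspicious_folder(path):
    """True when any directory component of the path is WSNPOEM."""
    return ZEUS_FOLDER in path.replace("/", "\\").upper().split("\\")[:-1]

def suspicious_run_value(command):
    """Run-key value whose command line references one of the indicator names."""
    return ZEUS_NAME_RE.search(command) is not None

def find_zeus_indicators(files, run_values):
    """files: FileEntry list (e.g. from a directory walk); run_values: {value name: command}."""
    findings = []
    for entry in files:
        if suspicious_file(entry):
            findings.append(("file", entry.path))
        if in_suspicious_folder(entry.path):
            findings.append(("folder", entry.path))
    for name, command in run_values.items():
        if suspicious_run_value(command):
            findings.append(("run-key", name))
    return findings

# Constructed sample data standing in for a real directory walk and Run-key dump.
SAMPLE_FILES = [
    FileEntry(r"C:\WINDOWS\system32\ntos.exe", 61_440),           # name + size match
    FileEntry(r"C:\WINDOWS\system32\wsnpoem\audio.dll", 12_288),  # tell-tale folder
    FileEntry(r"C:\Program Files\Tool\LD08.EXE", 2_097_152),      # name only, far too big
    FileEntry(r"C:\WINDOWS\notepad.exe", 69_120),                 # benign
]
SAMPLE_RUN_VALUES = {
    "Userinit": r"C:\WINDOWS\system32\userinit.exe,",
    "ntos": r"C:\WINDOWS\system32\ntos.exe",
}
```

A hit on any one of the three is a reason to run a full scan with one of the tools listed further down, not proof on its own, since the names were already changing when Prevx wrote this.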

According to BBC News, the latest version, 1.6, can only infect people using Internet Explorer or Firefox, but I would be careful no matter which browser you are using.

The Guardian has also reported that two people were held over this virus, but it continues to be a major problem today, so please watch out and search for the above.

This might sound like a silly question if you have selected automatic updates, but times have changed and Microsoft has introduced a new rule: if Microsoft detects a rootkit virus it will not install any more updates.

Why?

In February Microsoft issued an update that conflicted with a rootkit virus and left a lot of machines unusable, because some operating system files had become incompatible with the kernel.

Microsoft knows that if it were to blindly apply these updates and more computers crashed, people would turn automatic updates off. That would leave a lot more machines with security loopholes in them and a greater chance of being hacked or ending up with a virus; neither is good, and both can get you disconnected if your ISP detects any unusual behaviour from your computer.

Detection and removal

Knowing which programs are genuine and trustworthy is not easy from looking at a website, but below are some that we trust. If you are getting the above problems and have installed one of these but it does not detect anything, then try another, as I have yet to see one that is perfect. The list below are free, but you can also buy the full versions.

  • AVG
  • Avira
  • Malwarebytes
  • F-Secure – Blacklight
  • McAfee
  • Panda
  • Sophos
  • Trend Micro

If you want to pay to get better protection I would also recommend:

  • AVG Internet Security
  • Malwarebytes
  • BitDefender
  • G Data

If possible I would start a scan in Safe Mode using one of the above; this will stop some viruses from starting up and give the programs a better chance of removing them.

Some of you may remember the good old days of dial-up internet access and the perils it brought with viruses. The dreaded dialler virus would disconnect your modem from your ISP and then dial a premium-rate number costing up to, and sometimes over, £1 per minute. By the time you realised what had happened, or you got your phone bill, you quite often had to pay several hundred pounds; after all, dial-up was slow and took a while to do anything online, and if a page had a lot of pictures you had time to make a coffee. These people were clever in that they muted your modem's speaker and did it so quickly that you just thought the web page was taking a bit longer than normal to load.

Well, they are back, but not for your computer: for your new shiny smartphone. Security firms have noticed a rise in the number of Trojans known as diallers. Like their older relatives they dial premium-rate numbers; you then get hit by a large bill and they get some of that money.

Writing on the CA security blog, Akhil Menon said it was seeing "an increasing trend of trojan diallers".

Mr Menon profiled one such virus, called Swapi.B, which sends premium SMS messages.

"The messages sent out are in the typical format to invoke premium services and land the mobile user with heavy mobile bills without the user’s knowledge and consent,"

Mikko Hypponen, head of research at F-Secure, which makes security software for mobiles, said it had seen a "handful" of diallers in recent months.

They were popular because they get round one of the big problems facing anyone wanting to make money out of Windows viruses.  PC malware can’t just directly steal money from your machine; it has to jump through hoops like keylogging your credit card number or sending spam.

However, mobile malware can just instantly steal from you by making premium-rate calls or messages.  Some diallers sent messages or rang many different numbers, including legitimate ones.

The trojan can place calls to, say, 100 different premium-rate numbers, only one of which is his own number.  How would you fight this? Shut down all the numbers, including the innocent ones?

A lot of people still think that you only get viruses by visiting porn sites, but this is not true. I have seen computers being infected from normal-looking sites, and even from legitimate websites which had been hacked into and had malicious code inserted, while the overall look was not altered.

If you want to protect your phone from this type of attack then you will need a mobile anti-virus program. F-Secure makes one, and if you search around you will find others as well.
