Conficker Continues

The BBC has an article on Conficker, the virus that everyone seemed to think passed us by on April 1st.

The Conficker worm has started to update infected machines with a mystery package of data.

Computer security firms watching the malicious program noticed that it sprang into life late on 8 April.

The activity on its update system delivered encrypted software to compromised machines. It is not yet clear what the payload contains.

The Conficker virus variants are thought to be present on millions of PCs around the world.

Spam connection

The updating activity has begun about a week later than expected. Analysis of the “C” variant of Conficker (aka Downadup) revealed that its updating mechanism was due to go live on 1 April.

The belated updates were spotted by researchers for Trend Micro following the arrival of a new file in one of the directories in so-called “honeypot” machines deliberately seeded with Conficker C.

Analysis showed that the file had arrived via the peer-to-peer file transfer system that infected machines use to communicate.

In a bid to avoid alerting people to its activity, the update is slowly being trickled across the population of machines harbouring the C variant. Exact figures for the number of Conficker-infected machines are hard to determine, but the minimum is widely believed to be three million.

“The Conficker/Downad P2P communications is now running in full swing,” wrote Ivan Macalintal from Trend Research on the company’s security blog.

Once it arrives on a machine, the package of data randomly checks one of five different websites – MySpace, MSN, eBay, CNN and AOL – to ensure its host still has net access and to confirm the current time and date.

Following this check the data package removes all traces of its installation.

The strong encryption on the payload has, so far, prevented detailed analysis of what it actually does. However, security experts speculate that it is a “rootkit” that will bury itself deep in Windows in order to steal saleable data such as bank website login details.

Security researchers are continuing to analyse the payload to get a better idea of what it is intended to do.

Symantec said it too had noticed the increased activity of Conficker and its analysis suggested a link with another well-known virus called Waledac. This malicious program steals sensitive data, turns PCs into spam relays and opens up a backdoor so the machine can be controlled remotely.

The security firm noticed that the update also included an instruction to the worm to remove itself on 3 May, 2009. However, the Waledac-imposed backdoor on the machine will remain open, so its creators can still control compromised PCs.

Malicious Software Removal Tool (MSRT)

Microsoft recently reported that their Malicious Software Removal Tool (MSRT), which was included in Windows Updates on December 9, 2008, has now removed over 400,000 copies of the nefarious “Antivirus 2009”.

An Arlington, VA client was recently infected by that Antivirus 2009 malware. It has been the most pernicious malware that I have seen recently, as most users can be tricked into installing it. Many fake sites exist that you might find during a normal web search. The sites appear to be a standard Windows Control Panel page which pretends to search for and find viruses. If you click “Ok” or “Remove All” you will be infected.

It will eventually take away all administrative rights from you and ask for your credit card to update and remove the viruses. Of course, it never removes anything, but instead gives your credit card info to the bad guys to use as they wish. Your computer is also a zombie ready to do whatever they ask of it.

The problem is that the dialog boxes and alerts look just like legitimate ones that might appear from Microsoft. See the fake Antivirus 2009 alert above.

I mentioned another variant of this malware called Antivirus XP 2008 in an earlier post.

While there are other tools you could use, Microsoft’s Malicious Software Removal Tool (MSRT) is a real solution that will remove this malware and protect the computer from it. It is available as a critical update from Microsoft.

It is not always apparent how to run Microsoft’s Malicious Software Removal Tool (MSRT). If you have it installed, you can just go to Start – Run and then type mrt.

Russian Gang Hijacking PCs

This NY Times article talks about how a gang in a Russian town is using Microsoft administrative tools to infect private and government computers. A few excerpts:

The gang was identified publicly in May by Joe Stewart, director of malware research at SecureWorks, a computer security firm in Atlanta. Mr. Stewart, who has determined that the gang is based in Russia, was able to locate a central program controlling as many as 100,000 infected computers across the Internet.

The system infects PCs with a program known as Coreflood that records keystrokes and steals other information.

“The great thing about this system is that from one computer it is possible to push out updates to all machines in a corporate network at once,” Mr. Stewart said. “This is a useful tool that Microsoft has provided. However, the bad guys said, ‘We’ll just use it to roll out our Trojan to every machine in the network.’ ”

The gang then uses the passwords to access your bank account and transfer out money. Scary stuff.

This only affects Microsoft operating systems, so Macs are safe. In order to protect PCs, I suggest using:

  • hardware firewall (included in routers)
  • Windows Vista or XP with Service Pack 3 (latest)
  • Anti-virus software such as AVG Free or Avast

If you get infected by something like this Coreflood virus, you should do a complete re-install of your system.

Operating System re-installs for virus-ridden computers

Infections Beyond Repair

Most people say that once a machine is infected with a virus, there is no practical way to know for sure if it is ever truly safe. You could take out the drive, attach it to a Linux machine for scans, and run all the latest tools. But this doesn’t guarantee success.

Think of it as an arms race between the virus writers and the anti-virus writers. Many viruses re-write parts of the Windows operating system. They are written specifically to sneak past popular anti-virus software, namely Norton and McAfee.

The solution, especially for machines with nasty viruses, is a clean install of the operating system. This can’t be done from within Windows. The important data should be backed up, the drive formatted, and a clean install performed.

Before the old data is put back on the computer, it too should be scanned. Even documents can contain little programs (Macros) that could contain viruses.
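One way to triage backed-up documents before restoring them, as an added example that is not part of the original post: Office Open XML files (.docx, .xlsm and similar) are zip archives, and a VBA macro project lives inside them as a part named vbaProject.bin, so the archive can be inspected directly regardless of the file extension. The directory layout, the sample files and the legacy-format handling by extension are assumptions for this demonstration.

```python
import io
import os
import zipfile

# Office Open XML containers: macros are stored as a vbaProject.bin part.
OOXML_EXT = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm", ".dotm", ".xltm"}
# Legacy binary OLE formats: flag them for a full anti-virus scan instead.
LEGACY_EXT = {".doc", ".xls", ".ppt", ".dot"}

def ooxml_has_macros(data: bytes) -> bool:
    """Return True if the OOXML archive embeds a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False  # not a valid OOXML container; treat as needing a normal AV scan

def classify_file(path: str, data: bytes) -> str:
    """Classify one backed-up document as 'macro', 'legacy' or 'clean'."""
    ext = os.path.splitext(path)[1].lower()
    if ext in OOXML_EXT:
        # The check looks inside the zip, so a .docx renamed from .docm is still caught.
        return "macro" if ooxml_has_macros(data) else "clean"
    if ext in LEGACY_EXT:
        return "legacy"
    return "clean"

def scan_backup(files: dict) -> dict:
    """Map each path in a {path: bytes} backup set (constructed here) to its verdict."""
    return {p: classify_file(p, d) for p, d in files.items()}

def make_ooxml(with_vba: bool) -> bytes:
    """Build a minimal constructed OOXML-style zip for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # OLE magic, constructed
    return buf.getvalue()

if __name__ == "__main__":
    sample = {
        "backup/report.docm": make_ooxml(True),
        "backup/letter.docx": make_ooxml(False),
        "backup/old_budget.xls": b"\xd0\xcf\x11\xe0",
    }
    for path, verdict in scan_backup(sample).items():
        print(f"{verdict:7} {path}")
```

Files reported as "macro" or "legacy" should go through the anti-virus scan the post recommends before they are copied back onto the rebuilt machine.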

Client Story

A recent client in Virginia had a computer that was badly infected. After the computer booted up, supposed anti-virus software popped up indicating that there were viruses. This was certainly true, but the anti-virus software was bogus. It just asked for his credit card info to fix the problems. If he had provided his credit card, I am sure that the virus would not have been removed. He would have probably just gotten many unauthorized charges.

His computer was no longer his. He had no administrator privileges. He had no “My Computer”, no CD drive, and no task manager. His system tray in the bottom right corner only had the words “VIRUS ALERT!”.

Without much hope, I initially tried Avast! 4 Home Edition on Windows. One feature that Avast has over the previously mentioned AVG is the ability to scan the system before booting into Windows.

Unfortunately, much of the operating system had been modified, so Avast could not fix it. I removed the drive, placed it in a Linux machine, backed up and scanned the important files, and then ran Darik’s Boot and Nuke to wipe the drive.

The desktop was an HP that did not come with a restore disk, so we had to purchase another copy of Windows to install.

I told the customer how many viruses use social engineering to work. Messages appear in an email or browser pop-up window, and they appear legitimate, so users click on them. He asked me how to tell the real pop-ups from the fake ones. Without computer experience, it is very difficult to know.

Windows Vista has made this worse. By constantly asking people to approve even small tasks, it conditions people to just click “Okay” for everything.

His computer is now up and running again. It is behind a router with a firewall and has the Firefox web browser and Avast anti-virus. Hopefully that will keep him safe from viruses and malware. At least he can rest assured that his machine is not currently hijacked after a clean operating system install.

Anti-virus Software

If you are running Windows, you should have anti-virus software. One of the best is free for personal use. It is:
AVG Anti-virus Free Edition

It includes free anti-virus updates and does a great job of finding and stopping viruses.

The only downside to AVG is that every year or so AVG comes out with an update that requires a fresh install of the new version. And on the website, you need to look for the free version. AVG does push their paid version.

When installing, you don’t need to install their browser plug-in which can needlessly slow things down. Instead, for safety, you should use Firefox when browsing the Internet.

Compared to standard anti-virus software from Norton and McAfee, AVG both does a better job of finding viruses and is less resource-hungry, in my opinion. Often I will find a system that is completely bogged down, not by viruses but by Norton’s ridiculously large Internet Security Suite of software.