Bugs / Virus News (145)
Posted: February 11, 2015 11:51AM
Author: Brentt Moore
VirusTotal, a website that was acquired by Google in 2012 and offers free checking of suspicious files using multiple antivirus engines, has announced an initiative to combat false positives generated by antivirus programs. To do this, the company encourages software developers to share files found within their software catalogue, which VirusTotal then marks accordingly. If a false positive is generated by an antivirus program, VirusTotal contacts the respective antivirus vendor to correct the error. Microsoft has already partnered with VirusTotal to help kick-start this initiative of combatting false positives in antivirus programs, and the partnership thus far has enabled VirusTotal to remedy over 6,000 false positives thanks to the sharing of metadata about software collections.
Source: VirusTotal Blog
Posted: January 26, 2015 02:25PM
Author: Brentt Moore
According to Adrian Ludwig, the Chief of Security for Android at Google, the company has no plans to patch a WebView vulnerability that affects the default Web browser found in Android 4.3 and older. According to Ludwig, the number of devices running affected Android versions is shrinking every day as users upgrade or get new devices. Unfortunately, about 60 percent of all Android users are still using Android 4.3 and older, according to Android usage numbers provided by Google, meaning that over half of all Android users remain vulnerable.
With Google leaving the WebView issue unpatched, Ludwig has recommended that Android users begin to utilize browsers that are unaffected by the vulnerability and that are updated from the Google Play Store, such as Google Chrome and Firefox. Despite the change in browsers, an application may still make use of the WebView API, and as a result, can still pose a risk to smartphones running Android 4.3 and older.
Posted: August 20, 2014 01:44PM
Author: Brentt Moore
It was recently reported that Community Health Systems suffered a data breach, resulting in the loss of patient names, addresses, birthdates, telephone numbers, and Social Security numbers of 4.5 million individuals. Security experts at the time noted that malware was used to attack systems, and while that still seems to be true, it looks like the major security flaw known as Heartbleed is partially to blame for allowing Chinese hackers to circumvent security measures. According to David Kennedy, the founder of TrustedSec LLC, hackers were able to make use of the Heartbleed flaw in order to steal usernames and passwords, which then gave them access to private communications channels within Community Health Systems. Although Kennedy is not involved with the ongoing investigation in any way, he has noted that the information linking Heartbleed to the stolen data comes from three people close to the matter.
If Heartbleed is in fact connected to the data breach that Community Health Systems recently suffered, it will be the first known breach of a company by use of the vulnerability.
Posted: June 23, 2014 05:21PM
Author: Brentt Moore
Although it has been a little over two months since the initial discovery of Heartbleed, which at the time affected around 600,000 systems, it still continues to pose a threat to users worldwide. Robert Graham from Errata Security noted that there are 309,197 servers still vulnerable to the OpenSSL bug, which, if exploited, can leak account login details. What is surprising is that last month around the same number of servers were still vulnerable to the attack, which indicates that people have stopped attempting to patch affected systems. While the number of affected systems will surely decrease over time due to lifecycle replacements, Robert Graham still expects to find thousands of systems still vulnerable even a decade from now.
Source: Errata Security Blog
Posted: April 14, 2014 06:37AM
Author: Brentt Moore
The Heartbleed security flaw, which has been one of the most influential web security issues in recent history, has hindered many websites since its initial revelation. Even though the code was supposedly an accident and not intentional, it has affected a large number of websites that make use of OpenSSL. One network provider that has been hindered by Heartbleed, Akamai, provided a patch to its systems recently that was supposed to address the security flaw entirely. The company has gone back on that claim now as Willem Pinckaers, a security researcher, has uncovered that the patch released by Akamai for its systems only addressed half of Heartbleed. According to Pinckaers, and confirmed by Akamai chief security officer Andy Ellis, the patch that was released for the Akamai network only covered three out of six critical values found in an RSA key.
In order to protect customers following this news, Akamai is rotating SSL certificates that are vulnerable. In the meantime, the company is working on a patch that will address Heartbleed in its entirety, thereby protecting one-third of the Internet's traffic that the network provider processes.
Posted: April 11, 2014 09:22AM
Author: Nick Harezga
The programmer responsible for checking in the code that led to the Heartbleed bug in OpenSSL has described it as an accident, not a malicious activity. The bug was found in an area of the code that pertained to security and was caused by "missing validation on a variable containing a length." The code went through a peer review process and neither the original programmer nor the peer reviewer was able to catch the bug. There is a published list of some sites that have been impacted by the bug, but it would probably be a good idea to change all of your passwords anyway.
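As an added illustration, not OpenSSL's code and not part of the original post: a toy heartbeat-style record handler in C that reproduces the bug class named above, a peer-supplied length copied without being checked against the number of bytes actually received, beside the checked version. The record layout, the `DEMO_SECRET` string and every function name here are constructed for this example and do not match OpenSSL's real record format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout (not OpenSSL's): 1 byte type, 2-byte big-endian
 * declared payload length, payload, then 16 bytes of padding. */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_HDR = 3, HB_PADDING = 16 };

/* Reads the 16-bit declared payload length from the record header. */
static uint16_t declared_len(const uint8_t *rec) {
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* Shared response builder: echoes n bytes from src. Returns bytes written or -1. */
static int emit_response(const uint8_t *src, uint16_t n, uint8_t *out, size_t out_cap) {
    size_t total = HB_HDR + (size_t)n + HB_PADDING;
    if (total > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(n >> 8);
    out[2] = (uint8_t)(n & 0xff);
    memcpy(out + HB_HDR, src, n);           /* reads n bytes from src, whatever n is */
    memset(out + HB_HDR + n, 0, HB_PADDING);
    return (int)total;
}

/* Vulnerable pattern: the peer-supplied length is trusted. rec_len, the number
 * of bytes actually received, is checked only for the header and never against
 * the declared length, so the copy reads past the record into adjacent memory. */
int heartbeat_reply_unchecked(const uint8_t *rec, size_t rec_len,
                              uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HDR || rec[0] != HB_REQUEST) return -1;
    return emit_response(rec + HB_HDR, declared_len(rec), out, out_cap);
}

/* Fixed pattern: the declared payload plus padding must fit inside the
 * received record, otherwise the request is dropped without a reply. */
int heartbeat_reply_checked(const uint8_t *rec, size_t rec_len,
                            uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HDR || rec[0] != HB_REQUEST) return -1;
    uint16_t n = declared_len(rec);
    if ((size_t)HB_HDR + n + HB_PADDING > rec_len) return -1;  /* the missing validation */
    return emit_response(rec + HB_HDR, n, out, out_cap);
}

/* --- constructed demo scenario --- */
#define DEMO_SECRET "constructed-secret-data-that-should-stay-private"

/* Writes a request claiming `claimed` payload bytes but carrying only `actual`,
 * then places DEMO_SECRET immediately after the record in the same buffer,
 * standing in for whatever happens to sit next to a real receive buffer. */
static size_t build_request(uint8_t *buf, size_t cap, uint16_t claimed, size_t actual) {
    size_t rec_len = HB_HDR + actual + HB_PADDING;
    if (rec_len + sizeof DEMO_SECRET > cap) return 0;
    memset(buf, 0, cap);
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(claimed >> 8);
    buf[2] = (uint8_t)(claimed & 0xff);
    memset(buf + HB_HDR, 'A', actual);         /* the bytes the peer really sent */
    memcpy(buf + rec_len, DEMO_SECRET, sizeof DEMO_SECRET);
    return rec_len;
}

/* Binary-safe substring search (the response contains zero bytes). */
static int contains(const uint8_t *hay, size_t hay_len, const char *needle) {
    size_t nl = strlen(needle);
    for (size_t i = 0; i + nl <= hay_len; i++)
        if (memcmp(hay + i, needle, nl) == 0) return 1;
    return 0;
}

/* 1 if the unchecked handler echoes DEMO_SECRET back in its reply. */
int demo_unchecked_leaks(void) {
    uint8_t buf[512], out[512];
    size_t rec_len = build_request(buf, sizeof buf, 128, 4);  /* claims 128, sends 4 */
    int n = heartbeat_reply_unchecked(buf, rec_len, out, sizeof out);
    return n > 0 && contains(out, (size_t)n, DEMO_SECRET);
}

/* 1 if the checked handler refuses the same malformed request. */
int demo_checked_rejects(void) {
    uint8_t buf[512], out[512];
    size_t rec_len = build_request(buf, sizeof buf, 128, 4);
    return heartbeat_reply_checked(buf, rec_len, out, sizeof out) == -1;
}

/* Reply length for an honest request (4 claimed, 4 sent): 3 + 4 + 16 = 23. */
int demo_checked_honest(void) {
    uint8_t buf[512], out[512];
    size_t rec_len = build_request(buf, sizeof buf, 4, 4);
    return heartbeat_reply_checked(buf, rec_len, out, sizeof out);
}

int main(void) {
    printf("unchecked handler leaks adjacent memory: %d\n", demo_unchecked_leaks());
    printf("checked handler rejects the request:     %d\n", demo_checked_rejects());
    printf("checked handler honest reply length:     %d\n", demo_checked_honest());
    return 0;
}
```

The demo keeps the over-read inside one buffer so it is well defined to run; in a real server the bytes copied would come from whatever the allocator placed after the record. The only difference between the two handlers is the single comparison of the declared length against `rec_len`, which is the shape of the validation the article says was missing.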
Posted: April 10, 2014 07:21AM
Earlier this week, news broke about a major security flaw called Heartbleed that affected two thirds of the web, allowing hackers easy access to usernames, passwords, and other seemingly encrypted data through an OpenSSL hole. Sites using OpenSSL have been patching the hole, but very few are actually reaching out to customers to let them know. There's a site to check for Heartbleed vulnerability, but it doesn't tell you if the site you're checking was ever vulnerable, just whether it is or isn't at the time you check. That's where Mashable comes in.
Mashable has compiled a list of some of the major sites, providing the information users need to know:
- Was it affected?
- Is there a patch?
- Do you need to change your password?
- What did they say?
Since the hole has existed for years, despite first being publicly disclosed Monday night, Mashable basically recommends changing the password for any site that was ever affected and patched, even if a site says no data was compromised. If there is a silver lining, the good news is that it appears no major banking or brokerage sites were ever affected, as they all seem to use different encryption and security protocols.
Posted: April 8, 2014 02:20PM
A major vulnerability called Heartbleed was discovered Monday night in the open-source software called OpenSSL, which is widely used to encrypt communications, such as logins. In fact, it's so widely used that the vulnerability affects some of the biggest and most popular sites in the world, including Yahoo, Imgur, OKCupid, and Eventbrite. According to SteamDB.info, even Steam was affected!
The good news is that Yahoo, Imgur, and Steam have already fixed the issue as of a couple hours ago.
Officially called CVE-2014-0160, security firm Codenomicon gave it the more recognizable and memorable name of Heartbleed, which the firm discovered along with Google researcher Neel Mehta. "This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users, and the actual content," Codenomicon said. "This allows attackers to eavesdrop communications, steal data directly from the services and users, and to impersonate services and users."
There is some conflicting information as to just how much information can be obtained, with Codenomicon saying it was able to steal "the secret keys used for [...] X.509 certificates" in its tests, but Google security expert Adam Langley claiming that his testing didn't reveal information as sensitive as secret keys. Langley was one of the experts who helped close the OpenSSL hole – a fix which can be implemented by sites using OpenSSL to block Heartbleed, and presumably what Yahoo, Imgur, and Steam used. There is nothing a user can do on their end, other than not using affected sites until the hole is patched.
If you're concerned about entering your sensitive information on a site that you suspect uses OpenSSL, developer and cryptography consultant Filippo Valsorda published a tool that allows people to check sites for Heartbleed vulnerability. Unfortunately, the site's servers are under such heavy load by people constantly checking that it often gives a timeout.
While the SteamDB.info Twitter account advises Steam users to change their passwords and "deauthorize computers" (essentially resetting Steam Guard without ever turning it off), it's important to note that SteamDB.info has absolutely no affiliation with Valve, so it's probably best to wait for an official statement. Since Valve is supposedly resetting all its certificates, it would make sense to change passwords after the new certificates are issued anyway so that there's a new key. SteamDB.info supplied instructions on how to reset Steam Guard since it seemed to cause confusion among many users.
Posted: January 4, 2014 06:46AM
Author: Brentt Moore
Previously a Trojan that relied on user interaction to spread the ransomware and infect a user's computer, CryptoLocker has morphed into a new worm variant. Researchers at Trend Micro have found that CryptoLocker can now spread from computer to computer by way of a USB drive or by being downloaded from unsafe sites such as P2P file sharing websites. When an infected USB drive is plugged in, the ransomware spreads to files on the computer the drive is attached to and even looks for other computers on the network to infect, if one is connected. The ransomware can also spread by posing as a fake activator for software such as Adobe Photoshop and Microsoft Office, which are commonly shared on P2P websites. CryptoLocker encrypts various files on a computer system and makes users pay a ransom to unlock them. Since the affected files are encrypted, removing the malware does not bring the files back, and one of the only ways to remove the ransomware at this time is a complete system format.
Trend Micro is advising users to keep away from P2P file sharing sites used to obtain illegal copies of software. Additionally, Trend Micro is cautioning against the use of USB drives, especially those of unknown origin.
Source: PC Magazine
Posted: January 11, 2013 03:29PM
An exploit named Mal/JavaJar-B has been reported. The malware exploits a vulnerability in Java 7 that is already being used against systems and distributed among hackers, but has not yet been patched. The malware allows hackers to run code remotely on infected machines running Windows, Linux, and Unix, although Mac OS X remains safe as of now. The U.S. Department of Defense has advised users to disable Java on any systems running the software.
Users with the software installed can easily disable the software from running in the browser through unchecking 'Enable Java content in the browser' under 'Security' in the Java Control Panel. Java has recently played victim to a number of exploits that have used its broad implementation for more sinister purposes. Despite this, Java also provides a great platform for small developers to deploy their software, and has played host to many well-known titles such as Minecraft.
Posted: December 12, 2012 09:10PM
Security vulnerabilities of any kind are never a good thing, and today's revelation is certainly one to be wary of. Analysis company Spider.io has identified a vulnerability in Internet Explorer 6 through 10 that allows mouse movements to be tracked, even if the browser is minimized or inactive. A particularly bad part of this vulnerability is that it even tracks movement across virtual keyboards and keypads, like you'd find on touchscreen devices. Spider.io says it's "already being exploited by at least two display ad analytics companies across billions of page impressions per month," which isn't the best thing anyone wants to hear. An attacker can purchase an ad on any website to gain access, even on sites like YouTube, and then track your mouse movements so long as the page with the ad is open.
Spider.io submitted the vulnerability report to Microsoft at the beginning of October, but the company said there are no "immediate" plans to patch it. Hopefully soon there is a resolution for it to make the browser safe once again.
Posted: November 9, 2012 05:12PM
Posted: August 16, 2012 01:59PM
Author: Nick Harezga
Google will be offering up to $2 million in prizes for the Pwnium 2 contest at the Hack In The Box security conference in Malaysia on October 10. This represents a doubling of the $1 million prize pool from last year, of which only $120,000 was claimed. A prize of $50,000 will be awarded for exploits that take advantage of code that runs natively on Chrome, while $40,000 will be offered for "non-Chrome exploits." Google is already one of a handful of companies that offer bounties to researchers who report security bugs, with up to $10,000 being given out for severe bugs.
Posted: July 25, 2012 09:30AM
Stuxnet, Duqu, and Flame are all pieces of malware which have been covered by the larger news outlets for their apparent design to target and damage Iranian nuclear facilities. After investigation by security researchers it has been determined that Stuxnet and Duqu are directly related, while Flame is more indirectly related. Now a new piece of malware has struck some of these facilities, but it probably isn't connected to the three before it.
The report of the new malware comes from a Finnish computer security firm, which claims a scientist at the Atomic Energy Organization of Iran had contacted them about their systems being infiltrated again. The malware was able to shut down the automation network at two facilities, but it did a little more than just this sabotage, and that bit more is why it is less likely to be related to the malware described above.
Supposedly several workstations were on in the middle of the night at these facilities blaring what the scientist believes is Thunderstruck by AC/DC. As the three previous pieces of malware operated more secretly, this attack is more likely from a thrill-seeking hacker. Until the story is officially confirmed and analysts can examine the malware, we cannot be sure.
Posted: May 29, 2012 09:19AM
Normally the discovery of a computer virus is not big enough news to warrant coverage by large media outlets, but in the past few years there have been some too important not to cover. First it was Stuxnet, a Trojan of uncertain origin that attacked the nuclear facilities in Iran and destroyed equipment there. Another Trojan named Duqu was found later, and it shows a higher level of complexity than Stuxnet, though many believe the two are related. Unlike Stuxnet though, Duqu has not been activated yet, so no one knows what its purpose is, except for those who wrote it. Now another virus has been found and it, like its predecessors, has been found attacking targets in Iran and the Middle East.
As researchers at Kaspersky Lab analyzed Duqu they found it had some coding in it that they were not familiar with. After asking for help from the Internet the solution was found, and it indicated that whoever made the malware is very experienced with programming. This new virus, named Flame, surpasses both Stuxnet and Duqu in complexity and size.
Most computer viruses are small, making it easy for them to go undetected. Duqu and Stuxnet at 500 KB were heavyweights, but Flame comes in at an astounding 20 MB, with one module alone 6 MB in size. Considering the large scope of what Flame can do, this is not entirely surprising. The virus is not only capable of stealing your passwords as it records keystrokes, but it can also activate and record voices with a computer's microphone, take screenshots, monitor network traffic, and communicate with Bluetooth devices.
This level of complexity has led every research group that has analyzed it to the same conclusion about Flame's origin. The virus was likely written by a nation-state because the level of expertise required for this piece of malware would necessitate a large budget. Also, as English text was found in the code, the researchers believe it was created by native English speakers. Both Duqu and Stuxnet are alleged to have been made by nation-states, but it has not been conclusively proven.
Posted: May 1, 2012 04:33PM
Author: Nick Harezga
According to Symantec, the group behind the Mac Flashback malware was making roughly $10,000 per day through the use of the botnet created by the malware. The botnet had spread to nearly 700,000 computers at its peak, and those computers were generating revenue for those in control of the system. The Mac Flashback exploit was loaded into Chrome, Firefox, and Safari and targeted searches done through Google. The malware allowed the search to be hijacked and redirected to a different page, depriving Google of the ad revenue and instead putting it into the pockets of the hackers. Symantec also noted that Apple had a particularly slow response time in fixing the exploit, waiting nearly two months after the fix had been issued by Oracle to release it to users.
Posted: March 20, 2012 11:42AM
There are reasons some pieces of computer malware are called viruses, just like influenza and HIV which infect humans. Both biological and computer viruses attack vulnerabilities in whatever they infect and most are then designed to spread, sometimes with mutations. These similarities have security researchers intrigued, such as those at Fortinet’s Threat Research and Response Center.
Though biological viruses are considerably simpler than some computer viruses, which can be encrypted and use anti-debugging techniques, they still have tricks of their own that virus programmers are using as well. For example, HIV targets and attacks the human immune system, making it difficult to defend against HIV and other viruses, and once AIDS develops the immune system is essentially destroyed. Several computer viruses will likewise disable antivirus programs and open a hole for themselves in the firewall, making it impossible to defend the compromised machine from further attacks.
Hackers learning from biological viruses are not the only concern, though: there are electronic prosthetics to consider, and it may be possible to encode a computer virus into DNA. Electronic implants do not always need to connect to an external computer, but occasionally they do, and when this happens they are open to attacks. Also, the systems that sequence and store DNA could be vulnerable to a creative attack that encodes a virus into a piece of DNA. It would be like visiting a compromised website and having a piece of malware downloaded and installed while you are there. If a virus were actually written for human biology, though, the effects could be quite destructive, as our immune systems would have no guaranteed way to protect against the attack, and we do not have restore points.
Posted: March 20, 2012 07:55AM
Not very long ago the security researchers at Kaspersky Labs found some code in the Duqu virus they were not familiar with. To solve the mystery they crowd-sourced it by posting the code on their Secure List blog and the Internet succeeded.
Among the suggested languages was Object Oriented C, or OO C, and that a version of the Microsoft Visual C++ compiler (MSVC) was used. The use of MSVC was spotted because of certain instructions in the code that are not typical of other compilers. This got the Kaspersky team working with the software, and eventually they found that MSVC 2008 with the minimize size (/O1) and expand only __inline (/Ob1) options produced code similar to Duqu.
This proves that some form of OO C was used, but oddly the closest match was not published until after Duqu was released. This finding also sheds some light on the programmers of Duqu. The way code is written has been changing ever since programming began, and OO C relies on an older practice of doing by hand what a language like C++ does automatically. With many modern languages, if not all, memory allocation is handled automatically, while in OO C it has to be done manually. Some programmers prefer OO C for this reason, as they do not trust all of the features of newer languages. There was also a time when different C++ compilers would give different results, while OO C behaved consistently across systems.
Regardless of the reasons behind the use of OO C, this shows a great deal of skill and experience in the making of Duqu. As described in the Kaspersky blog post, "Duqu, just like Stuxnet, is a "one of a kind" piece of malware which stands out like a gem from the large mass of “dumb” malicious program we normally see."
Posted: March 12, 2012 09:48AM
Some of you may recall from the past two years news about some malware that had apparently targeted Iranian nuclear enrichment centers. The Stuxnet worm destroyed 400 centrifuges, which are critical to enriching uranium, and later the Duqu trojan was found. Duqu’s purpose is not yet known as it has not been activated yet, but it could potentially steal, corrupt, or run certain files.
While analyzing the code, security researchers at Kaspersky Labs have found some mysterious code. It does not conform to any programming language the researchers have compared it to, such as C++, Objective C, Java, Python, Ada, and Lua. Some crowd-sourced suggestions are that the language is related to LISP, a programming language for AI, or a version of C++ for old IBM systems.
Needless to say, this use of an unknown programming language has security analysts concerned. If more malware starts using unique languages like this, it will become much harder to dissect them and discover their origins. As it is, no one is sure about where either Stuxnet or Duqu came from, though many believe they are related and were even made by the US National Security Agency or the Israeli Mossad intelligence agency. However, Stuxnet had no unusual code like this, so perhaps the two pieces of malware are not related.
Posted: March 5, 2012 07:42AM
Apparently there is no honor among thieves and hackers. Some of you may remember that after the site Megaupload was taken down, the hacker group Anonymous decided to attack other websites, such as the U.S. Department of Justice, in retaliation. To hit the sites even harder, instructions and software for joining in the distributed denial-of-service (DDoS) attacks were posted online. Well, it turns out that whichever Anonymous member posted the information was interested in hurting more than the DoJ.
Zeus is a piece of malware meant to enslave its host computer and steal data, and was contained in the Slowloris DDoS software. According to Symantec, the computers in the voluntary Anonymous botnet were compromised, and information, such as banking details, was sent to someone.
I am not sure if "ironic" is descriptive enough.
Posted: February 15, 2012 01:55PM
In the wake of the discovery that an iOS app was collecting and transmitting contact information without permission, Forbes magazine has put together an article on a University of California at Santa Barbara report (pdf) from last year. At the time researchers found that roughly one fifth of free apps available from the iOS App Store were collecting private information, while apps available through the Cydia market for jailbroken iOS devices were collecting the same information only 4% of the time.
What the researchers considered private information included the Unique Device Identifier (UDID), location information, address book, phone number, Safari history, and photos. Of the 825 free apps tested from the App Store, 170 (21%) collected the UDID, 35 (4%) collected location information, 4 (0.5%) accessed the address book, and only 1 (0.1%) grabbed the phone number. Of the 526 from the Cydia market though, only 25 (4%) took the UDID, 1 (0.2%) got the location, 1 got the address book, 1 got the Safari history, and 1 took photos. It is worth noting though that the one Cydia app that captured location information, and also contact information, was designed for this and is called MobileSpy.
Remember, every app available through the Apple App Store is first approved by Apple. The Cydia market, however, does not have such strict rules on what can be downloaded from it. However, it does have a clientele of privacy-aware people and developers. After the revelation that Path, an iOS app, was collecting and uploading contact information to the developer’s servers, a developer made and released ContactPrivacy to Cydia, which allows a user to deny apps from uploading contact information. Another app, PrivaCy, was developed to prevent any specific app from uploading usage statistics.
Apple will, of course, start taking longer looks at apps it is sent, in light of the Path scandal, but until then, consider carefully what you install. Also, jailbreaking is not necessarily a better way to stay secure, but it is likely worth remembering what it offers you.
Posted: February 9, 2012 11:30AM
About a month after source code for the Norton 2006 antivirus software was released by hackers, source code for Symantec’s pcAnywhere software has been published. As this software is currently in use, the danger of exploitation is far greater. However, the sequence of events has allowed Symantec to prepare, at least partially, for this.
Starting on January 18, a hacker claiming to have the source code started negotiations with Symantec. The email thread of the negotiations has been posted online for everyone to see, which is, supposedly, what the hacker wanted. YamaTough, the hacker, has stated he never intended to accept any payment from Symantec and was going to post the source code regardless. The negotiations were just to embarrass the company by showing what it would do to protect itself. However, YamaTough actually was not in communication with Symantec, but law enforcement.
As the negotiations were taking place, Symantec used the time to patch the software as best it could, to make the code dump as useless as possible. Despite the company’s efforts though, these two recent hacks are surely going to hurt it.
Posted: January 9, 2012 08:28AM
For those of you using Norton Antivirus software, this is not the news you want to hear, though it is not as bad as it could be. Symantec has confirmed some of the source code for Norton has been found by a group of hackers, and posted online. The code has since been removed from where it was posted, though it can still be found via other means. Also, Symantec has stated the code is related to two older versions of Norton, one of which is no longer sold.
The fear is a hacker using this information to craft a virus to defeat or even exploit the antivirus. Knowing how the software identifies malicious processes can allow one to work around it, but hopefully everyone is using an unaffected version. However, the potential damage this code can cause is something only Symantec can know.
The hackers are from India and call themselves The Lords of Dharmaraja. Symantec has stated the code was not taken from its own systems but from a third party. Supposedly the source was Indian military intelligence servers, according to the hackers.
Posted: January 6, 2012 11:01AM
As overclockers we are quite aware of the utility of the BIOS. It starts before the operating system, so changes made in it are independent of the software on the hard drive. This not only makes it powerful when trying to get the most out of a machine, but also makes it a potential target to hackers and virus writers.
This past September, Mebromi was found; the first known piece of malware made to infect the BIOS. Fortunately a method to remove this Trojan has been created, but it does still show it is possible to attack this fundamental component of a computer.
NIST has released a draft of its security publication on how to secure and monitor the BIOS. This should lead to the development of products to maintain the integrity of a computer’s BIOS as well as methods to deploy them.
Posted: December 16, 2011 07:07AM
Instead of this post being a 'Viral Update' I’m making it a 'Security Update' because the focus is going to be less about viruses than previous updates.
A key part of the Internet is the Domain Name System, DNS, which converts a domain name, like overclockersclub.com, into an IP address, 220.127.116.11. It is like a phone book telling you where a company's building is by looking up its name. The content on a site is not always at a single IP address, though. Continuing the phone-book analogy, the company warehouse could be in another city, but you don't necessarily see that from the phone book. This presents opportunities for hackers to intercept communications between a user and a server.
Since 2004, though, a part of the Department of Homeland Security and its partners have been working on the Domain Name System Security Extensions (DNSSEC) project, which identifies and validates these other servers. Already many registrars have adopted DNSSEC, and US military .mil sites are to be DNSSEC signed starting this month.
As a complement to DNSSEC, OpenDNS, a leader in DNS security measures, has released its new DNSCrypt service as a "technology preview." Currently only available for Macs, this software encrypts all of your DNS traffic, to prevent anyone from tampering with or otherwise intercepting communication between your computer and an OpenDNS server (obviously you will need to use its service to use the tool). This so-called "last mile" is quite vulnerable to man-in-the-middle attacks, especially as the information is sent in plain text, but both DNSSEC and DNSCrypt are steps towards securing it.
Posted: December 1, 2011 11:25AM
Focusing on smartphones in this update, and because of the information available today, I felt like posting this a day early.
The CarrierIQ issue was first found mid-November, but it is getting some new life in the media this week. This piece of mobile-phone software exists on many smartphones of different brands and operating systems (Android, iOS, and Blackberry) and, on the surface, doesn’t seem too bad. It collects some metrics to give your service provider, so they can improve their service. Of course, what’s above and below the surface are very different. This software, which can be hidden from the user and difficult to remove, can collect keystrokes, location data, apps being used, and web addresses visited.
On some phones the software can be turned off, but not all, and on Android phones, manually removing the software can require root access. The software developer states they do not collect information except for what directly relates to improving handset performance and quality. Still, the abilities this software has would likely be tempting to many malware writers. (A search of CarrierIQ gives many sources of further information.)
Also, from North Carolina State University comes a security analysis of multiple Android-based smartphones. Specifically, the researchers looked at how pre-loaded apps can introduce backdoors on the phone that hackers can make use of. These applications are meant to improve the user experience, such as by notifying a user of missed calls or text messages. The researchers found the vanilla Android phones had "no real problems," but HTC’s Legend, EVO 4G, Wildfire S, Motorola’s Droid X, and Samsung’s Epic 4G were not so lucky. Of those, the EVO 4G had the most vulnerabilities.
This was discovered earlier in the year and the manufacturers were notified immediately. For these phones, the best way to stay safe is to install the security patches they get and only install apps you trust.
Posted: November 18, 2011 10:18AM
Previously discussed in the November 4th Viral Update item, the Duqu Trojan is back again. When Symantec first analyzed the malware, they had found similarities in it to the Stuxnet Trojan, leading them to believe they were both written by the same people. Stuxnet had the potential to damage a nation’s infrastructure, and also appeared to target Iran’s nuclear facility. Iran has come out to say Duqu has hit its computers but also that it is deploying a fix.
From Kaspersky Labs comes some more information about Duqu, including an intriguing timeline. Part of the code found on some infected machines relates to a driver from 2007, suggesting Duqu has possibly been in development for years. Another analysis of an infected machine turned up code relating to a 2008 driver. What's more, Kaspersky Labs has found that parts of the Trojan are actually written specifically for their target. This adaptation also includes different servers being contacted by different versions of the Trojan, making it harder to stop.
In other malware news, since July there has been a 472% increase in malware for the Android mobile operating system. Of the malware attacks though, only 7.2% occur in the US, far behind China at 64%. These attacks can come in the form of malicious apps and sites that exploit code used specifically in mobile software. So, as always, exercise caution with what you open and install.
After four weeks of these news posts, tell us what you think. Should these weekly updates continue, or should an "as-needed" approach be adopted?
Posted: November 11, 2011 12:24PM
Obviously the biggest news in computer security this past week is the hacking of Steam. Right now the best thing for users to do is change their Steam password, and once the Steam forums are back up, set a new one there too. Also, monitor your credit card statements if you had that information stored in Steam.
From McAfee's Threat Activity page we find numerous new Trojans, all considered low-level threats. Many of these are password stealers but are still considered low-level threats, likely because they are easy to avoid.
Always be careful about what websites you visit, which email attachments you open, and which networks you connect to.
Posted: November 4, 2011 04:07PM
For the second viral update we will be focusing on the Duqu Trojan. An installer for the malware was found by Hungarian research firm CrySys and has been analyzed by Symantec. A computer can be infected by a Microsoft Word document that exploits a kernel vulnerability. Once infected, a computer will attempt to spread the virus throughout its network, including to computers without a direct Internet connection. Duqu seems to be targeting corporations and is stealing information, possibly to create another Stuxnet-like worm. This speculation and several similarities in the code of Duqu and Stuxnet lead the Symantec researchers to believe both pieces of malware were written by the same people.
Microsoft has been made aware of the virus and will issue a patch as soon as it can. The server Duqu appeared to be contacting has also been taken offline. As there is no work-around or removal strategy for this virus yet, the best strategy is diligence and not opening files from unknown sources.
Most other viruses found recently are less worrying and of low risk.
Posted: October 28, 2011 03:25PM
This is the first in what will possibly become a regular series of posts giving information on newly found viruses, trojans, and malware in general. The current sources of information are McAfee’s Virus Information site, Trend Micro’s Threat Encyclopedia, and Avast’s Summary of Virus Reports. Feel free to post comments giving additional sources, what you think of this new feature, and if we should continue to do it.
From all sources, the newly found threats have a low risk level. However, even though much of the malware alone is not a danger, it is designed to let others collect private information from an infected computer or download other malware, which may cause further damage. Of course, not all of the malware discovered can be listed here, as there is too much of it.
The W32/Sality virus for Windows was found and added to McAfee's Virus Information site on October 20, and, according to Avast's virus reports, has already been detected on over 3% of the machines scanned. This virus is likely to modify Windows' security settings, prevent access to Task Manager, and prevent access to the Registry Editor. It also appears to rewrite processes in memory and connect to an external domain.
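Two of the symptoms listed above (Task Manager and Registry Editor being blocked) are normally produced by Windows policy values, so an administrator can check for them directly. The script below is an added example and not code from this site or from any antivirus vendor; it assumes the standard DisableTaskMgr and DisableRegistryTools policy values are the settings involved, since the post does not name which settings the virus changes, and a non-zero value on a machine where no administrator deliberately set that policy is worth a closer look.

```powershell
# Added example: report the two Windows policy values that, when set,
# lock users out of Task Manager and the Registry Editor.
# Assumption: the post does not say which settings W32/Sality modifies;
# these are the standard values that produce the symptoms it describes.
function Get-ToolLockoutStatus {
    [CmdletBinding()]
    param(
        [string[]]$PolicyPaths = @(
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
        )
    )

    # DisableTaskMgr = 1 blocks Task Manager; DisableRegistryTools = 1 or 2
    # blocks regedit (2 also blocks silent .reg imports).
    $valueNames = @('DisableTaskMgr', 'DisableRegistryTools')

    foreach ($path in $PolicyPaths) {
        foreach ($name in $valueNames) {
            $value = $null
            if (Test-Path -Path $path) {
                $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
                if ($null -ne $item) { $value = $item.$name }
            }
            [pscustomobject]@{
                Hive       = $path
                Setting    = $name
                Value      = $value
                Suspicious = ($null -ne $value -and $value -ge 1)
            }
        }
    }
}

# Print a table; rows with Suspicious = True deserve follow-up
# (compare against any Group Policy the organisation actually deploys).
Get-ToolLockoutStatus | Format-Table -AutoSize
```

Run it from a normal PowerShell prompt; reading these keys needs no elevation, and a result of `Suspicious = True` is only a lead, not proof of infection, because legitimate Group Policy sets the same values.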
Trend Micro’s encyclopedia lists TROJ_SHADOW.AF found on the 19th. While the risk rating and distribution potential are both low, the potential damage is high as it appears to attack antivirus programs to patch the data with malware code. It also uses specific APIs to collect system information and may be related to the STUXNET malware. The Trojan TROJ_DUQU.DEC also listed on Trend Micro’s encyclopedia is similar in its damage potential and relation to STUXNET, but was found on the 21st.