Archive for the 'Computer Security' Category

Why your antivirus can’t stop the bugs

Recently we saw one of our clients’ business computers become unstable and sluggish. A top-rated antivirus program was installed, but we found a lot of bugs, some embedded in system areas of Windows 7. We see plenty of malware on systems protected by antivirus from all the big vendors, but what makes this case interesting is that this computer does not go on the internet other than the intranet and line-of-business (LOB) applications into a corporate system.

Our research pointed to a recent download of a free zip archiving program called jzip. The download was packed with potentially unwanted programs, a trojan, and programs identified as spyware.

We sought to identify the source of the packaged-up download and started at Google with the search term “download jzip”. Various websites offered a free download of the tool, including the popular download.com. First, we set up a sandbox inside Windows 7 to contain any threat and stop it from interacting with the system, program data and files outside of the sandbox. Running the same antivirus as our client, we downloaded the jzip program from various sources. Some direct links to jzip were malware free, others were not. The download from download.com was one of the worst.

[Image: download.com]

Inside the sandbox we had set up earlier we could see a range of installations going on: it wasn’t just jzip trying to install, but a string of risky programs and bugs. Because we were in the safety of the sandbox we were able to terminate the processes easily. We took the jzip.exe file we had downloaded from download.com over to www.virustotal.com to run a multi-engine analysis of the file. Here is a snippet of what was found packed into that small file.

[Image: VirusTotal analysis results]

Most antivirus programs did not detect any of the threats embedded in the jzip file, or only partially detected them. Bitdefender, rated by av-comparatives.org as having the highest detection rates in 2013, failed to prevent any of the risks in the jzip download.com file on our test machine. The standard method of detection is based on signatures of known and categorised badware, and this method is failing. The old technology is failing. As Dave DeWalt, the CEO of McAfee before McAfee was bought by Intel, was quoted in a New York Times article, “Antivirus products are not working right now. Companies are spending tens of billions of dollars of their money on a model that doesn’t work.”

People steal our money online and get away with it; law enforcement is failing. Malware hijacks our browsers with incredible ease. Millions of computers are infected with botnets, trojans, rogue malware, zero-day malware and spyware, and the end user is often not aware of the infection other than the warning signs of degraded performance. Even the people downloading smiley faces from firms like FunWebProducts (and its many other aliases) are unknowingly installing virus-like self-replicating bugs which in this case tend to break network connections, and have done so for over a decade.

People put too much trust in their antivirus programs.

Because people generally associate big brand names like McAfee, Trend Micro and Symantec (Norton) with paying for something that works, these expensive programs get away with not doing what they are being paid to do every time a scan returns a “no threats detected” message. Malicious and dangerous programs like botnets, backdoor trojans, keyloggers and spyware are often happily coexisting alongside top brand-name, fully functional virus protection programs which are oblivious to the threats. Businesses and consumers will continue to buy antivirus that doesn’t work. It’s like the suspension of disbelief we see in movies: we sort of know our AV isn’t working, but we continue to renew (read Michele Chubirka’s article Security Snake Oil for Sale at Network Computing).

Computing resources are being spent on programs that consistently fail to stop even rudimentary rogueware, such as rogue antivirus or the Australian Federal Police lock-screen app (variants of the infamous Vundo malware), from installing and locking users out of their computers. But the reality is that it is user ignorance that is exploited. How many people downloaded the rogue AV after searching Google for a free antivirus, a registry cleaner, a speed-up-my-internet program and so on, or didn’t think updating Java or the Flash player was a good idea?

In the future, next-generation malware will be forwarded to your computer in non-sequential IP packets and reassemble itself like an army of ants. Next-generation intrusion detection technology is going to replace legacy security programs, but users also need to be educated about using the web.

Next Generation Technology

Some developers of next-generation technology are looking at intrusion detection, or blocking by default, rather than signature-based or heuristic analysis. With signature-based detection, a virus or piece of malware must already be known to the security industry before it can be recognised; malware that exploits a vulnerability before it is known is called a zero-day exploit.

I have been testing a product called Appguard from the Blue Ridge Networks startup in Virginia. There are others developing programs, firewalls, and cloud based security for internet browsers in the enterprise space, but so far there’s not that much around for end users, professionals, standalone computers in small business. These groups are considered soft targets by malware vendors.

Appguard is the security guard who doesn’t trust anyone. It will block any new app or program from launching unless Appguard is in install mode. This is where we are going to have a problem with users unknowingly installing bugs. When AppGuard is in install mode you are temporarily unprotected.

There is a degree of user overhead with this type of approach. It will block something from installing but it will not stop you from installing something you shouldn’t in the AppGuard install mode, and it will not scan your PC for malware, you need a good malware scanner to do that.

I’m not going to recommend AppGuard for everyday users at this point for the above reasons, and will wait to see what else is coming along in 2014. Keep your eyes on the blog! But I recommend you stop wasting money on antivirus programs: download Microsoft’s MSE software, it’s as good as paid software and it’s free.

[Image: AppGuard activity report]

AppGuard is intrusion detection but is not a malware scanner.

5 Compelling reasons to upgrade to Windows 8

[Image: Windows 8 upgrades Perth WA]

2013 is going to be an exciting year in technology thanks to the evolution of nanotechnology and Windows 8. Windows 8 (the next phase of human-machine interaction) has partnered with Intel to harness the power of nanotechnology in a new breed of computers (e.g. the Ultrabooks and the 4″×4″ Next Unit of Computing). Windows 8 offers unified computing, a new generation of sensor technology and the signature Windows 8 UI. Personally, I love Windows 8. From an everyday user’s perspective it’s a breeze to use; it’s interesting and fun. The app store has loads of free apps: useful apps, business apps, technical tools and utilities, entertainment, SBS TV. You can connect via HDMI to large screens and TVs, plug in high-speed Ethernet when your wifi streaming frustration peaks, and enjoy the multimedia.

The apps all seamlessly integrate into the Windows 8 user interface shown in the image above.

Some of the most important developments in Windows 8 relate to security, personal identity protection and the safety of your data, and not without good reason. 2012 saw an unprecedented rise in cyber attacks, identity theft and the stealing of credit card details, according to cyber-industry experts in Australia. We can expect more of the same in 2013; it’s a profitable business.

Here in Perth, in the trenches, we sometimes discover viruses, botnets, and spyware or keyloggers (programs which record your key strokes looking for credit card strings) which users were unaware of. For some cyber crims it’s been easy pickings.

Windows 8 is going to be bad for business.

The new security features under the hood of Windows 8 will put a dent in the profits of cyber-criminals. These are seriously good and effective security protocols. Here are our top 5.

1. Trusted Boot

While many viruses today are related to the mid-1990s variants of the Vundo virus, they are far more sophisticated, exploiting the vulnerability of the boot process, for example. In Windows 8, on systems with a UEFI (Unified Extensible Firmware Interface) enabled BIOS (most current-generation computers), the boot process interacts with the operating system to test for valid digital certificates. If the boot code has changed (i.e. been infected), the process reverts the changes.

2. Antivirus program starts first

Windows 8 tweaks startup to give your antivirus priority at load time. Antivirus like Bitdefender performs a startup scan, so if a virus or piece of malware attempts to start at boot, the startup AV scan may catch it.

3. Do Not Track

A few months ago I wrote about Googling the phone number of a dentist in my area from my mobile phone. The next day or two I received an email offering dental work on the cheap from a dentist in Phnom Penh. This might be an example of browser spying (or a coincidence) commonly known as user tracking for marketing purposes. The problem is this technology, dominated by cookies, is being used by cyber-criminals (read this post). The Do-Not-Track feature in IE10 applies to the immersive browser version in the Windows 8 UI.

4. Windows Smartscreen

Smartscreen is an app integrity safety feature using reputation-based technologies to check apps from the Windows 8 Store for malicious code. Smartscreen is also a feature of the new IE10 to offer a layer of protection against theft of passwords and usernames.

5. The Windows PDF Reader

PDF readers are commonplace in computing, so it stands to reason they are also a common attack vector. Windows 8 comes with its own inbuilt PDF reader. Users typically forget to update reader software or don’t know how. The PDF Reader in Windows 8 will receive security updates and patches via Windows Update. This is another example of good work and of Microsoft’s commitment to security outside of the enterprise.

The hidden danger of browser cookies

Every time you visit a website such as Yahoo, Google, Microsoft or your favourite shopping site, a cookie is left behind in your browser. This in itself is a harmless text file that merely stores information about your visit, your login and your use of the site. Most websites require cookies, so it is not feasible to turn off cookies in browser settings. Deleting your browser cache when you close your browser removes some simple cookies but not persistent cookies.

So what’s the danger of a text file with no ability to run a program (executable)? A cookie can contain information useful to an attacker, enabling the computer to be re-infected after the original virus infection is removed. Being plain text files, cookies can easily be harvested by malicious programs. When a virus or backdoor trojan infects a computer it will install a malicious cookie, in part to facilitate re-infection in the future, particularly if the user visits one of the websites where the original infection came from.

Virus analysts have also identified exploits in common browsers where information can be harvested from cookies to gather login information to various websites the customer is using.
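The distinction the post draws between cookies that go when the browser closes and persistent cookies that stay behind can be checked directly in the cookie jar. The following is an added example, not code from the post: it parses a Netscape-format cookie jar (the tab-separated text file Firefox exports and curl and wget use) and groups each cookie as session, persistent or already expired. The jar contents and the reference time are constructed for illustration.

```python
"""Audit a Netscape-format cookie jar: which cookies vanish with the browser
session and which persist to a future expiry date. Added example; the jar
below is constructed and the domains are placeholders."""

# Constructed cookie jar. Fields per line: domain, include-subdomains flag,
# path, secure flag, expiry (Unix seconds, 0 = session cookie), name, value.
# The "#HttpOnly_" prefix is the curl/wget convention for HttpOnly cookies.
SAMPLE_JAR = """\
# Netscape HTTP Cookie File
.example-search.test\tTRUE\t/\tFALSE\t0\tSESSIONID\tabc123
.example-search.test\tTRUE\t/\tTRUE\t4102444800\tPREF\tuid=42
#HttpOnly_.example-shop.test\tTRUE\t/\tTRUE\t1262304000\tcart\tempty
.tracker.example-ads.test\tTRUE\t/\tFALSE\t4102444800\tuid\t9f8e7d
"""

# Reference time used for the audit: 2013-01-01 00:00:00 UTC (constructed).
REFERENCE_TIME = 1356998400


def parse_cookie_jar(text: str) -> list[dict]:
    """Return one dict per cookie line; comments and malformed lines are skipped."""
    cookies = []
    for line in text.splitlines():
        http_only = line.startswith("#HttpOnly_")
        if http_only:
            line = line[len("#HttpOnly_"):]
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue  # malformed line: skip rather than guess at its fields
        domain, _subdomains, path, secure, expiry, name, value = fields
        cookies.append({
            "domain": domain,
            "path": path,
            "name": name,
            "value": value,
            "secure": secure == "TRUE",
            "http_only": http_only,
            "expires": int(expiry),
        })
    return cookies


def classify(cookie: dict, now: int) -> str:
    """'session' if no expiry, else 'expired' or 'persistent' relative to now."""
    if cookie["expires"] == 0:
        return "session"
    return "expired" if cookie["expires"] <= now else "persistent"


def audit(text: str, now: int) -> dict[str, list[str]]:
    """Group 'domain/name' labels by class; the persistent group is what a
    cache clear on browser close leaves behind."""
    groups = {"session": [], "persistent": [], "expired": []}
    for cookie in parse_cookie_jar(text):
        groups[classify(cookie, now)].append(f'{cookie["domain"]}/{cookie["name"]}')
    return groups


if __name__ == "__main__":
    for kind, labels in audit(SAMPLE_JAR, REFERENCE_TIME).items():
        print(f"{kind:10s} {labels}")
```

Run against the constructed jar, the session cookie is the only one the browser discards on close; the two cookies with a year-2100 expiry stay until they are deleted explicitly, and the expired one would be dropped by the browser on its next load.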

Currently, the best antivirus program that scans for and removes malicious text files such as cookies is Bitdefender. You can download a copy here.

Send a self destructing message

Sending someone an email with sensitive information such as your credit card number, passwords, or other information can leave that message hanging around in email folders, instant messaging programs or texts for a period of time until it’s deleted, and even then can be recoverable.

Enter the burn-after-reading solution from Oneshar. This is the stuff of a James Bond movie. The data you send in the message is encrypted; once read, the message self-destructs, and if your intended reader does not read the message it will self-destruct after the time allocated by you. By default this is 3 days.

I can see a lot of uses for this. It’s free and you can get it here.

How private are your google searches?

The other day I was in my car and wanted to call a local dentist. I forgot the number so I tethered my iPhone to my (wifi) iPad and looked up the dentist’s website on Google. Next day I got a spam email from a dentist in Phnom Penh offering discounted endodontic (root canal) work. This couldn’t be a coincidence; dental spam is pretty uncommon. Google will tell you that searches are not available to prying eyes and might only be available to certain types of persistent cookies in your browser. In this case I was using Safari, which is regularly shut down and its cache cleared of data.

At this stage it’s a mystery how this happened. Have you had similar situations? Write and let me know.

In your own home or place of business things are not so private, just a little hidden. People often use web browsers while logged into their Google account, or forget it’s open. You can see this in the top right corner of the Google search page. The “My search history” link is gone from the Google page, but the feature is still there, just not so obvious. While logged into Google, type “my search history” into the search box to view your recent and past searches.

Here you can see everything you searched for starting from the most recent date, with time stamps. Over to the right you can see a calendar where you can search your search history by date. Because people don’t notice they are logged in to google all searches are recorded, and another user can sit down at the PC and see this history.

To prevent google recording searches you can simply log out of your account, use the pause button available in my search history, or regularly go in and use the clear all tab.

Will the internet come to an abrupt halt on July 9?

You have already read about the dormant virus which will block the internet for around 277,000 users on July 9. This is the estimate given for the number of computers still infected after the hackers responsible for the stealth intrusions were arrested by the FBI. In a first for the FBI, they brought in their own servers to take over the malicious DNS servers to which over 380,000 PCs were pointing.

The temporary system set up by the FBI will be shut down at midnight on July 9. We don’t know how many of the estimated remaining infected PCs are located in Australia, but you can quickly and easily check your threat status for this specific worm at CERT (the Australian Computer Emergency Response Team).

The new rules to protect your PC from malware

The worst defence is thinking you’re protected because you have an antivirus you paid good money for

Unless you’re using Windows 98 or an i486 system with no internet connection, you will be at risk of malware infections even with your well-known brand antivirus and spyware scanners, because modern malware can turn off or damage your AV scanner and avoid detection using sophisticated methods such as CD emulation technology. A rogue malware that first emerged in 2009 recently shut down the website of the London Stock Exchange. This type of rogue application silently injects malicious code from infected ads on legitimate websites. Staying safe online needs a rethink of the battle plan. It’s no longer about just one thing, like a good antivirus.

How does malware get on my computer?

Sometimes malware and rogue programs are unknowingly downloaded when searching online for help with a slow computer, or for free virus scanners. People do this a lot. Malware that silently injects code onto a system when you visit a legitimate website that has been compromised through its advertising network is difficult to detect. Other infection or attack vectors include Facebook, clicking on bad links in chat programs such as MSN Messenger and Live Messenger, and clicking on infected attachments or links to phishing sites. An example of a phishing link is the spoofed seek.com email. Clicking on the link in the spoofed email leads to a phishing scam website that looks remarkably like the real thing. It’s hard to spot the difference.

One way to spot the difference is to upgrade your browser to the latest version for your operating system, and to Internet Explorer 9 on suitable systems. In the address field the domain is highlighted and the remainder of the URL is greyed out. If you see jobs.seek.com, for example, it is likely to be a scam because the Seek domain is seek.com, not jobs.seek.com.

But some phishing emails look perfectly like the real thing. How can you tell if an email is spoofed? It’s not that hard. You can read the header of the email by right-clicking on the unopened email in the Outlook 2007 window and choosing Message Options. Here you can see the sender domain after the @ symbol and the Reply-To address. In Outlook 2010 you can add Message Options to the Quick Access Toolbar (QAT) by following these simple instructions over at slipstick.com.
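The two manual checks described above, reading which part of a link the browser would highlight and comparing the From and Reply-To domains in the message header, can be scripted. The following is an added example and not code from the post: it extracts the registrable domain of a URL (the part a domain-highlighting address bar shows in full) and pulls the sender and reply-to domains out of a raw message. The public-suffix table, the URLs and the email are constructed for illustration; a real tool would use the full Public Suffix List.

```python
"""Two phishing-indicator checks: the highlighted (registrable) domain of a
link, and a From / Reply-To domain mismatch in an email header. Added example;
the suffix table and all sample data are constructed."""
import email
from email import policy
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List, enough for the
# constructed samples below.
PUBLIC_SUFFIXES = {"com", "net", "org", "com.au", "net.au", "co.uk", "test"}


def highlighted_domain(url: str) -> str:
    """Return the public suffix plus one label, i.e. the part of the host a
    domain-highlighting address bar shows in black. Everything to the left is
    under the control of whoever registered that name."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    labels = host.split(".")
    # Try the longest candidate suffix first so "com.au" beats "au".
    for i in range(len(labels)):
        if i > 0 and ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host


def sender_domains(raw_message: str) -> dict:
    """Domains after '@' in From and Reply-To, plus a mismatch flag. A
    reply-to address on a different domain from the sender is the sign the
    Outlook Message Options check above looks for."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    result = {}
    for header in ("From", "Reply-To"):
        value = msg.get(header)
        addr = value.addresses[0].addr_spec if value and value.addresses else ""
        result[header] = addr.rpartition("@")[2].lower()
    result["mismatch"] = bool(result["Reply-To"]) and result["From"] != result["Reply-To"]
    return result


# Constructed spoofed message: a seek.com sender with a reply-to and a link
# that both land on an unrelated, look-alike registrable domain.
SAMPLE_EMAIL = """\
From: "Seek Jobs" <noreply@seek.com>
Reply-To: jobs-support@mail-verify.example-login.test
To: someone@example.test
Subject: Your account needs verification

Please confirm your details at http://www.seek.com.au.example-login.test/login
"""

if __name__ == "__main__":
    print(sender_domains(SAMPLE_EMAIL))
    for link in ("https://www.seek.com/jobs",
                 "http://www.seek.com.au.example-login.test/login"):
        print(link, "->", highlighted_domain(link))
```

The long host in the constructed link starts with a familiar name, but the highlighted part is example-login.test, which is all the browser's domain highlighting is telling you to read.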

Steps to Securing your System

You cannot run a computer without a good antivirus and malware scanner, in spite of some malware being able to shut down either of these types of defence. Malware and spyware are also often downloaded by a dropper, using a Trojan to deliver the payload, so AV and anti-malware protection is essential, but no longer the front line of defence.

Advanced level steps:
1. Ensure your operating system is up to date. Malware will exploit vulnerabilities in the system and many critical updates in Windows are security related patches. In Windows 7 and Vista type “update” into the search (start) field and choose Windows updates. In WinXP you can find the updates website in the left pane of the control panel. Updates should be set to automatic but it doesn’t hurt to go through the steps above to check if your system is current. If you have pirated software you are at a high risk of infestation.
2. Java and the Flash Player are on most computers, so it’s not surprising they are targeted by cyber-criminals. Rogue/scareware programs capable of injecting code from a website commonly use known Java exploits (catalogued as CVEs). To check if you have the latest Java version, visit the Java test centre at Sun Microsystems.
3. On badly infected systems we sometimes find more than one malware/spyware scanner – in some cases competing with each other. We recommend ESET Antivirus and Malwarebytes which work together well. ESET is from Slovakia with an office in Brisbane and is the preferred antivirus shipped with new Intel 2nd generation motherboards.
4. The most common rogue infection is referred to as scareware (figure 1) because it wants you to believe that the list of infections it’s showing you is really on your PC. Of course they are not, but it will attempt to defraud your credit card. Each time you click the red X to close the window it will install another instance of itself. This type of program is also known to install rootkits and keyloggers, which are difficult to detect. Even if the malware program appears to have been removed by your AV program, it may already have installed its keylogger payload.
5. The Rapport web browser plugin from Trusteer.com is a highly regarded anti-keylogger tool used by many major banks in the US and Europe. The standalone version is free. Install this into your browser and click to protect specific websites such as your bank.
6. Recently we have seen a browser redirect that was installed not on the PC but in the router. Each request in Google search redirected to an unrelated website. The reason the bug was able to install into the router was that the router still had its default password. When setting router passwords, or any password, the usual advice is to use complex and difficult passwords. The downside is that they are impossible to remember. The most common ways to find someone else’s password are (a) guessing, (b) brute-force attacks and (c) common words (guessing again). Any of these methods involves a hacker using a script, such as a dictionary script. A password like PASSWORD or FIDO3 will take between 3 minutes and an hour to guess using an automated script which can be downloaded free on the web. Let’s look at the example password gehdfa7. A brute-force attack running an automated script at 100 passes per second will eventually hack (guess) it in some short theoretical time frame (<12 months). If you create a mix of capitals such as gEhdFa7 it would be more likely to take >100 years with an automated script at 100 passes per second. But who’s going to remember gobbledegook? If you use a three-word phrase like “just in time” (with spaces or underscores) it will take in excess of a thousand years to brute-force. And bonus! You will always remember it. The places where passwords are most important are the websites you visit, such as eBay, banks etc.
7. The password on your computer is less important than those for websites, because the likelihood of your PC getting hacked behind the NAT firewall on most modern routers, with a password, is remote. Why would your PC be worth the effort of a serious hacker anyway? But using your full name, JAMES BLUNT, as your login name means it will be recorded (a) when you upload a photo to some for-sale website and (b) in the metadata of a Word document. The person who terrorised a young girl in Sydney recently with the collar bomb hung a lanyard around the girl’s neck with a USB thumb drive attached that had the ransom note and instructions on it. There was just the one document, but data forensics found traces of deleted files, including the metadata of an earlier Word document which showed the user logged in at the time as Peter.P. The suspect in the case is Paul Peters. Word documents also contain a history of changes.
8. Using the OpenDNS server network helps to protect you from phishing sites and infected websites matched in DNS databases contributed to by over 20 million OpenDNS users. OpenDNS is a service which also allows you to block access to Facebook and IM programs during working hours! Or at home. You can block access to naughty content at the router level, which will affect all PCs on the network. The free OpenDNS will often have the side effect of speeding up internet browsing. The VIPRE antivirus from Sunbelt Software uses a similar paid DNS service called Clear Cloud to protect against infected sites and is a similarly very effective tool.
9. Be careful of other people’s USB drives. Beware the sales rep, or even the IT guy fixing your computer who inserts and opens a USB drive on your PC without a password. They could be transferring a virus, or silently installing a keylogger.
10. A lot of criminal-ware takes advantage of common download searches such as registry cleaners, system optimizers, and free antivirus scanners. Be careful what you wish for!
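Step 6 above compares passwords by how long an automated script would take to get through them. The following added example, not code from the post, puts numbers on that comparison: it classifies a password by the character classes it draws from, computes the exhaustive-search keyspace, converts that to years at the 100 guesses per second rate the post uses, and separately flags passwords a dictionary script would find outright (ignoring case and trailing digits). The wordlist is a constructed stand-in for the real ones such scripts carry.

```python
"""Worst-case exhaustive-search times for the password examples in step 6,
plus a dictionary check. Added example; the wordlist is constructed and the
character classes are the usual assumption that an attacker enumerates every
string over the classes the password was drawn from."""
import string

GUESSES_PER_SECOND = 100            # rate used in the post
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed stand-in for the wordlists a "dictionary script" runs through.
WORDLIST = {"password", "fido", "letmein", "qwerty", "welcome"}

CHARACTER_CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (" " + string.punctuation, 33),   # space counts as punctuation here
)


def dictionary_hit(password: str) -> bool:
    """True if the password is a wordlist entry once case and trailing digits
    (the two tweaks such scripts try first) are stripped: PASSWORD, FIDO3."""
    return password.lower().rstrip(string.digits) in WORDLIST


def alphabet_size(password: str) -> int:
    """Sum of the sizes of the character classes the password uses."""
    return sum(n for chars, n in CHARACTER_CLASSES if any(c in chars for c in password))


def keyspace(password: str) -> int:
    """Number of strings of the same length over the same classes."""
    return alphabet_size(password) ** len(password)


def years_to_exhaust(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Years to try every string in the keyspace at the given guess rate."""
    return keyspace(password) / rate / SECONDS_PER_YEAR


def report(passwords) -> dict:
    """Per password: ('dictionary', 0) if a wordlist hit, else
    ('exhaustive', years) for a full search at GUESSES_PER_SECOND."""
    out = {}
    for p in passwords:
        if dictionary_hit(p):
            out[p] = ("dictionary", 0.0)
        else:
            out[p] = ("exhaustive", years_to_exhaust(p))
    return out


if __name__ == "__main__":
    for pw, (method, years) in report(["PASSWORD", "FIDO3", "gehdfa7", "gEhdFa7", "just in time"]).items():
        print(f"{pw!r:16} {method:10} {years:14.1f} years  (alphabet {alphabet_size(pw)}, keyspace {keyspace(pw)})")
```

The two dictionary hits never reach the exhaustive figure at all, which is why the post treats PASSWORD and FIDO3 as minutes rather than years. Adding upper case to gehdfa7 multiplies the keyspace by (62/36)^7, and the twelve-character phrase is out of reach at this rate by a very wide margin; a real attacker with hashes in hand guesses far faster than 100 per second, so the ordering matters more than the absolute years.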

Call us for onsite mobile virus malware removal

© Copyright 2010. Wired Office Computers Perth WA.

Do you do internet banking? Protect yourself from spyware keyloggers

[Image: Trusteer Rapport add-in]

Keyloggers are not difficult to install on a computer, and there are variations of this type of spyware that can run in stealth mode that only an experienced technician can detect using process analysis. Keyloggers intercept data (your keystrokes) before it reaches the secure site you are logged into, such as your bank. Keyloggers run and record data regardless of secure website technology.

In addition to effective antivirus and malware protection, we install Trusteer’s Rapport security on any business computer used for financial transactions.

The home edition of Rapport is free and easy to install and gives you peace of mind when you are using your browser for secure transactions. Internet Explorer 9 is now supported as well as Firefox.

The Risk of data retention on SSDs

[Image: Solid state drive and data safety]

We see the failure of electro-mechanical hard drives on an almost daily basis. These clumsy but delicate devices are nearing the end of their technology life, and SSDs (solid state drives) with large capacity and mainstream pricing will take their place. The end of life for these troublesome drives is welcome, though I must point out that while everyone moans about the unreliability of IDE and SATA drives, they are built to a price and you got what you asked for. Some drives seem to be a little more reliable than others, and the WD VelociRaptor is very reliable, at a price.

We would expect to see data retained when a flash drive has reached its write-cycle limit, and this presents its own security issues for enterprise, medical and all other users where critical data is stored. Researchers at the Non-Volatile Systems Laboratory found that commercial erasing programs were not entirely effective, with data remnants still available to the testers.

A SSD drive that is unmountable or no longer appears to be working may be mistakenly discarded with accessible data on it.

A quick lesson in internet banking

In our daily work in the field scanning computers for malware and viruses, we are finding many variants of the trojans Zeus, Zbot and Hydraq, among others. We are finding these on computers which are regularly used for internet banking and other financial transactions, including using a credit card online. Some of these PCs actually hold databases with extensive information about a company’s clients, such as physical and email addresses.

These types of malicious programs assume the name of legitimate system resources, and want your money from your bank. So far they have been very successful on several continents. The fact that we are finding so many of these bugs on systems here in Perth would indicate Western Australians are also victims.

At Wired Office we are now offering an onsite service to test PCs for the presence of trojans, and to set up advanced, multilayer protection against trojan keyloggers. Keylogger programs are silent and undetectable and either record your keystrokes or hijack a machine, unknown to the user. Standard support rates apply. If you do not require scanning, or if your PC is new for example, we can set up anti-keylogging on your PC free of charge.

More information here.