Maximum PC rootkit RSS Feed

AVG Updates Free Security Tool to Support Shortened URLS; Ad-Aware Also Expands Protection

Ryan Whitwam — Tue, 13 Oct 2009 21:06:29 -0500

You probably encounter more shortened URLs these days. These links, while convenient, are also a great way to hide a link to a malicious site. You can blame Twitter for their proliferation. With only 140 characters, tweeting a full link is impractical. Now AVG is stepping up to the plate to offer a method of protection.

AVG’s LinkScanner security product now fully supports shortened URLs. AVG says the LinkScanner system is more reliable than other methods because it tests links in real time. Whether or not it's the best, it is free.

The free malware scanner, Ad-Aware, has also added new features. The new enhancements are aimed at detecting and removing rootkits. A rootkit is a piece of malware that specializes in getting deep into the operating system to avoid detection. Ad-Aware uses heuristic detection to search for these nasty bits of software. It is also able to stop certain types of malware from restoring themselves after a reboot. Ad-Aware is a free download [warning, attempted upsell], and well worth having a look at.

China-Based GhostNet's Social Malware Attacks Exposed

Mark Edward Soper — Thu, 02 Apr 2009 11:21:18 -0500

The Conficker worm has been generating the big security headlines, but what The New York Times calls a "vast electronic spying operation" reveals an ongoing, very sophisticated cyberespionage campaign that may well represent an even more important threat than Conficker - especially to the Dalai Lama's Tibetan freedom movement.

Researchers at the University of Toronto Munk Center's Citizen Lab summarize GhostNet thus:

Documented evidence of a cyber espionage network— GhostNet—infecting at least 1,295 computers in 103 countries, of which close to 30% can be considered as high-value diplomatic, political, economic, and military targets.

Documented evidence of GhostNet penetration of computer systems containing sensitive and secret information at the private offces of the Dalai Lama and other Tibetan targets.

Documentation and reverse engineering of the modus operandi of the GhostNet system—including vectors, targeting, delivery mechanisms, data retrieval and control systems—reveals a covert, diffcult-to-detect and elaborate cyber-espionage system capable of taking full control of affected systems.

The attacks started with so-called "social malware" (emails apparently from trusted sources that included documents containing malware installers). Once the malware was installed, the programs used a variety of methods to compromise targeted computer: rootkits, HTTP GET/POST transmission of stolen data, keyloggers, backdoor remote administration tools, and even remote control of webcams and microphones for surreptitious recording.

The F-Secure "News from the Lab" blog posting on GhostNet describes how the attack works, includes a partial map of the extent of the attacks, a video on targeted attacks, and links to reports from the University of Toronto's Munk Center and Cambridge University. If you're responsible for computer security in your business or home, want a better understanding of cyberespionage, or are looking for better ways to detect information theft, these reports are must-reads.

How can you stop a GhostNet-style attack on your PCs? Consider the following:

If you receive unexpected attachments purporting to be from friends, associates, or co-workers, check them out before you open them.
Consider using Rich Text Format (RTF) document format instead of other formats. RTF retains document formatting, but can't be exploited as a container for malware.
Use the monitoring programs discussed in the GhostNet reports to check for suspicious activity.
Disconnect webcams and microphones when not in use.
Make sure your copies of Microsoft Office and Adobe Reader are running the very latest security updates.

What methods have you found to be most effective to sniff out and stop these types of information stealers? Hit Comment and share your discoveries.

Map courtesy The New York Times.

Online and Security News Roundup, Memorial Day Edition

Mark 'Marcus_Soperus' Soper — Mon, 26 May 2008 22:01:06 -0500

Helping IE8 Deal with IE7-Style Web Pages

Like it or not, the de facto HTML standard for web pages in recent years has been Microsoft's anything-but-standard dialect of HTML. Now that Redmond's browser is under attack from Firefox, Opera, and Safari, the next version of Internet Explorer will run in W3C standards mode by default. Sounds great - except that it's going to take a while to get all those billions of web pages to be redesigned to meet W3C standards instead of existing Microsoft 'standards.'

Now there are two workarounds:

You can use the Emulate IE7 button in IE8 to view pages written for Microsoft standards...or...
If you're a web designer, you can add a metatag to your existing web sites or individual pages that will force IE8 to display pages in IE7 mode. Get more information (and get the metatag code) by visiting KB952030.

Who Runs Rich Internet Content Faster? Hint: It Starts with X and Ends in P

Rich Internet Application (RIA) frameworks like Flex and Flash (Adobe), Microsoft's Silverlight, and Java's Swing are becoming the preferred ways to build rich Internet websites. The Register reports that Apple's OS X is over 40% slower than Windows XP in rendering RIA and HTML-based websites on an Intel-based MacBook Pro, according to the new GUIMark benchmark. See the test results here, and try it for yourself here.

Rootkits Beware! Vista's UAC On Guard

PC World reports that Vista's User Account Control is good for much more than reminding you of your nagging relatives - it blocked the installation of every rootkit used in two tests of Windows XP and Vista-compatible security programs and online scanners.

Rootkit installation on the Vista boxes could be performed on the Vista systems only after UAC was disabled. Unfortunately, detecting rootkits after installation continues to be a major problem for the tested applications. See the article summarizing the results (PDF format) here.

So, if you're a Vista user, pay attention to those UAC prompts - and if you've disabled UAC, think twice, especially if your system's getting infected.

Bad Guys Beware! The (Grim) Reaper's Getting a GPS

You've probably heard the public service announcements that tell how an airline pilot flying for the Air Force Reserve can direct an MQ-1 Predator drone from 7,000 miles away. Now, the MQ-1 has a big brother, the MQ-9 Reaper. The Reaper cruises at three times the speed of its predecessor and carries 15 times the armament.

Soon, the MQ-9 will also carry even smarter weapons: a recent test of new GPS versus laser-guided weapons fired by the Reaper showed the GPS-guided weapons achieved direct hits, while the laser-guided weapon got close, but didn't get a direct hit.

Many thanks to those who guide these weapons and those who also fight in the air, on land and on the sea to keep PC geeks (and everyone else) safe this Memorial Day.

(US Flag clip art courtesy of http://www.wpclipart.com/)

What We Should Learn from "Bad Tech August"

Mark Soper — Wed, 05 Sep 2007 22:59:48 -0500

August was a bad month for IP telephony users running Skype, users of Sony USB fingerprint readers, some users of Microsoft Windows XP and Vista, jobseekers using Monster.com, and users of Google Video's download to rent or buy services. Even if you're saying "no problems here," think of August's bad technology events as the equivalent of a canary in a coal mine: the canary keels over at the first whiff of bad air to warn the miners that something's wrong. Similarly, this quintet of technology-based problems may forshadow problems for everyone down the pike. Fortunately, you can take action to save yourself some grief.

Canary Number 1: "Nobody's in Charge Here."

Skype's problems reveal the big weakness of peer-to-peer and distributed networking (Skype's design includes features of both): no central server's in charge of load balancing and keeping the system running. Although Skype recovered after a couple of days of users' inability to logon to the network, untold amounts of business were lost, not to mention misunderstandings between friends, romantic breakups ("why didn't you call - why didn't you call?"), and missed reminders to pick up some bread and milk on the way home

Your escape route: While it's up to vendors to make sure their P2P networks can handle whatever happens (Skype's already made changes to stop the next "perfect storm" in its tracks), if you're not satisfied with how your P2P client handles unusual circumstances - switch to a different product.

Canary Number 2: "Free Can Cost You - Big Time"

Skype's problems reveal a second canary. If you rely on a free (or almost free) service, what happens when that service is out to lunch for a while?

Your escape route: Whether it's VoIP, email, or some other communications service, you'd better have a backup plan in case your primary communication service goes down.

Canary Number 3: "Vendors Are Looking Out for Number 1 (Hint: It Might Not Be You)"

The needs of legitimate customers sometimes fall far below other concerns for big companies. Sony's boneheaded decision to use rootkit-like technology in the software for their MicroVault USM-F fingerprint readers provides an abundant demonstration, but they're not alone. Consider the 12,000 or so users of Microsoft operating systems who were left wondering (temporarily) what was wrong with their copies of Windows XP and Vista when Microsoft's activation/validation server also went down August 24-25.

Your escape route: I've proposed a "Bill of Rootkit Rights", but don't hold your breath waiting for vendors to comply. Instead, you may want to vote with your wallets. If you don't buy hardware or software that uses rootkits, activation, or validation, vendors may get the message (especially if you tell them why you chose another product). We want secure products and want to see vendors get paid for their work - but there has to be a better way than creating virus infection vectors or preventing you from getting full use of the software you've paid for.

Canary Number 4: "Even if they know your name, don't trust them."

The data-theft attack on Monster.com exposed hundreds of thousands of jobseekers to a more insidious form of phishing: personalized phishes. Because the hackers gained access to the job-recruiter side of Monster.com, they were able to create personalized messages that can lull unsuspecting users into clicking their way into financial trouble.

Your escape route: No matter how plausible a message from a financial institution, job hunting site, or other site looks, skip the click and log in yourself. And, expect to see more personalized phishes as time goes by.

Canary Number 5: "You never really own DRM-enabled media."

Google pulled the plug on its video download to own or rent service in August, and terabytes of videos became unplayable as a result. While Google is providing full refunds to its customers and decided to turn its DRM validation servers back on for another six months of playback before the final curtain, the message is clear: DRM means never getting to say "I own it."

Your escape route: Spend a little more and buy non-DRM enabled media. Vendors like Apple and (believe it or not) Wal-Mart now offer MP3-format digital music free of DRM shackles, and more are likely to follow. If you want to see an end to DRM, it's time to vote (again) with your wallets.

Use a Sony USB Fingerprint Reader and Thumbdrive, Get a Rootkit Free!

By Mark Soper — Wed, 29 Aug 2007 12:40:00 -0500

In 2005, Sony added "rootkit" to the vocabulary of computer users across the world when it added hidden copy protection software to its music CDs. Two years later, history seems to be repeating itself.

Rootkits 101

What's a rootkit? In case you slept through the Sony music CD debacle, a rootkit is a program that hides its presence from normal operating system interfaces. A Windows rootkit, for example, will not show up in Windows Explorer. Depending upon its design, a rootkit can hide files and folders, registry keys, or other system components.

Rootkits can be used in a variety of ways: Sony used two different rootkits to prevent copying of music CDs by computer users in 2005, while other rootkits have been used to run security programs, run malware to attack systems, and so forth. While some users will object to any rootkit, no matter its purpose, others will be more concerned if the rootkit makes it easy for others to attack your PC.

What's Wrong with Rootkits

Sony's 2005 rootkits provided a vivid demonstration of everything a company that uses rootkit technology can do wrong:

Users weren't notified of the presence of the rootkit by the end-user license agreement
The copy-protection programs Sony installed as rootkits didn't prevent malware such as Backdoor.Ryknos.B (also known as Breplibot.C and others) from hiding themselves in the rootkits' own folders
The programs hiding in the rootkit degraded system performance
The programs could not be removed with normal uninstall routines

Sony eventually wound up recalling over 100 music CD titles that used the rootkits and shelled out millions of dollars in settlements.

Sony Rootkit, Part Deux

Monday, anti-malware vendor F-Secure announced that Sony's MicroVault USM-F line of USB flash drives with onboard fingerprint readers create a folder invisible to Windows that is used for the fingerprint reader's software and data files. While this method helps protect the reader from tampering, F-Secure points out that the hidden folder can also be accessed from the command prompt, can be used to store additional files, and could be exploited by hackers as a location for storing malware. In other words, whether Sony intended it or not, the MicroVault fingerprint readers install a rootkit on your PC that can be exploited as a security risk.

Sony - Slightly Smarter...

However, in a follow-up analysis two days later, F-Secure also points out that Sony has learned a few things from its 2005 fiasco:

The fingerprint driver software can be uninstalled easily
The program does not hide software or registry keys

...But Not Smart Enough

Unfortunately, the driver can be used to hide any (!) folder (McAfee's AVERT Labs used it to hide the Windows folder and all subfolders). How long will it be before some malware writer comes up with a nasty piece of "ransomware" to take advantage of this 'feature?'

Time for a "Bill of Rootkit Rights"?

Right now, the way that some rootkits are designed and used by legitimate companies makes it easy for the bad guys to abuse a rootkit by using it to attack users' computers - and users who don't know about a particular rootkit (and don't use anti-rootkit programs) are sitting ducks. Here's my modest proposal to set up a "Bill of Rootkit Rights" for PC users:

Vendors should use rootkits only if other methods for protecting files and programs are not feasible
Users need to be notified that a rootkit will be installed when a program or device containing a rootkit is being installed or connected
Users should be given the option to opt-out of installing a program that uses a rootkit
Vendors should provide an alternative to a program that provides a rootkit whenever possible, and explain the potential security risks of not using the rootkit-enabled version
Vendors should provide effective uninstallers for rootkits they distribute
Vendors should clearly explain what the rootkit does and why they believe it's necessary to the operation of the program or device
Vendors should use rootkits only if the rootkits cannot be used in ways other than what the vendor intended

Sony's Micro Vault driver quite clearly fails to meet most of these proposed rules - especially the last one.

Some may argue that this level of disclosure would harm the effectiveness of a rootkit designed to perform legitimate tasks. I disagree: right now, the bad guys know about what rootkits can do - and all I'm advocating is the same level of knowledge for legitimate users. Nobody wants to install a program that can be turned into a weapon against their system or their information.

-------------------

Discover what features are great, what works, and what needs work in Windows Vista with Mark's new book Maximum PC Microsoft Windows Vista Exposed. It's now available at Amazon.com and other fine bookstores.