Maximum PC malware RSS Feed

64-bit Windows is More Secure, for Now

Bart Salisbury — Wed, 18 Nov 2009 16:09:38 -0600

Microsoft is doing some chest-thumping over the advantages of it’s 64-bit operating systems. According to Joe Faulhaber, who works at the Microsoft Malware Protection Center, the 64-bit versions of Windows and Vista are less likely than their 32-bit counterparts to be infected with malware.

According to Faulhaber, who relied on information gathered by Microsoft’s Malicious Software Removal Tool (MSRC), during the first half of 2009 64-bit XP was 48 percent less likely to be infected, while 64-bit Vista was 35% less likely to be infected. No information was available for Windows 7 for the obvious reason it hadn’t yet been released, but it is expected the same would hold true for it. Faulhaber suggests the reason 64-bit versions are more secure is that malware, written mostly for the 32-bit world, is confused by 64-bit.

Not so fast, chicken Marengo! Alfred Hunger, vice president of engineering at the security firm Immunet, and formerly of Symantec, says there’s plenty of 64-bit malware out there. In fact, its a pretty easy thing for malware creates to whip up 64-bit versions if and when they desire. The low levels of 64-bit infection, he says, is more due to the low levels of 64-bit penetration in the market. If there aren’t all that many people using it there’s no incentive for malware makers to pay attention.

Microsoft’s own bi-annual Security Intelligence Report offers up another possibility: 64-bit users are smarter than 32-bit users. Being technologically more savvy they are less likely to bring malware onto their machines. The report concludes that as 64-bit spreads from the provenance of techno-geeks the current difference in infection rates between 32-bit and 64-bit will evaporate.

Image Credit: If you dream it.../Flickr

Computer Security Company Takes Out Enormous Botnet

Ryan Whitwam — Tue, 10 Nov 2009 18:30:15 -0600

Security firm FireEye has reportedly struck a massive blow against spam. The so called “Mega-D” or “Ozdok” spam botnet was effectively dismantled by these intrepid security researchers. After studying the beast, FireEye launched an attack by notifying ISPs, having command and control (CnC) domains removed, and then registering unused CnC domains.

Almost immediately, the spam ceased. No small feat, considering Ozdok was probably responsible for one third of the world’s spam. This takes the load off ISPs which were forced to filter the spam from this botnet. Individual users probably won’t notice much difference.

FireEye found that over 246,000 zombie machines were reporting to the CnC domains in their possession after the takedown. The security firm plans to work with ISPs to indentify the owners of the PCs so they may remove the malicious software.

Removing Rogue 'Security'

The Maximum PC Staff — Wed, 04 Nov 2009 14:45:45 -0600

PC MightyMax 2009 was included with the purchase of my new HP a6827c with Windows Vista. After trying out MightyMax I decided I didn’t want it due to its obscene costs. I obtained the instructions for removal—go to the Start menu, go to the PC MightyMax folder, and hit the uninstall button, but the software does not fully uninstall. Help!

—Shannon Swank

Doctor, I managed to get two computers infected with AntiVirus2009, simply by following a link to a video review online. Both machines run Windows XP Professional SP3. One is a Dell Vostro laptop, the other is a desktop I built about three years ago.

I’ve run Malwarebytes’ Anti-Malware, which removed a bunch of copies, Rogue Remover, SuperAntiSpyware, ThreatFire, and ZoneAlarm Internet Security, but every so often a new browser window will suddenly open and try to access AntiVirus2009.com. I’ve looked at every website on the Internet (well almost) and nothing I’ve tried will get rid of it on either computer. The only way I’ve been able to keep using the computers is to manually block antivirus200*.* in ZoneAlarm. Every time I check the log, there’s entry after entry where it tried to send an ICMP ping to that website or tried to open Firefox to access it. I’m at the end of my rope. I don’t know what else to do and I’m sure that there are other people out there having much the same problem as I am. Is my only hope to re-install Windows?

—Steve Rugg

Ah, our least favorite kind of malware: the kind that masquerades as useful software. Here we have two of the most insidious and widely spread flavors. PC MightyMax is a fake antivirus app that throws up false positives in an attempt to get you to pay for it. The Internet is full of people trying to remove PC MightyMax, and the general consensus is that Malwarebytes’ Anti-Malware (www.malwarebytes.org) will remove the program. If not, you’ll have to remove it manually. Start the Task Manager and end the following processes: pcmm.exe, ExeAfter.exe, PCMightyMaxSetup[1].exe, and any other processes with PC MightyMax in the title or location. Then run msconfig and prevent them from running at startup. Reboot and delete the folder. Run CCleaner (www.ccleaner.com) to remove registry crud.

Antivirus 2009 is another faux-security malware program, but it’s even more insidious. Since you’ve already tried Malwarebytes’ Anti-Malware, which effectively removes most malware (including, for most people, Antivirus 2009), but your problems persist, you’ll want to check out our full malware-removal how-to for detailed instructions on purging your machine of baddies. If your problems persist even after a thorough scrub-down, however, you may have to reinstall Windows. It sucks, we know, but not as much as a security-compromised PC.

SUBMIT YOUR QUESTION Are flames shooting out of the back of your rig? First, grab a fire extinguisher and douse the flames. Once the pyrotechnic display has fizzled, email the doctor at doctor@maximumpc.com for advice on how to solve your technological woes.

Phishing Scams and Worms on the Rise, Social Networks to Blame

Paul Lilly — Mon, 02 Nov 2009 12:35:03 -0600

Phishing and worms go together like, well, fishing and worms. But unlike the latter, you're the prey, and it can be particularly dangerous swimming in social networking waters, suggests a new report by Microsoft and McAfee.

The two software makers noted a sizable spike in phishing attacks during the months of May and June, driven in large part by hackers concentrating their efforts on social networking sites. Other popular targets included gaming sites, banking portals, and e-commerce.

While Trojans still topped the charts, Microsoft noted that worms are becoming much more prevalent, rising from fifth place in the second half of last year to now being the second most prevalent category of threats. Much of the rise can attributed to Conficker, which still has most security experts puzzled.

For those still clinging to XP, Microsoft noted that infection rates for Vista were significantly lower than for XP.

Image Credit: serc.carleton.edu

Kaspersky Offers Protection from Twitter Malware

Bart Salisbury — Thu, 29 Oct 2009 14:33:59 -0500

There’s creepy things afoot on the web, and what’s better to combat them than something crawly? Internet security company Kaspersky Lab has introduced the “Krab Krawler”, an anti-malware tool that can make your Twitter-hungry lifestyle a little bit safer.

Krab Crawler examines every public post that appears on Twitter. The posts are parsed for URLs which, if present, are traced to their origin. (Even shortened URLs are recognized.) The site is then checked for any creepy things, such as the Koobface virus, that might make your day less tweety.

Costin Raiu, a senior malware analyst at Kaspersky Lab, says the Krab Krawler pulls out about half a million new, unique URLs from Twitter posts each day. In these Krab Krawler finds between a hundred and a thousand linked to malware attacks. Raiu also notes that about 26 percent of these URLs link to spam sites, so even if a URL doesn’t pose a deadly threat, there’s a one-in-four chance it leads to an annoyance.

Krab Krawler works on top of Twitter’s own filtering system. The extra layer is useful because of malware’s propensity to undergo code changes to avoid detection. Raiu estimates it takes two to 12 hours to pick up on such changes and properly identify a new malware strain.

In addition to Kaspersky Lab, Trend Micro also monitors Twitter posts for malware. And Finjan offers a free browser plug-in, SecureTwitter, that warns users of URLs of dubious character.

Image Credit: thomwisdom/flickr

Murphy's Law: C-Y-A on the WWW

David Murphy — Thu, 29 Oct 2009 12:15:44 -0500

What a wonderful world that open and closed platforms have created on the World Wide Web. I can have an untold number of features and applications inserted into my Web browser without having to lift much more than a finger to access them. I can take my favorite Web platforms and expand their usefulness by linking them to other Web-based services. I can even download a variant of my Web browser of choice that bridges the best of two worlds under one new roof: new innovations mixed with standard familiarity.

So, what happens when these architectures fight back?

It's a stupid thing to say on its face, because I don't believe that it's up to a particular program or application to breach your defenses and fight its way into your cyber-life. Most, if not all instances of malware, spoofing, and hijacking (to name a few) can be directly traced to user stupidity in some fashion. Either a person leaves the ol' back door unlocked, fails to frisk the guests as they enter the home, or actively invites a heap of trouble to come on over for a party.

Simplified examples, perhaps, but the underlying fact remains a constant: You are the gatekeeper for your PC. Unfortunately, as we begin to adopt an "everyone's allowed" mindset for Web integration, we're only making it easier for the bad guys to do what they do best. Unfriendly, if not downright hostile bits of malware can be pushed back with but a few simple changes in behavior--are you as security-focused as you should be in today's cross-platform world?

Who Is Your Daddy; What Does He Do?

There's an online network for everything nowadays. And with these online networks come a flurry of registration requests and data exchanges that you feel compelled to answer. I can't count the number of Twitter invites I receive on a daily basis--just for reference, I'm not @veronica or something, but I definitely get enough email to make for a bout of mindless follower-accepting during my lunch break. That's just one platform.

It almost seems silly to type this, as it should come as Web 101 for all but the most inexperienced of users, but I'll say it anyway: Do you always know what you're clicking on? There's a reason why most programs come with a little status bar or helpful pop-up whenever you mouse over a hyperlink. One of the easiest ways to detect a potential link spoof--like, say, one that's been placed in a seemingly innocuousTwitter invite--is to hover your mouse over the link.

If the hyperlink doesn't match up with the actual site in question (like http://208.348.142.555/takin/ur/password.html versus http://www.twitter.com), then you probably shouldn't click on that link. And if you can't detect that I'm being sarcastic, and you really shouldn't click on the link, then it's too late--you've probably already clicked on the link.

Of course, if you're lazy, you could try using a helpful utility to try and make this judgment for you. Firefox's LinkExtend extension aims to do just that--protect you from sites that are trying to steal data they shouldn't. You can also check out TrendProtect for a similar safeguard. Still, nothing is as foolproof as the ol' brain-box. Don't just click accept or ignore on everything that comes in your inbox. Look before you leap, as it were.

On Page Two: The API Skeleton Key to Your Front Door and Third-Party Malware on Your Favorite Web Sites!

Giving the Guard Dog a Bone

For all the successful, engaging Web communities and platforms out there, it seems that there are nearly ten times the third-party applications that tie into said original platforms via some authentication method or API. And that's awesome, right? With but the click of a mouse button, you can expand the functionality of a service you find useful with even more bells, whistles, and AJAX-themed applications. Provided you can still log into the service, that is, considering you've just given up your name and password to a complete stranger.

Huh? How do we make the jump from Facebook to #fail so quickly? It's all in the authentication--or lack thereof. Consider a site called TwitViewer. According to a number of Tweeted messages late this July, signing up for the third-party Twitviewer service would allow you to generate a photo-based graphic of the last 200 people to click on your Twitter feed. Sounds inocuous, if not downright fun, eh?

Wrong. The site's sole purpose was to yoink the name and password of your account, which you'd type into the site under the mistaken belief that you were signing up for a service. Twitviewer would then use your account to spam your followers with the "sign up for us!" message, and the entire process would start again with a new batch of suckers.

Every platform is different in the way it allows third-party applications to access its services. Once again, however, it's up to you and your juicy brain to separate the good from the bad. In the case of Twitviewer, there were a few warning flags to watch out for.

First up is the obvious issue that it's currently impossible for a third party to be able to provide you with a picture-themed list of the last 200 people that have checked out your Twitter page. That would require some kind of callback or script built into the core of the page itself, which isn't something that can be done via the Twitter API. Ask thyself--have you ever heard of any other third-party service that can perform this function?

But supposed you wanted to give Twitviewer the benefit of the doubt. That's fine. The larger, glaring red flag is the actual authentication method that's used to "give" Twitviewer access to your account. Twitter authenticates third-party API requests using OAuth, a protocol that keeps your actual login and password out of the equation by instead assigning specialized keys, or permissions, to these external services.

It's the best of both worlds: Your user name and password stays safe with Twitter, yet other sites can make use of all the different Twitter features surrounding your account. That in mind, a third-party site shouldn't give you a prompt to type in your name and password. It should feed you a link to the main Twitter domain itself, where you'll log in (or use your already logged-in account) to approve or deny the authentication request.

It's a sad world when one has to be reminded to not give out a user name and password to anyone who asks, but the Twitviewer issue fooled many a user and tech journalist--even those decently well-versed in common security practices.

But I Didn't Do Anything!

Here goes my paycheck. If you're running a modern Web browser, you should really be doing everything in your power to prohibit third-party plugins from pushing content to your system sans permission. For Firefox users, that means running some kind of Adblock or Noscript plugin, which gives you the ability to select certain types of Flash and JavaScript content to allow or deny.

Why is this a big deal? Just look at the recent Gawker issue, where users across Gawker's many Web sites were served up with malware via a hosted advertisement that flew under the parent company's ad-ops radar. Or, for that matter, check out the New York Times--same deal.

But even these extensions can only deliver so much peace of mind for Firefox users. If you're a fan of a particular site, say, Maximum PC, and you decide to add it to your white list, then you'll get hit with any malicious content hosted on the site--and it's no real fault of your own. Aside from keeping your system software fully patched and accepting any unwanted or strange-looking file download, there's not much else you can do on the protection side of things.

What's important from this entire exchange, however, is your changing mindset. And that's really what this entire article is about. Web platforms and associated sites push content at you from all different directions and sources. It's up to you to do what it takes to make sure that this transaction takes place because you want it to happen--you're giving permission for an action to occur. You're not just sitting back and accepting someone else's malicious invite.

This control can come in many forms: scanning Web links for legitimacy; ensuring that third-parties are only allowed to access your data using safe, prescribed methods; or locking the door to everyone before you let people in, as opposed to throwing a party for all and trying to boot out unwanted guests after-the-fact. These are all important techniques to keep in your pocket as you traverse the Web's many platforms. And as our data slowly becomes interconnected between these sites, it's even more critical to keep one weak link from opening up your entire Web world for disaster.

After all, malware can ruin anyone's day.

David Murphy (@ Acererak) is a technology journalist and former Maximum PC editor. He writes weekly columns about the wide world of open-source as well as weekly roundups of awesome, freebie software. Befriend him on Twitter, especially if you have an awesome app or game you're dying to recommend!

Number of Web Sites Hosting Malware Rapidly Increasing

Jason Barry — Tue, 27 Oct 2009 19:17:40 -0500

Security firm Dasient has compiled some interesting numbers regarding the slums of the internet, in particular the number of pages hosting malware. Combined with numbers released earlier this year by Microsoft and Google it leads to a disturbing and messy forecast.

According to the study an estimated 5.8 million pages within 640,000 websites were infected with code designed to impregnate visitors’’ computers with malware. Microsoft released numbers back in April regarding this same statistic claiming only 3 million pages were infected. In approximately 6 to 7 months, the internet garbage pile has close to doubled. During a similar period, Google doubled its blocked site metric to just fewer than 350,000.

The cleaning process isn’t easy because sites are getting re-infected just as quickly as they are getting clean. In fact, 39.6 percent of compromised sites have been compromised in the past and were cleaned up.

Old versions of common programs such as Adobe Flash and Acrobat provide easy targets for exploiting large numbers of clients all at once. "Hackers are starting to see some success from these attacks and whenever they see success, they continue to invest more," said Ameet Ranadive co-founder of Dasient.

65,000 Time Warner Customers Exposed to Vulnerabilities

Paul Lilly — Wed, 21 Oct 2009 08:55:36 -0500

Yikes - it was discovered that a vulnerability in a Time Warner cable modem and WiFi router being used by 65,000 customers makes it possible for a hacker to remotely access the device's administrative menu and wreak havoc, To deal with the problem, Time Warner said it hopes to have updated firmware from the router manufacture to push out to customers soon.

"We were aware of the problem last week and have been working on it since," said Time Warner spokesman Alex Dudley.

The security snafu affects Time Warner's SMC014 series combo modem/WiFi router and was discovered by blogger David Chen, who writes for chenosaurus.com. Chen said he was trying to help a friend change the settings on his cable model when he discovered Time Warner had hidden some admin functions using JavaScript code. All he had to do was disable JavaScript in his browser and he could see those functions, including a tool to dump the router's config file displaying the admin login and password.

"From within your own network, an intruder can eavesdrop on sensitive data being sent over the Internet and even worse, they can manipulate the DNS address to point trusted sites to malicious servers to perform man-in-the-middle attacks," Chen wrote on his blog. "Someone skilled enough can possibly even modify and install a new firmware onto the router, which can then automatically scan and infect other routers automatically."

Time Warner said it is working to find out if the same or a similar vulnerability also affects other models.

Image Credit: SMC via Wired.com