Beware Malware, Everywhere!

Let this article at ComputerWorld’s Security Manager’s Journal serve as a warning to us all.  Even those who are employed in the Information Security profession are subjected to, and sometimes prone to, malware infections.  Just because you know a little something about a subject doesn’t mean that you are immune to the cleverness of others.  Most, but not all, of my malware infections have been intentional as part of my research, as a learning experience, or in order to gain a sample to study and understand.  Malware authors are no longer the pimple-faced kids, swilling Jolt in some dingy basement, looking to gain notoriety among their nerdy friends by causing a little disruption on the Internet for kicks.  Malware authors have grown up a bit, and are now motivated by greed.  They are committing fraud, and doing so in a business-like fashion.

This will not be news to most people that have had a computer for a few years, but may surprise some.  Malware authors have entered the business of organized crime.  They sell their services to, produce customized code for, and share profits with the same groups or affiliates of the guys that are running drugs and guns.  Online is where the money is, and the risks of getting caught remain low.  For the top dogs, anyway.  Not so much for the guys on the ground who actually gather the credentials, move the money around, and are often left holding the virtual bag.  Those are the ones that most often get busted.

Everywhere that you turn online these days, you are taking a risk.  Malware can be delivered very easily from porn sites.  These sites are always looking to separate you from your cash, and are not above selling redirects to malicious fraudsters.  Their business is seedy to begin with, so what’s a little extra coin gained anonymously?  I have trolled some of these sites (for research purposes only, of course 8) on occasion, and it is not uncommon to be redirected to some other site 2/3 of the time you click on a link or picture.  Out of the links and pictures that I merrily clicked away on, at least 2/3 of those either attempted to load some malicious code, presented a questionable pop-up, or offered some sort of nebulous download.  This of course is not the only way to get infected these days.  Malicious code distribution is taking place regularly on legitimate web sites through online ads, where the malicious “vendor” purchases ad space from a legitimate ad supplier, and provides an ad that contains malicious script, or when clicked through, loads code from the directed site.  These ads are served up by many, many sites unknowingly, as they present the rotating ads.  Other legitimate sites are probed for vulnerabilities, in the code they use, the back-ends they connect to, or the add-ons that they support.  Once a vulnerability is found, code is injected into the pages that either infects or redirects the browsing user.

Fake Anti-Virus is a common and nasty little problem.  It has hit the malware scene fairly recently, and has proven to be an effective infection mechanism.  It generally works like this.  You surf on down to MadMark’s Bait Shop, and click some link.  This link takes you to some other site, and WHAMMO, a pop-up with no border, and perhaps a titlebar that says “Super-Duper-Malware-Killer” or something more convincing, since criminals aren’t really worried about abusing copyright or trademark rules.  Rules are for suckers.  It shows a nifty progress bar, and will often show many files in red, warning you that you have some sort of virus.  It will continue to “scan” your system while it attempts to exploit your system with attack after attack until it finds a chink in your armor, and downloads software to you in the background.  It may tell you that it can clean up your dirty little system for the low, low price of <insert insignificant dollar value here> and takes all major credit cards.  Of course, giving your credit card information to these guys might not be the wisest move you have made today.  This gives them the opportunity to process a transaction on your card, gaining them whatever value they placed on their “product”, as well as validating that this is indeed a working, juicy, valuable credit card that they can use to buy things, take cash advances on, or sell to someone that can do all that and more.

You need to know what your anti-virus scanner looks like, you should have a good idea of how it will actually alert you to an event, and you should really close any suspicious windows without clicking anywhere on the presented interface if you suspect that the alert is fake.  Why this last part?  Because they can program the entire window to act as an installation button.  I use the shortcut key Alt-F4 (hold down the Alt button next to the spacebar, and tap the F4 button above the number keys) to close suspicious windows.  Try it.  If it closes this browser window, come on back and finish this article!

J.F. Rice writes, “Nobody is safe anymore from malware, now that it’s being professionally and competently developed. Make sure your backups are current, and spread the word to unsuspecting users that any unexpected “Security Scans” require immediate response.”

I would agree, backups are essential.  Here are 10 tips that I would recommend to any business or home user:

  1. Run a hardware firewall.  It will filter a good amount of the cruft and most direct network attack attempts.
  2. Run a software firewall.  It will filter out practically all of the remaining junk, and any direct system attack attempts.
  3. Patch your Operating System AND your applications, ASAP.  The longer you are not patched, the more exposed your flanks will be.
  4. Install anti-virus software.  Nag nag nag.  There is a good reason that you hear it all the time.  It WILL NOT stop everything, and the latest and greatest malware will get you despite it being there.  However, and this is IMPORTANT!  It will stop most of yesterday’s latest and greatest, and that is the most common threat that you will encounter.  Update your A/V signature files daily, or more often if possible.  This is what will detect the most recent threats that your vendor is aware of.
  5. Actually configure and USE that anti-virus software.  It is not enough to install it and expect it to work if you don’t scan often.  I have the heuristics turned way up on my A/V, and it scans my system’s memory, critical O/S files and critical documents daily.  This scan takes about 15 minutes to complete, and happens in the wee hours, when my wife expects me to be sleeping.  I’m usually not, but that will be our little secret.  LET IT RUN!  I also set my systems to scan their entire directory structure at least once a week.  This happens again at a time that I am not expecting to use the system.  This one I may pause, BUT NEVER CANCEL!
  6. Use a signature based A/V product, but fortify this with a whitelisting, integrity checking, IDS, or change controlling software product.  You want to be alerted whenever something new is installed, something tries to communicate out, something old is changed, or something old changes behavior.
  7. If you surf to “the dark side” of the Internet, or would just like a little extra protection, get your hands on a sandboxing program.  This type of program sets up a copy of your favorite browser, and all of the add-ons and support files that your browser interacts with.  Then, when you surf with the sandbox enabled, it allows the infection to occur, but only on this temporary setup.  Once you close the browser, everything is deleted, and there is no infection.  I also like virtual machines or VMs.
  8. Monitor your network.  It’s your network and you are responsible for it.  Install one of the free or commercial IDS (Intrusion Detection Systems).  It will be a great learning experience, and you will be able in time to tell what is going on in your network.  Look, anyone that has been using a computer for more than 3 years either has an old one lying around, or is overdue for an upgrade.  Put it to use!  Even if all you do is use it as a proxy, it can serve as a canary in your coal mine.  If something were to happen to that system before it happened to yours, you’ve been attacked, but probably lost nothing but the time it takes to fix that old clunker.
  9. Secure your wireless connections.  Change the SSID, hide it, enable the best encryption mechanism that it supports, and change the keys periodically.  This is your weakest link, in most cases, because your neighbors don’t need physical access to get at your network, your computer, and your personal information.
  10. DON’T CLICK ON LINKS or ATTACHMENTS, unless you are 100% certain that they are safe and can be trusted.  Uncle Frank sending you some “interesting photos” in a zip file unexpectedly?  Give the old coot a call.  See if it really is him.  Doctor Whatsisnuts in Nairobi looking to cut you in on a deal for millions?  >-DELETE-<  If it was true, why use traceable emails?  Look, just don’t trust anyone on the Internet that you can’t verify and validate.  Oh, and no pill is going to help you with your little problem, or cost you half as much as the ones at Shoppers Drug Mart and actually work.  Just sayin’.
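Tip 6 asks for an integrity checker that alerts you when something old is changed or something new appears.  Here is the bare-bones version of that idea as an added example (my own illustration, not a product the post names): take a baseline of SHA-256 digests for every file under a directory, store it, and on a later run report what was added, removed or modified.  The directory and baseline file paths are whatever you pass in; nothing here is specific to any operating system.

```python
"""Minimal file-integrity baseline and change detector (added example).

Walks a directory, records a SHA-256 digest for every regular file, and on a
later run reports files that were added, removed or modified since the
baseline was taken.  Symlinks and special files are skipped.
"""
import hashlib
import json
import os
import sys
from typing import Dict, List

CHUNK = 1 << 16  # hash files in 64 KiB pieces so large files need not fit in memory


def sha256_file(path: str) -> str:
    """Return the hex SHA-256 digest of one file's contents."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map each regular file under root (path relative to root) to its digest."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks, sockets, devices and the like
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def save_baseline(baseline: Dict[str, str], path: str) -> None:
    """Persist the baseline as sorted JSON; keep this file somewhere an intruder can't edit."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path: str) -> Dict[str, str]:
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def compare(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify the differences between two baselines."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "changed": changed}


def check(root: str, baseline_path: str) -> Dict[str, List[str]]:
    """Re-hash root and compare against the stored baseline."""
    return compare(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    # usage: python fim.py baseline DIR BASELINE.json
    #        python fim.py check    DIR BASELINE.json
    if len(sys.argv) != 4 or sys.argv[1] not in ("baseline", "check"):
        sys.exit("usage: fim.py baseline|check DIR BASELINE.json")
    mode, root, store = sys.argv[1:]
    if mode == "baseline":
        save_baseline(build_baseline(root), store)
        print("baseline written to", store)
    else:
        for kind, paths in check(root, store).items():
            for p in paths:
                print(f"{kind:8s} {p}")
```

Run it once to take the baseline, then from a scheduled task at the same quiet hour as your A/V scan; any line in the output is something you did not expect, and that is exactly the alert tip 6 is after.  A real product also watches permissions, ownership and registry or configuration state, and signs the baseline so it cannot be quietly rewritten.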
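For tip 10, the most mechanical part of "verify and validate" a link is checking that the address you can see is the address you would actually be sent to.  The following added example (mine, not from the post) parses an HTML mail body with Python's standard-library HTMLParser and reports every anchor whose visible text names a host that differs from the host in its href.  The sample mail body is constructed and uses reserved documentation names; the last-two-labels comparison in registrable() is a simplification that does not handle suffixes like .co.uk.

```python
"""Flag links whose visible text points one way and whose href points another.

Added example: collects <a> tags from an HTML body and compares the host shown
in the link text with the host in the href attribute.  A plain "click here"
link carries no host and is therefore not compared.
"""
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# A host name: one or more labels, a dot, and a two-or-more-letter last label.
HOST_RE = re.compile(r"(?i)\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")


def host_of(url: str) -> str:
    """Lower-cased host part of a URL; a bare host without a scheme is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable(host: str) -> str:
    """Crude last-two-labels form of a host (example.com for www.example.com)."""
    parts = host.split(".")
    return ".".join(parts[-2:])


class AnchorCollector(HTMLParser):
    """Gather (href, visible text) for every anchor in the document."""

    def __init__(self) -> None:
        super().__init__()
        self._href: Optional[str] = None
        self._text: List[str] = []
        self.anchors: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_mismatched_links(html: str) -> List[Tuple[str, str]]:
    """Return (visible text, href) for anchors whose shown host differs from the real one."""
    parser = AnchorCollector()
    parser.feed(html)
    suspicious = []
    for href, text in parser.anchors:
        match = HOST_RE.search(text)
        if not match:
            continue  # no host in the visible text: nothing to compare
        shown = registrable(match.group(1).lower())
        actual = registrable(host_of(href))
        if shown != actual:
            suspicious.append((text, href))
    return suspicious


# Constructed sample mail body: one honest link, one "click here", two decoys.
SAMPLE_MAIL = """
<p>Your statement is ready at <a href="https://www.example.com/login">www.example.com</a>.</p>
<p>Or <a href="https://www.example.com/help">click here</a> for help.</p>
<p>Verify now: <a href="http://198.51.100.7/verify">https://bank.example.com/verify</a></p>
<p>Also: <a href="http://example.com.lookalike.test/">example.com</a></p>
"""

if __name__ == "__main__":
    for text, href in find_mismatched_links(SAMPLE_MAIL):
        print(f"shown: {text!r}  actually goes to: {href}")
```

Only the last two anchors are reported: the third shows a bank address but leads to a bare IP, and the fourth hides the real domain behind a familiar-looking prefix.  Hovering over a link in your mail client shows you the same thing by hand; the point of the tip is that what is shown is never evidence of where you will end up.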

Got any tips to share?  How do you prevent malware infections?  How have you dealt with them when they have occurred?