Fake System Tools Spread to Japan

January 27, 2011 by admin  
Filed under Security News

Late last year, we wrote about how fake system diagnostic tools were becoming the next step in the evolution of FAKEAV malware. These variants have now started to affect Japanese users as well.

 

Fake system diagnostic tools, such as the variant named System Defragmenter, were first discovered in October 2010. These tools change their names very frequently; at present we are aware of at least 30 different names/aliases that they use. Cybercriminals may believe that changing their products’ names makes detecting and removing them much more difficult.

 

None of this should be taken to mean that conventional fake antivirus attacks have gone away, however. Last week, a very high-profile attack involving a rogue antivirus detected by Trend Micro as TROJ_FAKEAV.SMTV hit Twitter. Many users fell prey to this when they clicked links that used the goo.gl URL shortener to lead to this FAKEAV variant’s download.

 

Attacks involving fake diagnostic tools are similar to traditional FAKEAV attacks. A fake tool appears to function like a real system diagnosis tool, though its supposed diagnostic functions never work. Once a user’s PC is infected by such a tool, it repeatedly displays fake warnings saying that the system is suffering from hard disk problems.

 

Inexperienced users may worry and panic over these problems. They may end up paying for additional “tools” and giving cybercriminals their personal information such as email addresses and credit card numbers. Like FAKEAV, these fake diagnosis tools will cause many problems for users.

 

Infection Vectors

Fake diagnostic tools may arrive via several different infection vectors:

  • Users visit malicious sites and manually download and install malicious files.
  • Users visit malicious sites that are riddled with exploits, which silently install malicious files in the background.

 

The tactics cybercriminals use to distribute fake diagnostic tools are broadly similar to those used for FAKEAV malware. Cybercriminals may lead users to sites they control, typically through black hat search engine optimization (SEO) poisoning, or to compromised legitimate sites. In cases where these fake tools are installed without the users’ knowledge, users may believe the fake tools are actually legitimate programs, allowing the attacks to succeed.

 

System Defragmenter is detected as TROJ_FAKEAL.GG. While the sites that distributed it are now inaccessible, similar attacks continue to be launched, albeit using constantly changing names and sites. Understanding how these attacks are conducted will help users avoid becoming victims.

 

Its installer uses the same icon as Windows Update.


Fourteen minutes after the tool is installed, it displays a fake alert in the user’s notification area.

 

Here are some of the other names the fake diagnostic tools use:

  • Check Disk
  • Defragmenter
  • Disk Doctor
  • Disk Optimizer
  • Disk Repair
  • DiskOK
  • EasyScan
  • FastDisk
  • GoodMemory
  • Hard Drive Diagnostic
  • HDDControl
  • HDDDefragmenter
  • HDDDiagnostic
  • HDDFix
  • HDDHelp
  • HDDPlus
  • HDDLow
  • HDDRecovery
  • HDDRepair
  • HDDRescue
  • HDDTools
  • MemoryFixer
  • MyDisk
  • QuickDefrag
  • Scan Disk
  • Scanner
  • Smart HDD
  • Support Tool 2011
  • System Degragmenter
  • Ultra Defragger
  • Win Defrag
  • Win Defragmenter
  • Win Scanner

 

Solutions and Workarounds

Trend Micro free tools can clean systems that have been affected by System Defragmenter. However, users first have to get around one of this malware’s behaviors: it monitors the execution of applications, so that some security tools such as HijackThis, as well as executables in the C:\Windows and C:\Program Files folders, will not run and instead trigger a fake error message (shown in the original post’s screenshot).

Users will have to terminate the malware process first. The procedure starts by determining the file name the malware uses. To do this, follow these steps:

  1. Right-click the shortcut (System Defragmenter) on the desktop and select Properties.
  2. Check and note the file name, which is usually made up of random characters. In the example from the original post, the file name used was 1181500.exe.

After taking note of the file name, open Task Manager by pressing Ctrl+Alt+Delete and use it to terminate the fake tool’s process.

 

Using HijackThis, take note of any or all of the registry entries that the malware added. HijackThis can then remove these entries to stop the malware from running whenever the system starts. (In the original post’s screenshot, the suspicious entries are enclosed in a red box.)
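As an added illustration of the cleanup procedure above (this script is not part of the Trend Micro post and is not one of its tools), the following PowerShell audits the standard Run/RunOnce autostart keys for an entry that looks like the fake tool’s launcher, and only with -Remove terminates the process and deletes those entries, mirroring the manual Task Manager and HijackThis steps. The file name passed in (such as 1181500.exe) is the one noted from the shortcut’s Properties; the random-looking-name and Temp/AppData heuristics are assumptions for illustration, not rules from the post.

```powershell
<#
  Added example, not code from the Trend Micro post. Audits the standard
  Run/RunOnce autostart keys for an entry that looks like the fake tool's
  launcher, then (only with -Remove) kills its process and deletes the entry.
  The key paths are the documented Windows autostart locations; the
  "random-looking name" and Temp/AppData heuristics are assumptions.
  Editing HKLM entries requires an elevated prompt.
#>
param(
    [string]$FileName,   # name noted from the shortcut's Properties, e.g. '1181500.exe'
    [switch]$Remove      # without this switch the script only reports
)

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutorunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those
            if ($p.Name -like 'PS*') { continue }
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
}

function Test-SuspiciousCommand {
    param([string]$Command)
    # Extract the executable path, quoted or not, from the command line
    $exe = if ($Command -match '^"([^"]+)"') { $Matches[1] } else { ($Command -split '\s+')[0] }
    $base = [System.IO.Path]::GetFileNameWithoutExtension($exe)
    $inUserData = $exe -match '\\(Temp|Local Settings|AppData)\\'
    # Assumed heuristic: numeric-only name (like 1181500.exe), or a long
    # random-looking name launched from Temp/AppData, or the exact name given
    return ($base -match '^\d{5,}$') -or
           ($base -match '^[a-z0-9]{8,}$' -and $inUserData) -or
           ($FileName -and $exe -like "*\$FileName")
}

$hits = @(Get-AutorunEntries | Where-Object { Test-SuspiciousCommand $_.Command })
$hits | Format-Table -AutoSize

if ($Remove -and $hits.Count -gt 0) {
    if ($FileName) {
        # Terminate the fake tool first; while it runs it blocks other programs
        $procName = [System.IO.Path]::GetFileNameWithoutExtension($FileName)
        Get-Process -Name $procName -ErrorAction SilentlyContinue | Stop-Process -Force
    }
    foreach ($h in $hits) {
        # Drop the autostart entry so the tool no longer launches at logon
        Remove-ItemProperty -Path $h.Key -Name $h.Name -Verbose
    }
}
```

Run it once without -Remove to review the report, then again with -FileName and -Remove from the affected user’s session.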

 

Source: http://blog.trendmicro.com


Intel sells anti-virus business, waits 12 years, buys anti-virus business

August 20, 2010 by admin  
Filed under Security News

The big news in the IT security industry today is the announcement that Intel plans to acquire McAfee for a jaw-dropping $7.68 billion.

 

Yes, that’s “billion”. Oh to have such pocket money.

 

Of course, those of us with long memories will know that Intel is no stranger to the computer security industry.

 

Indeed they used to have their own anti-virus product (Intel LanDesk Virus Protect) which they sold to Symantec in 1998.

 

Now, Intel is purchasing Symantec’s arch-enemy McAfee and re-entering the business.

 

UK Government: We’re sticking with Internet Explorer 6

August 5, 2010 by admin  
Filed under Security News

Gulp. At the end of last week, along with thousands of other Brits, I received an email from the UK Government telling me that they had responded to a petition I had signed urging the Prime Minister to encourage government departments to upgrade from Internet Explorer 6.

 

You can read the UK Government’s response here.

 

In a nutshell, Her Majesty’s Government says it is more cost-effective to stick with Internet Explorer 6 (which has been dogged with security issues) rather than switch to an alternative browser or a more up-to-date version.

 

Too expensive, huh?

 

You have to wonder if that’s going to be considered an acceptable excuse by the general public when there’s a serious security breach that exploits a creaky old browser that’s been around since 2001.

 

Where’s the wisdom in sticking with IE 6 when Microsoft itself has urged users to upgrade to a more secure version, many websites are dropping support for it, and security professionals advise that installations of Internet Explorer 6 should be taken outside and beaten with a heavy stick.

 

GFI Software Enhances its Security Product Offering with the Acquisition of Sunbelt Software

July 14, 2010 by admin  
Filed under Security News

The company’s VIPRE technology will allow GFI to offer its own established antivirus product


Raleigh, NC – July 13, 2010 – GFI Software, a market leading provider of software infrastructure products for small and medium-sized enterprises, announced today that it has acquired Sunbelt Software and specifically its VIPRE® product suite. Terms of the transaction were not disclosed. The acquisition will allow GFI to merge VIPRE technology into GFI’s email security and web security solutions group, and will provide GFI with new security products consisting of world-class and innovative technology. The assets of Sunbelt’s software distribution business, started over 16 years ago and separate from the technology side of the company, will be divested into a separate entity and the company is exploring other strategic partnerships.


“Over the past several years, we have looked extensively for the best technologies, the best developers and the best management teams that will allow us to expand our current product offerings and to provide the best service we can to our customer base. We were impressed by the high quality and innovative technology that underlies Sunbelt’s VIPRE line of products and immediately saw strong synergies between the two companies. We have acquired a good, growing and cash-flow positive business that fits well within GFI’s strategic vision to consolidate our products and grow our business,” said Walter Scott, GFI’s CEO.

 

“Furthermore, Sunbelt’s technology is backed by a reliable, committed customer support team that provides great service – something so important for us. We see this investment in Sunbelt and its VIPRE technology as an excellent opportunity to increase our install base, drive the software globally through our international partner channel and also build our consumer market, which has a powerful drag-along effect on the SME and SoHo markets,” Mr. Scott added.

 

“The technologies developed by both companies are highly complementary and I have a hard time imagining a better combination,” said Alex Eckelberry, CEO of Sunbelt Software.  “Additionally, GFI and Sunbelt are rooted in similar business principles, with similar markets and a commitment to superlative customer service.”

 

About Sunbelt Software

Headquartered in Tampa Bay (Clearwater), Fla., USA, Sunbelt Software is a leading provider of Windows security software including enterprise antivirus, antispyware, email security, and malware analysis tools. Leading products include the VIPRE® and CounterSpy® product lines, Sunbelt Exchange Archiver™, CWSandbox™, and ThreatTrack™.

 

About GFI

GFI Software provides a single best source of web and mail security, archiving and fax, networking and security software and hosted IT solutions for small to medium-sized enterprises (SME) via an extensive global partner community. GFI products are available either as on-premise solutions, in the cloud or as a hybrid of both delivery models. With award-winning technology, a competitive pricing strategy, and a strong focus on the unique requirements of SMEs, GFI satisfies the IT needs of organizations on a global scale. The company has offices in the United States (North Carolina and California), UK (London and Dundee), Austria, Australia, Malta, Hong Kong and Romania, which together support hundreds of thousands of installations worldwide. GFI is a channel-focused company with thousands of partners throughout the world and is also a Microsoft Gold Certified Partner.

 

 

To view this release online, go to:

http://www.sunbeltsoftware.com/Press/Releases/?id=362

 

For more information:

GFI Software

Please email David Kelleher on dkelleher@gfi.com

GFI – Malta: Tel: +356 2205 2000; Cell: +356 7906 3606; Fax: +356 21382419.

URL: http://www.gfi.com.

 

Sunbelt Software

Please email Brian Alberti on sunbelt@daviesmurphy.com

Sunbelt – US: Tel: +1-781-418-2403

URL: http://www.sunbeltsoftware.com.

 

 

All Twitter Users Have 0 followers and 0 following !

May 10, 2010 by admin  
Filed under Security News

Ten minutes ago I just wanted to follow some Twitter users and I got this message:

Then I refreshed the page to see the Virus Experts profile and I saw it had 0 followers and 0 following!?

I thought only our account had this problem, so I checked more than one Twitter account and I saw they had the same problem.

 

I think Twitter is fixing the follower spam problem.

 

We will wait…

 

Update: after 20 minutes Twitter fixed the problem.

Facebook privacy given a poor scorecard by WhatApp project

April 21, 2010 by admin  
Filed under Security News

Facebook has been rated lower than its social networking competitors Twitter and MySpace for privacy and security, according to a study from Stanford University.

 

According to a report in Forbes, the WhatApp website has rated the security and privacy of Facebook as being lower than that of the Apple iPhone, Twitter and MySpace.

 

Service     Privacy   Security
Facebook    2/5       2/5
Twitter     3/5       3/5
MySpace     3/5       3/5
iPhone      3/5       3/5

WhatApp, which was co-created by Stanford University Law fellow Ryan Calo, describes itself as “an online resource where experts and other users can assess, discuss, and rate the privacy and security of mobile and Internet-enabled applications. Now in Beta, the website combines traditional consumer reporting and review tools with wikis and news feeds to allow users to make informed choices about the applications they download.”

 

Calo told Forbes that he believed Facebook users are concerned about the amount of information applications can access: “I think people are upset because when you download an app, you don’t have any control over what the app developer sees on your profile. There’s the perception among users that they don’t need to give away so much information to have the apps do the same thing as they are currently doing.”

 

However, I think we would be rash to take WhatApp’s scorecard for Facebook at err.. face value. It’s important to note that the WhatApp site’s goal is primarily to look at specific applications, and that the results publicised by Forbes are extrapolated from those individual application scores to give an overall score for how well Facebook as a whole is faring. (I’ve been contacted by Oliver Chiang, the author of the Forbes article, who tells me that WhatApp do rate platforms such as Facebook separately from the apps, so it’s not an aggregation. Sorry about that).

 

What isn’t clear is how well we can verify Calo’s credentials as an expert, and it’s also not shown how many of the site’s “verified” experts contributed to the scores that have been published so far. Nevertheless, Facebook won’t be best pleased to see it ranked poorly against its competitors.

 

Facebook security and privacy are very real concerns, of course, and this debate is likely to run and run. Many of us may well have good reason to long for the days of 2006, when Facebook privacy was a much simpler thing:

"No personal information that you submit to Facebook will be available to any user of the Web Site who does not belong to at least one of the groups specified by you in your privacy settings."

It’s very simple – all I want is to have control over who can see my personal information on Facebook.

But it seems that more and more Facebook is preventing me from achieving that seemingly simple aim.

 

By Graham Cluley, Sophos

 

 

Surveillance rootkits on smartphones

February 24, 2010 by admin  
Filed under Security News

Liviu Iftode and Vinod Ganapathy, two researchers at Rutgers University, have revealed some experiments they have been conducting, showing how rootkits could be used to take control of smartphones.

 

The scientists have shown that a malicious attacker could cause a smartphone to “eavesdrop on a meeting, track its owner’s travels, or rapidly drain its battery to render the phone useless”.

 

Watch the following YouTube video to learn more:

 

 

It’s a cute little video, but how realistic is this threat in reality?

 

I don’t think the kind of attack described by Iftode and Ganapathy is a big deal right now.

 

Yes, it is possible to change or put software onto a smartphone (by, for instance, installing a rootkit) so that the mobile device then performs malicious functions: for instance, code that enables covert remote surveillance, drains the battery, or silently steals data.

 

Of course, this relies upon the smartphone allowing you to make changes to its low-level software. Popular smartphones like the Apple iPhone lock down that kind of meddling to a great extent.

 

So, the key thing to remember is that the bad guys have to somehow get the malicious rootkit onto your phone in the first place.

 

How are they going to do that?

 

They would either need to have physical access to your smartphone, exploit an unpatched security vulnerability or use a social engineering attack to trick you into installing malicious code. Even if they went down the “trick” route they would be relying upon the phone’s OS to allow you to install unapproved apps (iPhones, for instance, are strictly controlled by their Cupertino-based overlords, allowing users to only install code that has been approved and checked by the AppStore).

 

So it doesn’t sound like what Iftode and Ganapathy are describing is actually any different from the rootkits that infect traditional desktop computers. The main difference is that there are probably fewer opportunities to infect a mobile phone (and thus it is much harder) than, say, a computer running Windows.

 

Furthermore, I would argue that the typical mobile phone user is still less accustomed to installing applications than their Windows counterparts, and so the chances of success in fooling the user into installing a dangerous application can be assumed to be even lower.

 

Iftode and Ganapathy have not demonstrated any revolutionary new way of getting round the biggest hurdle for those wanting to spy on smartphones: how are they going to get the malware onto the phone?

 

If I really wanted to snoop on someone’s phone I think it would probably be easier to swap my victim’s mobile phone for an identical (but bugged) device rather than go to all this effort with no promise of success.

 

Sure, the mobile phone malware threat is growing – but it’s a tiny raindrop in a thunderstorm compared to regular attacks that strike Windows computers. Slowly but surely it’s becoming more serious (the recent discovery of financially-motivated malware that targets jailbroken iPhones is proof of that), and undoubtedly we will begin to see more users running anti-virus security on their phones in the years to come.

 

However, if I was responsible for securing my company’s mobile phones I would be much more worried about the real security threat of staff losing their phones in taxis or on the train, rather than the theoretical risk of surveillance rootkits.

 

It’s a nice video and presentation that Iftode and Ganapathy made, but I won’t be losing any sleep over it just yet.

 

More information on the topic of smartphone rootkits can be found in the paper Iftode and Ganapathy have produced: “Rootkits on Smart Phones: Attacks, implications and opportunities” [PDF]

 

By Graham Cluley, Sophos

 

F-Secure unveils updated security suite

August 7, 2009 by admin  
Filed under Protection Tools

F-Secure has announced Internet Security 2010, an updated version of its popular security suite.


The company said that the new suite offers enhanced detection techniques using cloud-based technology, more secure browsing, and an improved user experience.


The cloud based element is provided by its ‘Real-Time Protection Network’, which uses F-Secure’s DeepGuard technology to compare any file launched on a system against a database hosted on F-Secure’s servers.


F-Secure’s technical manager Leslie Forbes said this process took only 70-100 milliseconds. “It’s amazingly fast”, he said. When users are offline, the system defaults to a local ‘sandbox’ scanning method. “It’s like having a virus lab with you all the time.”


Forbes also said that the new 2010 version was less resource hungry than the previous version and its competitors, making it suitable for use with netbooks or low spec systems.


UK country manager Pekka Metala admitted that, having had great success as the default security suite provided by many European ISPs, F-Secure was for now mainly targeting the consumer market.


“We’re not just an enterprise company any more”, Metala said. However, he assured IT PRO that it was not abandoning the business market and that where relevant the new technology in the 2010 suite would be applied to its enterprise products.


“We have lots of legacy public sector customers, and we’re going to continue to support them.”


The suite will be available for download on 3 September for £39.95 for a three user pack, or £19.95 for a single user. It is available for Windows XP, Vista and 7.


When asked by IT PRO, Forbes hinted that a Mac version was also on the way, but no date was provided.


Back in February, F-Secure’s own internal servers were hit by an SQL injection attack, though the company deemed the attempted hack to be only “partially successful”.


Report finds that fake anti-virus is on the rise

July 29, 2009 by admin  
Filed under Security News

Malware posing as anti-virus software is spreading fast with tens of millions of computers infected each month, according to a report to be released on Wednesday from PandaLabs.

 

PandaLabs found 1,000 samples of fake antivirus software in the first quarter of 2008. In a year that number had grown to 111,000 and for the second quarter of 2009 it reached 374,000, Luis Corrons, technical director of PandaLabs said in a recent interview.

 

“We’ve created a specific team to deal with this,” he said, of the rogue anti-virus software that issues false warnings of infections in order to get people to pay for software they don’t need. The programs also typically download a Trojan or other malware.

 

PandaLabs found that 3 percent to 5 percent of all the people who scanned their PCs with Panda anti-virus software were infected. Using that and worldwide computer stats from Forrester, PandaLabs estimates there could be as many as 35 million computers infected per month with the rogue anti-virus programs.

 

About 3 percent of the people who see the fake warnings fall for it, forking over $50 for an annual license or $80 for a lifetime license, according to Corrons.

 

Last September, a hacker was able to infiltrate rogue anti-virus maker Baka Software and discovered that in one period an affiliate made more than $80,000 in about a week, said Sean-Paul Correll, a PandaLabs threat researcher.

 

A Finjan report from March estimated that fake AV distributors can make more than $10,000 a day.

 

“The general consumer doesn’t understand” the threat, Correll said. “No legitimate anti-virus vendor will start a scan automatically on your computer without your consent.”

 

After all the hoopla about the Conficker threat, researchers seemed almost relieved that it turned out to distribute fake anti-virus software instead of something much worse.

 

By Elinor Mills from CNET