
General malware links
The well-researched and well-written 2008 Global Threat Report by antivirus vendor McAfee painted a comprehensive picture of malware incidents worldwide, and is recommended reading for infosec professionals everywhere. All the antivirus companies, by necessity, are well in touch with the state of the art and present a clear understanding of the latest malware issues.
The Art of Computer Virus Research and Defense by Peter Szor (~US$31 from Amazon) is highly recommended as a well-written and good value 700 page textbook that builds a comprehensive picture of the evolution of viruses, worms and other malware over the last 20 years or so.
SP 800-83 is NIST’s excellent 101-page Guide to Malware Incident Handling and Prevention. “This publication provides recommendations for improving an organization’s malware incident prevention measures. It also gives extensive recommendations for enhancing an organization’s existing incident response capability so that it is better prepared to handle malware incidents, particularly widespread ones. The recommendations address several major forms of malware, including viruses, worms, Trojan horses, malicious mobile code, blended attacks, spyware, tracking cookies, and attacker tools such as backdoors and rootkits. The recommendations encompass various transmission mechanisms, including network services (e.g. e-mail, Web browsing, file sharing) and removable media.”
Despite the title, Bug Free Computing: Stop Viruses, Squash Worms, and Smash Trojan Horses by Ken Dwight (~US$15 from Amazon) is primarily about viruses rather than what we would call bugs. It is a short, nontechnical book.
Trojans, Worms, and Spyware: A Computer Security Professional’s Guide to Malicious Code by Michael Erbschloe (~US$45 from Amazon) combines step-by-step instructions on what to do in an incident with case studies.
An article in CSO Magazine pointed out the ultimate futility of the signature-based antivirus detection and blacklisting mechanisms. Antivirus is dead. Long live antivirus.
The Administrator Guide to Email Protection is a free eBook mostly, in fact, covering malware protection for Exchange and Outlook. [Download requires registration.]
Send your virus-infected email to VirusTotal.com and they will scan it with a broad range of antivirus products, showing their differing effectiveness. Jotti and Sunbelt Sandbox are two more in the same vein.
eWeek traced the history of malware back to a 1982 proof-of-concept virus called Elk Cloner on Apple II systems. The SCA virus and Brain infected IBM PC compatibles and Amigas in the late 1980s, followed by the Morris Worm, the first documented “in the wild” network worm.
A cyber security tip from US CERT concerns what to do if, despite the controls, your system is infected with a virus, worm, Trojan or other malicious software. The tip includes actions to minimize the chances of re-infection. Other CERT cyber security tips are listed here.
Microsoft’s advice for home users on viruses, worms and Trojans is one of the few sites to discuss Instant Message security issues.
CERT’s incident note concerns the increasing rate of spread of malware and some of the reasons behind it. They recommend multilayer defenses, not just antivirus software but firewalls, access controls etc. as well. Their home network security page carries a lot of advice for ordinary users.
The Register carries lots of topical news on viruses, worms etc., tinged (or tainted, depending on your perspective) with the usual cynical British humour.
Viruses and worms
The News reported “A computer virus has attacked the communications network of almost the entire Royal Navy fleet, knocking out e-mails and the internet. It is understood the worm disabled the NavyStar network in up to 75 per cent of the navy's ships last week, meaning sailors could not get messages home.”
The San Francisco Chronicle, among many others, reported on the Downadup worm, also known as Conficker.
A US-CERT Cyber Security Tip explains how antivirus software protects your system against viruses, worms etc.
CERT also offers simple advice on how to recover from a virus or Trojan infection ... which makes the point that you will almost certainly need to restore programs and/or data from backups. Are your backups up-to-date?
Antivirus software vendors all provide information about malware, not just about their own products. If you are curious to find out how antivirus products compare, AV-Comparatives regularly tests a reasonable selection of products against an up-to-date ‘zoo’ containing a million malware examples, while AVtest.org have been tracking and comparing the average release times for signature updates from all the main antivirus vendors.
The Advisory Council recommends clarifying rules such as “Don’t disable antivirus software”. The cynical might suggest circulating security awareness materials to employees with a form of words not that dissimilar to “Don’t disable antivirus software!”
PDAs and hand-held PCs can suffer viruses and, more importantly, can introduce viruses into the corporate networks. This VNUnet story gives an overview.
The Wild List is a monthly-updated list of viruses in circulation, verified by correlating reports from multiple sources. The website supports the need for frequent antivirus signature updates. Viruslist claims to be the biggest virus encyclopedia.
Originally known as the European Institute for Computer Antivirus Research, EICAR is the source of the EICAR antivirus test sequence, a useful and safe way to check whether your antivirus software is actually doing anything, short of picking up a genuine virus infection.
The Virus Bulletin is targeted at antivirus professionals.
Here is a salutary lesson about an information security department that spent hundreds of man-hours eradicating a worm from a network they thought was protected.
Worm library covers worms discovered in the wild. Many of them are in fact blended threats e.g. worms that install backdoors or SMTP spam mailers.
Trojans
The Heartland credit card data breach, probably the world’s biggest to date, has been blamed on malware, presumably a Trojan. “A piece of malicious software planted on the company's payment processing network recorded payment card data as it was being sent for processing to Heartland by thousands of the company's retail clients.”
The Washington Post reported that some copies of Apple's iWork productivity software downloaded from peer-to-peer (P2P) file-sharing networks were infected with a Mac-specific Trojan.
Here’s an impressive list of functions available remotely to someone who controls systems infected with the Phatbot Trojan. Read the list to understand what it really means if your system is 0wn3d by Phatbot.
RSS feeds can evidently be used to deliver Trojans (or indeed other forms of malware) as well as news - just another example of the criminal creativity, or is that creative criminality, of VXers.
A Manchester nurse has been hackmailed, possibly the first victim of so-called ransomware in the UK. A somewhat confusing BBC news report indicates that hackers got onto her PC, encrypted some of her files and then blackmailed her to decrypt them.
“Spear phishers” use phishing emails to target specific individuals or groups, typically installing Trojans or other malware on victims’ systems. British MPs have been targeted.
Stories about hackers secretly snooping on people through their own PCs may sound like urban myths but a few reported cases have enough information to be credible. A teenager and her mother in Houston describe how a hacker would sometimes take over their keyboard, typing disturbing messages on the screen as they watched in horror. Words spoken in the room would appear character-by-character, transcribed by the hacker as he listened on the webcam’s microphone. It looks as if the PC had been infected by a remote-access Trojan, giving the hacker complete control of the system’s functions through the Internet.
[Remember this little story next time you pick your nose or worse in front of your webcam!]
Where there’s smoke there’s mirrors: the truth about Trojan horses on the Internet is a comprehensive paper about Trojans, starting with Greek mythology. The legendary “Trojan horse” was a wooden horse used by the Greeks to sneak soldiers into Troy. Would a similar trick work today? It seems in Australia, the answer is yes.
Other malware issues
“A logic bomb allegedly planted by a former engineer at mortgage finance company Fannie Mae last fall would have decimated all 4,000 servers at the company, causing millions of dollars in damage and shutting down Fannie Mae for at least a week, prosecutors say.” Wired.
An interview with an adware author is quite revealing, if only for his self-serving rationalization when trying to explain/justify why he did what he did.
A sacked worker planted malware on his former employer's computer network in a revenge attack.
Eicar.dk, miningco, Snopes, Urbanlegends and various other websites carry information on hoaxes, urban legends, folklore and Internet frauds including spoof malware warnings. The better ones cite properly-referenced research on the validity or otherwise of the stories. The Virus myths site, for example, has an excellent searchable database of myths, spoofs, urban legends etc. Some hoaxes and urban legends can be quite entertaining, once you realize they are entirely fictional, but they are mostly just annoying.
A 20 minute CERT podcast on botnets gives an overview of botnets - sizeable networks of compromised computers remotely controlled by hackers, used for stealing data, identity theft, hacking other systems and spamming.
The take-home message from this CompTIA study is simply that spyware is a widespread problem that impacts productivity.
An IT systems administrator, fearing that he was about to be laid off, planted a logic bomb in his employer's systems. He survived the round of redundancies but detonated the logic bomb anyway.
Find out why you should beware rootkits on your systems. Rootkits install modified operating system files such as “ls.exe” (the UNIX list files command) to hide the presence of hacking tools. A technical presentation and white paper by F-Secure explains about deeply embedded kernel-mode rootkits.
“Virtual Machine Based Rootkits” (VMBRs), rootkits that install themselves at boot time and then install a virtual machine environment to boot the normal operating system, are the subject of a fascinating research paper.
A US CERT CyberSecurity tip explains ‘hidden threats’ such as rootkits and botnets and another explains how to recognize, prevent and remove spyware or adware from your PC. Yet another covers the risks associated with P2P (peer-to-peer) file sharing, including malware, disclosure of confidential information and denial of service.
If your system is compromised by a rootkit and assuming you discover the infection, you might as well just “waste the system entirely,” said a program manager from Microsoft’s security solutions group.
SecurityFocus brought up the possibility of rootkits infecting the computer’s BIOS. The same principle applies to rootkits in video BIOS and network BIOS. The nasty thing about these locations is that a reboot won’t clear them, nor will a normal complete system rebuild - not even a brand new hard drive ...
Sophos has highlighted the increasing prevalence of malware, especially keyloggers and other Trojans.
Spycar comprises a suite of routines designed to mimic the tricks used by various forms of spyware to install themselves (in a benign fashion, of course) and thereby test your anti-spyware tools.
Keyloggers have some supposedly legitimate as well as illegitimate uses, e.g. keeping an eye on what your children are getting up to online, or snooping on criminals to capture their secret passwords. [Admittedly, this is a bit like claiming that beer is merely a refreshing drink.]
Related NoticeBored links collections
Incident management, hacking, identity theft, social engineering, contingency planning, email security, Bugs!, IT fraud, Internet security, privacy, change management and security awareness
All links are periodically verified but do let us know if you find a dead link or click here to suggest a new link. We do not necessarily endorse or agree with the third party websites accessible through these links - use at your discretion and risk.