Malicious software resources

Viruses worms and Trojan horses

General malware links

Linked March 27: McAfee warned about malware installed on 10,000 Web pages. The malware attempts to infect the systems of visitors to the sites by exploiting vulnerabilities in various common programs.

Linked March 27: A malware article in CSO Magazine points out the ultimate futility of signature-based antivirus detection and blacklisting mechanisms.

Linked March 1. Recommended reading: The well-researched and well-written 2008 Global Threat Report by antivirus vendor McAfee paints a comprehensive picture of malware incidents worldwide, and is recommended reading for infosec professionals everywhere. All the antivirus companies, by necessity, are well in touch with the state of the art and present a clear understanding of the latest malware issues.

Recommended reading: The Art of Computer Virus Research and Defense by Peter Szor (~US$31 from Amazon) is highly recommended as a well-written and good value 700-page textbook that builds a comprehensive picture of the evolution of viruses, worms and other malware over the last 20 years or so.

Recommended reading: SP 800-83 is NIST’s excellent 101-page Guide to Malware Incident Handling and Prevention. “This publication provides recommendations for improving an organization’s malware incident prevention measures. It also gives extensive recommendations for enhancing an organization’s existing incident response capability so that it is better prepared to handle malware incidents, particularly widespread ones. The recommendations address several major forms of malware, including viruses, worms, Trojan horses, malicious mobile code, blended attacks, spyware tracking cookies, and attacker tools such as backdoors and rootkits. The recommendations encompass various transmission mechanisms, including network services (e.g. e-mail, Web browsing, file sharing) and removable media.”

Recommended resource: Watchguard’s outstanding malware-related security awareness videos have fairly technical content but are good, engaging presentations. Drive-by downloads demonstrates how simply browsing a malicious or compromised website may infect an inadequately secured PC; rootkits (part 1, part 2, part 3) explains how your system can be owned by hackers.

Despite the title, Bug Free Computing: Stop Viruses, Squash Worms, and Smash Trojan Horses by Ken Dwight (~US$15 from Amazon) is primarily about viruses rather than what we would call bugs. It is a short, non-technical book.

Trojans, Worms, and Spyware: A Computer Security Professional’s Guide to Malicious Code by Michael Erbschloe (~US$45 from Amazon) combines step-by-step instructions on what to do in an incident with case studies.


The Administrator Guide to Email Protection is a free eBook mostly, in fact, covering malware protection for Exchange and Outlook. [Download requires registration].

Secunia has a wealth of information on malware including a synthesis of virus information and virus alerts from the main antivirus companies and some tools to help fight the scourge. Secunia’s independence is a bonus.

Send your virus-infected email to VirusTotal.com and they will scan it with a broad range of antivirus products, showing their differing effectiveness. Jotti and Sunbelt Sandbox are two more in the same vein.

Worried about zero-day attacks? Curious about which antivirus software vendors react first to new malware outbreaks? Then take a look at AVtest.org. The research team have been tracking and comparing the average release times for signature updates from all the main antivirus vendors.

Bill Cheswick’s presentation “My Dad’s Computer” made the point that his dad has virtually no interest in or understanding of the technology and its security implications, hence his PC is continually infected with viruses and spyware.

Professor Richard Elnicki used questionnaires to gather malware cost estimates from Florida University faculty and IT staff of the time lost to a major virus outbreak, amounting to nearly $2m, excluding the value of time lost by students. Serious networking problems at a law firm were traced to a malware-infected screensaver circulated by highly qualified and bright (but evidently naive) staff. Nonproductive downtime and recovery costs in that case totaled $100,000.

An eWeek article traces the history of malware back to a 1982 proof-of-concept virus called Elk Cloner on Apple II systems. The SCA virus and Brain infected IBM PC compatibles and Amigas in the late 1980s, followed by the Morris Worm, the first documented “in the wild” worm.

GFI LANguard Portable Storage Control is software to control the use of USB memory sticks, smartphones, MP3 devices etc. It can help avoid the introduction of malware as well as limiting the unauthorized removal of gigabytes of sensitive data.

The UK Department of Trade and Industry publishes a range of basic good advice for businesses, including a set of awareness materials on information security topics. The link takes you to an index page with access to all sorts of DTI goodies on malware, internet security, physical security etc. plus a new general overview publication Information Security: Hard Facts.

The latest cyber security tip from US CERT concerns what to do if, despite the controls, your system is infected with a virus, worm, Trojan or other malicious software. The tip includes actions to minimize the chances of re-infection. Other CERT cyber security tips are listed here.

Microsoft’s advice for home users on viruses, worms and Trojans is one of the few sites to discuss Instant Message security issues.

CERT’s incident note concerns the increasing rate of spread of malware and some of the reasons behind it. They recommend multilayer defenses: not just antivirus software but firewalls, access controls etc. as well. Their home network security page carries a lot of advice for ordinary users.

Some hoaxes and urban legends can be quite entertaining, once you realize they are entirely fictional, but they are mostly just annoying and wasteful.

The Stay Safe Online site promotes simple good practice tips to help home users stay secure. One of their top tips is to “Use anti-virus software, a firewall, and anti-spyware software to help keep your computer safe and secure”.

The Register carries lots of topical news on viruses, worms etc., tinged (or tainted, depending on your perspective) with the usual cynical British humor.

The US Department of Energy Computer Incident Advisory Capability (CIAC) website has news of current malware and related threats.

Viruses

A US-CERT Cyber Security Tip (linked March 27, updated in March 2008) explains how antivirus software protects your system against viruses, worms etc. CERT also offers simple advice on how to recover from a virus or Trojan infection ... which makes the point that you will almost certainly need to restore programs and/or data from backups. Are your backups up-to-date? And if this page is not enough for you, try CERT’s huge list of virus links.

Datafellows (supplier of F-Secure), Sophos, Symantec, Network Associates (supplier of McAfee and the late Dr Solomon’s), Computer Associates and Kaspersky Lab are antivirus software vendors. They all provide information about malware, not just about their own products. If you are curious to find out how antivirus products compare, AV-Comparatives regularly tests a reasonable selection of products against an up-to-date ‘zoo’ containing a million malware examples. The top three products in the February 2007 assessment were AVK, TrustPort and AVIRA.

The Advisory Council recommends clarifying rules such as “Don’t disable antivirus software”. We’d suggest circulating security awareness materials with a form of words remarkably similar to “Don’t disable antivirus software!”

PDAs and hand-held PCs can suffer viruses and, more importantly, can introduce viruses into the corporate networks. This VNUnet story gives an overview.

The Wild List is a monthly-updated list of viruses in circulation, verified by correlating reports from multiple sources. The website supports the need for frequent antivirus signature updates. Viruslist claims to be the biggest virus encyclopedia.

Originally known as the European Institute for Computer Antivirus Research, EICAR is the source of the EICAR antivirus test sequence, a useful and safe way to check that your antivirus software is actually working.

The Virus Bulletin is targeted at antivirus professionals.

Worms

The Zotob worm exploited a Plug-and-Play vulnerability, targeting unpatched Windows machines by scanning port 445 and downloading a virus using FTP. The worm was released shortly after Microsoft’s Patch Tuesday. Two men were arrested in connection with the Zotob worm after systems at CNN, ABC, the New York Times, DaimlerChrysler, the American Red Cross and others were reportedly either hit by the Zotob-family Plug-and-Play worms or were taken offline to apply the Microsoft patches. Certain ‘security experts’ reportedly believe the Zotob situation demonstrates that the patching window is non-existent; in other words, all attacks are presumably now zero-day attacks. Two other worms exploited the same Plug-and-Play vulnerabilities as Zotob. According to antivirus professionals, these are signs of ‘worm wars’: battles between the (presumed) three teams writing these worms to take control of machines previously infected with worms from the other teams. What a jolly jape (not).

Here is a salutary lesson about an information security department that had to spend hundreds of man-hours eradicating the Mumu worm from a network they thought was pretty well protected. It turned out, in fact, that the worm was exploiting weak passwords and out-of-date or missing antivirus software, mostly on remote machines connected to the corporate network.

The Worm library covers worms discovered in the wild. Many of them are in fact blended threats, e.g. worms that install backdoors or SMTP spam mailers.

Trojans

Linked Feb 29 (leap day): A helpful if rather technical explanation of targeted malware attacks takes a look at some remote control Trojans.

Well worth a visit: here’s an impressive list of functions available remotely to someone who controls systems infected with the Phatbot Trojan. Read the list to understand what it really means if your system is 0wn3d by Phatbot.

Computerworld reported “‘We’re clearly seeing a trend away from broadcast attacks to much more targeted and much more sophisticated types of attacks,’ said Andreas Wuchner-Bruhl, head of global IT security at Novartis Pharma AG, a drug maker in Basel, Switzerland. ‘Dealing with it is much tougher.’ That’s because ‘the cons in the attacks are so much better customized’ for the specific companies they target, said Lloyd Hession, chief information security officer at BT Radianz, a New York-based provider of telecommunications services to the financial industry. ‘The chances of them being successful are much higher’ than in large-scale attacks, he said.” The potential for malware attacks targeting specific companies, or even individuals, looks clear to us, and we’re not just talking about phishing/pharming type attacks. We can foresee worms, for instance, that are slow spreading, benign and cryptic (thereby largely evading the interest of the antivirus community) unless/until they find themselves inside the target organization, whereupon they spring to life with devastating consequences.

RSS feeds can evidently be used to deliver Trojans (or indeed other forms of malware) as well as news.

A Manchester nurse has been hackmailed, possibly the first victim of so-called ransomware in the UK. A somewhat confusing BBC news report indicates that hackers got onto her PC, encrypted some of her files and then blackmailed her to decrypt them. The article also mentions a virus called Archiveus, which F-Secure in fact lists as a Trojan called MayArchive.B. Victims are evidently told to buy pharmaceuticals from a Russian Internet company. Ransomware is also the name of a licensing scheme to raise a certain amount of money from software before releasing it to the Open Source community, so we prefer the term “hackmail”.

Eicar.dk, urbanlegends.miningco.com, Snopes, Urbanlegends and various other websites carry information on hoaxes, urban legends, folklore and Internet frauds, including malware spoofs and even fraudulent emails about the tsunami. The better ones cite properly referenced research on the validity or otherwise of the stories. The Virus Myths site, for example, has an excellent searchable database of myths, spoofs, urban legends etc.

“Spear phishing” attacks involve the use of phishing-type email lures targeted at specific individuals or groups, seeking to install Trojans or indeed other malware on their systems. In one example, British MPs were evidently targeted. Thankfully, the Parliamentary security systems seem to have foiled the attack, but other victims may not have the same level of protection. What’s interesting about spear phishing is that the classic pattern-matching antivirus tools may prove ineffective if the attackers create or use virgin, never-before-in-the-wild malware specifically for these attacks. The implications are deeply worrying.

Stories about hackers secretly snooping on people through their own PCs may sound like urban myths, but a few reported cases have enough information to be credible. A teenager and her mother in Houston describe how a hacker would sometimes take over their keyboard, typing disturbing messages on the screen as they watched in horror. Words spoken in the room would appear character-by-character, transcribed by the hacker as he listened on the webcam’s microphone. It looks as if the PC had been infected by a remote-access Trojan, giving the hacker complete control of the system’s functions through the Internet. [Remember this little story next time you pick your nose or worse in front of your webcam!]

Where there’s smoke there’s mirrors: the truth about Trojan horses on the Internet is a comprehensive paper about Trojans, starting with Greek mythology. The legendary “Trojan horse” was a wooden horse used by the Greeks to sneak soldiers into Troy. Would a similar trick work today? It seems that in many places in Australia, the answer is yes.

Trojans enable spammers to use infected PCs to send out huge volumes of spam. Spammers like insecure home systems with always-on broadband connections because sending lots of emails quickly needs network bandwidth. Trojan’d systems also offer anonymity and resilience, hence their use to serve pornography and scams. The New York Times has a story about a ring of 1,000 Trojan’d PCs being used to host porn.

Other malware issues

Linked March 27: A 20-minute CERT podcast on botnets gives an overview of botnets, sizeable networks of compromised computers remotely controlled by hackers and used for stealing data, identity theft, hacking other systems and spamming.

Linked March 27: The take-home message from this CompTIA study is simply that spyware is a widespread problem that impacts productivity.

Linked March 27: An IT systems administrator, fearing that he was about to be laid off, planted a logic bomb in his employer’s systems. He survived the round of redundancies but detonated the logic bomb anyway.

Find out why you should beware of rootkits on your systems. Rootkits install modified operating system files such as “ls.exe” (the UNIX list files command) to hide the presence of hacking tools. A technical presentation and white paper by F-Secure explain deeply embedded kernel-mode rootkits.

“Virtual Machine Based Rootkits” (VMBRs), rootkits that install themselves at boot time and then install a virtual machine environment in which to boot the normal operating system, are the subject of a fascinating research paper.

A US-CERT Cyber Security Tip explains ‘hidden threats’ such as rootkits and botnets, and another explains how to recognize, prevent and remove spyware or adware from your PC.

If your system is compromised by a rootkit and assuming you discover the infection, you might as well just “waste the system entirely,” said a program manager from Microsoft’s security solutions group.

SecurityFocus brought up the possibility of rootkits infecting the computer’s BIOS. The same principle applies to rootkits in video BIOS and network BIOS. The nasty thing about these locations is that a reboot won’t clear them, nor will a normal complete system rebuild, not even a brand new hard drive ...

Sophos has highlighted the increasing prevalence of malware, especially keyloggers and other Trojans.

The Federal Trade Commission accused companies of infecting computers with spyware in an attempt to sell their own anti-spyware software. ‘Rogue software’ is another term that springs to mind.

Spycar comprises a suite of routines designed to mimic the tricks used by various forms of spyware to install themselves (in a benign fashion, of course) and thereby test your anti-spyware tools. Having been created by Ed Skoudis and colleagues, one can be reasonably confident that the tests are both effective and safe. The name is a jaunty tip-o’-the-hat towards the EICAR antivirus test sequence.

Keyloggers have some legitimate as well as illegitimate uses, e.g. keeping an eye on what your children are getting up to online.

A phishing attack using the promise of a Windows Update to lure people to visit a site that attempts to infect their systems with a Trojan is a typical blended threat.

US-CERT Cyber Security Tip ST05-007 explains the risks associated with P2P (peer-to-peer) file sharing, including threats such as malware, disclosure of confidential information and denial of service.

Hackers attempting to steal £220m (around $400m) from the London offices of Sumitomo Mitsui Banking Corporation were stopped by a concerted effort from the bank’s internal information security systems/processes and the British National High Tech Crime Unit. The hackers used keyloggers; media reports indicated they were hardware devices planted by hackers posing as office cleaners. The bank subsequently superglued its keyboard cables to its machines to foil similar attacks.

Despite a somewhat lackluster history with its anti-malware and a rotten history of releasing operating system and application bugs ripe for malware exploitation, Microsoft still promotes its own anti-spyware software. A short spyware awareness video is a great way to make computer users aware of the issue and gives useful, straightforward advice on reducing the risk of infection. See, Bill Gates is not all bad.


Related NoticeBored links collections

Incident management, hacking, identity theft, social engineering, contingency planning, email security, Bugs!, IT fraud, Internet security, privacy, change management and security awareness


All links are periodically verified but do let us know if you find a dead link or click here to suggest a new link. We do not necessarily endorse or agree with the third party websites accessible through these links - use at your own risk.



Copyright © 2008 IsecT Ltd. and licensors