Wednesday, November 25, 2009
Upgrade to Windows 7!
Upgrade to Windows 7! You'll be glad you didIs there a single stellar Windows 7 'feature?' No, there isn't one -- but Windows 7 simply does everything Vista does, except better. So should you upgrade to Windows 7? The answer is: Probably.
Is Your PC Bot-Infested? Here's How to Tell
Botnets are big, bad, and widespread -- but if your system is infected, you can take several simple steps to clean it and stay safe.
As fireworks boomed on the Fourth of July, thousands of compromised computers attacked U.S. government Web sites. A botnet of more than 200,000 computers, infected with a strain of 2004's MyDoom virus, attempted to deny legitimate access to sites such as those of the Federal Trade Commission and the White House. The assault was a bold reminder that botnets continue to be a massive problem.
Botnets are rogue networks of compromised "zombie" PCs. Your machine can become infected if you visit a site and download tainted code disguised as a video, if you visit a site that itself has been compromised, or if a traditional virus or other piece of malware enters your system. Once a bot infects your PC, it calls out to its command-and-control (CnC) server for instructions. A bot is similar to a traditional Trojan horse; but rather than merely installing a keylogger or a password stealer (which it might still do anyway), a bot works with other infected PCs, compelling them all to act together, in some ways like a very large computer.
Spammers pay big money to have a bot blast their message to thousands of machines; in particular, Canadian pharmaceutical spam is big right now. Other uses for bots include attacks that shut down commercial Web sites, often paired with a ransom demand. Brisk business also exists in what's called fast flux: To keep phishing Web sites active, operators change domains frequently. Botnets provide a quick and easy means to do so, and, according to security firm Kaspersky, botnet owners charge big money for that service.
In July, the ShadowServer Foundation, a group specializing in sharing information about botnets, reported that the number of identified botnets grew from 1500 to 3500 in the last two years. Each of those 3500 networks could contain several thousands of compromised PCs--and any given PC could be infected by multiple bots.
In raw numbers, the United States and China are the homes of most of the bot-infected machines, says Jose Nazario, manager of security research at Arbor Networks. "I think it's very safe for most PC users to assume they are part of a botnet," he says. "It's a very dangerous Internet for most folks."
Detecting Infections
Botnets live or die depending on communications with their CnC servers. Those communications can tell researchers how large a botnet is. Similarly, the flood of communications in and out of your PC helps antimalware apps detect a known bot. "Sadly, the lack of antivirus alerts isn't an indicator of a clean PC," says Nazario. "Antivirus software simply can't keep up with the number of threats. It's frustrating [that] we don't have significantly better solutions for the average home user, more widely deployed."
Even if your PC antivirus check comes out clean, be vigilant. Microsoft provides a free Malicious Software Removal Tool. One version of the tool, available from both Microsoft Update and Windows Update, is updated monthly; it runs in the background on the second Tuesday of each month and reports to Microsoft whenever it finds and removes an infection. You can use another version of the Malicious Software Removal Tool, downloadable at Microsoft's site, at any time, and you should run the utility if you notice a sudden change in your PC's behavior.
The Malicious Software Removal Tool garners results. In September 2007, Microsoft added to the utility the ability to recognize the Storm bot. Overnight the size of the Storm botnet was reduced by as much as 20 percent. Microsoft has since added other prevalent botnets to the tool's list, such as Conficker and Szribi.
Proactive options are also available. BotHunter, a free program from SRI International, works with Unix, Linux, Mac OS, Windows XP, and Vista. Though designed for networks, it can also run on stand-alone desktops and laptops.
BotHunter listens passively to Internet traffic through your machine and keeps a log of data exchanges that typically occur when a PC is infected with malware. Occasionally, to improve its definitions, BotHunter sends outbound messages to an SRI International database of adware, spyware, viruses, and worms. BotHunter first recognized Conficker data-exchange patterns back in November 2008, well before other security vendors picked up on the threat.
Future Botnets
If only to demonstrate their resiliency, bots have recently invaded cell phones, too. Trend Micro reported that the Sexy View SMS malware on the Symbian mobile OS can contact a CnC server to retrieve new SMS spam templates.
While a botnet on a mobile phone may look different from one on a PC, the idea of renting out a network of "owned" phones may be viable in the near future. Regardless of the form bots might take, we probably won't be able to eradicate the threat; we can only learn to better manage bot infestations. But in the meantime, let's clean up as many PCs as we can.
As fireworks boomed on the Fourth of July, thousands of compromised computers attacked U.S. government Web sites. A botnet of more than 200,000 computers, infected with a strain of 2004's MyDoom virus, attempted to deny legitimate access to sites such as those of the Federal Trade Commission and the White House. The assault was a bold reminder that botnets continue to be a massive problem.
Botnets are rogue networks of compromised "zombie" PCs. Your machine can become infected if you visit a site and download tainted code disguised as a video, if you visit a site that itself has been compromised, or if a traditional virus or other piece of malware enters your system. Once a bot infects your PC, it calls out to its command-and-control (CnC) server for instructions. A bot is similar to a traditional Trojan horse; but rather than merely installing a keylogger or a password stealer (which it might still do anyway), a bot works with other infected PCs, compelling them all to act together, in some ways like a very large computer.
Spammers pay big money to have a bot blast their message to thousands of machines; in particular, Canadian pharmaceutical spam is big right now. Other uses for bots include attacks that shut down commercial Web sites, often paired with a ransom demand. Brisk business also exists in what's called fast flux: To keep phishing Web sites active, operators change domains frequently. Botnets provide a quick and easy means to do so, and, according to security firm Kaspersky, botnet owners charge big money for that service.
In July, the ShadowServer Foundation, a group specializing in sharing information about botnets, reported that the number of identified botnets grew from 1500 to 3500 in the last two years. Each of those 3500 networks could contain several thousands of compromised PCs--and any given PC could be infected by multiple bots.
In raw numbers, the United States and China are the homes of most of the bot-infected machines, says Jose Nazario, manager of security research at Arbor Networks. "I think it's very safe for most PC users to assume they are part of a botnet," he says. "It's a very dangerous Internet for most folks."
Detecting Infections
Botnets live or die depending on communications with their CnC servers. Those communications can tell researchers how large a botnet is. Similarly, the flood of communications in and out of your PC helps antimalware apps detect a known bot. "Sadly, the lack of antivirus alerts isn't an indicator of a clean PC," says Nazario. "Antivirus software simply can't keep up with the number of threats. It's frustrating [that] we don't have significantly better solutions for the average home user, more widely deployed."
Even if your PC antivirus check comes out clean, be vigilant. Microsoft provides a free Malicious Software Removal Tool. One version of the tool, available from both Microsoft Update and Windows Update, is updated monthly; it runs in the background on the second Tuesday of each month and reports to Microsoft whenever it finds and removes an infection. You can use another version of the Malicious Software Removal Tool, downloadable at Microsoft's site, at any time, and you should run the utility if you notice a sudden change in your PC's behavior.
The Malicious Software Removal Tool garners results. In September 2007, Microsoft added to the utility the ability to recognize the Storm bot. Overnight the size of the Storm botnet was reduced by as much as 20 percent. Microsoft has since added other prevalent botnets to the tool's list, such as Conficker and Szribi.
Proactive options are also available. BotHunter, a free program from SRI International, works with Unix, Linux, Mac OS, Windows XP, and Vista. Though designed for networks, it can also run on stand-alone desktops and laptops.
BotHunter listens passively to Internet traffic through your machine and keeps a log of data exchanges that typically occur when a PC is infected with malware. Occasionally, to improve its definitions, BotHunter sends outbound messages to an SRI International database of adware, spyware, viruses, and worms. BotHunter first recognized Conficker data-exchange patterns back in November 2008, well before other security vendors picked up on the threat.
Future Botnets
If only to demonstrate their resiliency, bots have recently invaded cell phones, too. Trend Micro reported that the Sexy View SMS malware on the Symbian mobile OS can contact a CnC server to retrieve new SMS spam templates.
While a botnet on a mobile phone may look different from one on a PC, the idea of renting out a network of "owned" phones may be viable in the near future. Regardless of the form bots might take, we probably won't be able to eradicate the threat; we can only learn to better manage bot infestations. But in the meantime, let's clean up as many PCs as we can.
Thursday, November 5, 2009
Symantec Uncovers Trojan Scheme Using Facebook
Researchers at Symantec find a Trojan that uses Facebook to communicate with a command and control server.
Researchers at Symantec have uncovered a Trojan using Facebook as a coordinator for its command and control server.
The Trojan malware, known to Symantec as Whitewell, is being spread via e-mail through "documents (PDF, or MS Office formats) containing exploits for known vulnerabilities," Andrea Lelli, a security analyst with Symantec Security Response, wrote on a Symantec blog Oct. 31. The malware works by contacting the mobile version of Facebook and using its Notes section. By analyzing the Trojan's code, Lelli found that the Trojan will perform four different actions, depending on the notes' titles that are found.
If the title is Wells, the note will contain the timedate stamp for when a machine was infected. If it is WebServer, however, the note will contain a URL to be contacted from which the Trojan will receive commands, Lelli wrote.
Small botnets are causing big security problems for enterprises. Click here to read more.
"The real command and data processing is done through the remote URL that was received from the notes, and this URL may point anywhere," Lelli blogged. "However ... one could use a Facebook account as a C&C [command and control] server and this Trojan is able to successfully parse the Facebook html data, retrieve the wanted data from it, and also post new data to it (it may for example send stolen data to it in the form of a note in the same [way] as it sends a timedate stamp)."
To read about how Facebook password spam concealed a malware attack, click here.
If the note has the title 'White', it contains a URL that leads to an executable to be downloaded. If the title is anything else, the Trojan is programmed to wait, Lelli wrote.
This is not the first time social networks have been used to help control malware. In August, Arbor Networks researcher Jose Nazario uncovered a botnet using Twitter to communicate with its army of compromised machines.
According to Symantec, in this case, the documents containing the malware are made to look legitimate to conceal their intent, mimicking for example the names of well-known courier companies and utilizing popular headlines from the news media.
"Besides documents they can also spread the executables themselves, sending them with icons that resemble those that accompany legitimate documents, and with legit-looking file names such as 'Competitive assessment.pdf .exe,'" Lelli wrote.
"I want to stress the fact that the Trojan does not use exploits or flaws of any kind; it simply uses the standard Facebook functionalities, which in no way are malicious, dangerous or faulty," Lelli added. "This particular Trojan is quite limited and seems to be a targeted attack, but it can be considered a precursor of a botnet using a social network as a C&C server."
Gerry Egan, director of Symantec Security Response, said the company has not observed a significant number of infections and believes the Trojan to be part of a limited, targeted attack.
Researchers at Symantec have uncovered a Trojan using Facebook as a coordinator for its command and control server.
The Trojan malware, known to Symantec as Whitewell, is being spread via e-mail through "documents (PDF, or MS Office formats) containing exploits for known vulnerabilities," Andrea Lelli, a security analyst with Symantec Security Response, wrote on a Symantec blog Oct. 31. The malware works by contacting the mobile version of Facebook and using its Notes section. By analyzing the Trojan's code, Lelli found that the Trojan will perform four different actions, depending on the notes' titles that are found.
If the title is Wells, the note will contain the timedate stamp for when a machine was infected. If it is WebServer, however, the note will contain a URL to be contacted from which the Trojan will receive commands, Lelli wrote.
Small botnets are causing big security problems for enterprises. Click here to read more.
"The real command and data processing is done through the remote URL that was received from the notes, and this URL may point anywhere," Lelli blogged. "However ... one could use a Facebook account as a C&C [command and control] server and this Trojan is able to successfully parse the Facebook html data, retrieve the wanted data from it, and also post new data to it (it may for example send stolen data to it in the form of a note in the same [way] as it sends a timedate stamp)."
To read about how Facebook password spam concealed a malware attack, click here.
If the note has the title 'White', it contains a URL that leads to an executable to be downloaded. If the title is anything else, the Trojan is programmed to wait, Lelli wrote.
This is not the first time social networks have been used to help control malware. In August, Arbor Networks researcher Jose Nazario uncovered a botnet using Twitter to communicate with its army of compromised machines.
According to Symantec, in this case, the documents containing the malware are made to look legitimate to conceal their intent, mimicking for example the names of well-known courier companies and utilizing popular headlines from the news media.
"Besides documents they can also spread the executables themselves, sending them with icons that resemble those that accompany legitimate documents, and with legit-looking file names such as 'Competitive assessment.pdf .exe,'" Lelli wrote.
"I want to stress the fact that the Trojan does not use exploits or flaws of any kind; it simply uses the standard Facebook functionalities, which in no way are malicious, dangerous or faulty," Lelli added. "This particular Trojan is quite limited and seems to be a targeted attack, but it can be considered a precursor of a botnet using a social network as a C&C server."
Gerry Egan, director of Symantec Security Response, said the company has not observed a significant number of infections and believes the Trojan to be part of a limited, targeted attack.
Subscribe to:
Comments (Atom)