Mar 06, 2009

Today’s Tip: Beware “Antispyware XP2009”

Several acquaintances of mine have been stung in recent months by the rogue program “Antispyware XP2009”. This program relies on social engineering to dupe you into installing a malicious program and then extort money from you.

Looks legitimate, right? Here’s how it works. You visit a website and, without warning, an ominous message appears on screen alerting you that spyware or a virus has been detected on your machine, with the instruction to “click now to clean”. Unwittingly falling victim to this ploy can be costly in more ways than one.

When you “click to clean”, this trojan installs Antispyware XP2009 on your system “for free”. After you perform their “free” scan, the software instructs you that you must purchase a license to remove the infected items it “finds”. Unfortunately the one infected or malicious item it never finds is itself. Paying the ransom, er, “license fee” does nothing except extort money from you. In addition, Antispyware XP2009 destroys legitimate program executable files, rendering popular programs such as Windows Media Player, Internet Explorer, Office applications and more, useless.

There are several copycat variants of this malware with similar names, so surf cautiously! Your best defense against this type of attack is your own common sense. Never “click here” to clean anything that is presented unsolicited on any website. Also make sure you have a robust security solution that detects rogue applications and viruses in real time. Of course, having robust anti-virus and anti-spyware software is useless if threat definitions are not updated regularly, and that will be the subject of a future post! If you do fall victim to Antispyware XP2009, contact the St. George PC Doctor to restore your computer’s health today.




Mar 05, 2009

Today’s Tip: Defrag that HDD!

One of the simplest things you can do to improve the performance of your computer is to regularly defragment the hard drive. Your computer’s hard drive is much like a giant filing cabinet. When data is written to the drive, the system doesn’t care “where” on the drive it writes; it just looks for free space. The result is that parts of a file get scattered indiscriminately all over the usable disk surface. Imagine a filing cabinet with no folder structure, only pieces of paper thrown randomly into drawers! Can you imagine trying to locate all the pages of that important contract you need to review and having to sort through thousands of pages to find them? The result is basically the same with hard disk fragmentation. If you’ve got a 500GB disk drive, every time you access a given file the computer may have to reconstruct it by gathering all the pieces from across the entire drive! That’s a performance killer and over time will severely slow down your PC.

By setting a system task to periodically defragment the drive (for most users every 30 days is more than adequate), you will keep your disk optimized and your system running smoothly for years to come!


Mar 04, 2009

Top 9 Current Malware Threats

1. Win32/PSW.OnLineGames

This is a family of Trojans with keylogging and (sometimes) rootkit capabilities which gather information relating to online games and credentials for participating. Characteristically, the information is sent to a remote intruder’s PC.

What does this mean for the End User?

This represents a return to the top spot for this class of threat, which has been at number one or number two (alternating with INF/Autorun) for many months now. However, it’s also important that participants in MMORPGs (Massively Multi-player Online Role Playing Games) like Lineage and World of Warcraft, as well as “metaverses” like Second Life, continue to be aware of the range of other threats ranged against them. We are not just referring here to harassment nuisances like griefing and pointless quasi-viral attacks like grey goo, but phishing and other scams that can result in financial loss in the real world.

2. INF/Autorun

This detection label is used to describe a variety of malware using the file autorun.inf as a way of compromising a PC. This file contains information on programs meant to run automatically when removable media (often USB flash drives and similar devices) are accessed by a Windows PC user.

What does this mean for the End User?

Removable devices are useful and very popular: of course, malware authors are well aware of this, as INF/Autorun’s persistent appearances at number one or number two in these statistics clearly indicate. Here’s why popularity is sometimes a problem. The default Autorun setting in Windows will automatically run a program listed in the autorun.inf file when you access many kinds of removable media. There are many types of malware that copy themselves to removable storage devices: while this isn’t always the program’s primary distribution mechanism, malware authors are always ready to build in a little extra “value” by including an additional infection technique. While using this mechanism can make it easy to spot for a scanner that uses this heuristic, it’s better to disable the Autorun function by default rather than to rely on anti-virus to detect it in every case. Microsoft Security Advisory (967940) “Update for Windows Autorun”, published February 24, 2009, is a further attempt by Microsoft to address the issue (http://www.microsoft.com/technet/security/advisory/967940.mspx); see also http://support.microsoft.com/kb/967715.
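As an added example (not part of this post or of the report it quotes), the Python below shows the two checks a defender can make on this item: it reads an autorun.inf and lists the directives that would launch a program when the drive is opened, and it decodes a NoDriveTypeAutoRun registry value to show which drive types Autorun is suppressed for. The autorun.inf text is constructed for the example, and the 0x91 and 0xFF policy values are the Windows XP default and the "disable everywhere" setting respectively.

```python
"""Defender-side triage of autorun.inf and decoding of the NoDriveTypeAutoRun policy."""

# Bits of the NoDriveTypeAutoRun REG_DWORD; a set bit suppresses Autorun for that drive type.
DRIVE_TYPE_BITS = {
    "unknown": 0x01, "no_root_dir": 0x02, "removable": 0x04, "fixed": 0x08,
    "remote": 0x10, "cdrom": 0x20, "ramdisk": 0x40, "reserved": 0x80,
}

# [autorun] directives that make Windows launch a program or rewrite the drive's
# default double-click verb; the others (icon, label, action) only change appearance.
EXEC_KEYS = ("open", "shellexecute")

# Constructed sample for this example, not taken from any real infection.
SAMPLE_AUTORUN_INF = """
[AutoRun]
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
open=setup.exe
shell\\open\\command=setup.exe
shell\\explore\\command=setup.exe
"""


def parse_ini(text):
    """Minimal INI reader; section and key names are lower-cased, as Windows matches them."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def triage_autorun_inf(text):
    """Return sorted (directive, command) pairs that would run code when the drive is opened."""
    autorun = parse_ini(text).get("autorun", {})
    return sorted(
        (key, value) for key, value in autorun.items()
        if key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
    )


def autorun_blocked(policy_value, drive_type):
    """True if a NoDriveTypeAutoRun value disables Autorun for the given drive type."""
    return bool(policy_value & DRIVE_TYPE_BITS[drive_type])
```

Run `triage_autorun_inf(open(r"E:\autorun.inf").read())` against a freshly plugged-in drive to see what it would launch, and compare `autorun_blocked(value, "removable")` for the value currently set under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer.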

3. Win32/Conficker.AA

Win32/Conficker.AA is a worm that spreads via shared folders and on removable media. It connects to remote machines in an attempt to exploit the Server Service vulnerability.

What does this mean for the End User?

Make sure your anti-virus has effective detection for Conficker variants. It is important to ensure that your systems are updated with the Microsoft patch, which has been available since the end of October, so as to avoid other threats using the same vulnerability. Information on the vulnerability itself is available at http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx. Note that Conficker uses the autorun facility misused by members of the INF/Autorun family.

4. Win32/Conficker.A

The Win32/Conficker threat is a network worm that propagates by exploiting a recent vulnerability in the Windows operating system. The vulnerability is present in the RPC subsystem and can be remotely exploited by an attacker. The attacker can perform his attack without valid user credentials. Win32/Conficker loads a DLL through the svchost process. This threat contacts web servers with pre-computed domain names to download additional malicious components.

What does this mean for the End User?

It is important for end users to ensure that their systems are updated with the Microsoft patch, which has been available since the end of October, so as to avoid other threats using the same vulnerability. Information on the vulnerability itself is available at http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx. There is an exhaustive analysis available at http://mtc.sri.com/conficker.

5. Win32/TrojanDownloader.Swizzor.NBF

The Win32/TrojanDownloader.Swizzor malware family is commonly used to download and install other malicious components on an infected computer. The Swizzor malware has been seen installing multiple adware components on infected hosts. Some variants of the Swizzor family will not execute on systems using the Russian language.

What does this mean for the End User?

There is often no clear distinction between out-and-out malware and other nuisances such as adware, and malware is frequently used to promote advertising. Whereas virus authors used to do what they did without commercial gain, whether from misguidance, mischief or malice, contemporary malware authors are more often driven by profit.

6. WMA/TrojanDownloader.GetCodec

Win32/GetCodec.A is a type of malware that modifies media files. This Trojan converts all audio files found on a computer to the WMA format and adds a field to the header that includes a URL pointing the user to a new codec, claiming that the codec has to be downloaded so that the media file can be read. WMA/TrojanDownloader.GetCodec.Gen is a downloader closely related to Wimad.N which facilitates infection by GetCodec variants like Win32/GetCodec.A.

What does this mean for the End User?

Passing off a malicious file as a new video codec is a long-standing social engineering technique exploited by many malware authors and distributors. The victim is tricked into running malicious code he believes will do something useful or interesting. While there’s no simple, universal test to indicate whether what appears to be a new codec is a genuine enhancement or a Trojan horse of some sort, I would encourage you to be cautious and skeptical about any unsolicited invitation to download a new utility. Even if the utility seems to come from a trusted site, it pays to verify as best you can that it’s genuine.

7. Win32/Adware.TencentAd

The Win32/Adware.TencentAd threat family is used to display advertisements on infected computers. This Adware seems to be targeting computers in Asia and is often installed by drive-by download attacks.

What does this mean for the End User?

The proportion of drive-by downloads to user-launched infections is probably overestimated. Social engineering, by which the victim is tricked into executing malware, is successful time and time again. By contrast, malware that relies on vulnerabilities in the system to infect without the victim’s intervention tends to decline in effectiveness as more potential victims learn to patch vulnerable systems, and the number of exploitable vulnerabilities is finite. Good patch management (by individuals as well as businesses) lessens the risk further.

8. Win32/Toolbar.MywebSearch

This is a Potentially Unwanted Application (PUA). In this case, it’s a toolbar which includes a search function that directs searches through MyWebSearch.com.

What does this mean for the End User?

Anti-malware companies are sometimes reluctant to flag PUAs as out-and-out malware, and PUA detection is often an option rather than a scanner default, because some adware and spyware can be considered legitimate, especially if it mentions (even in the small print of its EULA or End User Licensing Agreement) the behavior that makes it potentially unwanted. It always pays to read the small print.

9. Win32/Adware.Virtumonde

This detection represents a family of Trojan applications used to deliver advertisements to users’ PCs. Among other actions, Virtumonde may open multiple windows while running, which contain unwanted advertising material, and it can be very difficult to automate removal completely. Adware is still a big profit generator for malware distributors.

What does this mean for the End User?

Virtumonde has become a particularly difficult problem for vendors and customers alike, far more than its classification as “adware” might suggest.
