Tag Archives: Malware

Geinimi: New Android Malware from China or Just a Hoax?

Geinimi is the latest scare in the Android world. It is a sophisticated Android malware from China, designed to take control of a device; it can even make the device part of a botnet. However, there is a catch. All of this applies only if you install third-party apps from unauthorized sources, as this app never made it to the Android Market.

TNW has warned users not to be scared by the threat alert on the Lookout security blog. In other words, there is not much of a threat from this malware, since more than half of the people using Android will never install it at all.

Lookout Security has claimed that the malware is spreading by being repackaged into legitimate Android applications on third-party app markets. One way to spot this malware is to look at the permissions an app requests. In Android, if an application requests more permissions than its function needs, there is a very good chance that it does more than it claims to.

The current capabilities of Geinimi, as stated by Lookout, are:

Though we have seen Geinimi communicate with a live server and transmit device data, we have yet to observe an operational control server sending commands back to the Trojan. Our analysis of Geinimi’s code is ongoing but we have evidence of the following capabilities:

  • Send location coordinates (fine location)
  • Send device identifiers (IMEI and IMSI)
  • Download and prompt the user to install an app
  • Prompt the user to uninstall an app
  • Enumerate and send a list of installed apps to the server
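The permission check described above, as an added example (not code from the original post or from Lookout): it parses the `<uses-permission>` entries of an AndroidManifest.xml and reports every permission that the app's advertised purpose does not explain, annotated with the Geinimi capability it would enable. The manifest, the "wallpaper app" and its expected permission set are constructed for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permissions that enable the capabilities Lookout lists for Geinimi.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "send fine location coordinates",
    "android.permission.READ_PHONE_STATE": "read device identifiers (IMEI/IMSI)",
    "android.permission.INTERNET": "talk to a remote server",
    "android.permission.RECEIVE_BOOT_COMPLETED": "start at boot and persist",
}


def declared_permissions(manifest_xml):
    """Return the set of permission names declared in <uses-permission> tags."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def excess_permissions(declared, expected):
    """Map each declared permission the app's stated function does not need
    to the reason it matters (the capability it would give a repackaged app)."""
    return {
        p: SENSITIVE.get(p, "not needed for the app's stated function")
        for p in sorted(declared - expected)
    }


# Constructed manifest: a repackaged "wallpaper" app that has grown extra permissions.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>"""

# Assumption for this example: what a wallpaper downloader legitimately needs.
WALLPAPER_EXPECTED = {"android.permission.INTERNET", "android.permission.SET_WALLPAPER"}

if __name__ == "__main__":
    declared = declared_permissions(SAMPLE_MANIFEST)
    for perm, why in excess_permissions(declared, WALLPAPER_EXPECTED).items():
        print(f"EXCESS {perm}: {why}")
```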

Hey PC Tools, I Quit. Everyone Else Please Start Uninstalling

I have been using the "free version" of PC Tools Spyware Doctor for quite some time now; however, the only reason it is there is my laziness about clearing tracking cookies or clearing my cache every day. I do have scheduled tasks on my PC to clear all cookies and trash every few days, but this bugger tried to be useful, and as far as I am concerned it is becoming useless, so I uninstalled it.

[Image: the "Legal Notice" displayed by PC Tools Spyware Doctor]

Above you can see a "Legal Notice" the latest version displayed to me. It is not only deceptive, it has lawyer words written all over it. For the record, as I said earlier I use a free version of PC Tools Spyware Doctor, and other than the browser this program tracks nothing else. Of course, I use several other programs to track what goes on my PC.

However, this new legal notice has sent me into a foul-mouthed cruise of my own. Come on, why would a program show a legal notice like this when it just clears cookies? When I clear cookies manually in my browser, all I get is a "Do you want to clear this data?" I click "Yes" and I am on my way. I hate these reverse-psychology ways companies use to make people second-guess what they are doing.

I am not afraid of saying that many of them are "dumb", nor am I afraid of saying that many of them will fall for this and not remove potential tracking cookies because of this notice. It is a really bad thing on PC Tools' part to put this notice up. They are just trying to save their ass (or their advertisers') while leaving more people exposed to cookies that track them.

I am assuming that they tied up with several tracking sites to make sure people are scared off before removing cookies from their PCs. Eff them. I would highly suggest you use CCleaner, Malwarebytes and Microsoft Security Essentials (links at end) to clean up your cookies or mess going forward; just duck and uninstall PC Tools once and for all.

Happy Defending.

New Ways to Get Infected Online – Fake Update Downloads

Two days ago, the Symantec blog posted an article that describes how the newest and most successful malware and fake anti-spyware fools you into downloading it. The descriptions and images of these social engineering attacks are something you should see, so that you’ll know it when it happens to you.

Below are four images from the Symantec article. The first three show a web page with a fake warning to download updates. The last image shows you the payload, which is a fake anti-spyware program that tries to fool you into purchasing it (also known as scareware).

Image #1: download "Firefox Secure Updates"

Image #2: download "Updates"

Image #3: download "Chrome Updates"

Image #4: the resulting download, scareware called "Security Tool"

Even though these images are a bit fuzzy, you can still see that they’ve done a good job of looking like legitimate warnings. The bad news is that this isn’t the scariest part. It gets worse.

According to the article, trying to cancel these warnings does no good. The fake warnings keep popping up. If you exit the page without downloading these updates, something even worse happens. They redirect you to a site that hits you with some heavy duty exploits that could infect your PC.

The Symantec article only tells you that their software and some common sense will keep you protected from these fake warnings.

If you want my advice, do the following if you think you are seeing a fake warning:

  1. Close the browser.
  2. Follow up with an anti-virus scan of your system.
  3. Use Malwarebytes Anti-Malware to clean your system if you think you’ve been infected.
  4. If all else fails, and you’re certain you have a problem, go to an anti-spyware forum to get help. (SpywareWarrior and PC-Help are good.)
  5. Optional: tell me about your adventures, or comment below.

Update: Lorraine emailed me this link to removal instructions that helped her remove the “My Security Shield” scareware which looks like the “Security Tools” above.

[Source Symantec Blog]


Quickly Scan Any File with 40 Different Antivirus Engines

There are several online services that will allow you to check files for viruses or malware by uploading the files from your computer. One reason you might use one of these services is that you have downloaded a new program and you want to know if it’s safe to install on your computer. One of the services that I use most often is called Virus Total.

Virus Total is a free, independent service that will analyze uploaded files with around 40 different antivirus engines. Here is the current list:

AhnLab (V3)
Antiy Labs (Antiy-AVL)
Aladdin (eSafe)
ALWIL (Avast! Antivirus)
Authentium (Command Antivirus)
AVG Technologies (AVG)
Avira (AntiVir)
Cat Computer Services (Quick Heal)
ClamAV (ClamAV)
Comodo (Comodo)
CA Inc. (Vet)
Doctor Web, Ltd. (DrWeb)
Emsi Software GmbH (a-squared)
Eset Software (ESET NOD32)
Fortinet (Fortinet)
FRISK Software (F-Prot)
F-Secure (F-Secure)
G DATA Software (GData)
Hacksoft (The Hacker)
Hauri (ViRobot)
Ikarus Software (Ikarus)
INCA Internet (nProtect)
K7 Computing (K7AntiVirus)
Kaspersky Lab (AVP)
McAfee (VirusScan)
Microsoft (Malware Protection)
Norman (Norman Antivirus)
Panda Security (Panda Platinum)
PC Tools (PCTools)
Prevx (Prevx1)
Rising Antivirus (Rising)
Secure Computing (SecureWeb)
BitDefender GmbH (BitDefender)
Sophos (SAV)
Sunbelt Software (Antivirus)
Symantec (Norton Antivirus)
VirusBlokAda (VBA32)
Trend Micro (TrendMicro)
VirusBuster (VirusBuster)

They keep those engines up to date with the latest virus signatures, and they also offer detailed results from each engine in their reports. Virus Total is available in nearly two dozen languages.

To use this service, you simply visit the web page, click on the file upload button, select the file and wait for it to upload. Once the file is uploaded, you will often have to wait a few minutes for the scan results to appear. If you think that sounds pretty easy to do, you are correct. However, Virus Total now offers an even easier method, the Virus Total Uploader.

After you install the Virus Total Uploader [Windows Only] on your PC, you can right click on a file, then use Send to to send it to the Virus Total site.

[Screenshot: the Virus Total Uploader entry in the right-click Send to menu]

After a few seconds, your web browser will open up to show you the results of the antivirus tests from Virus Total.

That’s not the only trick that the Uploader has for you. When you launch it from your Start menu, you’ll see three other upload options in its interface:

[Screenshot: the Virus Total Uploader main interface]

  • upload a file by choosing its process name
  • select a file by browsing to its location
  • type in the URL of a file on the web

Go to the Virus Total Uploader page to get it.

Techie Buzz Verdict:

Having a good antivirus program installed on your PC is a must have. The ability to double check files using 40 different antivirus engines is not required, but it sure is nice to have. If you’d like to try this application, I recommend it.


Techie Buzz Rating: 4/5 (Excellent)

Conficker Worm Owns The World’s Largest Cloud Network

Cloud computing is quite the buzzword these days. Both Google and Microsoft have acknowledged its importance and have introduced multiple cloud-related services over the past year. However, neither of them owns the world’s largest cloud network. No, it is not Amazon either. According to ReadWriteWeb, it is Conficker.

Conficker controls 6.4 million computer systems in 230 countries, more than 18 million CPUs and 28 terabits per second of bandwidth. Among the legitimate entities, Google is the largest, followed by Amazon. Google is made up of an estimated 500,000 systems, 1 million CPUs and 1,500 gigabits per second (Gbps) of bandwidth.

Conficker was first spotted in 2008 and quickly went on to become one of the most notorious worms in history. It was not the most dangerous worm ever seen. However, the lengths to which it went to avoid detection and disinfection made it remarkable.

Conficker remains an enigma. Thanks to the massive botnet under its control, Conficker could unleash havoc if it ever wished to. Yet, to this day, it has remained largely silent. It is quite possible that Conficker became too large for its own good and the intense spotlight made the entire operation too risky for its owner.

New Free Virus Removal Tool from McAfee – Fake Alert Stinger

[Windows Only] McAfee is well known for its antivirus software, and you usually have to pay for their protection. They offer the free Stinger tool to help people clean out PCs that have been crippled by virus and trojan attacks.

[Screenshot: the McAfee FakeAlert Stinger scanner]

There is no installation required. Just download it and run it. It works on all Windows PCs as far as I know.

I normally download a fresh copy of Stinger onto a USB flash drive or CD before I go off to help my friends with bug problems.

In addition to the standard Stinger, there’s a new version of Stinger out now called FakeAlert Stinger. It’s designed to specifically target multiple varieties of the FakeAlert trojans, such as Kryptik, AVP Security, Fakespypro, Winwebsec, Antivirus Soft and XPSpy.

FakeAlert applications are a form of ScareWare that pop up fake warnings which attempt to trick you into running their scans and buying their premium products. It’s a huge money-making scam that’s been very effective against new PC users.

Download McAfee Stinger and FakeAlert Stinger

Notes: There are many other antivirus and anti-malware tools that can help you clean up an infected PC. Last year, Keith wrote about an application which will Remove Fake Antivirus from Your System. If all else fails and the PC is really trashed, I’ve got an article describing how to Run AntiVirus on a PC That Will Not Boot.

Techie Buzz Verdict:

There are two versions of McAfee Stinger. Both are very good, and there’s no reason not to use both of them when you need to clean up an infected PC. I have used Stinger for years and I’ve never had an issue with it. I only wish it was Open Source, so that more people could contribute to its effectiveness.

Techie Buzz Rating: 4/5 (Excellent)

Vodafone distributes Mariposa Bot, Conficker and Lineage in HTC Magic

Viruses and malware are not new to mobile devices, however, in a somewhat startling revelation, Panda Research blog discovered that Vodafone is distributing the Mariposa bot, Conficker and Lineage password stealing malware with HTC Magic phones.


The infection was found on an HTC Magic phone running the OS supplied by Vodafone Germany (based on the screenshots and the German language used on the computer of the Panda AV employee). The alert was triggered by Panda Cloud AV when the phone was plugged into the PC via USB.

Malicious code was found in the Autorun files, which automatically runs when a USB drive is connected to a PC. The malware in question was identified as Mariposa bot client, which is run by an unknown guy named "tnls". If users are infected with the virus it will automatically start contacting servers and sending data to them.

Also Read: Prevent Autorun.inf From Running on Inserting a USB Drive

In addition to the above bot, the researcher also found traces of the Conficker virus along with a password-stealing malware called Lineage. There were no reports of the phone itself being affected by the above, but PCs without appropriate protection would definitely be vulnerable to these viruses.
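The Autorun vector described above, as an added example (not code from the original post or from Panda): a small parser for an autorun.inf file that reports every directive which would launch an executable when the drive is inserted or opened, plus the social-engineering "action" label that imitates Windows' own "open folder" entry. Both .inf samples are constructed for this example and are shaped like the autorun worms of the period, not copied from the infected phone.

```python
import re

# Extensions Windows will run directly from an open= / shellexecute= / shell\...\command= value.
EXECUTABLE = re.compile(r"\.(exe|com|bat|cmd|scr|pif|vbs|js|wsf)(?:\s|$)", re.IGNORECASE)


def parse_autorun(text):
    """Return {lower-case key: value} from the [autorun] section.
    Line-based and tolerant of junk lines, which autorun worms padded files with."""
    directives, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            directives[key.strip().lower()] = value.strip()
    return directives


def inspect_autorun(text):
    """Return a list of (key, value, reason) for directives that launch code."""
    d = parse_autorun(text)
    findings = []
    for key, value in d.items():
        if key in ("open", "shellexecute") and EXECUTABLE.search(value):
            findings.append((key, value, "launched by AutoRun when the drive is inserted"))
        elif key.startswith("shell\\") and key.endswith("\\command") and EXECUTABLE.search(value):
            findings.append((key, value, "launched when the drive is opened from Explorer"))
    # The AutoPlay label is the social-engineering half: it imitates the genuine
    # "Open folder to view files" entry while the executable above runs instead.
    if findings and "folder" in d.get("action", "").lower():
        findings.append(("action", d["action"], "AutoPlay label mimics the real 'open folder' option"))
    return findings


# Constructed sample: typical worm layout, with a junk line and a default-verb override.
SUSPICIOUS_INF = r"""[autorun]
;xqz9 junk to confuse naive scanners
open=RECYCLER\setup.exe
icon=%SystemRoot%\system32\shell32.dll,4
action=Open folder to view files
shell\open\Command=RECYCLER\setup.exe
shell\explore\Command=RECYCLER\setup.exe
shell=open
"""

# Constructed sample: a harmless autorun.inf that only sets an icon and a label.
BENIGN_INF = """[autorun]
icon=drive.ico
label=Vacation photos
"""

if __name__ == "__main__":
    for key, value, reason in inspect_autorun(SUSPICIOUS_INF):
        print(f"{key} = {value}  ->  {reason}")
    print("benign findings:", inspect_autorun(BENIGN_INF))
```

The PC-side mitigation is to disable AutoRun for removable drives rather than to trust the file's contents; on Windows that is the NoDriveTypeAutoRun policy value (0xFF under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer disables it for all drive types).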

It is really startling to see that both Vodafone and HTC allowed these phones to be sold without extensive testing and checks. It is not known as to how many phones are affected; however, it is a safe bet to connect your phone to your PC (with AV running) and run a quick scan of the contents of the phone.

We have contacted Vodafone and HTC for a statement and will update this post when more information becomes available.

Image Credit: Novarider.com

Did Apple Abandon Its Malware Blocker?

Back in August ’09, Apple had quietly added a malware blocker to Mac OS X (Snow Leopard). However, some six months after the feature was first introduced, it seems to have been abandoned by Apple.

Apple hasn’t released definition updates for the malware blocker in months. Although malware for Snow Leopard is few in number, Snow Leopard isn’t completely virus free (as some Mac advertisements suggest). Most of the recent malware for the Mac are DNS Changer threats: they alter the Mac’s DNS settings and are commonly used for phishing.

Technically, Apple never promised to provide full-fledged antimalware capabilities in Snow Leopard. However, malware for the Mac is few and far between, so surely it wouldn’t take much of an effort to maintain a decent antimalware tool, which would immensely benefit Mac users.

Conficker – One year Later

Conficker (also known as Downup, Downadup or Kido) was first spotted in November 2008. Over the course of a year, it has gone on to become one of the most notorious Windows worms in history.

Conficker isn’t the worst malware ever, nor is it the most dangerous. What makes Conficker remarkable is the lengths it goes to in order to avoid detection and disinfection. Conficker employs all the standard measures, like creating multiple copies of itself and injecting itself into critical processes (e.g. explorer.exe and svchost.exe). On top of that, it disables Windows Update, blocks the websites of security vendors and even disables anti-malware utilities.

Even more ingenious is the technique it uses to check for payloads (additional pieces of code which are downloaded without the user’s permission). Conficker is programmed to generate an apparently random list of URLs and download payloads from them. While the initial three variants connected to only about 250 domains, the newer modifications are capable of generating as many as 50,000 domain names. This makes preventing delivery of payloads in advance almost impossible.
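The domain-generation idea above, as an added example (not code from the original post and not Conficker's actual algorithm, which is not given here): a hypothetical date-seeded generator stands in for the worm's daily list, and the defender side precomputes that same list and matches constructed resolver log lines against it. It shows both halves of the argument: the list is cheap to reproduce once the algorithm is known, but blocking or registering every name grows with the count (250 versus 50,000 per day). The seed, TLD pool and log format are assumptions for this example.

```python
import hashlib
from datetime import date

TLDS = ("com", "net", "org", "info", "biz")  # assumed small pool for the toy generator
EXAMPLE_DAY = date(2009, 11, 21)              # constructed date for the sample run


def toy_dga(day, count, seed=b"toy-seed"):
    """Hypothetical date-seeded generator (NOT the worm's real algorithm).
    Deterministic: the same day and seed always yield the same list, which is
    exactly what lets defenders pre-register or sinkhole the names in advance."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + i.to_bytes(4, "big")).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:8])  # 8 letters a-z
        domains.append(f"{label}.{TLDS[digest[8] % len(TLDS)]}")
    return domains


def daily_blocklist(day, count):
    """The defender's precomputed set for one day; its size is the work to block."""
    return set(toy_dga(day, count))


def dns_hits(log_lines, blocklist):
    """Match constructed resolver log lines ('<timestamp> <client> <qname>')
    against the precomputed list; each hit is a host worth investigating."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        qname = parts[2].rstrip(".").lower()
        if qname in blocklist:
            hits.append((parts[1], qname))
    return hits


if __name__ == "__main__":
    small = daily_blocklist(EXAMPLE_DAY, 250)
    large = daily_blocklist(EXAMPLE_DAY, 50_000)
    print("names to block today:", len(small), "vs", len(large))
    # Constructed log: one host queries a generated name, the other does not.
    sample = toy_dga(EXAMPLE_DAY, 250)[17]
    log = [
        f"2009-11-21T10:00:01 10.0.0.5 {sample}.",
        "2009-11-21T10:00:02 10.0.0.9 www.example.com.",
    ]
    print("suspect hosts:", dns_hits(log, small))
```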

[Images: Conficker infections by country; Conficker infection graph]

Conficker is also a story of what happened, what could have happened and what may happen. The malware creators have succeeded in building a huge botnet which may be used for tasks like spamming, DDoS (distributed denial of service) attacks, pay-per-click fraud, key logging, identity theft and traffic logging. However, Conficker hasn’t yet created the mayhem that many believe it has the potential to.

Conficker spreads using a vulnerability in Windows RPC Server Service, which was patched by Microsoft a long time back. In spite of this, Conficker continues to spread. BitDefender suggests that the worm would continue to be a nuisance even in 2010 and may even become a bigger threat.

[ Download the whitepaper on Conficker or listen to the podcast ]

Avira Antivirus Is the Lightest Antivirus Software

“Will it slow down my system?” is a question antivirus vendors are often asked by worried customers. Indeed, antivirus utilities are infamous for having an adverse impact on system performance. A new report released by AV-Comparatives, a leading antivirus software testing firm, provides us with the answer to this oft-asked question.

[Image: AV-Comparatives antivirus performance test chart]

AV-Comparatives used 16 popular antivirus utilities and measured the impact they had on various activities like file copying and downloading. Fully defragmented hard disks were used on each occasion, and external factors like network and temperature were neutralized as far as possible.

None of the antivirus utilities had a significant impact on encoding/transcoding and archiving/unarchiving speeds. However, eScan, F-Secure, G DATA, Microsoft and Trustport slowed down file copying significantly (more than doubling the time required to copy a file). Thankfully, due to fingerprinting technologies, all of them but eScan performed impressively on subsequent runs.

When it came to slowing down application installations/uninstallations Bitdefender, G DATA and Trustport were the biggest culprits. Trustport also increased application launch times by more than 100%. These three were joined by AVG in the file downloading hall of shame. AVG, Bitdefender, G DATA and Trustport more than doubled file download durations.

Throughout the tests Avira performed admirably, and this was reflected even in the WorldBench scores. eScan, Trustport, Bitdefender and G DATA once again found themselves at the bottom of the pile.

Thanks to an outstanding all round performance Avira was the overall winner. Kingsoft, F-Secure, Sophos and Kaspersky were the other products which made it to the top five.

Performance Chart

    Antivirus Name – Score (Higher is better)

  1. AVIRA AntiVir Premium 9.0 – 199
  2. Kingsoft Antivirus 9 Plus – 196
  3. F-Secure Anti-Virus 2010 – 195
  4. Kaspersky Anti-Virus 2010 – 193
  5. Sophos Anti-Virus 9.0.1 – 193
  6. Microsoft Security Essentials 1.0 – 190
  7. avast! Free 5.0 – 188
  8. Symantec Norton AntiVirus 2010 – 188
  9. ESET NOD32 Antivirus 4.0 – 183
  10. McAfee VirusScan Plus 2010 – 174
  11. Norman Antivirus & AntiSpyware 7.30 – 169
  12. AVG Anti-Virus 9.0 – 164
  13. BitDefender Antivirus 2010 – 154
  14. G DATA AntiVirus 2010 – 152
  15. eScan AntiVirus 10.0 – 137
  16. Trustport Antivirus 2010 – 125

The full report can be downloaded from AV-Comparatives.org.