Monday, November 29, 2010

Bizarre worm in Facebook "random applications" leads to more discussion of site's security; checking Friend requests

So here’s a story by British criminology graduate student Zack Whittaker on ZdNet about a new worm whose bizarre links seems to be showing up in a lot of Facebook friends’ lists these days. The story is (website url) here, in an "iGeneration" piece.  Note the use of the word "infested" instead of "infected". The worm has various random names such as “S22BZ5”. There follows an existential discussion, especially in the comments, as to whether Facebook is “secure.”

I know that I started getting a run of Friends’ requests, from people who probably wouldn’t have a legitimate interest in me. At least one stated his birthdate, and it seemed that some were underage, which sounds dangerous. Maybe a worm masquerading as a police sting. Someone who doesn’t have a lot of “Friends” (pun) should probably look at the profile of every request. My own policy is not to accept any Friend whom I believe to be under 18 (unless I know him or her from a legitimate source).

Saturday, November 27, 2010

Webroot quarantines "Rogue Security Products" from active Shield

This morning, while surfing blogs that displayed ads, I suddenly got a warning from Webroot that it had quarantined “Rogue Security Products”. All previous quarantine incidents have occurred when running the sweep (which gets longer all the time). Webroot says that it an adware program. Apparently it would try to prompt the user to purchase a fake anti-virus product. No such ad appeared in my browser or on my screen.

Webroot’s blog entry for the problem, dated Nov 22, is here.

There follows a discussion of Karagany, a fake “security” product that hides in Adobe applications.


Trojan Mimics Adobe Updater from Webroot Threat Research on Vimeo.
Webroot Threat Research

About three years ago, my blogs sometimes attracted comments attempting to sell fake anti-virus software. Since I have monitored comments, spam comments have disappeared. But one time when tried clicking on a link, an application icon came up (on an older XP computer), and McAfee did not detect it. (All such comments have been removed.)

Picture: Sartor Resartus, and a cluttered closet.

Wednesday, November 24, 2010

Webroot/Sophos detect mysterious malware "Mal/JSIfrLd-A"




Today, Webroot made me run the biweekly sweep (now up to 3 hours and 600000 files across 2.5 million definitions -- it doesn't let me work until I run this), and in the files (not registry) it spotted “Mal/JSIfrLd-A” , which it called a “virus” (not spy coolied) which it quarantined at the end.

The only definition I could find on the web was a generic listing from Sophos (Webroot’s antivirus engine) is here , dated Nov. 22, 2010. I found a similar listing from 2008 by surfing, but this appears to be a new variation of a low-prevalance threat before. Since the date is recent, the Shield may not have detected the virus during surfing before Nov. 22. You can look at the Sophos “malicious behavior” link and find a general description of how it looks for “malicious behavior” with what it calls “genotype protection”, as here

Apparently it found an executable with markers known to be associated with spyware or malicious activity and not considered part of legitimate application code. It’s possible that it found accidental “unsafe code” in a legitimate module, but there is a risk that it could have found the “virus” in an executable placed there by a website and inserted originally on a legitimate corporate site by a hacker, for later use in identity theft or perhaps DOS attacks.

Search engines find numerous lists of new threats including this and similarly spelled "Mal/" threats, but they always point back to a Sophos link, which gives little information other than "suspected malicious behavior". This may be spyware or keylogging or attempts to sell fake anti-virus products.

Webroot has been sending me advisories of a new Security Essentials upgrade, which I can only do by working with Geek Squad to remove a duplicate record on their files; I may get this done when I go to Windows 7. 

Both Webroot and Kaspersky have a "street" reputation of being much stricter with suspected malware than McAfee and Norton. Webroot has a very active Twitter feed.

(Note: the spelling of the virus name seems to have an "l" (lower case "L") and only then an "I" (upper case "i")), according to search engines, when looking it up.)

Saturday, November 20, 2010

Reprise on the Stuxnet worm: Q&A from Yahoo!, Webroot


Yahoo posted a Q&A on the Stuxnet Worm back in August which Webroot has reminded us of with a tweet. The link is here.

The worm seems to relate to the way Microsoft shows some shortcuts on the desktop. It may relate to the fact that touchpads on some laptops will try to create new shortcuts by mistake.

But Stuxnet appears to have been released with the idea that some people will take devices like USB flashes from home to work. The main harm could be in process control at power plants or manufacturing. There are some reports that Stuxnet is related to centrifuges in processing nuclear ores and was targeted at Iran’s controversial nuclear industry.

Major infrastructures like power grids are not supposed to be reachable from the public Internet. But as far back as 2002 there have been scattered reports of access points, and grids could be vulnerable to devices brought from other sites or from home and connected to work computers. Even military computers have been known to be infected this way.

Tuesday, November 16, 2010

Much of US government and military and ordinary home traffic was mistakenly routed through China; more on Stuxnet

Shuan Waterman has a story in The Washington Times on Tuesday Nov. 16, reporting that about 15% of American Internet traffic was routed through China for an 18 minute period e in April, according to some rogue networking optimization algorithms. Some of this traffic came from US government and military computers. Obviously, hackers could have enjoyed an opportunity to corrupt the traffic.

The story appears on the front page of the Tuesday, Nov. 16 Washington Times and has this link.

There are also media reports that the Stuxnet work was designed to disrupt Iran centrifuges associated with nuclear materials, but the worm has the potential to affect process control in various industrial operations and electric power grids, and it might circulate as an apparently harmless Trojan in home systems.

I had to chuckle today at NBC’s “Days of our Lives” when a character gets a computer virus from a video and didn’t bother to use anti-virus software and is so naïve!

Thursday, November 11, 2010

Twitter offers picture chart comparing anti-virus software

Twitter has a chart (“Twitpic”) that compares the results of tests by various anti-virus vendors. Webroot scored well, and, yes, Webroot sent out the Tweet. Here’s the link. You might have to refresh it once.

I thought that Titanium was the cloud product, but it scored lower.

By the way, I’m getting advisories from Webroot to upgrade to new Essentials (that includes a new firewall, replacing Windows), but because of a duplicate license issue going back to Best Buy, it won’t work. I’ll probably have to take care of this if I go to Windows 7 and do a bug upgrade of everything.

I also have Kaspersky and McAfee on two other Windows machines (and stripped down McAfee on all machines).

By the way, security experts recommend putting "tiny url" preview tools on your machine before clicking on them from Twitter, unless you know the entities you follow well.

Wednesday, November 10, 2010

FBI probes DOS attacks against antipiracy sites

A hacker group called “4chan” has launched anonymous denial of service attacks on websites of organizations heavily involved in copyright litigation, according to a CNET story by Greg Sandoval, link here.  The FBI is investigating attacks that took down a number of these sites, including that of the US Copyright Office.  The group apparently takes the “extremist” position that copyright protection is a kind of censorship.

Friday, November 05, 2010

Could home router owners be responsbile for illegal downloads of wardrivers?

The whopping judgment against a Minnesota woman for illegal downloading that she says she didn’t do, raises a question. True, RIAA says it is not suing now but is working with ISP’s. But if you have a home router, and a wardriver gets too close and does illegal downloading with your router, are you responsible? I wonder.

The server logs will identify the computer as well as router, so you would be able to prove it wasn’t your own computer. (See IT Jobs blog, June 10, 2010). But could you be responsible anyway? A hotel would not be responsible for illegal downloading done through its wireless network, I would think.

Many ISP's provision home routers for use without logon, but from a security viewpoint,. that may not be a good idea.

Tuesday, November 02, 2010

Application fingerprinting may become important than virus signature files

Webroot, a Denver based security company, has bought UK security vendor Prevx in order to establish a foothold in cloud-based security.

Prevx is a leading player in “application fingerprinting technology” which is likely to become critical in the future. It is getting increasingly difficult to maintain adequate security with regular updates of virus signature files and probably anti-virus engines on individual PC’s.

Tech World has a story on the acquisition by John E Dunn, with the title “Antivirus scanning becoming inadequate, says Webroot CEO”, link (website url) here.

Webroot sent this out as a tweet today with a condensed URL, which did not convert when I pulled it up. That hasn’t happened before. That tiny link was this.