<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Over iT! &#187; trojan</title>
	<atom:link href="http://www.overithelp.com/tags/trojan/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.overithelp.com</link>
	<description>Apple Consultants in Atlanta, GA</description>
	<lastBuildDate>Thu, 19 Aug 2010 16:06:45 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>No, you&#8217;re not infected&#8230;</title>
		<link>http://www.overithelp.com/2009/08/18/no-youre-not-infected/</link>
		<comments>http://www.overithelp.com/2009/08/18/no-youre-not-infected/#comments</comments>
		<pubDate>Tue, 18 Aug 2009 18:31:58 +0000</pubDate>
		<dc:creator>cameron</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[tips & tricks]]></category>
		<category><![CDATA[identity protection]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[trojan]]></category>
		<category><![CDATA[virus]]></category>
		<category><![CDATA[worm]]></category>

		<guid isPermaLink="false">http://www.overithelp.com/?p=212</guid>
		<description><![CDATA[A reader who wishes to remain anonymous is concerned about a very scary looking website. I attempt to calm the waters. I used Yahoo to search for something and was sent immediately to the following [redacted] site. I believe my Mac was invaded and don’t know what to do! First, relax. Your Mac wasn’t invaded, [...]]]></description>
			<content:encoded><![CDATA[<p>A reader who wishes to remain anonymous is concerned about a very scary looking website. I attempt to calm the waters.</p>
<blockquote><p>I used Yahoo to search for something and was sent immediately to the following [redacted] site. I believe my Mac was invaded and don’t know what to do!</p></blockquote>
<p>First, relax. Your Mac wasn’t invaded, infected, compromised, co-opted, or conquered. If you’d clicked through a few of those dire pop-up warnings you might have been as amused as I was to see a phony Windows Security Alert appear on a Macintosh. What you’ve encountered is termed “scareware”—a scam that attempts to frighten those confronted with these pages into downloading a hunk of software that will allegedly deal with the problem.</p>
<p><span id="more-212"></span>The chain of events goes like this: A perfectly legitimate URL is hijacked by the scammers and you’re redirected to the scareware page. That page is designed in such a way that several dialog boxes pop up, warning you that your computer is infected. Click Cancel and you’ll just get more warnings and an interface that makes it appear as though your computer is being scanned. If you fall for the trick and click the buttons necessary to download the offered antivirus software, you’ll pay for a product that is likely a hunk of malware (and I hate to think what happens to your credit card information). This malware is bad for Windows PCs but has no effect on Macs.</p>
<p>Typical scareware warning:<br />
<img src="http://images.macworld.com/images/howto/graphics/142200-scareware_original.jpg" alt="" /></p>
<p>Regrettably, these pages are sometimes difficult to dismiss because the constant pop-up warnings prevent you from leaving. Clicking OK may get rid of the pop-ups so that you can close the window or tab (and no, doing so won&#8217;t automatically download the software to your Mac), but I faced a situation with my wife’s Mac (she was just as concerned as you were) where I had to force-quit Safari to get away from the scareware page.</p>
<p>You can take some comfort in knowing that the search engine folks do their best to weed out this junk and that those who promote it have been—and will continue to be—prosecuted for engaging in such malicious and scammy activities.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.overithelp.com/2009/08/18/no-youre-not-infected/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ComboFix (Windows)</title>
		<link>http://www.overithelp.com/2009/05/12/combofix-windows/</link>
		<comments>http://www.overithelp.com/2009/05/12/combofix-windows/#comments</comments>
		<pubDate>Tue, 12 May 2009 17:33:33 +0000</pubDate>
		<dc:creator>cameron</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[news]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[software]]></category>
		<category><![CDATA[trojan]]></category>
		<category><![CDATA[virus]]></category>
		<category><![CDATA[windows]]></category>
		<category><![CDATA[worm]]></category>

		<guid isPermaLink="false">http://www.overithelp.com/?p=184</guid>
		<description><![CDATA[ComboFix is just as spartan as the screenshot here makes it look. You download ComboFix, run it, and it takes care of the rest. The basic ComboFix process looks like this: It backs up your registry, checks to see if you have Windows Recovery Console installed, and then it goes to town on your system [...]]]></description>
			<content:encoded><![CDATA[<p><img style="display: block;" src="http://cache.gawker.com/assets/images/lifehacker/2009/04/2009-04-25_225620.png" alt="" width="504" height="230" />ComboFix is just as spartan as the screenshot here makes it look. You download ComboFix, run it, and it takes care of the rest. The basic ComboFix process looks like this: It backs up your registry, checks to see if you have Windows Recovery Console installed, and then it goes to town on your system scanning away through 40+ stages. When it&#8217;s done, ComboFix spits out a log file and lists all the malware it found, which ones it was able to remove, and which ones you&#8217;ll have to use your Google-fu to look up how to remove manually. It isn&#8217;t fancy, but it gets the job done and gives you a detailed report at the end to take to security forums for help if you need it.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.overithelp.com/2009/05/12/combofix-windows/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Panda Cloud Antivirus is a Lightweight, Always-Updated Virus Killer</title>
		<link>http://www.overithelp.com/2009/05/12/panda-cloud-antivirus-is-a-lightweight-always-updated-virus-killer/</link>
		<comments>http://www.overithelp.com/2009/05/12/panda-cloud-antivirus-is-a-lightweight-always-updated-virus-killer/#comments</comments>
		<pubDate>Tue, 12 May 2009 17:20:42 +0000</pubDate>
		<dc:creator>cameron</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[microsoft]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[software]]></category>
		<category><![CDATA[trojan]]></category>
		<category><![CDATA[virus]]></category>
		<category><![CDATA[windows]]></category>
		<category><![CDATA[worm]]></category>

		<guid isPermaLink="false">http://www.overithelp.com/?p=178</guid>
		<description><![CDATA[Windows only: Panda Cloud Antivirus uses the power of cloud computing to scan and eliminate viruses from your PC that can identify new malware in almost [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: center;"><img class="aligncenter" style="display: block;" src="http://cache.gawker.com/assets/images/lifehacker/2009/04/pandacloud1.png" alt="" width="392" height="306" /></p>
<p style="text-align: left;">Windows only: Panda Cloud Antivirus uses the power of cloud computing to scan for and eliminate viruses on your PC, and can identify new malware in almost real time.</p>
<p style="text-align: left;">Traditional anti-virus applications simply download an update from the servers on a periodic basis to keep their virus definitions current with the latest viruses—Cloud Antivirus uses its cloud system to do the work of classifying and scanning for new viruses, and is constantly updated with the latest virus information based on information from every other PC running the software.</p>
<p>The client is lightweight, taking a mere 16MB of RAM on our test system—and while it caches a copy of the definitions for offline use, it doesn&#8217;t seem to take much drive space either. We&#8217;ve not had a chance to test the software against real malware—in our testing it quickly found and eliminated a bunch of spy cookies, but it&#8217;s refreshing to see new innovation in the boring world of virus killing.</p>
<p>Panda Cloud Antivirus is a free download for 32-bit Windows only, and <a href="http://news.cnet.com/8301-17939_109-10229588-2.html?part=rss&amp;tag=feed&amp;subj=Webware">according to CNET</a> will stay free for personal use even after it is released from beta. For more, check out the <a href="http://lifehacker.com/5227896/five-best-malware-removal-tools">five best malware removal tools</a>, and the <a href="http://lifehacker.com/395046/five-best-antivirus-applications">five best antivirus applications</a>.</p>
<div class="related"><a href="http://www.cloudantivirus.com/">Panda Cloud Antivirus</a> [via <a href="http://news.cnet.com/8301-17939_109-10229588-2.html?part=rss&amp;tag=feed&amp;subj=Webware">CNET</a>]</div>
]]></content:encoded>
			<wfw:commentRss>http://www.overithelp.com/2009/05/12/panda-cloud-antivirus-is-a-lightweight-always-updated-virus-killer/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Information about Conficker</title>
		<link>http://www.overithelp.com/2009/04/11/information-about-conficker/</link>
		<comments>http://www.overithelp.com/2009/04/11/information-about-conficker/#comments</comments>
		<pubDate>Sat, 11 Apr 2009 06:43:34 +0000</pubDate>
		<dc:creator>cameron</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[news]]></category>
		<category><![CDATA[conficker]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[microsoft]]></category>
		<category><![CDATA[trojan]]></category>
		<category><![CDATA[updates]]></category>
		<category><![CDATA[virus]]></category>
		<category><![CDATA[windows]]></category>
		<category><![CDATA[worm]]></category>

		<guid isPermaLink="false">http://www.overithelp.com/?p=111</guid>
		<description><![CDATA[Here’s an illustration of how the Conficker worm works Conficker is a collection of related malware strains typically described as a worm due to its ability to self-propagate through a network.  In other words, in contrast to a typical virus, Conficker does not necessarily need a user to do anything such as click on an [...]]]></description>
			<content:encoded><![CDATA[<dl class="wp-caption alignleft" style="width: 410px;">
<dt class="wp-caption-dt"><img title="Conficker Diagram" src="https://www.overithelp.com/diagram.jpg" alt="Conficker Diagram" width="400" height="296" /></dt>
</dl>
<p>Here’s an illustration of how the Conficker worm works.</p>
<p>Conficker is a collection of related malware strains typically described as a worm due to its ability to self-propagate through a network. In other words, in contrast to a typical virus, Conficker does not necessarily need a user to do anything, such as click on an infected file, to compromise a system. There are currently three known variants of Conficker (also called Downadup by some anti-malware vendors), and each of them can propagate through a number of mechanisms, the most common of which is exploiting a vulnerability in <strong>Microsoft Windows</strong>. This vulnerability can be fixed by applying a patch from Microsoft that was released last November (link below).</p>
<p><span id="more-111"></span></p>
<p>On April 1st, the Conficker C variants will begin using a new domain-name-generating algorithm that draws on a much larger set of potential domain names than the previous variants used, in an attempt to stay in contact with their command and control channel. That is all that the drones are programmed to do. It is important to note that the authors could also do this today via the P2P capability, so there is no real significance to the April 1st date other than the activation of the new domain-name-generating algorithm.</p>
<p>Windows Update<br />
<a href="http://windowsupdate.microsoft.com">http://windowsupdate.microsoft.com</a></p>
<p>Free Anti-Virus Online Scan<br />
<a href="http://onecare.live.com/site/en-us/default.htm">http://onecare.live.com/site/en-us/default.htm</a></p>
<p>Free Anti-Virus Software<br />
<a href="http://free.avg.com">http://free.avg.com</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.overithelp.com/2009/04/11/information-about-conficker/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
