Friday, December 07, 2012

More malware to worry about

Some hypochondriacs like to read about physical ailments in order to convince themselves that they have the diseases described. I visit computer security sites to read about the malware that may be infesting my system.

Logic tells me that there's no real reason to worry, not at the moment. Everything is running smoothly and rapidly. My system boasts a nearly-fresh install. All of the anti-malware apps say that this machine is running as clean as a baby's conscience.

And yet that uneasy feeling lingers. The bad guys have written a lot of dangerous new code -- malware unlike anything the world has seen before. Maybe it lurks somewhere on this system...

Or maybe it's on yours. And maybe you're infecting all of your friends.

Understand: I'm not really a tech guy. But I am a paranoia connoisseur.

If you want a good scare, read about the latest variant (euphoniously dubbed the Sst.c) of the TDL4 rootkit. We're talkin' about the nastiest, grimmest, gruesomest piece of code ever conceived by any cyber-malefactor. See here. And here and here.

Remember the Big Hand in Cabin in the Woods? That hand wrote this rootkit.

Firewalls can't stop it. Antivirus engines can't see it.

This thing is so damned sophisticated that I'm beginning to wonder about state sponsorship. We know that Stuxnet originated with Israel's infamous Unit 8200, originally as a way to get control of the computers used by Iranian nuclear technicians. For more info on Stuxnet, see the previous Cannonfire posts here and here. (Also see here.)

So far as I can determine, nobody has yet suggested in public that Unit 8200 may be behind TDL4 or any variant thereof. Well, let me be the first to raise that possibility.

How can anyone avoid being infected by a rootkit designed to evade detection by all antivirus scanners (free or paid)? I'm not sure. But here are two suggestions:

1. Use Sandboxie while web-surfing. A sandbox program keeps anything you download (wittingly or accidentally) in a cage, well away from your operating system. Alas, Sandboxie (cost: zero!) is a rather daunting app. Many find it a bit hard to navigate -- at first. This video from 2009 will give you the basics in a clear and comprehensible fashion. The reviewer is Matt Rizos -- a friendly, low-key computer security guy who talks like a normal human being. Unlike many other computer experts, he isn't arrogant. Bless you, Matt.

After you install Sandboxie, it shows up as an option in your context menu (the list you see when you right-click on something). This means you can use your browser in a normal fashion -- un-sandboxed -- when visiting your usual trusted sites. But when you explore the wilder, less familiar areas of the internet, you can start up a sandboxed version of your favorite browser.

So far, Sandboxie hasn't slowed me down at all. The basic version of the program is free. If you pay, you can get a few more bells and whistles.

There's a well-regarded free alternative to Sandboxie called Bufferzone. It's easier for novices to figure out. Alas, it won't work if you use Comodo's firewall.

2. Keep a pristine system image on a separate (preferably external) hard drive. A "system image" is a copy of your hard drive. If you receive any hint of evilness on your system, move any documents or other data files (images, videos, etc.) to a safe hard drive or a DVD (or to "the cloud"), then re-image your drive -- that is, replace everything on that drive with the copy you keep stored elsewhere for just such occasions. And when you re-image, reformat the whole thing.

I think that reformatting your drive will kill even the fearsome TDL4/Sst.c monster (which writes an invisible partition at the very end of an infected hard drive). But I'm not sure. If you can prove me wrong on that score, please educate us all.

If you don't know how to make an image, go here. Keep in mind -- the image should be of a fresh install of your operating system and programs. It has to be clean and perfect, with zero (ZERO ZERO ZERO) crap from the internet. No torrents, no downloads, no IRC, no unnecessary web-surfing, no nuthin'. Spend a weekend getting everything just right.

Being a paranoia connoisseur, I re-image every few months.

One other thing. If you are using a desktop system with a lot of hard drives, play it safe when you re-image: Turn off your computer, open 'er up and physically unplug all of the drives except for the two you will be using -- the C drive (the one you are wiping clean) and the drive that contains the image. (If that other drive is external, as it should be, it connects via USB.) Yeah, you can open up your desktop. Don't be a wussy.

Why should you unplug all other drives? Because you'll want to remove even the slightest chance of applying the image to the wrong drive. Re-imaging wipes a drive clean, so be ultra-careful!

Ransomware. You may have read about another threat -- Ransomware. This New York Times account of the problem is quite terrifying.

Basically, ransomware is a type of malware that locks up your system -- completely. You can't even use your keyboard (except for the numerical pad). You'll see nothing but a screen telling you that the government has caught you downloading illegal material, and that your computer won't work again unless you pay a fine, which will be in the $100-$200 range. Usually, you "catch" ransomware after visiting porn sites.

Believe it or not, many people are foolish enough to pay. Of course, their computers remain inoperative.

The two security tactics described above will help you in the battle against this foe. If you are unlucky enough to stumble across an example of ransomware while looking at copulating couples, Sandboxie will keep the beastie in a cage. If you get infected, simply re-image your drive. You'll have to boot up using a Windows recovery disk.

(By the way: You can also use the Macrium imaging system, which is free software. Some people prefer Macrium to the in-house Windows 7 imaging system. They're both good.)

Before re-imaging a drive crippled by ransomware, you may want to rescue documents and other files on your hard drive. I think you'll be safe if you take the main drive out of your system and plug it into another computer (for example, that ancient XP system you stowed in your closet years ago). Use it as a data drive, not as a C drive. If all goes well, you should be able to migrate your files into a safe place. After that, you can put the drive back into your main computer and re-image the thing.

If you don't have an image, you'll have to install everything from scratch.

If you think that the approach described above is extreme, there are other ways to deal with the problem of ransomware. This page has some excellent advice. Also consider the Norton Bootable Recovery Tool.

Note that one of the methods described on those sites involves booting up into Safe Mode. I've read that Windows 8 doesn't even have Safe Mode. One more reason to hate 8!

By the way: Please don't think that I ascribe all modern malware menaces to Unit 2600. Yeah, I'm paranoid, but not that paranoid. Of course, other nations are getting into the evil game of viral warfare. Still...after the Stuxnet episode, a certain amount of jumpiness is justifiable.

As always, readers are advised not to comment on this post if they are of the "Get a Mac" or "Get Linux" persuasions. In the first place, evangelists and zealots are always kind of annoying; you have nothing to say that we all haven't heard before. In the second place, the newest types of malware are comin' to get the Microsoft-phobes as well. Sure, you may feel safe right now, but it's just a matter of time...

One of these days, the bad guys will find a way to target portable tablet devices. God only knows what will happen then.

15 comments:

Maz said...

Oddly enough, I've been online virtually every day since mid-October 1983; I've downloaded an absurd number of files (I have 5 drives in this machine, including a 1.5 TB drive I installed in May 2011... that currently has 2 GB free); I've primarily used Microsoft OSes, beginning with PC-DOS 1.1; I've never used a PC firewall; *AND* until this past June, I'd never used a proactive antivirus utility.

And, sure, I got infected.

Once.

September 2008. It was a 'drive-by' hit that took advantage of a zero-day Quicktime exploit, reached through a bug in Firefox.

Oh, I'd had to clear viruses off my machine after letting friends surf the web. And I'd intentionally infected it a couple of times, usually by unzipping an archive I knew likely carried a Trojan as payload. But other than that, nothing.

Admittedly, I've been very lucky. At the same time, though, I've never been very dumb. For one thing, I don't use pirated software -- that cuts out a lot of risk right there. While I've been a huge fan of free/trialware for nearly 30 years, ever since falling in love with PC-Write, I don't download it from dodgy sites. Similarly, I pay attention to email attachments and suspicious URLs, instead of clicking randomly. For most of the last 10 or 15 years, I *have* used an antivirus; while I can't abide the drag on the system imposed by keeping one in an always-on state, I'd usually scan new downloads before opening or installing them. (Right-click on file; from context menu select 'scan with [AV app].') I'd still be using that method if I could find a way to run AVG entirely on-demand; unfortunately, it now seems to require a not-insignificant number of core routines be loaded on system boot. And although I forgo software firewalls, I *do* make use of hardware-based ones, either as a standalone or as a function of our DSL modem.

Viruses and trojans *aren't* inevitable.

Stephen Morgan said...

Linux is certainly safer, but Android is Linux and look at the Carrier IQ furore. On the other hand, Norton Bootable Recovery and the like are clearly untrustworthy.

Proprietary anti-virus companies have occasionally been shown to have spread malware, and authors of malware have often been people previously employed by anti-malware firms. You might as well trust the police to protect you from organised crime or the intelligence services to protect you from drugs and terrorism.

Open source is better because it takes balls of steel to put malware in where everyone can see it. Of course, if you really want security you use OpenBSD, not Linux. Although, there was a story a few years ago about the FBI hiring one of the OpenBSD development team to put a backdoor into its encryption system. And one of the biggest contributors to the Linux kernel is Microsoft.

So if you really want security, disconnect your computer from the internet, encrypt the hard drive and lock it in a box. But then there was that story about the CIA investing in some quantum computing company everyone had assumed was fraudulent, which could vastly speed up breaking encryption.

And the RIP act here in Britain says they can lock you up for not giving your encryption password.

But you're not a paranoid for thinking the box in your house connected to government computers (aka the internet), programmed by a profit making company and equipped with a microphone and camera is spying on you.

You don't even need a computer. As long ago as 99/2000 time, everyone attending the Superbowl (XXXV, apparently) was scanned by facial recognition. Do you ever pass CCTV? Or the NRO just gave NASA a couple of Hubble class telescopes. Do you ever go out where there's no roof? Your employer might require your facebook password, do you use that?

You know the CIA put brain implants in a cat, right? To broadcast what it sees back to base. And that was decades before I was born. Have you got a cat? Does he look at you? At your keyboard as you type? Is he there when you indulge in private depravities? Just the other day I was reading in Private Eye magazine, the only reliable English news publication and thus frequently sued for libel, about an Azeri dissident who spoke out against the government, and suddenly a tape of her having sex was on the internet. The article heavily implied it was government controlled malware, but maybe it was a beloved family pet. Okay, the CIA cat got hit by a taxi and killed on its first mission, but how many were there on active duty at the time? And how many today?

So a Linux Live CD isn't a panacea, but it's still better than not.

Stephen Morgan said...

Silly me, I forgot van Eck devices. I'm getting old and complacent. And "roving bugs", the use of mobile phones, even when turned off, as bugs by the authorities using the microphones.

And see here:
http://web.archive.org/web/20050301063045/http://www.sfbg.com/nessie/40.html
for the cats' eyes.

And you call yourself a paranoid. Now, if you thought it was aliens that might be spying on you, then you'd be a paranoid. As it is, you're not even reasonably cautious.

Lewis Rizos said...

Thanks for the link and the super nice comments! Bless you too!

Matt Rizos
Remove-Malware.com

Aeryl said...

A coworker got hit by that ransomware; the guy she got to repair it told her it was connected to a government virus used to take over computers in other countries.

And if you boot into Safe Mode too many times with ransomware, it will eventually corrupt that process as well.

Joseph Cannon said...

Aeryl, I'd like to know more about the government connections to ransomware. Intriguing.

I think that virus may be related to one called Shamoon, which was directed at Saudi oil executives. It locked up computers and placed an image of a burning American flag on screen...

http://topics.nytimes.com/top/reference/timestopics/subjects/c/computer_security/index.html

Joseph Cannon said...

Maz -- jeez, I can't believe that you've been so lucky. I have TWO antivirus engines running at all times. Most people will tell you that you can't use two simultaneously, but Panda seems to play well with others. I also have a strong firewall and Sandboxie AND nightly scans with various on-demand scanners.

affinis said...

Yes, Sandboxie is a great tool.
Malwarebytes is also a very good tool. The free version can be used for scans (and in my experience, has effectively cleaned up malware the other programs miss). The Pro version, which offers some real-time protection, is a good deal (only a single lifetime fee) and seems to work well alongside other live antimalware programs.
http://www.malwarebytes.org/products/malwarebytes_free/

A couple useful online malware scanners:
http://www.f-secure.com/en/web/labs_global/removal-tools/-/carousel/view/143
(F-secure has a good detection rate)
http://www.pandasecurity.com/homeusers/solutions/activescan/
(recently allowed me to clean a few malware bits that other programs left behind).

http://www.bitdefender.com/scanner/online/free.html
(not useful for cleaning per se, but will pick up some items other programs miss)

Some useful AV charts are linked here:
https://wikis.uit.tufts.edu/confluence/display/AntivirusDiscoveryProject/AV-Comparatives
Perhaps the most pertinent chart:
http://chart.av-comparatives.org/chart2.php

Two additional useful tools:
https://www.virustotal.com/
http://blogs.technet.com/b/srd/archive/2012/05/15/introducing-emet-v3.aspx

affinis said...

P.S. There's already a lot of malware out there targeting tablets and other mobile devices:
http://conference.auscert.org.au/conf2012/Juniper%20brochure.pdf
http://www.slashgear.com/android-malware-level-triples-in-q2-2012-16243054/
http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q2-2012.pdf?ClickID=dyh22kswwrocohxwon0rrtzntk2tobtrohxr

affinis said...

P.P.S.
Another tool that I've found useful (though a bit clunky).
http://www.multi-av.thespykiller.co.uk/help.htm
http://www.pctipp.ch/downloads/sicherheit/35905/multi_av_scanning_tool.html
It's a multi-AV scanner that allows you to download and scan with engines/definitions from several different anti-malware vendors. I haven't used it in the last year (so I don't know if all the linked scan engines download and work properly at this point), but it's been around a long time (and is periodically updated by the developer).

b said...

Joe - you can't be secure. As for Unit 2600, why trust Microsoft? A large part of that company's R&D is done in Israel. Even small-fry journalists with the wrong stuff on their laptops get hassled at ports of exit from that country. Microsoft can't possibly be clean, on any reasonable assumption. That'd be tantamount to 'pandering to terror'; they wouldn't be there in the first place.

Joseph Cannon said...

b, it's not that I trust Microsoft. But I build my own systems, and I can't abide Apple's "Pay twice as much for half the computer" policy.

b said...

For the record, I wasn't advocating getting a Mac or using another OS. I've got Windows XP SP2 here. If I wanted to do something securely, I'd have minimal contact with electronics, whether in cars, cameras, mains electrical circuits, or phones. Using the internet securely is a very tough task indeed.

On the humint side, I'd look among older people for my cutouts. Attitude towards Facebook is a good indicator of clue. The kids today don't have a glimmer of an understanding what everyone being watched by The Man means. Things have gone so far downhill since critical heads were talkin' about Promis a coupla decades ago.

We're fucked. Roll on the solstice and the end of the 13th b'ak'tun!

b said...

Well you did mention Israel... Rupert Murdoch has been criticised for being 'anti-Semitic' when he said the New York Times wasn't sufficiently pro-Israeli during the recent Gaza Massacre. I'd like to say I couldn't make this shit up, but I could.

Murdoch wrote the introduction to Israel in the World, a book that came to mind when you mentioned Unit 2600.

The book is Zionist propaganda, and was helped in its distribution by Israeli diplomats - official ones. It describes how the Zionists' global business strategy has as one of its central planks the push to make themselves necessary in 'business information software' and 'business security' pretty much everywhere. Hello Amdocs, for example. This is beyond mad dog. This is loonies holding the world to ransom. What the fuck is the plan for the Middle East when the West collapses?

In his article linked above, Michael Wolff does at least describe how he was once at an ADL dinner where Murdoch gave Berlusconi "an award for meritorious conduct with respect to the Jews." Thanks Mike. And then when the airforce is out bombing Gaza, Rupert says the Times isn't pro-Israeli enough. I mean, gratitude or what?

My guess would be that it was some faction inside the org, not outside it, that tried to teach Ben-Menashe a little lesson. Sure, this would break the code (don't ever diss made men) but...well...someone outside the org?? Do something like that and avoid making closer nocturnal acquaintance with fishes?

Gus said...

I'm late on this, but I've had a similar experience to Maz. One virus in 15 years of computing. Of course, I have always run anti-virus and a few malware scanners on my machines. I build my own as well and agree about Apple. As someone who's pretty much always used Microsoft, I can confirm that Linux is far more secure. Doesn't mean I want to use it.

I still think 90% (possibly more) of infected computers is just people doing stupid shit, like blindly clicking on links in emails, or attachments, or surfing porn or looking for pirated movies and music.

Of course, if I had a root kit I might not know at all...