<?xml version="1.0" encoding="UTF-8"?> <rss
version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
> <channel><title>gHacks Technology News &#124; Latest Tech News, Software And Tutorials &#187; trojan</title> <atom:link href="http://www.ghacks.net/tag/trojan/feed/" rel="self" type="application/rss+xml" /><link>http://www.ghacks.net</link> <description>A technology news blog covering software, mobile phones, gadgets, security, the Internet and other relevant areas.</description> <lastBuildDate>Fri, 10 Feb 2012 13:29:21 +0000</lastBuildDate> <language>en</language> <sy:updatePeriod>hourly</sy:updatePeriod> <sy:updateFrequency>1</sy:updateFrequency> <generator>http://wordpress.org/?v=3.3.1</generator> <atom:link rel="hub" href="http://pubsubhubbub.appspot.com"/><atom:link rel="hub" href="http://superfeedr.com/hubbub"/> <item><title>Windows XP Has 10-Times The Infection Rate Of Windows 7</title><link>http://www.ghacks.net/2011/11/11/windows-xp-has-10-times-the-infection-rate-as-windows-7/</link> <comments>http://www.ghacks.net/2011/11/11/windows-xp-has-10-times-the-infection-rate-as-windows-7/#comments</comments> <pubDate>Fri, 11 Nov 2011 10:28:15 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Microsoft]]></category> <category><![CDATA[Security]]></category> <category><![CDATA[malware infection]]></category> <category><![CDATA[microsoft]]></category> <category><![CDATA[Security Intelligence Report]]></category> <category><![CDATA[trojan]]></category> <category><![CDATA[virus]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=52589</guid> <description><![CDATA[The Security Intelligence Report is a biannual report by Microsoft that analyzes past and present security trends. It focuses on &#8220;software vulnerabilities, software vulnerability exploits, malicious and potentially unwanted software, and security breaches&#8221;. The latest report published yesterday focuses on the first and second quarter of 2011 and compares the findings with data from previous [...]]]></description> <content:encoded><![CDATA[<p>The Security Intelligence Report is a biannual report by Microsoft that analyzes past and present security trends. It focuses on &#8220;software vulnerabilities, software vulnerability exploits, malicious and potentially unwanted software, and security breaches&#8221;. The latest report published yesterday focuses on the first and second quarter of 2011 and compares the findings with data from previous years.</p><p>How does malware propagate? According to Microsoft&#8217;s report (gathered from Microsoft&#8217;s Security Removal Tool) almost 45% requires user interaction, e.g. executing a file. Another 43% uses AutoRun capabilities via USB or a network to infect a system. The remaining 12% list file infections, exploits where updates are available and password brute force attacks.</p><p><a
href="http://www.ghacks.net/wp-content/uploads/2011/11/malware-propagation.jpg"><img
src="http://www.ghacks.net/wp-content/uploads/2011/11/malware-propagation.jpg" alt="malware propagation" title="malware propagation" width="579" height="321" class="alignnone size-full wp-image-52590" /></a></p><p>It is interesting to note that disabling autorun would eliminate nearly 50% of all malware threats. Exploits, which get lots of coverage on the Internet, account for only 6% of detections.</p><p>A look at the different types of exploits reveals that exploits targeting Java were responsible for up to one-half of all exploits in a given quarter. Operating system exploits have passed HTML and Script exploits in the second quarter which can be solely attributed to a vulnerability in Windows Shell which was for instance exploited by the Stuxnet family.</p><p>When it comes to document exploits it is Adobe Reader and Acrobat that have accounted for most of the exploits in the first half of 2011.</p><p>Operating system infection rates paint an interesting picture. Nearly ten times as many Windows XP SP3 systems get infected as Windows 7 SP1 64-bit systems. Windows 7 Service Pack 1 32-bit systems have a ratio of 1:6 compared to Windows XP&#8217;s infection rate.</p><p><a
href="http://www.ghacks.net/wp-content/uploads/2011/11/operating-system-infection-rates.jpg"><img
src="http://www.ghacks.net/wp-content/uploads/2011/11/operating-system-infection-rates.jpg" alt="operating system infection rates" title="operating system infection rates" width="591" height="356" class="alignnone size-full wp-image-52591" /></a></p><p>Even Windows Vista with its latest service pack installed reports only half of the infection rate that Windows XP reports.</p><p>A look at the different threat families and categories sees Adware at the top followed by misc potentially unwanted software, misc trojans and a second smaller group led by Worms, Trojan downloaders, virus, password stealers and backdoors.</p><p><a
href="http://www.ghacks.net/wp-content/uploads/2011/11/threat-families.jpg"><img
src="http://www.ghacks.net/wp-content/uploads/2011/11/threat-families-600x345.jpg" alt="threat families" title="threat families" width="600" height="345" class="alignnone size-medium wp-image-52592" /></a></p><p>Email spam decreased dramatically in the past twelve months according to the Microsoft report. From 89 billion messages in July 2010 to 25 billion in June 2010. Microsoft attributes this to the takedown of two major botnets in August 2010 and March 2011.</p><h3>Global Infection Rates by country</h3><ul><li>United States:</li><li>Brazil: Most trojan downloaders and droppers, most exploits, most password stealers and monitoring tools.</li><li>France: Most Adware</li><li>United Kingdom</li><li>China: Most backdoors and spyware</li><li>Germany</li><li>Russia: Most misc potentially unwanted software</li><li>Italy</li><li>Canada</li><li>Turkey: Most misc trojans, Worms and Viruses</li></ul><p><a
href="http://www.ghacks.net/wp-content/uploads/2011/11/global-threats.jpg"><img
src="http://www.ghacks.net/wp-content/uploads/2011/11/global-threats-600x310.jpg" alt="global threats" title="global threats" width="600" height="310" class="alignnone size-medium wp-image-52593" /></a></p><p>Interested users <a
href="http://www.microsoft.com/security/sir/default.aspx">can download</a> the latest report and previous reports from Microsoft&#8217;s Security Intelligence Report website.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/11/11/windows-xp-has-10-times-the-infection-rate-as-windows-7/feed/</wfw:commentRss> <slash:comments>28</slash:comments> </item> <item><title>Duqu Zero-Day Exploit Discovered, Removal Tool Released</title><link>http://www.ghacks.net/2011/11/02/duqu-zero-day-exploit-discovered-removal-tool-released/</link> <comments>http://www.ghacks.net/2011/11/02/duqu-zero-day-exploit-discovered-removal-tool-released/#comments</comments> <pubDate>Wed, 02 Nov 2011 10:38:05 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[Software]]></category> <category><![CDATA[Windows]]></category> <category><![CDATA[duqu]]></category> <category><![CDATA[rootkit]]></category> <category><![CDATA[trojan]]></category> <category><![CDATA[windows security]]></category> <category><![CDATA[windows vulnerability]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=52230</guid> <description><![CDATA[If you have been following security news lately you may have already heard about the Duqu rootkit that combines the technology of the Stuxnet rootkit with a backdoor trojan and keylogger. Duqu has been discovered on October 18 and infection reports have started to come in soon thereafter. Not all security suites and products detect [...]]]></description> <content:encoded><![CDATA[<p>If you have been following security news lately you may have already heard about the Duqu rootkit that combines the technology of the Stuxnet rootkit with a backdoor trojan and keylogger. Duqu has been discovered on October 18 and infection reports have started to come in soon thereafter.<br
/> Not all security suites and products detect the Duqu rootkit right now which, in combination with the fact that it exploits a zero-day vulnerability in Windows, makes it a very dangerous threat. Microsoft is currently working on a patch to protect systems from the vulnerability (which would make further infections on patched PCs impossible)</p><p>Rootkit.Duqu.A is digitally signed (with a stolen and revoked certificate) which means that it targets not only 32-bit Windows systems but also 64-bit editions of the Microsoft Windows operating system. According to information posted by <a
href="http://www.duquremoval.com/en.html?country=in">Bitdefender</a>, Duqu runs for 36 days on a computer collecting information entered via the keyboard. This may include passwords, emails, conversations, logins on popular sites and even banking and credit card information.</p><p><a
href="http://www.symantec.com/connect/w32-duqu_status-updates_installer-zero-day-exploit">Symantec</a> has posted additional information about Duqu&#8217;s installer. According to Symantec&#8217;s information, Duqu is spread as a Microsoft Word document that exploits a Windows kernel vulnerability that allows code execution. When a user opens the Word document the malicious code is executed and Duqu is installed on the system.</p><p>Duqu infections have already been confirmed in countries such as France, Switzerland, India, the United Kingdom, Austria and the Netherlands.</p><p>Symantec has <a
href="http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf">released</a> a whitepaper in pdf format that contains all known details up to this point.</p><p>Windows users who want to make sure that their system is clean and not infected by the Duqu rootkit can use Bitdefender&#8217;s Removal Tool to scan the system and if necessary disinfect it.</p><p><a
href="http://www.ghacks.net/wp-content/uploads/2011/11/duqu-rootkit-removal.jpg"><img
src="http://www.ghacks.net/wp-content/uploads/2011/11/duqu-rootkit-removal.jpg" alt="duqu rootkit removal" title="duqu rootkit removal" width="484" height="466" class="alignnone size-full wp-image-52231" /></a></p><p>The portable rootkit remover can be downloaded from an official Bitdefender website. All that Windows users need to do is to click on the Scan button to start the scan. The program will list any files that have been identified to be part of the Duqu rootkit. Please note that the program may require elevated rights on some machines.</p><p>Is there a way to protect your computer in the meantime? Yes, do not open Word documents locally. Use an online document viewer like Google Docs or Docs.com for that. (<a
href="http://techdows.com/2011/10/duqu-removal-tool.html">via</a>)</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/11/02/duqu-zero-day-exploit-discovered-removal-tool-released/feed/</wfw:commentRss> <slash:comments>14</slash:comments> </item> <item><title>German Federal Trojan Supports 64-bit Windows Systems, Analysis Suggests</title><link>http://www.ghacks.net/2011/10/19/german-federal-trojan-supports-64-bit-windows-systems-analysis-suggests/</link> <comments>http://www.ghacks.net/2011/10/19/german-federal-trojan-supports-64-bit-windows-systems-analysis-suggests/#comments</comments> <pubDate>Wed, 19 Oct 2011 09:42:30 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[f-secure]]></category> <category><![CDATA[kaspersky]]></category> <category><![CDATA[skype trojan]]></category> <category><![CDATA[trojan]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=51668</guid> <description><![CDATA[About two weeks ago word got out that the Chaos Computer Club got their hands on what they identified as a German state-sponsored trojan. The initial analysis assumed that the trojan would only run on 32-bit Windows systems. We reviewed a software that would detect the trojan on the system. Two weeks later things have [...]]]></description> <content:encoded><![CDATA[<p>About two weeks ago word got out that the Chaos Computer Club got their hands on what they identified as a German state-sponsored trojan. The initial analysis assumed that the trojan would only run on 32-bit Windows systems. We reviewed a software that would <a
href="http://www.ghacks.net/2011/10/10/detect-alleged-german-state-sponsored-trojan-on-your-pc/">detect the trojan</a> on the system.</p><p>Two weeks later things have changed considerably. Several German states <a
href="http://www.dw-world.de/dw/article/0,,15449054,00.html">acknowledged</a> that the backdoor was used by German police forces to spy on communication software installed on computers. According to the news spyware programs were in use since 2009.</p><p>The initial analysis of the contents was far from complete. Security experts at <a
href="http://www.f-secure.com/weblog/archives/00002250.html">F-Secure</a> and <a
href="http://www.securelist.com/en/blog/208193167/Federal_Trojan_s_got_a_Big_Brother">Kaspersky</a> posted the results of their analysis recently which offer a more detailed view of the malware&#8217;s capabilities.</p><p>Kaspersky discovered that the trojan installer supports both 32-bit and 64-bit Windows operating systems. Experts  previously assumed that only 32-bit systems could be targeted by it.</p><p>The second finding is a list of applications that the trojan has been designed to monitor. This list is larger than the initial list that the Chaos Computer Club published. A total of 15 applications are listed, including Firefox, Explorer, Opera, Skype, Microsoft Messenger, ICQ and Yahoo Messenger.</p><p>The trojan injects code into those processes:</p><blockquote><p>Code injection into target processes is carried out by the dropper, two user-mode components and also a 32 bit kernel driver with extended functionality compared to the version previously analyzed, which only provided an interface for registry and file system modifications. This new driver starts an additional thread that constantly loops over the current list of running processes and injects a DLL into each whose image name matches an entry from the following list:</p></blockquote><p>The 64-bit Kernel driver is limited in its functionality compared to the 32-bit component.</p><blockquote><p>Contrary to the 32 bit version, the 64 bit driver does not contain any process infection functionality but only provides a rudimentary privilege escalation interface through file system and registry access. 
Similar to its brother, it creates a device and implements a basic protocol for communicating with user-mode applications.</p></blockquote><p>Kaspersky identified a 1024 bit RSA certificate issued by Goose Cert on April 11, 2010.</p><p>The F-Secure blog has more information on how the backdoor was installed on target systems.</p><blockquote><p>In one case, the trojan was installed on a suspect&#8217;s laptop while he was passing through customs &#038; immigration at the Munich International airport.</p></blockquote><p>The existence of a 64-bit component, the monitoring of additional processes and information on how the trojan was installed on systems confirm that there has been more to that state sponsored trojan than initially assumed. The majority of security software available should detect the backdoor by now.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/10/19/german-federal-trojan-supports-64-bit-windows-systems-analysis-suggests/feed/</wfw:commentRss> <slash:comments>1</slash:comments> </item> <item><title>Detect Alleged German State-Sponsored Trojan On Your PC</title><link>http://www.ghacks.net/2011/10/10/detect-alleged-german-state-sponsored-trojan-on-your-pc/</link> <comments>http://www.ghacks.net/2011/10/10/detect-alleged-german-state-sponsored-trojan-on-your-pc/#comments</comments> <pubDate>Mon, 10 Oct 2011 12:52:49 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[Windows]]></category> <category><![CDATA[chaos computer club]]></category> <category><![CDATA[portable software]]></category> <category><![CDATA[seganos]]></category> <category><![CDATA[trojan]]></category> <category><![CDATA[windows software]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=51346</guid> <description><![CDATA[I have monitored news about the alleged German state-sponsored trojan closely ever since the German Chaos Computer Club posted information about it online. While there is not a definitive proof that it is indeed malware designed and operated by German police forces, it is definitely something that computer users need to be aware of. I [...]]]></description> <content:encoded><![CDATA[<p>I have monitored news about the alleged German state-sponsored trojan closely ever since the German Chaos Computer Club <a
href="http://www.ccc.de/en/updates/2011/staatstrojaner">posted</a> information about it online. While there is not a definitive proof that it is indeed malware designed and operated by German police forces, it is definitely something that computer users need to be aware of.</p><p>I do not want to get into too many details at this point in time and suggest you read the long post over at the club&#8217;s website to get a better understanding of what it can and cannot do. A binary version of the program has been uploaded to the club&#8217;s website as well.</p><p>Only that much. The so called Bundestrojaner (federal trojan) works in its detected form on 32-bit Windows operating systems. The trojan targets software used for communication. This includes Skype, ICQ or the MSN Messenger but also web browsers. It acts as a keylogger and contains functionality to download and execute code from remote locations. It can furthermore take screenshots, record audio and supports remote updating.</p><p>The core issue here is not that such a trojan exists as it was openly discussed in Germany, but that the trojan is capable of going beyond what the German Federal Constitutional Court allowed police forces to do with it.</p><p>While it appears to be more of a local German issue, it is not completely out of the question that the trojan was planted on computer systems of foreign nationals.</p><p>Security company Steganos has released a first version of the &#8211; German only &#8211; Anti-Bundestrojaner, a software to detect the trojan on 32-bit Windows systems. The software is free and portable, and can be downloaded <a
href="https://www.steganos.com/de/produkte/gratis-fuer-sie/anti-bundestrojaner/uebersicht/">from the</a> Steganos website with a click on the Jetzt Herunterladen button.</p><p>All that you need to do is to run the program and click on the Analyse starten&#8230; button in the interface. This starts the system scan.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/10/steganos-anti-bundestrojaner.jpg" alt="steganos anti bundestrojaner" title="steganos anti bundestrojaner" width="600" height="415" class="alignnone size-full wp-image-51347" /></p><p>The security software scans the system and will display findings in the interface. It will scan the system for drivers and libraries, and try to make a connection to the remote servers of the trojan. A red icon in front of a line followed by the word Kritisch (critical) means that it has detected a file belonging to the trojan.</p><p>If that is the case a popup will be displayed prompting the user to either select Ja (yes) to delete the identified files or Nein (no) to leave them on the system.</p><p>If you select yes you are asked to reboot the system after the deletion completes. Select ja to reboot right away or nein to reboot at a later time.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/10/10/detect-alleged-german-state-sponsored-trojan-on-your-pc/feed/</wfw:commentRss> <slash:comments>14</slash:comments> </item> <item><title>&#8220;Indestructible&#8221; Botnet Discovered</title><link>http://www.ghacks.net/2011/07/01/indestructible-botnet-discovered/</link> <comments>http://www.ghacks.net/2011/07/01/indestructible-botnet-discovered/#comments</comments> <pubDate>Fri, 01 Jul 2011 08:18:44 +0000</pubDate> <dc:creator>Mike Halsey MVP</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[botnet]]></category> <category><![CDATA[malware]]></category> <category><![CDATA[tdl]]></category> <category><![CDATA[trojan]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=47209</guid> <description><![CDATA[Security and operating system companies have been very successful in the last year at taking down major botnets, networks of malware-infected PCs that can act in unison under remote control to perform distributed denial of service (DDOS) attacks and send huge volumes of spam email.  Now a new botnet, named TDL, has been discovered that is very [...]]]></description> <content:encoded><![CDATA[<p>Security and operating system companies have been very successful in the last year at taking down major botnets, networks of malware-infected PCs that can act in unison under remote control to perform distributed denial of service (DDOS) attacks and send huge volumes of spam email.  Now a new botnet, named TDL, has been discovered that is very difficult to detect and shut down.</p><p>Over four and a half million PCs have become infected with the TDL trojan in the last three months.  In a report on the new botnet, security researchers at <a
href="http://www.securelist.com/en/analysis/204792180/TDL4_Top_Bot" target="_blank">Kaspersky labs</a> said &#8220;The owners of TDL are essentially trying to create an &#8216;indestructible&#8217; botnet that is protected against attacks, competitors, and anti-virus companies.&#8221;</p><p>TDL installs itself into the Master Boot Record of Windows, where anti-virus programs often fail to look and uses a new encryption method for protecting communication between the infected PC and the operators.  This makes it very difficult to trace the traffic from the PC and locate the people controlling the botnet.</p><p><img
class="alignleft size-full wp-image-47228" src="http://www.ghacks.net/wp-content/uploads/2011/07/computer-virus11.jpg" alt="botnet" width="175" height="176" />In addition, this botnet doesn&#8217;t use direct communication between machines, but instead uses a peer-to-peer system, such as those used in file sharing.  This decentralises the communication, making it even harder to trace.</p><p>In their report the researchers said &#8220;It&#8217;s definitely one of the most sophisticated botnets out there.&#8221;</p><p>The majority of infections so far have been reported in the USA (28%) with India second in the infected list at 7%.  The infection rates are rising sharply though, and there&#8217;s been no reporting yet from Microsoft on whether the enhanced protection and security in Windows 7 will help defend against infection.</p><p>It&#8217;s clear that the best way to fight the TDL trojan so far will be in individual machines, though it is still common for millions of people to leave their computers open to infection by not understanding the risks involved and how they can protect against them.</p><p>There are also still millions of people running Windows XP and the hugely insecure Internet Explorer 6 web browser.  This will aid the distribution and infection rates for TDL.  Finally it is critically important that people have Windows Update activated on their computers.</p><p>The trojan has been distributed via booby-trapped websites.  
It has so far been discovered lurking on porn and pirate movie websites, along with some sites offering storage for photos and video files.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/07/01/indestructible-botnet-discovered/feed/</wfw:commentRss> <slash:comments>11</slash:comments> </item> <item><title>Why we Need Technology Transparency Info for Websites</title><link>http://www.ghacks.net/2011/04/04/why-we-need-technology-transparency-info-for-websites/</link> <comments>http://www.ghacks.net/2011/04/04/why-we-need-technology-transparency-info-for-websites/#comments</comments> <pubDate>Mon, 04 Apr 2011 09:43:38 +0000</pubDate> <dc:creator>Mike Halsey MVP</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[The Web]]></category> <category><![CDATA[botnet]]></category> <category><![CDATA[server]]></category> <category><![CDATA[sql]]></category> <category><![CDATA[trojan]]></category> <category><![CDATA[web]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=43438</guid> <description><![CDATA[It&#8217;s been over a decade now that we&#8217;ve had secure socket layer (SSL) encryption technology for making Internet transactions safe. With only a very few exceptions, including a certificate cloning scare a couple of years ago, it&#8217;s worked very well and has enabled millions of people online to perform trillions of online purchases and financial [...]]]></description> <content:encoded><![CDATA[<p>It&#8217;s been over a decade now that we&#8217;ve had secure socket layer (SSL) encryption technology for making Internet transactions safe. With only a very few exceptions, including a certificate cloning scare a couple of years ago, it&#8217;s worked very well and has enabled millions of people online to perform trillions of online purchases and financial transactions.</p><p>Last week however thousands of websites running Microsoft SQL Server 2003 and 2005 were hit by cyber-criminals with an attack designed to circumvent their security. The attack injected code into the servers that meant every visitor thereafter would be greeted by a message saying their computer had been infected by hundreds of viruses.</p><p>This of course wasn&#8217;t true, it was a way to trick people into paying for a downloadable trojan that would <em>clean</em> the virus problem but would really install botnets, keyloggers and more onto your PC. Worse, in paying for this software, the criminals would then have your credit card details&#8230; or more!</p><p>This attack could have compromised 28,000 websites according to some reports and is frightening news, especially for all those of us with personal data held by web companies A, B and C.</p><p>This brings me back to SSL. 
If we want to shop online then for over a decade our web browsers have been able to warn us whether or not the information we send is being encrypted, and if that website is deemed safe for financial transactions or for the exchange of personal data.</p><p>Then we have companies including Microsoft and Google maintaining blacklists of unsafe websites, shared between them and anti-virus companies, to warn us further of malware-ridden websites by turning our browsers red.</p><p>What we don&#8217;t have are warnings about how secure the underlying technology on a website is, and whether we can trust <em>that</em>.</p><p>There&#8217;s no reason why this would be hard to do either, an encrypted file located on the server (probably with the SSL certificate) that could be read by the browser and certificated by a third-party would be all that would be needed, after all this is tried and tested technology. This file would contain information about the hosting on that computer, what operating system version it runs and the versions of what other technologies it is using.</p><p>In the cases outlined above a system such as this would have warned visitors to the websites that the sites they were visiting and trusting their personal information to, were using older technologies that, even when properly patched, could be vulnerable to attack.</p><p>Indeed many people who already know about such things, might choose to steer clear of all servers running Windows in favour of those running Linux and MySql.</p><p>It truly amazes me that we don&#8217;t already have a system such as this but I&#8217;m even more stunned that so many companies and hosting firms are using technologies on their website that are almost a decade old. 
So come on people, agree a standard by which, within a small margin of error, we can see a traffic light of how secure our personal information will be on a website before we hand it over.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/04/04/why-we-need-technology-transparency-info-for-websites/feed/</wfw:commentRss> <slash:comments>2</slash:comments> </item> <item><title>The Cleaner</title><link>http://www.ghacks.net/2010/02/12/the-cleaner/</link> <comments>http://www.ghacks.net/2010/02/12/the-cleaner/#comments</comments> <pubDate>Fri, 12 Feb 2010 09:48:27 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[Software]]></category> <category><![CDATA[Windows]]></category> <category><![CDATA[antivirus software]]></category> <category><![CDATA[gotd]]></category> <category><![CDATA[malicious software]]></category> <category><![CDATA[the cleaner]]></category> <category><![CDATA[trojan]]></category> <category><![CDATA[virus]]></category> <category><![CDATA[windows software]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=23004</guid> <description><![CDATA[The Cleaner was back in the days one of the few solid programs to clean malicious software from a Windows computer system. It somehow seems to have lost its appeal to many users even though the developers claim that it is the fastest anti-virus solution with best virus detection rates available for the Windows operating [...]]]></description> <content:encoded><![CDATA[<p>The Cleaner was back in the days one of the few solid programs to clean malicious software from a Windows computer system. It somehow seems to have lost its appeal to many users even though the developers claim that it is the fastest anti-virus solution with best virus detection rates available for the Windows operating system.</p><p>The Cleaner is an antivirus software, not a suite which means it does not offer a firewall, email spam scanning or any of the other modules that security suites offer. It can therefore be best compared to other standalone antivirus solutions such as AVG 9 or Avast.</p><p><span
id="more-23004"></span>The developers have divided the program into a scanner and a resident program, both highly compatible with other antivirus solutions installed on the computer system. The program uses a database of malicious software plus advanced heuristics to detect known and unknown threats on a computer system.</p><p><del
datetime="2010-02-12T09:51:10+00:00">The Giveaway of the Day edition does not offer the TCActive module that monitors processes in the background. This version of The Cleaner is therefore only suitable for scanning the computer system for malicious software.</del></p><p>TCActive is available in the program directory despite the help file claiming that it is only available in retail versions of the security program. It needs to be started manually and will run in the background afterwards.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2010/02/the_cleaner-500x304.jpg" alt="" title="the cleaner" width="500" height="304" class="alignnone size-medium wp-image-23005" /></p><p>The tab driven program is easy to use. The user should start by clicking on the Update tab to update the program&#8217;s database, something that does not seem to be handled automatically by the antivirus software.</p><p>The scan tab provides the means to perform a smart scan that will only scan popular locations for malware or full scan which will scan everything on the hard drives selected by the user.</p><p>The only other options provided are to change the heuristics level from relaxed to paranoid in a slider, to whitelist files so that they are not scanned by the software and to take a look at reports and the log.</p><p>The Cleaner in this regard is therefore a solid addition to any security setup a user might already have installed on the computer system. <del
datetime="2010-02-12T09:51:10+00:00">The lack of the background process monitor make it not suitable as the only antivirus program on the system.</del></p><p><strong>Installation of The Cleaner</strong></p><p>Installation is straightforward. Just execute the setup.exe after extracting the files to the local computer system. The serial number for The Cleaner is located in the readme file that is part of the zip file. The program can be registered after the first startup. A restart of the software is required afterwards.</p><p><strong>Positive</strong></p><ul><li>Fast Scan</li><li>Compatible with other antivirus software and security suites</li><li>Background monitoring with TCActive</li></ul><p><strong>Negative</strong></p><ul><li><del
datetime="2010-02-12T09:51:10+00:00">No TCActive module means no background monitoring</del></li><li>Updates have to be initiated manually</li></ul><p>The Cleaner, <del
datetime="2010-02-12T23:32:06+00:00">well the crippled version without TCActive</del>, is available for free at the <a
href="http://www.giveawayoftheday.com/the-cleaner/">Giveaway of the Day</a> website. The developer&#8217;s website is accessible <a
href="http://www.moosoft.com">here</a>.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2010/02/12/the-cleaner/feed/</wfw:commentRss> <slash:comments>3</slash:comments> </item> <item><title>Recover Computer System After Malware Infection</title><link>http://www.ghacks.net/2009/07/10/recover-computer-system-after-malware-infection/</link> <comments>http://www.ghacks.net/2009/07/10/recover-computer-system-after-malware-infection/#comments</comments> <pubDate>Fri, 10 Jul 2009 13:14:41 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[Software]]></category> <category><![CDATA[Windows]]></category> <category><![CDATA[iclean]]></category> <category><![CDATA[malware]]></category> <category><![CDATA[malware infection]]></category> <category><![CDATA[malware removal]]></category> <category><![CDATA[portable software]]></category> <category><![CDATA[recover computer system]]></category> <category><![CDATA[remove malware]]></category> <category><![CDATA[trojan]]></category> <category><![CDATA[virus]]></category> <category><![CDATA[windows software]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=14300</guid> <description><![CDATA[The first step to recover a computer system after a malware infection is the malware removal. This is usually done by the security software that is installed on the system. Some security software programs do a great job of removing malware but fail to remove traces that the malware has left behind. That&#8217;s where IClean [...]]]></description> <content:encoded><![CDATA[<p><img
src="http://www.ghacks.net/wp-content/uploads/2009/04/microsoft_windows.jpg" alt="microsoft windows" title="microsoft windows" width="128" height="128" class="alignleft size-full wp-image-11907" />The first step to recover a computer system after a malware infection is the malware removal. This is usually done by the security software that is installed on the system. Some security software programs do a great job of removing malware but fail to remove traces that the malware has left behind. That&#8217;s where IClean comes into play, a program designed to remove the traces left by malware that has already been removed from the system.</p><p>IClean is a portable application that can be run from anywhere including a portable drive or device. The computer program will then display information about the computer system in six tabs that are accessible on top of the interface.</p><p><span
id="more-14300"></span><img
src="http://www.ghacks.net/wp-content/uploads/2009/07/malware_removal-500x316.jpg" alt="malware removal" title="malware removal" width="500" height="316" class="alignnone size-medium wp-image-14301" /></p><ul><li>Processes: Displays all running processes with the option to check processes and kill them or kill and delete them.</li><li>Services: A list of all running services with the option to delete multiple services at once.</li><li>Registry: Several security sensitive Registry settings are displayed here including programs that bypass firewall rules, toolbars and browser helper objects with the option to repair, backup and restore settings.</li><li>Startup Folders: Displays a list of startup items that are loaded during system start with the option to enable, disable or clear them.</li><li>Hosts: The Windows hosts file that is used by malware to redirect Internet traffic.</li><li>Advanced: Option to terminate a known process ID.</li></ul><p>Several of these options could come in handy after a successful malware removal on the computer system. <a
href="http://download.cnet.com/iClean/3000-2239_4-10582272.html">IClean</a> is available at the developer&#8217;s website and compatible with all Windows operating systems from Windows 98 to Windows Vista (and probably Windows 7 as well).</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2009/07/10/recover-computer-system-after-malware-infection/feed/</wfw:commentRss> <slash:comments>7</slash:comments> </item> <item><title>What You Should Do After Buying A New Computer System</title><link>http://www.ghacks.net/2009/05/20/what-you-should-do-after-buying-a-new-computer-system/</link> <comments>http://www.ghacks.net/2009/05/20/what-you-should-do-after-buying-a-new-computer-system/#comments</comments> <pubDate>Wed, 20 May 2009 08:48:15 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[antivirus software]]></category> <category><![CDATA[computer system]]></category> <category><![CDATA[laptop]]></category> <category><![CDATA[malware]]></category> <category><![CDATA[netbook]]></category> <category><![CDATA[trojan]]></category> <category><![CDATA[virus]]></category> <guid
isPermaLink="false">http://www.ghacks.net/2009/05/20/what-you-should-do-after-buying-a-new-computer-system/</guid> <description><![CDATA[Dante sent me a link to another &#8220;malware found on purchased laptop&#8221; story. The new M&#38;A Companion Touch netbook contained three pieces of malware: A USB worm, a rootkit and a World of Warcraft password stealer. These things seem to happen regularly and it is not only laptops that are affected by this. We have [...]]]></description> <content:encoded><![CDATA[<p><img
src="http://www.ghacks.net/wp-content/uploads/2009/04/microsoft_windows.jpg" alt="microsoft windows" title="microsoft windows" width="128" height="128" class="alignleft size-full wp-image-11907" />Dante sent me a <a
href="http://www.techworld.com/security/news/index.cfm?newsID=116073&#038;pagtype=all">link</a> to another &#8220;malware found on purchased laptop&#8221; story. The new M&amp;A Companion Touch netbook contained three pieces of malware: A USB worm, a rootkit and a World of Warcraft password stealer.</p><p>These things seem to happen regularly and it is not only laptops that are affected by this. We have seen malware appear virtually anywhere it can in recent years, even on music CDs from a well-known company. This leads to the interesting question of what users can do to ensure that their computer system is not already infected by malicious software.</p><p><span
id="more-12948"></span>Security companies advise scanning a newly purchased computer system thoroughly before starting to work with it. They also suggest staying offline during the procedure which can sometimes be problematic if the computer system is the only one available at hand. The virus definition files of antivirus software that is already installed on the computer system are usually outdated and might not catch the virus. The same is true for antivirus software that is purchased in stores.</p><p>Security experts therefore suggest downloading the virus definitions for the antivirus program from a different computer with Internet access. That&#8217;s problematic if there is only one computer system available. Solutions for this might be to visit friends, go to an Internet Cafe or computer shop to download it from there.</p><p>Which leads to the question: What do you do after buying a new computer system?</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2009/05/20/what-you-should-do-after-buying-a-new-computer-system/feed/</wfw:commentRss> <slash:comments>18</slash:comments> </item> <item><title>Computer Virus Effect Remover</title><link>http://www.ghacks.net/2009/01/13/computer-virus-effect-remover/</link> <comments>http://www.ghacks.net/2009/01/13/computer-virus-effect-remover/#comments</comments> <pubDate>Tue, 13 Jan 2009 21:30:49 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[Software]]></category> <category><![CDATA[Windows]]></category> <category><![CDATA[computer virus]]></category> <category><![CDATA[Computer Virus Effect Remover]]></category> <category><![CDATA[Open Source]]></category> <category><![CDATA[trojan]]></category> <category><![CDATA[trojan remover]]></category> <category><![CDATA[virus]]></category> <category><![CDATA[Virus Effect Remover]]></category> <category><![CDATA[windows software]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=9864</guid> <description><![CDATA[Computer Virus Effect Remover is a helpful software program for the Windows operating system after an infection with malicious software like a virus, trojan or worm has occurred. It can be used to remove various effects of those malicious programs. The Open Source software can aid the user in removing effects from the Windows file [...]]]></description> <content:encoded><![CDATA[<p>Computer Virus Effect Remover is a helpful software program for the Windows operating system after an infection with malicious software like a virus, trojan or worm has occurred. It can be used to remove various effects of those malicious programs.</p><p>The Open Source software can aid the user in removing effects from the Windows file system and the Windows Registry. One of the main functions of it is that it can re-enable access to the Windows Taskmanager, Registry Editor, MSconfig and the Process List.</p><p>Other options include process details that can be used to kill any running process including files that are currently in use by it. These processes and files can be added to a blacklist so that they will not be executed anymore even if they try to do so automatically.</p><p><span
id="more-9864"></span><img
src="http://www.ghacks.net/wp-content/uploads/2009/01/computer_virus_effect_remover-500x460.jpg" alt="computer virus effect remover" title="computer virus effect remover" width="500" height="460" class="alignnone size-medium wp-image-9865" /></p><p>The program provides additional options to create or restore a Registry backup, check system files and to repair AutoRun options.</p><p>Virus Effect Remover can be a helpful program to remove traces of malicious software.</p><p><a
href="http://sourceforge.net/projects/viruseffectremo/">Virus Effect Remover</a></p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2009/01/13/computer-virus-effect-remover/feed/</wfw:commentRss> <slash:comments>11</slash:comments> </item> <item><title>DLL Remover</title><link>http://www.ghacks.net/2008/07/24/dll-remover/</link> <comments>http://www.ghacks.net/2008/07/24/dll-remover/#comments</comments> <pubDate>Thu, 24 Jul 2008 14:49:07 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Software]]></category> <category><![CDATA[Windows]]></category> <category><![CDATA[dll]]></category> <category><![CDATA[remove-dll]]></category> <category><![CDATA[trojan]]></category> <category><![CDATA[virus]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=5563</guid> <description><![CDATA[UnDLL is a specific application for Windows 2000 and Windows XP that can completely remove Dynamic Link Libraries (DLLs) that are currently in use in Windows. This comes in very handy if the computer has been infected by an aggressive virus, trojan or other malicious software but also any other situation where a malicious DLL [...]]]></description> <content:encoded><![CDATA[<p>UnDLL is a specific application for Windows 2000 and Windows XP that can completely remove Dynamic Link Libraries (DLLs) that are currently in use in Windows. This comes in very handy if the computer has been infected by an aggressive virus, trojan or other malicious software but also any other situation where a malicious DLL has to be removed from the system.</p><p>The DLL Remover works by pointing the application to a DLL on the system which initiates four actions in the software. It searches for infected threads, deletes infected files, deletes entries in the Windows Registry and restarts the computer at the end to complete the operation.</p><p><span
id="more-5563"></span><img
src="http://www.ghacks.net/wp-content/uploads/2008/07/remove_dll-500x368.jpg" alt="remove dll" title="remove dll" width="500" height="368" class="size-medium wp-image-5564" /></p><p><a
href="http://www.nod32.it/tools/undll.php">UnDLL</a> (via <a
href="http://jayaprakashkv.blogspot.com/2008/07/virus-infected-dll-file-remover-from.html">Techtrends</a>) can be downloaded from the Italian ESET (Essential Security against Evolving Threats) website only.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2008/07/24/dll-remover/feed/</wfw:commentRss> <slash:comments>1</slash:comments> </item> <item><title>Overview of Online Virus Scanners</title><link>http://www.ghacks.net/2008/07/11/overview-of-online-virus-scanners/</link> <comments>http://www.ghacks.net/2008/07/11/overview-of-online-virus-scanners/#comments</comments> <pubDate>Fri, 11 Jul 2008 08:54:45 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[The Web]]></category> <category><![CDATA[Tools]]></category> <category><![CDATA[malicious software]]></category> <category><![CDATA[online scanner]]></category> <category><![CDATA[online virus scanners]]></category> <category><![CDATA[trojan]]></category> <category><![CDATA[virus]]></category> <category><![CDATA[virus scanners]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=5288</guid> <description><![CDATA[Scanning the computer from an online location provides several advantages over the classic local scan. The most prominent one is that the risk of a virus infection of the virus scanner is not present and that the engine used by the scanner is usually up to date. A local virus scanner needs to be updated [...]]]></description> <content:encoded><![CDATA[<p>Scanning the computer from an online location provides several advantages over the classic local scan. The most prominent one is that the risk of a virus infection of the virus scanner is not present and that the engine used by the scanner is usually up to date. A local virus scanner needs to be updated regularly to stay effective.</p><p>An Internet connection is needed on the other hand to perform the scan which sometimes can be a problem if the system is not booting into the operating system. A Live CD could help but many Online Virus Scanners demand the Internet Explorer which is obviously unavailable on Linux systems.</p><p>Online Virus Scanners can be used to get a &#8220;second opinion&#8221; without having to install another anti-virus software on the computer. It is probably a good idea to use as many of the virus scanners as possible if it is suspected that the system was infected by a virus. Below is a list of services that provide access to online virus scanners.</p><p><span
id="more-5288"></span><a
href="http://www.bitdefender.com/scanner/online/free.html">Bitdefender Online Scanner</a> &#8211; requires Internet Explorer 4+</p><p><a
href="http://www.eset.eu/eset-online-scanner">Eset Online Scanner</a> &#8211; requires Internet Explorer</p><p>F-Secure Online Scanner &#8211; works only with Internet Explorer 6+</p><p><a
href="http://www.kaspersky.com/virusscanner">Kaspersky Free Virus Scan</a> &#8211; browser independent, downloads roughly 25 Megabytes of files prior to scanning. User can select locations to scan. The scanner does not remove infected files.</p><p>McAfee FreeScan &#8211; requires Microsoft Internet Explorer 5.5+</p><p><a
href="http://onecare.live.com/site/en-US/default.htm">Microsoft OneCare Live</a> &#8211; requires Internet Explorer.</p><p><a
href="http://www.pandasecurity.com/homeusers/solutions/activescan/">Panda ActiveScan</a> &#8211; requires Internet Explorer or Firefox, does not run in Opera.</p><p><a
href="https://www.grc.com/x/ne.dll?bh0bkyd2">Shields Up!</a> &#8211; browser independent but very slow and unresponsive currently.</p><p><a
href="http://security.symantec.com/sscv6/WelcomePage.asp">Symantec Security Check</a> &#8211; down or gone.</p><p><a
href="http://housecall.trendmicro.com/">Trendsecure HouseCall</a> &#8211; Java based scanner, works with Java compatible browsers.</p><p><a
href="http://www.windowsecurity.com/securitytests/">Windows Security</a> &#8211; Trojan scan that requires Internet Explorer 5+</p><p><strong>File Scanners:</strong></p><p><a
href="http://onlinescan.avast.com/">Avast Online Scanner</a> &#8211; file size limit of 512 Kilobyte</p><p><a
href="http://virusscan.jotti.org/en">Virus Scan</a> &#8211; file size limit of 10 Megabyte.</p><p><a
href="http://www.virustotal.com/">Virus Total</a> &#8211; email upload option, 10 Megabyte file size limit.</p><p>Do you know any other services where users can scan files or the computer ?</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2008/07/11/overview-of-online-virus-scanners/feed/</wfw:commentRss> <slash:comments>5</slash:comments> </item> <item><title>Norton Antibot Free 1 Year License</title><link>http://www.ghacks.net/2008/03/06/norton-antibot-free-1-year-license/</link> <comments>http://www.ghacks.net/2008/03/06/norton-antibot-free-1-year-license/#comments</comments> <pubDate>Thu, 06 Mar 2008 16:01:15 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Operating Systems]]></category> <category><![CDATA[Security]]></category> <category><![CDATA[Software]]></category> <category><![CDATA[Windows]]></category> <category><![CDATA[norton]]></category> <category><![CDATA[norton antibot]]></category> <category><![CDATA[trojan]]></category> <category><![CDATA[virus]]></category> <guid
isPermaLink="false">http://www.ghacks.net/2008/03/06/norton-antibot-free-1-year-license/</guid> <description><![CDATA[I did not think that we would see more offers like the free Kaspersky or AVG on the Internet which were intended for a local audience but spread widely throughout the Internet because of information leaks. It seems that even Symantec is not protected against this kind of leak. ]]></description> <content:encoded><![CDATA[<p>I did not think that we would see more offers like the free Kaspersky or AVG on the Internet which were intended for a local audience but spread widely throughout the Internet because of information leaks. It seems that even Symantec is not protected against this kind of leak.</p><p>The offer this time was directed at the readers of the German computer magazine Computer Bild who would receive a free one year license of the software Norton AntiBot if they purchased the magazine. Unfortunately though the link to generate the serial number leaked and is now available on the Internet.</p><p>I discovered it at Raymond&#8217;s excellent blog. To receive the free one year license you need to visit this official Norton page. Enter your email address in the form field, check the Ich akzeptiere box and click on the Gratis Produktschlüssel Anfordern button which will send the serial number to the mail address that you entered in the form.</p><p><span
id="more-3438"></span>Now <a
href="http://spftrl.digitalriver.com/pub/symantec/tbyb/NAM/Norton_AntiBot_setup_en_US.exe">download</a> Norton Antibot in the meantime and activate the product with the serial number that you have received in your inbox. The serial number works with the English version &#8211; and probably every other language version &#8211; as well. The link above points to the English version of Norton Antibot.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2008/03/06/norton-antibot-free-1-year-license/feed/</wfw:commentRss> <slash:comments>16</slash:comments> </item> <item><title>Say no to Drugs Virus</title><link>http://www.ghacks.net/2008/03/02/say-no-to-drugs-virus/</link> <comments>http://www.ghacks.net/2008/03/02/say-no-to-drugs-virus/#comments</comments> <pubDate>Sun, 02 Mar 2008 14:02:44 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[say no to drugs]]></category> <category><![CDATA[Spyware]]></category> <category><![CDATA[trojan]]></category> <category><![CDATA[virus]]></category> <guid
isPermaLink="false">http://www.ghacks.net/2008/03/02/say-no-to-drugs-virus/</guid> <description><![CDATA[I received an email today from a reader who told me of a problem that he encountered lately on his computer. The message Say no to drugs appeared whenever he clicked on a shortcut to the My Documents folder. This sounded clearly like a virus and a quick search revealed that it indeed was the I Love Her virus.]]></description> <content:encoded><![CDATA[<p>I received an email today from a reader who told me of a problem that he encountered lately on his computer. The message Say no to drugs appeared whenever he clicked on a shortcut to the My Documents folder. This sounded clearly like a virus and a quick search revealed that it indeed was the I Love Her virus.</p><p>The problem with the Say no to drugs virus is that most virus scanners still do not detect it. Extensive information about this virus is available on the Precise Security website. If you suspect that your computer is infected with this virus you need to download the (free) Ewido Micro Scanner and perform a scan of your system. Remove the entries found and remove the entries of the virus as an autostart entry (<a
href="http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx" target="_blank">autoruns</a> comes in handy) and kill the tasks associated with the virus as well.</p><p>I was not able to find out if other products like Spyware Terminator or the various anti-virus applications like Antivir would be able to find and remove the Say no to Drugs virus. I was not infected with it but I guess they should be able to if you consider the fact that the removal procedure at the Precise Security website was posted in January.</p><p><span
id="more-3400"></span></p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2008/03/02/say-no-to-drugs-virus/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Bavarian Skype Trojan</title><link>http://www.ghacks.net/2008/01/26/bavarian-skype-trojan/</link> <comments>http://www.ghacks.net/2008/01/26/bavarian-skype-trojan/#comments</comments> <pubDate>Sat, 26 Jan 2008 17:03:22 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[Software]]></category> <category><![CDATA[privacy]]></category> <category><![CDATA[skype]]></category> <category><![CDATA[skype trojan]]></category> <category><![CDATA[trojan]]></category> <category><![CDATA[voip]]></category> <guid
isPermaLink="false">http://www.ghacks.net/2008/01/26/bavarian-skype-trojan/</guid> <description><![CDATA[Two, seemingly authentic, documents have been leaked to the German Pirate Party on Wednesday containing information about costs and technical information about a Skype trojan that could be used to eavesdrop on Skype communications. The documents contain indications of at least one operation of the Skype Trojan in Germany.]]></description> <content:encoded><![CDATA[<p>Two, seemingly authentic, documents have been leaked to the <a
href="http://www.piratenpartei.de/node/381">German Pirate Party</a> on Wednesday containing information about costs and technical information about a Skype trojan that could be used to eavesdrop on Skype communications. The documents contain indications of at least one operation of the Skype Trojan in Germany.</p><p>Some of the key elements of both documents were the following:</p><p>The installation of the Skype trojan could be by email or by the police in the apartment.<br
/> The software could be updated, extended and removed without leaving traces on the system.<br
/> Data would be sent through a computer located outside German jurisdiction.<br
/> Access to internal settings of the Skype client and access to SSL-encrypted websites.</p><p>The two zipped PDF documents contain information about the company that designed the Trojan, the costs of the Trojan and the federal agencies. The second document contains detailed information about the technique used to eavesdrop on communications, especially what the so called Skype Capture Unit does.</p><p><span
id="more-3008"></span>The Skype Capture Unit is installed on the client&#8217;s system, capable of recording voice and chat among other things, and directs the data to a recording server. A Recording proxy was not part of the offer but would be possible to install as well. Members of the police would be able to access the data on the recording server in real time.</p><p>The document further mentioned that Skype Capture Units were only available for Windows XP or Windows 2000 at the moment.</p><p>Besides offering the Skype Trojan Digitalk also offered Man in the Middle attacks on SSL encrypted web traffic if the client would be using Firefox or Internet Explorer.</p><p>The costs for the operations are the following:</p><p>Skype Capture Unit €3500 per month<br
/> Installation of Unit €2500 once<br
/> Man in the Middle Attack €2500 per month</p><p>You are currently safe if you use Windows Vista, Linux or have a Mac. You are safe with Opera or Safari.</p><p>The question that a lot of people in Germany are currently asking is about the low costs of the software. Some see it as an indication that there had to be an agreement to use those units on a large scale.</p><p>Before everyone else says: Yeah, that&#8217;s Bavaria, part of Germany. I live in XXX, why should I care ? I would like to point out that other countries are most likely using techniques like that as well. Or, they simply ask Skype for assistance which is possible if you read the <a
href="http://www.skype.com/intl/en-us/legal/privacy/general/">Skype Privacy Statement</a>:</p><blockquote><p>Please be informed that, notwithstanding the abovementioned, in the event of a designated authority lawfully requesting Skype or Skype&#8217;s local partner to retain and provide personal data, communications content and/or traffic data, Skype and/or its local partner will provide all reasonable assistance and information to fulfil this request.</p></blockquote> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2008/01/26/bavarian-skype-trojan/feed/</wfw:commentRss> <slash:comments>4</slash:comments> </item> <item><title>Test Avira AntiVir PersonalEdition Premium for 6 months</title><link>http://www.ghacks.net/2008/01/12/test-avira-antivir-personaledition-premium-for-6-months/</link> <comments>http://www.ghacks.net/2008/01/12/test-avira-antivir-personaledition-premium-for-6-months/#comments</comments> <pubDate>Sat, 12 Jan 2008 18:41:04 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Operating Systems]]></category> <category><![CDATA[Security]]></category> <category><![CDATA[Software]]></category> <category><![CDATA[Windows]]></category> <category><![CDATA[antivir]]></category> <category><![CDATA[antivirus]]></category> <category><![CDATA[avira]]></category> <category><![CDATA[offers]]></category> <category><![CDATA[trojan]]></category> <category><![CDATA[virus]]></category> <guid
isPermaLink="false">http://www.ghacks.net/2008/01/12/test-avira-antivir-personaledition-premium-for-6-months/</guid> <description><![CDATA[Giveaways, more giveaways and even more giveaways. Seems we can expect more free software giveaways this year. It's Avira again with a promotion to test the AntiVir PersonalEdition Premium for six months with no obligations whatsoever. All you have to do is fill out a small form and they will send you a working serial number that is valid for the next six months.]]></description> <content:encoded><![CDATA[<p>Giveaways, more giveaways and even more giveaways. Seems we can expect more free software giveaways this year. It&#8217;s Avira again with a promotion to test the AntiVir PersonalEdition Premium for six months with no obligations whatsoever. All you have to do is <a
href="http://www.avira.com/en/index">fill</a> out a small form and they will send you a working serial number that is valid for the next six months.</p><p>The premium version of AntiVir sells for €19.95 (that&#8217;s Euro) usually and adds protection against spyware, adware, POP3 email protection and fast updates through premium servers in comparison to the free version. Both versions protect against viruses, dialers, phishing, worms, trojans and rootkits.</p><p>Make sure you fill out the form above and download the Personal Edition Premium from the <a
href="http://www.avira.com">Avira</a> servers.</p><p><span
id="more-2836"></span></p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2008/01/12/test-avira-antivir-personaledition-premium-for-6-months/feed/</wfw:commentRss> <slash:comments>11</slash:comments> </item> <item><title>Why Hackers take advantage of global events</title><link>http://www.ghacks.net/2007/12/29/why-hackers-take-advantage-of-global-events/</link> <comments>http://www.ghacks.net/2007/12/29/why-hackers-take-advantage-of-global-events/#comments</comments> <pubDate>Sat, 29 Dec 2007 09:11:42 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Browsing]]></category> <category><![CDATA[Security]]></category> <category><![CDATA[anitvirus]]></category> <category><![CDATA[bhutto]]></category> <category><![CDATA[trojan]]></category> <category><![CDATA[websites]]></category> <category><![CDATA[worms]]></category> <guid
isPermaLink="false">http://www.ghacks.net/2007/12/29/why-hackers-take-advantage-of-global-events/</guid> <description><![CDATA[Hundreds of websites have been prepared or compromised to take advantage of the Benazir Bhutto Assassination in Pakistan. Users searching for news on the assassination using search engines like Google or Yahoo might land on a website that has been specially prepared to download Javascript code that in turn downloads additional malicious software to the host PC.]]></description> <content:encoded><![CDATA[<p>Hundreds of websites have been prepared or compromised to take advantage of the Benazir Bhutto Assassination in Pakistan. Users searching for news on the assassination using search engines like Google or Yahoo might land on a website that has been specially prepared to download Javascript code that in turn downloads additional malicious software to the host PC.</p><p>The discovery was first reported by Websense on their website and several anti-virus applications have already been updated to counter this attack.</p><p>The interesting aspect in my opinion is that hackers are very quick to react to global events that trigger lots of searches for a specific subject in a short time. It took them less than 24 hours to prepare hundreds of websites with the malicious Javascript code and make it into the top 10 for several related search terms.</p><p><span
id="more-2670"></span>The Why is obvious. There is always a massive increase in searches when events that are of global interest happen. This can be assassinations, wars or catastrophes for example. The more users search for a subject the higher the chance that they will land on a prepared website.</p><p><strong>Protecting yourself:</strong></p><p>Here are some thoughts on how to protect your computer from falling into this trap.</p><ul><li>Use the excellent Firefox add-on NoScript which disables Javascript on all websites except on those that you whitelist.</li><li>Visit trustworthy news websites only. The problem here is that you might miss good articles written by bloggers or new websites who rank highly on a subject. If you have to visit those sites be prepared. Turn off Javascript and other scripting languages before you visit those sites.</li><li>Keep your operating system updated. This is one of the most important rules. Update your system with the latest security patches</li><li>Don&#8217;t use Internet Explorer. Switch to another browser for increased security</li><li>Don&#8217;t log into Windows as an administrator</li></ul><p>Can you think of anything else ?
You could use a virtual PC or a tool like Sandboxie whenever you surf the Internet.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2007/12/29/why-hackers-take-advantage-of-global-events/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Infected or Not: Is your PC Infected ?</title><link>http://www.ghacks.net/2007/12/08/infected-or-not-is-your-pc-infected/</link> <comments>http://www.ghacks.net/2007/12/08/infected-or-not-is-your-pc-infected/#comments</comments> <pubDate>Sat, 08 Dec 2007 09:44:27 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[Spyware]]></category> <category><![CDATA[The Web]]></category> <category><![CDATA[anitvirus]]></category> <category><![CDATA[security-scan]]></category> <category><![CDATA[trojan]]></category> <category><![CDATA[virus-scanner]]></category> <guid
isPermaLink="false">http://www.ghacks.net/2007/12/08/infected-or-not-is-your-pc-infected/</guid> <description><![CDATA[I'm not that fond of online virus scanners because they always need special file access privileges and scan your files which could be a privacy issue as well. Infected or Not from Panda Antivirus however caught my attention by providing interesting statistics about infected computers on a worldwide and countrywide scale. ]]></description> <content:encoded><![CDATA[<p>I&#8217;m not that fond of online virus scanners because they always need special file access privileges and scan your files which could be a privacy issue as well. Infected or Not from Panda Antivirus however caught my attention by providing interesting statistics about infected computers on a worldwide and countrywide scale.</p><p>According to their statistics, which are updated when scanning computers, 10.90% of all PCs scanned were infected. PCs with Antivirus installed had an infection rate of 8.62% while PCs without Antivirus were infected 14.56% of the time.</p><p><a
href="http://www.pandasecurity.com/infected_or_not/us/">Infected or Not</a> displays the rate of infected PCs using a Google Maps mashup. France for instance is the country in Europe with the highest amount of infected PCs (16.41%) while Sweden (4.17%) and Germany (5.33%) have the least amount of infections. The United States has an infection rate of 10.34 btw.</p><p><span
id="more-2463"></span><img
src='http://www.ghacks.net/wp-content/uploads/2007/12/infection-map.jpg' alt='pc worldwide virus infection map' /></p><p>The scan works with Firefox after installing an add-on which can only be uninstalled from the default installation location which is at C:\Program Files\Panda Security\NanoScan. Execute the file nanounst.exe to uninstall it again.</p><p>Antivir reported a trojan during installation and execution which can be considered a false positive. In case you are wondering why I have Antivir installed, I did not test this from my main computer.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2007/12/08/infected-or-not-is-your-pc-infected/feed/</wfw:commentRss> <slash:comments>5</slash:comments> </item> <item><title>Melissa Strip Captcha Breaker Trojan</title><link>http://www.ghacks.net/2007/12/07/melissa-strip-captcha-breaker-trojan/</link> <comments>http://www.ghacks.net/2007/12/07/melissa-strip-captcha-breaker-trojan/#comments</comments> <pubDate>Fri, 07 Dec 2007 13:00:36 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[Spyware]]></category> <category><![CDATA[captcha]]></category> <category><![CDATA[microsoft security]]></category> <category><![CDATA[trojan]]></category> <category><![CDATA[virus]]></category> <guid
isPermaLink="false">http://www.ghacks.net/2007/12/07/melissa-strip-captcha-breaker-trojan/</guid> <description><![CDATA[I bet you have never seen such a tempting Trojan before. The Trojan named Melissa Strip, identified as TROJ_CAPTCHAR.A by TrendMicro and Trj/RompeCaptchas.A by Panda, starts by asking the user if he wants to play a game where she (Melissa) will strip for the user if he enters the correct code. ]]></description> <content:encoded><![CDATA[<p>I bet you have never seen such a tempting Trojan before. The Trojan named Melissa Strip, identified as TROJ_CAPTCHAR.A by TrendMicro and Trj/RompeCaptchas.A by Panda, starts by asking the user if he wants to play a game where she (Melissa) will strip for the user if he enters the correct code.</p><p>After clicking Start Play, the image of a woman on the left side and a captcha on the right are displayed. The program asks the user to enter the captcha to see another picture of the woman with fewer clothes on. After entering the captcha correctly and clicking on enter, the Trojan loads another picture and captcha, asking the user again to type the correct code to see Melissa strip even more.</p><p>You might have already guessed that the captcha is actually the captcha of another website, Yahoo for instance, and the Trojan uses the help of users to enter those captchas correctly on those websites. Captchas are used to tell human users and bots apart and make it more difficult to create automatic processes to sign up or submit data.</p><p><span
id="more-2448"></span><img
src='http://www.ghacks.net/wp-content/uploads/2007/12/melissa1.jpg' alt='melissa strip 1' /></p><p>The Trojan does not seem to cause harm on the user&#8217;s system. It simply uses him to create correct responses to captcha codes that are used to create accounts on websites like Yahoo Mail.</p><p><img
src='http://www.ghacks.net/wp-content/uploads/2007/12/melissa2.jpg' alt='melissa strip 2' /></p><p>Trend Micro reports that the Trojan most likely arrives as a file downloaded by other malware on the system. It could also be sent as an email attachment.</p><p><img
src='http://www.ghacks.net/wp-content/uploads/2007/12/melissa3.jpg' alt='melissa strip 3' /></p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2007/12/07/melissa-strip-captcha-breaker-trojan/feed/</wfw:commentRss> <slash:comments>4</slash:comments> </item> <item><title>Can&#8217;t delete virus ? Try Killbox</title><link>http://www.ghacks.net/2007/03/13/cant-delete-virus-try-killbox/</link> <comments>http://www.ghacks.net/2007/03/13/cant-delete-virus-try-killbox/#comments</comments> <pubDate>Tue, 13 Mar 2007 21:06:41 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[Tools]]></category> <category><![CDATA[delete-files-in-use]]></category> <category><![CDATA[delete-virus]]></category> <category><![CDATA[how-to-delete-virus]]></category> <category><![CDATA[scanner]]></category> <category><![CDATA[trojan]]></category> <category><![CDATA[unlock-file]]></category> <category><![CDATA[virus]]></category> <guid
isPermaLink="false">http://www.ghacks.net/2007/03/13/cant-delete-virus-try-killbox/</guid> <description><![CDATA[You might have come upon this problem during scans for viruses and Trojans on your system. A malicious file was identified by your favorite virus scanner and it prompts for action. You can delete, move, rename or move the file into quarantine. It is however not possible to delete malicious files when you choose to delete them because they are currently in use and therefore can't be deleted.]]></description> <content:encoded><![CDATA[<p>You might have come upon this problem during scans for viruses and Trojans on your system. A malicious file was identified by your favorite virus scanner and it prompts for action. You can delete, move, rename or move the file into quarantine. It is however not possible to delete malicious files when you choose to delete them because they are currently in use and therefore can&#8217;t be deleted.</p><p>One way to cope with the situation would be to use the freeware <a
href="http://www.majorgeeks.com/Pocket_KillBox_d4709.html" target="_blank">Pocket Killbox</a> which deletes selected files before the next system start. Simply start Pocket Killbox and navigate to the file that was identified as a virus. Select delete on reboot and hit the red X icon on the upper right corner of Pocket Killbox. It will prompt for a reboot, select yes and the virus should be automatically deleted during startup.</p><p><span
id="more-1300"></span> Just perform a second scan to make sure the virus was really deleted by Pocket Killbox. Another way would be to use the great free program Unlocker which will kill every process that is keeping the file busy. This would mean that you can delete the file in Windows directly without rebooting your computer. It might however have problems with some special system files that have been infected.</p><p>Just try both methods and start with Unlocker. Reference to Pocket Killbox first seen on <a
href="http://www.technibble.com/delete-those-undeletable-viruses-with-our-killbox-tutorial/" target="_blank">Technibble</a>.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2007/03/13/cant-delete-virus-try-killbox/feed/</wfw:commentRss> <slash:comments>3</slash:comments> </item> </channel> </rss>
