Tag: Malware

Google launches phishing blacklist api

I see on the Google Security Blog that Google have launched a Safe Browsing API. In other words, Google are making their dynamic blacklist of phishing and malware sites available so ISPs and web app coders can check against it.

This should help ensure unwitting users are notified before they browse to unsafe sites and submit their confidential information.

Google are actively encouraging third-party participation –

Sign up for a key and let us know how we can make the API better. We fully expect to iterate on the design and improve the data behind the API, and we’ll be paying close attention to your feedback as we do that. We look forward to hearing your thoughts.

Great idea guys.

Users are 'stupid' – Microsoft

I wrote a post over a year ago about how I deal with PCs which have become infected with malware (viruses/trojans/worms/rootkits, etc.):

what I do, is to re-install the OS – more often recently it is XP, turn off System Restore, install XP SP2, Microsoft Anti Spyware, Spybot, Adaware, and AVG… or consider formatting the PC.

It seems that I was on the money with that advice – eWeek are reporting today that Mike Danseglio, program manager in the Security Solutions group at Microsoft, said at an InfoSec conference in Florida yesterday:

When you are dealing with rootkits and some advanced spyware programs, the only solution is to rebuild from scratch. In some cases, there really is no way to recover without nuking the systems from orbit

Malware is becoming more difficult to detect because malware writing has become a big business. The people who write these programs now do so for profit: they write code that lets them use infected machines (to send spam, for instance) and sell that capacity to anyone who wants to use infected machines. The more machines they control, the more money they can make, so it is in the malware writer’s interest that the malware be as unobtrusive and as difficult to detect as possible.

Danseglio said:

We’ve seen the self-healing malware that actually detects that you’re trying to get rid of it. You remove it, and the next time you look in that directory, it’s sitting there. It can simply reinstall itself,

This is similar to my observation that malware can hide in the System Restore volume and re-install itself after a scan is run.

The one place where Danseglio and I disagree fundamentally is in the apportioning of blame. Danseglio said:

Social engineering is a very, very effective technique. We have statistics that show significant infection rates for the social engineering malware. Phishing is a major problem because there really is no patch for human stupidity

Personally, I believe that if the software allows people to be fooled into clicking on a phishing link (and some of the phishing emails I have received have been extremely convincing), then it is the software which is stupid and not the user.

Blogs used to infect PCs with spyware and malware

I note a story on the BBC Technology site which says Spyware and Malware authors have copped on to the popularity of blogs and are now using them as vectors to host spyware and malware to infect people lured to the blog.

I’m surprised it took so long for them to come up with this.

Of course I can be smug – I use a Mac so I don’t have to worry about Spyware and Malware!

How to rid a PC of viruses and malware

My parents have asked me to look at their neighbour’s PC – it has started ‘acting funny’ and “they think it might have a virus”, I was told.

“Uh oh”, I thought. Here we go again. If you are the local IT guru you know this feeling well. And, is it just me or is it becoming more frequent?

I have developed a routine for dealing with these PCs now – inevitably the “it may have a virus” turns out to be tens if not hundreds of viruses, trojans, worms and spyware all combining to grind the PC to a halt. So, what I do, is to re-install the OS – more often recently it is XP, turn off System Restore, install XP SP2, Microsoft Anti Spyware, Spybot, Adaware, and AVG.

The reason for disabling System Restore is that many of the more recent viruses, etc. keep a copy of themselves in the System Restore store (the System Volume Information folder on each drive). Anti-virus scanners can see files in there but cannot delete them while System Restore is running, so the copy survives the scan and is restored afterwards. Turning System Restore off also discards the existing restore points, which is exactly what you want on a PC you are rebuilding anyway.

Once all the above software is installed (copied over from CD or another offline medium, since the PC should stay off the network until the scanners have run) and has scanned and cleaned the PC, then, and only then, connect the PC to the Internet and do a Windows Update, installing all available updates. Finally, connect to and install Trend Micro’s HouseCall online anti-virus scanner. Run this scan on the PC, disconnect from the Internet and scan once more with all the previous tools, making sure every scan comes up clean again. If they don’t, keep repeating until they do, or consider formatting the PC.

Be sure to set the Windows Updates to update automatically through the Security Center (sic).

Install Firefox and Thunderbird and set them to be the default browser and default mail client respectively, removing the desktop shortcuts for Internet Explorer.

Finally, on returning the PC, you need to inform the owner of all the changes that have been made to the PC and be sure to let him/her know that these measures will only keep the PC secure for 6-9 months maximum.

It is at this point that you need to tell them that if they want to stay uninfected going forward, they’d be far better off getting a Mac!

irc/backdoor.sdbot in Win XP Home

A friend’s pc was infected with the irc/backdoor.sdbot trojan recently and I cleaned it out – eventually.

This is a tricky little trojan which hides in the System Volume Information folder (where the System Restore data is held) as well as in the Windows/Winnt folder.

Killing the trojan with anti-virus software only gets rid of it until the next restart. The way to get rid of this one is to stop the System Restore service: open the Services MMC in the Administrative Tools folder, right-click the System Restore service and select Stop.

Having stopped the System Restore service, it is now possible to kill this trojan permanently using your favourite anti-virus software, or preferably a combination of AV products. In this case, I used AVG and Stinger to be sure all infections were gone.

Don’t forget to re-start this service once you are done!
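A scripted version of the System Restore step used in this post and in the virus-cleaning routine above, as an added example rather than anything from the original posts. It assumes Windows XP with PowerShell installed and an Administrator session; the service name `srservice`, the `DisableSR`/`DisableConfig` policy values, the `System Volume Information` path and the `cacls` call are the XP-era names, and the functions themselves are illustrative and not from any tool mentioned on the page.

```powershell
# Added example (not from the original posts). Assumes Windows XP with
# PowerShell installed, run from an Administrator session.
# 'srservice' is the XP System Restore service; DisableSR/DisableConfig are the
# policy values that keep it off across the reboots a clean-up needs.
$srService = 'srservice'
$srPolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
$srStore   = Join-Path $env:SystemDrive 'System Volume Information'

function Disable-SystemRestore {
    # Stop the service first: while it runs, files under the restore-point store
    # are protected and a scanner cannot remove what it finds there.
    Stop-Service -Name $srService -Force -ErrorAction SilentlyContinue
    Set-Service  -Name $srService -StartupType Disabled
    if (-not (Test-Path $srPolicy)) { New-Item -Path $srPolicy -Force | Out-Null }
    Set-ItemProperty -Path $srPolicy -Name DisableSR     -Value 1 -Type DWord
    Set-ItemProperty -Path $srPolicy -Name DisableConfig -Value 1 -Type DWord
}

function Get-RestorePointFiles {
    # List what is sitting inside the restore-point store so the scanner's
    # "found but cannot delete" hits can be checked by hand. The folder is
    # ACL'd to SYSTEM only; grant Administrators access with cacls (built into XP).
    cacls $srStore /E /G Administrators:F | Out-Null
    Get-ChildItem -Path $srStore -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Select-Object FullName, Length, LastWriteTime
}

function Enable-SystemRestore {
    # Reverse of Disable-SystemRestore; run once every scan comes back clean.
    Remove-ItemProperty -Path $srPolicy -Name DisableSR     -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $srPolicy -Name DisableConfig -ErrorAction SilentlyContinue
    Set-Service   -Name $srService -StartupType Automatic
    Start-Service -Name $srService
}

# Typical order for the clean-up described in the posts:
Disable-SystemRestore
Get-RestorePointFiles | Format-Table -AutoSize   # run the AV scanners at this point
# Enable-SystemRestore                            # only after the last scan is clean
```

Stopping and disabling the service is what lets the scanners delete inside the restore-point store; the script does not itself purge old restore points, so if you want them gone as well, turn System Restore off once in System Properties (which deletes them) before running the scans, then re-enable it at the end as the post says.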

Security center could not change your automatic updates settings

I was working on a friend’s PC the other day. It had Windows XP Home on it and several viruses! After cleaning out the viruses, I updated the PC to XP SP2 to get the security advantages that the service pack confers.

However, on re-starting the PC after the install, the Security Centre gave a warning that Automatic Updates were not turned on. On attempting to turn it on from the Security Centre, I got the error message “The security center could not change your automatic updates settings”.

I tried changing the Automatic Update settings through the Control Panel but according to the Control Panel, the Updates were turned on! However, every time I re-started or logged in again, I got the warning “Your computer may be at risk”.

Resolution:

I did a Google search on this error and found a resolution on Google Groups – after registering the DLLs in this thread, I closed and re-opened the Security Centre and the Automatic Updates showed as being on.
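A quick way to see what Automatic Updates and Security Center actually think the state is, before going down the DLL re-registration road, as an added example that is not from the original post. It assumes Windows XP SP2 with PowerShell installed; the registry paths, the `AUOptions` meanings and the `wuauserv`/`wscsvc` service names are those of the XP-era client, and the function name is my own.

```powershell
# Added example (not from the original post). Assumes Windows XP SP2 with
# PowerShell installed; paths and AUOptions values are those of the XP-era
# Automatic Updates client and Security Center.
function Get-AutoUpdateState {
    $auKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $auPol  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $wscKey = 'HKLM:\SOFTWARE\Microsoft\Security Center'
    $meaning = @{ 1 = 'Disabled'
                  2 = 'Notify before download'
                  3 = 'Download, notify before install'
                  4 = 'Download and install on schedule' }

    # Control Panel writes to $auKey; a policy under $auPol overrides it.
    # Security Center only reports Automatic Updates as ON for option 4.
    $opt = (Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue).AUOptions
    $pol = Get-ItemProperty -Path $auPol -ErrorAction SilentlyContinue
    if ($pol -and $pol.AUOptions)          { $opt = $pol.AUOptions }
    if ($pol -and $pol.NoAutoUpdate -eq 1) { $opt = 1 }

    # Security Center raises "Your computer may be at risk" through wscsvc;
    # Automatic Updates itself is wuauserv. Both need to be running.
    $svc = foreach ($name in 'wuauserv', 'wscsvc') {
        $s = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($s) { '{0}={1}' -f $name, $s.Status } else { '{0}=missing' -f $name }
    }

    # 1 here means someone silenced the warning rather than fixed the setting.
    $muted = (Get-ItemProperty -Path $wscKey -ErrorAction SilentlyContinue).UpdatesDisableNotify

    @{
        AUOptions    = $opt
        Meaning      = $(if ($opt) { $meaning[[int]$opt] } else { 'not set' })
        Services     = $svc -join ', '
        WarningMuted = ($muted -eq 1)
    }
}

Get-AutoUpdateState
```

If `AUOptions` is 4 and both services show `Running` yet Security Centre still says updates are off, the problem is on the Security Centre side (the COM/WMI plumbing it reads through), which is the situation the DLL re-registration in the thread above addresses.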