Mac OS X Trojan catches Sophos’ eye

Two very recent article point out what most security people know and the rest should knowNO technology, especially computers connected to any network, are completely secure!

An article here points this out:

"It appears there is a new backdoor Trojan in town and it targets users of Mac OS X. As even the malware itself admits, it is not yet finished, but it could be indicative of more underground programmers taking note of Apple’s increasing market share."

And from another one here:

"More than half of Americans believe that PCs are "very" or "extremely" vulnerable to cybercrime attacks, while only 20 percent say the same about Macs, according to this ESET survey.
(Credit: ESET)"

ESET released the results of a survey in November related to awareness of cybercrime in the U.S. The survey of more than 1,000 people found that while both PC and Mac users perceive the Mac as being safer, Mac users are victims of cybercrime just as frequently as PC users.

Meanwhile, Mac users are just as vulnerable to Web-based attacks like phishing as PC users are, and Mac users who fall prey to phishing tend to lose more money on average than PC users do, the survey found. "Viruses are a diminishing percentage of what we’re seeing," said Randy Adams, director of technical education at ESET. "A lot of attacks have to do with social engineering and that kind of attack is platform agnostic."

Please folks, practice safe computing practices. I’ve written extensively on that so I won’t go into that here, just search my blog(s) for security items.

For those of you that are interested in an antivirus product for Mac Eset makes a fantastic one. You can check it out here.

By the way Eset’s products are top notch! If I were to buy a security solution it would be theirs.

Keep safe folks.

Anti Virus/Anti Spyware Suite Shootout Results

Here are the results of a very well done study on the effectiveness of current anti-virus/anti-spyware suites.
Review of the review here.
The top of the current list is Nortons latest suite.
They did not test Microsoft’s new/updated foray into this arena – their Freeware solution;
Microsof Security Essentials.
As I have mentioned previously I have been a fan of Norton for a while. They have done a good job of reducing the memory and process footprint compared to previous editions.
I am however very impressed with Microsoft’s Security Essentials application.
I recently had a collegue who’s systems was infected and Norton AND Trend Micro could not effect a solution.
But Security Essentials DID!
I think it is a good free solution and worth checking out.
Keep safe out there.

Bogus and Malicious emails

Here is a reminder.

Let’s all keep ourselve and our data and systems safe.
I have just recently seen numerous emails comming in supposedly from UPS containing trojan/infected files!!
If you are not expecting and ‘EXPLICIT’ file in an email from a TRUSTED person.

DO NOT OPEN/RUN OR DOWNLOAD IT!!
Info on some here.

Legitimate vendors – eBay, ups, fed-ex amazon etc. will send you notice that you have invoices, receipts, shipping info etc. ready for you viewing.

BUT do not click on links provided in emails requesting personal information – they can contain links to bogus/phishishing sites! [sites that mask as legitimate but instead ‘steal/get you to give them your personal information]

If the email is from a true valid vendor you should be able to go to the appropriate vendor site by typing in the web address into your web browser and logging into your account and checking ‘messages/status etc.

I have spent a lot of time recently cleaning up systems that people inadvertently infected with spy ware/malware. And by trying to ‘fix’ the problem by themselves many of these folks have only infected/wrecked their machines more dramatically.

There are LOADS of malicious emails out there claiming to be ‘security updates/upgrades’ or Outlook system updates etc. that are cleverly (dastardly actually) masked (spoofed) as comming from within your organization, or some other trusted entity (often Microsoft).

Here is a good article on what some of these look like. Here is another. And still another.
You get the idea I hope.
They vary but the result is the same – you infect your system and your entire network with a ‘backdoor’ trojan.
These types of emails are very dangerous ‘phishin’ attacks designed to place a trojan silently onto your machine.

Once again please NEVER click on a link with in an email! From anyone.

The safest thing to do is call the person suposedly sending the email and verify it’s validity, or simply type the address directly into your browser.

As always I hope that any of you who read this have current Antivirus and Anti spyware software installed and most importantly keep them updated daily. And have them currently running.
While there may be advertisements listed on my site for anti-spyware and anti-virus protection, I can’t always control who or what they are for. I can however, recommend the links below.
My recomendations are as follows:

For a very, very good Antivirus and spyware solution (and free at that):

http://free-antivirus.eeye.com/

Their solution – Blink is fantastic.

You may also have Symantec/Norton, McAfee or AVG installed – Great!! but is it updated daily?

http://www.symantec.com/business/security_response/definitions.jsp

http://us.mcafee.com/virusInfo/default.asp?cid=45702

http://www.grisoft.com/us.download-update

Another super free and great anti-spyware is Spybot Search and Destroy (Spybot S&D;).

I have used this to successfully fix/repair dozens of machines.

Beware though there are many ‘bogus/extortion’ appliations that are trying to trade off the ‘Spybot’ name.

The home to the one and only freeware SpyBot Search & Destroy is:
http://www.safer-networking.org/en/spybotsd/index.html

And a very highly rated anti-spyware package by PCWeek is Spyware Doctor. Not free but worth the price:
http://www.pctools.com/spyware-doctor-antivirus/

Conflicker Protection

The hype and realities of the Conlicker Worm.

Yes folks, this is very dangerous worm. In fact Microsoft is offering a bounty for the capture and prosecution of the author!
But once again it’s spread is caused by all the usual suspects – un-patched systems, out of date Antivirus and Antispyware software and POOR computing practices. The hype regarding the ‘Conflicker’ worm is real. But can be mitigated with a few prudent actions.
Here are all of the tasks that should be done. And when I say all, I mean ALL. Not doing one or two will leave you open to attack.

Disable ‘Autorun’For XP, 2003, Vista and Win2000.
One of the first things I do on every system I build or manage, for over 14 years, is to disable autorun, and you should too. Microsoft has some simple ‘patches’ and instructions here:
http://support.microsoft.com/kb/953252

Make sure your antivirus is up to date – run a live update DAILY.
Run a full scan NOW and at least once a week.

Make sure your anti-spyware application is up to date – run a live update DAILY.
And run a full scan NOW and at least once a week.

Make sure your Windows is up to date – run windows update at least WEEKLY (Tuesdays are the day MS releases updates)
Download and install/run the latest MS Malicious Software Removal tool RIGHT NOW!!!!:
http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang;=en

Use CCleaner http://www.filehippo.com/download_ccleaner/download/86e6a458e780243c3a944b66ec60b319/

to clean out temporary files at least once everyday.
I run it EVERYTIME I close my browser!

Never, ever install ‘special viewers/browser helper objects’. By that I mean if a site tells you you have to download/install a plug-in to ‘view/watch’ a particular file – YOU DON’T NEED IT!

And finally make sure you change your passwords regularly, and make sure they are ‘secure’; containing upper and lower case letters, numbers and symbols.

After you have done all of the above check out Microsoft’s Conflicker page for some more great information.
http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx

If you follow these steps you should be OK.
Remember most ‘hacks’ happen because of user actions – being tricked/suckered into installing the trojan or by users not keeping their protection software and operating system up to date.
Don’t become a statistic.

Good luck and safe computing.
Peace.

Let’s Kill Some Spyware!!

I recently had to help some people remove some serious spyware/malware/virii.
No normally if I can’t ‘kill’ the bad stuff fairly quickly. I will simply get the persons ‘data’ – documents, pics, music etc. – off the machine and then delete the partitions. wipe the drives, re-format and re-install the operatiing system clean.
But sometimes in a business situation this is not always possible.
Or sometimes all the needed applications are not available for ‘re-install’
For this you must try and ‘save’ your system without the ‘nuclear option’.
So here is one of the best methods I use on a ‘running’ active system.
Read all the instructions and download ALL of the suggested applications from a ‘non-infected’ machine 1st.
Then place them on a portable drive – usb or a directory on the infected system [c:\killmalwareapps or something]
Ok let’s start.
1st on the infected machine delete the ‘hosts’ and ‘lmhost’ files.
They will be located in the c:\windows\system32\drivers\etc folder.
[Possibly c:\winnt\system32\drivers\etc]
First try an online scan from Trend Micro.
To do this safely – using an ‘external non-infected browser’ you need to run ‘Firefox portable’ off USB drive.
This will allow a ‘clean run’ of a browser for a live malware/spyware scan:
How To:
The article here:
http://firefox-fangirl.livejournal.com/1977.html
explains how to download the latest portable Firefox builds and how to correctly install it as a ‘portable app’ on a separate folder or usb drive. I ‘install’ it to a directory called ‘portablefirefox’ and then I copy that to my USB drive.

Then go to Trend Micro USING THE PORTABLE FIREFOX and run their housecall application and run a scan:
http://housecall65.trendmicro.com/
Make sure you do NOT use any browser installed on the infected system!!!
Use the ‘Firefox Portable’ application to get to the web.

Other tools to have on hand (on your usb drive) before starting.
From Sysinterals
http://technet.microsoft.com/en-us/sysinternals/default.aspx

Get the following apps. Download on clean system and transfer to usb.
Autoruns – Finds all the crap actually loading at startup.
You will finds all kinds of ‘crap’ that shouldn’t be there.
http://download.sysinternals.com/Files/Autoruns.zip
Extract and run this to show EVERYTHING that is loaded at start up.
This includes applications, scripts, drivers, active X controls, dll’s and more.

Process Explorer
http://download.sysinternals.com/Files/ProcessExplorer.zip
This helps find unwanted running strigs and helps in there termination.
Run the application to see every currently running process/application on your system.

You will often need some or all of the following applications to ‘kill’ bad processes.
That is, malicious programs that are running ‘un-authorized’ processes.

unlocker
http://ccollomb.free.fr/unlocker/

wholockme
http://www.dr-hoiby.com/WhoLockMe/

file assassin
http://www.malwarebytes.org/fileassassin.php

A great spyware finder:

spybot s&d;
http://www.safer-networking.org/en/spybotsd/index.html
I install this as my online scan is running (if possible).
Don’t confuse this application with other that are trading on the ‘Spybot’ name and are in and of themselves ACTUALLY spyware. The one and only original FREEWARE application is here.
http://www.spybotupdates.biz/files/spybotsd162.exe

Remember to have all these files already downloaded and copied to your portable drive.

And to assist in cleaning our all ‘temp’ type files:
CCleaner
Especially usefull if there is an ‘unseen’ internet app (ie or firefox) downloading malware in the background continually
I will run this over and over while running spybot scans.

http://www.filehippo.com/download_ccleaner/download/d1565b7fb77b48a3692a199d871845fd/

Anyhow this is just a quick but I think fairly thorough way of cleaning an infected system if you don’t have a ‘Live’ type of utility or rescue disk available such as UBCD (ultimate boot cd), Hiren’s, or a custom Bart PE disk.