Friday, May 29, 2009

Experts: Gumblar attack is alive, worse than Conficker

The previously mentioned Gumblar virus is still running rampant, and worse than ever. Friendly Computers found some useful information about how the virus spreads and how to determine if your machine has been infected. Read more below…

Gumblar, a new attack that compromises Web sites, has added new domain names that are downloading malware onto unsuspecting computers, stealing FTP credentials to compromise more sites, and tampering with Web traffic, a security firm said on Thursday.

The Gumblar attack started in March with Web sites being compromised and attack code hidden on them. The malware downloaded onto those sites came from the gumblar.cn domain, a Chinese domain associated with Russian and Latvian IP addresses that were delivering code from servers in the U.K., ScanSafe said last week.

As Web site operators cleaned up their sites, the attackers replaced the original malicious code with dynamically generated and obfuscated JavaScript, making it difficult for security tools to identify. Attackers also changed the domain to martuz.cn, but now both domains have been shut down, according to ScanSafe.

Because the attackers made changes to the configurations of servers hosting compromised Web sites, they are able to continue controlling them and adding new domains for downloading exploit code onto the computers of visitors to the sites, Mary Landesman, a senior security researcher at ScanSafe, said on Friday. "At some point these attacks (on Web sites) will start again," she said.

Gumblar is building two botnets simultaneously--the botnet of compromised Web sites and a botnet of infected PCs, she said.

Visitors to those compromised sites, if they have JavaScript enabled, are then compromised and join the PC botnet, she said.

The malicious script that is downloaded onto the PCs from a gumblar domain attempts to load exploit code that does several things, according to Landesman. The code automatically opens PDF and Flash files and attempts to exploit vulnerabilities in Adobe's Acrobat Reader and Flash Player. It also injects itself into the Internet Explorer browser and starts intercepting all of the computer's Web traffic, replacing legitimate links in Google search results with links to sites the attackers want the user to visit, she said. Finally, the code steals FTP credentials stored on the computer that can be used to compromise additional Web sites the user may manage.

"It is targeting IE users and Google searches," Landesman said.

The malware targeting the PCs is coming from sites including liteautotop.cn and autobestwestern.cn, among others, according to ScanSafe.

Gumblar was responsible for 37 percent of all malware blocked by ScanSafe during the first two weeks in May and the number of sites compromised grew by more than 3,000 during that same time period, ScanSafe said. It's unclear how many Web sites total it has compromised, but Landesman said it could be in the "high tens of thousands."

The number of individual PCs compromised by Gumblar is also a mystery; however, that number is likely very high too, given that antivirus software in general does a very poor job of detecting Gumblar malware, she said.

ScanSafe contends that Gumblar's behavior is more intrusive than that of Conficker, a worm that spreads via a hole in Windows as well as through removable storage devices and network shares with weak passwords, and that disables security software and installs fake antivirus software.

In addition, Gumblar has extended its propagation capability, ScanSafe said. Once a Conficker infection is remediated, there is no further spread of the worm. However, Gumblar can use the FTP credentials it steals to compromise even more Web sites, potentially exposing many more victims.

To find out if a computer is infected:

1) Locate sqlsodbc.chm in the Windows system folder (by default under Windows XP, the location is C:\Windows\System32\);

2) Obtain the SHA1 of the installed sqlsodbc.chm. FileAlyzer is a free tool that can be used to obtain the SHA1 of a file;

3) Compare the obtained SHA1 to the list located on the ScanSafe STAT Blog;

4) If the SHA1 and corresponding file size do not match a pair on the reference list, it could be an indication of a Gumblar infection.
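The four steps above as a script (an added example, not code from the article or from ScanSafe): it computes the SHA1 and size of sqlsodbc.chm and checks the pair against a reference list, where both values must match the same entry. The real reference pairs are not reproduced on this page, so the list below is a labelled placeholder, and the one-pair-per-line text format read by parse_reference_list is an assumption.

```python
"""sqlsodbc.chm integrity check: compare (SHA1, size) against known-good pairs."""
import hashlib
import os
import sys

# Default location on Windows XP, as given in the article. %SystemRoot% is
# used so the path also resolves when Windows is not installed under C:\Windows.
DEFAULT_PATH = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                            "System32", "sqlsodbc.chm")

# PLACEHOLDER reference list (constructed for this example, NOT the real
# ScanSafe values). Replace with the (sha1_hex, size_in_bytes) pairs published
# on the ScanSafe STAT Blog before relying on the verdict.
REFERENCE_PAIRS = frozenset({
    ("0000000000000000000000000000000000000000", 0),  # placeholder entry
})


def parse_reference_list(text):
    """Parse a reference list in an assumed text format: one '<sha1> <size>' pair
    per line, blank lines and '#' comments ignored, hex case-insensitive."""
    pairs = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        sha1_hex, size = line.split()
        pairs.add((sha1_hex.lower(), int(size)))
    return frozenset(pairs)


def fingerprint_bytes(data):
    """Return (sha1 hex digest, length) for an in-memory file image."""
    return hashlib.sha1(data).hexdigest(), len(data)


def fingerprint_file(path, chunk_size=1 << 16):
    """Return (sha1 hex digest, size) for the file at `path`, read in chunks
    so large files are not loaded into memory at once."""
    digest = hashlib.sha1()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
            size += len(chunk)
    return digest.hexdigest(), size


def classify(fingerprint, reference=REFERENCE_PAIRS):
    """Return 'known-good' when the (sha1, size) pair matches one reference
    entry exactly, else 'unknown'. A matching hash with a different size (or
    vice versa) is still 'unknown': the article's check requires both to match.
    'unknown' is only an indication of infection, not proof."""
    sha1_hex, size = fingerprint
    return "known-good" if (sha1_hex.lower(), size) in reference else "unknown"


def main(path=DEFAULT_PATH, reference=REFERENCE_PAIRS):
    """Fingerprint the file at `path`, print the verdict and return an exit code
    (0 known-good, 1 unknown, 2 file unreadable)."""
    try:
        fp = fingerprint_file(path)
    except OSError as exc:
        print(f"cannot read {path}: {exc}")
        return 2
    verdict = classify(fp, reference)
    print(f"{path}\n  SHA1: {fp[0]}\n  size: {fp[1]} bytes\n  verdict: {verdict}")
    return 0 if verdict == "known-good" else 1


if __name__ == "__main__":
    # Optional arguments: path to the file, then path to a reference list file.
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_PATH
    ref = REFERENCE_PAIRS
    if len(sys.argv) > 2:
        with open(sys.argv[2], encoding="utf-8") as fh:
            ref = parse_reference_list(fh.read())
    sys.exit(main(target, ref))
```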

The most effective way to remedy an infection is to do a full reformat and reinstallation, according to ScanSafe. Passwords or login details that were stored or used on infected machines should also be changed.

Source: http://news.cnet.com/security/?tag=hdr;snav

Thursday, May 28, 2009

Microsoft to patch new DirectX hole

A security flaw in DirectX could allow someone to take complete control of a computer. Friendly Computers thinks this may be of interest to you:

Microsoft on Thursday said it was working on a security patch for a vulnerability in its DirectX streaming media technology in Windows that could allow someone to take complete control of a computer using a maliciously crafted QuickTime file.

The remote code execution vulnerability exists in the way Microsoft DirectShow, its audio and video sourcing and rendering software, handles supported QuickTime format files, the company said.

"Microsoft is aware of limited, active attacks that use this exploit code," Microsoft's security advisory said. "If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

Windows 2000 Service Pack 4, Windows XP, and Windows Server 2003 are vulnerable but all versions of Windows Vista and Windows Server 2008 are not vulnerable, according to the advisory.

For the attack to work, an attacker would have to lure the victim into visiting a malicious Web site that hosts the exploit. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user.

Microsoft said it would release a patch to fix the hole as soon as it is ready for broad distribution. In the meantime, details on a workaround, along with a "Fix it" button, are available from Microsoft.

Source: http://news.cnet.com/security/?tag=hdr;snav

Wednesday, May 27, 2009

Facebook user drops lawsuit over virus


Yesterday, Friendly Computers found out about a man who was suing Facebook because he felt that the site did not sufficiently protect its users’ account information when the site was attacked by a virus. Today we find out that he is no longer pursuing the case:

A Florida librarian and activist said on Tuesday that he will drop a civil lawsuit he filed against Facebook alleging that the social network failed to adequately protect users from a virus.

Theodore Karantsalis, of Miami Springs, Fla., was seeking $70.50 from Facebook in the lawsuit, which was filed a week ago in Miami-Dade County court.

"I spoke with FB's law department and the case has been resolved," Karantsalis wrote in an e-mail late Tuesday. "I will file the attached Notice of Dismissal tomorrow. We agreed to add each other as 'friends' and 'poke' each other periodically. Also, FB is going to send me a T-shirt and I'm going to wear it in my profile photo."

Facebook spokesman Barry Schnitt said: "Obviously, we're pleased."

In the lawsuit, Karantsalis had alleged that Facebook breached a "legal duty to exercise at least reasonable care with regard to the safety of its network" on May 14 when it failed to properly contain a virus that spread across the social network. Karantsalis claimed his account was compromised and temporarily disabled and that his photos and friends were not restored.

"We're very interested to hear how he came up with the figure of $70.50," Schnitt wrote in an e-mail to CNET News early on Tuesday. "He's not going to get it but we promise to refund all the money he paid to use Facebook. Seriously, we're glad to know how important Facebook is to Mr. Karantsalis but his account was not disabled, is currently active, and he is using it, so I'm not sure what the problem is."

Karantsalis does have his account back up, but he said he had to manually re-add the photos and friends.

When Karantsalis' account was found to have been compromised nearly two weeks ago, Facebook reset his password and notified him via e-mail, as is the company's standard practice, Schnitt said. Facebook did not delete his photos and friends, he said.

In a phone interview, Karantsalis said the problem started when friends e-mailed and called him on May 14 to tell him that his name on Facebook had been changed to "John Doe" and it was being used to send out spam that directed people to a phishing site with a URL ending in ".im."

He said he does not know how his account was compromised and that he did not fall for a phishing scam. He said he teaches college classes on safe computing practices at Miami Dade College, where he works as assistant library director, according to LinkedIn.

Karantsalis said he arrived at the damages amount by figuring that each of the approximately 250 friends he had to re-add was worth 30 cents.

"Basically, I filed to get their attention," he said before agreeing to drop the suit. "Facebook has failed to respond to my e-mails and my phone calls."

"I'm a librarian and privacy advocate and take extra precautions with regard to safety," he had written in an e-mail to CNET News. "I've used PGP since 1995, an anonymous proxy, etc. If something like this can happen to me, then it's a big deal. FB is underreporting the amount of people affected."

According to a quick glance at Facebook's Statement of Rights and Responsibilities (terms of service, in common parlance), Karantsalis' suit may not have held up in court. It states that claims should be filed in Santa Clara County in California and limits Facebook's liability.

"WE TRY TO KEEP FACEBOOK UP, BUG-FREE, AND SAFE, BUT YOU USE IT AT YOUR OWN RISK," the statement says. "WE DO NOT GUARANTEE THAT FACEBOOK WILL BE SAFE OR SECURE...WE WILL NOT BE LIABLE TO YOU FOR ANY LOST PROFITS OR OTHER CONSEQUENTIAL, SPECIAL, INDIRECT, OR INCIDENTAL DAMAGES ARISING OUT OF OR IN CONNECTION WITH THIS STATEMENT OR FACEBOOK, EVEN IF WE HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES."

One lawyer said that from a legal standpoint Karantsalis' claim was "DOA" (dead-on-arrival).

"Per 47 USC 230, Facebook is not liable for third-party conduct and has no legal duty to protect its users from third party-caused harms," Eric Goldman, an associate professor at the Santa Clara University School of Law and director of the High Tech Law Institute, wrote in an e-mail. "There are at least two federal appellate cases supporting this proposition. See Green v. AOL (AOL not liable for user-posted virus placed into AOL chatroom); and Doe v. MySpace (MySpace had no obligation to police its premises to prevent users from harming each other)."

"If anything, Karantsalis might be on the hook to Facebook for filing such a meritless lawsuit," he said.

Karantsalis, who is also a journalist and blogger, has a history of filing lawsuits. He sued the city of Miami Springs for allegedly violating the Americans with Disabilities Act for not providing sufficient access to roads and sidewalks. (He has multiple sclerosis.) Karantsalis also won more than $750 in damages and court fees after suing Sprint and Wells Fargo when his Sprint invoice and personal data were exposed to a stranger who banks online at Wells Fargo (Karantsalis does not bank there). In addition, he sued the U.S. Defense Department and Air Force under the Freedom of Information Act for information on the 1986 U.S. raid on Libya.

Asked to comment on his litigious background, Karantsalis said he has acted to protect his privacy when corporations negligently exposed his personal information. In other cases, he said he tries to "fight for the underdog" and is an advocate for the Multiple Sclerosis Society.

Meanwhile, Facebook, founded in 2004, has had its share of viruses and other scams. In the latest incident, for instance, the site was hit by a combined phishing/drive-by-download attack which stole log-in information and downloaded the Koobface worm and other malware onto computers on Thursday.

Source: http://news.cnet.com/security/?categoryId=9729342&tag=rtcol;tags

Tuesday, May 26, 2009

Facebook sued by user over virus

A while ago we posted that Facebook had been attacked by a virus. One user feels that Facebook should have taken better steps to protect his user account. Friendly Computers wonders if more people now feel that Facebook is coming up short when it comes to protecting its users’ personal information:

A Florida librarian and activist has filed a civil lawsuit against Facebook alleging that the social network failed to adequately protect users from a virus.

Theodore Karantsalis, of Miami Springs, Fla., is seeking $70.50 from Facebook in the lawsuit, which was filed a week ago in Miami-Dade County court.

Facebook breached a "legal duty to exercise at least reasonable care with regard to the safety of its network" on May 14 when it failed to properly contain a virus that spread across the social network, the lawsuit alleges. Karantsalis claims his account was compromised and temporarily disabled and that his photos and friends were not restored.

"We're very interested to hear how he came up with the figure of $70.50," Facebook spokesman Barry Schnitt wrote in an e-mail to CNET News. "He's not going to get it but we promise to refund all the money he paid to use Facebook. Seriously, we're glad to know how important Facebook is to Mr. Karantsalis but his account was not disabled, is currently active, and he is using it, so I'm not sure what the problem is."

Karantsalis does have his account back up, but he said he had to manually re-add the photos and friends.

When Karantsalis' account was found to have been compromised nearly two weeks ago, Facebook reset his password and notified him via e-mail, as is the company's standard practice, Schnitt said. Facebook did not delete his photos and friends, he said.

In a phone interview, Karantsalis said the problem started when friends e-mailed and called him on May 14 to tell him that his name on Facebook had been changed to "John Doe" and it was being used to send out spam that directed people to a phishing site with a URL ending in ".im."

He said he does not know how his account was compromised and that he did not fall for a phishing scam. He said he teaches college classes on safe computing practices at Miami Dade College, where he works as assistant library director, according to LinkedIn.

Karantsalis said he arrived at the damages amount by figuring that each of the approximately 250 friends he had to re-add was worth 30 cents.

"Basically, I filed to get their attention," he said. "Facebook has failed to respond to my e-mails and my phone calls."

"I'm a librarian and privacy advocate and take extra precautions with regard to safety," he wrote in an e-mail to CNET News. "I've used PGP since 1995, an anonymous proxy, etc. If something like this can happen to me, then it's a big deal. FB is underreporting the amount of people affected."

According to a quick glance at Facebook's Statement of Rights and Responsibilities (terms of service, in common parlance), Karantsalis' suit may not hold up in court. It states that claims should be filed in Santa Clara County in California and limits Facebook's liability.

"WE TRY TO KEEP FACEBOOK UP, BUG-FREE, AND SAFE, BUT YOU USE IT AT YOUR OWN RISK," the statement says. "WE DO NOT GUARANTEE THAT FACEBOOK WILL BE SAFE OR SECURE...WE WILL NOT BE LIABLE TO YOU FOR ANY LOST PROFITS OR OTHER CONSEQUENTIAL, SPECIAL, INDIRECT, OR INCIDENTAL DAMAGES ARISING OUT OF OR IN CONNECTION WITH THIS STATEMENT OR FACEBOOK, EVEN IF WE HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES."

Karantsalis has a history of filing lawsuits. He sued the City of Miami Springs for allegedly violating the Americans with Disabilities Act for not providing sufficient access to roads and sidewalks. (He has multiple sclerosis.) Karantsalis also won more than $750 in damages and court fees after suing Sprint and Wells Fargo when his Sprint invoice and personal data were exposed to a stranger who banks online at Wells Fargo (Karantsalis does not bank there). In addition, he sued the U.S. Defense Department and Air Force under the Freedom of Information Act for information on the 1986 U.S. raid on Libya.

Asked to comment on his litigious background, Karantsalis said he has acted to protect his privacy when corporations negligently exposed his personal information. In other cases, he said he tries to "fight for the underdog" and is an advocate for the Multiple Sclerosis Society.

Meanwhile, Facebook, founded in 2004, has had its share of viruses and other scams. In the latest incident, for instance, the site was hit by a combined phishing/drive-by-download attack which stole log-in information and downloaded the Koobface worm and other malware onto computers on Thursday.


Source: http://news.cnet.com/8301-1009_3-10249301-83.html?tag=mncol

Friday, May 22, 2009

Computer Virus Strikes FBI, U.S. Marshals: Report


Even the FBI is not safe from viruses! Friendly Computers recommends installing anti-virus software and keeping it constantly updated. Read what U.S. Marshals reported:

In one of his many memorable skits, my favorite comedian, the late George Carlin, lists “Things you don’t want to hear,” and this gem is among them:

“Well, Jim, there’s no reason why you shouldn’t live another 50 to 60 years. However, you will be bleeding constantly from both eyes.”

If you’re a federal law enforcement official who is charged with protecting the kind of ultra-confidential information that increasingly travels through computer networks, I imagine the equivalent of that bad news for Jim goes something like this:

“A mysterious computer virus has infected your networks and forced both the FBI and U.S. Marshals to shut down.”

Yet that’s pretty much what happened this week, according to Devlin Barrett of the Associated Press.

Officials at the U.S. Marshals reportedly confirmed that they disconnected from Justice Department computers after the virus hit, and the FBI conceded that the agency also was having a problem.

Here’s what FBI spokesman Mike Kortan told Barrett: “We too are evaluating a network issue on our external, unclassified network that’s affecting several government agencies.”

What those agencies are he would not say, according to Barrett.

Yet the incident points to a disturbing phenomenon that deserves some thought. It is the business world, not the U.S. government, that leads the industry when it comes to developing new technology to cut costs, boost communications and increase efficiency, and it’s the private sector that often is ahead of the curve when it comes to detecting cybercriminals’ activity.

Consider: accounting for about 76 percent of all phishing attacks, software represents the largest doorway that cybercriminals such as hackers use to enter computer users’ systems and steal confidential information. And one Cupertino, California-based security, storage and systems management solutions provider – Symantec Corp. – recently reported that it’s seeing malicious code grow at a record pace.

In recent weeks, more and more home and small office computers have seen their networks compromised by Internet security attacks that gain traction through the devices that many of us use to make our home-surfing lives more portable: routers. (To try and preempt the attacks, one Fountain Valley, California-based company recently launched a new system that prevents malicious software by detecting whether responses are generated by humans or computers.)

According to Stephen Trilling, vice president of Symantec’s security technology and response group, the company is seeing attackers shift away from mass distribution of a few threats to micro-distribution of millions of distinct threats.

“Cybercriminals are profiting from creating and distributing customized threats that steal confidential information, particularly bank account credentials and credit card data,” Trilling said. “While the above ground economy suffers, the underground economy has remained consistently steady.”

That recalls some of what TMCnet heard recently from the world’s largest maker of computer networking gear. Officials at Cisco Systems Inc. say that cyber-criminals’ attacks are becoming more targeted and sophisticated.

This latest problem apparently started yesterday morning, for both the Marshals and the FBI. No data was compromised, officials said.

The type of virus that caused the shut-down and its origin are not clear, they said.

“In Thursday’s incident, the Marshals Service shut down its Internet access and some e-mail while staff worked on the problem,” Barrett reports. “The FBI made similar moves to protect its system.”

Source: http://sip-trunking.tmcnet.com/topics/security/articles/56645-computer-virus-strikes-fbi-us-marshals-report.htm

Thursday, May 21, 2009

Deja vu: New phishing scam hits Facebook

Friendly Computers wants to make sure that your Facebook account will be protected from a new phishing scam. More information is below…

A new phishing scam is hitting Facebook users on Thursday, sending them to a Web site designed to steal their log-in information, according to a report.

Facebook users are receiving messages from friends with a subject line of "Hello" and a prompt to check out "areps.at" or another domain ending in .at.

If you log in to the site, it steals your email and password, logs you into Facebook and automatically changes your password and sends the same message to all your Facebook friends, according to the All Facebook blog.

"Whoever is behind the scam has been steadily amassing a large number of email addresses and passwords over the past few weeks," the blog says. "Some days as much as three scams will spread throughout the site (possibly even more). Facebook rapidly shuts down all references to the site but by then the scam has spread to thousands of users."

The phishing URLs were blocked by Firefox and flagged as a "Web Forgery" as of 9:50 a.m. PDT. One of them was still up and downloading malware on Internet Explorer.

A Facebook spokesman did not immediately return a call and e-mails seeking comment.

Separately, some Facebook users reported difficulty accessing the site on Thursday morning. It was unclear whether the connectivity issues were related to the phishing scam.

Source: http://news.cnet.com/8301-1009_3-10246536-83.html?tag=newsLatestHeadlinesArea.0

Wednesday, May 20, 2009

DPS blames computer virus for delay

Everyone knows that renewing your driver’s license is not always fun. Friendly Computers found out that a computer virus caused a big delay in Houston. Read more below…

The Texas Department of Public Safety is blaming a computer virus for a six-week delay in processing new and renewed driver’s licenses.

Agency spokeswoman Tela Mange says the Conficker virus, which struck the Department on April 15, forced a delay in a planned upgrade to the driver’s license system. That upgrade, called the “Drivers License Re-engineering” project, was supposed to be completed in three days last month. Instead, Mange says it will not be finished until later this week.

For drivers, this means the typical 10 to 15 day waiting period to get a license is now four to six weeks. The Department’s temporary permits, which drivers receive when they apply for a renewal online or in person, will now last for 45 days.

As a temporary measure, Mange says the DPS has asked local law enforcement agencies to double-check expired licenses in traffic stops against a computer database, to see if a driver has applied for a new license but has not yet received it. DPS is also issuing temporary paper licenses that last for 45 days.

Customers outside one of Houston’s DPS offices say that employees told them it will take anywhere from two to eight weeks to receive a new license.

Phone lines at the Department’s Austin headquarters are jammed with people checking on the status of their licenses, Mange said. When 11 News tried to reach an operator Monday, the automated system repeatedly told callers to hang up and try back later, because no one was available. There was also no mention of the delay on the DPS website.

State Rep. Lois Kolkhorst, R-Brenham, says she is not surprised that DPS is having computer problems.

Kolkhorst’s bill to upgrade computer systems at DPS has passed the Texas House and is awaiting a vote in the state Senate.

“This is the pattern that we have been seeing with the department,” she said. “We need a major overhaul. We’re asking the system to do more than it is probably capable of doing.”

Mange says that the computer problems that caused the delay should be resolved by Friday. She says at that point, the bulk of the delay will be behind them and licenses should take about 20 days to reach drivers.

Source: http://www.khou.com/news/local/stories/khou090518_jj_drivers-licenses-renewal-changes.16b2f560.html

Tuesday, May 19, 2009

'Gumblar' attacks spreading quickly

Friendly Computers found some important information regarding a new malware spreading over the net. As usual, we urge you to keep your operating system and antivirus software updated. Read more below…

The attackers behind a series of rapidly spreading Web site compromises have begun using a new domain to deliver their malicious code, security experts say.

The attacks, collectively referred to as "Gumblar" by ScanSafe and "Troj/JSRedir-R" by Sophos, grew 188 percent over the course of a week, ScanSafe said late last week. The Gumblar infections accounted for 42 percent of all infections found on Web sites last week, Sophos said.

Over the weekend, the Chinese Web domain used to deliver the malicious code--gumblar.cn--stopped responding, according to Unmask Parasites, a service used to detect malicious code embedded in Web pages. The attacks' malicious payload has, however, continued to be delivered from a different source, the martuz.cn domain, Unmask Parasites said Monday in an advisory.

"They have slightly modified the script and now inject a new version that loads malicious content from a new domain," Unmask Parasites said.

Changes to the script make it more difficult to identify and let it evade detection by the Google Chrome browser, Unmask Parasites said.

Gumblar was first detected in March and has spread more quickly since then, against the expectations of security experts.

"A typical series of website compromises reaches peak within the first week or so and subsequently begins declining in intensity as detection is added by signature vendors, user awareness increases and website operators begin cleaning the affected sites," ScanSafe senior security researcher Mary Landesman said late last week in an advisory.

In the Gumblar attacks, the opposite is occurring, partly because Web site administrators themselves are affected by the attacks as they try to address the problem, ScanSafe said.

Sites affected include Tennis.com, Variety.com, and Coldwellbanker.com, according to ScanSafe.

The attacks were carried out in multiple stages, beginning in March, when a number of Web sites were compromised and attack code was embedded within them, ScanSafe said.

Then, in early May, as Web site operators began to clean up their sites, the attackers replaced the original malicious code with dynamically generated and heavily obfuscated JavaScript, meaning that the scripts change from page to page and are difficult for security tools to spot.

The scripts attempt to exploit vulnerabilities in Adobe's Acrobat Reader and Flash Player to deliver code that injects malicious search results when a user searches Google on Internet Explorer, ScanSafe said.

They also search the victim's system for FTP credentials that can be used to compromise further Web sites, the company said.

The malicious code embedded on a user's system was previously downloaded from gumblar.cn, a Chinese domain associated with Russian and Latvian IP addresses, delivering code from servers based in the U.K., according to ScanSafe. That domain has now changed to martuz.cn.

Source: http://news.cnet.com/8301-1009_3-10244529-83.html?tag=mncol;title

Friday, May 15, 2009

Five Best Malware Removal Tools

If your computer is running slow or full of pop-ups, you may have malware on your machine. Friendly Computers found a list of some of the best malware removal tools. Read more below...

The internet—unfortunately—isn’t a never-ending buffet of secure open-source software and Bollywood-style musicals starring LOLCats. There are people and organizations that delight in stealing your personal data, hijacking your computer, and making a general nuisance of themselves through malicious software. This week we’re highlighting the top five tools for removing software with ill intentions from your PC.

Spybot Search & Destroy has made quite a name for itself over the years, earning accolades from both general and computer-focused publications. Spybot Search & Destroy is the highest ranked freeware tool at 2Spyware.com, a website that ranks malware removal tools. In addition to scanning for malware, Spybot Search & Destroy also has a variety of additional features, including a botnet scanner, hosts-file modification (to keep malware from calling home), a secure file shredder, and a dummy code feature (it replaces malicious or questionable adware modules with inert code so the dependent program will keep functioning). As an added bonus, Spybot Search & Destroy is compatible with every version of Windows dating back to Windows 95.

SUPERAntiSpyware is available as both a freeware and a premium edition, like Malwarebytes’ Anti-Malware, but the level of restriction on the freeware edition is considerably higher. The free version is limited to basic scanning and removal. The premium version includes real-time scanning, registry protection, a scheduling service, auto-scan on startup, and 50 startup diagnostics to stop malware infections before they spread. One of SUPERAntiSpyware’s strong selling points is a high level of compatibility with other protection tools like Avira, Kaspersky, Symantec and McAfee. In most cases it can be run alongside other tools without conflict.

ComboFix is just as spartan as the screenshot here makes it look. You download ComboFix, run it, and it takes care of the rest. There is a basic process where it backs up your registry and checks to see if you have Windows Recovery Console installed, and then it goes to town on your system scanning away through 40+ stages. When it’s done it spits out a log file and lists all the malware it found, which ones it was able to remove, and which ones you’ll have to use your Google-fu to look up how to remove manually. It isn’t fancy but it gets the job done and gives you a detailed report at the end to take to security forums for help if you need it.

Malwarebytes’ flagship application, Anti-Malware, is a shareware malware removal tool. The principal difference between the free and premium versions of the application is real-time monitoring. If you can stand not having active scanning against threats, the free version uses the same database and does an admirable job ferreting out infections. Anti-Malware was, for example, one of the few malware removal tools that could detect and remove the Antivirus XP 2008 spyware application. Anti-Malware includes another application from Malwarebytes, FileASSASSIN, which is a helpful tool for deleting files locked by Windows.

HijackThis stands alone in this Hive Five as being the least automated yet most likely to completely wreck your system if used incorrectly. HijackThis does a comprehensive scan of the state of your computer and reports back an enormous log file. The tool makes no judgment on whether or not an application, browser modification, or registry entry is malicious. It simply generates a list of things that could potentially have been altered or tampered with by spyware, malware, or other malicious programs. Advanced users can look over the log themselves and determine what needs to be pruned. If you’re not comfortable doing that, your best bet is to take the log file to a popular security forum like BleepingComputer or SpywareInfoForum and post it to get combed over by an army of knowledgeable volunteer malware slayers. Alternatively, while not a replacement for getting help from people on the forums, HijackThis.de is a web-based HijackThis log reader which is updated nightly. You dump your log file in and it scans it for relevant entries and gives you links to articles on how to remove the malware found in the log.

An honorable mention goes to “Reformat” as a popular nominee in this week’s Hive Five. Apparently sometimes when you find a mouse in the kitchen the only way to be sure there aren’t any more of them in the walls is to burn the whole house down.

Source: http://www.lifehacker.com.au/2009/04/five-best-malware-removal-tools/

Ways to Save on Anti-Virus Software

Friendly Computers thinks that these tips about Anti-Virus software may be helpful to you:

Your computer is a big investment and the documents on it could be priceless, so it's wise to install software to protect it. Getting a virus on your computer can be frustrating and expensive. If you've been the victim of a computer virus, it's something you'll never forget. "I'm a storywriter so I lose like all the stories that I've written from years ago and it's...it's really frustrating," said Jessica Rodriguez of Springfield.

Aristeo Torres of Post Computer Systems in Wilbraham told 22News, "We strongly recommend that you only get an anti-virus and anti-spyware program and not the suites." The suites are the deluxe versions. If you stick with the basics, you'll save money. Experts recommend "Panda" or "Norton Anti-Virus". Both are around forty dollars each. You can also get free anti-virus downloads online. "AVG" and "AntiVIR" are the two most reputable, according to Torres. But free downloads do not provide you with support if you have questions.

The best way to save money on protecting your computer is to simply use common sense. For example, don't use file-sharing websites like "Limewire." They're not only illegal, but they can also expose your computer to viruses and spyware. Remember to update your protection every year. It will cost you about forty dollars annually, but it will save you money by extending the life of your computer.

Source: http://www.wwlp.com/dpp/news/ways_to_save/wlp_local_waystosaveonantivirussoftware_200905141224

Friday, May 8, 2009

Cybercriminals use fake search engines to spread malware

Friendly Computers found an interesting article concerning the new wave of malware. Read more below…

Cybercriminals have moved on from search engine optimization techniques and are now creating fake search sites designed solely to direct Web surfers to pages hosting malware, Panda Security warned on Wednesday.

Previously, attackers resorted to sending e-mails with malicious code in attachments and with links to malicious Web sites and took measures to push those Web sites higher in search engine rankings. Now, they're also creating fake search engines that are showing up in Google search results, according to a PandaLabs blog posting.

When people use the engines to search for popular terms, like "flu statistics," the results displayed redirect to porn sites that purport to show video but require the visitor to install what they say is the latest version of a video player but which instead is malware, the post said. Searching on the fake search engines for security topics leads to fake antivirus sites, PandaLabs said.

One of the fake search engines has received about 195,000 visits, according to the post.

Web surfers should use reputable search sites to protect themselves, PandaLabs recommends.

Source: http://news.cnet.com/8301-1009_3-10235083-83.html

Wednesday, May 6, 2009

Prediction: Apple will recommend security software

Security analysts are predicting that it will soon be necessary for Mac users to install security software. Friendly Computers found an article that describes why. Read more below…

As an analyst, it is my job to follow the industry, internalize trends, and then use this information to make predictions. OK, here goes: Within the next 18 months, Apple will begin recommending that Macintosh users install Internet security software on all systems.

Now I realize that this statement is blasphemy to dedicated Mac users, so let me start with a few qualifying statements. I am not comparing Mac OS with Windows, or Apple with Microsoft, and my prediction should not be interpreted as an attack on Apple, its developers, or the security of its code.

The truth is that all sophisticated software contains vulnerabilities and Mac-based malicious code is nothing new. The recent iBotnet virus is just one example. My hunch is that Mac attacks will increase precipitously over the next year, driving Apple to drop its Windows security insults and partner with the likes of Sophos, Symantec, and Trend Micro. Here are a few reasons why:

  1. Mac users are a lucrative target. Mac owners tend to be affluent and Net savvy. To the bad guys, this means identities to steal and broadband connections to exploit.

  2. Organized cybercrime is diversifying. Cybercriminals tend to work as a loose confederation with each group specializing in a certain task. There are malware writers, botnet owners, mules, etc. Some entrepreneurial bad guy is bound to see a green field market in Mac cybercrime, recruit Mac hackers, develop expertise, and market these capabilities. If there is an equivalent of a cybercrime venture capital firm, they are probably looking at business plans like this already.

  3. Macs are growing in the enterprise. In many large firms, Macs make up about 5 percent of endpoints. If the bad guys infect these systems, they can troll the network looking for other vulnerabilities and juicy data at will.

  4. Macs are fairly easy to hack. In March as part of a contest, security expert Charlie Miller won $5,000 for exploiting a hole in Safari in about 10 seconds. If he can do this in 10 seconds, how many techies can do it in an hour? This is a frightening thought to me.

The company and Macintosh users should not fight this trend--doing so would only increase risk and help cybercriminals. Realize that most enterprises that already use Macs do so with the caveat that these systems must run security software. The goal is reducing risk, not singling out Mac users. There is a lesson to be learned here.

Senior citizens often hark back to a time when people left their house unlocked and left their car keys in the ignition. Now they lock their doors for safety. Apple, along with Mac users, should prepare for a similar transition. Given the state of cybersecurity today, pragmatism should trump romanticism.

Source: http://news.cnet.com/8301-1009_3-10234535-83.html