The Battle for Your Browser
By Larry Seltzer
2008-04-30

Attackers are doing a drive-by on your browser, but the defenses against such attacks are good and getting better.

Windows users have to look at the Internet as a source of unending attacks. You can defend yourself with some software and some common sense, and the defenses are set to get even better.

There are two basic popular types of malware infection these days: the Trojan horse program marketed through links in an e-mail, and drive-by browser hijackings. I have a hard time getting my hands around how effective one or the other is.

The drive-by method uses a bag of JavaScript that throws a stream of attacks at the browser, one after another, hoping one will compromise it. At almost all times these attacks target patched vulnerabilities, meaning that you're basically safe from them if you keep your browser and other software up to date. Some of that software, like Flash, Acrobat and RealPlayer, is more likely to linger in old, unpatched versions, so you need to be assiduous.

A big part of the consideration for vulnerability exploits is, if they happen to execute, how much damage can they do? Microsoft has done a lot of work in this area over the last few years, aiming to restrict the ability of exploits to do much damage if they get through initial defenses. One of my favorite Microsoft bloggers, Robert Hensing, who works in the Security Vulnerability Research and Defense group, argues that these second-level defenses are good and getting better.

The active defenses on by default in Vista are pretty good: IE Protected Mode, ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention) are all examples of this. But applications have to be set up to use ASLR and DEP, and both Microsoft and ISVs have been slow to do so. These techniques are so good at rooting out bugs as well as exploits that they would be too disruptive to turn on in a blanket fashion.

But they've been turning on more and more. Even Apple has turned on ASLR and DEP in some parts of QuickTime, an option it doesn't have in OS X. And IE8 will have DEP turned on by default, which puts all the ActiveX control authors on notice.

ASLR may prevent exploit code from finding an execution point. If it can find the exploit code, DEP will likely prevent it from running. Protected Mode prevents it from modifying anything in the system or becoming persistent. As Hensing points out, faced with an environment like this, exploit code can't get a lot of work done.

The reflexive advice you get from a lot of sources, including the U.S. government, is to shut off JavaScript and ActiveX. I just can't agree that this is good advice; despite what the average NoScript advocate says, the Internet is unusable with JavaScript turned off. I try it every now and then and it's just not worth surfing the Web. With ActiveX turned off, you can get some work done, but you'll notice that lots of pages work badly, mostly for excessive reliance on Flash.

I often wonder how many completely updated PCs get exploited. I bet the numbers are small, and I bet almost all of the ones that do get exploited are through social engineering, where the user gets tricked into lowering defenses and running a Trojan horse. It's hard to get through otherwise.
Finnish security vendor F-Secure has collected twice as many malicious software samples this year as it has over the last 20 years, a trend that highlights the growing danger of malicious software on the Internet.

Through the end of 2006 and the 20 years prior, F-Secure counted a total of 250,000 samples, said Mikko Hypponen, F-Secure's chief research officer. This year alone, 250,000 samples have been counted, he said.

Statistics on malware from antivirus companies can vary, since the data is often derived from what their customers experience while using their software, and it depends on how widely that software is used. But other security vendors have also noted the flood of new malware on the Internet over the last few years.

Symantec said earlier this year that it detected 212,101 new malicious code threats between January and June, an increase of 185 percent over the same period a year prior.

The astounding increase shows that hackers "are generating large number of different [malware] variants on purpose to make the lives of antivirus vendors more difficult," Hypponen said.

A variant is a piece of malware that has a unique look but belongs to a known family of malware, sharing common code and functions. Hackers use techniques such as obfuscation, which jumbles up code and makes it hard to determine what the program is, and encryption, to trick security programs.

"Genuine innovation appears to be on the decline and is currently being replaced with volume and mass-produced kit malware," according to F-Secure's report, which covers the second half of 2007.

Higher numbers of malware samples put more pressure on vendors to ensure they have fine-tuned products. To handle the surge, F-Secure has hired more security analysts as well as continued to develop automated tools to evaluate malicious software, Hypponen said.

Any new malware must first undergo an analysis. Then most security software vendors create a signature, or an indicator, that allows their software to detect the malware. Automation makes the task of analyzing malware somewhat easier, but "in the end, a human makes the decision where we add detection [signatures]," Hypponen said.
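To make the variant problem described above concrete, here is a small added example (not code from F-Secure or from the article) that contrasts the two kinds of signature a vendor can write. The three "samples" are constructed byte strings standing in for one malware family: the original build, a rebuilt variant with different padding and port, and a copy XOR-encoded with a single byte. An exact file hash catches only the build it was taken from; a byte pattern over the family's shared code also catches the variant; and the trivially obfuscated copy evades both until an analyst peels the encoding off, which is the human step Hypponen refers to.

```python
import hashlib
import re

# Constructed stand-ins for three files of one malware family (not real samples):
# the original, a rebuilt variant with different padding and port, and a copy
# whose bytes have been XOR-encoded with a single key (the cheapest obfuscation).
ORIGINAL = (b"MZ\x90\x00" + b"\x00" * 8
            + b"CONNECT irc.example.invalid 6667\x00" + b"\xde\xad\xbe\xef")
VARIANT = (b"MZ\x90\x00" + b"\x00" * 12
           + b"CONNECT irc.example.invalid 7000\x00" + b"\xde\xad\xbe\xef")
OBFUSCATED = bytes(b ^ 0x5A for b in ORIGINAL)


def file_hash(sample):
    """Signature type 1: an exact SHA-256 of the file. Precise, and defeated by any byte change."""
    return hashlib.sha256(sample).hexdigest()


# Signature type 2: a byte pattern with wildcards covering what the family shares
# (assumption for this example: the connect string and the marker bytes after it).
FAMILY_PATTERN = re.compile(rb"CONNECT [a-z.]+ \d+\x00\xde\xad\xbe\xef")


def classify(sample, known_hashes):
    """Return which signature caught the sample: 'hash', 'pattern', or 'unknown'."""
    if file_hash(sample) in known_hashes:
        return "hash"
    if FAMILY_PATTERN.search(sample):
        return "pattern"
    return "unknown"


def xor_key_for_family(sample):
    """Analyst step: try every single-byte XOR key and return the one that reveals the
    family pattern, or None. Key 0 means the sample was not encoded at all."""
    for key in range(256):
        if FAMILY_PATTERN.search(bytes(b ^ key for b in sample)):
            return key
    return None


if __name__ == "__main__":
    known = {file_hash(ORIGINAL)}
    for name, sample in (("original", ORIGINAL), ("variant", VARIANT), ("obfuscated", OBFUSCATED)):
        print(f"{name:10s} -> {classify(sample, known)}; xor key {xor_key_for_family(sample)}")
```

The pattern signature is what lets one detection cover a family rather than a single build, which is why volume alone does not defeat vendors; obfuscation does, until the encoding is understood and the decoded form is matched.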
Malware is Getting Sneakier
StopBadware.org warns that the Web's 'dark corners' are everywhere, even on legitimate sites.
Robert McMillan, IDG News Service
Wednesday, October 03, 2007 09:00 AM PDT
It's getting harder and harder to know who to trust on the World Wide Web, according to online safety advocates StopBadware.org. On Tuesday, the group released its 2007 Trends in Badware report, saying the bad guys are finding new ways to place their malicious software on our computers -- often by compromising Web sites that we trust.
With the help of one of its sponsor companies, Google Inc., StopBadware maintains a list of 200,000 Web sites that are known to be associated with malicious downloads. According to Max Weinstein, a project manager with StopBadware, more than half of these sites have been hacked and don't even realize it.
In fact, this move to delivering malicious software on legitimate sites has been a disturbing trend over the past year, he said.
"It used to be that the advice to the end-user was 'keep your software up to date and then don't go to bad Web sites,'" he said. "You still don't want to go to those sites, but what we seen now is that you can be on a very legitimate site and have a problem."
Web surfers know that visiting gambling or pornographic sites could harm their computers, but lately attack code can be downloaded from almost anywhere.
In January, for example, the Web sites of Dolphin Stadium and the Miami Dolphins, hosts to the 2007 Super Bowl U.S. football championship, were found to have been hacked and were serving up malicious software, just days before the Super Bowl.
And the bad guys are even sneakier than you might imagine. In June and July, Web sites that had been linked on the popular Boing Boing blog were compromised, a tactic called 'linkjacking.'
Weinstein says criminals don't necessarily have to hack a site to have it serve up malicious software. Part of the problem is in the Web 2.0 world, where sites are built up of many different components pulled from different parts of the Web, it's becoming easier to sneak badware onto a legitimate site.
StopBadware has seen this happening with Web advertising networks, which can easily be subverted by attackers to serve up maliciously encoded scripts and images, he said. "What we're seeing is a lot of cases where a legitimate Web site has an ad network, and that ad network itself, or sometimes even a subcontractor of that ad network, contains an ad that is providing badware."
"It's certainly something we are seeing in increasing numbers, probably in the past several months," Weinstein said.
eBay Inc. is looking into ways of curbing a similar problem. The online auction giant allows users to put their own images and HTML code on its site, but sometimes this leads to "bad code," said eBay Chief Information and Security Officer Dave Cullinane, speaking at an online security symposium held Tuesday at Santa Clara University. The company is looking at including security ratings for users as part of its reputation system to help prevent novice users from accidentally putting malicious or unwanted code on the site. "One of the things we are looking at bundling in is your level of security. As a user goes up, we'll allow you to do more things."
Under the proposed system, eBay power sellers with good security ratings would be given more free rein on the types of features they could add to their stores, Cullinane said.
Another growing source of concern is social networking.
Users should also be wary of fake accounts set up on legitimate social networking sites, which are often designed with one thing in mind: to lure unsuspecting users to malicious Web sites, Weinstein said.
So with all this badware, is the Internet a more dangerous place to be?
It's a tough question, Weinstein says, but he believes things are getting better, largely because people are getting smarter about what they do online. "I think the bad guys are always trying to stay a step ahead of the average users," he said. However, "people are learning, and I think that is having an effect."
"I'd like to think that our effort, and other efforts like ours, are actually making a substantial difference."
Top 10 tricks causing spyware epidemic

Spyware tricks have become increasingly devious, making spyware and adware stick to machines longer, more difficult to remove and sometimes impossible to see with ordinary methods. In the spyware tricks series I wrote about seeing installations with multiple resuscitators, increasing numbers of randomly named files, even randomly named folders. Internet Explorer security settings are being changed by spyware and hosts files are being hijacked. We've recently seen installations of keyloggers and spam bots along with your garden variety of adware. Now add rootkits to that list. Let's look back at the top 10 tricks of 2005…
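The hosts-file hijacking mentioned above is one of the easier tricks to check for, because a hosts file is plain text and legitimate entries follow a small number of shapes. The following is an added example, not from the blog, of a defender's audit: it parses hosts-file text, flags any entry that touches a name on a watchlist (security-vendor update servers, banking sites; the names here are constructed placeholders), distinguishes a blackhole (name mapped to localhost, which blocks updates) from a redirect (name mapped to a remote address), and separately flags a single remote address claiming many different names, the pattern left by spyware that steers traffic to its own server.

```python
import ipaddress
from collections import defaultdict

# Constructed watchlist of names that should never be overridden by a local hosts
# entry. These are placeholders for this example, not real vendor hostnames.
PROTECTED_HOSTS = {
    "update.example-av.invalid",
    "windowsupdate.example.invalid",
    "www.example-bank.invalid",
}
FAN_IN_THRESHOLD = 3  # one remote address claiming this many names is a hijack pattern


def is_local(ip):
    """True for loopback/unspecified targets, the normal 'block this name' addresses."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def parse_hosts(text):
    """Return (line_no, ip, hostname) triples; comments, blanks and bad addresses are skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        ip, *names = body.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not a hosts mapping; ignore rather than crash on odd lines
        entries.extend((line_no, ip, name.lower()) for name in names)
    return entries


def audit_hosts(text):
    """Return a list of findings, each a dict with line, host, ip and kind."""
    entries = parse_hosts(text)
    findings = []
    # Rule 1: any override of a protected name is worth a look.
    for line_no, ip, host in entries:
        if host in PROTECTED_HOSTS:
            kind = "blackhole" if is_local(ip) else "redirect"
            findings.append({"line": line_no, "host": host, "ip": ip, "kind": kind})
    # Rule 2: many unrelated names funnelled to one remote address.
    names_per_remote = defaultdict(set)
    for _, ip, host in entries:
        if not is_local(ip):
            names_per_remote[ip].add(host)
    for ip, hosts in names_per_remote.items():
        if len(hosts) >= FAN_IN_THRESHOLD:
            findings.append({"line": None, "host": ",".join(sorted(hosts)),
                             "ip": ip, "kind": "fan-in"})
    return findings


# Constructed hosts-file content for the demonstration (203.0.113.0/24 is a
# documentation range, used here as the stand-in for an attacker-controlled server).
SAMPLE_HOSTS = """\
127.0.0.1 localhost
::1       localhost
192.168.1.10 fileserver.lan          # ordinary LAN entry, not a finding
203.0.113.7 update.example-av.invalid
203.0.113.7 www.example-bank.invalid
203.0.113.7 search.example.invalid
0.0.0.0 windowsupdate.example.invalid
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

On a real machine the text would come from the system hosts file (for example C:\Windows\System32\drivers\etc\hosts on Windows, /etc/hosts elsewhere); the watchlist should be the update and security domains your own environment depends on.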
10. Spyware spread through Windows Media files, as described by Ben Edelman, Eric Howes and Ed Bott in January. The Windows Media Player flaw that allowed the exploit involved DRM and has since been patched by Microsoft.

9. Adware companies hide their dirty work using rootkit technology; examples are Enternet Media's Elitetoolbar and ContextPlus' Apropos and PeopleonPage.

8. Internet Explorer infected through Firefox, as documented by Paperghost, aka Chris Boyd. This story stirred up quite a bit of controversy. The real culprit was a Java-based malware installer, which did, in fact, infect the machine while browsing with Firefox.

7. Direct Revenue unleashed Aurora; see Got Aurora? Nail.exe? for details and more here about the massive impact of the Aurora software, including a file named nail.exe, which kept spyware help forums and HijackThis experts busy for months and generated an unprecedented number of comments, including threats of violence against Direct Revenue, on my Spyware Warrior blog.

6. Spam bots, keyloggers and kiddie porn connect with major adware companies: 180solutions, Direct Revenue, SurfSidekick, BullsEye Network and ShopAtHomeSelect installed in conjunction with a spam zombie and a rogue anti-spyware program, all of which started from a child porn site and were installed through an exploit, as illustrated at SunbeltBLOG and Spyware Warrior.

5. Spazbox domain installs massive spyware/adware using IRC, as documented by Paperghost and Spyware Warrior (complete with video), dissected by Wayne Porter here and again here.

4. Anti-spyware spread by spyware and trojans; details here about the super rogues PSGuard, Razespyware, SpySheriff, Spy Trooper, WorldAntiSpy and, more recently, SpyAxe here.

3. Direct Revenue adware distributed through BitTorrent (or more Aurora and nail.exe), exposed by Paperghost and told by eWeek.

2. AIM worm carries backdoor, rootkit and adware, found to be powered by a worldwide botnet with ties to the Middle East. See the write-up from CNET, Paperghost's analysis and FaceTime's press release.

And now, drum roll please, the top spyware trick of 2005…

1. Sony BMG infects users with DRM rootkit, originally reported by Mark Russinovich at SysInternals. The fallout of this debacle continues with artists revolting and plenty of legal action against Sony BMG in the works.
Top 10 rogue anti-spyware (Programs to Stay Away from)

What is rogue anti-spyware? Rogue anti-spyware programs are defined by spyware and anti-spyware expert Eric Howes on the Rogue/Suspect Anti-Spyware Products and Sites page. "Rogue/Suspect" means that these products are of unknown, questionable, or dubious value as anti-spyware protection. Some of the products listed on this page simply do not provide proven, reliable anti-spyware protection or may be prone to ridiculous false positives. Others may use unfair, deceptive, high-pressure sales tactics to scare up sales from gullible, confused users. A very few of these products are either associated with known distributors of spyware/adware or have been known to install spyware/adware themselves.

A bit of history about the Rogue Anti-Spyware page, if you will. I had been loosely tracking complaints on the web about anti-spyware apps for some time when the first "super rogue" was unleashed just over 2 years ago. In late November 2003, complaints about a program called Spy Wiper started popping up by the dozens in forums and blogs all over the net. I had an entire blog category devoted to Spy Wiper and its successor Spy Deleter. Eventually the Center for Democracy & Technology (CDT) filed a complaint about the two, and later the FTC took action and that operation was shut down.

Due to the Spy Wiper/Spy Deleter attacks I was really fired up about rogue anti-spyware and started blogging about rogue apps. A while later I learned that Eric Howes had also been tracking anti-spyware complaints and testing the applications. We began collaborating and the Rogue/Suspect Anti-Spyware page was officially launched on June 26, 2004 with about 50 apps listed.

Less than a year later, on June 9, 2005, the rogue list reached 200 apps. If you are wondering why there are so many rogue anti-spyware apps, click here and scroll down a bit. The list currently stands at 241 programs, including 19 that have been de-listed but remain on the page with notes about why they were listed and later de-listed.

This year we have seen a proliferation of what I call super rogues, blogged here and here. These super rogues are usually seen on pages designed to look like a Windows security center, seen here and here. The super rogues are also known for hijacking desktops and being installed via security exploits, along with a myriad of spyware and adware apps, and are usually part of an infestation called smitfraud.

Let me say that choosing the top few was very difficult because they are all nearly identical in behavior and installation methods. I've ranked them in part by their pervasiveness and the number of complaints found about them on the web. They are apps that debuted this year, except for one honorable mention, an app that's been around for about 2 1/2 years but continues to appear regularly in spyware infestations. The names of the programs are linked to a complaint or example of the app, not the website of the vendor or program.

Without further ado, I present to you the top 10 rogue anti-spyware applications of 2005.

Honorable mention goes to VirtualBouncer/AdDestroyer for its 2 1/2 year history of being stealth installed in exploits without notice or consent.

10. Spyware Bomber, brought to us by the same folks behind Enternet Media, the spyware company shut down recently by the FTC.

9. SlimShield, tied with Winhound Spyware Remover, for hijacking and stealth installation.

8. WinAntiVirus and its companion WinAntiSpyware 2005 for hijacking, aggressive advertising and inappropriate collection of personally identifying information.

7. SpywareNo and its clone SpyDemolisher for stealth installation and deceptive, aggressive advertising.

6. Razespyware for stealth installs, desktop hijacks and aggressive advertising.

5. Spy Trooper for stealth installs, desktop hijacks and aggressive advertising.

4. WorldAntiSpy for stealth installs, desktop hijacks and aggressive advertising.

3. PSGuard for stealth installs, desktop hijacks and aggressive advertising.

2. SpySheriff for stealth installs, desktop hijacks and aggressive advertising.

1. SpyAxe for desktop hijacks, stealth installs and deceptive, aggressive advertising.

Note: For anyone landing on this page while searching for help with removing these rogues, I'd suggest going to one of the reputable spyware help forums and posting for help. SpyWareBeware, the home of ASAP, the Alliance of Security Analysis Professionals, lists member sites where users can get expert help with spyware removal from trained volunteers.

The List ... of known fake Anti-Spyware... (once going to this link ... it will not return)