Posts Tagged ‘malware’

How to disinfect the Police Virus

April 27th, 2012

Published by Jose Manuel Bernal, 27/04/2012

This morning, after I started up the PC, I was confronted with the following full-screen window covering the entire desktop:

Without paying much attention to it I instinctively pressed ESC and other key combinations like ALT+F4 to try and close it, but the message had locked the computer rendering it effectively unusable.

The message pretends to come from Spain’s local authorities and claims that illegal activity has been detected on my computer. More specifically, it claims that forbidden websites containing pornography have been visited from my IP address and demands that a fine be paid to unlock the computer. The text, loosely translated, reads:

“Illegal activity has been detected on your computer. According to Spanish law your computer is locked. Forbidden websites containing pornography, child pornography, bestiality, etc. were visited from this IP address. This locking serves to stop your illegal activity.”

This is actually a new variant of the infamous Police Virus, called Trj/Ransom.ab, which belongs to a malware category known as ransomware. The aim of the people spreading this malware is to intimidate and blackmail users whose PCs are infected, persuading them to pay to have the malware removed. The scam is similar to that of rogueware or fake antivirus software, which we covered in the post “The nightmare of fake antivirus continue. Protect yourself with Panda”, only this time the perpetrators try to pass themselves off as a law enforcement agency instead of an antivirus vendor. Here are the instructions to remove the Police Virus Trj/Ransom.ab.

Finally, we’d like to remind you of these simple tips that will help you protect yourselves from this type of malware.

  1. Use your common sense. No governmental organization can block access to your computer. Under no circumstance pay the so-called ‘fine’.
  2. Install a good antivirus. Check out our recommendations in the following post: Protect your banking data with Panda Security’s new 2012 products. Protect your computer at all times and avoid nasty surprises.
  3. Keep your operating system up-to-date with the latest security patches.
  4. Never open an email from an unfamiliar sender. Beware of messages with eye-catching subject lines, they are more likely to carry a virus.
  5. Avoid surfing to non-secure Web pages. In some cases, it is enough to visit a compromised website to get infected without knowing. If, however, you need to access a dubious website, do so from a malware-free environment like that offered by Panda SafeBrowser.

Stay safe!

Malware for beginners: those apocalyptic emails…

February 2nd, 2011

Published by Javier Guerrero, February 2011

Even though the protagonist of this new chapter in the Malware for Beginners series is no malware specimen, it does share a couple of features with viruses, Trojans and other threats: You can easily find them in your email inbox and they can be really annoying. Yes, we are referring to those scary, apocalyptic email messages…

Yes, you know, those messages that friends and colleagues forward to you, with the best of intentions, to let you know about the latest virus, or a threat so deadly that it can blow up your computer, kill your dog with some mysterious radiation and turn your granny into a blood-craving zombie… And for which there is no cure, of course.

Well, seriously now, this type of email is quite frequent. Even though these emails are not dangerous in themselves and are not aimed at defrauding anybody, they alarm people by taking advantage of their lack of knowledge and fear, as they don’t really know the reality and limitations of malware.

Not so long ago I myself received one of these messages, which you can see below loosely translated:

Let’s take a look at sentences like “This is a virus that burns your entire hard disk”. They could have used the term “delete” or “format”, but obviously “burn” is far more spectacular. Of course, no virus can damage a hard disk like that. And do not forget the recommendation: “This is the reason why you must send this email to all your contacts.” Is there any email user who doesn’t hate this sentence? :-)

Anyway, the scariest bit comes in the second paragraph, where you are prompted to “Shut down your computer immediately” without even opening the message, or you are told there is no fix for this threat. Finally, they even mention CNN’s coverage of the story, and Microsoft, which (they claim) classifies this virus as the most dangerous ever.

To sum up: it is one thing to inform users about the dangers of malware, and quite another to create confusion and scare people for no reason with the sole aim of gaining notoriety.

Finally, keep an antivirus installed and update it frequently. This is your barrier against spam and phishing. If you are not sure about something during the installation or update process, don’t leave it for later. Look for the appropriate solution in the support forums, which are available for any queries you might have.

Javier Guerrero Díaz
R+D – Development Dept.
Panda Security

==============================================================================
Javier Guerrero works in Panda Security as a technical specialist and analyst/programmer. Since joining the company in 1998 he has taken part in numerous projects, almost always involved with kernel layer technology: the first Panda Platinum, Panda Security and Panda Security for Networks, firewall and TruPrevent technologies, file permanent protection modules, Shield and the Cloud AV interception layer, etc. He currently works in the Interception Unit and is responsible for various Cloud AV components.

Top Five malware in 2010. Protect yourself against them with Panda Antivirus!

January 19th, 2011

Posted by Blanca Carton, January 2011

Every year, PandaLabs, Panda Security’s anti-malware laboratory, publishes an annual malware report discussing the year’s most virulent threats. In 2010, this task was made all the more difficult as PandaLabs had to analyze and sift through no less than 20 million new viruses.

This report is also used as the basis for the company’s ‘Virus Yearbook’, which, rather than being a definitive list of the threats that infected the most computers or caused the most damage, is simply a summary of some of the viruses that, for one reason or another, have caught our eye.

Here are the Top Five:

  1. The mischievous Mac lover: This title has been earned by a remote-control program with the worrying name of HellRaiser.A. It only affects Mac systems and needs user consent to install on a computer. Yet once installed, it can take remote control of the system and perform a whole host of functions… it can even open the DVD tray!
  2. The Good Samaritan: Surely some of you will have guessed… Bredolab.Y comes disguised as a message from Microsoft Support claiming that a new security patch for Outlook has to be installed immediately… But watch out! If you download it you will have installed the SecurityTool rogueware, which will start telling you that your system is infected and that you should buy a certain solution to fix it. Of course, if you pay for the program, you will never receive it, it will not resolve the problem and that’s the last you will see of your money…
  3. Linguist of the year: Our award for the linguist of the year goes to MSNWorm.IE. This virus, which in itself is nothing special, is distributed via Messenger with a link tempting the user into viewing a photo… in 18 languages!
  4. The most annoying: Remember how viruses used to be? Or those ‘jokes’ that once installed would ask: “Are you sure you want to close the program? Yes – No?”. No matter what you clicked, the same screen would appear: “Are you sure you want to close the program?”, time and time again, enough to try the patience of a saint… Well that’s what this worm does: Oscarbot.YQ. Once it is installed, start praying, or doing yoga, or meditating… whatever you can think of, because it will drive you mad. Every time you close it, another screen opens asking another question, or opening a browser window, or… The most annoying, without a doubt.
  5. Insect of the year: We would like to make special mention of the Mariposa (Butterfly) botnet, which was dismantled in March and led to the arrest of the creators thanks to the collaboration between Panda Security, the Spanish Civil Guard, FBI and Defense Intelligence… Like a true insect, it fed on the nectar of other people’s computers, flitting from one to another… and compromised a total of 13 million computers around the world.

How to protect yourself against attacks

The first rule is to use your common sense. If you receive an email message with attachments from a dubious source, delete it.

Be careful when surfing the Web. Avoid downloading programs from unknown websites. And even if you know the source, stay alert and take all necessary precautions before opening them.

Finally, to be completely protected it is essential that you have an antivirus installed and updated, regardless of whether your operating system is Windows or Mac.

Remember, if you have any questions about the operation of your product, you can always find the answers in the articles published on the Panda Security support website, in the videos posted on our YouTube Support Channel or by contacting our expert technicians through the Tech Support forum.

===============================================================================

This is an extract from the PandaLabs post “PandaLabs Recaps Year of Malware with its Virus Yearbook 2010”.

Malware for beginners: fake antivirus programs

November 3rd, 2010

Published by Javier Guerrero, November 2010

Many people think that when antivirus companies talk about the vast number of malware threats that exist, they are exaggerating in order to sell their software. In other words, they are scaremongering to frighten users into buying their products. That’s why when I write articles about malware, I like to refer to first-hand experiences, as I am going to do in this post.

Some time ago a friend called me, concerned because his computer displayed a window notifying him that it had been infected by malware; specifically 42 examples of all types of malware: viruses, spyware, adware, Trojans… This was a bit of a shock, as his anti-malware solution had only detected a couple of threats, which in theory it had deleted. What’s more, these warnings did not come from the antivirus, and neither would they let him eliminate the infection.

As I guessed his antivirus might’ve been out of date, I suggested he look for a second opinion and use our free Panda ActiveScan online scanner.

However, my friend was unable to install the ActiveScan scan module, neither with Internet Explorer nor with Firefox; something was stopping it. In fact, it had become virtually impossible to use the computer, so he couldn’t browse the Web, install or uninstall applications. It seemed that his computer had been hijacked by this application.

My suspicions were confirmed when (on going round to his house) I could see the window in question. It belonged to a (supposed) security product called “Personal Security”:

However, the problems I mentioned before suggested there was something dubious about this software. Also, my friend was quite sure he had not installed this product, at least not in the way one normally installs a product in Windows. It was also highly suspicious that his antivirus had not detected all the malware displayed in the window.

The conclusion was obvious: This was a fake or rogue antivirus.

What is a Rogue Antivirus?

This is a malicious application which, in the guise of a trial version of a normal antivirus, tries to trick users into believing that their computers have been infected by numerous examples of malware.

What’s the aim?

Money, of course. Users are then forced to buy a ‘full version’ of the application if they want to ‘disinfect’ their computers. Many people fall for this, either unwittingly, or because they want the system to return to normal.

The rogue antivirus we are talking about today displays the following window:

And obviously, there is a form in which victims are prompted to enter their personal and bank details.

This type of malware is now widespread, largely because it is successful in tricking many people, as the graphic interfaces used (windows, buttons, etc.) are often very professionally crafted.

For example, this particular fake antivirus displays a warning which is similar in appearance to the Windows Security Center:

How to avoid them

The careful and professional design of many of these programs make them particularly dangerous, as they will fool many users with little knowledge of IT security.

Although much of the usual advice we offer (use a good up-to-date antivirus, don’t download unknown programs, take care with USB devices, etc.) is just as valid in these cases, it is particularly important to be careful with the websites you visit.

One of the most common techniques used for spreading these fake programs is known as “Blackhat SEO” (we will talk about this in the next post), which basically manipulates Web search results, including links to malicious pages used to infect users. These pages provoke false infection warnings, prompting the user to click a button to download or install the product.

You should never click on any part of these windows, as this will start installation. In these cases try closing all windows using the ALT-F4 key combination, although the infection may have already taken place.

So, what happened to my friend?

We managed to resolve the problem by starting up in safe mode and manually deleting all files and registry entries corresponding to the fake antivirus. Of course we had to get this information through another computer, as the system had been completely hijacked by the intruder.

To end this post, I would just like to answer the question set out at the beginning: Yes, the threat of malware is real. We are not exaggerating it in the slightest.

===============================================================================
Javier Guerrero works in Panda Security as a technical specialist and analyst/programmer. Since joining the company in 1998 he has taken part in numerous projects, almost always involved with kernel layer technology: the first Panda Platinum, Panda Security and Panda Security for Networks, firewall and TruPrevent technologies, file permanent protection modules, Shield and the Cloud AV interception layer, etc. He is currently part of the interception unit and is responsible for the file and process interceptors in Panda Cloud Antivirus.

Malware for beginners: Keyloggers

October 13th, 2010

Published by Javier Guerrero,  October 2010

We use the term malware to refer generically to the multiple threats to which IT systems are exposed every day. However, this word covers a whole range of concepts with which, on the whole, most users are unfamiliar.

Although this is perfectly understandable (one of my favorite maxims is that “you don’t need to be mechanic to drive a car”), it’s not a bad idea to have an understanding of the mechanisms used by the different types of malware. So let’s start with something simple: keyloggers.

A keylogger is simply a component (generally software, although hardware-based keyloggers also exist) that registers keystrokes on a keyboard without the user’s knowledge.

Not too nasty really, is it? Nothing could be further from the truth. Keyloggers are used to steal information entered by users, such as:

  • User names and passwords for logging in to the operating system, social network credentials, etc.
  • Credit card numbers. Keyloggers are a crucial element of many banker Trojans that steal this type of data and send it to hackers, who profit financially at the expense of unwitting users. In fact, most banks now implement measures in their Web services to protect against this threat, such as virtual keyboards.

In any event, the advice that we generally give for other types of malware also applies for keyloggers:

  • Don’t download or run files from dubious sources
  • Only browse trusted sites
  • Use a good, up-to-date security suite.

And, of course, use your common sense. These are the best weapons in the fight against malware.

===================================================================================
Javier Guerrero works in Panda Security as a technical specialist and analyst/programmer. Since joining the company in 1998 he has taken part in numerous projects, almost always involved with kernel layer technology: the first Panda Platinum, Panda Security and Panda Security for Networks, involving firewall and TruPrevent technologies, file residents, Shield and the Cloud AV interception layer. He is currently part of the interception unit and is responsible for the file and process interceptors in Cloud AV.

The ‘Anonymous’ cyber-protest group calls for an attack on SGAE tonight

October 7th, 2010

Published by Luis Corrons, October  7, 2010

Latest news!!

According to Tieve.tk, the ‘Anonymous’ cyber-activist group has called on its community to launch a distributed denial of service (DDoS) attack at midnight (00:00h CET) on October 7 against the Spanish copyright protection society (SGAE). This group, in an initiative called “Operation Payback”, has been launching denial of service attacks against various targets in recent weeks in response to the attempted closure of free file-sharing websites.


A distributed denial of service attack (DDoS) involves launching numerous requests at the server hosting a Web page so that the hosting service cannot cope with the load and the server ‘crashes’, i.e. the service is suspended. In this case, for example, anyone trying to access the SGAE website may not be able to reach the domain.

On September 17 we witnessed what could be deemed the first organized mass cyber-protest on the Internet, against the Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA), bodies that set out to protect copyright and distribution rights, as a response to the action that both these organizations have been undertaking against free file-sharing sites: they had contracted an Indian software company to launch attacks against sites such as The Pirate Bay, forcing them to close.

Details of the attacks, which have been monitored in real-time by our researcher Sean-Paul Correll are available here.


How to stay safe from phishing attacks

October 6th, 2010

Published by Luis Corrons, October 6, 2010

Every day, cyber-crooks find new ways to lure us into their traps. Have you heard of the FAKEBOOK case?

Facebook is one of today’s most popular social networking sites as well as one of the most exploited by cyber-criminals for conducting phishing attacks.

Phishing consists of tricking users into believing they are in a familiar Web page and stealing their confidential information, login credentials, etc.

There are many domains containing the word facebook that actually host malicious pages: facebook-ims.com, facebooks.bz, gjfacebook.com, image-facebook.com, ims-facebook.net, inbox-facebook.com, kfacebook.net…

In most cases, if you access these URLs, an interface similar to that of the real Facebook page is displayed in order to steal your login credentials. Then, you are redirected to the real website to avoid raising any suspicion. However, phishing doesn’t always involve stealing user details. Sometimes these pages download malware to user computers through ‘drive-by download’ techniques, which run files without the victim’s consent.
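The lookalike domains listed above all share one trait: the brand name appears somewhere in the hostname, but the part of the name that the registrant actually controls is not the brand’s own domain. The following script, added here as an illustration and not part of the original post or of any Panda Security product, classifies hostnames on that basis. The set of legitimate domains and the short list of two-level public suffixes are assumptions kept deliberately small so that it runs offline; a real filter would use the full Public Suffix List and the brand owner’s actual domain inventory.

```python
"""Classify hostnames as legitimate, brand-lookalike or unrelated.

Added example for the lookalike domains quoted in the phishing post; this is
not Panda Security code. LEGIT_DOMAINS and TWO_LEVEL_SUFFIXES are assumptions
kept small so the script runs offline.
"""
from urllib.parse import urlsplit

BRAND = "facebook"
# Assumption: the registrable domains the brand really owns.
LEGIT_DOMAINS = {"facebook.com", "fbcdn.net"}
# Assumption: a tiny stand-in for the Public Suffix List.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "com.br", "co.jp"}

# Domains quoted in the post, plus constructed ones that exercise the edge cases.
SAMPLE_HOSTS = [
    "facebook-ims.com", "facebooks.bz", "gjfacebook.com", "image-facebook.com",
    "ims-facebook.net", "inbox-facebook.com", "kfacebook.net",
    "www.facebook.com", "https://login.facebook.com/recover",   # constructed, legitimate
    "facebook.com.login-check.net", "FACEBOOK.CO.UK",            # constructed, lookalike
    "example.org",                                               # constructed, unrelated
]


def hostname(url_or_host: str) -> str:
    """Accept a bare host or a full URL and return the normalised host."""
    if "://" not in url_or_host:
        url_or_host = "//" + url_or_host          # make urlsplit treat it as a netloc
    host = urlsplit(url_or_host).hostname or ""
    return host.rstrip(".").lower()


def registrable_domain(host: str) -> str:
    """Return the part of the host that a registrant controls (eTLD+1)."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(url_or_host: str) -> str:
    """'legitimate' if the registrable domain is the brand's own, 'lookalike'
    if the brand name appears anywhere else in the host, else 'unrelated'."""
    host = hostname(url_or_host)
    if registrable_domain(host) in LEGIT_DOMAINS:
        return "legitimate"
    if BRAND in host:
        return "lookalike"
    return "unrelated"


def lookalikes(hosts):
    """Return just the hosts a mail or web filter should warn the user about."""
    return [h for h in hosts if classify(h) == "lookalike"]


if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(f"{classify(h):<10} {h}")
```

Note that `login.facebook.com` is accepted because its registrable domain is `facebook.com`, while `facebook.com.login-check.net` is flagged: the brand name sits in a subdomain of a domain somebody else registered, which is exactly the trick the page describes.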

There is an ‘IT saying’ that goes like this: “The most destructive virus sits between the keyboard and the chair”. Don’t become the weak link on your computer!

In this presentation you can find out if you are infected and how to keep yourself safe from phishing:

And as always, don’t forget that to protect yourself it is essential to have an antivirus program installed and up-to-date with an anti-spam filter. Any of the Panda Security solutions will keep your computer free from phishing and your inbox free from spam.

=================================================================================

You can contact Luis Corrons through his PandaLabs blog.


Dual boot: an unexpected ally

September 15th, 2010
Posted by Javier Guerrero, 15th September 2010

At Panda Security we are relentless in our efforts to advise users about the best way of protecting themselves from the continuous threat of malware. On this occasion, I would like to offer a new recommendation, which stems from an unfortunate experience I had recently.

A few weeks ago… I was hit by a virus.

Yeah, I know, I should hang my head in shame; I work as a developer for a major anti-malware company and I’m well aware of the risks. Anyway, I was messing about on my home computer, doing some less-than-sensible things, and the inevitable happened.

At first I didn’t notice anything strange, but then some odd things started to happen: some games, like Steam or my treasured Battlefield, stopped working, programs displayed error messages whenever I tried to run them, and my Internet connection became really slow. Every user knows their own computer and knows when something is not right, and in this case something was clearly not right.

Then finally the computer just wouldn’t start up, and displayed a BSOD (blue screen) in a critical operating system driver; so critical, in fact, that the computer wouldn’t even start in safe mode.

Ideally, at this point I would have had a rescue boot disk with a command-line antivirus, like our Panda SafeCD, but I didn’t (cobblers’ children and all that…). Then I remembered that I had two operating systems installed in a dual-boot configuration, Windows XP and Windows 7:

Dual Operating System

So I could start up the other operating system, which wasn’t infected, launch our antivirus, detect the malware and eliminate it without needing a safe boot disk. So in this way, my dual-boot configuration was an unexpected and valuable ally against the malware that had infected my PC.

In short, this experience has taught me some valuable lessons:

  • Make sure you always have a way of starting your computer in the event that the operating system fails, whether this is via CD, DVD, USB drive or, as in my case, an alternative operating system installed on another partition.
  • Always make sure you have a set of tools available for analyzing and eliminating malware in a low-resource environment (read: command line). Our free command-line antivirus is a good example. You’ll also find other free scanners and tools at http://free.pandasecurity.com/
  • Don’t take foolish risks with your system. And if you are going to anyway, at least don’t use the administrator account.

False positives – What are they?

September 8th, 2010

Posted by Javier Guerrero, September 8th, 2010

Sometimes when writing my posts, I get the urge to forget about malware for a while and talk about the other “side”: antivirus software. Specifically, I like to stress the difficulty involved in certain aspects of developing anti-malware products; I think it’s an interesting subject, and one that is not widely understood.

False positives

And so now, I’d like to talk about a problem that affects all malware detection software: false positives… So what are they?

A false positive occurs when an antivirus erroneously identifies a legitimate file or process as malware. This can happen with signature-based scans as well as behavior analysis.

An antivirus identifies malware using basically one of two methods: signature-based scanning or behavior analysis. In the first case, the scanner looks for a specific pattern of bytes which has previously been catalogued as malicious, or at least suspicious, and which may correspond to a sequence of malware instructions, a unique value that identifies the file (known as a hash) or other values that can be used for identification.

In the case of behavior analysis, actions are detected which, although on their own may not be malicious, when they are correlated with others represent a symptom of malicious activity.

The problem is that neither of these methods is infallible: the hash of a file is useless, for example, against polymorphic viruses or executable packers. Moreover, a sequence of instructions classified as suspicious could easily be contained in a legitimate file since, after all, we are talking about executable code.

The same thing occurs with behavior analysis: The process that generates an executable file, which later writes a registry entry referring to the executable, could be an intruder inserting a rootkit on the system, but also the installer of a bona fide application.
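The two paragraphs above describe three ways a detection can go wrong: a hash that no longer matches once a single byte changes, a byte pattern that also occurs in harmless code, and a behaviour rule that describes a legitimate installer just as well as a dropper. The toy scanner below, added here as an illustration (it is not Panda Security code and does not reflect how any real engine is built), reproduces each case. The “files” are constructed byte strings, the instruction stub and signature names are made up, and the event traces are constructed; the only real-world detail is that `set_run_key` stands for writing a value under the Windows `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` key.

```python
"""Toy scanner showing why each detection method can produce a false positive.

Added illustration for the false-positives post; not Panda Security code and
not a description of any real engine. All samples below are constructed.
"""
import hashlib
from dataclasses import dataclass

# --- constructed samples standing in for executables -------------------------
# The malware and a legitimate debugger share the same (made-up) code stub,
# because ordinary executable code is common to good and bad programs alike.
SHARED_STUB = b"\x55\x8b\xec\x6a\x00\xe8"                       # constructed bytes
KNOWN_MALWARE = b"MZ\x90\x00<dropper>" + SHARED_STUB + b"<keystroke hook>"
REPACKED_VARIANT = KNOWN_MALWARE.replace(b"<dropper>", b"<dr0pper>")  # one byte differs
LEGIT_DEBUGGER = b"MZ\x90\x00<debugger>" + SHARED_STUB + b"<breakpoint handler>"

# --- constructed signature databases ------------------------------------------
HASH_SIGNATURES = {hashlib.sha256(KNOWN_MALWARE).hexdigest(): "Trojan.Constructed.A"}
BYTE_SIGNATURES = {SHARED_STUB: "Suspicious.Stub"}


def scan_by_hash(data: bytes):
    """Exact-file signature: precise, but blind to a single changed byte."""
    return HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())


def scan_by_pattern(data: bytes):
    """Byte-pattern signature: catches variants, but fires on any file that
    happens to contain the same instruction sequence."""
    for pattern, name in BYTE_SIGNATURES.items():
        if pattern in data:
            return name
    return None


# --- behaviour analysis ---------------------------------------------------------
@dataclass
class Event:
    process: str
    action: str   # 'write_file' or 'set_run_key' (a value under HKCU\...\CurrentVersion\Run)
    target: str   # path written, or the path stored in the Run value


def scan_behavior(events):
    """Flag a process that drops an executable and then registers that same
    executable for autorun. Malware droppers do this; so does setup.exe."""
    written = {}
    flagged = set()
    for ev in events:
        if ev.action == "write_file" and ev.target.lower().endswith(".exe"):
            written.setdefault(ev.process, set()).add(ev.target.lower())
        elif ev.action == "set_run_key" and ev.target.lower() in written.get(ev.process, ()):
            flagged.add(ev.process)
    return sorted(flagged)


# Constructed traces: a dropper using the path from the rootkit post, and a
# perfectly legitimate installer doing the very same two things.
DROPPER_TRACE = [
    Event("dropper.exe", "write_file", r"C:\Windows\System32\malo.exe"),
    Event("dropper.exe", "set_run_key", r"C:\Windows\System32\malo.exe"),
]
INSTALLER_TRACE = [
    Event("setup.exe", "write_file", r"C:\Program Files\GoodApp\goodapp.exe"),
    Event("setup.exe", "write_file", r"C:\Program Files\GoodApp\readme.txt"),
    Event("setup.exe", "set_run_key", r"C:\Program Files\GoodApp\goodapp.exe"),
]

if __name__ == "__main__":
    print("hash, known malware :", scan_by_hash(KNOWN_MALWARE))        # detected
    print("hash, repacked      :", scan_by_hash(REPACKED_VARIANT))     # missed
    print("pattern, repacked   :", scan_by_pattern(REPACKED_VARIANT))  # detected
    print("pattern, debugger   :", scan_by_pattern(LEGIT_DEBUGGER))    # false positive
    print("behaviour           :", scan_behavior(DROPPER_TRACE + INSTALLER_TRACE))  # both flagged
```

Running it shows the trade-off in miniature: the hash misses the repacked variant, the byte pattern catches it but also condemns the debugger, and the behaviour rule flags `dropper.exe` and `setup.exe` alike. A real product resolves this with more context (file reputation, signer, prevalence, where the dropped file lands), which is the quality-control work the post refers to.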

The consequences of false positives can be serious: If an antivirus erroneously deletes a file which is vital to the functioning of the computer, the system could be rendered unusable, and this does actually happen, with grave repercussions.

Fortunately, false positives are not frequent (particularly in relation to the immense number of files that antivirus products have to scan) and security companies implement strict quality controls to avoid them.

In any event, as I mentioned at the beginning, all developers suffer from this problem, which, I believe, demonstrates how challenging it is to develop an anti-malware product.

Rootkits – The Invisible Threat

September 3rd, 2010

Published by Javier Guerrero,  September 3rd, 2010

Malware is no longer viewed with the notoriety it once was. Gone are the days of massive infections, such as the “I love you” worm, which was headline news even in the mainstream press.

Today, professional creators looking to profit financially from malware need any virus, worm or Trojan to be able to operate undetected by users, as this is a key ingredient in achieving their objectives. In other words, an invisible virus is far more dangerous than one that is easily noticed.

So how can we see malware?

Well let’s not forget, after all, that it is only software, and all software leaves its trace on a system: not just the file or files that contain the intruder, but also the registry keys, folders, activity reports, etc. Any tool that lets you list files or registry values, such as Windows Explorer or Regedit, will reveal the presence of an intruder that cannot cover its tracks.

Now, this is where rootkits come into play. A rootkit is software whose sole purpose is to hide system components, such as files, processes, registry keys, etc., so that the user cannot see them. They do this by penetrating the most critical layer of the operating system, the kernel, and manipulating certain internal structures and functions, thereby deceiving applications and preventing them from displaying the real content of the system.

For example, imagine there is a virus, whose binary name is “malo.exe”, installed in “C:\Windows\System32”.

Virus binary marked in red.

When the intruder is loaded into memory, the rootkit manipulates the system functions that list the files in this folder, so that when they encounter the path “C:\Windows\System32\MALO.EXE”, they skip it and go on to the next one. This way, an application that requests the list of files cannot see this file. The same thing happens with registry keys, processes, or any other component of the system that the rootkit wants to hide.

Now the file has disappeared.
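The hiding technique just described has a well-known weakness that anti-rootkit scanners exploit: the manipulated listing function can only filter what passes through it. If a scanner obtains the same list a second time from a source the rootkit does not control (for example by parsing the file system structures on disk rather than asking the directory-listing API), any entry present in the raw view but missing from the API view is being hidden. This is called cross-view detection. The script below, added here as an illustration (it is not Panda Security code and is not how Panda Anti-Rootkit works internally), imitates the filtered listing with a plain Python function and then applies the comparison; the raw views are constructed lists standing in for data read directly from disk or kernel memory, and the same comparison works for files, processes and registry values alike.

```python
"""Cross-view detection of entries hidden from an enumeration API.

Added illustration for the rootkit post; not Panda Security code. The 'hooked'
listing is a plain filter imitating the behaviour the post describes; the raw
views are constructed lists standing in for on-disk or in-kernel data.
"""

# Names the constructed rootkit suppresses, matched case-insensitively
# (the post shows malo.exe appearing in the listing as MALO.EXE).
HIDDEN_NAMES = {"malo.exe"}


def hooked_listing(true_entries, hidden=HIDDEN_NAMES):
    """Imitates a manipulated enumeration API: every entry whose name is on
    the hide list is skipped, everything else is returned unchanged."""
    return [e for e in true_entries if e.lower() not in hidden]


def cross_view_diff(api_view, raw_view):
    """Compare the API's answer with an independently obtained raw view.
    Anything present only in the raw view is being hidden from applications."""
    seen = {e.lower() for e in api_view}
    return sorted(e for e in raw_view if e.lower() not in seen)


def detect_hidden(raw_view, api_view):
    """Return a small report: the hidden names and whether both views agree."""
    hidden = cross_view_diff(api_view, raw_view)
    return {"hidden": hidden, "clean": not hidden}


# Constructed raw views. A real scanner would build these by parsing the file
# system, the kernel process list or the registry hive directly, instead of
# calling the (possibly hooked) enumeration API.
RAW_SYSTEM32 = ["ntdll.dll", "kernel32.dll", "MALO.EXE", "notepad.exe"]
RAW_RUN_VALUES = ["Updater", "Sidebar", "malo.exe"]
RAW_PROCESSES = ["explorer.exe", "svchost.exe", "malo.exe", "cmd.exe"]

if __name__ == "__main__":
    for label, raw in [("System32 files", RAW_SYSTEM32),
                       ("Run values", RAW_RUN_VALUES),
                       ("processes", RAW_PROCESSES)]:
        # In a real scan api_view comes from the live system; here it is simulated.
        print(f"{label:<15} {detect_hidden(raw, hooked_listing(raw))}")
```

The comparison is deliberately case-insensitive, since Windows file names are, and it reports names rather than acting on them: a cross-view mismatch is strong evidence of a rootkit but can also be produced by a file created between the two enumerations, so a scanner normally re-checks before alerting.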

It is interesting to note here that rootkits are not malicious per se, as they may have perfectly legitimate uses, or at least, uses that are not related in any way to malware. In fact, the term “rootkit” first became used on a wide scale thanks to an incident involving the company Sony.

In 2005, Sony BMG Music included copy protection software on its music CDs which also included a rootkit designed to hide the protection system. The problem in this case was that it was done without user authorization, transmitting information and creating a security hole. Any attempt to remove the rootkit manually would leave the CD drive inoperable.

The danger therefore of any malware that includes a rootkit component is evident, given the significant stealth capacity and the ability to control a system without users realizing. Moreover, rootkits are among the most complex, advanced and resilient threats, operating at a level so deep that typical detection techniques are of little use, and specific purpose-built scanners are required, such as the free Panda Anti-Rootkit.

In any event, it is important to remember that all rootkits initially enter systems through a file, so the usual precautionary advice we offer for other types of malware also serves in the case of rootkits: use a good antivirus, keep it up-to-date, use a firewall, install the latest security patches, do not use an administrator account unless strictly necessary, etc.

So now you know… watch out for rootkits!!

Javier Guerrero Diaz
R+D Development Dept.
Panda Security