Malware

Sorry, Apple People, You’re Just Not That Popular

I know, you think I’m less than smart, but let me assure you, I have some idea what I’m talking about. I began as a wildly satisfied Apple ][+ user many decades ago. While others bought “inferior” computers that hit the market, from PET, Commodore, Atari and TRS-80…well, Atari was the bomb for gaming….I was forging ahead. I moved to the Mac line with a 512K, then an SE, a Mac II, then a IIcx. I learned how to make a computer work for humans because of Apple.

However, here’s the reality. Macs aren’t that popular. I support this by playing into the meme that Macs don’t get viruses, ergo, they are superior platforms. Nope, you have that wrong, but there is the genius of not only Apple, but the evangelized Apple faithful that have somehow missed the point of their lack of bad programmings disrupting their lives at the worst moment, as PC users have come to know and still not love.

Here’s the truth staring you in the face, Apple fanatics: You’re not popular with the people who create viruses, and therefore, you don’t get them. It’s not that your computer is in this uber operating system world, impenetrable by mere mortals out to steal credit card and bank account numbers. I know, in just about every single movie where the earth is saved from alines of environmental disaster, Apples are prominently displayed and used in the crucial scenes. I also know some of you believe that to be the real case.

What’s really up is this: The MacOS is built on top of UNIX, which is very secure, but the face that, depending on the link, the Apple market is about 10-12% and therefore, the effort to infect them is not worth the ROI, on one analysis point. Take the next step: How many Macs are used to manage and handle credit card databases, and large customer files? Pretty much none. Besides taking quite a bit of effort to learn the system inside and out, even if they could find ways in through security flaws, they would most likely find intellectual property, but not something they could make money on, like entire user profiles of banking/financial services, a key set of data for identity theft.

Consider, from a business owner’s view point: If you could set up to serve 87-90% of the market for the same effort to serve 10-13%, with the return per customer the same, which direction would you head? There will be a minnow out there (thank you, Scott Weber!) who gets this answer wrong and insists loudly they are correct, but you all know the right answer to remain viable in the market. That’s why you’re also not infected. Far more ROI in spending your energy developing and working the PC market and the associated Windows based server farms. Not to mention, Apple made a run at the server world and built a very cool piece of technology, but like Beta tape, the public went for the lesser versions in the PC based systems using LINUX and Windows.

That all being said, there are those, because the Apple market share is growing no doubt, who are taking up the challenge to infect the Apple Faithful. You’ve been spared due to not being attractive (I’m not talking the aesthetics of the device design, but the ugly fact that Apples aren’t used to conduct serious financial business). That’s my tough love for you. Some are coming after you and the good news is you can now enjoy virus and malware protection as we PC users do.

Now let me, after turning your meme upside down, drop it on (your) its head: If the MacOS doesn’t get viruses, as some smuggly post to Facebook, why, pray tell, would giant anti-virus companies have software on the market to provide anti-virus for the MacOS that doens’t get viruses? Oh, yeah, it would be a very silly and costly idea to serve a market that has no need, right? Software costs money and then, as any product has to return some what of a profit, or it will be dropped from the company offerings for failing to add to the bottom line.

Check this Dogpile search out: Looks like Symantec, ESET, Norton and Webroot, Avast, AVG just to name a few “small” companies trying to sell something “real” Mac users don’t need.

I’m hoping this dose of reality spurs the Apple faithful to break down and admit they have been a tool in the greater Mac propaganda machine, but then get online and download an appropriate software package to protect themselves. Speaking as a complete PC/Windows user for all my own (too) many computers, it’s a pain to get them, I have two layers of anti-malware/virus on all my systems, just to practice as much safe computing as possible. I encourage you Mac types to do the same. I see the helplessness in people’s eyes all the time, when they have contracted such an infection. Trust me, you don’t want to feel that way, let alone missing your working hours while I or your Mac tech (who should have already advised you to get software – if they haven’t, send them this link so they can be better providers for their customer base) conduct the technical exorcism rites.

If you need help in getting protected, contact me and let’s get you into the real world you actually live in.

Malware and Virus attacks get more “life-like”

I spent a few hours pulling a serious malware infection, actually a set of 8 different ones, off a client’s main system yesterday. He contracted the mess at 5:40 PM last Monday.

My contention os these attacks are getting more “life-like” is based on the manner in which he identified the moment of problems: He has a major customer and he ships mountains of product to them via UPS. On Monday afternoon (consider what else was going on in the Post-Christmas days and UPS), he received and email indicating an updated delivery status for his UPS shipment. His comment was it appeared to look very much like others he had received via the major customer, so he clicked on it. He said it didn’t have fancy graphics, but it certainly was a detailed looking email, not a one liner with a link.

It also reminds me of the 1-3 emails I get a day into one of my other blogging emails that obviously some scraper picked up off that site. They tend to be advertisements, but they are mixed in with emails that are my accounts at (fill in the banking institution) suspended, blocked, etc. Some of them actually are all dressed up with HTML graphics layouts, too. I stay away, but then I deal with this daily. For others, like my client, when one comes that makes sense to their work flow/life/personal business/social networking, there is a likelihood they will allow the malware in, and their firewalls may not stop it.

For the user: You have to be wary of things that look kinda true , but something still tells you it’s not kosher and look closer before clicking.

Be careful out there and practice safe computing!

For you techs, looking how to get rid of this:

Anyhow, it really embedded itself within his system, flagged as a Win32 password stealer by Microsoft Security Essentials. The good news, in early Tuesday, I convinced him to take the rest of the year off and reward himself for a great year, and I’d be over Thursday morning (since the malware would allow a network connection for a few moments, then cut it off, so a remote session was out of the question.

I used MalwareBytes, Microsoft Security Essentials, Kaspersky TDSS Root Killer and old school digging through the entire registry, after seeing the names in the user appdata roaming and local files under nonsense random lettering named .exe files and folders.

I called this one a “repeater,” as MSE would identify it, clean it, then it would fire itself back up about 30 seconds later. I would see 8 different start up program listings named BitNefender 2016, turn them off, and they would be back, activated in the next reboot. Interestingly enough, searching for that name in the registry never found anything, even after several tries.

It was the searching for the keys and values in the registry and manually deleting them) that, in combination of the MSE and MalWareBytes scans that finally got things working normally, including restoring a constant network connection.

Friday Freebies: Comodo IceDragon

For a while now, I bave been using the FireFox based Comodo IceDragon for my browswer. I have long since left Internet Explorer behind, only using it when it was the only option for some things such as updates from Microsoft, and have long been a fan of FireFox from the folks at Mozilla.

Long before the added functionality of plugins arrived in the IE world, I had many, many useful plugins operating in FireFox.

Then I came across IceDragon about a year ago on the Comodo site Free Products page. I had been using their Dragon browser for a bit, which is based on Google Chome, and had built it up for some replacement functionality in the plugin world, but I wanted a FireFox version and they read my mind. So here I am.

Advantages of the IceDragon browser of “straight stick” Firefox:

1 – On the right end of the website address bar, where is a stylized blue “W.” That button is a tool the, when clicked, scans the currently selected webpage for infections. Think of it like a virus scanner, not for your comp[uter, but the site are looking at.


Click images for larger version

Why is this important these days? Beacuse the bad guys are hacking into and infecting legitmate websites. The result is you get intrusions into your computer, not by clicking the obviously hacking into freinds Yahoo email account sending out spam viruses, but without your inattention to detail for a mere moment.

2 – The browser has beefed up security checks, and will stop and ask you if you really want to go to a webpage that has indications of being a malicious site, or, in the case a site’s shopping cart that had their security layer (the SSL function, that ensures your credit card info is encrypted before it leaves your end of the transaction to purchase on the net) expire, which then makes passing your info a risky thing.

I have seen it also ask me if I wanted to continue, because the web address had more than some acceptable numbe or dedirect command (meaning the webiste keeps forwarding you to anothe domain/server for the content, but in this case, the redirects continued to bounce my request to other places). IN this case, it is a site I go to regulalry, and is a big name, but obvioulsy the bad guys use mulitlpe redirects to cover thier tracks in an effort to hide what they are up to, and IceDragon saw a similar pattern and asked me. I tried it in the current version of FireFox, out of curiousity, and it took me right to the sight. Good real time comaparison.

But, they you have your Friday Freebie courtesy of The Computer Whisperer!

Windows 8: The hackers are already in it…

This news is a few days old, but is telling: Windows 8 already has it’s own phishing and fake anti-virus malware attacks…

Hackers Already Blasting Windows 8 With Phishing, Fake AV Scams as reported in CRN.

In both cases, for those who keep asking me “why do these hacker do this?”, it’s about getting you to give them your credit card info…then they can go shopping on line for you and begin to try to steal your identity…simple, they have a business model of “crime does pay, if the gullible just hand me their bank information!”

Safe computing, you need it!

“Flame” – a new virus, but it’s not after your credit card information

Quite often I’m asked why do people write viruses and malware. The bottom line: because it makes them money.

Today, there’s another reason. The recent news indicates a virus by the name of “Flame” is running amok in the Middle East, specifically Iran. From the New York Times – “Researchers Find Clues in Malware:’

Security experts have only begun examining the thousands of lines of code that make up Flame, an extensive, data-mining computer virus that has been designed to steal information from computers across the Middle East, but already digital clues point to its creators and capabilities.
[…]

There you have it. Governments are now in the business of writing PC based malware for the specific purpose to conduct espionage. Which government? We can all speculate, but most likely one’s threatened by the prospect of a nuclear arsenal being built by an unfriendly neighboring nation.

There have been two other reported viruses used to work inside the computers of other nations, but one, Stuxnet, wasn’t designed to go after computer users, but the systems used to run machinery, in that case centrifuges. Duqu, the other known one, was like Flame, to collect information and email it out, but not nearly as sophisticated as Flame.

And this quote is a keeper for the NYT article linked above:

“This is the third such virus we’ve seen in the past three years,” Vikram Thakur, a Symantec researcher, said in an interview Tuesday. “It’s larger than all of them. The question we should be asking now is: How many more such campaigns are going on that we don’t know about?”

It’s Flu Season….for computers, too!

I’ve mentioned it lately, but I’m keeping busy chasing smarter viruses. Now I’ve seen “repeaters,” meaning the anti-malware/virus software did it’s job, but something in the background was watching over the process and did the ET “Phone home” thing, and in one case, within seconds, the malware was coming right back up as being detected. End result? I took a long look at the history in Microsoft Security Essentials (MSE) and then went chasing the indications on the net. The thing that caught my eye was a infection/hijacking of an add-in to FireFox, the main browser they used.

Response: Control panel>Uninstall FireFox. Then I went to the (windows Vista settings) user/application data> local and roaming directories and deleted the FieFox folders completely. Then downloading and installing a new copy of FireFox solved the problem. That was three days ago, and I’ve not been called back for subsequent fixes.

I have been chasing the Windows XP Anti-Virus 2012 and Firewall malware for about a week now, in a home with three computers, that don’t share data, but the malware seems to get taken off, then shows up on one of the other (or both) computer(s). a day later. The computers are all being used for separate uses, so common websites/files aren’t a condition. Best guess I can come to right now is the Internet Explorer * is compromised on one of the systems, since we can scan with several products, block with firewalls, and at some point, it’s either hammering to get in with great rapidity, or it reappears on the screen. Today I had them shift that computer to FireFox as the default browser and it’s been quiet on the phone since this morning. Haven’t gotten an email or call, so I suspect that’s the case. In a few days, barring a reinfection, I’ll have to figure out how to uninstall IE 8 and put it back in again.

Between all of these, I can’t figure a common thread of how it’s happening, but the result is not so good for the users. I have a suspicion one of the flash game websites, frequented by one user may be injecting scripts, but that’s still just speculation right now.

Be careful out there! Make sure any links you click are really good ones…..that will be the topic of another full featured post soon: How to validate links.

My User is being directed into another users folder named TEMP

Malware, BadWare, ScareWare, RansomWare, just make you MadWare. I couldn’t get back far enough to find the cause, but the brief version began with a call well before business hours from a client…

I didn’t get to see all the problems, as he tired to fix it first, before deciding this was something different. The story goes like this: “I had a message on the screen to upgrade [not update] Avast.” He did as directed, and it said it had to reboot. When he came back to the login screen, all three users were presented and he clicked on his own icon. In he went, to a balck desktop, missing all but the public icons. When he started Outlook 2007, it took him to the new install, set up a new account wizard.

He ran a restore point, yet the results were the same. He left me a message.

I go there and began to look for the associated “hide all your icons” malware, but the user documents folder was empty…not even any hidden files, just like a new Windows 7 user would be. Found the Outlook .pst, and it was very small, but there with a new date. His desktop folder had none of his files/icons, so this left me wondering what was up. I pulled up the cmd line and what caught my eye was the initial directory was “C:\Users\TEMP>,” not one named for his user, as he signed in under.

From here, I wondered what was up, so I went to regedit and did a serach for “\users\temp.” I got the result I was looking for (in HKey_Users), but it was the surrounding registry entries that clued me to the fix required: The malware had taken the normal -1000 (first user) and had renamed in with a “.bak” extension, and then in the now existing -1000 user settings, it had used his login in name, but pointed his settings to the “\user\temp” folders, which now explained the absence of any of his files.

I went back to Windows Explorer and confirmed all his files were actually in the user folder bearing his name, and then, being a bit smarter on the problem, noted the temp user folders were, of course, like a brand new user.

The repair was simple at this point: Rename the offending -1000 user with a “.bad” extension on the entry, then removed the “.bak” from his real -1000 user entry. Of course, I first backed up the registry as it was, just in case I would find out this wasn’t the case, and then, with the changes in place, restarted the system and all was now back to normal.

Still can’t tell you the exact cause, but the symptoms were a solid black desktop, and empty files for My Documents/Pictures/etc, and Outlook wanted to create a new install for a new user. All it turned out to be was the infection had copied and renamed the proper user registry entry, and put iteslf in is the user, and, while using the the correct user name, it was sending the coputer to the new “TEMP user name, now new and empty folders.

The reboot after correcting the registry entries worked fine, and that was two weeks ago.

Become an Anti-SPAM Warrior!

This morning, I opened my personal email account to find a SPAM email. Very obviously one, sitting right there. So, rather than just delete it, I took a moment to look at it and it revealed some clues as to how it got to me, and by way of that analysis, I can tell you how to begin your own anti-SPAM campaign!

Not only was the email addressed to me, but to a number of local business people I know, but do not correspond with via that email address, if I do at all. Most are people I have met networking and have their cards, so I know who they are. Point 1: I could see all their email addresses.

It didn’t take much scanning to figure out point 2: I can guess with about 99% certainty who has been sending out emails with this list of addresses. I get them from him, too, and in this email account.

Point 3: Because of his method of blasting his email contact list “in the clear” using the “to:” and “cc:” fields, he now makes all his contacts vulnerable to be collected and used, increasing the quantity of SPAM traffic on the net, not to mention annoying (at the least) and infecting (at the worst) all those computers of your friends and family and business contacts.

Putting all those puzzle pieces together, he’s how you can save your friends, family and business contacts from more of such a fate:

1) If you feel inclined to send something out, put their addresses in the “Bcc:” field. Then any recipient will only see their names, and no one else, and therefore, if this email finds it’s way into someone’s email account where they farm email addresses to send out SPAM to, you’ve put up a simple firewall on that activity.

2) When you get that forwarded 20 bizillion times joke, or offer for Bill Gates to donate $1 to your favorite charity, do this: Right after you click on the “Forward” function of your email, hilight and delete all the other lists of emails that are visible in the body of the message. Besides saving someone from being SPAMed as a result of you inadvertently helping SPAMers collect their address, think how much better a reading experience those who receive it will have when they don’t have to scroll down 37 screens to read the relevant material?

Summary: Put email address for blast work in the “Bcc:” field and remove any visible lists of email addresses in items sent to you, if you forward them along!

Understanding Your Digital Landscape Seminar 11/16/2010

From the flyer, regarding the Seminar I’ll be conducting to help business owners, who are not technically enabled, to better understand what makes their business function:

Understanding the Digital Landscape

What is it?
How do you find it?
How do you use it effectively?

Computers save us time in everything from information storage and retrieval, calculation, graphic design, and report preparation. E-commerce allows our websites to keep our businesses running 24/7.

A failure at any point, from our office records to our online presence, can quickly snowball into a technological disaster, especially for a small business that doesn’t have an IT (information technology) staff in-house.

Seminar leader Curt Middlebrook, The Computer Whisperer, provides insights into the equipment, computer programs, and office and internet support services out there, and the people who provide them. You’ll learn how to maximize your online efficiency, and how to track the success of your online marketing.
This is a Lunch & Learn program, part of the Pinellas Park/Gateway Chamber of Commerce Success in Business Series. Your registration includes detailed information for evaluating every aspect of your company’s digital landscape, as well as a light lunch.

When : Tuesday, November 16; 11:30 am to 1:30 pm
Where : Park Station, 5851 Park Blvd., Pinellas Park, Room 202

Cost : $19.95 Pinellas Park/Gateway Chamber Members
$24.95 Non-members

Call Chamber Manager Larry Steinlauf at 544-4777 to register.
You must be registered to attend.

Isn’t it Ironic? Mac OS X Virus arrives

A sesimic shift in the PC word has just happened: A Mac OS X virus is here, coming in the form of a Java script off of social media.

The irony? as I was removing a virus off a “real” PC this morning, my client indicated they might buy a Mac, so they wouldn’t viruses. I began with a little business analogy: One day, it will happen. When? When the Macs in the market reach some magical %, the “bad guys” will then take the time to study the Mac OS in detail, to try and exploit it. I also went on to discuss how a business decision, when done right, always looks for the most impact, for the least expenditure of resources. And, as of that moment, it must haven’t arrived (little did I know)…yet. I potulated, that when it did, it would be like a very big tidal wave, particulalry accentuated by the fact that it’s “well known” Macs are invulnerable from attack. Yeah, right.

So any how, for you MacoPhiles…gird your loins, the attainment of 20% of the PC market by Macs announced by Steve Jobs a few days ago, has had an impact on your bulletproofness. Be on your toes, and hope the good guys have anti-virus software ready for you, really, really soon.

Here’s the warning from the articles at ARSTechnica:

A new trojan horse has cropped up that affects Mac OS X (and Windows as well), primarily disguised as a video flitting around social networking sites. When users click an infected link, a Java applet is launched that downloads multiple files, including an installer that runs automatically without users’ knowledge.

While between other appointments this after noon, I saw the article (linked above) and I knew the time has come.

Note, too, you Windows based PC users, you’re a casualty of this new attack, too.

Be on the look out for any video on the social media sites….all of you computer users.

I’ll bring this history, too, because there have been Mac based viruses before. In early 1988, I contracted the “Scores” virus on my Mac II from a download off of GEnie.

That was bad news. The good news is the PC market exploded on cheap Intel based PCs and the bad guys went after them. That has left the Mac world as the untouchables for all these years…until now.