February 12, 2009

Keep the latest worm infestation off your PC


Woody Leonhard By Woody Leonhard

It's been a hellacious week for security admins all over the world: the polymorphic worm known as Downadup, Conficker, and Kido has infected millions of computers.

Fortunately, you can scan, scour, and secure your systems by following four relatively simple steps.


Remember the patch that Microsoft released suddenly — "out of cycle" in the parlance — back in October 2008? Windows Secrets followed suit with an out-of-cycle news bulletin about the patch on Oct. 24. Susan Bradley recommended that readers immediately install the update described in MS08-067 (KB article 958644) to protect against "a remote-code attack that could spread wildly across the Internet."

Just as Susan predicted, the remote-code attacks started appearing shortly thereafter. On Oct. 26, Christopher Budd of the Microsoft Security Response Center posted the following in the MSRC blog:

"We are aware that people are working to develop reliable public exploit code for the vulnerability. We are aware of discussion about code posted on a public site, but our analysis has shown that code always results in a denial of service, to demonstrate the vulnerability. So far, we've not seen evidence of public, reliable exploit code showing code execution."

By mid-November, the Microsoft Malware Protection Center (MMPC) said in a blog posting that it had collected "over 50 distinct exploits of this vulnerability." However, MMPC said the instances were very limited: "We're getting a very small number of customer reports for these attacks."

Then Conficker.A hit the fan. (McAfee and Microsoft call the worm "Conficker," Sophos uses the name "Confick," and Symantec and F-Secure call it "Downadup"; but it's the same virus.) By Nov. 25, MMPC was raising the alarm on its blog in an attempt to get individuals and — especially — organizations to install the MS08-067 patch, which stops Conficker.A dead in its tracks.

At this point, the Conficker furor should've died down and the worm been relegated to the history books. Two inexorable forces, however, combined in early January 2009 to give the worm new life: system admins who weren't applying key patches and a ferociously fecund variant called Conficker.B.

How Conficker differs from other worms

In the not-so-good old days, Conficker.A arrived as a Trojan: in order to infect a PC, somebody had to run an infected program on the machine. It could also try to hit your machine directly, but any sort of firewall would thwart that attack. If the infected system was attached to a network, Conficker.A used the hole (that MS08-067 closes) to spread to other computers on the network. This modus operandi is kinda boring but moderately effective.

Conficker.B uses the Conficker.A approach, plus a whole lot more — as a "blended threat," it's an equal-opportunity infecter. The MMPC's TechNet blog offers an excellent, graphical overview of the ways that Conficker.B can get into your network. Here are the main attack vectors:

  • Conficker.B uses the old Conficker.A approach: simple Trojans that arrive via e-mail or by downloading an infected program.

  • Once a PC on a network is infected, Conficker.B reaches across the network to see whether any of its PCs have not yet patched the MS08-067 hole. After infecting these unprotected PCs, Conficker plugs the MS08-067 hole, presumably so other, similar worms can't get in. What a sneaky buzzard!

  • If Conficker.B finds that it can't get into a computer via the MS08-067 hole, it tries to break in by using the standard Windows admin account, entering each of 248 common passwords. This weak password list (which you'll find under the Analysis tab) includes such all-time favorites as admin, mypass, test, foo, 1111, and many others you may have seen before.

  • Once Conficker.B gains entry to a networked machine, it drops a copy of itself onto the target's hard drive and creates a scheduled job that runs the infected file. Conficker.B also loads itself onto all accessible shared folders. Ho-hum.

  • Finally, Conficker.B scans and infects all removable devices on the system, including USB drives and external hard drives.

That last step intrigues me the most because the person or persons who wrote Conficker gave the USB-drive-infection routine a diabolical little twist. As you might expect, the infection comes in the form of an autorun.inf file, which (usually) runs automatically when the USB stick gets stuck in the computer. But the social engineering in that autorun.inf file is quite remarkable.

The worm's tricky twist on autorun.inf

Bojan Zdrnja at the SANS Internet Storm Center detailed in this blog post how Conficker.B's autorun.inf file works. To see the brilliance in the deception, it helps to understand how autorun.inf files usually work.

Let's say I put an autorun.inf file on an empty USB drive that includes the following command:

[Autorun]
open=ACoolProgram.exe

Then I stick a file called ACoolProgram.exe on the USB drive. When I plug that USB drive into a bone-stock Vista machine, I get the AutoPlay notification message shown in Figure 1.

Autoplay reacting to a normal autorun.inf
Figure 1. Vista's Autoplay displaying the results of a normal autorun.inf file.

On the other hand, if I wanted to get tricky, I could change autorun.inf so it takes over the default wording on Vista's Autoplay dialog. This autorun.inf file does that very thing:

[Autorun]
Action=Open folder to view files
Icon=%systemroot%\system32\shell32.dll,4
open=ACoolProgram.exe

When this file is placed on a USB drive that's inserted into a stock Vista PC, the AutoPlay notification shown in Figure 2 appears.

Autoplay reacting to a fancy autorun.inf
Figure 2. Vista's AutoPlay with a slightly altered autorun.inf file.

Note that the altered file pastes an icon into the AutoPlay notification that looks just like a folder icon. The autorun.inf file can say it's going to open a folder when in fact it's going to run an executable program.

When Conficker.B infects a USB drive, it creates just this type of autorun.inf file that pops up an AutoPlay notification identical to Figure 2. Clever — and for PC users, scary. Amazingly, this bit of autorun.inf infectious sleight-of-hand also works on the beta version of Windows 7.

Guide to cleaning and preventing Conficker

As of Jan. 16, 2009, F-Secure estimates in its blog that the number of Conficker-infected PCs jumped from 2.4 million to 8.9 million in just four days. Unfortunately, that number has been increasing by a million infections a day.

I don't blindly accept F-Secure's analysis, nor that of any other security-software vendor, but it has become quite apparent that an enormous number of PCs have caught this worm.

Even though a Conficker-infected PC may not be able to access Microsoft.com — and Conficker probably disabled the PC's automatic-update function, too — getting rid of the worm is surprisingly easy.

    cialis medicine 0pt; padding-bottom: 0pt; margin-left: 17px; padding-top: 0pt”>

  • Step 1: Check your passwords. If you have an administrator account with an easily guessed password, change it. Microsoft provides a guide to strong passwords that includes a link to the company's online password checker. If somebody other than you controls your computer's admin password, make sure that person understands the gravity of this situation.

  • Step 2: Make sure you've installed the patch described in MS08-067. Open Control Panel's Add or Remove Programs list to ensure that KB 958644 has been installed. Click Start (plus Run in XP), type appwiz.cpl, and press Enter. In XP, make sure Show updates at the top of the window is checked. In Vista, click View installed updates on the left to see all of your PC's patches.

    The update in question was probably installed in late October or November of last year; look for Security Update for Microsoft Windows (KB958644). If this patch isn't installed, browse to Microsoft's Download Center to retrieve and install it. If your PC is blocked from visiting this site, use a noninfected PC to download the patch to a removable medium and install the update on the wormed PC from that device.

  • Step 3: Run Microsoft's Malicious Software Removal Tool (MSRT). The latest version of this Microsoft tool identifies and removes all of the Conficker variants I've heard about. The easiest way to get MSRT is through Windows Update, but if you can't get through to that service on the infected PC, borrow a computer and download the tool from Microsoft's site.

  • Step 4: Disable AutoPlay. If Figure 2 doesn't convince you of the risk of using Windows' AutoPlay feature, nothing will. Simply stated, you don't need AutoPlay that much. Follow the advice in Scott Dunn's Top Story from the Nov. 8, 2007, issue for comprehensive instructions to disable AutoPlay.

Those four steps will ensure that your PC isn't one of the million — or nine million, or 12 million — machines currently playing host to the Conficker worm and its variants.

Permalink • Print • Comment

Has your PC become a spammer’s botnet zombie?


Scott Dunn By Scott Dunn

Worldwide spam traffic dramatically dropped after a major spam server was temporarily shut down last fall, raising public awareness of botnets: networks of PCs that have been turned into spam-spewing robots.

Most antivirus applications are ill-equipped to stop this kind of malware, but you can reduce the risk of having your PC become zombified.

Last November, a provider of Internet connectivity named Hurricane Electric pulled the plug on hosting company McColo. Immediately, the worldwide volume of spam dropped a whopping 65%, according to some estimates.

As explained by Brian Krebs in an cialis jelly title=”http://windowssecrets.com/links/casamqr63t9zd/948e29h/?url=www.washingtonpost.com%2Fwp-dyn%2Fcontent%2Farticle%2F2008%2F11%2F12%2FAR2008111200658.html%3Fsid%3DST2008111801165%26s_pos%3D”>article at WashingtonPost.com, Hurricane — one of the two companies McColo depended on for its Internet connection — took the action after the newspaper informed the provider of McColo's role in hosting all sorts of Internet bad guys.

According to Krebs, McColo's clients included "international firms and syndicates that are involved in everything from the remote management of millions of compromised computers to the sale of counterfeit pharmaceuticals and designer goods, fake security products, and child pornography via e-mail."

The spam reduction held for a couple of weeks before rebounding, according to a Nov. 26 story at InfoWorld.com.

McColo's servers didn't send out the spam themselves. Instead, they provided the command and control for a vast network of PCs infected with malware. A collection of hacked PCs that have been turned into automated spamming machines is known as a robot network or "botnet." Security professionals name these botnets after the malware that runs them, which include Asprox, Rustock, Cutwail, and Srizbil.

The malware creators rent their botnets to spammers, who in turn use the control servers to coordinate the transmission of huge amounts of junk mail, as explained in another Washington Post story.

Your computer could be a spam zombie and you might never know it. And if you think your security software is keeping your computer safe from botnet slavery, you'd better think again.

A recent study by security firm FireEye revealed that antivirus products detect bots less than half the time. The study tested AV programs using Virus Total's free malware-scan service; consult that site for a list of the AV products tested.

Your four-step spambot-safety program

What can you do to prevent becoming a botnet victim? Although there are no perfect solutions, the following actions will help prevent your system from being compromised. (My thanks to the security blog written by Wiz Feinberg for many of the tips.)

Step 1: Keep your security products up-to-date. Although the FireEye study found little protection against bots from antivirus products, the study's author, FireEye chief scientist Stuart Staniford, did note that "AV works better and better on old stuff — by the time something has been out for a couple of months, and is still in use, it's likely that 70% to 80% of products will detect it."

Update your antivirus program regularly with the latest patches and virus definitions; even if the app doesn't catch the latest bot, your AV protection will reduce your risk of catching older malware still circulating around the Internet.

Step 2: Use a software firewall. By carefully monitoring your Internet connection, you'll reduce your risk of infection by botnet malware. By default, the firewalls built into Windows XP and Vista monitor only incoming connections. The firewalls can be configured to monitor outbound traffic, but doing so is technical and problematic for most users. The differences between the firewalls in XP and Vista are described in this Microsoft TechNet article.

Many free, third-party software firewalls are bidirectional. Third-party firewalls sometimes require updates after you install Patch Tuesday fixes from Microsoft, but the added functionality of these firewalls can make this inconvenience worth living with. WS senior editor Ian "Gizmo" Richards describes the best products in his July 31, 2008, column.

Step 3: Get a free diagnosis. Some security products are intended specifically to combat the botnet plague. For example, RUBotted is a free utility from Trend Micro that sits quietly in your system tray and monitors suspicious activity (more info). If the program spots an infection, it alerts you to take action. The program is currently a beta, but it worked fine for me.

According to a post by security blogger Feinberg, RUBotted encourages you to scan your system with Trend Micro's free HouseCall online virus-scanning service, which detects and removes many malware infections. Note that on my system, RUBotted uses 8MB of RAM.

Trend Micro RUBotted
Figure 1. Scan your system with Trend Micro's RUBotted to ensure that your PC is bot-free.

Full disclosure: Feinberg's blog is sponsored in part by RUBotted's manufacturer, Trend Micro. But I don't consider this to be an argument against using RUBotted.

Step 4: Try Norton AntiBot. Another bot-specific security product is Symantec's Norton AntiBot (more info). This $30 program claims to monitor, detect, and remove bots before they can cause harm. Norton AntiBot uses behavioral analysis rather than definitions for specific bots and received an Editor's Choice award from PC Magazine in 2007.

Security sites such as Marshal continue to report spam-bot activity. The buggers are delivering junk mail, malware, and other odious data to millions of victims. By using the above bot-prevention tools and techniques, you'll reduce the chances that your machine's a spammer's helper.

Permalink • Print • Comment

The warning signs of a PC infected with malware

Dennis O'Reilly By Dennis O'Reilly

Last week's news alert by Woody Leonhard described the high level of sophistication behind the Sinowal/Mebroot Trojan and described tools that attempt to remove the malware.

Many readers asked for more information on symptoms they should look for if they fear for their machines' security.

Subscriber Leslie Kight asks the following question:

  • "Great article. I'm curious, though: what makes Woody suspect his XP machine is infected by Mebroot? What symptoms did he see to raise that question?"

Here's Woody's reply:

  • "I kept getting weird virus warnings from AVG — viruses would appear, I would remove them, then they would reappear in different locations, or entirely different viruses would show up. AVG reported that the MBR [Master Boot Record] was being changed every time I rebooted, even when I did nothing.

    "I did a deep scan — first with AVG, then with NOD32 — to remove all the reported malware, but the viruses kept reappearing. Antirootkit scans turned up nothing. Then I couldn't connect to F-Secure's Web site, so I pulled the plug.

    "As I said in the article, I have no idea at all if it was Mebroot. But I couldn't find any reports of similar collections of problems and decided to err on the safe side.

    "Periodically reinstalling Windows is something I recommend anyway: once a year is ideal, in my experience. I'm happy to report that I've reinstalled XP Pro (SP3, of course), reactivated [Windows], and brought back the data files; everything appears to be working just fine. The machine's snappier than ever."

Double up to remove a virus from a hard drive

In deference to animal lovers, I will avoid the cat-skinning analogy, but as reader Bob Biegon points out, there's more than one way to return an infected hard drive to a healthy state:

  • "One of the easiest and, by my experience, most effective ways to remove many serious virus-spyware-rootkit infections is to remove the PC's hard drive, put it in another PC (or connect to another PC via a USB-to-IDE/SATA adaptor), and scan the drive with the second PC's anti-malware software.

    "This method ought to work well for the Mebroot virus without compromising the host PC's drive. My favorite products to use in this endeavor are AVG 8 and Sunbelt Software's Vipre."

Since when did mice start hunting cats?

The best analogies have a basis in reality (not the one I mentioned above relating to feline pelts, thank goodness). But another kind of cat reference in Woody's column from last week gave reader John Walsh pause:

  • "I do enjoy Woody Leonard's cialis generic vs brand articles and have been a fan of his for many years. However, in his latest article, Woody notes 'Detecting and preventing Mebroot is a cat-and-mouse game, and the black cats are winning.'

    "In my mind, the cats are actually the good guys trying to help eradicate the vermin (malware) represented by the mice. Therefore, I would suggest it is actually the black mice who are winning and proliferating, much to the consternation of the white cats."

Indeed, the bad guys are scavenging for your data and your money while the good guys hunt them down. However, Woody's use of "black cats" in this sense plays off the term "black hat" to describe a hacker with evil intent.

Mixing puns and analogies is dangerous business, but that's the kind of adventurous, risk-taking writer Woody is. That's only one reason why his readers love him so.

Permalink • Print • Comment

February 11, 2009

Antivirus tools try to remove Sinowal/Mebroot

Antivirus tools try to remove Sinowal/Mebroot

Woody Leonhard By Woody Leonhard

I wrote last Thursday about ways to protect your PC from infection by Sinowal/Mebroot, a devilishly effective rootkit that can evade antivirus programs.

This week, I'll concentrate on the best available techniques to try to remove the offender, if you're one of the unfortunates who've already been hit.

My Top Story Nov. 20 focused on prevention, because it can be hard as heck to get rid of Sinowal/Mebroot once your PC's got it. (Sinowal is the name of an older variant and Mebroot is its newer form, so I'll simply call the threat Mebroot in the remainder of this article.)

Mebroot infects a PC's Master Boot Record (MBR), the first sector on a hard drive, where it's invisible to ordinary antivirus agents. As I stated last week, your best defense against infection is to use, on a regular basis, a software scanner such as Secunia's free Personal Software Inspector (get it from Secunia's download page).

Ideally, you should run a PSI scan right after you install Microsoft's Patch Tuesday updates for Windows. The PSI scan tests your third-party applications, so you can patch them with the latest fixes. Unpatched media-player apps — Adobe Reader, Flash Player, Apple QuickTime, and the like — are particularly vulnerable to Mebroot and other threats, so it's vital to keep your players up-to-date.

Most Windows Secrets readers are probably not infected with Mebroot. Sophisticated PC users are less likely than novices to visit "celebrity video" sites and leave their PCs' third-party applications unpatched for months or years at a time.

But, as careful as you are, it's possible that your PC became infected when you visited some seemingly legitimate site with a less-than-fully-updated browser or while you were running an application with an unpatched security hole.

Washington Post blogger Brian Krebs wrote last month that a new sample of Sinowal/Mebroot was submitted to VirusTotal, an antivirus testing firm, on Oct. 21. Only 10 out of 35 antivirus programs (28.6%) correctly identified the sample or flagged it as suspicious, Krebs says.

If your PC is infected, Mebroot removal tools developed by a few security vendors may be able to help you. The bad news is that even the best tool can't be 100% effective against a threat that's evolving as quickly as this li'l terror.

Use F-Secure's utility to clean out rootkits

Security firm F-Secure is at the forefront of the industry's response to Mebroot. F-Secure researcher Kimmo Kasslin gave a presentation to a packed conference hall at the Virus Bulletin conference in October, during which he explained the Mebroot menace in these terms:

  • Mebroot is the most advanced and stealthiest malware seen so far.
  • When an infected machine is started, Mebroot loads first and survives through the Windows boot.
  • Mebroot uses a very complex installation mechanism, trying to bypass security products and to make automatic analysis harder.
  • As a payload, Mebroot attacks over 100 European online banks, trying to steal money as users do their online banking on infected machines.

For a complete outline of Kasslin's points and a downloadable PDF version of his conference presentation, see the F-Secure blog page.

The company claims that its BlackLight rootkit scanner detects and removes Mebroot. F-Secure also says Mebroot required the development of entirely new detection techniques.

Mebroot's programmers are smart and fast. How smart? When the authors of the rootkit detector GMER discovered how to recognize a particular behavior in Mebroot, the bad guys replaced some code in a driver initializer that threw GMER off the track. (For more information, see Trend Micro's blog entry on this subject.) Detecting and preventing Mebroot cialis generic brand is a cat-and-mouse game, and the black cats are winning.

BlackLight is built into F-Secure's commercial products, such as F-Secure Internet Security 2008. A free, standalone BlackLight download is also available. (The utility requires administrator privileges to run.)

For information on the products and a link to the download, see F-Secure's BlackLight page.

To get the best detection odds, you can test your PC with multiple antirootkit programs, many of which are free. For a complete review of several top offerings, see Scott Spanbauer's May 22 Best Software column.

Unfortunately, I don't know of any software maker that claims it can reliably detect — much less remove — every possible variant of Mebroot.

Your only real remedy may be a clean start

Right now, I believe one of my Windows XP machines is infected with Mebroot, but I can't tell for sure. I've quarantined the system by disconnecting it from my network, and I'm in the process of copying a small handful of vital data files off the PC and onto a USB drive.

Once I've copied the files, I'll reformat the machine's hard drive, reinstall Windows and my apps, and then carefully copy the data back — being very sure to hold down the Shift key every time I insert the USB drive. The Shift key circumvents Windows' AutoPlay behavior, thereby making any malware that might have sneaked onto the thumb drive less likely to run automatically.

Finally, I'll install and religiously use Secunia's Personal Software Inspector every month. Then I'll rub my lucky rabbit's foot (lot of good it did the rabbit), knock on wood, cross my fingers (does wonders for my typing), and hope that Mebroot doesn't bite me again.

My long-range plan is to upgrade the video cards on all of my Windows XP machines so they can limp along with their OS upgraded to Vista. At present, the User Account Control (UAC) function of the latest update of Vista does at least warn against Mebroot's initial attempt to activate. For other, more-technical reasons why Vista is not yet at risk from Mebroot, see the "Affected Systems" section of software engineer Peter Kleissner's analysis.

Of course, by the time I've done a clean install, the Mebroot gang may well have found a way to make even Vista as vulnerable as XP is now.

Helluva situation, isn't it?

Permalink • Print • Comment

Don’t be a victim of Sinowal, the super-Trojan

Woody Leonhard By Woody Leonhard

The sneaky "drive-by download" known as Sinowal has been, uh, credited with stealing more than 500,000 bank-account passwords, credit-card numbers, and other sensitive financial information.

This exploit has foiled antivirus software manufacturers time and again over the years, and it provides us in real time a look at the future of Windows infections.

Imagine a very clever keylogger sitting on your system, watching unobtrusively as you type, kicking in and recording your keystrokes only when you visit one of 2,700 sensitive sites. The list is controlled by the malware's creators and includes many of the world's most popular banking and investment services.

That's Sinowal, a super-Trojan that uses a technique called HTML injection to put ersatz information on your browser's screen. The bad info prompts you to type an account number and/or a password. Of course, Sinowal gathers all the information and sends it back home — over a fancy, secure, encrypted connection, no less.

Washington Post journalist Brian Krebs wrote the definitive overview of Sinowal's criminal tendencies in his Oct. 31, 2008, column titled "Virtual Heist Nets 500,000+ Bank, Credit Accounts" — a headline that's hard to ignore. Krebs cites a detailed analysis by RSA's FraudAction Research Lab: "One Sinowal Trojan + One Gang = Hundreds of Thousands of Compromised Accounts."

Sinowal has been around for many years. (Most virus researchers nowadays refer to Sinowal as "Mebroot," but Sinowal is the name you'll see most often in the press. Parts of the old Sinowal went into making Mebroot. It isn't clear whether the same programmers who originally came up with Sinowal are also now working on Mebroot. Mebroot's the current villain.)

Microsoft's Robert Hensing and Scott Molenkamp blogged cialis generic best price about the current incarnation of Sinowal/Mebroot back in January. RSA has collected data swiped by Sinowal/Mebroot infections dating to 2006. EEye Digital Security demonstrated its "BootRoot" project — which contains several elements similar to Sinowal/Mebroot — at the Black Hat conference in July 2005.

That's a long, long lifespan for a Trojan. It's important for you to know how to protect yourself.

A serious infection most antivirus apps miss

I haven't even told you the scariest part yet.

Sinowal/Mebroot works by infecting Windows XP's Master Boot Record (MBR) — it takes over the tiny program that's used to boot Windows. MBR infections have existed since the dawn of DOS. (You'd think that Microsoft would've figured out a way to protect the MBR by now — but you'd be wrong.)

Vista SP1 blocks the simplest MBR access, but the initial sectors are still programmatically accessible, according to a highly technical post by GMER, the antirootkit software manufacturer.

The key to Sinowal/Mebroot's "success" is that it's so sneaky and is able to accomplish its dirty work in many different ways. How sneaky? Consider this: Sinowal/Mebroot doesn't run straight out to your MBR and overwrite it. Instead, the Trojan waits for 8 minutes before it even begins to analyze your computer and change the Registry. Digging into the MBR doesn't start until 10 minutes after that.

Sinowal/Mebroot erases all of its tracks and then reboots the PC using the adulterated MBR and new Registry settings 42 minutes into the process. Peter Kleissner, Software Engineer at Vienna Computer Products, has posted a detailed analysis of the infection method and the intricate interrupt-hooking steps, including the timing and the machine code for the obfuscated parts.

Once Sinowal/Mebroot is in your system, the Trojan runs stealthily, loading itself in true rootkit fashion before Windows starts. The worm flies under the radar by running inside the kernel, the lowest level of Windows, where it sets up its own network communication system, whose external data transmissions use 128-bit encryption. The people who run Sinowal/Mebroot have registered thousands of .com, .net, and .biz domains for use in the scheme.

Wait, there's more: Sinowal/Mebroot cloaks itself entirely and uses no executable files that you can see. The changes it makes to the Registry are very hard to find. Also, there's no driver module in the module list, and no Sinowal/Mebroot-related svchost.exe or rundll32.exe processes appear in the Task Manager's Processes list.

Once Sinowal/Mebroot has established its own internal communication software, the Trojan can download and run software fed to it by its creators. Likewise, the downloaded programs can run undetected at the kernel level.

Sinowal/Mebroot isn't so much a Trojan as a parasitic operating system that runs inside Windows.

Windows XP users are particularly vulnerable

So, what can you do to thwart this menace? Your firewall won't help: Sinowal/Mebroot bypasses Windows' normal communication routines, so it works outside your computer's firewall.

Your antivirus program may help, for a while. Time and time again, however, Sinowal/Mebroot's creators have modified the program well enough to escape detection. AV vendors scramble to catch the latest versions, but with one or two new Sinowal/Mebroot iterations being released every month, the vendors are trying to hit a very fleet — and intelligent — target.

Peter Kleissner told me, "I think Sinowal has been so successful because it's always changing … it is adjusting to new conditions instantly. We see Sinowal changing its infection methods and exploits all the time."

Similarly, you can't rely on rootkit scanners for protection. Even the best rootkit scanners miss some versions of Sinowal/Mebroot. (See Scott Spanbauer's review of free rootkit removers in May 22's Best Software column and Mark Edwards' review of rootkit-remover effectiveness in his May 22 PC Tune-Up column; paid subscription required for the latter.)

Truth be told, there is no single way to reliably protect yourself from Sinowal/Mebroot, short of disconnecting your computer from the Internet and not opening any files. But there are some historical patterns to the exploit that you can learn from.

First of all, most of the Sinowal/Mebroot infections I've heard about got into the afflicted PCs via well-known and already-patched security holes in Adobe Reader, Flash Player, or Apple QuickTime. These are not the only Sinowal/Mebroot infection vectors by a long shot, but they seem to be preferred by the Trojan's creators. You can minimize your risk of infection by keeping all of your third-party programs updated to the latest versions.

Windows Secrets associate editor Scott Dunn explained how to use the free Secunia Software Inspector service to test your third-party apps, and how to schedule a monthly check-up for your system, in his Sept. 6, 2007, column.

In addition, according to Peter Kleissner, Sinowal/Mebroot — at least in its current incarnation — doesn't infect Vista systems. Windows XP remains its primary target, because Vista's boot method is different and its User Account Control regime gets in the worm's way.

Don't look to your bank for Sinowal safeguards

So, you'd figure the banks and financial institutions being targeted by Sinowal/Mebroot would be up in arms, right? Half a million compromised accounts for sale by an unknown, sophisticated, and capable team that's still harvesting accounts should send a shiver up any banker's spine.

I asked Rob Rosenberger about it, and he laughed. Rosenberger's one of the original virus experts and was also one of the first people to work on network security at a large brokerage firm.

"I'll be labeled a heretic for saying this, but … from a banking perspective, frauds like this have never qualified as a major threat. A banker looks at his P&L sheets and writes off this kind of fraud as simply a cost of doing business. Such fraud may amount to billions of dollars each year, but the cost is spread across all sectors of the banking industry all over the world.

"Banks have dealt with this kind of fraud for many, many decades," Rosenberger continued. "Forget the Internet — this kind of fraud existed back in the days of credit-card machines with carbon paper forms. The technology of fraud gets better each year, but this type of fraud remains consistent. From a banking perspective, the cost to obey government regulations dwarfs the cost of any individual case of fraud."

If the bankers aren't going to take up the fight against Sinowal/Mebroot, who will? The antivirus software companies have a long tradition of crying wolf, and their credibility has suffered as a result.

In this particular case, the major AV packages have failed to detect Sinowal/Mebroot over and over again. It's hard to imagine one of the AV companies drumming up enough user interest — or enough business — to fund a mano-a-mano fight against the threat. Besides, the AV companies are chasing the cows after they've left the barn, so to speak.

The folks who make malware these days constantly tweak their products, often using VirusTotal or a proprietary set of scanners to make sure their programs pass muster. A day or an hour later — before the AV companies can update their signatures — the bad guys unleash a new version. AV companies know that and are moving to behavioral monitoring and other techniques to try to catch malware before it can do any harm.

The only company that seems to be in a position to fix the Master Boot Record problem is Microsoft. But it's hard to imagine MS management devoting the time and resources necessary to fix major security holes in a seven-year-old product, particularly when XP's successors (I use the term lightly) don't appear to have the same flaw.

This is short-sighted, however. It's only a matter of time before Sinowal/Mebroot — or an even-more-dangerous offshoot — finds a way to do its damage on Vista systems as well.

If Microsoft decides to take on Sinowal/Mebroot, the company is up against a formidable opponent that draws on many talented programmers. John Hawes at Virus Bulletin says "I recently heard someone estimate that a team of 10 top programmers would need four full months of work to put together the basic setup."

As Peter Kleissner puts it, "I personally think most people behind the [Sinowal] code do not know what they have done. I would bet that more than half of the code was written by students around the world."

Kleissner's in a good position to judge. He's a student himself, 18 years old. I'm glad he's on our side.

Permalink • Print • Comment
« Previous PageNext Page »
Made with WordPress and an easy to customize WordPress theme • Sky Gold skin by Denis de Bernardy