Monthly Archives: March 2013

The malware wars: How you can fight it

By Michael Lasky

A tip-filled conversation with Andrew Brandt, director of threat research at Solera Networks, reveals some of the ways hackers sneak malware into PCs.

Malware most often embeds itself with our unwitting help, but even when we have our defenses fully up, malware can still climb aboard. Nevertheless, there are practical and effective ways to defeat it — or clean it out after the fact.

Malware detection and decryption is my business

I met with Brandt at the annual February RSA security conference in San Francisco, Calif. We sat down to talk about the current state of malware and online security.

“Bring it on!” is Brandt’s mantra on malware. That’s because his job is letting malware run on his systems — on purpose. Using Windows XP, Vista, Windows 7, and Windows 8 test machines, he regularly browses sites known to harbor malicious content. But his unprotected systems (sometimes referred to as honeypots) often get malware infections all on their own.

The viruses, Trojans, etc. deposited daily on his computers are fodder for his primary work: reverse-engineering malware so he can understand how the latest exploits work — and how to prevent malware from intruding again. “Unfortunately,” says Brandt, “the goal posts are constantly changing with each malware sample. By design, more-sophisticated malware scripts change every time they run; they effectively create a custom version and, in doing so, change their identity every time they run. That constant change defeats much of the security software in use, which is looking for some previous design [or signature].”

Does that mean installing and using AV software is futile? “No,” says Brandt, “any amount of protection certainly helps. Some security software is better than others at finding and quarantining infections, but no single product can detect everything that’s out there, especially when it changes by the minute — not by the day, by the minute!”

As Brandt explains, AV programs need to cross-check each instance of a malware attack against a constantly updated database. But a database containing every version of malware is infeasible; it gets too large to be of practical use. Malware often changes its signature by as little as one byte — which might be enough to defeat signature-matching. Moreover, well-written (for want of a better term) malware uses obfuscation techniques to hide itself within a PC. “So an infection can be found only after the damage is done,” Brandt notes. “Of course, then it’s too late.”

To prevent infections, says Brandt, “You’ve got to embrace [anti-malware] deficiencies and take more personal responsibility. Most people tend to click before they think, and sites like Facebook have made matters worse. We click a link simply because it came from a social-network friend. At this point in the malware wars, you need to put a critical eye on any link — no matter how trusted the source. Your Facebook or email friend might have been fooled, and the link they sent you goes to a site that automatically loads its exploit.”

Social-engineering threats are rapidly growing, courtesy of the security vulnerabilities of sites that regularly use abbreviated URLs. Anyone who’s read Twitter or Facebook posts is familiar with cryptic URLs such as bitly, tinyurl, and snipurl. Because they’re shortened to seemingly random letters, numbers, and characters, you don’t know where they’re actually taking you. But all too often, we click them anyway.

  • Tip: You can preview shortened URLs to see their true destination. For example, with bitly addresses, simply paste them into your browser, add a + after the URL (for example, // [Solera Networks page]), and press Enter. Adding the plus sign takes you to the bitly site first, where you’ll see a stats page for the destination site.

    For tinyurl addresses, add “preview” before the address. For example, enter //{xxxxx}, and the uncloaked address will appear at the tinyurl site.

    For snipurl addresses, add “peek” before the shortened address. For example, // takes you to the Snipurl site and displays the full URL:

For any link — short or long — in a webpage, hover your cursor over the link and the true, full address should appear at the bottom of the browser window. Say, for example, you get an email from PayPal with what looks superficially like a legitimate link. But if the true link is something like // or //, it could well lead to getting hacked or phished.
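The shortener tricks above (bitly’s trailing +, tinyurl’s preview, snipurl’s peek) and the hover check (does the visible link text claim a different site than the real address?) can be automated. This is an added example, not code from the article or from Solera Networks; the sample email HTML is constructed, and the exact snipurl “peek” form is an assumption modelled on the tinyurl rule.

```python
"""Added example: preview-URL construction and link/text mismatch checks.
Implements the article's three shortener rules and the "hover and compare"
advice for links in an email. Sample email below is constructed."""
import re
from urllib.parse import urlparse

SHORTENER_PREVIEW = {
    # host -> function that builds the preview form of a shortened URL
    "bit.ly": lambda u: u + "+",          # bitly: append '+' for the stats page
    "bitly.com": lambda u: u + "+",
    "tinyurl.com": lambda u: u.replace("tinyurl.com", "preview.tinyurl.com", 1),
    # Assumption: snipurl's "peek" works as a prefix like tinyurl's "preview".
    "snipurl.com": lambda u: u.replace("snipurl.com", "peek.snipurl.com", 1),
}
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
RISKY_EXT = (".exe", ".scr", ".zip", ".pif", ".bat")  # direct downloads


def preview_url(url):
    """Preview form of a known shortener URL, or None if it is not shortened."""
    host = (urlparse(url).hostname or "").lower()
    builder = SHORTENER_PREVIEW.get(host)
    return builder(url) if builder else None


def registered_domain(host):
    """Simplification: last two labels (no public-suffix list)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_links(html):
    """Return (href, reason) pairs for links that deserve a second look."""
    findings = []
    for href, text in LINK_RE.findall(html):
        real_host = (urlparse(href).hostname or "").lower()
        visible = re.sub(r"<[^>]+>", "", text)
        # Hover check: link text names a site, but the href goes elsewhere.
        for claimed in HOST_IN_TEXT_RE.findall(visible):
            if registered_domain(claimed) != registered_domain(real_host):
                findings.append((href, f"text claims {claimed} but link goes to {real_host}"))
                break
        path = urlparse(href).path.lower()
        if path.endswith(RISKY_EXT):
            findings.append((href, f"link points directly at a {path.rsplit('.', 1)[-1]} file"))
        preview = preview_url(href)
        if preview:
            findings.append((href, f"shortened URL; preview it at {preview}"))
    return findings


# Constructed sample: a lookalike PayPal link, a shortener, and a ZIP download.
SAMPLE_EMAIL = """<p>Your account needs attention.</p>
<a href="http://secure-login.example.net/paypal/update">https://www.paypal.com/myaccount</a>
<a href="http://bit.ly/3xAmpl3">funny video</a>
<a href="http://cdn.example.org/invoice.zip">View invoice</a>
<a href="https://www.paypal.com/help">PayPal Help</a>"""

if __name__ == "__main__":
    for href, why in check_links(SAMPLE_EMAIL):
        print(href, "->", why)
```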


Figure 1. Fake PayPal notification

The ingredients of a malicious hack recipe

From his years of observing malware, Brandt believes that “the number one delivery method of a hack is a ZIP file. It might be disguised as a link or email attachment, but when opened, it will automatically unzip and execute the exploit that lodges malicious code in your computer.” Zipping the malware also hides its signature executable file, thus preventing its detection by AV software.

Other popular methods for delivering malware include PDFs, EXE files, and links that take you to intermediate sites that then immediately forward you to compromised sites. So again, it’s important to preview the address of a link. Some poorly written ones will actually show an executable file at the end — //, for example.

According to Brandt, if you know where a malware file resides on your computer, you might be able to manually remove it. But then you have to know exactly what you’re looking for. “From my research, I’ve noticed that these files are usually deposited in temp-file locations. They show up as .exe or .dll files.” You don’t normally find executable files in a temp-file folder.
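A defender can turn that observation into a quick check: list everything in the temp folders that is an executable, by extension or by the “MZ” header every Windows executable and DLL starts with, so a renamed .exe is still caught. This is an added example, not code from Brandt or the article; the Windows temp paths are the usual defaults, and the demo runs against a constructed temporary directory.

```python
"""Added example: find executables (.exe/.dll or 'MZ'-headed files) in temp
folders, the location the article says malware usually drops into."""
import os
import shutil
import tempfile

EXEC_EXTS = (".exe", ".dll")


def default_temp_dirs():
    """Usual per-user and system temp folders on Windows (env vars may be unset elsewhere)."""
    return [os.environ.get("TEMP"), os.environ.get("TMP"), r"C:\Windows\Temp"]


def looks_like_pe(path):
    """True if the file begins with the 'MZ' DOS header used by every PE executable/DLL."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def find_executables(temp_dirs):
    """Return sorted (path, reason) pairs for executables found under the given folders."""
    hits = []
    for base in temp_dirs:
        if not base or not os.path.isdir(base):
            continue
        for root, _dirs, files in os.walk(base):
            for name in files:
                path = os.path.join(root, name)
                ext = os.path.splitext(name)[1].lower()
                if ext in EXEC_EXTS:
                    hits.append((path, f"{ext} file in a temp folder"))
                elif looks_like_pe(path):
                    hits.append((path, "MZ header: executable with a non-executable extension"))
    return sorted(hits)


def demo_scan():
    """Scan a constructed temp tree holding a text file, an .exe and a renamed PE."""
    base = tempfile.mkdtemp(prefix="tempscan_demo_")
    samples = {
        "notes.txt": b"just text\n",             # not flagged
        "update.exe": b"MZ" + b"\x90" * 62,       # flagged by extension
        "report.tmp": b"MZ" + b"\x00" * 62,       # flagged by MZ header only
    }
    try:
        for name, data in samples.items():
            with open(os.path.join(base, name), "wb") as fh:
                fh.write(data)
        return [(os.path.basename(p), why) for p, why in find_executables([base])]
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for path, why in find_executables(default_temp_dirs()):
        print(path, "-", why)
```

Files flagged by the MZ rule are the interesting ones: a legitimate installer may leave an .exe behind, but an executable hiding behind a .tmp name rarely has a benign explanation.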

“If you are still using XP, I’d advise upgrading to Win7 or Win8 as soon as possible — XP is wide open to malware intrusions. Vista and Windows 7 [mostly] fixed this open door with the User Account Control; it pops up every time there is an attempt to make changes to your system, legitimate or not (such as when a new app tries to install). Most people just click Okay and continue, but this is one point when there’s a chance of stopping an infection from entering.”

Caught red-handed: A conversation with a hacker

The malware-monitoring systems in Brandt’s lab see constant activity from online. “One time, I was tending to one PC and, when I turned away from it momentarily, I noticed an open chat window on another machine. A message in the chat screen stated, ‘Yo, bro, you caught me.’ I responded back with an ‘LOL.’” Using malware installed on the XP system, a hacker was creating a text-based report of every open window’s title bar and sending it to an address in Tunisia.

“I created a text file on my desktop that said, ‘Hey, come back.’ He did. In a series of chat sessions, he told me his story: He ran a network business in Tunisia but, because of the revolution there, business was slow. So to earn money to take care of his family, he was creating botnets to take over computers around the world. He used the botnets to harvest passwords, credit card numbers, and other personal data that he could then sell to other hackers.” (A lot of malware guys get cocky and start communicating with security analysts directly, in a sort of catch-me-if-you-can game.)

“There are open, online markets where malware exploit codes are available free or for sale. The Tunisian hacker would get them as soon as they were made available and use them. He also used free (and perfectly legitimate) remote-control software — TeamViewer (site) — to take over computers. It would send back screen shots from infected PCs to him every 30 seconds.”

Today, says Brandt, most of the malicious code comes from Russia and other East European countries and from China. “Much of it is implemented lazily, so it conforms to known patterns that many email clients recognize and immediately send to spam folders. But some of it does get through. Unfortunately, many of these guys are one step ahead of the analysts.”

Brandt’s Tunisian chat-pal hacker was apparently close to getting caught but shut down his operation in the nick of time. After that he was more particular about his exploits.

When asked the top three ways to deter malware on a PC, Brandt’s suggestions are ones we should all know — and follow — by now.

  • Stop using Windows XP.
  • Install and keep updated security software such as the free AVG (site) and Malwarebytes (site).
  • Most important: Think before clicking any link and whenever Windows unexpectedly asks whether you want to proceed with a change to your PC settings.

“Ratters” – They Watch Through Your Webcam

By Becky Worley | Upgrade Your Life

R.A.T. Remote Access Tools
This scenario is happening more and more; there are myriad photos and videos available online indicating the practice is getting easier and more popular with an online community called Ratters. They use Remote Access Tools (R.A.T.s) to activate the webcams of compromised computers and record video of unsuspecting users. They call the owners of these infected computers “slaves,” and compromising videos, especially of female slaves, are openly traded, and posted on YouTube.

Online Forums of Ratters Grow
The practice of taking over a computer is not new. Hackers have produced software for years that gives complete control of a machine to a remote attacker. Aspects of these tools are also common in the IT field for offering remote tech support. But what’s new is the community of remote attackers who have formed in hacking forums to share or trade access to the enslaved computers and talk about their exploits.

In a detailed article on Ars Technica, journalist Nate Anderson probes into the members at, which he says has more than 134 pages of posts featuring captured images and video of female slaves. Some are recorded from webcams, and others are videos or images found on the hard drives of compromised computers that their owners thought were private and secure.

Scare Tactics
Beyond invading a victim’s privacy, Ratters have tools in their software to scare or annoy remote victims. They can open and close their DVD drives, display graphic images on screen, have the computer read aloud using text-to-speech applications, or even hide the start button.

Hard to Police
While this type of unauthorized computer intrusion is clearly against the law, the fight against Ratting is a challenge. There are many free or low-cost programs already available online, attackers are not usually local or in close proximity to victims, and while any one forum of Ratters could be shut down, others could easily pop up elsewhere.

How Victims Are Infected
Victims are infected with remote access tools the same way many viruses spread: opening attachments, drive-by downloads from sketchy sites, downloading files from torrents or file-sharing sites, or being tricked into clicking links through social media sites.

How to Protect Yourself
The good news is that these tools can be detected and held at bay. First, pay attention to the little light next to your webcam. If at any time it’s lit and you aren’t using your webcam, find out why it’s engaged by running an antivirus program or by pressing Ctrl-Alt-Del and opening Task Manager to see which processes are actively running. If you see anything suspicious, it’s time to disconnect from the Internet and disinfect.


Best practices to stay safe include using a firewall, keeping all software up to date, and using an anti-virus program. Also, staying away from torrent sites and sketchy websites will add a layer of protection, as many Ratters seed files on these sites disguised as free videos, music or software programs. If your paranoia is high and you really want to be sure your webcam isn’t spying on you, some have suggested taping a piece of paper over the camera, but this does nothing to protect your information or image/video files already on your computer.

Security alert: Bogus tech-support phone calls

By Fred Langa

“Hello. This is Microsoft Tech Support. Your PC has notified us that it has an infection.”

The call is a scam — an extremely prevalent one. Here’s how it works and what you need to know to stay out of the trap.

Scams come and go, but this particular one seems to have staying power — and it’s spreading quickly. It’s now so common, the Internet Crime Complaint Center (a partnership between the Federal Bureau of Investigation and the National White Collar Crime Center) issued a Jan. 7 special alert, “New twist to online tech support scam.”

Windows Secrets reader Scott Brande was recently on the receiving end of a typical tech-support con. Recognizing it for what it was, he carefully documented the attempted snow job, then sent in his notes as a service to all Windows Secrets readers.

His narrative, plus the resources I’ll list at the end of this article, can help you — and the people you care about — avoid falling prey to this malicious tactic.

Scott’s description of how the scam played out:

  • “This morning I received a telephone call (the second such call in two weeks) about infected files on my computer; the caller then offered to fix the problem. Suspecting a scam, I decided to play along.

    “I think it was the same caller both times. He had a strong accent, the kind I’m used to hearing on outsourced help lines. I asked the caller’s name both times; the first time he replied, ‘Mike Tyler,’ and the second time he was ‘Andrew.’ He began the call by saying that he’s with Microtek, an authorized supporter for Windows operating systems. (My spelling of the company’s name was a guess; the caller never spelled it out.)

    “I asked immediately whether this was a sales call. Without directly answering my question, he launched into what sounded like a script. He stated: ‘Our servers have received information from your computer that indicates it is infected.’

    “When I questioned him about his company, he told me I’d find ‘Microtek’ listed on [an online business directory] — as if a listing in the directory were proof his call was legitimate! When asked where the company was located, he replied, ‘Houston, Texas.’ I then asked for his employee ID; he gave me ‘MSCE079502.’

    “(After the call, I ran an online search and came up with a Microtek in Houston; it’s a training facility for business computer users — not a technical-support center. I assume the caller just picked Microtek’s name off the Web. I don’t believe the real Microtek had anything to do with the bogus tech-support call.)

    “Changing topics, I asked how he knew my computer was infected. He replied that his company is an authorized Microsoft Partner and, because I use Microsoft Windows, my computer sends notifications to Microtek servers.

    “I then asked how he knew about my specific computer; he stated that his server gets updates from my PC. He then asked whether I ran Windows Update. When I said yes, he went on to say that Microtek servers got the information about infected files in my system via Windows Update.

    “I countered, stating that Windows Update goes only to Microsoft servers — not Microtek servers. But he simply repeated that Microtek is an authorized Microsoft Partner.

    “Next, I asked him which one of my computers was infected (I have several at home), to which he said something vague about a MAC address. When asked which MAC address he had for my machine, he would state only that, for ‘security reasons,’ he couldn’t tell me the MAC address (even though it was my own PC).

    “At this point, I expressed my doubts about all this information. But he was quite persistent; he stated that ‘some of our clients in your area have been affected by the infected files on your machine.’ He then claimed I had upward of ‘1,000 infected files.’ When asked who these local clients were, he said he couldn’t tell me that (of course).

    “I asked how his clients’ machines could possibly be affected by my home computer. He didn’t answer this but went directly to the following: ‘OK, I’ll show you the infected files on your computer.’ He instructed me to enter .inf into the Start menu search box, then declared that all these files were ‘infected’ (that .inf stands for ‘infected’ or ‘infection’).

    “At that point, I said I didn’t believe that was true; it was my understanding that .inf was a particular type of file that comes with software installed on my computer.

    “At this point, he ended the call — probably because I knew that .inf didn’t refer to infected files. As it was, I’d had him on the line for a good 15 minutes.

    “As I mentioned, this is the second such cold call I’ve received in about two weeks. The pitch given in the two calls was very consistent; I surmise there must be many others who have been presented with the same scam.”

Great job, Scott! Your suspicions are totally correct: This was just a scam. And yes, it’s extremely widespread.

Bogus tech-support call raises red flags

Two of the caller’s assertions in Scott’s narrative immediately indicate a scam:

  • Microsoft or one of its partners made the call: False! Microsoft flatly states:

    “Neither Microsoft nor our partners make unsolicited phone calls (also known as cold calls) to charge you for computer security or software fixes. … Do not trust unsolicited calls. Do not provide any personal information.” (See the full text on Microsoft’s “Avoid tech support phone scams” page.)

  • Windows Update collects personally identifiable information: False, again! Even if it wanted to, Microsoft — or a Microsoft Partner — can’t track you down and cold-call you via information acquired by Windows Update. You’ll find more details on the online “Windows Update privacy statement” page; a more colloquial version on the “Using Windows Update” page states unequivocally: “Windows Update is committed to protecting your privacy and does not collect your name, address, e-mail address, or any other form of personally identifiable information.”

Scott’s caller raised other red flags, too. For example — just as Scott thought — .inf stands for information, not “infection.” An .inf file is just a plain-text file containing information Windows uses when it’s installing a driver.

Knowledge of INF files is somewhat specialized — not everyone will know what they’re used for. But the first two red flags should be easily recognized by any experienced Windows user.

Bottom line: If you get an unsolicited call from anyone offering to “fix” your computer (especially if they claim to be from Microsoft or a Microsoft Partner) hang up immediately — it’s a scam!

Further scam-proofing — and reporting scammers

For more information about how to recognize the type of scam Scott ran into, see the MS Safety & Security Center page, “Avoid scams that use the Microsoft name fraudulently.”

You’ll find additional ways to generally scam-proof yourself on the U.S. Federal Trade Commission (FTC) site, “Telemarketing Scams.”

If you receive (or have already received) a scam-related phone call, the FTC requests you dial (toll-free) 1-877-FTC-HELP or visit the Complaint Assistant site.

If you’re on the receiving end of an attempted scam via the Web (rather than by phone), file a complaint on the Internet Crime Complaint Center’s free website.

And here’s some preventive medicine that might help. Register all your phone numbers with the National Do Not Call Registry (free; site). You need to register a number only once; the registry never expires. This won’t stop all unsolicited calls, but it will stop most. If your number is on the Registry and you still get calls, they’re likely to be from scammers ignoring the law. In that case, call the FTC number listed above and file a complaint.