Thursday, March 28, 2013

Malware Spotlight Double Header: Bagle and Netsky.

For a reader special, we are taking a look at two pieces of malware, both of which are related in a way.

Bagle is a mass-mailing worm which affects all versions of Windows. It opens a backdoor to allow hackers to access your computer, and some variants contain the following text:

"Greetz to antivirus companies
In a difficult world,
In a nameless time,
I want to survive,
So, you will be mine!!"

Bagle also created a botnet which sent itself to other PCs via mail applications such as MS Outlook. It is estimated that Bagle was responsible for 14% of spam on January 1st, 2010.

Netsky is also a worm. Its code contained comments meant to insult the writers of the Bagle worm. Some variants also played sound through the speakers of your computer at 5:00 AM each morning. Depending on when you get up in the morning and how loud your speakers are, you could actually be woken up by this sound. The sound ceases at 9:00 AM and resumes again at 5:00 AM the next morning. This worm also spread by mass-mailing itself to all your contacts.

Feel free to comment below if you have a question or you just want to tell me how awesome I am.

Monday, March 25, 2013

What Does It Mean? Layered Defense

These days, you can't read, hear, or see anything about computer security without catching the phrase "Layered Defense" or something like it. Well, the first thing you want to know is, what is it?

First, let's start with one layer of defense. Let's say you have an antivirus program. This should be enough, right? But the issue is, some malware can sneak past your antivirus or even disable the antivirus entirely. That looks a little something like this.

OK Defense. Some attacks blocked.
The Antivirus blocks some attacks, but some get to the computer and cause havoc.

How can we fix this issue? By using more than one layer. You can use Safe Computing for one.

Safe Computing is being smart before you click. Like I have said before, once you start thinking with your other head, you are a big target. Don't click on anything suspicious, and make sure you know what's real and what's not real.

You can also use a firewall. Security-oriented firewalls block malware that attempts to reach your computer over the network.

With these two extra layers in place, your "Layered Defense" looks a little more like this.

Better Defense. More attacks blocked.
So, the more layers you have, the less likely you are to get infected. If you still have trouble conceptualizing this, think of an onion. The more layers it has, the harder it is to get to the core.

And these three layers are just the beginning. You can add anything you like to increase your defenses based on your budget and your level of paranoia. And let us not forget that a little bit of paranoia when it comes to protecting what is important to you is a good thing. An example of top notch security would look a little like this.

Defense for the very paranoid. Most if not all attacks blocked.
Now I am not about to suggest that you need to get all of this stuff. And there are some things in here that you may not know about. Stay tuned and we will discuss all of these unfamiliar aspects in future blog posts.

Friday, March 22, 2013

What's In A Name: Rootkits

For the second part of my What's In A Name series, we take a look at the cornerstone of malware: Rootkits.

First, what is a rootkit?

A rootkit is a piece of malware that operates somewhat like an elite Special Forces unit. It gets in, communicates with headquarters, recons defenses, and messes stuff up so that the main strike force coming in later will have an easy time.

Rootkits are like Special Forces units in another way as well: Try to remove them, and they go wild. This is why every rootkit remover worth his or her salt warns that removing a rootkit could lead to problems with the operating system, to the point where it will not boot.

This is because the rootkit gets into the system and replaces critical system files with those under the control of the rootkit. And when these replaced files are removed along with the rootkit, the system can be rendered inoperable.

This is why rootkits are some of the most difficult malware to remove. Do one thing wrong, and you could break the computer you are trying to fix.

Hope this clears up what a rootkit is.

To look at Part One of What's In A Name, go here.
To look at my definition post, which contains a brief summary of some of the terms used when talking about malware, go here.
If you have a question or just want to tell me how awesome I am, feel free to comment in the space below. It's FREE!

Sunday, March 17, 2013

How do I make sure my Antivirus Software is protecting me?

You are a computer user concerned about malware, you have antivirus software, but you do not know if it is protecting you. What do you do?

One thing you could do is find a sample of malware, scan the file, and see if your antivirus program detects it. But if your program does not detect it, you are now infected with malware that may already have done its work on your computer.

Your second option is to buy the most expensive protection out there, because if it's expensive it has to be good.... right? Sorry, but no. Cost is not an indication by any means of how good an antivirus program is.

Your last option is to try to download a file on the internet called the EICAR Standard Anti-Virus Test File. This is a harmless file that has become the industry standard for testing antivirus software without actually infecting the computer with malware.

So, what's it going to be? The Test File? Excellent choice. But first, let's talk a little bit about this test file.

This file was made by the European Institute For Computer Antivirus Research. This organization was founded in 1991, and it aims to further antivirus research and improve antivirus programs out there today. The file was developed in collaboration with the Computer AntiVirus Research Organization (CARO).

The file will not harm your computer in any way, shape, or form, even if your antivirus program does not pick it up after a scan.

Let me state for the record that this test file is NOT malware and will not harm any computer if downloaded. Please do not claim or report that I am distributing malware.

Go to this website and download eicar.com over plain HTTP. Your antivirus should raise an alarm if it is protecting you in real time. If your antivirus program is not designed to protect you in real time, you can run a custom scan on the location of the test file.

After detection, your antivirus program will either delete the file or quarantine it depending on your exact settings.
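As an added example (not part of the original post), the script below creates the EICAR test file locally rather than downloading it, checks that the bytes were not mangled on the way to disk, and then watches whether real-time protection deletes or alters it. The test string is the one published by EICAR; the file location and the five-second wait are assumptions.

```python
import time
from pathlib import Path

# The published EICAR test string: exactly 68 printable ASCII bytes. It is
# not malware; scanners flag it by agreement so detection can be exercised
# without a real sample.
EICAR_STRING = (
    r"X5O!P%@AP[4\PZX54(P^)7CC)7}"
    r"$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
)


def eicar_bytes() -> bytes:
    """Return the test-file content after checking it was not mangled.
    Scanners match the first 68 bytes exactly, so a stray newline, BOM or
    text-mode rewrite at the start would make the test silently miss."""
    data = EICAR_STRING.encode("ascii")
    if len(data) != 68 or not data.startswith(b"X5O!"):
        raise ValueError("EICAR string is corrupted")
    return data


def write_test_file(path: str) -> int:
    """Write eicar.com to `path` and return the number of bytes written."""
    with open(path, "wb") as f:  # binary mode: no newline translation
        return f.write(eicar_bytes())


def realtime_protection_reacted(path: str, wait_seconds: float = 5.0) -> bool:
    """Poll until the file vanishes or its content changes, which is what an
    on-access scanner does when it deletes, truncates or quarantines it."""
    deadline = time.monotonic() + wait_seconds
    while time.monotonic() < deadline:
        try:
            with open(path, "rb") as f:
                if f.read() != EICAR_STRING.encode("ascii"):
                    return True  # content altered by the scanner
        except OSError:
            return True  # deleted, quarantined or access blocked
        time.sleep(0.25)
    return False


if __name__ == "__main__":
    target = str(Path.home() / "eicar.com")  # hypothetical location
    print(f"wrote {write_test_file(target)} bytes to {target}")
    if realtime_protection_reacted(target):
        print("Real-time protection reacted: file removed or changed.")
    else:
        print("No reaction in 5 s; run a custom scan on that folder.")
```

If the write itself fails with a permission error, that is also a reaction: some products block the file before it reaches disk.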

Monday, March 11, 2013

Spotlight On Malware: The Conficker Worm.

By popular request, here is a look at the Conficker Worm. This worm is also known as Downup, Downadup, and Kido.

First, Conficker sounds like a weird name. Where did it come from you ask? The origin of the name is thought to be a portmanteau of the English term configure and the German pejorative term Ficker. Conficker comes in 5 flavors, all of which we will talk about separately. The five flavors have been dubbed A, B, C, D, and E.

The first variant of Conficker (A) was discovered in early November of 2008. It spread through the Internet by exploiting a vulnerability in a network service (specifically MS08-067) on Windows 2000 through Server 2008. Windows 7 could have been affected, but during that time Windows 7 was in beta and the beta was not publicly available until January 2009. Although Microsoft released an emergency patch on November 23, 2008 to patch the vulnerability, a large number of PCs still remained unpatched as of January 2009. The final thing that Conficker A does is update itself to Conficker B, C, or D.

The second variant (B), discovered in December, added the ability to spread over LANs and through removable media. The second variant also disabled Windows AutoUpdate and blocked certain DNS lookups. The final thing that Conficker B does is update to Conficker C or D.

The third variant (C) which was discovered in early February 2009 did much of the same stuff as Conficker B did. The final thing that Conficker C did was update itself to Conficker D.

Conficker D is where things get a little more interesting. This variant was discovered in March of 2009. It did what Conficker C did; however, it also added a few extra features, such as disabling safe mode and searching for processes related to anti-malware programs and killing them at one-second intervals. The final thing that Conficker D did was download and install Conficker E.

Conficker E was discovered 3 days after Conficker D. It protected itself in the same manner as D (disabling anti-malware) and had a very interesting final payload. The final action was downloading and installing a spambot and SpyProtect 2009. Conficker E also removed itself on May 3 of 2009, leaving the copy of Conficker D still on the computer.

That is it for this Spotlight On Malware blog post. Once again, this was by popular request.... Now stop requesting it.

Thursday, March 7, 2013

Where did this whole issue with Malware begin?

Some of you that have read my blog and like it may say "Alright, I'm hooked. But when did this all start?"

Well, I have the answer for you.

The first piece of malware in my opinion was the Elk Cloner virus. This virus was written in 1982 by a 15 year old high school student named Rich Skrenta. The virus was originally written as a joke, created and put onto a game on a floppy disk. The virus attached itself to Apple II operating systems using a technique now known as a boot sector virus. It was attached to a game, and the game was then set to play. On the 50th boot of the game, the virus was released. So instead of playing the game, the screen would go blank and display a poem about the virus, known as Elk Cloner:

"Elk Cloner: The program with a personality

It will get on all your disks
It will infiltrate your chips
Yes, it's Cloner!

It will stick to you like glue
It will modify RAM too

Send in the Cloner!"

It may be worth mentioning that today's malware is spread by the fact that 1 out of every 8 flash drives is infected with malware. These infected flash drives pass from hand to hand with no one being the wiser, echoing the way Elk Cloner spread back in 1982.

That will wrap it up for this post. Be sure and comment below if you have a question, or you just want to tell me how awesome I am.

Sunday, March 3, 2013

My Take on Third Party Tech Support.

We've all had issues with software or hardware at one point in time; there is an argument that some software is even designed to fail at some point. But when we need help, who do we turn to? Tech Support offered in house for free can have representatives who are quite knowledgeable and can help you with your issue. If you are not satisfied, you cancel or return the product or service. This translates to less money on the bottom line for the company offering the support, so they offer support for free, knowing that doing so is cheaper than trying to win a paying customer back.

However, some companies outsource Tech Support to a third party service. Those that work for these third parties often work on commission from service packages sold. Some even go as far as to refuse service unless you buy a support package, even when you have already bought and paid for the software. Some claim that if you do not buy the support package, your product or service will stop working altogether. In the case of a computer: "Your hard drive will be physically damaged and you will lose all your data if you do not pay." Those who work for third party support have an "I do not care about your issue, now get off the line" mentality.

Sound shady to you? Well, some third party support companies and organizations are not like this. They do not use deceptive business practices in order to get a sale. What I have said to discredit third party support is not true for all third parties, but I will be honest: There are just too many bad apples in the bin. I am not trying to discredit any one company or organization, and this is only an opinion of someone who has gotten the runaround with tech support several times in the past. If you do not agree, that is fine by me.

I would like to call upon companies that outsource Tech Support to do it in house. I ask this because of two things.

1. Ultimately, outsourcing a service does not relieve a company of accountability for the results produced, whether positive or negative.

2. You make and maintain the product or service, so you should know how to use it and fix it better than a third party.