New poll

July 18, 2011

Filed under: RJS Software

As many of you know, RJS started as an AS/400 software consulting business over 20 years ago. For many years, we focused the majority of our time on developing in the iSeries / IBM i realm. As our software company grew, however, we expanded to other platforms (namely Microsoft Windows) to better serve our customers.

So as we continue to expand, we’re always curious to hear from our readers. Today we’d like to know what operating system you are currently utilizing at your company (vote in the right toolbar poll). If you use more than one, feel free to select the OS you have/would have an RJS product running on. As always, thanks for your insight!

TDL-4 botnet called “indestructible”

July 5, 2011

Filed under: Leigh's Security Tips

When I came across my first TDSS Trojan last year, I was surprised by how difficult it was to remove this nasty bug.

At the time, Kaspersky had just released an automated TDSS removal tool. When using it, however, we periodically ran into issues with the tool replacing the wrong services within the operating system.

Sophos had a lengthy manual process to solve the problem. Users were supposed to boot from their Linux-based scanner CD, scan for and identify infected service files, copy back the original service files (like atapi.sys) from the CAB files and then ultimately replace the infected files.

These were poor fixes, and luckily both companies have since created modern automated tools that can easily defeat the TDSS family. Or so we thought.

The newest member of the TDSS family appears to be indestructible.

According to an article published by Kaspersky, the latest TDL-4 variant uses public peer-to-peer (P2P) network channels instead of private channels. This means command and control traffic is difficult to distinguish from other P2P traffic. Worst of all, an infected PC can receive its commands not only from the command and control servers, but also from other infected PCs. This makes it virtually impossible to cut the head off the snake. This is quite similar to several high-profile botnets we’ve seen before, including Rustock, which needed the collective powers of Microsoft and the FBI to shut it down.

If the enhancements to the TDL-4 variant weren’t bad enough, the authors are now offering the services of the botnet to third parties to be used in distributed denial of service (DDoS) attacks. This includes an affiliate program that rewards joining members with cash payments for each new infected PC they add to the botnet herd.

Browse safely, my friends!

Microsoft recommends reinstall?

June 29, 2011

Filed under: Leigh's Security Tips

The Microsoft Malware Protection Center (MMPC) has identified a new “severe threat level” rootkit, dubbed “Trojan:Win32/Popureb.E.” This rootkit variant burrows so deeply, Microsoft recommends reinstalling the operating system and then rebooting to a restore point prior to the infection. That’s a pretty extreme repair suggestion coming from Microsoft! This has rightfully led to some raucous laughter from the Mac and Linux camps.

In this day and age there are only a few ways to get a rootkit installed:

1) Your web protection doesn’t filter out hostile links on legitimate sites.

2) Your email protection doesn’t filter out hostile attachments and spam messages.

3) Your users click on everything they see in their browser and/or email clients without any thought regarding where it came from.

4) Your users plug USB devices brought from home into their work systems.

5) Your desktop systems are configured to boot from sources other than the hard disk.

Items 1 through 4 are easily solved with a quality AV solution that offers gateway filtering for email and web, as well as an endpoint device control policy.
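To make item 2 concrete, here is an added example (written for this page, not an RJS, Sophos or Microsoft product feature) of the kind of attachment policy a mail gateway applies. It uses Python's standard email library to parse a constructed sample message and flags what a gateway would quarantine: blocked executable extensions, double extensions such as invoice.pdf.exe, a harmless-looking filename carrying an executable content type, and archives that need an inner scan. The block list, the content-type list and the sample message are assumptions made for the illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed block list for this example; a production gateway policy is larger.
BLOCKED_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta"}
# Containers that hide their contents from a filename-only check.
ARCHIVE_EXTENSIONS = {"zip", "rar", "7z"}
# Declared content types that mean "executable" whatever the filename says.
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec"}


def extension_chain(filename):
    """All dotted suffixes, lower-cased: 'invoice.pdf.exe' -> ['pdf', 'exe']."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def classify_attachment(part):
    """Policy findings for one MIME part; an empty list means it passes."""
    findings = []
    name = part.get_filename() or ""
    chain = extension_chain(name)
    last = chain[-1] if chain else ""
    ctype = part.get_content_type()
    if last in BLOCKED_EXTENSIONS:
        findings.append(f"{name}: blocked executable extension .{last}")
        if len(chain) > 1:
            # The real extension is the last one; earlier ones are decoration.
            findings.append(f"{name}: double extension .{'.'.join(chain)}")
    elif ctype in EXECUTABLE_TYPES:
        # Filename looks harmless but the declared type is an executable.
        findings.append(f"{name}: executable content type {ctype}")
    if last in ARCHIVE_EXTENSIONS:
        findings.append(f"{name}: archive attachment, needs inner scan")
    return findings


def check_message(raw):
    """Parse a raw RFC 5322 message and return all attachment findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        findings.extend(classify_attachment(part))
    return findings


def build_sample():
    """Constructed sample message: one disguised executable, one real PDF."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"MZ\x90\x00 (constructed placeholder, not a real program)",
                       maintype="application", subtype="octet-stream",
                       filename="invoice.pdf.exe")
    msg.add_attachment(b"%PDF-1.4 (constructed placeholder)",
                       maintype="application", subtype="pdf",
                       filename="terms.pdf")
    return bytes(msg)


if __name__ == "__main__":
    for finding in check_message(build_sample()):
        print("QUARANTINE:", finding)
```

Run as a script it prints two quarantine lines for invoice.pdf.exe and nothing for terms.pdf. The point of the double-extension check is that users see "invoice.pdf" in a mail client that hides known extensions, which is exactly the click described in item 3; the archive rule exists because a filename check alone says nothing about what is inside a ZIP.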

Item 5 is perhaps most critical. Passwords and domain level authentication are easily avoided when bypassing the hard drive and booting from an alternative source, leaving an open door for a rootkit to install itself. I suggest taking a quick visit to your local bookstore, perusing the magazine section and then grabbing one of the many Linux Live DVDs floating in the pages of your favorite tech mag. This nifty (and free) DVD allows you to run a full-featured OS, including network discovery tools, rainbow tables and system recovery tools that allow you to mount the hard drive and do all manner of evil to it. Imagine your office midnight cleaning crew taking a well deserved break, sitting down at your workstation, booting off of a live CD they happen to have, and surfing the internet/torrenting software which they’ll copy to a USB drive they’ve also connected.

Everything I just mentioned in item 5, however, can be defeated by disabling secondary boot options in the BIOS and setting a BIOS admin password to protect those settings from unwanted changes. With time, tools and know-how, someone could open the case and reset the BIOS by pulling the battery or shorting out the reset pin, but that takes time and effort. What this is intended to do is stop end users from leaving CDs/DVDs in the PC or inadvertently booting from USB hard drives or flash drives and possibly infecting the hard drive outside of the operating system’s protection.

Scareware on the rise and more hostile than ever!

May 24, 2011

Filed under: Leigh's Security Tips

Fakefrag is a relatively new addition to the Scareware family that was introduced last fall. Instead of behaving like the familiar FakeAV variants, this one tries to convince you to purchase the offered protection by reporting a supposed hard disk problem. Normally Scareware is just a plain nuisance and can be easily removed. This new variant, however, is more similar to Hostageware. If you allow it to run long enough, it will completely cripple your PC until you provide your credit card, at which point everything will be magically restored!

[Screenshot courtesy of Symantec]

A few thoughts on malware:

- Last week, Microsoft released their key findings report on malware infection rates of Windows by OS version. Windows 7 is by far Microsoft’s most secure OS to date.

- Mac OS X is also extremely secure. Basically the only way you can defeat it is by exploiting holes in the installed software and tricking the end user into providing their admin password, thus giving the malware free run of the system.

- Ubuntu and other Linux distributions separate the user from escalated admin privileges. The admin password is required to make major system changes.

- Malware authors will always take the path of least resistance. It’s all about return on investment.

We’re entering an age where the OS is extremely secure and the weakest link is the end user. The obvious path of least resistance for a malware author is via social engineering, as evidenced by the aforementioned Fakefrag. Why go through all the hard work of attacking a hardened OS when the right sales pitch can net you a willing end user with a readily available credit card? Just ask the AppleCare center which was flooded with calls from Mac owners looking for assistance in removing the FakeAV variant MacDefender.

Check out this fantastic video by Symantec on what Fakefrag can do to your computer:
