Search Engine Malware – The Same Old, Same Old

In the News within the past 3 days –

Web security firm Armorize – over 6 million e-commerce web pages have been compromised in order to serve malware to users.

Ed Bott Report – criminal gangs that specialize in malware love search engines, because they represent an ideal vector for getting Windows users to click on links that lead to potentially dangerous Trojans. The latest attack targets ads, and the social engineering is frighteningly good.

Not in the News –

The specifics may be news but, this particular malware attack vector is so old I’m surprised that more Internet users aren’t aware of it. No, I take that back – based on a conversation I had just last night.

Me: “So, what antimalware applications are you currently running?”

She: “Well, I can cut and paste and I can get on the Internet, but I don’t worry about all that other stuff. I don’t understand it anyway.”

I’m well past the point where I allow myself to show surprise when I hear this type of response – it’s just so typical. Given that level of knowledge, it’s hardly surprising then, that consumer confidence in the reliability of search engine results, including relevant ads, is taken for granted.

I’ve yet to meet a typical user who would consider questioning a search engine’s output as to its relevant safety.  It’s been my experience, that typical Internet users blindly assume all search engine results are malware free.

This, despite the reality that the manipulation of search engine results, exploiting legitimate pages, and the seeding of malicious websites among the top results returned by search engines in order to infect users with malware, is a continuing threat to system security.

Here’s how the cyber crooks do it:

When a potential victim visits one of these infected sites the likelihood of the downloading of malicious code onto the computer by exploiting existing vulnerabilities is high.

Let’s take, as an example, a typical user running a search for “great vacation spots” on one of the popular search engines.

Unknown to the user, the search engine returns a malicious or compromised web page as one of the most popular sites. Users with less than complete Internet security who visit this page will have an extremely high chance of becoming infected.

There are a number of ways that this can occur. Cyber-crooks can exploit vulnerabilities on the server hosting the web page to insert an iFrame, (an HTML element which makes it possible to embed another HTML document inside the main document). The iFrame can then activate the download of malicious code by exploiting additional vulnerabilities on the visiting machine.

Alternatively, a new web page can be built, with iFrames inserted, that can lead to malware downloads. This new web page appears to be legitimate. In the example mentioned earlier, the web page would appear to be a typical page offering great vacation spots.

Be proactive when it comes to your computer’s security; make sure you have adequate software based protection to reduce the chances that your machine will become infected.

Install an Internet Browser add-on such as WOT (my personal favorite), which provides detailed test results on a site’s safety; protecting you from security threats including spyware, adware, spam, viruses, browser exploits, and online scams

Don’t open unknown email attachments

Don’t run programs of unknown origin

Disable hidden filename extensions

Keep all applications (including your operating system) patched

Turn off your computer or disconnect from the network when not in use

Disable Java, JavaScript, and ActiveX if possible

Disable scripting features in email programs

Make regular backups of critical data

Make a boot disk in case your computer is damaged or compromised

Turn off file and printer sharing on the computer

Install a personal firewall on the computer

Install anti-virus and anti-spyware software and ensure it is configured to automatically update when you are connected to the Internet

Ensure the anti-virus software scans all e-mail attachments

Be proactive when it comes to your computer’s security; make sure you have adequate software based protection to reduce the chances that your machine will become infected.

The following comment (posted here March 15, 2011), illustrates perfectly the issues discussed in this article.

Funny you write about this today. I was reading about the spider issue Mazda was having and wanted to know what the spider looked like so I Googled it, went to images and there it was. There was also a US map that had areas highlighted, assuming where the spiders exist, and before I clicked on the map I made sure there was the green “O” for WOT for security reasons.

I clicked on the map and BAM I was redirected instantly and hit w/ the “You have a virus” scan malware. I turned off my modem then shut my computer off. I restarted it and scanned my computer w/ MS Security Essentials and Super Anti Spyware. MS Essentials found Exploit:Java/CVE-2010-0094.AF, and Trojan:Java/Mesdeh and removed them. I use WOT all the time, but now I’m going to be super cautious.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

Norton Cybercrime Index – Scaring You By The Numbers

Where I live in Canada, Winter weather can be very uncertain, and driving and travel conditions are obviously affected accordingly. So, for safety’s sake, it’s important to be aware of highway, expressway, and local road conditions.

A fairly typical February day in my neighborhood:

Luckily, The Weather Network which is available either Online, or via broadcast TV, provides a “road conditions” report which indicates which roads are clear, ice covered, snow covered, slippery, and so on.

I’m very certain that this road conditions report has value, and is an effective aid designed to increase safe driving awareness and reduce the risk factor associated with Winter driving.

But, I’m less certain about a new service (February 16, 2011), Norton Cybercrime Index, which is ostensibly designed to alert users to the slippery spots, and other unsafe road conditions, on the Internet highway – by assigning a unique daily cybercrime index number.

According to the company, “The Norton Cybercrime Index alerts consumers to today’s online trouble-spots and potential hazards, including the day’s most dangerous websites, the most hijacked search terms by cybercriminals, as well as top scams, identity theft and spam. The free tool includes expert news about the day’s most dangerous threat and advice on how to avoid it to stay safe online.”

Adam Palmer, Norton lead cyber security advisor, referencing this new service, made the point that Norton’s “goal is to have people add the Norton Cybercrime Index to their daily routine to get a clear understanding of the dangers that are threatening them online, and to take preventative action to avoid falling victim.”

And that’s where I take issue with this type of “helper aid”. Internet threat level indicators are utter nonsense – they just raise the fear level (a good thing if you sell security applications), and have little, or no, constructive purpose.

Either a continuing unsafe condition exists, or it doesn’t. If it does exist, applying an arbitrary numerical descriptor has no positive impact on a specific individual’s behavior.

Unless one has been on an Intergalactic voyage for the last few years, the average Internet users is reasonably aware that the Internet is a veritable unlimited hunting ground for cybercriminals. The daily specifics covering a few selected threats, out of literally thousands of such new threats, is counterproductive. The reality is, many security threats morph and change by the minute.

I can hear this imaginary conversation at my local pub.

He: I see the Internet threat level hit 142 today.

Me: Yeah, but yesterday it was at 183. Must mean things are getting better, no?

So my question is – just how is Norton Cybercrime Index supposed to make Internet users’ more cyber-aware, and more vigilant? It seems to me that Internet users’ who are lacking in cyber-awareness, or who engage in unsafe surfing practices, are unlikely to pay any attention.

Undoubtedly, the majority of Internet users’ need to “get a clear understanding of the dangers that are threatening them online”, but that requires education, and a consistent dedication to practical principals of cyber security. Not an artificial reliance on a threat indicator that is essentially meaningless, and potentially confusing.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

Twitter, Tweets, Cyber-Criminals And You

I like the idea that technology makes it easier to stay “connected”, but Facebook , Twitter and the like, take that connected feeling well past my comfort zone. While I do have several Twitter accounts, those accounts are dedicated to professional tweets only.

Despite my personal reluctance to be “hard connected”, I can certainly understand the attraction of social networking – particularly for the “wired” generation. I have no problem accepting that the social relevancy of Twitter and Facebook, is substantial.

Although, I must admit, I fail to see the social relevancy of the inane “look at me” tweets, posted to Twitter by celebrities like Demi Moore, or Ashton Kutcher. I’m just not driven by the paparazzi mentality, I guess.

Despite the obvious benefits of social networking, these sites are not without risk. Twitter, Facebook and other social networking sites, are now a veritable snake pit of nasty socially engineered malware attacks.

The “wired” generation, who are anything but “wired”, in my view, when it comes to good security practices, have taken their inadequate security habits over to Twitter, Facebook, and elsewhere. As a result, social networking sites have proven to be a gold mine for cyber-criminals.

Not a day goes by, where I don’t report in my Tech Net News column, on another virus, worm, or Trojan, targeting Twitter and Facebook users. Despite constant warnings NOT to click on embedded links, or respond to social network generated emails, a considerable number of users blithely ignore this critical advice. Go figure!

On balance, social networking is a good thing – it’s opened new doorways of opportunity to stay connected. But, with those positive opportunities, comes a new set of opportunities for cyber-criminals. Now, more than ever, if you are a social network aficionado, you need to be aware of the risks.

Minimum social networking safe practices:

Don’t let your guard down – assume every link in Twitter is potentially unsafe – including links from friends.

Be particularly cautious of shortened URLs.

Don’t trust social network e-mails – including emails that are purportedly from Twitter support.

Be aware that a single wrong click can lead to a drive-by-download infection.

It should go without saying that you must keep all applications (including your operating system) patched.

Install anti-virus/anti-spyware software and ensure it is configured to automatically update when you are connected to the Internet.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

Rogue Security Software On The Rise – What You Need to Know Now!

If the day should ever come when anti-malware applications achieve a 100% effective rate in the detection of malware, or software developers develop operating systems and applications that are fully malware resistant, I’ll have to find something else to Blog about! It doesn’t look like that day is likely to happen soon however. In the meantime many of us will continue to download and test/tryout the latest, greatest, and newest anti-malware tools.

Knowing this, Cyber crooks will continue to develop and distribute “rogue security software”. Unless you have had the bad experience of installing this type of malicious software, you may not be aware that such a class of software even exists. But it does.

Rogue security software is software that uses malware, or malicious tools, to advertise or install itself. Often, after installation on a system, an attempt is made to force users to pay for removal of nonexistent spyware. Rogue software will often install and use a Trojan horse to download a trial version, or it will perform other actions on a machine that are detrimental such as slowing down the computer drastically.

After installation of rogue security software, false positives; a fake or false malware detection warning in a computer scan, are the primary method used to convince the unlucky user to purchase the product. After all, a dialogue box that states “WARNING! Your computer is infected with spyware! – Buy [XYZ] to remove it!” is a powerful motivator. Clicking on the OK button takes the user to the product download site.

Another warning message typical of rogue anti-spyware software is as follows: “System has detected a number of active spyware applications that may impact the performance of your computer. Click the icon to get rid of unwanted spyware by downloading an up-to-date anti-spyware solution”.

Generally, reputable anti-spyware software is capable of detecting rogue software if it attempts to install, or on a malware scan. But this is not always the case. Anti-malware programs that rely on a definition database can be behind the curve in recognizing the newest threats.

A good partial solution to this problem is to ensure you have installed, and are running, an anti-malware application such as ThreatFire3, free from PC Tools. This type of program operates using heuristics, or behavioral analysis to identify newer threats.

As well, Malwarebytes, a reliable anti-malware company has created a free application to help keep you safe and secure. RogueRemover will safely remove WinAntiSpyware/WinAntiVirus, SpyAxe, VirusBlast, VirusBursters, as well as a number of other rogue applications.

Download from MajorGeeks.com

An absolute must is to make sure that the security application you are considering installing is recognized as legitimate by industry experts. An excellent web site that will keep you in the loop, and advise you what products work and have a deserved reputation for quality performance is Spyware Warrior.

Some current rogue software includes:

• AntiVirGear
• AntiVirusGold
• Cleanator
• DriveCleaner
• EasySpywareCleaner
• InfeStop
• Malware Alarm
• PCSecureSystem
• PestTrap
• SpyAxe
• Spydawn
• Spylocked
• SpySheriff
• SpySpotter
• Spyware Quake
• Spyware Stormer
• Spy-Rid
• System Live Protect
• UltimateCleaner
• VirusHeat
• VirusProtectPro
• WinAntivirus2006
• WinFixer

Always remember of course, that you are your greatest line of defense against malware. STOP. THINK. CLICK