Viruses making a Comeback according to Microsoft Security Report

Just when you thought viruses were on the way out, it looks like they may be rearing their ugly heads yet again. According to Microsoft, the global virus detection rate hit 7.8% in the fourth quarter of 2012, with some nations reaching over 40%.

With the increase in Trojans and credential stealers, many thought we had seen the last days of old-fashioned file-infecting viruses. But Tim Rains, Microsoft’s Director of Trustworthy Computing, says that virus use is again trending upwards, with some locations being hit harder than others:

“Locations with high levels of Viruses included Pakistan (Viruses found on 44% of systems with detections), Indonesia (40%), Ethiopia (40%), Bangladesh (38%), Somalia (37%), Egypt (36%), and Afghanistan (35%). Looking at this list of locations it seems that most of these places don’t have the same levels of Internet connectivity/bandwidth that locations in North America and Europe have.”

And one virus seems to stand above the rest – Win32/Sality, a polymorphic file infector. According to Microsoft, Sality was detected on over 8 million Windows XP machines in 2012. The virus was not nearly as effective against Microsoft’s newer operating systems.

Just a reminder to keep your systems and anti-virus program up to date, and if your company is still running Windows XP, it is really time to move on to Windows 7 at least. Windows 7 has several security enhancements that make it inherently more resistant to online threats than the aging XP.

For more information check out the Microsoft Security Intelligence Report.


Chinese Security firm Discovers new BIOS based Virus

Chinese AV company 360 has discovered a new Trojan, the “BMW Virus” (also called Mebromi), that can actually infect a computer’s BIOS:

“BMW 360 Security Center virus is the latest catch of a high-risk virus, the virus that infected a chain BIOS (motherboard chip program), MBR (master boot drive) and Windows system files, reinstall the system, regardless of the victim computer, format the hard disk, or replace the hard disk can not completely remove the virus.” – Translated 360 page

According to The H Security, when a system is infected, the Trojan checks to see if the system has an Award BIOS. If it does, it hooks itself into the BIOS. Once the system is restarted, it adds itself to the hard drive’s master boot record (MBR). Next it infects the winlogon.exe or winnt.exe system file (depending on the Windows version).

The malware is also a Trojan downloader: it will connect out and try to download other malware to the infected system.

If the system uses a BIOS other than Award, the Trojan skips trying to write to the BIOS, but still tries to infect the MBR of the boot hard drive.

Removing the virus from the MBR and the infected files really has no lasting effect, because as soon as the system is restarted, the infected BIOS runs and re-infects the computer.

Since most anti-virus companies will not want to create a BIOS cleaning utility, the BIOS would most likely need to be re-flashed to remove the infection completely.
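One defensive check that follows from the persistence chain described above is MBR integrity monitoring: a bootkit like the one described swaps the 446-byte bootstrap code but leaves the 64-byte partition table intact so the machine still boots, whereas a legitimate repartition or reinstall normally changes the partition table as well. The script below is an added example, not code from the article, 360 or The H Security; the MBR layout it assumes is the standard 446-byte boot code, 64-byte partition table and 0x55AA signature, and both MBR images are constructed samples.

```python
import hashlib

MBR_SIZE = 512
BOOT_CODE_LEN = 446     # bytes 0..445: bootstrap code (the part a bootkit overwrites)
PART_TABLE_OFF = 446    # bytes 446..509: four 16-byte partition entries
SIGNATURE_OFF = 510     # bytes 510..511: 0x55 0xAA boot signature


def split_mbr(mbr: bytes):
    """Split a raw 512-byte MBR into (boot code, partition table, signature)."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    return mbr[:BOOT_CODE_LEN], mbr[PART_TABLE_OFF:SIGNATURE_OFF], mbr[SIGNATURE_OFF:]


def check_mbr(baseline: bytes, current: bytes) -> dict:
    """Compare a trusted MBR snapshot with the MBR read now (e.g. after a reboot)."""
    b_code, b_table, _ = split_mbr(baseline)
    c_code, c_table, c_sig = split_mbr(current)
    result = {
        "valid_signature": c_sig == b"\x55\xaa",
        "boot_code_changed": hashlib.sha256(b_code).digest() != hashlib.sha256(c_code).digest(),
        "partition_table_changed": b_table != c_table,
    }
    # Boot code replaced while the partition table is untouched is the bootkit pattern;
    # a repartition or OS reinstall would normally change the table too.
    result["bootkit_suspected"] = result["boot_code_changed"] and not result["partition_table_changed"]
    return result


def make_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR: pads the given boot code and adds one bootable NTFS entry."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    # status 0x80 (bootable), CHS start, type 0x07, CHS end, LBA start 63, 2 GiB of sectors
    entry = (bytes([0x80, 0x01, 0x01, 0x00, 0x07, 0xFE, 0xFF, 0xFF])
             + (63).to_bytes(4, "little") + (2097152).to_bytes(4, "little"))
    table = entry + b"\x00" * 48          # three empty entries
    return code + table + b"\x55\xaa"


BASELINE_MBR = make_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")  # constructed "clean" snapshot
TAMPERED_MBR = make_sample_mbr(b"\xeb\x3c\x90BOOTKIT")               # constructed: code swapped, table kept

if __name__ == "__main__":
    # On a live Windows host the current MBR would come from the first 512 bytes of
    # \\.\PhysicalDrive0 (administrator rights required); here the sample stands in.
    print(check_mbr(BASELINE_MBR, TAMPERED_MBR))
```

Because the BIOS re-infects the MBR on every boot, the useful signal is the comparison drifting back to "bootkit_suspected" after a clean-up and reboot, which is exactly the behaviour the article describes.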

Do not Allow Internet Browsers or Security Programs Save Passwords

The first time you surf to a website that asks for a password, your browser will ask you if you want to remember it.

What a great idea! The browser can save the password and I won’t have to remember all the different passwords I have for different sites!

What seems like a good thing really isn’t. If your computer is infected by an advanced threat like the ZeuS banking Trojan, one of the first things it does is look for your stored passwords and send them to the malware’s command and control server.

This is not just the passwords stored by IE or Firefox, but also passwords stored by “Internet Security Programs” that are supposed to save and protect your passwords.

The best bet is to never allow your internet browser (or security program) to save passwords for you.

So what can you do if you have already told your browser to save your passwords? In Internet Explorer go to “Safety”, then “Delete Browsing History”. You will see a screen like the one above. Just make sure “Passwords” is checked and then hit “Delete”.

In Firefox go to “Tools”, “Options”, “Security”, “Saved Passwords” and “Delete all”. That should do it.

If you are interested in learning more about the current version of ZeuS and what it can do, check out the Secureworks Threat Analysis.