Viruses making a Comeback according to Microsoft Security Report

Just when you thought viruses were on the way out, it looks like they may be rearing their ugly head yet again. According to Microsoft, the global virus detection rate hit 7.8% in the fourth quarter of 2012, with some nations reaching over 40%.

With the increase of Trojans and credential stealers, many thought we had seen the last days of old-fashioned file-infecting viruses. But Tim Rains, Microsoft’s Director of Trustworthy Computing, says that virus prevalence is again trending upward, with some locations being hit harder than others:

“Locations with high levels of Viruses included Pakistan (Viruses found on 44% of systems with detections), Indonesia (40%), Ethiopia (40%), Bangladesh (38%), Somalia (37%), Egypt (36%), and Afghanistan (35%). Looking at this list of locations it seems that most of these places don’t have the same levels of Internet connectivity/bandwidth that locations in North America and Europe have.”

And one virus seems to stand above the rest – Win32/Sality, a polymorphic file infector. According to Microsoft, Sality was detected on over 8 million Windows XP machines in 2012. The virus was far less effective against Microsoft’s newer operating systems.

Just a reminder to keep your systems and anti-virus program up to date and if your company is still running Windows XP, it is really time to move on to Windows 7 at least. Windows 7 has several security enhancements making it inherently more secure against online threats as compared to the aging XP.

For more information check out the Microsoft Security Intelligence Report.

“It was Just a Virus” – Full Data Breaches through Malicious Attachments

(Screenshot: Process Monitor)

If a malware file is allowed to execute, and it collects all of the personal files off of a system and sends them to a remote hacker, was your company hacked or did you “just have a virus?”

I love all parts of security and I’ve been trying my hand at some basic malware analysis. I’ve only analyzed a few so far, but the results have been pretty eye opening. A couple of files inspected were new data miners, part of a phishing or social engineering attack.

Basically, a corporate user would receive a crafted e-mail saying that they have received a fax from their internal fax server. Sure enough, the e-mail carries what looks like a PDF attachment. But once the “attachment” is executed, the user gets a whole lot more than a fax.

The “.pdf” file is actually an executable malware file using a PDF logo as an icon. The file executes a data mining attack that searches the hard drive for personal data, browser caches, system files, registry settings, installed applications – including FTP and security programs, remote access programs, file manager programs, web site authoring software, and even clients for remote online storage.

Once it gathers this information, it tries to connect to a foreign server to upload the purloined data.
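As an added example (not code from the original post), here is a small Python check that does what a mail gateway or help desk should do with a suspicious “fax” attachment: compare the type the filename claims with the type the leading bytes actually reveal, and flag the double-extension trick. The sample PE blob, the PDF sample and the extension lists are constructed for illustration.

```python
import os
import struct

# Byte signatures used to identify the real file type.
PDF_MAGIC = b"%PDF-"
MZ_MAGIC = b"MZ"
# Extensions users read as "documents" versus ones Windows will actually execute.
DOCUMENT_EXTS = {".pdf", ".doc", ".txt", ".tif"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def sniff_type(data: bytes) -> str:
    """Classify a blob by its leading bytes, ignoring whatever the filename claims."""
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(MZ_MAGIC) and len(data) >= 0x40:
        # In a PE file the DWORD at 0x3C (e_lfanew) points at the 'PE\0\0' signature.
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]
        if data[pe_off:pe_off + 4] == b"PE\0\0":
            return "pe"
    return "unknown"


def check_attachment(filename: str, data: bytes) -> dict:
    """Flag a name/content mismatch of the kind the fake-fax lure relies on."""
    root, last_ext = os.path.splitext(filename.lower())
    _, inner_ext = os.path.splitext(root)   # catches "fax.pdf.exe"
    actual = sniff_type(data)
    reasons = []
    if actual == "pe":
        reasons.append("contents are a Windows PE executable")
        if last_ext in DOCUMENT_EXTS:
            reasons.append("extension %s claims a document" % last_ext)
    if last_ext in EXECUTABLE_EXTS and inner_ext in DOCUMENT_EXTS:
        reasons.append("double extension %s%s hides the real type" % (inner_ext, last_ext))
    return {"filename": filename, "declared": last_ext, "actual": actual,
            "suspicious": bool(reasons), "reasons": reasons}


def make_fake_pe() -> bytes:
    """Constructed PE-shaped blob (MZ header, e_lfanew=0x40, PE signature); not a real program."""
    return b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 60


if __name__ == "__main__":
    # Constructed samples: a genuine PDF and the lure described in the post.
    for name, blob in [("fax.pdf", b"%PDF-1.4\n%constructed sample\n"),
                       ("fax.pdf.exe", make_fake_pe())]:
        print(check_attachment(name, blob))
```

Windows hides known extensions by default, so “fax.pdf.exe” is shown to the user as “fax.pdf”, which is why the check looks at the bytes rather than trusting the name.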

So should these attacks be considered “just a virus”, or should this be considered a full data breach?

All the elements of “being hacked” are present. Private data files, including password files and databases could have been obtained. And then the information is sent out of the network to a remote hacker’s server set up to receive the info. Malware is already running on the system, so how hard would it be to use the system as a persistent backdoor into the corporation?

And lastly, these evil infiltrators are coded to bypass anti-virus and firewalls – only 2 AV companies detected one of the malicious executables I examined as containing a Trojan. And since the program connects back out to the malware server from your system after executing, your firewall does not block it.

Sure most companies consider that they were hacked when their server has been compromised, but what if a top engineer who kept classified research information on his system or an IT administrator of a secure facility allowed the phishing e-mail to run?

And how would these people even know that private data was sent out from their network if no network security monitoring was in effect? Would they just write off the attack saying, “It was just a virus…”?

Long gone are the misspelled, fake-looking social engineering attacks. E-mail attacks are getting much better; they look professional and are believable, especially when your company uses some of the same software that the e-mail is pretending to be (like an incoming fax message).

Employees need to be warned that malicious e-mails exist and that they try to replicate legitimate communication, and that if something looks or feels suspicious, they should not run it but contact your support department.

Sure, this will probably mean more calls to the data center, but if you can catch these things BEFORE they execute, you can take steps to protect your network. Especially if you find out which servers they are trying to connect out to, since you can block those addresses so that others who aren’t as vigilant will be protected too.

Malware Infection Rate by Country – Who has the most Viruses?

Ever wonder what the world virus infection rate is? Or how your country stands in protecting their system from viruses? Well, look no further than BitDefender’s Real Time Virus Reports at

Set the sample range to 7 days and you find that:

  • US – 58%
  • UK – 55.05%
  • India – 62.53%
  • Russia – 83.92%
  • Germany – 34.13%
  • Italy – 35.55%

Iran takes the prize as most infected, 97.95% of systems scanned had malware!

Okay, a look at the top viruses for each country shows a lot of cookie-based detections, which may or may not be real viruses, but the rates are high nonetheless.

But how does this compare to what other vendors are finding?

According to the latest Panda Labs virus report, the countries that had the most viruses for the 3rd Quarter of 2011 are:

And the least infected countries for Q3 2011:

That is a lot of infected machines. You have to wonder how many of those systems are infected with bot malware, credential-stealing viruses or backdoor Trojans.

Always install your operating system and application software updates, keep your anti-virus up to date, use a firewall and a script blocking program like NoScript.

How to Recognize and Analyze a Fake Anti-Virus Message

I was surfing the web the other day looking for photos and received this error when clicking on an image in Google:

Wow, I thought, this can’t be good, Windows Security has found some critical issues on my system and needs to do a system scan. Something must be very wrong. Thank goodness that this helpful website is offering to scan my system for me.

Actually, nothing could be further from the truth.

Okay, I knew right away that this was a fake message. How? I clicked on a photo and ended up at a completely different website that showed this security alert. This is not how Google normally behaves when you click on an image. It usually takes you to a webpage and shows the image you clicked on in the foreground, while the picture’s source page is shown in the background.

Also, Windows does not show alerts like this. Windows 7 uses a little red “x” on the white flag at the bottom right side of your desktop when there is a security alert. In addition, the message looks nothing like a standard alert from my anti-virus software, so I knew that this online scan was bogus.

It would have been more believable, too, if I had actually been running Windows at the time, which I was not, but what the heck, let’s see what happens when we click “OK”.

(Never click on these messages by the way, just close the whole browser window with the red “X”. Run your own anti-virus program to do a scan, never an online one).

Right away the “helpful” program comes up and runs a system scan. It isn’t really doing a scan, by the way; it just builds the page with HTML and scripts to make it look believable. It does look like a legit Windows screen, except that it all shows up in a browser window, and again, I am not even running Windows on this system!

It then wants me to click on the “Remove All” button, which I did not. Doing so will usually prompt you to download and install the bogus anti-virus program. Allowing the program to run will install the malware on your system. This particular brand of malware, once installed, brings up a very believable anti-virus screen and tells you that you need to purchase a license to use it. It also asks for your credit card.

When trying to figure out how I was redirected to this fake AV site from clicking on a Google image, I found something interesting. Hovering over the picture, I noticed that the website shown under the image looked legit, but the image URL (which displays if you hover over the image) pointed to a completely different website. The Google imgrefurl parameter was a mile long and contained random upper- and lower-case letters. Clicking on the image immediately took me to the bogus site and kicked off the fake anti-virus message.

So what can we do to see what the fake site is really doing?
(Just a warning – Don’t play with malware sites, especially on production systems, doing so could get your system infected!)

There are several free malware analysis websites available. For this one, I chose Anubis. Anubis is backed by Secure Business Austria and is developed by the International Secure Systems Lab. It is an open framework for malware analysis, and the nice thing is that it allows you to submit sites by URL. From the Anubis home page, just paste in the suspicious target website address and it will examine the webpage with a simulated Internet Explorer interface. Anubis acts like an IE honeypot and records everything the page tries to do.

After you submit the page, it takes a few minutes for Anubis to perform the analysis. When it is finished it provides you with an in-depth report of what it finds.

Submitting this suspicious URL to Anubis resulted in a 9-page report. Below is an abbreviated summary of what Anubis found the website code tries to do:

  • Changes security settings of Internet Explorer: This system alteration could seriously affect safety surfing the World Wide Web. RISK – MEDIUM
  • Performs Registry Activities: The executable creates and/or modifies registry entries. RISK – LOW

Further on in the report, under Registry Activities, Anubis reported that the website code tries to modify 3 Windows registry settings and tries to read over 50 more.

Finally it tries to read your Internet history and monitors the use of 6 keyboard keys and all three mouse buttons.

This is just what one of the malware analysis services found on the malicious website alone. Allowing the site to download the full malware to your system would bring in another level of problems.

With the rash of fake online anti-virus type attacks, including the most recent LizaMoon attack, it is important to remember to not allow any programs to run from unknown websites.