Thursday, August 28, 2008

XP AntiVirus 2008 Fun...Not

Many of you have more then likely heard about the newest wave of malware, XP AntiVirus 2008, 2009, or the other list of names they are toting now. For those of you who have, skip below to the "story", for the rest, continue, and I'll briefly describe the newest trendy threat.

Threat:

Over the past few months large-scale web-defacement sprees have been compromising legitimate (popular) websites and injecting a whole slew of malicious code. Big-name sites once compromised, would deliver malware directly to the unsuspecting users who visited the site. With trust on the malware distributors side, many users would ignore the typical security precautions.

As this practice became more wide-spread the malware became a bit more "realistic" and "authentic" looking. The attacks turned from the typical "mysterious" files being pushed to the system, to an elaborate social-engineering workshop.

New malware is being developed that looks and functions much like real software. The first to hit the circuits was XP AntiVirus. The malware looks and functions exactly like real Anti Virus software, however in the background it is stealing all of your personal information (passwords, financial information, etc, etc).

Users would visit a legitamet (and trusted) website, which would inform them that "XP" had released an update to their AV product. Knowing they were on a popular, trusted site, they would then click "Ok", download the software and become infected.

Screenshots:



The Background:

My mother owns a number of computers, ranging from personal servers (that I have setup) to a few laptops. She runs Linux on everything, not by choice, simply because I force her to. I don't mean to sound harsh about it, but Linux doesn't suffer from half of the problems Windows does. And that is even more true with someone like your mother (who is more then likely not computer savvy).

However, I lied a bit, she does own and use one Windows-based laptop. Only one, every other component runs Linux (even the router). She refuses to give up this system, at all costs. Mainly due to a few very Linux-unfriendly websites and my lack of time to help get them working.

Of course this one Windows system is the one I receive the most "calls" about. Nothing is every working correctly, and every time I touch the thing there is another piece of spyware.

So after this last "rebuild" of the system I locked things down really well. To the point she was annoyed at the lack of usability. Unfortunately I made the mistake of locking the system down from external "unwanted" penetration. I didn't put much protection in place from the user. I assumed all of the "awareness" would work, and the system would stay in a fairly clean state.

Don't misunderstand, there were security applications, that prompted her when malice actions may be present (even if she was the one who started them), but lets face it, everyone clicks "Allow" anyway.

The Problem:

I was partially correct, the "awareness" did work, she herself did not infect her system with anything. But my brother did.

She was out of the house, and he "snuck" onto the system (which just-so-happened to be mistakenly unlocked). He downloaded the XPAV software to his PSP (Portable Playstation) and then transferred it to the laptop. He then installed the application (or should we now call it malware). Allowed all web-updates and downloads of further trojans. And then denied the entire thing.

The Solution:

This malware is changing everyday, and each infection is different. The malware downloads a number of additional malice components, and most is undetectable by current signatures.

So a complete re-install of Windows, and a lot of yelling was in order.

The Lesson:

Of course you have heard this before, and I can assure you, you will hear it again. The user is always the weakest link, and no matter how secure the system is, you have to educate the users. And protect yourself against them.

Also, don't just educate the primary user, stress the issues to anyone who may come in contact the system.

Oh - and lock your screen when you walk away.

More information of the malware can be found: here, here, or here.

No comments: