
Security Blog

 

Recently in Malware Category

New BIOS Virus in the Wild

Posted By Netgear Threat Lab at 3:08 PM, November 23, 2011

BIOS (Basic Input / Output System) is a small program that runs when the computer first boots up. When the BIOS is loaded, the computer knows only the most basic hardware information; nothing about the overlying OS is known at that time. So if the BIOS is infected, it would undoubtedly be a very bad thing: anti-virus software would have a terrible time trying to remove the virus, reinstalling the system would be useless, and even replacing the hard disk would do nothing to eliminate the virus.

One of the more memorable BIOS-targeting viruses was known as the CIH virus (1999). This particular virus caused tremendous damage and was named as one of the world's top ten viruses by a number of security organizations. We recently found another BIOS virus infection spreading globally, named Rootkit.Win32.Mybios.a. This virus is usually bundled with game software, tricking users into turning off their security software and subsequently attacking the BIOS, the MBR (master boot record), and Windows system files.

First, the virus will drop bios.sys, flash.dll, my.sys, hook.rom and cbrom.exe in an attempt to infect the BIOS. Once the BIOS is infected, an additional ISA module called Hook.rom will be added to the BIOS. Its role is to detect whether the MBR is infected. If it finds that the MBR is not yet infected, it will write virus code located in the BIOS into about 14 sectors of the MBR area, and then save the original MBR to sector 8.

Second, when the infected part of the MBR is loaded and executed, it runs different viral code depending on the OS, targeting winlogon.exe (XP/2003) or wininit.exe (Win7/Vista). When the infected executable is run, the screen displays "Find it ok! ". This behavior can also be used to determine whether the machine has been infected by the virus.

Third, when the infected winlogon.exe is loaded at run time, it will attempt to download a variety of malicious programs from a remote server.

The virus will also load my.sys. This driver will hook disk.sys and prevent anti-virus software from repairing the infected MBR.
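As an added example (not code from this post or from Netgear), the following script checks a raw disk image for the traces the post describes: non-empty sectors in the reserved track before the first partition, a copy of the MBR stashed in sector 8, and the "Find it ok!" string. The sample images are constructed inside the script; sector layout and offsets are assumptions based on the post's description, and on a real machine you would read the first 63 sectors of the physical disk instead.

```python
import struct

SECTOR = 512
MARKER = b"Find it ok!"   # string the post says the infected loader prints on screen

def partition_start_lba(mbr):
    """Lowest start LBA among the used partition entries (63 if the table is empty)."""
    starts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 462 + 16 * i]
        if entry[4] != 0:                                  # partition type byte
            starts.append(struct.unpack_from("<I", entry, 8)[0])
    return min(starts) if starts else 63

def looks_like_mbr(sector):
    """Boot signature plus at least one populated partition entry."""
    return sector[510:512] == b"\x55\xAA" and any(sector[450 + 16 * i] for i in range(4))

def inspect_image(image):
    """Heuristic checks on the reserved track between the MBR and the first partition."""
    findings = []
    mbr = image[:SECTOR]
    if mbr[510:512] != b"\x55\xAA":
        findings.append("sector 0 lacks the 0x55AA boot signature")
    end = min(partition_start_lba(mbr), len(image) // SECTOR)
    used = [n for n in range(1, end) if any(image[n * SECTOR:(n + 1) * SECTOR])]
    if used:
        findings.append(f"{len(used)} non-empty sector(s) before first partition: {used[:5]}")
    if end > 8 and looks_like_mbr(image[8 * SECTOR:9 * SECTOR]):
        findings.append("sector 8 contains an MBR copy (stashed original boot record)")
    if MARKER in image[:end * SECTOR]:
        findings.append("'Find it ok!' marker present in reserved track")
    return findings

def clean_image(sectors=63):
    """Constructed image: ordinary MBR, one NTFS partition at LBA 63, empty reserved track."""
    mbr = bytearray(SECTOR)
    mbr[0:3] = b"\xEB\x3C\x90"                             # stand-in boot code
    struct.pack_into("<8BII", mbr, 446, 0x80, 1, 1, 0, 0x07, 0xFE, 0xFF, 0xFF, 63, 1000)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr) + bytes(SECTOR * (sectors - 1))

def infected_image():
    """Constructed image mimicking the post's description of the Mybios MBR stage."""
    img = bytearray(clean_image())
    original = bytes(img[:SECTOR])
    for n in range(14):                                    # ~14 sectors of loader code
        img[n * SECTOR:(n + 1) * SECTOR] = b"\x90" * SECTOR
    img[446:SECTOR] = original[446:SECTOR]                 # table and signature stay bootable
    img[8 * SECTOR:9 * SECTOR] = original                  # original MBR saved to sector 8
    img[SECTOR:SECTOR + len(MARKER)] = MARKER
    return bytes(img)

if __name__ == "__main__":
    print("clean:", inspect_image(clean_image()))
    print("infected:", inspect_image(infected_image()))
```

An empty reserved track is typical of XP-era disks; on newer layouts (GPT, 1 MiB alignment, boot managers that use those sectors) the non-empty-sector check alone is a weak signal and the sector 8 and marker checks carry more weight.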

As always, we remind users to update their virus definitions and system patches, and not to open suspicious files or game plug-ins.

Posted by: Netgear Threat Lab at 3:08 PM
Categories: Netgear Threat Lab , Malware

 

Extended Wildlist Testing - Now a Standard of ICSA Labs

Posted By Jason at 5:11 PM, October 31, 2011

For the past two years, we at NETGEAR ProSecure have been advocating the need to ask "How well does my security system actually work?"

Multiple reports conducted by third parties show that our systems are more effective at stopping threats than the others...

And now ICSA Labs' Anti-Virus certification program is testing not only the WildList (a database of real-world viruses considered harmful to PC users) but also the Extended WildList, which consists of additional malware, such as keyloggers and Trojans.

ProSecure has been using the Extended WildList for two years now, ahead of ICSA Labs.

Posted by: Jason at 5:11 PM
Categories: General , Malware , Viruses , Worms

 

Android Malware BaseBridge on the Rise

Posted By Pete at 6:27 PM, June 5, 2011

Security Week writes that mobile security company NetQin is reporting that malware specifically targeting Android devices has been spotted in the wild. The malware "BaseBridge" has been spotted in over 20 different Android applications throughout the Internet. You can find more detailed info on how the infection occurs in the link above, but the point I'm trying to make is that this is just the tip of the iceberg.

Smartphones and tablets have seen significant growth over the past few years. Their processing power and sophistication have gotten to the point where they are basically PCs in a smaller form factor. They have fully functional web browsers capable of executing complex scripts, and have access to the same dangerous sites and files. However, compared to PCs, these Android or iOS based mobile devices have little to no malware protection (even with more security software, PCs already see their fair share of infections and attacks). Security companies and device makers really have to take a long hard look at hardening the security of these devices, in a hurry. It's just a matter of time before a cell phone based botnet uses a DDoS attack to take down a wireless data network.

Posted by: Pete at 6:27 PM
Categories: Malware

 

"Anti-Anti-Virus" Bohu Attacks Cloud-based AV

Posted By Netgear Threat Lab at 5:39 PM, May 27, 2011

Cloud anti-virus refers to the use of the "Cloud" for the purpose of stopping viruses. In recent years, a number of security vendors have deployed cloud-based AV solutions. In this type of infrastructure, virus data from the client is uploaded to the cloud server for analysis. The server(s) in the cloud will then report the results back to the client. Compared with the traditional use of local virus databases for virus detection, this technique is faster and more efficient.

Starting this year, a virus tailored to bypass "cloud antivirus" was found - the Bohu virus.

Bohu originates from China, and uses various social engineering techniques to disguise and spread itself. For example, it will be disguised as a "bohu HD player" software to entice users to download and install it.

Once users install the virus program, Bohu utilizes a number of techniques to disrupt and take down cloud-based AV:

1. Bohu installs a Windows Sockets Service Provider Interface (SPI) filter and uses it to block data transfer between the cloud server and the client.

2. Bohu installs a Network Driver Interface Specification (NDIS) filter; with it, Bohu can inspect network traffic and block HTTP request packets that contain specific domain names or keywords.

3. Bohu randomly inserts garbage code into its program to circumvent hash-based anti-virus detection.

While cloud-based anti-virus has its advantages, and more and more vendors adopt "Cloud AV" as part of their "cloud security" strategy, Bohu reminds us that relying on cloud AV alone is far from secure and that a multi-layered approach with local and cloud AV is recommended.

Posted by: Netgear Threat Lab at 5:39 PM
Categories: Malware

 

Trojan-PWS-Nslog Hijacks Firefox and Automatically Feeds Your Passwords to Hackers

Posted By Pete at 3:35 PM, October 12, 2010

I think they may have been onto something when it was reported last year that Firefox was the browser with the most vulnerabilities. We've commented that the open source nature of Firefox could make it a bit more susceptible to exploits. Well, here's one that will make you think twice before logging into your online bank account with Firefox.

The folks at Webroot have discovered a new Trojan (Trojan-PWS-Nslog) that "conveniences" the user by making Firefox skip the step where it prompts the user whether or not they'd like to save their password (it's a really nice read btw, which will give you good insight into how malware such as this operates). The user-entered password is then automatically saved and stolen. After that, the hacker makes off with the user's login and sells it to anyone willing to pay or uses it to do who-knows-what.

If you feel you've been a victim of said Trojan, run a scan with your updated AV software and reinstall Firefox. That said, in this particular instance it is very easy for users to unwittingly expose their passwords. It just shows again how important it is to protect your network/PCs with layers of defense (and even more importantly how more robust software code is needed throughout the industry but more on that in the future).

Posted by: Pete at 3:35 PM
Categories: General , Malware

 

Stuxnet - State of the Art Malware

Posted By Pete at 2:52 PM, September 23, 2010

One particular aspect of the Stuxnet worm that has raised eyebrows is its complexity. Not only does Stuxnet use a new way of propagating (specially crafted shortcut .lnk files), it also exploits four previously unpublished vulnerabilities in Windows, uses stolen digital certificates to sign its own drivers, and is able to hide itself like a rootkit.

The sophisticated techniques used indicate that a lot of careful planning, thought and expertise was put into Stuxnet. Personally, I feel that this is only the beginning and that we will see a new "cold war" featuring highly specialized malware attacking high priority targets. Looks like governments and corporations throughout the world will be heavily investing in this area for both "good" and "bad" purposes.

Posted by: Pete at 2:52 PM
Categories: Malware

 

Stuxnet Worm - Cyber Weapon or Real Weapon?

Posted By Pete at 2:34 PM, September 23, 2010

The Stuxnet worm has created quite a stir lately and has reached headlines of most major news outlets. What makes this worm different from the thousands of other active worms?

Unlike worms and other malware in the past, Stuxnet does not target your average PC sitting on the Internet. Rather, the worm spreads via USB drives and, once it infects a machine, it targets specific industrial control software made by Siemens. Once such a system has been identified, the Stuxnet payload reprograms the PLC (programmable logic controller) managed by the control software and can give new instructions to the actual machinery itself, potentially turning motors on and off, shutting down cooling systems, and other good stuff (sounds like something right out of a sci-fi movie, right?).

Make no mistake, this is one piece of sophisticated weaponry. All indicators point that Stuxnet was created to attack an Iranian nuclear power plant. The plot thickens.

Posted by: Pete at 2:34 PM
Categories: Malware

 

Olympus Digital Camera Comes Shipped With Malware

Posted By Pete at 11:01 AM, June 10, 2010

What do you look for when you're purchasing a digital camera? More megapixels? More zoom? Better manual controls?

Well, here's a feature that's definitely not on anyone's checklist: a PC-infecting worm.

1709 Olympus Stylus Tough 6010s came preloaded with a worm on the camera's internal memory. The worm itself does no harm to the camera; however, as soon as the user connects the camera to their PC via USB, the worm attacks and attempts to infect the PC.

Olympus has issued an apology but the damage has been done. Imagine taking some pictures on your new shiny camera only to get your PC infected when you try to view the pictures.

This is not the first time a product has shipped with malware and it certainly won't be the last. Companies will just have to be more careful in the manufacturing process and take the necessary security measures to secure their network.

Posted by: Pete at 11:01 AM
Categories: Malware

 

Threat Lab Report: FIFA World Cup Fever Reaches Spammers and Your Mailboxes

Posted By Netgear Threat Lab at 4:05 PM, June 8, 2010

With the 2010 FIFA World Cup closely approaching and the world going into a frenzy, spammers armed with malicious emails are also joining in on the festivities.

So far we've seen two types of these mal-emails:

The first is your typical Nigerian scam. The email claims that the recipient was just drawn as a winner in an online sweepstakes held by the International Federation of Association Football (FIFA). In order to receive the winnings, the victims are required to provide detailed personal information. Further emails will eventually require them to pay a fee to secure their winnings. The personal information provided will be used in a vast array of crimes such as identity theft, spam distribution, phishing, and other types of fraud.

The other type of spam contains a PDF attachment. The message body carries content such as a detailed guide to South African tourism, ticketing services, and other information meant to induce the user to open the PDF attachment. The PDF file actually contains malicious code that exploits a known vulnerability in Adobe Reader. Once the user opens the PDF, it will automatically download and install a variety of malware.

FIFA has recently alerted fans about similar online scams on their blog. With the start of the World Cup approaching in a couple of days, expect to see more and more of these scams.

Posted by: Netgear Threat Lab at 4:05 PM
Categories: Malware , Netgear Threat Lab , Phishing , Spam

 

Four Percent of All PCs are Infected with Conficker

Posted By Pete at 5:06 PM, April 9, 2010

Gregg Keizer at Computerworld has reported that 1 in 10 PCs are still unpatched and vulnerable to the worm known as Conficker, and that 25 out of every 1000 PCs are infected with the worm. A year ago, we reported Conficker (Kido) spreading like wildfire throughout the Internet.

I think what's alarming is the vast number of PCs that are either unprotected or under-protected. Even among the people around me (friends, relatives), I see too many cases where they have no anti-virus software, or the anti-virus subscription that came with the PC or laptop had already expired 3 years ago! (We've all seen this before.) If 4% of all PCs are infected by Conficker alone, I am scared to even imagine the number of PCs infected by the other 10 million threats!

The Internet is not getting safer anytime soon, so be sure to get yourself educated on safe Internet usage practices and get yourself and your loved ones as many layers of malware protection as possible.

Posted by: Pete at 5:06 PM
Categories: Malware

 
