By

What’s the best anti-virus program?

In cleaning infected websites and protecting them, we constantly see infected websites that have been infected due to stolen passwords.

Which passwords?

That all depends. Sometimes it’s the CMS (WordPress, Joomla, Drupal, etc.) or the ecommerce (Zen Cart, osCommerce, etc.). Other times it’s either the hosting account or the FTP account’s password that is stolen.

How can we tell?

There are numerous ways of determining when stolen passwords were used as the point of entry into a hosting account or website, but frequently we can see successful logins in the log files from places all over the world. Mind you, these are not attempted logins, but actual logins.

Often times we can tell by the type of infection or where the infectious code is located, whether or not the point of entry to an infected website is via stolen passwords.

How does this happen?

Typically there is a virus on someone’s local computer that is stealing the password. When this happens you can “cloak” your WordPress login page, you can have a 52 character password with multiple special characters, you can rename the admin account, but none of this matters as the password stealing viruses and trojans steal: the login URL, the username and the password.

This can also happen if you’re using SFTP or FTPS, the “secured” file transfer protocol.

Yes, this even happens to Mac users. Quite often we find that Mac owners don’t have any anti-virus program or they’re using ClamAV for Mac.

With everyone seeking “free” anti-virus programs, we typically recommend: Free version of Avast for Mac, or Sophos for Mac.

On PCs, the most used anti-virus program is Microsoft Security Essentials. That is not what we recommend, but that is what most people are using.

Today, I read an article that gives some details into why Microsoft Security Essentials may not be a reliable program to use if you’re trying to keep your PC safe.

Here is the article I read:

Please understand I am not a Microsoft hater. I don’t hate anyone. But in our efforts to lower our already low re-infection rate (currently at .048%) we like to recommend products that will save you money and be highly effective.

If you could take a minute, let me know what anti-virus program you use and whether you’re on a Mac or a PC.

Thank you.

By

riotassistance.ru infections

We’ve been seeing more website infections with a malscript that looks like:

(opening script tag) src="hxxp:// riotassistance.ru /Website.js">(closing script tag)

Note: We’ve also seen this same this but with nuttypiano replacing riotassistance.

Sometimes the last part: Website.js is something else:

Linux.js
Megabyte.js

and a few others. The common pattern here is obviously the riotassistance.ru domain and the last part of the URL has an upper-case first letter and is usually some random, but familiar word.

The other identifier is the seemingly useless string immediately following the malscript. In the example above it’s the:

Keep in mind that this will be different for each website, at least from what we’ve seen so far.

This malscript and it’s associated string has been found in index files and files that start with the word main, or in the footer.php file on WordPress sites. The footer.php that will be infected is usually in the theme folder for your site. So if you’re using the default theme, it will be the footer.php file in the theme/default folder on your site.

This same infection has been found in .js files as a document.write at the bottom of the .js file, such as this:

nuttypiano

Time to dig a little deeper…

We find that this domain is registered:

domain: RIOTASSISTANCE.RU
nserver: ns1.getyourdns.com.
nserver: ns2.getyourdns.com.
nserver: ns3.getyourdns.com.
nserver: ns4.getyourdns.com.
state: REGISTERED, DELEGATED, VERIFIED
person: Private Person
phone: +7 8482 735000
e-mail: angles@fastermail.ru
registrar: NAUNET-REG-RIPN

According to abuse.ch, this registrar has 126 sites that associated to Zeus:

riotassistance.ru associated to Zeus registrar

We also find that the above listed email address is only registered on 4 other domains.

As far as cleaning this goes, obviously remove the malscript from your pages or replace the pages with known good backups.

From what we’ve found so far, this website infection happens via stolen FTP credentials. These FTP credentials are stolen by a virus/trojan on a PC that’s been used to FTP files to the infected website.

First, change all FTP passwords – immediately.

Second, run a full virus scan on all PCs used to FTP files to the infected website. This includes developers, authors, etc.

Third, if your site has been listed as suspicious by Google, request a review from the Google Webmaster Tools.

Post here if you have questions or send me an email if you’d like further help in cleaning this up.

Thank you.

By

The Internet Explosion

According to research, there are approximately 162 million websites on the Internet as of April 2008. To put this into perspective, in 1996 there were only 100,000.

Talk about a meteoric rise.

The cause of this growth has many roots.

First there are Internet Marketers (IMs) promoting “how to make money online”. This of course requires a website or more. Frequently IMs suggest you should have more than one website. These are referred to as “micro” sites. Micro sites are nothing more than a website with one or two web pages that get people interested in a “micro” niche to click over to your main site.

These micro sites are targeted with very specific, narrowly focused keywords to draw people in.

With unemployment so high, we have many people looking to make money online so the IMs are growing constantly which means the number of websites are growing as well.

Secondly, (notice I didn’t use “firstly” above – ugh) we have software makers pumping out “design a website in 30 minutes or less” products.

This makes many non-web developers think they can become web developers with no proper training. Many of the people in this category will remain self-proclaimed web developers and actually do more harm than good.

Also in this category we have many IMs creating websites that offer to help create websites – “with little or no training.” This is scary. Productive, but scary.

Note: Even my daughter has a website as a Math Teacher and my wife’s Aunt has developed a website for their vacation property. Their self-education is never ending and should be applauded. Both of these websites are under constant watch by me so I know they’re safe. [wink]

Third, we have the huge blog explosion.

There are so many blogs that Google has a separate category for searching through bl0gs on their Google Toolbar. (I know this because I use it frequently)

Why all of this concern about how many websites there are and how easy it is to create them?

I’m glad you asked.

This phenomenal growth of epic proportions has opened the door to cybercriminals. (You knew I was going to bring this around to hackers didn’t you?)

Really, it has.

Think about it. When the automobile was in it’s infancy and people could buy them without understanding them, owners had to bring them to specialists to fix them. Then as the market matured, people learned how to fix them themselves. Markets flourished with “how-to” books and auto parts stores.

In today’s world, auto mechanics are PhDs and knowledgeable in all things mechanical, electrical and electronic – the market has gone full circle. Once again fixing an automobile requires a specialist.

The Internet is the same way.

In the beginning web developers were in charge. The world couldn’t produce enough of them as the “dot com” bubble grew and grew and grew. The software tools weren’t what they are today. In 1998 you couldn’t take a course in Web Development – they simply weren’t offered.

Today, you can’t even watch the news on TV without the newscasters talking about following them on Twitter or Facebook. I see people at the gym on the treadmills using their cellphones to keep up on their Facebook friends. The Internet has reached epic proportions.

What the courses in Web Development don’t teach however is how to design a website that can’t be hacked. This is the real tragedy of this incredible growth.

Hackers know that with a potential pool of 162 million websites, they’re going to find many vulnerable to one of their attack methods. Cybercriminals know that many websites are created by non-specialists.

Not to say that all compromised websites serving malscripts to every Tom, Dick and Harry is the fault of web developers – it’s not. But even many experienced web developers lack proper security training.

Would you change your brake pads without bleeding the brake lines? (My father-in-law says “no”) Any good mechanic would tell you that just isn’t smart. That wouldn’t be safe.

We’ve been seeing a phenomenal growth in the number of websites serving up malscripts. Malscripts are made by hackers, inserted into legitimate websites that do nothing more than infect visitors with some remotely stored virus that gives the hacker remote control of the infected computer.

We frequently see requests like this in public forums and blogs:

“About a week ago Google posted a “this website might be harmful” message with our website listing. After review we have found out that someone has added damaging code to our software. we have been told it is http://removeddomain/E/J.JS/

IS THERE anyone out there that has experienced or knows this code and has advice on how to find and fix the problem. This is causing damage to our good name and service.”

The guy who owns this website is trying to conduct business on the Internet and hackers decide to make money off of him and in the process damage his company’s good name and service.

Now don’t you think that someone should have been watching that website? His concern is about his company and his reputation online but what about those who visited his website? Many of them probably don’t even know that just by visiting his website they were subjected to a computer infection.

Would you drive your car for years without ever bringing it in for service? Don’t you depend on those little indicator lights on your dashboard that tell you when your car needs servicing?

Why website owners aren’t more vigilant about their websites will remain a mystery to me. I guess many of them are so focused on their business that they don’t think about their website getting hacked.

That’s just my opinion.

Well, enough.

This rant will be closed with this erudite philosophy (thanks Ed):

“There is much to be said for modern journalism. By giving us the opinions of the uneducated, it keeps us in touch with the ignorance of the community. ” (Oscar Wilde)

The above post is my opinion – uneducated or not. You have now been kept in touch with the ignorance of the community.

By

Is the Internet worth it?

I know I’ll be accused of FUD (Fear, Uncertainty, Doubt) with this post but here goes.
The whole world knows the Internet is used for building businesses. Some businesses rely solely on the Internet – they simply wouldn’t exist without it.
However, with all the security threats, at some point you have to ask: Is it worth it?

On November 12, 2008 the 63rd Session of the International Telecommunications Union (ITU) Council met and discussed the current state of cybersecurity. The event concluded with the declaration that cyber-security is one of the most important challenges of our time. The ITU Secretary-General, Dr. Hamadoun Toure stated: “The costs associated with cyber threats and cyber-attacks are real and significant — not only in terms of lost revenue, breaches of sensitive data, cyber-attacks and network outages but also in terms of lives ruined by identity theft, debts run up on plundered credit cards or the online exploitation of children.”

While I might not totally agree with the severity he states, I do agree that the situation is bleak – and apparently only getting worse.

Hackers use any method available to achieve their goal – total domination of the Internet. Okay, that’s really extreme.

Think of your own specific situation. You undoubtedly have at least one anti-virus (AV) program installed on your working computers, right? (many of you have 3-4 different security programs installed)

How many times has it actually caught a virus? If your AV is set to scan once a day, how often has it detected a virus/worm/trojan during it’s scan? If ever, you have to

During the course of the past 2 months we’ve seen the following security issues:

  • Malware delivered by infectious Adobe Acrobat files (pdf)
  • “Common” websites delivering malware (i.e., www.mlb.com, www.businessweek.com, www.cbs.com)
  • 85% of malware being delivered by infectious websites
  • Numerous content management systems (CMS) and forums having various vulnerabilities
  • “Hacking” used in a multitude of political wars (website defacements, etc)
  • More intelligent malware (blocking of AV updates, disabling security software)

In addition to the above list, more malware has been delivered via social engineering. Social engineering is the “art” of using deception to get a user to intentionally install something which turns out to be malware (definition of trojan).

Back in October we saw the keyword “costumes” being abused by cybercriminals to get people to visit malicious websites promising to offer fantastic ideas on Halloween attire. Then in November we saw numerous emails be circulated that offered various food recipes for Thanksgiving many of which resulted in webpages that contained more than recipes. They offered recipes for infection (you can use that if you want).

Along with the holiday themed malware strategies, here in the US we were also going through a Presidential election which brought about an abundance of election themed malware attacks. Then we had the year-end holidays and New Year’s each with their own malware messages and accompanying websites.

Now with the Presidential Inauguration just completed we’ve seen numerous messages “flying” around the internet touting “Obama refuses to take oath”. When any of these links are followed, they lead the unsuspecting inquisitive reader to a website that delivers more than the message they were seeking. It also attempts to infect their computer with little pieces of code that are just the beginning of taking control of the infected PC.

All of this is actual, real world reality. I didn’t make this “stuff” up. I didn’t write these viruses/worms/trojans like some of you think.

Cyber crime is something we all have to deal with.

You’re in business to solve some real world problem. Whether you’re a plumber or a rocket scientist, you solve someone’s problem otherwise you wouldn’t be in business.

I selected computer security as my profession and I believe I do it well. I try to solve real world computer security problems. If you find my work offensive, you’re free to ignore it.

I don’t work in FUD. I just merely try to educate you so you know what you’re facing being online.

Please leave me your comments on this posting.

Thank you.

 

 

 

 

By

Are you really safe online?

According to a recent report by McAfee, here are some extremely interesting statistics:

  • 92% of users surveyed believed their anti-virus software was up to date, but only 51% had updated their anti-virus software within the past week
  • 73% of users surveyed believed they had a firewall installed and enabled, yet only 64% actually did
  • About 70 % of PC users believed they had anti-spyware software, but only 55% actually had it installed
  • 25% of users surveyed believed they had anti-phishing software, but only 12% actually had the software
  • 42% of businesses surveyed dedicate just one hour a week to proactive IT security management, despite the fact that 21% acknowledged an attack could put them out of business
  • 44% of businesses surveyed think cybercrime is only an issue for larger organizations and does not affect them
  • 52% of businesses surveyed believe that because they are not well-known, cybercriminals will not target them
  • 45% of businesses surveyed do not think they are a “valuable target” for cybercriminals
  • 46% of businesses surveyed do not think they can be a source of profit for cybercriminals

Interesting aren’t they?

If you’re a member of the 51% who had updated their anti-virus software within the past week, then you should read Secunia’s information after they tested 12 security suites. In their report it states that after testing 12 major security suites with 300 different exploits one suite blocked more than
10 times more than the next closest competitor – and it only blocked 64 out of the 300!

Here’s their report: http://secunia.com/gfx/Secunia_Exploit-vs-AV_test-Oct-2008.pdf

Do a Google search using “evading anti-virus”. In the SERPs you’ll see tutorials on how to make a virus, trojan or worm undetectable by current anti-virus software. There are specific steps.

Here’s an article about how one strain of worm was undetectable: http://arstechnica.com/news.ars/post/20080408-new-kraken-worm-evading-harpoons-of-antivirus-programs.html

In the darker forums where we lurk as part of our security research, we’ve seen numerous “how to’s” on evading detection. Many of them are so simple that anyone with just a little computer knowledge could create their own undetectable virus.

Many of the cybercriminal “mobs” offer to recreate their malware if you buy it and then find that it’s detectable by anti-virus software.

If you’re one of the 64% that actually had a firewall installed, how was it configured? If you’re like most people, you have the default firewall settings and you never, ever read the logs to see how people are trying to get in. Most of the people we’ve talked with reply by saying, “My firewall has logs?”

Has you firewall ever been tested? I guarantee it has been by a hacker, but have you ever had it tested? Have you had a security scan performed on your firewall? In the security world, we believe that an untested firewall is no security at all.

If you’re one of the 21% that acknowledged an attack could put you out of business and you only spend 1 hour a week in proactive security management, I’d like to say you’ll get what you deserve but that would be rude and a little – “in your face”.

The fact is, you could be “hacked” right now and you wouldn’t even know it. Maybe an attack wouldn’t put you out of business, but I’m sure it will cost you a lot more than preventative security management
would have cost you.

In risk management, isn’t it true that if prevention costs you less than the potential problem, it becomes a no-brainer to move forward with the prevention?

If you’re one of the 44% of businesses that think cybercrime is only an issue for larger organizations, I have to ask you this, “Where do you think most of the attacks on larger organizations is launched from?” The answer: hacked systems in smaller organizations.

If you’re one of the 52% of businesses that believe since you’re not well-known cybercriminals will not target you, I will tell you to Google the term, “security through obscurity”, or “security by obscurity”. Read everything you can about your adopted security strategy.

Cybercriminals find “hackable” computers by scanning IP addresses. Yes, sometimes, they will target a specific site, but generally, they just look for computers that have openings.

If you’re one of the 45% or 46% who think you’re not valuable to a cybercriminal, answer me this, “Do you turn your back on smaller sources of income?”

Hackers hack for money. Gone are the days when they would hack strictly to create havoc. They now make money from their craft. In some cybergangs, it’s believed that the money they make from one income stream is $150,000,000 (that’s right million).

Just as you might find every email address on your list valuable, they too find every computer that they control valuable. To you, the money is in the list. To cybercriminals, the money is in their botnet (their network of remotely controlled computers). Every controlled computer, whether a server or a PC,
is important to them.

I still find that one of the easiest ways for hackers to deface or hack a website is by logging in as you. They infect as many computers as possible. Then when you login to your website, they record your credentials and then just login as you. It’s that simple. How do they find your computer to infect it in the first place?

They don’t know who you are or where you live. They just hack as many computers as they can and the odds are, with so many people starting web based businesses, that some of the computers they infect will belong to people who own one or more websites.

It really is that simple.

If you still think you’re safe online, then keep doing what you’ve always done and you’ll keep getting what you’ve always gotten – whether you know it or not.

That’s a fact.

If you disagree, please tell me your comments.