Advertising what, exactly, in cleaning malware

There is a new anti-malware product that has been advertised on TV.

They claim this USB key has software on it that magically will vacuum malware, viruses and Trojans off your computer.

They also claim that it is used by government agencies, companies and IT professionals and they’ve been around for many years.

The ad shows a woman getting hit with many pop-up windows. A bit far-fetched: if you had that many, your computer would be unusable. [Note that the computer was running Windows XP.]

OK. So let’s take a look at some of their facts.

The domain they use has been around for a bit over 3 years. How did those IT professionals know about it beforehand?

Me personally, up until a couple of months ago, I had never heard of the product.

If it is used by governments and companies, why is there no listing of them on the web site? I see other companies boasting about their clients.

Classic viruses are largely a thing of the past. What you actually run into now is other malware: mostly adware and spyware, some Trojans and rootkits.

While PC Magazine gave it 4 out of 5 stars, it did say it may not be suitable for the typical [novice] user. In addition, according to their review, the “cleanup process wiped out some essential Windows files, making remote assistance necessary. No realtime protection against new threats. Doesn’t clean up malware traces in the Registry.”

So basically it will scan files on the computer and nothing else, and it could cause further problems which will probably require further costs to fix.

If you have to purchase a product like this, what does it say about:

  • Your current security product on your computer?
  • Yourself, when it comes to knowing what to and what not to click on?

I know of many people who’ve gone years without any security issues and they would be classified as novices. [Yes, I try to keep them informed, but that doesn’t stop everything.]

If you keep on getting hit with security issues, maybe you should seriously stop and think before clicking on something.

Oh, and this isn’t anything new. Most security products have a rescue tool which you can download and put on a USB key or a DVD that will do the same as or better than what is offered here. [I am guessing most will actually go into the registry and not touch system files either.]

As an additional note, there have been many so-called security products that claim to fix these security issues. One advertised on CNN claimed to fix these problems. When I tested it on a fresh installation [security updates but no applications] of Windows XP a couple of years back, it claimed there were all kinds of registry and other issues. On a new computer? Seriously?


Major malware issue with recent Lenovo computers

If you are using, or you know anyone using, a Lenovo laptop bought within the last year, Lenovo has preinstalled something called SuperFish. According to researchers, it is adware that inserts itself into encrypted (HTTPS) web connections. The software dumps ads into web pages and probably gathers personal information.

Until the situation is fixed, don’t use your Lenovo laptop for anything like using a bank web site or work related.

Uninstalling the software is not enough. You also need to remove the root certificate it installed into the Windows trusted certificate store. [Firefox keeps its own certificate store, so check there as well.]

Even that may not be enough.

If you have a Lenovo laptop, contact them for support…. And good luck.

[Updated: 2015/02/21]: After researchers went deeper into SuperFish this week, they found that it inserts ads into web pages and also tampers with the computer’s security in such a way that an attacker could spy on all web browser traffic on the computer. It does this by installing its own trusted root certificate and using it to intercept HTTPS connections. Since every affected laptop shipped with the same certificate and the same private key, anyone who has that key can impersonate any secure web site to those machines.

SuperFish therefore allows attackers to see all the communications that are supposed to be confidential, such as banking transactions, passwords, emails, and instant messages.

[Updated: 2015/02/24]: The SuperFish CEO has denied that their software contains malware. Uh huh.

Meanwhile, researchers are now saying that at least 12 other products, including some used for parental control, use the same developer’s kit [Komodia’s SSL interception SDK], and so have the same problem.

Finally, Lenovo says it has created a removal tool to properly remove SuperFish and its certificate from the system.

When free isn’t so free

I had b?tched to DivX Networks in April about how they could bundle Conduit malware [as most people call it] with their free DivX player. [Malwarebytes, as well as other anti-malware software, considers anything from Conduit to be malware.]

I finally got a response back from them, 3.5 months later. The guy who responded claimed there was an issue with their mail system. It got lost somewhere, or so it was claimed.

It seems that DivX received many complaints that the Conduit crapware was causing problems. It has since been removed from new installations, and their new policy states that they will only bundle software that is beneficial [as a product manager put it] and no search-related software.

It’s bad enough if you use a single web browser, but if you have three browsers, you have a doozy of a job removing the crapware from each one. [I guess that is a reason why you shouldn’t have too many browsers: one to use and a second one in case the first has an issue with a web site.]

Is there a way to block Conduit? I doubt it. In most cases, it is included in the free software you are installing.

This is what I tell people: if it is free, definitely do a custom installation. Otherwise crapware like this gets installed. One free program I downloaded had 4 separate bundled installations that only showed up if you chose a custom installation.

Know of any other software that have [or had] Conduit crapware included in the installation?

I have always suggested that when something is free off the Internet, always choose a custom installation [or equivalent]. Unlike the standard/complete installation [or whatever they may call it], in many cases the custom installation will actually let you see what is being installed and what changes will be made during the installation [additional programs, changing the default home page in your browser, changing the default search engine in your browser, etc.].

Microsoft takes down malware-pushing domains – affects legitimate sites

Recently, Microsoft seized 22 domain names from No-IP.com. The company was aiming to put [malware] criminals out of business; the domains were allegedly being used to conduct attacks against Windows users. Microsoft obtained a court order allowing it to seize control of the targeted domains. However, while some subdomains were allegedly being used in the attacks, the takedown also affected other subdomains that were used for legitimate reasons. [No-IP is a dynamic DNS service, so seizing a parent domain redirected every subdomain under it to Microsoft’s name servers, the legitimate ones included.]

Some are questioning how Microsoft could request, and get, court approval to do this. As well, according to No-IP, Microsoft never notified them to take down the malicious subdomains.

Unsure if Microsoft has responded to the allegation that they never warned No-IP. But I am sure No-IP was warned by others that they were hosting malware and did nothing about it [or didn’t push hard enough].

Microsoft did take things into their own hands. But No-IP should have known that it could happen to them, if not from Microsoft’s pressure then from some other company’s.

As for Microsoft flexing its muscle, I don’t think it was Microsoft’s job to verify the facts. It was the court that was responsible for making the final decision. Whether or not the court [before approving the takedown] asked Microsoft if it would affect legitimate sites is a question that needs answering. This is like asking for a warrant to arrest a suspect. The judge reviews the evidence given and may or may not request further information. [I’m assuming the court that gave the approval to Microsoft knows a bit about technology.]

I think it is also time that registrars were held partially responsible for what goes on with the sites they have registered. Too many of them will register a site without caring. Why else would someone register domains like [if they still exist – don’t check!]: adobe-downloads.com, windowsenterprisedefender.com, and microsoftantispyware.net?

In the end, I’d rather be safe than sorry. Take down the domain. Those with legitimate sites can go after No-IP for knowingly hosting suspicious web sites that could affect their site’s operation. [Of course I’m not a lawyer.]

[Update 2014/07/04:] Microsoft has since apologized to the legitimate sites that were affected for the “technical error”. Note that it took the court about a week to grant Microsoft’s request for the takeover. I am still thinking that the judge involved didn’t do his/her homework and check whether it would affect others.

But according to reports, it did do some damage to the Syrian Electronic Army as well. According to Kaspersky Labs, the takedown impacted a quarter of the “advanced persistent threat” actors it has been tracking.

The malware in this case was Bladabindi (NJrat) and Jenxcus (NJw0rm), which together relied mostly on No-IP for their command-and-control hostnames and were behind over seven million infections in the past year.

Vitalwerks, which runs No-IP, said it has now got back 18 of the 23 domains that Microsoft commandeered on Monday under a restraining order granted by a federal court. I will assume these house the more legitimate sites.

Meanwhile, at one point No-IP said it was under DDoS (distributed denial-of-service) attack, but that it did not affect its DNS infrastructure.

CryptoLocker ransomware becoming relevant

There is a new strain of malware called CryptoLocker that is making its rounds. Unlike your typical malware which causes havoc with systems, this one is part of the ransomware family.

Ransomware is just what it sounds like: it takes your computer [or your files] hostage and the malware makers want money from you to give them back.

While some ransomware has been easy to get rid of [just reboot your computer], this strain is nasty.

Typically the file which does the work arrives as an Email attachment [although you could also get hit by going to a web site you shouldn’t be on]. So that the email passes anti-virus scanners, the attachment is typically stored inside a ZIP compressed archive file.

Reports have it that they are coming from fake shipment or invoice notices from courier companies like FedEx or UPS.

Note: Some clues here. If you aren’t expecting anything and haven’t ordered anything, why would you get an Email from them? As well, if you look at the Email itself [but not the attachment], why is there so little information about you?

The ransomware writers are still using the old double-extension trick that still exists in Windows today. By default, Windows hides the extension of known file types, so when you view a file you will only see the file name [example: “My_Invoice”] instead of the full name “My_Invoice.pdf”. So the malware writers send a file that appears to be “My_Invoice.pdf” but in reality is “My_Invoice.pdf.exe” [other program and script types fall under the same trick]. You think it’s an Adobe PDF file when in fact it is a program.

Note: Another clue. If you are using Windows Vista or later, you may get a User Account Control warning that what you just opened is trying to make changes to your computer. Opening an Adobe PDF doesn’t do that. [Don’t rely on this, though: a program that only needs your own user rights, which is all it takes to encrypt your own files, won’t trigger the prompt.]
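Here is a small Python script, added as an example and not code from the original post, that does what the two notes above ask of the reader: it shows an attachment’s name the way Explorer would with extensions hidden, flags a program type hiding behind a document extension, and opens a ZIP attachment [where these usually arrive] to check every entry by name and, going one step further than the note, by content [a Windows program starts with the “MZ” header no matter what it is called]. The extension lists and the sample “invoice” ZIP are this example’s own constructions.

```python
"""Reveal what an e-mail attachment really is before anyone opens it.

Added example, not code from the original post. With Windows' default
"hide extensions for known file types" setting, "My_Invoice.pdf.exe" is
shown as "My_Invoice.pdf". This shows the name as Explorer would, flags
program types hiding behind a document extension, and opens a ZIP
attachment to check every entry by name and by content. The extension
lists below are this example's own choices.
"""
import io
import zipfile

# File types Windows runs as a program or script on double-click.
EXECUTABLE = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi",
              ".cpl", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
# File types the bait pretends to be.
DOCUMENT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
            ".txt", ".rtf", ".jpg", ".png", ".zip"}


def split_extensions(name):
    """'dir/My_Invoice.pdf.exe' -> ('My_Invoice', ['.pdf', '.exe'])."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.split(".")
    if len(parts) == 1:
        return base, []
    return parts[0], ["." + p.lower() for p in parts[1:]]


def windows_display_name(name):
    """The name Explorer shows when the last (known) extension is hidden."""
    stem, exts = split_extensions(name)
    return stem + "".join(exts[:-1])


def verdict(name):
    """Classify by name: 'disguised', 'executable', 'document' or 'other'."""
    _, exts = split_extensions(name)
    if not exts:
        return "other"
    real = exts[-1]
    if real in EXECUTABLE:
        # A document extension right before the real one is the bait.
        if len(exts) > 1 and exts[-2] in DOCUMENT:
            return "disguised"
        return "executable"
    return "document" if real in DOCUMENT else "other"


def is_windows_program(data):
    """Content check: Windows executables start with the 'MZ' DOS header."""
    return data[:2] == b"MZ"


def scan_zip_attachment(blob):
    """Return [(entry name, name verdict, has PE header)] for a ZIP attachment."""
    results = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the first two bytes are needed
            results.append((info.filename, verdict(info.filename), is_windows_program(head)))
    return results


def suspicious_entries(blob):
    """Entries to block: a program by name, or a program by content whatever the name."""
    return [name for name, v, pe in scan_zip_attachment(blob)
            if v in ("disguised", "executable") or pe]


def build_sample_attachment():
    """Constructed sample of a fake courier 'invoice' ZIP (no real program inside)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("My_Invoice.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)  # PE-style header stub
        zf.writestr("Tracking.txt", b"Your parcel could not be delivered.\n")
        zf.writestr("photo.jpg", b"MZ\x90\x00" + b"\x00" * 60)  # innocent name, program inside
    return buf.getvalue()


if __name__ == "__main__":
    for name, v, pe in scan_zip_attachment(build_sample_attachment()):
        print(f"{name!r:24} shown as {windows_display_name(name)!r:18} {v:10} PE header: {pe}")
```

Run it as is and the sample ZIP yields two entries to block: the double-extension file, and the “photo.jpg” that passes the name check but carries a program header. The name check alone would miss the second one, which is why the content check is there.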

Once the program starts up, you may not initially see anything different until hours later, if your computer stays on all day and night. Then the program comes alive and encrypts every kind of data file. This includes Adobe PDF files, Microsoft Word files, Microsoft Excel files, Microsoft PowerPoint files, Microsoft Outlook PST files, JPG images, BMP images, etc. In fact, there are a few dozen file types it encrypts.

Once the files are encrypted, it also places a text file or two in each folder saying what it did, and shows the same message when you boot up the computer.

You may see the following image [or similar to it]. If you do, then your system is infected with the ransomware.
[image: crypt]

Rebooting the computer doesn’t help. In fact, any files that were in use while it was encrypting [and so couldn’t be encrypted at the time] will be encrypted after the reboot.

You will notice that when it encrypts a file, the file name itself doesn’t change. But if you try to open the file, the application will tell you that the file is corrupt or something similar.
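Because the names stay the same, the quickest way to find out which files were hit is to look at their contents rather than their names. The following Python script is an added example, not code from the original post: it checks the leading bytes of a file against the header its extension should have [a PDF starts with “%PDF”, an Office 2007+ document is a ZIP and starts with “PK”, and so on] and, for types without a fixed header, measures byte entropy, since ciphertext sits close to 8 bits per byte while text and documents are well below that. The header table, the 7.5 threshold, and the sample files are this example’s own choices.

```python
"""Spot data files whose contents no longer match their name.

Added example, not code from the original post. CryptoLocker left file
names alone and overwrote the contents with ciphertext, so a "report.pdf"
that no longer starts with "%PDF" is a strong hint. This checks the first
bytes against the expected header for common types and, for types without
a fixed header, measures byte entropy. The header table and the 7.5
threshold are this example's own choices.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter

# Leading bytes for file types with a fixed header (all on CryptoLocker's list).
MAGIC = {
    ".pdf": (b"%PDF",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".bmp": (b"BM",),
    ".zip": (b"PK\x03\x04",),
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
    ".pptx": (b"PK\x03\x04",),
    ".doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
    ".xls": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
    ".ppt": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
    ".pst": (b"!BDN",),
}
ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext is ~7.95 on a 4 KiB sample


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data, ext):
    """True when the leading bytes are inconsistent with the extension."""
    if not data:
        return False          # an empty file carries no evidence either way
    magics = MAGIC.get(ext.lower())
    if magics is not None:
        return not any(data.startswith(m) for m in magics)
    return shannon_entropy(data) > ENTROPY_THRESHOLD


def scan_tree(root, sample_size=65536):
    """Walk root and return (sorted) paths whose contents look encrypted."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            ext = os.path.splitext(name)[1]
            if not ext:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(sample_size)
            except OSError:
                continue      # locked or unreadable; skip rather than crash
            if looks_encrypted(head, ext):
                hits.append(path)
    return sorted(hits)


# Constructed samples: a minimal PDF, plain text, and 4 KiB of
# pseudo-random bytes standing in for ciphertext.
FAKE_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
PLAIN_TEXT = b"Quarterly figures attached, please review.\n" * 50
CIPHERTEXT = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))


def demo_scan():
    """Write the samples to a temp dir, scan it, return the flagged base names."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("report.pdf", FAKE_PDF),
                           ("notes.txt", PLAIN_TEXT),
                           ("budget.xlsx", CIPHERTEXT),   # name kept, contents replaced
                           ("photo.jpg", CIPHERTEXT),
                           ("memo.txt", CIPHERTEXT)):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return [os.path.basename(p) for p in scan_tree(root)]


if __name__ == "__main__":
    print("entropy of ciphertext sample: %.2f" % shannon_entropy(CIPHERTEXT))
    print("flagged:", demo_scan())
```

Treat the hits as leads rather than proof: a PDF with junk before its header, or a compressed archive saved under an extension that is not in the table, will also be flagged. The header check is used wherever possible precisely because already-compressed formats such as JPG and ZIP have high entropy on their own.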

There is no known way to decrypt the files without the private key, which only the criminals hold [and there are just too many files to attempt anything by hand anyway].

The ransomware writers will ask for anywhere between $100 and $1000 to be paid. You also need to pay by the date and time mentioned or the “key” to decrypt will be destroyed forever. They generally give you 72 hours from the time the files were encrypted.

If you pay the ransom, it doesn’t mean they will actually give you the key to decrypt. It is a gamble.

Up-to-date anti-virus software will at least detect the malware. Anti-malware software can remove it, but even if it does, it can’t decrypt the files. In fact, if you remove the malware, you probably can’t decrypt the files even if you pay, since the decryption is done by the malware itself.

The only sure things to do are: back up regularly [if you have critical files, and keep at least one copy disconnected, because it also encrypts files on mapped network drives and attached USB drives], be careful with attachments from anyone [even friends] that are unexpected or seem a bit odd for the sender, and keep up to date on operating system updates.

I personally know of one case where someone got hit with ransomware.

If you do get hit with this malware, other than paying, you may want to have the disk wiped and Windows and your applications reinstalled from scratch. Even if you paid, you do not want to take the chance that remnants are still on your system.

Watch out for scammer web sites impersonating companies

If you ever have to contact a company for whatever reason, do not trust the search engine results completely. In many cases, the “support” sites they return are not Microsoft [or Google, or Yahoo or…] support and will probably charge you quite a bit of money, when contacting the actual Microsoft [or Google, or Yahoo or…] help would be free in some cases.

Many times these are the same kind of scammers who call you and claim that your computer is full of malware.

Find what you need from the company’s actual web site.

In particular, I came across one scammer web site. The typical web site that supports all kinds of operating systems and computer manufacturers and claims to have many certified technicians available 24 hours a day. [Note that I will not mention the web site.]

But I really didn’t come across this “company” by a search engine searching for help.

Instead I clicked on a bad link and I got the following message [more after the image]….

[image: scam_site]

[I blurred out the scammers toll free number.]

The page above is on the same web site. So the question is: why would a “legitimate” site have this on its site as well?

If you try the page on another computer, you get the same two pieces of malware they claim are on your computer. Wow! What a coincidence that both computers have the same malware. [And the only way to get rid of the message is to kill your browser completely from the Task Manager or reboot your computer. The page itself is actually harmless.]

Watch out for Conduit software

A word of warning. If you use DivX to view videos [as well as some other free software], its installer also installs Conduit search software.

Conduit takes over your search engine and default home page in your web browser(s).

In Programs and Features it may be listed as “Conduit Search Protect” or “Search Protect by Conduit”. If you see it, uninstall it and then use anti-malware software to remove the remnants.

Malwarebytes’ Anti-Malware software considers it [a form of] malware. Additionally, in your favourite search engine, do a search on the keywords “is conduit malware”.