06 Jul The end of DNS-Changer Marco
02 Mar DNSChanger - Cleaning Up 4 Million Infected Hosts Kurt Baumgartner
18 May Another infected device Roel
22 Nov Malware in Lenovo Costin Raiu
11 Apr Infected devices Michael
04 Jan Another usb-media infection Roel
Next Monday, 9th of July, at 06:00 (MEZ), the temporary DNS servers set up by the FBI will be shut down. But there are still thousands of infected machines – one can wonder what will happen to them?
Computers on the internet have their own address – the IP address. There are two versions:
You clearly see that these addresses are not so easy to remember compared to e.g. “kaspersky.com”. Therefore the “Domain Name System” was created which translates domain-names as “kaspersky.com” to their respective IP-address to connect to the server.
The DNS-Changer malware replaces the DNS servers on the infected system with its own (see the FBI press release).
They do this because it facilitates “click hijacking”, a technique where infected users are redirected to advertisement websites run by the criminals, and “advertising replacement”, where the advertisements on legitimate websites are exchanged for the criminals' own.
Luckily, the FBI caught the criminals and installed temporary DNS-Servers in order to avoid a “black-out” for the mass of infected computers.
This temporary solution will come to an end on Monday when the servers are shut down. When this happens, the infected machines will no longer be able to resolve domain names, and so will not be able to connect to, e.g., a website.
Of course, if you know the address of the server you can still use it instead of the name (e.g. 184.108.40.206 is “securelist.com”), but this is not an easy solution.
We would like to point out that despite the big noise around this topic, there is no need to panic. The solution is rather simple – read below for more.
First of all, it might be interesting to point out that in 2012 we detected 101.964 attempts by DNSChanger malware to infect our users.
The good news is that the infections were blocked and the number of infection attempts is going down.
For instance, this map of the past week shows that the number of infection attempts/detections is decreasing. Of course, computers with no or outdated protection are still in danger of possible undetected infections.
So, how to check if you are infected with DNSChanger?
The DNS Changer Working Group provides helpful information on their website. Unfortunately, as we previously mentioned, the automated check websites set up for this purpose do not work 100% reliably, so the manual solution of checking the DNS server IPs is better.
If you are infected, you can change your DNS entries to the free DNS-Servers from Google: 220.127.116.11 and 18.104.22.168. OpenDNS also offers two: 22.214.171.124 and 126.96.36.199, which we also recommend for additional security features.
The best solution is of course to install a security suite capable of detecting and cleaning the infection and fixing the DNS servers.
Since many DNSChanger infections are accompanied by TDSS, a rather nasty rootkit, you can also use our tool “Kaspersky TDSSKiller” in order to detect and delete the infection.
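As an added example (not code from the original post) of the manual check described above: parse the resolver list that `ipconfig /all` or `/etc/resolv.conf` reports and flag any resolver that sits inside a known-rogue range. The post does not list the DNSChanger resolver addresses, so the documentation network 192.0.2.0/24 is used as a placeholder for them, and the ipconfig output is a constructed sample.

```python
import ipaddress
import re

# Constructed sample of "ipconfig /all" output (not taken from the page).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.0.2.77
                                       192.168.1.1
"""

# PLACEHOLDER: the post does not list the rogue resolver ranges, so the
# documentation network 192.0.2.0/24 stands in for them here.
ROGUE_RANGES = [ipaddress.ip_network("192.0.2.0/24")]


def parse_dns_servers(ipconfig_text):
    """Return the DNS server addresses listed in 'ipconfig /all' output."""
    servers, in_dns_block = [], False
    for line in ipconfig_text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)?", line)
        if m:
            in_dns_block = True
            if m.group(1):
                servers.append(m.group(1))
        elif in_dns_block and re.match(r"\s{20,}\S+\s*$", line):
            servers.append(line.strip())  # extra servers continue on indented lines
        else:
            in_dns_block = False
    return servers


def resolv_conf_servers(text):
    """Same for a Unix /etc/resolv.conf: 'nameserver <addr>' lines."""
    return [ln.split()[1] for ln in text.splitlines()
            if ln.strip().startswith("nameserver") and len(ln.split()) > 1]


def check_dns(servers, rogue_ranges=ROGUE_RANGES):
    """Return the configured resolvers that fall inside a rogue range."""
    flagged = []
    for s in servers:
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            continue  # e.g. IPv6 with a zone id, or '(none)'; not parseable
        if any(addr in net for net in rogue_ranges):
            flagged.append(s)
    return flagged
```

Replace the placeholder range with the resolver ranges published by the DNS Changer Working Group before using it on a real machine.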
The internet is full of infected hosts. Let's just make a conservative guesstimate that there are more than 40 million infected victim hosts and malware-serving "hosts" connected to the internet at any one time, including both traditional computing devices, network devices and smartphones. That's a lot of resources churning out cybercrime, viruses, worms, exploits, spyware. There have been many suggestions about how to go about cleaning up the mess, the challenges are complex, and current cleanups are taking longer than expected.
Mass exploitation continues to be an ongoing effort for cybercriminals and a major problem - it's partly a numbers game for them. Although exploiting and infecting millions of machines may attract law enforcement (LE) attention at some point, it's a risk some are willing to take in pursuit of millions of dollars that could probably be better made elsewhere with the same effort. So take, for example, the current DNSChanger cleanup. Here is a traditional profit-motivated 4 million PC and Mac node malware case worked by the FBI, finishing with a successful set of arrests and server takedown.
Recently we released a product especially for netbooks, so we’re performing compatibility tests on newly released netbooks on an ongoing basis. The other day we bought a brand new M&A Companion Touch to test. After initial checks, the testing group contacted me since they suspected a malware infection. Could this be yet another example of a factory-infected device?
A scan detected the following malware: Worm.Win32.AutoRun.aayn, Rootkit.Win32.Agent.hwq and Packed.Win32.Krap.g. For anyone interested, here are the MD5s:
After some analysis I was able to determine that these files had been present since February 2009, a long time before we got the netbook.
The AutoRun worm spreads to removable devices, exploiting weaknesses in how Microsoft implemented the functionality. I blogged about the problem over at ZDNet. What probably happened is that somebody used an infected USB stick and hooked it up to the machine while installing some drivers for it.
The true purpose of this worm is to steal passwords for a number of online games, such as Lord of the Rings and Maple Story. It also uses a special downloader mechanism. The PE files are encoded and prepended with a fake RAR header to fool security solutions. We detect such 'malformed' files as Trojan.Win32.Ramag.
This case shows once again that even brand new products can leave the factory infected. Safeguarding against infected new devices is particularly difficult. Doing an offline scan with an up to date security solution normally is the most effective solution. As there will have been a time lapse between the device getting infected and you getting your hands on it, your security solution should have no problem detecting the malware.
Naturally, we've informed M&A of our findings - but since the device is out there, we are also warning users.
Some of you might have seen the blog post that our colleague Ryan Naraine posted at ZDNet about malware being distributed along with a pack of Lenovo ThinkPad drivers.
Here are some more details on that story. Working together with fellow researchers at Microsoft, we discovered a URL that pointed to a file on IBM’s ftp site that looked like a false positive, so we sent them a ‘heads up’ message.
Careful analysis of the file, which was named ‘q3tsk04us13.exe’ (Lenovo Trust Key Software for WinXP) showed that the file in question did indeed contain a virus named Virus.Win32.Drowor.a. Luckily, the virus was broken and it didn’t work.
Naturally, we notified IBM immediately, and IBM took the file offline.
We’d like to salute IBM's prompt response and to thank our friends at MS for their initial analysis!
It seems as if we can't turn around anymore without hearing about infected devices of all sorts. This week we've already seen HP admitting to shipping infected floppy/flash drives - see SANS Internet Storm Center for details.
In the meantime, one of my co-workers went on vacation and treated herself to an MP3 player.
She got home and plugged her new toy into a USB port in her PC and yes, you guessed - it was infected. Fortunately she had KIS installed:
On the one hand, we all enjoy using our smartphones, MP3 players, flash drives and so on. On the other hand, we can't ever be sure that our devices are clean. So protect those servers and laptops, folks, because portable devices aren't going away anytime soon. Nor are they secure.
Yesterday I looked into a case where somebody had gotten a nice Christmas present - a new MP3 player. However this MP3 player contained a bit more than the person asked for. The device was infected with Worm.Win32.Fujack.aa. All the evidence clearly indicates the device was infected before the user opened the gift.
This is unpleasant, but infected removable storage media is nothing new. There was the case of infected Maxtor drives and Aleks recently blogged about his purchase of an infected Kingston flash card.
Of course, we've contacted the company concerned. They told us they were aware that a few months ago there was a partially infected batch of these MP3 players, and that they'd taken steps to fix the problem. It was only this particular model – the Victory LT-200 that was affected.
I've noticed there seems to be a lack of clarity about how Windows behaves with USB media, so this seems like a good opportunity to clear up a few points.
The setting is Tamel, the centre of Katmandu, the capital of Nepal. There are hundreds of little shops which sell everything, ranging from Buddha statuettes to full rigs for Himalayan expeditions. I'm off into the mountains myself, so I buy a Compact Flash card for my camera in one of the shops which specialises in photographic equipment.
It seems from information on the Danish web site of Medion that some of the laptops they shipped recently were infected with the boot sector virus Angelina. This virus, which infects the boot sector of floppy disks and the MBR (Master Boot Record) of hard disks, dates from the mid-1990s.
Once commonplace, such threats are now rare. And on the face of it, you might not expect viruses as old as this to be still around. But incidents like this remind us that they haven't completely disappeared.
For those of you who haven't had to grapple with such viruses, they infect when the machine is booted from an infected floppy disk. Of course, this typically happens by accident, when the user forgets that there's a floppy disk in the drive. They infect at boot-up, before the operating system loads, so they will infect any PC configured to boot from the floppy drive. However, they only spread under DOS and (under specific conditions) Windows 9x. This is why they're not very common.
So, if such threats are rare, do we detect them? Absolutely, you never know when such 'legacy' threats might put in an appearance.
TomTom has followed in the less than illustrious footsteps of iRiver, no name USB sticks, McDonalds, Apple and others by shipping a device containing malware. In most previous cases the malware in question was a virus which spread to drives. So I was expecting the same when I got my hands on the files coming from the TomTom GO 910.
Kaspersky Anti-Virus detects these files as Virus.Win32.Perlovga.a and Trojan-Dropper.Win32.Small.apl. Trojan-Dropper.Win32.Small.apl is somewhat of a generic detection - it covers any file which has been created using a specific virus writers’ tool. Trojan-Dropper.Win32.Small.apl functions as an installer for Perlovga.b and... a backdoor! As I haven't seen any mention of a backdoor in coverage about the incident, I was surprised to come across it.
Even though it is a backdoor with limited functionality, the very presence of Backdoor.Win32.Small.lo slightly changes the situation. Perlovga is more of an irritant than a serious threat, but as it makes use of autorun.inf functionality to spread via disks there's a real danger of Perlovga.a and the Dropper file (which in turn installs the backdoor and Perlovga.b) being executed automatically as soon as Windows reads the drive/device.
This probably won’t be the last case of infected devices, and it would be nice to see a little more clarity regarding the precise payload. I suggest that the next company which finds itself sending out infected devices should contact us and ask us for a detailed analysis so they can issue an appropriate warning to their customers.
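The autorun.inf mechanism that Perlovga relies on is one thing a user can inspect offline before a new device is ever opened in Explorer. The following is an added checker (not code from the original post or from Kaspersky): it parses the [autorun] section and reports every entry that would cause a program to run when Windows reads the drive. The autorun.inf content is a constructed sample, not the file from the TomTom device.

```python
import re

# Constructed autorun.inf of the kind described in the post: the "open" and
# shell verb entries point at a dropper so it runs as soon as the drive is read.
# Sample only; not the actual file from the TomTom GO 910.
SAMPLE_AUTORUN = """\
[autorun]
open=RECYCLER\\temp1.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
shell\\open\\Command=RECYCLER\\temp1.exe
shell\\explore\\Command=RECYCLER\\temp1.exe
"""

# Keys whose value Windows executes (shell\<verb>\command is matched by regex).
EXEC_KEYS = ("open", "shellexecute")
EXEC_EXTENSIONS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")


def parse_autorun(text):
    """Return the key/value pairs of the [autorun] section (keys lower-cased)."""
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def audit_autorun(text):
    """Return (key, value) entries that would launch a program from the media."""
    findings = []
    for key, value in parse_autorun(text).items():
        runs_code = key in EXEC_KEYS or re.fullmatch(r"shell\\[^\\]+\\command", key)
        if runs_code or value.lower().endswith(EXEC_EXTENSIONS):
            findings.append((key, value))
    return findings
```

A benign autorun.inf that only sets an icon or label produces no findings; anything it reports is a file worth scanning offline before the device is trusted.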
We saw a recent report of a Japanese hardware manufacturer shipping a batch of portable hard disk drives containing a Trojan. The Trojan, which we detect as 'Backdoor.Win32.Tompai', provides a hacker with backdoor access to affected machines.
It's not the first time that we've seen the distribution of infected media: in December 2004, Roel reported on an infected HDD-based MP3 player he had bought from iRiver.
Maybe we're approaching the time when digital photographers should check their flash cards before they first use them? Of course, if anyone comes across any malware on their new flash cards, we'd like to hear about it:
contact us at blog [at] viruslist [dot] com.