Category Archives: Destructive behavior

Some malware can damage the operating system, such that it crashes and/or will not reboot. Webroot characterizes any behavior that results in loss of data or of the use of the infected computer destructive.

Rogues of the Week: XP Total Security & MS Removal Tool

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

It’s been said that sunlight sanitizes almost everything it shines on. Beginning this week, and every week from now on, we’ll focus a concentrated beam on the rogue antivirus programs our support staff and Threat Research team have been working to remediate.

Rogues have a tendency to switch up their names, user interface, and other outward characteristics, while retaining most of the same internal functionality — and by functionality I mean the fraudulent tricks these forms of malware use to make it difficult for someone to identify them as malicious or remove them from an infected computer. It’s not as though the charlatans behind these scams (or their parents) ever made anything that was actually useful or desirable.

So for our inaugural Rogue of the Week post, we bring you notes on MS Removal Tool and XP Total Security, courtesy of Threat Research Analysts Brenden Vaughan and Stephen Ham.
Continue reading

Webroot Answers Your Security Questions

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

I’m very pleased to present today the first in a series of videos we’ve produced. The videos have the lofty goal of addressing the most pressing questions relating to malware, cybercrime, and online fraud. We’ll take you behind the scenes at Webroot and introduce you to some of our Threat Research team in the process.

In this first video, Webroot’s Director of Threat Research, Jeff Horne, answers a question submitted to us via Twitter direct message about the motives behind most cybercrime, and whether there are any examples of malware or other types of malicious online activity that have been motivated by anything other than financial gain.

We’re planning to release a new video every other Monday from now on. When you’ve thought of that question you always wanted to know the answer to, tweet @webroot or send an email to blog (at) webroot.com, and we’ll answer the ones about cybercrime. We’ll try not to disappoint, but offer no promises. If you think of questions about something else, send them to Dr. Phil or Craig. We look forward to your letters!

Malicious PHP Scripts on the Rise

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

Last week, I gave a talk at the RSA Security Conference about malicious PHP scripts. For those who can’t attend the conference, I wanted to give you a glimpse into this world to which, until last year, I hadn’t paid much attention.

My normal week begins with a quick scan of malware lists — URLs that point to new samples — that come from a variety of public sources. I started noticing an increasing number of non-executable PHP and Perl scripts appearing on those lists and decided to dig a little deeper.

In a lot of ways, PHP is an ideal platform for malicious Web pages. For programmers and techies, PHP is easy to learn. Virtually all Web servers run the PHP engine, so there are vast numbers of potential “victims” (though the numbers aren’t anything close to the number of Windows-using potential malware victims). And just like many forms of executable malware that runs on Windows — the type I’m more familiar with — the most successful malicious PHP scripts permit their users (the criminals) to control and manipulate Web servers for their own benefit and, most commonly, profit.

Continue reading

With Great Power Comes Great Responsibility

Posted on by

By Ian Moyse, EMEA Channel Director

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

The cloud delivery model gives vendors a great amount of power. It is easier to create, deploy, maintain and enhance a service than it has been at any other point in computing history. Just look at Facebook, which grew to 500 million members in a very short period of time. People readily share within it, many with a limited understanding of the potential risks to their private information.

The ability to make an enhancement and almost instantly put it into the customer’s hands is immensely powerful – and immensely dangerous. If you’re a software vendor and distribute software with a bug, the effect propagates slowly as people install the update. And often, you’ll hear about the problem and get a chance to fix it before many customers even become aware. With cloud technology, however, such mistakes instantly propagate to all users. Because of this ability to quickly affect a wide range of customers, the responsibility for a cloud vendor is greater than we have seen before.

As the industry rushes to capitalize on the cloud delivery model, users are faced with more and more choices, making it harder to distinguish between a robust, reputable vendor and a small, possibly risky, player. Selecting a safe bet vendor is critical. Many are software vendors that are just dipping their toes into cloud technology. But the cloud is a very different world, and there is a different approach and mindset to deliver upon.

It is up to customers and resellers to perform due diligence on cloud vendors so they can deliver success stories to their customers and business associates. As in any market, there are pros and cons and good and bad providers. Customers and resellers need to take the time to make educated decisions to discern the good from the bad, the safe from the risky. And cloud vendors need to invest in the expertise and solutions required to deliver the high quality of service customers expect.

The benefits of cloud technology far outweigh the potential risks, both in terms of power and quality of service. Smaller businesses and individual consumers can now access robust applications that were previously affordable only by larger firms. The risks can be mitigated by performing educated decisions and being diligent in your choices. There are plenty of options, and it is up to you to select a vendor who can responsibly manage the power of the cloud.

10 Threats from 2010 We’d Prefer Remain History

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

With 2010 finally behind us, and an unknown number of cyberattacks likely to come in the new year, I thought I’d run down a brief list of the malicious campaigns criminals pulled off last year that I’d really dread to see anyone repeat. Now that they’re in the past, they should stay there.

Operation Aurora: Google’s accusation (with Adobe, Juniper Networks, Rackspace, Yahoo! and Symantec) that China hacked its servers, allegedly stealing private emails stored on the company’s servers. The big surprise wasn’t that it was happening, but that companies were publicly talking about it.

Abused ccTLDs: 2010 saw lots more malicious content originating from previously un-abused country code top-level domains, which are assigned to national authorities, such as the .in (India) and .cc (Cocos (Keeling) Islands) top-level domains. The Cocos Islands’ .cc domain deserves particular note because the more than 2200 malicious domains (discovered during 2010) hosted under this ccTLD outnumber the approximately 600 human inhabitants of the tiny archipelago by nearly 4-to-1.

Koobface: “the little social network worm that could” employed new URL obfuscation techniques, introduced its own keylogger, and focused efforts on a smaller number of social media sites, while Facebook got more proactive at shutting down the worm’s operations quickly. Maybe this year they’ll disappear altogether.

Continue reading

Christmas IE Zero-Day Thwarted. Ho ho ho.

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

Yesterday, two different 0 day exploits against Internet Explorer were published, just in time for the holidays when most of you (and many security researchers as well) are taking time off from work. The exploit, named CVE-2010-3971, is fairly serious, affecting the latest builds of IE versions 6 through 8.

Well, I’d normally get all hot and bothered about the fact that this kind of event might force some of our research team to spend their precious vacation time working the problem and coming up with a comprehensive solution. Normally, but not this time.

This time we headed the Black Hats off at the pass, and put a stop to these shenanigans before they started. Word from the Webroot Web Security Service team — the builders of our very slick cloud protection service for businesses — is that their Javascript heuristics engine is able to block any Web page that’s trying to use the exploits to try to take over your computer. The screenshot above shows what happened when we tried to browse to the proof-of-concept exploit page on a machine protected by the Web Security Service.

Of course, that’s great for corporate folks, but what about our home users running Webroot Antivirus or Internet Security Essentials or Complete? Well, we block it there, too. If you happened to stumble upon a Web page with the exploit running inside it, you might see a popup like the screenshot here, which is just telling you that we’ve prevented the page containing the exploit from loading in your browser. For the people playing at home, please ensure that you’re running the latest version of your antivirus with the most current updates, with the File System Shield and the Execution Shield turned on (and turn Gamer Mode off while you’re surfing).

So, tough luck exploit writer guys. Better luck next time. I know someone is getting a bigger lump of coal than usual in his stocking this year, and I can’t think of anybody who deserves it more.

Internet Misuse: Bandwidth Does Matter

Posted on by

By Ian Moyse, EMEA Channel Director

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

Recent studies demonstrate that upwards of 25% of Internet bandwidth in an office are consumed by employees misusing the internet. According to Gartner, the average growth of business email volume is 30% annually, with the average size of the email content growing in parallel. Add to this the growth of Web misuse from streaming media, downloads, file sharing, social networking, and spam, and it becomes pretty clear that the mismanaged cost to business of non-work-related Internet use is already bad and getting worse.

There are plenty of examples, including employees wasting more than two hours a day on recreational computer activities (according to a survey fielded by AOL & Salary.com) and that, according to an IDC report, “30% – 40% of Internet use in the workplace is unrelated to business.”

Studies and surveys such as these typically focus only on lost productivity — and there’s no doubt that’s bad enough. But they rarely discuss the significant hidden financial impact of bandwidth wastage from these activities.

Continue reading

Troublesome Trojan Trammels Torrent Sites

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

We spotted an interesting behavior from a Trojan dropper that belongs to a family of malware named Ponmocup. The file, update.exe (MD5 89f4ea9f0240239e0d97f202d22af325) leaves behind a payload that, among other things, modifies the Hosts file on infected computers to prevent users from visiting popular Bittorrent sites, including The Pirate Bay.

It’s an odd behavior for several reasons. We don’t see many Trojans modify the Hosts file anymore because such modifications are so easily reversed. But more to the point: Why would a criminal care whether anyone else be able to browse The Pirate Bay, a Web site known to host torrents of pirated, copyrighted material? And why also block Mininova, which changed its content model more than a year ago and no longer hosts copyrighted files? None of these things make sense.

It seems at first blush like the act of someone who fancies himself a copyright vigilante, sophisticated enough to build a custom tool such as this, but who isn’t smart enough to know which sites to block.

Continue reading

Malware Threats: What Would Churchill Do?

Posted on by

By Ian Moyse, EMEA Channel Director

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

With Christmas fast approaching, (lest we forget the shops have kindly put all the Christmas goods out in September and early October again!) we can expect online attacks to increase as per their normal schedules, ramping up through the end of the year.

With apologies to Sir Winston Churchill, never in the field of Internet conflict was so much harm done to so many by so few.

For all the benefits the Internet provides our lives, no single technology has given so few criminals the ability to cheaply and easily target the many. We’ve seen the rise of the dark economy, where far flung cybercriminals trade skills and produce burglary tools for sale, and we live with the consequences every day. Sophisticated attacks target both our computers and our users, through social engineering.

While the increases in cybercrime incidents seem to indicate a greater number of attackers, the reality is that the growth of the Internet itself gives rise to the ever-increasing volume of botnets, keyloggers and spam. The Internet makes us all contactable and, to a degree, easily identifiable. As we surf the Web, we leave traces of our presence in the form of electronic footprints — cookies, blog postings, and of course, our activities on social networks and other online forums.

And yet, no matter what we do to stem the tide, the problems only seem to increase in size and scope.

You can tune in and listen live to more of Ian Moyse’s predictions for next year’s most serious threats in his free Webinar, ThreatNet 2011, Thursday, November 4, at 10am Eastern.

Continue reading

Game Trojans’ Biggest Tricks in 2010

Posted on by

By Andrew Brandt and Curtis Fechner

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

It’s appropriate that this year’s Blizzcon, the two-day celebration of all things World of Warcraft, takes place during National Cyber Security Awareness Month. No other game is as heavily targeted by thieves as WoW, so we thought this would be as good a time as any to run down some of the malware threats that face gamers. 2010 has been a big year for Trojans that steal game passwords or license keys.

The people who create malware targeting online games show no signs of relenting, nor are they laying down on the job. Innovation is the name of the game, and password-stealers this year innovated their infection techniques to make them more effective and even harder to detect.

Two-factor authentication tokens, such as the Blizzard Authenticator, do a great job of preventing fraud. If you play WoW, the seven or so bucks the Authenticator costs can prevent a lot of headaches if your account becomes compromised by either a Trojan or a phishing Web site. The Authenticator displays a series of numbers that change about once a minute, and a gamer needs to enter these numbers along with a username and password to play the game.

However, while gamers who play Blizzard’s games might find themselves at reduced risk of phishing thanks to the Authenticator, other companies that operate the kinds of massively-multiplayer games most targeted by phishing pages and malware are also targets for theft, and don’t yet offer an equivalent method of securing login credentials.

Continue reading