Malware Campaigns

[razoreqx]

Wouldnt it be nice to have a thread or focus topic here for Malware Campaigns.  A place to track what we are all seeing in the wild?   I know ive worked with a few of you on leads you've shared with me in the past with some pretty good results.  


just a thought.

[Asyn]

Wouldnt it be nice to have a thread or focus topic here for Malware Campaigns.

Seems you just started one.

[polonus]

To all,

Well first a few things to be better protected against these kind of threats. Everybody can take these precautions. Enhance protection against malware campaigns by keeping OS and third party software up to date Secunia OSI can help the user towards that goal: http://secunia.com/vulnerability_scanning/online/
Malware campaigns may infect computers with malware that is meant for not fully updated and patched computers. Malware works on computers with bugs, holes or when users make wrong clicks and get the malware that way. So think first click later. That is the best advice I can give.
And when something seems too good to be true it mostly is not what you think it is.

Have avast installed with the webshield and the networkshield active. If something is blocked it is for a good reason, do never circumvent when you cannot go somewhere, else ask us here first.
 
Whenever you use an online proxy disable javascript there and realize fully that everything you do there online is being logged. When visiting an infected site via a proxy the avast shields may block you it is for your protection against malscript.

Then it is important for users to react to alerts in the browser not to visit particular sites. Whenever google safebrowsing, WOT, BitdefenderTrafficLight, M86 Secure browsing, DrWeb URL checker, avast web rep comes with a warning better not to visit that site, stay away or go back on your tracks.

Some users may seek additional protection from specific block lists through an extension like ABP (adblocking malware lists) for instance and some because script is the royal malcode road into the browser use script blocking extensions like NotScripts in GoogleChrome together with Better Pop Up Blocker extension.

Do not visit places on the net where there is questionable content (pirated content, smut etc.)
malware there is never far away....

Whenever you were alerted to a threat, open the main file of your browser and do a full scan of all of the browser folder and file contents - cache, history, the lot.
Better empty yout browser's contents from time to time and bookmark your favorites in a notepad file to go back to. Cleanse your temporal browser files from time to time.

If you have a hunch a site can be less secure, ask us here to scan the contents. Also report all incidents to avast to help us all be more secure. With a little effort and common sense everybody here can feel better protected,

polonus

[DavidR]

Wouldnt it be nice to have a thread or focus topic here for Malware Campaigns.  A place to track what we are all seeing in the wild?   I know ive worked with a few of you on leads you've shared with me in the past with some pretty good results.   

In all honesty I don't see the point, there are already a couple of topics that this category could come/fall under.

Such as the 'SECURITY WARNINGS & Notices - Please post them here' http://forum.avast.com/index.php?topic=52252.0 topic.

To the same degree what can the average avast user do about what is going around other than what they should already be doing for general protection. Keep OS, security applications, backup and recovery strategy, etc. up to date.

Take proactive measures, run browser either sandboxed or as limited user to prevent.limit the potential for damage should they come across malware. Use a browser that gives flexible configuration/add-ons to help prevent driveby attacks, exploits, hacked sites, etc. etc.

Add to that a healthy dose of common sense and suspicion.

The above and other pro-active measures are what a user should already be using and to hell with what the current flavour of malware campaign is.

Most already fail to do any or all of these measures, so knowing what is the current hot thing is going to make little difference to their behaviour. Generally this kind of information may be welcomed by the paranoid or those who have an interest in these things and they are generally well protected already.

[polonus]

Hi DavidR,

Well that is why I took a tour of those things a common user could do to be better protected. Secure practices is for everyone and we should start somewhere. Using a computer with full admin rights and clicking after everything that moves on screen is a certain way to get infected.
We tell the story over and over again. Those that have closed their eyes and ears already cannot be reached, they will fall prey to malware anyway and make the computer salesman happy.
For those that already use safehex there are some new tricks to be learned. Like with EMET.
MS Enhanced Mitigation Experience Toolkit, that also can improve security considerably.
I have to think here of the story of the Prague Golem when the Maharal took away the first letter of the word and the golem became inoperable, taking off the alef in the word emet (thruth), leaves you with the word met (meaning dead),

polonus

[mchain]

Hi,

As long as the genre is about what the average user of Avast! can do to protect themselves, then the following may apply:  (Home Users Only)

• Secure your PC firewall with a strong password
• Secure your Internet modem with a secure and strong password.  Be sure to set the modem on the highest settings possible (not default) for greatest protection
• Secure Avast! itself with a strong password
• Secure the super user account (that would be the Administrator account, not the user Admin a user may use on a daily basis) with a strong password
• Use strong passwords (random string characters are best) for all other user accounts on the computer
• Use a user limited account whenever possible when online, not the user Admin account.  Use user Admin only for updating security programs which cannot be updated in limited user, and also to update Microsoft Security updates
• Use Internet Explorer as little as possible

One of lesser-known advantages of using a third-party firewall is the ability to password-protect the firewall program you use.  This alone should help to prevent or minimize setting changes by other users of your computer, as well as help thwart an outsider attack.

Use another internet browser instead of Internet Explorer to browse the web.

Re razoreqx, I was just thinking about that, that a way to pass on exploits and/or malware found in a centralised location, would greatly assist Avast! engineers to react faster to unknown rogue programs or malware.  We are spending a bit of time searching and cataloging what we find, so why not a centralised place?

[Pondus]

What is the most secure browser
http://lifehacker.com/5867545/whats-the-most-secure-web-browser

[polonus]

Hi mchain,

There is a general pattern that plays through what all these malware campaigns will try to achieve and well abuse of unpatched software bugs to get their payload onto the vulnerable computer or abuse the unawareness/unpreparedness of the victim.
So just a couple of hours ago now  I was asked to update my adobe reader software.
I should have done so if I had the software. Why, because malware known as BKDR_SYKIPOT.B could be installed if my computer if I had been a target and vulnerable to this malware.

Reports surfaced about a “zero-day” exploit for Adobe Reader (CVE-2011-2462) some couple of weeks ago and targeted attacks are typically organized into campaigns

Quote taken from Trendmicro's Malware Blog report of this malware campaign, see link: http://blog.trendmicro.com/the-sykipot-campaign/

So message here for the average avast user. Make sure your computer is no longer vulnerable for that attack/vulnerability (well at the beginning of that campains there may not have been a patched software version, so there was a vulnerability window open for this particular exploit for say about two weeks), second have anti malware intstalled that blocks, detects or removes the malware. Here we see how we are being protected by our avast av solution: https://www.virustotal.com/file/b9231471a9af849ccf3690ebc12cdc7ac4d942f6e417ba7261e7a4414bf1e329/analysis/1324268708/

Third be responsible do not open infected mails or go to infected sites and open a malicious Microsoft Excel file without scanning or checking,

polonus

[polonus]

Hi folks,

Sometimes we can see some action in logs, see here: http://sakrare.ikyon.se/log.php?id=22756
When we check on the offensive code (hidden iFrame malcode) found there, we will find that we are being protected against this trojan horse by the avast webshield that block such a redirect as infected with JS:ScriptSH-inf[Trj]. Also see: https://www.virustotal.com/url/fad36bea028720dae5f9cf6cbc8e9b29931ed7b7ffe1cab420cde3c91d15080c/analysis/
On the other hand Google Safebrowsing had saved us as well: http://www.webutation.net/go/review/hjartligt.se  (plus an AV warning)

polonus

[polonus]

New VT now also will report user for new malware campaigns - example
https://www.virustotal.com/url/757c9e961dd8e72bff9f734b2cbe8fa56e9513b317e033cc434a98d6c993150f/analysis/
Just open up the additional information on a mass SQL Injection campain from
-http://statsmy.com/ur.php

polonus