Posts in Category: Virus

Do you use an antivirus?

According to a Microsoft study, a Windows computer out of four DOES NOT have any antivirus, making the chances to get infected within a month very high (I would say that it's almost guaranteed).

And you? Do you use an antivirus, or you like the thrill to reinstall Windows every week?

Moreover, they made a test: can you recognize a "fake" antivirus that will scare you of a fake virus just to steal you money for a fake cleaning?

Can you pass it?

Avast is even more ridiculous!

Not long ago I wrote that AVG was ridiculous because it deleted every file that contained the string Førmat c: /autotest /q /u (I replaced the o with ø for a reason that you'll see later).
Today, after the fifth time that AVG would interrupt me while I was playing GTA IV for letting me know that it found some false positives, like SafeXP, the Office 2010 keygen and others, I decided to replace it with Avast.
Um, great, it looks great, I tell myself.
I'm going to write the result on dandandin and...

I got shocked! My server infected?? Then, I realize that Avast blocks the access to any website that contains Førmat c: /autotest /q /u!!!!!!!!!
WEIRD !!!!!!!!!!!!!!!!!!!!!!!111 !!!!!1111!1!1!1
This was my reaction:

AVG is ridiculous

I installed AVG on my home computer, needing a free antivirus.
 After installation, you need a full disk scan, and since AVG bugs you every 10 minutes with no chance to say "don't ask me again", I finally consented to that useless scan.

After a few hours, it found a virus and deleted it without asking.
 Intrigued, I checked the quarantine to investigate.
 It was HackerNovello.htm, a very old file (more than 12 years!) from an ezine that I found on IRC; New Bies:

                 @-,”ì'ì”,.,”ì'ì”,.,”ì'ì”,.,”ì'ì”,.,”ì'ì”,-@
                 |   _   _               ____  _           |
                 |  | \ | | _____      _| __ )(_) ___ ___  |
                -+- |  \| |/ _ \ \ /\ / /  _ \| |/ _ Y __|-+-
                 :  | |\  |  __/\ V  V /| |_) | |  __|__ \ :
                 |  |_| \_|\___| \_/\_/ |____/|_|\___|___/ |
                 @-,”ì'ì”,.,”ì'ì”,.,”ì'ì”,.,”ì'ì”,.,”ì'ì”,-@

                       NEW BIES (num 2) (data 07/03/99)

AVG detects a virus in a story where the author says that in the DOS time he put førmat c: /autotest /q /u in the autoexec.bat. This is a command that does a quick format of the system drive without confirmation.

Ok, just find "format c:" in any file and automatically becomes a virus to delete without asking??

Then it detect as virus stuff in grey range, as trainers for video games, almost all keygens, even joke programs (style: Invert the screen) and bugs you if Chrome uses more than 300 megs of RAM when I have more than 6 gigs free...


Ugh... when I have free time I will uninstall AVG...

Update: I had to replace the o with an ø in the format command, because Avast is so smart to block the access to any page that contains the string!! Weird!

LBE Privacy Guard: a must have for Android

If you have a phone or tablet with root access, you should definitely install LBE Privacy Guard!

This program acts as a filter to all applications, a window will appear to ask you whether or not to authorize the action.

The actions to be filtered are: phone calls, send SMS, access to contacts, network access, send your serial number or mobile number, send the GPS position.

It seems almost unnecessary, but helps a lot to find malicious applications!

Take, for example, Blob Blast, a malware that I found by chance.

First of all, let's explain how I found it: by clicking on a paid advertising into another unrelated application.

Why its programmer should spend money to advertise a free application that does not show even banner ads inside?

When we click on a banner advertisement, we must always consider the fact that for every click, are spent on average 30 cents. If 1000 people clicks the advertising, are being paid 300 euros. It means that the programmer expects to earn much, much more than 300 euro. But how he could make money if the application is free and does not show even banner ads?

With malware.

Let's see the permissions required when installing Blob Blast:

  • Services that cost you money:
    send SMS messages
    Allows application to send SMS messages. Malicious applications may cost you money by sending messages without your confirmation.
  • Network communication:
    full Internet access
  • Your personal information:
    read contact data
  • Allows an application to read all of the contact (address) data stored on your device.Malicious applications can use this to send your data to other people.
  • Phone calls:
    read phone state and identity
    Allows the application to access the phone features of the device. An application with this permission can determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to and the like.
  • Storage:
    editing / deleting the contents of the SD card
  • Your Accounts:
    discover known accounts
    Allows an application to get the list of accounts known by the device.

Why a simple game like this, has permission to send SMS, read all the numbers and email contacts, go online and delete files on the sd card, when it should have no need to do that??

The answer comes to us with LBE Privacy Guard: When we open the game, we get told that the first thing the game does it to access the phonebook.

We want proof? If we disable the access to Internet, does not attempt to send the phonebook! It means that the game tries to access the Internet, and, only if it succeeds, tries to send the entire address book!

They probably want to sell user data to spammers, or, if the phone is in a particular country, send sms to premium numbers. For example, an application could subscribe you to some useless ringtone service with high weekly fee!

And so are all applications from Wee Cat Games! Forgotten Blocks, Tracy Says, Color Crash, are all malware! (Their contact details are also fake)

Here is an example of their ad:

 

I have already reported the problem to Google, hoping for a quick solution. Meanwhile, root your phone, install LBE Privacy Guard, it's free, and be more careful when you install an app

Finally!! Autorun on USB drives disabled by default in Windows 7!! Goodbye Viruses!

Finallly they did it!!! On the engineering Windows 7 blog, has been announced that the autorun for USB drives will be disabiled!!!

In fact, recently, USB drives viruses, has got an huge boost in diffusion:

usb pen drive virus spreading

In year 2001, Microsoft was provident, by disabling the direct autorun of executibles on usb drives, like is on CD. Unfortunately, too many hackers (and script kiddies) exploited the removabile drive autoplay menu by making a program named "Open folder to view files", with a folder icon. Like this:

removabile drive autoplay menu

Clicking on the first choice, we will be infected by the virus; only the second icon is the right one

For this reason, public computers are literally infested with dozens of such viruses, making mandatory the manual disable of the autorun, as instructed on the Microsoft website.

But finally, they disabled such exploit! The removable drive autoplay menu has been modified to only show programs that are already present on the host computer

removabile drive autoplay menu

Awesome!

How to detect a Conficker infection

Even if the much touted massive 1st april virus infection was not so massive, Conficker continues to spread itself.

Conficker is an auto-installing virus if you didn't installed the MS08-067 patch; knowing if you have been infected is a bit hard, because the virus does its best to hide itself.

Luckily, the Conficker Working Group, has found a simple but smart way to know if you have been infected.

In fact, the virus blocks all the connections to the antivirus company websites. In this page, we can see a table, that contains some images, hosted on "generic" websites, and antivirus company websites:

  • If you can see all the images: YAY! You are not infected
  • If you cannot see the three images at top: you have Conficker C (or higher version)
  • If you cannot see F-secure and Trend-micro logos: you have Conficker A or B
  • If you cannot see any image... your browser is set to don't show any images

The Dawn of the Dead (computers)

Do you remember Conflicker? The virus that in December has started to spread automatically exploiting a Windows Bug.

According to experts, that virus is designed to activate itself on today, 1st april 2009!

What will happen?

  1. Data loss?
  2. Massive spam sending?
  3. Massive distributed attack to other computers?
  4. Sending of sensible data to evil servers? (like: password, credit card numbers)
  5. April's Fool

In my opinion is the option #2... but i hope in an April's Fool!

 

Update: how to detect if your computer has been infected