Category Archives: Viruses and malware

Listen to true (online) crime stories

ListenThe Internet is an amplifier. It amplifies everything, including the apparent number of bad guys on the planet. Decades ago, we were vulnerable only to thieves in our neighborhood. Now we’re vulnerable to connected thieves everywhere. Here’s a recent podcast by WNYC’s Radiolab about ransomware, botnets, and Internet crime for fun and profit.

From Radiolab’s notes:

First we meet mother-daughter duo Alina and Inna Simone, who tell us about being held hostage by criminals who have burrowed into their lives from half a world away. . .

Then reporter and author Joseph Menn tells us about the surprisingly lucrative professional hacker structure in places throughout the former Soviet Union. Finally, the co-creator of one of the most notorious online marketplaces to ever exist speaks to us and NPR cyber-crime expert Dina Temple-Raston about how a young suburban Boy Scout can turn into a world renowned black hat hacker.

Bad News: CryptoLocker screen

An excerpt from a listener’s comment:

Here’s some advice:
But remove the drive after you backup, if you use an external. CW 3.0 is known to infect any attached devices, NAS devices or even networked computers.

If you see an unexpected major slow down with your PC, shut it down immediately. This is caused by the encryption process (and in some cases a failing hard drive; also a good time to shut it off and get it checked out).

If you see a link file (.html), picture (.jpg) or text file (.txt), titled “DECRYPT_INFO” or any of those types of files (usually small) with a name like that, you have been infected and the virus is in the process of encrypting your data. Shut down immediately.

I’d add that you shouldn’t click on links or attachments within email messages, even those that seem harmless.

Visit my website:
© Russ Bellew · Fort Lauderdale, Florida, USA · phone 954 873-4695


The tyranny of CryptoLocker has ended, or at least paused.

Ding dong the witch is dead:

FireEye and Fox-IT have partnered to provide free keys designed to unlock systems infected by CryptoLocker.

CryptoLocker screenshotIf you have been infected by the CryptoLocker ransomware and all your files have been encrypted without your consent, go to FireEye and Fox-IT’s decryptcryptolocker website post haste. These noble folks seem to have located the CryptoLocker servers that store the unique private keys (called “master decryption keys”) for infected systems and will allow you to decrypt your encrypted files . . . gratis!

I warned about CryptoLocker when it first appeared in the fall of 2013. It is a very malicious piece of work.

I applaud FireEye and Fox-IT. I’m not sure how they were able to locate the CryptoLocker servers. (New randomly-named servers were created every day.) Also, it seems that CryptoLocker’s claim that the private keys would be destroyed after several days wasn’t true, since FireEye and Fox-IT appear to have found the keys intact on one or more CryptoLocker servers. In any case, FireEye and Fox-IT deserve a big round of applause.

The Register published a good article about decryptolocker and its background. According to their article, my celebration may be premature:

Hopes that this takedown would kill off CryptoLocker have been dashed. CryptoLocker has evolved and once again started to compromise user devices, FireEye warns.

Lions and tigers and bears! Oh my!

Visit my website:
© Russ Bellew · Fort Lauderdale, Florida, USA · phone 954 873-4695

Whither Microsoft Security Essentials?

I’ve recommended and used Microsoft Security Essentials (MSE) for several years. I prefer it to McAfee and Norton antivirus programs. Recently, Microsoft, in a long tradition of muddled corporate communications, has hinted that the quality of and future for MSE is uncertain. They’ve also hinted that updates for MSE on Windows XP may cease when they quit supporting Windows XP next April.

microsoft-security-essentialsI’ve not seen a clarification from Microsoft. For the moment, I’m recommending that clients remain with Security Essentials. That recommendation may change. In the meantime, like the authors of the following articles, we’re left guessing:

Interpretation Hoopla About Microsoft Security Essentials

Microsoft’s Security Essentials isn’t the best antivirus program, according to Microsoft

Visit my website:
© Russ Bellew · Fort Lauderdale, Florida, USA · phone 954 873-4695

Make off-line backups NOW.

A new improved piece of malware that’s targeted at Windows users has entered the stage. It encrypts ALL of your Windows computer’s document files — .docs, spreadsheets, photos, etc — as well as any files that it finds in your Dropbox or on your network’s shares, and demands a ransom to decrypt them. It overwrites your original unencrypted files with zeros. Here’s one sad CryptoLocker story.

CryptoLocker is nasty. It apparently propagates via Phishing attacks: you know, those emails that contain a malicious link and/or attached file. Supposedly CryptoLocker is delivered by an email that looks like it’s from a legitimate company such as FedEx, UPS, a bank, or other business.

One bad feature of CryptoLocker is that it encrypts every file that it can find and gain write access to: this includes your backup files that reside on any online external drives. If it has a drive letter, its files will be encrypted by CryptoLocker. Here is a YouTube video clip of someone who paid the $300 ransom.

Malwarebytes documents CryptoLocker. The best protection is to use offline backup systems. Carbonite would be immune, as would offline tape backup systems.

Sophos has a good CryptoLocker page with video demo. It notes,

A Naked Security reader just commented that from a single infected computer, he was “faced with 14,786 encrypted files over local and mapped network drives.”

Backup system must include versioning

Let’s assume the worst: your files have been encrypted by CryptoLocker. To ensure that you can restore an unencrypted version of each file, your backup system should include a feature called versioning. You’ll need to select from a backup set that was done before CryptoLocker infected your computer . . . and these earlier versions must be stored off-line, or CryptoLocker will encrypt them, too!


Update, 6 Nov 2013: I’ve read that CryptoLocker is distributed via an emailed attachment. The attached file purports to be a PDF file. It is in fact an EXE file. When the victim clicks on the attached file, the attack begins.

Visit my website:
© Russ Bellew · Fort Lauderdale, Florida, USA · phone 954 873-4695

0 bytes free = an obnoxious infection

Last week I ran into an ingenious Windows XP infection.

"Claustrophobia" by NinaValetova
“Claustrophobia” by NinaValetova
The victim’s hard drive rapidly runs out of free disk space. I never did identify the exact culprit. The virus continually appends to a hidden file named “avenger.txt” in the root of drive C:. When I found it, c:\avenger.txt was over 500 gigabytes in size!

My cure was to reformat the disk and install a fresh copy of Windows XP.

Visit my website:
© Russ Bellew · Fort Lauderdale, Florida, USA · phone 954 873-4695

Recent virus vectors

Within the last year or so, Microsoft Windows has become pretty secure. (I didn’t think that I’d ever use the words “Windows” and “secure” in the same sentence.) Microsoft has been relentless in fixing Windows’ vulnerabilities and distributing those fixes through Windows Update. Now the malware creators have turned to Adobe Reader, Flash, and Java to spread their infections, so it’s doubly important that you keep these three programs up to date so that they block the latest exploits. Rust, and the malware scourge, never sleeps.

Visit my website:
© Russ Bellew · Fort Lauderdale, Florida, USA · phone 954 873-4695

Java in browsers continues to be dangerous.

Michael Horowitz has updated his helpful page. The gist is that Java is fine, as long as it doesn’t run in a browser. To be safe, just remove it from your computer.

We discussed Java’s vulnerabilities last September:

Oracle just doesn’t seem to be fully committed to securing Java. Michael’s page does a good job of sorting out the Java confusion.

Visit my website:
© Russ Bellew · Fort Lauderdale, Florida, USA · phone 954 873-4695

John McAfee: curiouser and curiouser.

John McAfee’s first anti-virus program was very good. Over the years it’s degenerated into bloatware with a large advertising budget.

He seems to have flipped out in Belize, where he is suspected of murdering his neighbor. While hiding, he has recently started his own blog to chronicle this strange saga from his point of view. John asks, “How did I end up as a murder suspect on the lam?” His disguises made me laugh.

The Telegraph article John McAfee asked message board users how long it takes to be traced includes a video clip.

Who is John McAfee? The Telegraph article John McAfee: sex, drugs and anti-virus software.

Visit my website:
© Russ Bellew · Fort Lauderdale, Florida, USA · phone 954 873-4695

An old Java security flaw is discovered Sept 26.

A small outfit called Security Explorations has again found a serious security hole in Oracle’s Java. This is java flaw 51 that they’ve found.

This latest discovery of a serious security problem with Java has not, as of 29 September, been repaired by Oracle.  A website with malicious code can own any computer (with Java installed) that merely visits the website. This vulnerability exists in all versions of Java for all platforms from release 5 through 7 (the latest). That ‘s the bad news. The good news is that as of today this vulnerability is not known to have been exploited. The ball is in Oracle’s court. They need to patch Java ASAP.

I recommend that, if you don’t need it, you uninstall Java. If you or your business or bank requires Java, leave it on one web browser that you use for that purpose only. Install a second web browser (e.g. Opera, Mozilla Firefox, Google Chrome) without Java, and use this as your main browser.

Note that this is Java, not Javascript. Despite their similar names, the two languages are unrelated.

See Java may still be vulnerable even after Oracle security patch. 3 September

Visit my website:
© Russ Bellew · Fort Lauderdale, Florida, USA · phone 954 873-4695

Java may still be vulnerable even after Oracle’s security patch.

diagram: Baptiste MATHUS
This is a comedy of errors.

For four months, Java has been vulnerable to attack. Oracle responded recently with Java version 7, which patched the holes in version 6. Java version 7 adds two functions; unfortunately those functions include new improved vulnerabilities.

Andy Greenberg wrote about the latest Oracle problems with Java in a recent Forbes article.

Java has been with us since 1996. I recall the joy that greeted its introduction by Sun Microsystems: a Java program could be written once and then execute on Windows, Mac, and a variety of Unix machines. The slogan was write once, run anywhere. As malicious attacks have intensified, we’ve learned that the architecture of Java makes it vulnerable to attack. It includes file system access and acquires the same rights as the currently logged-on user. That means if you are logged on to your PC as Administrator, a malicious Java program can do whatever it pleases on your PC.

The vulnerability in Java version 7 means that if a website contains malicious Java code, all that you need do is visit that website — you need not click on any links — and your Windows, Mac, or Linux machine is taken over (if you have Oracle’s Java installed on it). And you probably wouldn’t know it.

The open door to your PC is provided by having Java execute within your web browser. Until Oracle gets their Java act together, I recommend that you uninstall Java. Using Mozilla Firefox web browser with the NoScript add-in will also protect you. These days, few websites use Java anyway. Some multi-user games require Java, and a few financial reporting sites use Java. I don’t even have it installed on this Windows XP machine.

Sept 7 2012 update: Oracle has resorted to accepting payments from McAfee: when you download the Java update from Oracle, it defaults to installing McAfee Security Scanner, unless you opt out. Oracle ought to stop trying to maintain Java by themselves. As far as I know, it’s not generating revenue for them, so their heart isn’t in maintaining the code. Oracle and the user community would be better served by re-branding Java as open-source.
Reportedly many European bank sites use Java to provide on-line banking. I’d recommend that these users make certain that they keep their Java updated and use Mozilla Firefox with the NoScript add-on. The Safari browser on Macs prompts you before executing Java code, and disables it afterwards, so this should be okay for European banking users.
A good workaround would be to boot from a Ubuntu (Linux) live DVD/CD, and do your banking with it. It includes its own JRE (Java runtime environment), which is not vulnerable to Oracle’s Java vulnerabilities — or any Windows’ vulnerabilities, either.

Visit my website:
© Russ Bellew · Fort Lauderdale, Florida, USA · phone 954 873-4695

DOJ indicts 7 very clever Internet crooks.

illustration by Russ Bellew

This scam rewarded hard work with huge income, while it lasted.

I’m not smart enough to have dreamed up this scam: hi-jack millions of users’ clicks and redirect them to ads that pay the crooks for each click. Allegedly, over 14 million dollars of income was collected since 2007. Six of the 7 indicted people reside in Estonia, where they have been arrested by the Estonian police. The US Department of Justice (DOJ) is seeking their extradition for trial in US federal court on charges of wire fraud and computer intrusion. The seventh suspect has not yet been located.

Part of the scheme employed a piece of malware that’s named DNSChanger. These guys spent serious time fabricating this scam: they had to first set up 2 bogus DNS (Domain Name Service) servers in the U.S., create and propagate the malware, create affiliate relationships with advertisers, create bogus websites, arrange payment with advertisers, etc. Basing the bogus DNS servers in the U.S. would guarantee fast DNS lookups for hijacked American victims.

I see plenty of DNSChanger infections

Want more info?
DNSChanger Malware details from the FBI (a well-done 6-page 360KB PDF file)

Last year I wrote about one instance (of many that I see) of DNS hijacking (Malware hi-jack of DNS address). A computer whose DNS record points to a malicious DNS server is “owned” by the bad guy who installed the redirection. My first thought was that the bad guy could harvest on-line banking login credentials. These Estonians fabricated a much more elaborate scheme, which was probably harder to detect than the scam that I’d imagined.

Articles with details of this scam

Joab Jackson, in a Computerworld article titled DOJ charges seven in massive clickjacking scheme fleshes out this story and CNET’s Seven accused in $14 million click-hijacking scam article by Elinor Mills adds still more detail. According to her story, the FBI spent 2 years investigating this case after NASA discovered DNSChanger on over 100 of its computers. This led to the discovery that the infection had spread to millions of computers in over 100 countries.

Visit my website:
© Russ Bellew · Fort Lauderdale, Florida, USA · phone 954 873-4695

Microsoft scrambles to thwart Duqu worm.

Source: The Hacker News
Duqu flow and Execution Diagram

From eastern Europe with love.

In September, a new worm, dubbed Duqu, appeared in Hungary. It shares some characteristics with the Stuxnet worm. It spreads via infected Microsoft Word documents and then exploits a vulnerability in Windows’ TrueType parsing engine.

It appears that Duqu captures keystrokes and attempts to steal digital certificates. It sends them to “its master” in encrypted form within a 600 KB JPEG file and related encrypted files. Initial reports indicate that once Duqu is behind a firewall, it uses multiple methods to spread within a workgroup.

Microsoft plans to issue a 4-part patch to thwart Duqu on November 8, along with its usual “patch Tuesday” updates. I’ve not heard if Microsoft Security Essentials latest update will detect Duqu.

A new generation of infection

Stuxnet introduced new techniques: it uses encryption to hide itself on the target computer and to hide the contents of its stolen data that it sends “home”. Even the IP address of “home” changes randomly. Once it has set up shop in an infected computer, it resists further infection from unknown infections. Duqu uses similar techniques and seems to remove itself after 36 days, to reduce the chance of detection.

As usual, don’t click on any unexpected email attachments.

Visit my website:
© Russ Bellew · Fort Lauderdale, Florida, USA · phone 954 873-4695

Another reason that I don’t recommend Norton 360

Norton 360 screenshot
Malware infects a PC despite protection by Norton 360.


A couple of years ago, I discovered that Symantec’s Norton 360 prevented Windows’ critical System Restore function from working [Norton 360 has (at least one) fatal flaw]. This flaw placed it on my “Not recommended” list.

For the past few months, suspicious pop-up ads had been appearing on a client’s Windows XP laptop that was protected by a current copy of Norton 360. Recently, it nagged her to purchase disinfection “from Microsoft” for an annual fee. The offer’s many misspellings raised her suspicion that maybe the offer wasn’t actually from Microsoft. A full scan by Norton 360 found no infections, yet the obnoxious pop-ups clearly indicated that the computer was infected..

When I scanned the laptop with SuperAntiSpyware and Malwarebytes’ Antimalware, they discovered 4 malware infections. Since Norton 360 had failed to do its job, I removed it (using Symantec’s software removal tool) and replaced it with Microsoft Security Essentials. Then Security Essentials found another malware infection.

I’m surprised that Norton 360 failed to defend against these infections. Symantec is a serious company and Norton 360 has an impressive user interface with many user-configurable parameters, but in this instance it didn’t work. Microsoft Security Essentials has a less impressive user interface, but it works pretty well.

Nobody (or computer program) is perfect.

I’m fond of saying, “There is no perfect anti-virus program”. All occasionally produce a false negative or a false positive, and relative performance varies from week to week. publishes quarterly results of anti-virus program tests.

I’ve seen other big-name anti-virus programs fail before:


Visit my website:
© Russ Bellew · Fort Lauderdale, Florida, USA · phone 954 873-4695

The hits just keep coming.

XP Total Security 2012 Trojan Horse screen view
More bad guys than ever are launching cyber-attacks for fun and profit.

Desktop Attacks

I’ve recently encountered an old enemy: a Trojan Horse that’s been around for 3 years or more. It’s recently calling itself XP Total Security 2012 and it’s gotten nastier and more tenacious than its earlier incarnations. I no longer spend much time trying to remove this bad boy: I just backup the infected computer’s data, format the hard drive, re-install Windows, and restore the (scanned) data. Most security experts agree with this tactic.

Server Attacks

Elinor Mills, in an article that appeared in CNet News, June 17, 2011: Keeping up with the hackers, included a chart of recent major break-ins.There are some surprising headliners in the Victims column: RSA, who specialize in security, Sony makes multiple appearances, payroll giant ADP, Citigroup, US Senate,et al.

Sony has been hacked so often, that there’s even a website, This can’t be good for Sony’s reputation!

I’m thinking of moving from Windows to Ubuntu for my daily web-browsing, just to avoid these constant attacks, security patches, updates, etc.

Visit my website:
© Russ Bellew · Fort Lauderdale, Florida, USA · phone 954 873-4695

Google remotely removes Droid Dream infection from Android phones

Image: Luckyz derivative work: Beao
Google removed infected apps from about 260,000 Android phones.

Google went into the smartphones of about 260,000 Android smartphone users who had downloaded infected apps, and remotely removed the infected apps, as described in their blog. They pushed a service called Android Market Security Tool March 2011 unto those users’ phones.

This action has of course raised privacy concerns. As with everything that Google provides, Google reserves the right to do what it wants with your data. This LA Times article summarizes Google’s actions.

Apparently Apple has similar control over its customers’ iPhones.

Developers for Android must register with the Android Marketplace before they may upload apps, so it should be easy to identify the bad guys. It’ll be interesting to see what “law enforcement” (who? The Internet police?) mentioned by Google does with the evidence.


Visit my website:
© Russ Bellew · Fort Lauderdale, Florida, USA · phone 954 873-4695