Malware on Hard Drives

Kaspersky Lab has uncovered malware that lives in hard drive firmware. They attribute it to a group called the Equation Group, which could be the work of the NSA. The malware is so sophisticated that there is no known tool to remove it. It can rewrite the firmware of hard drives, which makes it impossible to detect, let alone remove. The Equation Group has been active as far back as 2001.

Unveiling the Mask aka Careto

PC World has a very interesting article entitled “Unveiling ‘The Mask’: Sophisticated malware ran rampant for 7 years.” The malware, also known as Careto, ran rampant and undetected for 7 years, infecting hundreds of government and private organizations in more than 30 countries. Kaspersky Lab, an antivirus firm, believes the malware could be state sponsored. An excerpt of the PC World article:

“When active in a victim system, The Mask can intercept network traffic, keystrokes, Skype conversations, PGP keys, analyze WiFi traffic, fetch all information from Nokia devices, screen captures and monitor all file operations,” the Kaspersky researchers said in the research paper. “The malware collects a large list of documents from the infected system, including encryption keys, VPN configurations, SSH keys and RDP [remote desktop protocol] files. There are also several extensions being monitored that we have not been able to identify and could be related to custom military/government-level encryption tools.”

Read the rest of the PC World article.

Check If You Have DNSChanger Malware

An estimated 275,000 computers are infected with the DNSChanger malware. Users who still have the five-year-old malware may lose their Internet connection on Monday, July 9. Even if Internet access still works, the other scenario is that they could be redirected to another website.

So, how do you know if your computer is infected with DNSChanger? An organization called the DNS Changer Working Group (DCWG) has launched a tool to check whether your computer is infected.

Just go to http://www.dns-ok.us/ to check your PC’s health.

If the box on the resulting page is green, your computer is OK. If the box is red, your computer is infected with DNSChanger. Now, it’s highly unlikely that my Ubuntu desktop contains the DNSChanger malware. Here’s the snapshot of my result.
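For those who would rather check locally than visit a website, here is an added example (not from the original post and not a DCWG tool) that reads the resolvers from /etc/resolv.conf and reports any that fall inside a rogue DNS range. The two ranges in the code are constructed placeholders: substitute the rogue ranges published by the DCWG, which this post does not reproduce.

```python
import ipaddress

# Placeholder ranges so the example runs offline. Replace these with the rogue
# DNSChanger ranges published by the DCWG; 203.0.113.0/24 and 198.51.100.0/24
# are constructed documentation ranges, not real indicators.
ROGUE_DNS_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed sample of a resolv.conf as found on an Ubuntu desktop.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search example.lan
nameserver 203.0.113.7
nameserver 8.8.8.8
"""

def parse_nameservers(resolv_conf_text):
    """Return the nameserver addresses listed in resolv.conf text, in order."""
    servers = []
    for line in resolv_conf_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                pass  # malformed entry: skip it rather than crash
    return servers

def rogue_nameservers(servers, ranges=ROGUE_DNS_RANGES):
    """Return the resolvers that fall inside one of the rogue ranges."""
    return [s for s in servers if any(s in net for net in ranges)]

def check_resolv_conf(path="/etc/resolv.conf"):
    """Read the live resolver configuration and return the rogue entries."""
    with open(path) as fh:
        return rogue_nameservers(parse_nameservers(fh.read()))

if __name__ == "__main__":
    hits = check_resolv_conf()
    if hits:
        print("Resolver(s) inside a rogue range:", ", ".join(map(str, hits)))
    else:
        print("No configured resolver falls inside a listed rogue range.")
```

On desktops that use a local stub resolver (resolv.conf listing a 127.x address), the servers the stub forwards to are the ones to check, not the loopback entry.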

If you have the malware, you can run any of these free tools to remove DNSChanger.

Removing Antivirus Live Virus

I was working with a client on Friday to remove a nasty piece of malware called Antivirus Live. This rogue, fake antivirus program blocks the browser from accessing the Internet and prevents users from launching or installing applications. It hijacks the computer with popups telling the user that the computer is infected with many viruses, although none are really there. The fake antivirus program then recommends that the user buy its product to remove the viruses.

A year ago, I posted an article documenting how to remove the Antivirus Pro virus. It’s similar to Antivirus Live in that it tricks the user into believing there are viruses on the computer and recommends that they buy its own solution. Battling Antivirus Live is a bit more involved, because the tools and processes I used before were ineffective against Antivirus Live. I ran Malwarebytes, but it did not detect any malware or viruses.

So, I searched the Internet for Antivirus Live and came across this website. It recommends using SuperAntiSpyware, MalwareBytes and Microsoft Security Essentials to remove the Antivirus Live virus. SuperAntiSpyware turned out to be the superstar. It was able to remove Antivirus Live as well as a few more. In the end, it found 67 items, of which 2 were viruses and the rest were tracking cookies. I was disappointed with MalwareBytes. I’m not convinced by Microsoft Security Essentials either, but I left it on the computer.

If you ever face the Antivirus Live virus, just follow the instructions here.

One thing I forgot to mention: I had to boot into Windows Safe Mode (press F8 during boot) to perform all the drive scans. Otherwise, it would be impossible to launch any program in normal Windows mode, since the computer is hijacked.

Panda Cloud Antivirus 1.1

PCMag.com just published a new article entitled “Best Antivirus Software for 2011.” The title is a bit misleading, because it focuses only on antivirus software that was recently released. A number of antivirus suites were omitted from the test because they haven’t been released yet. One area I really want to focus on is free antivirus software. We all love free stuff.

Panda Cloud Antivirus 1.1 gets the Editors’ Choice award. Not bad for a fairly new product. What are the pros and cons of Panda? The good: it’s great at keeping malicious software from installing on a clean computer. The bad: it’s not as effective at removing viruses. The author recommends other antivirus software for malware removal.

I think Panda Cloud Antivirus 1.1 deserves a try. If it does a great job of protection, there’s really no need for removal. After all, what else can you ask of a free product?

Short URLs Lead To Dead Ends

What happens when you click on a failed short URL? You can’t go anywhere. You are stuck on an island. You can’t even browse to the main index page, since the domain you are given is that of the URL shortener service, not of the destination. One way of finding the true URL is to check whether the shortener service offers a lookup function.

If it doesn’t, you’re pretty much dead in the water. That’s the dilemma with short URLs: they work great when they work, but when they don’t, they’re useless. One more thing: clicking on a shortened URL sometimes requires a leap of faith, since you don’t know what page you’ll be landing on. This is especially troublesome when the destination page contains malware.

If you are giving out short URLs, it’s always good practice to check that the short URL works. If you don’t trust other services, you can always start your own.
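An added example, not part of the original post, of how to find out where a short URL leads without loading the landing page: it issues HEAD requests and stops at each redirect instead of following it, so a dead short link shows up as a 404 and a live one reveals its final destination. The FakeShortener class is a constructed local stand-in for a shortener service so the example runs offline.

```python
import http.server
import threading
import urllib.error
import urllib.parse
import urllib.request

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # hand every 3xx back to the caller instead of following it

def peek_short_url(url, max_hops=5):
    """Return (chain, status): URLs visited using HEAD only, and the final HTTP
    status (2xx = destination reached, 404/410 = dead link, None = too many hops)."""
    opener = urllib.request.build_opener(NoRedirect)
    chain = [url]
    for _ in range(max_hops):
        req = urllib.request.Request(chain[-1], method="HEAD")
        try:
            with opener.open(req, timeout=5) as resp:
                return chain, resp.status
        except urllib.error.HTTPError as err:
            location = err.headers.get("Location")
            if err.code in (301, 302, 303, 307, 308) and location:
                chain.append(urllib.parse.urljoin(chain[-1], location))
                continue
            return chain, err.code
    return chain, None

# Constructed stand-in for a URL shortener, used only so the example runs offline:
# /ok redirects to /landing (200); /gone answers 404 like an expired short link.
class FakeShortener(http.server.BaseHTTPRequestHandler):
    def do_HEAD(self):
        if self.path == "/ok":
            self.send_response(301)
            self.send_header("Location", "/landing")
        elif self.path == "/landing":
            self.send_response(200)
        else:
            self.send_response(404)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet

def start_fake_shortener():
    srv = http.server.HTTPServer(("127.0.0.1", 0), FakeShortener)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]
```

Against a real shortener, call peek_short_url("http://short.example/abc") with the short link you were given; the returned chain ends at the page you would have landed on.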

Antivirus System Pro

I have a client who recently got his system hijacked by the nasty Antivirus System Pro malware. I could not remove the rogue program using normal antivirus software. I ended up removing the program files, DLL files and several registry entries from Windows by hand. What a struggle that was. Here’s some info about Antivirus System Pro from remove-malware.net:

Antivirus System PRO (aka AntivirusSystem PRO or AntivirusSystemPRO) appears to be the representative of the new generation of rogue anti-spywares. Being a clone of the infamous Spyware Protect 2009 and System Guard 2009 scarewares, Antivirus System PRO inherits its determinative traits; moreover, the hackers have been driving a lot of traffic to the websites promoting it, one of which is Antivirsystem.com.

Antivirus System PRO infiltrates the target computers through illicit browser-hijacking techniques or via Trojans using backdoor tactics to trespass undetected. When inside, Antivirus System PRO freeware will do its best to convince the victim to register its license. For this purpose, Antivirus System PRO usually floods the compromised system with its exaggerated popup alerts that state the PC is badly infected and needs a remedy, i.e. Antivirus System PRO full version which demands payment.

The deceitful effect of Antivirus System PRO pop-ups may be reinforced by its bogus security scanners that emerge out of nowhere and claim to detect more infections on your computer. The ultimate goal of Antivirus System PRO is to brainwash the victim into purchasing its license; if the victim is “stubborn” and refrains from installing the pimped scamware, Antivirus System PRO will attempt disrupting the target system. Therefore, it’s strongly recommended to remove Antivirus System PRO rogue as soon as possible.

In case you run into the same issue, perform the following steps to remove the annoying Antivirus System Pro malware.

Delete the following files:

  • c:\windows\sysguard.exe
  • c:\windows\system32\iehelper.dll

You may have to boot to the Windows command line to delete these files, especially since the DLL may be loaded and running in the background.

In addition, you need to remove these registry entries:

  • HKEY_CURRENT_USER\Software\AvScan
  • HKEY_CLASSES_ROOT\CLSID\{BAD4551D-9B24-42cb-9BCD-818CA2DA7B63}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BAD4551D-9B24-42cb-9BCD-818CA2DA7B63}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “system tool”
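An added example (not from the original post or from remove-malware.net) that checks whether the files and registry entries listed above are present, so you can confirm the infection before deleting anything and confirm the cleanup afterwards. It assumes the quoted “system tool” is a value name under the Run key; run it as Administrator on the affected Windows machine, since on other systems it only checks the file paths.

```python
import os
import sys

# Artifacts named in the post above: two files, three registry keys, one Run value.
FILES = [r"c:\windows\sysguard.exe", r"c:\windows\system32\iehelper.dll"]
REG_KEYS = [
    r"HKEY_CURRENT_USER\Software\AvScan",
    r"HKEY_CLASSES_ROOT\CLSID\{BAD4551D-9B24-42cb-9BCD-818CA2DA7B63}",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BAD4551D-9B24-42cb-9BCD-818CA2DA7B63}",
]
# Assumption: "system tool" is a value under the Run key, not a subkey.
REG_VALUES = [(r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "system tool")]

def split_hive(key_path):
    # "HKEY_xxx\sub\key" -> ("HKEY_xxx", r"sub\key"), as winreg.OpenKey wants it
    hive, _, subkey = key_path.partition("\\")
    if not hive.startswith("HKEY_"):
        raise ValueError("registry path must start with a hive name: " + key_path)
    return hive, subkey

def registry_key_exists(key_path):
    import winreg  # Windows only, so imported here rather than at the top
    hive, subkey = split_hive(key_path)
    try:
        with winreg.OpenKey(getattr(winreg, hive), subkey):
            return True
    except OSError:
        return False

def registry_value_exists(key_path, value_name):
    import winreg
    hive, subkey = split_hive(key_path)
    try:
        with winreg.OpenKey(getattr(winreg, hive), subkey) as key:
            winreg.QueryValueEx(key, value_name)
            return True
    except OSError:
        return False

def find_artifacts():
    """Return the listed artifacts that are present on this machine."""
    found = [f for f in FILES if os.path.exists(f)]
    if sys.platform == "win32":
        found += [k for k in REG_KEYS if registry_key_exists(k)]
        found += [k + " -> " + v for k, v in REG_VALUES if registry_value_exists(k, v)]
    return found

if __name__ == "__main__":
    hits = find_artifacts()
    print("\n".join(hits) if hits else "None of the listed Antivirus System Pro artifacts are present.")
```

On 64-bit Windows, run it with a 64-bit Python, since a 32-bit process is redirected to WOW6432Node and would miss the HKEY_LOCAL_MACHINE entry.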

Good luck. It’s an annoying virus if there ever was one.

Avast For Ubuntu Linux

Windows is popular and therefore a bigger target for malware, while the Linux operating system remains practically virus free. So why am I installing antivirus software on a Linux system? Is it necessary? Most likely you will not find a virus on a Linux system. But you may have downloaded an infected document written specifically for Windows, and you could pass it along to a Windows user. At the very least, you will earn extra points for being a Good Samaritan.

There are a number of reasons why Linux is practically virus free: Linux is less popular and a harder target for malware; the Linux privilege system makes it more difficult for malware to write to, install itself in, or attach itself to files; and certain Linux distributions like Ubuntu have no open ports except for services the user explicitly enables.

Avast is software designed to protect computers from viruses, spyware and rootkits and to remove them. It’s free for non-commercial use, with automatic updates. Avast boasts 50 million users worldwide. Why Avast? I’ve had good success with Avast on the PC front, so I thought I would give it a try in Ubuntu Linux.

1. Download: Avast Linux Home Edition – Free

2. Double-click the .deb file you’ve just downloaded. Ubuntu’s Package Installer will start. Click `Install Package` to begin installation. Please note: it says `Reinstall` here since it’s already loaded on my system. For a new install, it will say `Install Package`.

3. Once installed, press Alt-F2 and type `avastgui` to run Avast.

4. This is the main Avast screen. Before you scan for the first time, I recommend updating the virus database. It will take several minutes to download the latest Avast database, but it’s a minimal wait for those with broadband connections. Once finished, you have several options for which directories to scan: your home directory, selected folders or the entire file system. There are also three ways of scanning: quick, standard and thorough. Select one and click `Start Scan` to begin.

5. Avast ran into permission problems with a directory owned by root inside my home directory. Since that directory was not important, I went ahead and deleted it. Avast ran fine after that. I had the same issues when I ran Avast on the entire system: there were problems with certain files and directories owned by `root`. Instead, I now run Avast as root.

6. You can run Avast as root from the terminal by typing the following:

$ sudo avastgui &

7. As with most scans, 99% of the time you will not find a virus, unless you’ve downloaded one of those infected Word document files!