This article is a tranlation of the
"AntiMalware Project from malekal.com".
Thanks to Val51, johnyjohn, MarcAurele and Shimik_Root for the translation.
Over the last few years, infections have become a real cash machine with the expansion of the Internet.
There are many ways of making money.
Those who make money are not only the groups that create on-line infections.
Some groups develop and send Trojans with an after-sales service.
Others sell WebMalwareKits etc.
Thus a whole ecosystem exists around infections.
Here are a few examples used to make money via infections:
- Turning your machine into a Zombi PC /Botnet (see also : http://www.answers.com/topic/botnet ).
Hackers build a network of infected PCs that they control and can rent for money in order to carry out several tasks. You can read this page for more information: http://www.securelist.com/en/analysis?pubid=204792095
As a rule, these tasks consist in:
- Using infected computers to launch attacks toward a specific website. Imagine 10,000 PCs carrying out continuous requests through a broadband connection towards one website !
- Using infected computers to relay spam e-mails for commercial products.
Making money via ads, infecting web users' computers with adwares. Hackers create adwares which display advertising popups or infections which cause redirections during Google searches. The hacker then earns a certain sum of money every time an ad popup is opened so the higher the number of PCs opening popups, the more money the hacker will make.
Deceiving web users by selling fake antispyware called Rogues/Scareware
Rogues single-handedly generate millions of dollars see:
http://www.secureworks.com/research/threats/rogue-antivirus-part-1/ & http://www.secureworks.com/research/threats/rogue-antivirus-part-2/
They are just hollow and empty shells... A simple graphical interface looking like a classic antispyware, yet without any update or cleaning process. The aim is very simple. The authors of these fake antispywares flood the web via advertising sales agencies (these are companies which display advertisements on websites, basically within a few seconds, several million websites can display the same ad for the same product). They generally use fake security alerts showing that your computer is infected and proposing to download those fake antispywares as a solution.
Hackers create infections which display alerts showing that your computer is infected (modified wallpaper with flashing red messages, bottom right icon next to the clock warning about an infection) while proposing to download a rogue. If the user is naive enough, on seeing these alerts he will download and buy this fake product which will not clean anything on his computer. Retrieving information for reselling such as e-mail, credit card number etc. either via infections (Zbot / Zeus, Banker etc), or via phishing.
Retrieving on-line gaming account IDs in order to resell them see : http://www.securelist.com/en/analysis?pubid=204791963
Various other e-mail scams like Scam 419 / Scam nigÃ
rian...
Creating fake security blogs to sell real antispywares and earn a percentage on sales. You must figure out that rogue creators open blogs featuring alleged disinfection processes via antispyware and that they earn money in the meantime,,,
etc.[/list]
In order to infect web users, malware creators use various ploys making good use of web users' gullibility and taking advantage of their lack of computer skills.
This article aims at giving you guidelines and examples of the methods used to infect large numbers of computers, the purpose of these examples being to better understand how infections spread in order to avoid them.
[size=150]Infection throught Web Sites[/size]
Infection on the website easy in surfing.
Authors of Malwares hack are permenatly hacking a lot of websites to infect internet user.
If possible big websites or themes which possibly bring a maximum of people, so for example hack sites or crack sites or pornsites.
These websites have 1 pixel wide iframe with a link to one or more websites which have the task and the files.
It's in easy that creating a website or a forum something easy to do.
Unfortunately these budding webmasters don't necessarily always have the computing knowledge or the minimal security not to be hacked.
So, Malware authors add an inutsible iframe to the website home/page browsers.
The visitors are going to carry out automatically the content of the iframe and are going to be homed an another address contraining one or more exploits if a failure on the OS or an other softwares = You are infected !
There is an example of a exploit of vulnerability on Acrobat Reader.
The visit of a website with Internet Explorer 7 which carries out elvish PDF,IE loads Acrobat Reader (AcroRd32.exe) to read this file.
Then, Acrobat Reader wish to connect to an address (195....100) to download the elvish code.
This elvish code is download and Acrobat Reader tries to carry it out on the file name ~.exe
If the file is carried out it settles the infection/the virus (Au choix) in the system.
In this example, there's only one exploit on Acrobat Reader but when visiting an hacked website, series of exploits are tested to have a chance that one of them works, it can be as much as twenty targeting different softwares : Quicktime ... ... ... and often Flash, ... via elvish PDF.
You have to understand that to have better chances to infect your computer a series of exploits targeting windows or other softwares are tested.
The aim for the authors of malwares being to rise the chances of infections attacking as many different softwares as possible since it is highly possible that there are not updated softwares on the targeted system.
Since mid-2008, are mainly targeted other softwares and in particular the plugins of your web browser.
The simple fact not to update these programs allows your PC to be infected.
You'll find further examples and explanation on the following page :
You must understand that it is important to update one's system but also one's softwares.
One non updated software is enough for your computer to be infected.
I respect : the simple presence of one non updated software is dangerous, ever if you don't use it.
In this case you should uninstall it to gain in safety because you can forget to update it.
Conclusion : instead of asking what's the best anti-virus, start by keeping your system and softwares updated, scaning the vulnerabilities and updating softwares.
Be updated with Secunia Personal Software Inspector (PSI) [size=150]Cracks Keygens et P2P[/size]
Not lecturing you about hacking, let us consider some facts so as to size up the risks of it…
In order to use paying softwares without spending a penny, many are who remove the barriers thanks to a program usually called crack or type a registration number generated by a keygen. ]All of these programs which make hacking easier are not necessarily infected, but malwaresâ€
designers take advantage of the growing interest of them so as to spread their malignant creations.
Thus, the too-much confident user, thinking that he might cancel the protection, runs a malicious program instead, with his administratorâ€
s rights, which will bring about the infection of the system.
The following infection
Bagle that deactivates Antivirus softwares and cleaning programs…
Scan extract realized by Virus Total:
- Citation :
- File keygen.exe received on 10.21.2008 12:41:09 (CET)
Current status: finished
Result: 10/36 (27.78%)
Compact Compact
AntiVir 7.9.0.5 2008.10.21 -
Avast 4.8.1248.0 2008.10.15 -
AVG 8.0.0.161 2008.10.20 Win32/Themida
BitDefender 7.2 2008.10.21 -
CAT-QuickHeal 9.50 2008.10.21 (Suspicious) - DNAScan
F-Secure 8.0.14332.0 2008.10.21 -
Kaspersky 7.0.0.125 2008.10.21 Trojan-Downloader.Win32.Bagle.aed
McAfee 5409 2008.10.21 -
Microsoft 1.4005 2008.10.21 -
NOD32 3541 2008.10.21 Win32/Bagle.QA
Panda 9.0.0.4 2008.10.21 -
PCTools 4.4.2.0 2008.10.20 -
Symantec 10 2008.10.21 -
TheHacker 6.3.1.0.121 2008.10.21 W32/Behav-Heuristic-064
TrendMicro 8.700.0.1004 2008.10.21 -
We can notice that many antivirus softwares let the infection pass by. Here, Avast or Panda user (for instance) would have let the infection get into his computer without seeing anything.
And the palm goes to virut.
Scan extract realized by Virus Total:
- Citation :
- Fichier Rising_Star_188846661_svchost.exe received on 2009.02.13 11:18:51 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.93 2009.02.13 Virus.Win32.Virut.q!IK
AntiVir 7.9.0.76 2009.02.13 W32/Virut.Gen
Avast 4.8.1335.0 2009.02.12 -
AVG 8.0.0.237 2009.02.13 Win32/Virut
BitDefender 7.2 2009.02.13 -
DrWeb 4.44.0.09170 2009.02.13 Win32.Virut.56
GData 19 2009.02.13 -
K7AntiVirus 7.10.628 2009.02.12 Virus.Win32.Virut.CF1
Kaspersky 7.0.0.125 2009.02.13 Virus.Win32.Virut.ce
McAfee 5524 2009.02.12 W32/Virut.n.gen
Microsoft 1.4306 2009.02.13 Virus:Win32/Virut.BM
NOD32 3850 2009.02.13 Win32/Virut.NBK
Norman 6.00.02 2009.02.12 W32/Virut.BS
Panda 10.0.0.10 2009.02.12 Suspicious file
Sophos 4.38.0 2009.02.13 W32/Scribble-A
Symantec 10 2009.02.13 W32.Virut.CF
TrendMicro 8.700.0.1004 2009.02.13 PE_VIRUX.A-4
That virus is able to infect hundreds of legitimate files in few hours. No way out but reformatting.
This video show how fake crack website lead to malwares :
https://www.youtube.com/watch?v=sHIAf2QfYxc Be aware that malwaresâ€
creators make fake cracks websites where all the cracks are infected, other websites contain exploits, and if your browser is not up-to-date, then you are undoubtedly infected.
Moreover, some infections coming from cracks proposed through P2P networks, once installed, convey corrupted cracks through P2P network so other internet users download them and be infected :
https://www.youtube.com/watch?v=Sqf9Oocv2U0 How to avoid this kind of misfortune…
1- By favoring
Free Softwares or
freewares .
2- Concerning cracks-hooked people, a mere file scan here
Virus Total should be enough for most of them.
Except in the case of an infection still unknown by antivirus softwares.
[size=150]Scareware : Fake Antivirus[/size]
Scareware are fake antispyware or programs detecting errors in Windows registry, on hard drives, etc... and asking you to fix them.
Those detections are imaginary and are created to suggest a paid version to you for disinfecting the false detections.
They are thus
swindles. With a price of ~ 40 Euros per scareware, these swindles generate several thousand Euros a year.
Scareware example showing fake detected threats:
Scareware can install automatically with an infection kit.
These infections show constant alerts to persuade the Internet user that he is infected. These alerts use some Windows elements to deceive the Internet user and persuade him that these alerts come from Windows, making these alerts justifiable.
These alerts are bubbles coming from a lower right icon next to the dock:
Infections can modify wallpaper too with bright colors to frighten the Internet user:
Finally these infections show uncountable alert popup very often and redirect the Internet user to scareware download webpages:
To better deceive the Internet user some windows use Windows elements as for example the Security Center.
For many Internet users, it is difficult to make the difference, as far as some scareware names are "Antivirus Windows" and use some Windows / Microsoft colors (blue, etc...).
The novice Internet user can then believe that the antivirus is simply edited by Microsoft.
Fake security center webpage :
Fake Internet Explorer alert webpage :
Some infections can redirect the user when searching on Google to show fake antivirus scan webpages.
These fake scan webpages are only animations but for a novice Internet user, he can believe that HIS hard disk is scanned and that fatal elements are detected.
At the conclusion of these fake scans, a rogue is suggested for download to disinfect your PC.
Since 2008, new methods are used by malwares authors to hit more Internet users.
Malwares authors:
- generate uncountable "fake websites" containing keywords liable to be typed in search engines by Internet users.
By clicking one of these "fake websites" in search results, the Internet user will be redirected to a fake scan webpage (Principle of the SEO poisoning).
- generate fake advertisement banners (malvertizement), which can end up on legitimate and often very busy websites. An Internet user who visits these websites can be then redirected to fake scan webpage. For example malvertizement on jeuxvideo.com
These infections use
social engineering excessively to deceive the Internet users.
For many Internet users, the confusion can be made between knowing if his PC is really infected by a malware which opens fake alert popup or redirects during Google searches.
Beyond it, an inexperienced Internet user who does not know the existence of these threats and who not master the IT tool can have difficulty in making the difference between true and the fake alarms.
Once again, inform you before purchasing a program.
Some blogs about rogues/Scamware :
MS Malware Protection Center - Some Rogues Screenshots from the encyclopedia :
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fWinwebsec http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fFakeRean http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32/FakeXPA http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32/InternetAntivirus http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fFakeSpypro [size=150]Removable disks infections (USB flash drive/external hard drive) [/size]
Removable disks infections are those which spread via USB flash drives, digital photography devices, external hard drives, etc.
USB flash drives now represent indispensable tools for sharing files; we connect them to friends or schoolsâ€
computers or in cybercafÃ
s… but the thing is that these removable disks are more and more used to develop infections.
The mere use of these peripherals within any infected computer leads to the infection of your peripheral and therefore to the infection of any computer in which you might connect it. Back home, if you connect it to your computer, that will be infected too.
In turn, every device connected to your recently-infected computer will be infected as well: a way to infect your friends, family and so on.
You must not only be careful with which computers you connect your USB flash drives to, but also USB flash drives used on your computer (pay attention when you let your friends connect them). There are breeding grounds for getting these infections, like schools, cybercafÃ
s, etc… in short, places where many USB flash drives might be connected.
It is possible to secure your computer and peripherals in order to avoid these infections; you may also find detailed explanations about the good habits to get, and about the functioning of these kinds of infection.
Once you understand how these infections work, you might be able to avoid them:
[size=150]Mail : Infections / Hoax / Scam / Phishing[/size]
Like many people, you may be receiving some e-mails
from recipients you donâ€t know that incite you to click on a link or open an e-mail attachment. The rule is rather simple: if you donâ€
t know the recipient, then delete the e-mail. Even though the e-mail seems to come from Microsoft or your best friend, you must be careful, because the
address might have been
faked or your best friend may be infected without knowing it. Remember that, for instance, if the e-mail is typed in English or in ill-translated French, then that can be a hint regarding the degree of danger the infection has.
Indeed, some of these e-mails from which the recipient is
unknown or
faked might contain, either in its attachment or in a link, an
infection.
Therefore, you must be very
careful when you choose to open an
attachment or to
click on a link proposed in the e-mail.
Hoaxes are e-mails spreading fake news.
- These rumors try most of the time to wound the recipientâ€s feelings with nasty news, so as to get him to pass the mail to his close relatives. The main subjects that are mainly tackled are: virus notifications, children disappearances, happiness promises, petitions, etc…
- Contrarily, some hoaxes intend to convey fake news by the means of a strong argumentation, mixing truth and lies, giving true and false figures… Most of the time, these hoaxes do not reveal the source of their figures.
- Hoaxes are generally ended by a sentence inciting the recipient to spread the rumor himself by sending it to his close relatives: “Passing on the news could save a life! ]"
More informations about hoax. - The «
scam », is a trickery that are usually sent by e-mails.
The
419 Scam / Nigerian Scam, coming from Africa, is one of the most active and consists of shaking internet users down by holding out a sum of money from which they could receive a commission. This scamâ€
s trickery comes from Nigeria and is also called “419†referring to a Nigerian penal code article that represses this kind of practice.
This trickery always looks like a mail (also called Spam today) in which, for instance, a young African, member of a rich family explains his need to transfer money quickly abroad for any reason (mainly because of the civil war raging in is country). He asks for your help regarding this transfer, and consequently offers you a commission concerning the sum to be transferred.
Another variant is making you believe that you are the fortunate winner of a lottery… that you never even took part of.
These trickeries
promise a big sum of
money under various pretexts (transfer of money, lottery) so as to eventually shake money down.
How to detect a scam?
- The e-mail is full of spelling mistakes . (Automatic translator)
- The domain of the address of the sender and its filename extension (@domain.com) are often illogical. (An e-mail from an alleged Nigerian with a .sk, Slovakia filename extension; an e-mail from some Microsoft lottery with a Yahoo.com extension…)
- Etc ...
More informations about Scam [size=150]Phishing[/size]
«
Phishing », is a fraudulent technique used by hackers so to get personal information.
Most of the time, the purpose of this technique is to get
banking information to use them ill-advisedly.
Phishing can be mainly realized either by e-mail or via forged websites.
The technique is simple: get the internet user to believe that the e-mail or the
forged website in which he is currently on is the real one of his bank.
Fortunately, one detail can make you identify this kind of e-mail or website: the address is never the same, even though it looks like it.
Moreover, you must remember that your bank would NEVER ask you by mail, for your banking information because they know the risk of Phishing.
Also keep in mind that Phishing is not always used to steal banking information but also to steal your
Paypal identity or your
videogames account information…
Recognize phishing scams and fraudulent e-mails More informations about Phishing [size=150]MSN worms[/size]
IM (instant messaging) worms spread via appropriate software (MSN, Yahoo Messenger, ICQ etc) and appear as a message from a supposed contact (It can happen even though the contact is off-line),
Here are a few examples :
- my hots pics
- haha this should be your default pic on Myspace
- Check out my nice photo album.
- wanna see the pics from my vacation? :>
- OMG YOU HAVE TO SEE THIS PICTURE!!!!
- IS THIS REALLY YOU ??? i cant remember who sent it to me...
- My friend took nice photos of me.you Should see em loL!
- I found these old school pictures... LOL
- Here are my private pictures for you
Here is the report from
Virus Total* about one of the downloaded files,
- Citation :
- Fichier viewimage.php reçu le 2009.02.08 21:57:53 (CET)
Situation actuelle: en cours de chargement ... mis en file d'attente en attente en cours d'analyse terminà NON TROUVE ARRETE
RÃsultat: 17/39 (43.59%)
Antivirus Version Dernière mise à jour RÃsultat
a-squared 4.0.0.93 2009.02.08 Backdoor.Rbot!IK
AhnLab-V3 5.0.0.2 2009.02.07 -
AntiVir 7.9.0.76 2009.02.08 DR/Agent2.dfj
Authentium 5.1.0.4 2009.02.08 -
Avast 4.8.1335.0 2009.02.08 -
AVG 8.0.0.229 2009.02.08 -
BitDefender 7.2 2009.02.08 MemScan:Backdoor.RBot.YBJ
CAT-QuickHeal 10.00 2009.02.07 TrojanDropper.Agent.yyg
ClamAV 0.94.1 2009.02.08 -
Comodo 971 2009.02.08 -
DrWeb 4.44.0.09170 2009.02.08 BackDoor.IRC.Sdbot.3762
eSafe 7.0.17.0 2009.02.08 Win32.VirToolCeeInje
eTrust-Vet 31.6.6346 2009.02.07 -
F-Prot 4.4.4.56 2009.02.08 -
F-Secure 8.0.14470.0 2009.02.08 -
Fortinet 3.117.0.0 2009.02.08 -
GData 19 2009.02.08 MemScan:Backdoor.RBot.YBJ
Ikarus T3.1.1.45.0 2009.02.08 Backdoor.Rbot
K7AntiVirus 7.10.623 2009.02.07 -
Kaspersky 7.0.0.125 2009.02.08 Trojan.Win32.Agent2.dfj
McAfee 5520 2009.02.08 -
McAfee+Artemis 5520 2009.02.08 Generic!Artemis
Microsoft 1.4306 2009.02.08 VirTool:Win32/CeeInject.gen!J
NOD32 3836 2009.02.07 -
Norman 6.00.02 2009.02.06 Ircbot.AMAM.dropper
nProtect 2009.1.8.0 2009.02.08 MemScan:Backdoor.RBot.YBJ
Panda 9.5.1.2 2009.02.08 -
PCTools 4.4.2.0 2009.02.08 -
Prevx1 V2 2009.02.08 -
Rising 21.15.50.00 2009.02.07 -
SecureWeb-Gateway 6.7.6 2009.02.08 Trojan.Dropper.Agent2.dfj
Sophos 4.38.0 2009.02.08 Mal/Behav-243
Sunbelt 3.2.1847.2 2009.02.07 -
Symantec 10 2009.02.08 Backdoor.IRC.Bot
TheHacker 6.3.1.5.249 2009.02.08 -
TrendMicro 8.700.0.1004 2009.02.06 -
VBA32 3.12.8.12 2009.02.08 -
ViRobot 2009.2.6.1594 2009.02.06 -
VirusBuster 4.5.11.0 2009.02.08 Trojan.DR.Agent.Gen.15
Information additionnelle
File size: 102913 bytes
MD5...: 891accd8bec7b745a893e140857b642b
SHA1..: e3607a8c2e4609dcd7659f4dcd1d8c31147739bd
*VirusTotal is a website where you can upload a file and have it analyzed by various antivirus software. It allows for a better appraisal of suspicious files.
To conclude: never download a file from a link sent by a contact especially if the contact is off-line.
Within the last year, a new form of attack has appeared,
Some websites offer you to check if your contacts have blocked you. To do this, you must enter your MSN connexion information (user name and password). Once they get hold of your ID, these services will log on to your account and advertise themselves.
As a rule, the terms of use clearly explain that the service will use the account for advertising.
To sum up:
- Never ever give your connexion ID and especially your password.
- Read the Terms of Use and in case of a doubt, do not use the service.
[size=150]Conclusion[/size]
We hope this article will raise your awareness on Internet threats.
If your protection software is your ally, it does not do everything... A minimum of knowledge about computing and about the spread of threats as well as good surfing habits will enable you not to infect your PC anymore.
You will find more information on Internet threats in the pages below:
and remember PC security is not limited to the sofware installed.
If you want to take part in the AntiMalware Project, you can publish this document on your site or forum, you can send the PDF version to your friends by Email or simply use the banner as a link,
Html code : - Code:
-
<a href="http://www.malekal.com/ProjetAntiMalwares_en.php"><img style="border: 0px solid" alt="Projet AntiMalware"
src="http://www.malekal.com/fichiers/projetantimalwares/campagne_fightantimalware2-en.png"></a>
<br>
If you are simply a forum member, you can use this banner as a signature.
AntiMalware Project bbcode for forum signature: - Code:
-
[url=http://www.malekal.com/ProjetAntiMalwares_en.php][img]http://www.malekal.com/fichiers/projetantimalwares/campagne_fightantimalware-en.jpg[/img][/url]
For further informa
Sujet: Understanding viruses working and their dangers 
Jeu 12 Mai - 19:54
