Malware as surveillance tool…

Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.

Malware may be stealthy, intended to steal information or spy on computer users for an extended period without their knowledge; it may be designed to cause harm, often as sabotage (e.g., Stuxnet), or to extort payment (CryptoLocker).

In legal mumbo-jumbo, it’s called a “computer contaminant” and there are a number of laws that carry a stiff penalty, if and when the perpetrator(s) are caught.

Except when it comes to law enforcement…

Federal, and presumably local, law enforcement agencies have been purchasing malware for surveillance purposes. The solution purchased with your tax dollars is a “turn-key Remote Control System” that manages infecting computers and portable devices including smartphones, collects data from the victims… oops, from the suspects, deletes itself from the target system, etc. Most of these solutions are purchased from Italy, France, Israel, etc., and it is a booming market. In recent years alone, the DEA and the US Army purchased $1.2M worth of hacking… oops, surveillance tools.

From the recipient’s perspective, there’s no difference between malware and computer surveillance. In either case, the system is compromised and it’s at the mercy of the malware, surveillance tool or not.

How do you differentiate between the good and bad guys? How do you differentiate between hackers and law enforcement agencies compromising your system?

The answer to the first question is simple: you don’t. There’s no difference between the two, regardless of the purpose of the hacking.

The answer to the second question is more complex. Generally, hackers compromise your system for financial gain, stealing information, etc. You’ll usually know within a relatively short timeframe if and when a hacker owns your system. On the other hand, you won’t know about law enforcement surveillance/hacking until they show up with an arrest or search warrant.

Protection against malware, be it from hackers or law enforcement agencies, is limited. The major culprit for this limitation is the vulnerability of operating systems and applications, together with anti-malware technology that is still catching up. By no means am I suggesting that software companies intentionally leave backdoors in their software. While it is possible, I am not that suspicious… yet…

But I am suspicious enough to suspect that antivirus companies may exempt these “surveillance tools” from detection in their products. It’s probably relatively easy to achieve, but unfortunately, actual hackers can then easily mimic these “surveillance tools” and evade detection.

Depending on where you live, you may want to install an antivirus and other security solution that is developed in a foreign country. For example, if you live in the US, Kaspersky might be a better choice than Symantec for detecting surveillance tools from US law enforcement agencies. The drawback is that Kaspersky may not detect malware from Russian hackers and law enforcement agencies.

Yeah, you cannot win this battle…



The not so cute PUPs…

Most people know and adore pups like these (image: adorable pups).

The not so cute PUPs are Potentially Unwanted Programs that may come preloaded on your brand new computer, or installed alongside programs that you add later. Just how prevalent are these PUPs? For example, 62% of the top 50 downloads at the download(dot)com website include PUPs.

So, what are these PUPs and why are they pushed to you? They can be anything, such as adware, browser toolbars, homepage hijackers, nagging scare-ware, etc.

Adware is pretty much self explanatory; it monitors your internet access and pops up ads related to your activities. While the popup ad can be annoying, like during your PowerPoint presentation (ugh!), this puppy also collects your personal information and sends it “home”.

Browser toolbars install themselves into your browser to make your internet “browsing easier”. In exchange, this puppy collects and sends your personal information “home”, may pop up ads, or redirects your search results to its paying customers’ websites based on your internet activities.

The homepage hijacker changes your current home page and acts as the browser toolbar afterward.

Nagging scare-ware is the trial version of security software. This software promises to clean up and secure your computer. The trial version allows scanning your system and presents scary results, but it does not allow you to fix them until you actually purchase a licensed version. The scary results have nothing to do with the state of your computer; they are auto-generated by the software to entice you to purchase the program. This puppy may have any of the other puppies integrated, and they will be installed as well.

Ok… They are not breaking my computer, so what’s the harm?

Other than changing the behavior and performance of your computer, they also collect information about you. This information can be extensive and is correlated with offline data to tailor the popup ads to you and redirect your search results accordingly. The collected information about you is also sold/traded to data brokers.

Ok… But I have nothing to hide and they probably have everything about me anyway.

That’s seemingly a fair point, but… Your computer performance will degrade and your search results aren’t what you are looking for. Some people like popup ads and that’s fine, can’t argue with that. How you view your privacy is also a personal preference.

Except that data brokers want current information about a person, since that is what is valuable to them. Old data is pretty much useless as far as popping up ads is concerned. They are more than willing to pay for fresh data, and that is the main reason why these PUPs exist. If you don’t mind being a product created by these PUPs, there’s one more thing you should consider.

Malware authors have started to utilize these PUPs to do their dirty work for them. They tie into these programs to collect your information, redirect your browser to download their malware and take control of your computer. Once they do, they will make you pay a ransom to get your computer back. You don’t have to believe me, just read this blog post from Malwarebytes.

So, what can I do about these PUPs?

Prevention is the best proactive measure you can take toward a PUP-free computer. Pay attention to the installation routine of the program that you want. Most PUPs are included as a recommended “additional program” that is selected by default to be installed. In most cases, you can deselect the recommended program and it won’t be installed. The more aggressive installation routines don’t allow you to deselect the PUP, and some of them install it hidden from you.

Ok, what do I do then?

Once you’ve settled down and stopped swearing, my recommendation is to install programs that remove PUPs. There are two of them on my computers that I use on a weekly basis:

  1. Malwarebytes Anti-Malware
  2. Emsisoft Emergency Kit Scanner

No, they do not install PUPs, don’t be silly, and they are free…

Preferably, download and install both of them, update the engine if needed, and run them one by one. While they are very good at removing PUPs, each program has its limitations. Just do it at least once and you’ll see how many PUPs you had on your computer. You can choose to keep them, if you don’t mind the privacy and security risk that these PUPs pose to your computer, or delete them. You should also run these anti-malware programs on a weekly basis, if you want to keep a PUP-free computer.

The cost of malvertisement…

In the previous blog post, we looked at how malvertisement may affect you and what you can do to protect your system(s) against this threat vector. In today’s post, we’ll look at the actual distribution channels and the cost of displaying a malvertisement.

Beyond the advertisement shown in your browser, there’s a well established business model that isn’t much different from any other business model.

(Image: distribution channel.) The picture shows the typical business model. Basically the products are created (including malvertisement) and sold to distributors, who in turn make them available to consumers.

The difference is that other distribution channels are regulated and the requirements are enforced by various government agencies. You’d have a hard time in the U.S. buying food at your supermarket without FDA approval, or a car without NHTSA approval, etc.

Unfortunately, online advertisements are loosely regulated, with minimal or no enforcement whatsoever. There’s no need for approval by the website or the advertisement network. They pretty much blindly refer your browser to the site where the actual ad is hosted. That site could be a hacked website, a rented hosted server, etc.

Hackers have discovered that they can simply bid to display their ads at various sites. Since anyone can bid to display their ads, including the maximum price per ad impression, this is an easy way to have malware distributed by reputable websites. The hackers incorporate their malware in an ad (which we call a malvertisement), bid to display that ad at targeted websites, and the advertising network does the rest. When you visit a targeted website, the ad becomes part of the website’s content, and any script in the ad is executed by your browser without you clicking on it. You probably recall a few websites that had music and/or video already playing just from visiting their home page. This is the type of ad delivery that hackers use to load malware onto your system.

The process described is automated to the point that, chances are, no human evaluates the actual ad at any stage. As such, the malware is distributed without any warning. The sole exception might be your system’s protection software, which should stop the malware from executing.

So, what is the actual cost for the hackers to display their ads? That depends on the website where the ads are displayed. The Malwarebytes blog states $0.927 per displayed ad for the malvertisement current at the time on the following websites:


Why neither the advertising network nor the websites are held responsible for delivering malware in the ad is beyond me. Holding the hackers responsible for the ad, while taking their money nonetheless, should be illegal.

Since your system protection is expected to stop the malware, it raises a question. Why don’t the advertising companies and websites test the ad for malware prior to presenting it to end users? It’s really not that hard to do:

  1. The ad network receives the bid for the ad
  2. The client (the advertiser) sends the ad creative to the network
  3. The network scans the ad for malware
  4. The network approves the ad, if no malware is found, and hosts it on its own servers
  5. Websites receive the ad from the network, if they opted into its program

It’s harder for the website to test the ad for malware, but not impossible; real-time malware scanning has existed for decades. The chances are that implementing such a system would eat up some or a large part of the financial gains from displaying ads.
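As an added example of the scan in step 3 above (this is illustrative code written for this page, not the original post’s nor any ad network’s), here is a small static check an ad network could run over an HTML ad creative before hosting it. It flags the behaviours the post describes: script that runs without a click, hidden iframes pulling content from a third-party site, and obfuscated payloads. The host allowlist, the pattern list and the two sample creatives are all constructed assumptions; a real pipeline would also execute the creative in a sandboxed browser, which no regex replaces.

```javascript
// Heuristic static scan of an HTML ad creative (added example, not the post's code).
// ALLOWED_HOSTS is an assumed allowlist of hosts the network itself serves from.
const ALLOWED_HOSTS = ["cdn.example-adnetwork.com", "example-advertiser.com"];

// Behaviours a legitimate banner rarely needs. Illustrative, not exhaustive.
const SUSPICIOUS_PATTERNS = [
  { name: "eval",               re: /\beval\s*\(/i },
  { name: "document.write",     re: /document\.write(ln)?\s*\(/i },
  { name: "decode-obfuscation", re: /\b(unescape|atob|String\.fromCharCode)\s*\(/i },
  { name: "hidden-iframe",      re: /<iframe\b[^>]*\b(width|height)\s*=\s*["']?0\b/i },
  { name: "executable-link",    re: /\.(exe|scr|jar|msi|hta)\b/i },
  { name: "location-redirect",  re: /\blocation(\.href)?\s*=/i },
];

// Every URL referenced from a src= or href= attribute.
function extractUrls(html) {
  const urls = [];
  const attr = /\b(?:src|href)\s*=\s*["']?([^"'\s>]+)/gi;
  let m;
  while ((m = attr.exec(html)) !== null) urls.push(m[1]);
  return urls;
}

// Hostname of a URL; relative URLs resolve against a placeholder base so they
// are treated as same-origin and not flagged. Returns null for unparsable input.
function hostOf(u) {
  try {
    return new URL(u, "https://placeholder.invalid").hostname;
  } catch (e) {
    return null;
  }
}

// Returns an array of findings; an empty array means nothing was flagged.
function scanAdCreative(html) {
  const findings = [];
  for (const p of SUSPICIOUS_PATTERNS) {
    if (p.re.test(html)) findings.push(p.name);
  }
  for (const u of extractUrls(html)) {
    const host = hostOf(u);
    if (host && host !== "placeholder.invalid" && !ALLOWED_HOSTS.includes(host)) {
      findings.push("off-allowlist-host:" + host);
    }
  }
  return findings;
}

// Constructed sample creatives (not real ads).
const BENIGN_AD = `<a href="https://example-advertiser.com/sale">
  <img src="https://cdn.example-adnetwork.com/banner.png" width="300" height="250"></a>`;

const MALICIOUS_AD = `<img src="https://cdn.example-adnetwork.com/banner.png">
<iframe src="http://hacked-site.invalid/ek.php" width="0" height="0"></iframe>
<script>eval(unescape("%77%69%6e%64%6f%77"));</script>`;

for (const [label, html] of [["benign", BENIGN_AD], ["malicious", MALICIOUS_AD]]) {
  console.log(label, scanAdCreative(html));
}
```

The benign banner produces no findings; the constructed malicious creative is flagged for `eval`, the `unescape` decoder, the zero-size iframe and the iframe’s off-allowlist host. A creative with any finding would be held for review at step 4 instead of being hosted.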

If security software on the client side can stop the malware, there’s no reason why ad networks and websites cannot scan the ad for malware. Samples of security programs that can stop 0-day malware:

There are certainly other security solutions that can stop 0-day malware, but antivirus isn’t one of them. The samples above are part of the security protection for my own systems.

It’s unlikely that either the regulation or the online ad distribution model will change anytime soon. There’s too much money to be made in the current ad delivery scheme. As such, your favorite website(s) might be serving up malware that may just gobble up your system. You should protect your system against it and, by now, you should know that antivirus alone will not protect you.

Friends, don’t let friends rely on antivirus protection only…

Why antivirus software cannot protect your computer…

Practically everyone relies on antivirus solutions to protect their systems against malware. This blog post looks at just how reliable these solutions are against malware. For a meaningful analysis, we need to know the number of new malware samples per month and the antivirus detection percentage.

Let’s start by establishing the number of malware samples per month. There are various numbers floating around the internet for this purpose; somewhat arbitrarily, let’s use the “McAfee Labs Threats Report, Fourth Quarter 2013”. Quote from the referenced report:

“McAfee Labs records 200 new threats every minute—more than three every second.”

Let’s not worry about the malware not detected by McAfee Labs, and just calculate the per-month number from the quote:

200×60=12,000 (per hour)
12,000×24=288,000 (per day)
288,000×30=8,640,000 (per month)

That’s a huge number of malware samples being churned out on a monthly basis as of the end of 2013; today’s number is probably greater. Antivirus, are you up to the task?

The efficiency of an antivirus is measured as the percentage of malware that is detected, deleted and/or quarantined. Generally, this percentage is between 95 and 99 percent, meaning that it will detect most malware. Any solution and/or testing site claiming a 100% detection rate for a given antivirus should be treated as bogus.

Let’s look at different percentages, starting at 97%, and their impact on the number of malware samples that will not be detected, based on the 288,000 new samples per day and 8,640,000 per month calculated above:

Detection rate   Missed per day   Missed per month
97%              8,640            259,200
98%              5,760            172,800
99%              2,880             86,400
99.5%            1,440             43,200
99.9%              288              8,640

Let’s not dwell on the fact that a lot of malware routinely disables the antivirus at hand and/or simply exempts itself from antivirus scanning. Nor should we be concerned that minor changes to a given malware sample can cause antivirus solutions to miss it. Let’s just go with the best-case scenario.

That would be a 99.9% detection rate, which still lets 8,640 malware samples per month (288 per day) slip through the antivirus protection. The sheer volume of new malware is pretty much the main culprit for the non-detection. Expecting antivirus software to provide 100% protection is beyond the capabilities of the software.

So, what can you do?

To start with, keep your antivirus and set up frequent automated updates of the virus definition file. Nothing on the market is recommended as a replacement for antivirus solutions. But antivirus needs help…

Augment the antivirus solution with additional protection against the malware that the antivirus does not detect. In other words, use layered security protection for your computer. A layer can be as simple as not running your computer with an administrator account. Doing so prevents most malware from disabling your antivirus software and allows it to perform its protective function. You’d be surprised to learn how much malware still relies on old routines that only work once the antivirus software is disabled.

You could also add Microsoft EMET and WinPatrol as additional layers of protection for your system. Even if you just use the default installation of these two free programs, you’ll be better off than most computer users, who rely on antivirus alone to protect their systems.
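As an added example (written for this page, not part of the original post), the following script carries the detection-rate arithmetic above through for any rate, and extends it to the layered approach just described: if each layer misses a fraction of what reaches it, the residual is the product of the miss rates. The 200 samples per minute figure is the McAfee quote used above; the layer rates (99.9% for antivirus, 90% for a non-administrator account stopping what gets past it) and the assumption that the layers fail independently of each other are illustrative only, so treat the layered result as an optimistic bound.

```python
# Added example, not the post's own code. Figures other than the 200/minute quote
# are assumptions for illustration.

def new_malware_per_period(per_minute: int = 200, days: int = 30) -> int:
    """Samples arriving at a constant rate: 200/min gives 8,640,000 per 30 days."""
    return per_minute * 60 * 24 * days


def missed_samples(detection_rate: float, per_minute: int = 200, days: int = 30) -> int:
    """Samples a single scanner with the given detection rate lets through."""
    return round(new_malware_per_period(per_minute, days) * (1 - detection_rate))


def efficiency_table(rates=(0.97, 0.98, 0.99, 0.995, 0.999), per_minute: int = 200):
    """(detection rate, missed per day, missed per month) for each rate."""
    return [
        (r, missed_samples(r, per_minute, days=1), missed_samples(r, per_minute, days=30))
        for r in rates
    ]


def residual_miss_rate(layer_rates) -> float:
    """Fraction that slips past every layer, ASSUMING the layers fail independently.
    Real layers are correlated (malware that kills the AV may also defeat the next
    layer), so this is an optimistic lower bound on what gets through."""
    miss = 1.0
    for r in layer_rates:
        miss *= (1 - r)
    return miss


def missed_with_layers(layer_rates, per_minute: int = 200, days: int = 30) -> int:
    """Samples per period that get past all layers under the independence assumption."""
    return round(new_malware_per_period(per_minute, days) * residual_miss_rate(layer_rates))


if __name__ == "__main__":
    for rate, per_day, per_month in efficiency_table():
        print(f"{rate:.1%} detected: {per_day:>8,} missed/day, {per_month:>10,} missed/month")
    # Antivirus at 99.9% plus a second layer (assumed 90%, e.g. a non-admin account
    # stopping malware that needs to disable the AV) as the post recommends.
    print("AV 99.9% + second layer 90%:", missed_with_layers([0.999, 0.90]), "missed/month")
```

Running it reproduces the table above (8,640 per month at 99.9%) and shows why the post insists on layering: a second layer that independently stops 90% of what gets past the antivirus brings the monthly residual from 8,640 down to 864 samples, a tenfold improvement that no realistic increase in a single antivirus detection rate would deliver.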

And nowadays, that’s all you can ask for…