Protecting your PC is important, until Oracle comes along…

Computer security can be complex, and there is a slew of books available on the subject. They offer well-intended advice that works most of the time and for most people. The basic principles in this security advice include:

  1. Remove local administrator rights for the user account
  2. Only log in with an administrator account if and when necessary
  3. Use strong passwords and change them periodically
  4. Keep both the operating system and applications patched at all times
  5. Implement layered security, don’t just rely on antivirus products
  6. etc.

These are all well intended and useful, which can be verified by evaluating white/gray/black hats’ recommendations for mitigating exploits. Take, for example, Parvez’s posting on the subject of User Access Control (UAC) escalation, quote:

Office documents are opened in medium integrity so these are ideal targets to abuse the UAC bypass. Since these bypasses are so effortlessly achieved the only real course of action would be to set UAC to “Always notify” or remove local admin rights for the user. In the end, using agents like Microsoft EMET or MalwareBytes Anti-Exploit would be the best mitigating action to take from initially being exploited in the first place.

The fact that a gray hat, Mr/Ms Parvez, agrees with security experts should prompt you to follow their advice. So, you go ahead and add Microsoft EMET and MalwareBytes Anti-Exploit (MBAE) to expand your layered computer security protection. Since EMET is free for Windows OS and MBAE does have a free version for home use, it wasn’t too bad and you feel good about the added security protection.

Then one day, or rather frequently, Oracle’s Java update comes along and you install it. After all, keeping applications updated is one of the security recommendations. So, you download the file named “JavaSetup8u91.exe” from Oracle and use “run as administrator” to install it. The executed file will download additional files that will start installing the update. Well, first you’ll need to decide whether you want to allow additional software to be installed; the installer presents more than one such offer.

You can install these PUPs (Potentially Unwanted Programs, or Potentially Unlimited Profits for Oracle, depending on your view) or not; your choice. Now the Java update installation will start and display its progress.

Let’s not start a discussion about 3 billion devices being vulnerable pretty much all the time; let the installation finish. Except that the newly acquired Microsoft EMET stops the installation with a popup message.

As a result, the Java update failed notice is displayed:

Really, what happened?

As a security-conscious person, your initial reaction is “Did I just try to install some malware?” Or is this just a false detection by EMET? You go ahead and check the download source and the file properties, including the digital signature, and everything looks just OK.
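The checks described above can be scripted. The following PowerShell is an added example, not part of the original post; the download folder and the expected publisher substring are assumptions. It reports the recorded download source, the SHA-256 hash, and the Authenticode signature of the installer.

```powershell
# Added example: pre-install checks on a downloaded installer.
# Assumptions: the download location and the expected publisher string.

function Get-InstallerTrustReport {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedPublisher = 'Oracle'   # substring expected in the signer subject
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    # Download source: browsers record it in the Zone.Identifier alternate
    # data stream (NTFS only; missing if the stream was stripped or the
    # file was unblocked).
    $zone = @{}
    $ads = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    foreach ($line in $ads) {
        if ($line -match '^(ZoneId|ReferrerUrl|HostUrl)=(.*)$') {
            $zone[$Matches[1]] = $Matches[2]
        }
    }

    # Digital signature: Status is 'Valid' only when the file hash matches
    # the signed hash AND the certificate chains to a trusted root.
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate
    $publisherOk = [bool]($cert -and $cert.Subject -like "*$ExpectedPublisher*")

    [pscustomobject]@{
        File             = (Resolve-Path -LiteralPath $Path).Path
        SHA256           = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        DownloadedFrom   = $zone['HostUrl']
        ReferrerUrl      = $zone['ReferrerUrl']
        ZoneId           = $zone['ZoneId']            # 3 = Internet zone
        SignatureStatus  = $sig.Status
        Signer           = if ($cert) { $cert.Subject } else { $null }
        CertExpires      = if ($cert) { $cert.NotAfter } else { $null }
        Timestamped      = [bool]$sig.TimeStamperCertificate
        PublisherMatches = $publisherOk
        # Sanity verdict only: a valid chain plus the expected publisher name.
        LooksTrustworthy = ($sig.Status -eq 'Valid') -and $publisherOk
    }
}

Get-InstallerTrustReport -Path "$env:USERPROFILE\Downloads\JavaSetup8u91.exe" | Format-List
```

A status of HashMismatch or NotTrusted, or a HostUrl that is not the vendor's site, is the point at which to stop and download the file again from the vendor.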

You disable EMET for the time being and restart the Java update. That didn’t help; the installation still fails with error code: 1603. Then you disable MalwareBytes Anti-Exploit and the installation still fails. As a last-ditch effort, you disable the antivirus and finally, the Java update completes successfully.

Really Oracle? It’s not enough that Java is a popular target for malware, due to its less than ideal code base. What’s next, we will need to disable layered security protection just to enable Java to run on our computers?

Maybe we should “start a discussion about 3 billion devices being vulnerable pretty much all the time” after all…

The not so cute PUPs…

Most people know and adore pups like these:

[Image: adorable pups]

The not so cute PUPs are Potentially Unwanted Programs that may come preloaded on your brand new computer, or be installed alongside programs that you add later. Just how prevalent are these PUPs? For example, 62% of the top 50 downloads at the download(dot)com website include PUPs.

So, what are these PUPs, and why are they pushed to you? They can be anything, such as adware, browser toolbars, homepage hijackers, nagging scare-ware, etc.

Adware is pretty much self-explanatory; it’ll monitor your internet access and pop up ads related to your activities. While the popup ad can be annoying, like during your PowerPoint presentation (ugh!), this puppy will also collect your personal information and send it “home”.

Browser toolbars install themselves into your browser to make your internet “browsing easier”. In exchange, this puppy will collect and send your personal information “home”, may pop up ads, or redirect your search results to its paying customers’ websites based on your internet activities.

The homepage hijacker changes your current home page and acts as the browser toolbar afterward.

Nagging scare-ware is the trial version of security software. This software promises to clean up and secure your computer. The trial version will allow you to scan your system and presents scary results, but it does not allow you to fix them until you actually purchase a licensed version. The scary results have nothing to do with the state of your computer; they are auto-generated by the software to entice you to purchase the program. This puppy may have any of the other puppies integrated, and they will be installed as well.

Ok… They are not breaking my computer, so what’s the harm?

Other than changing the behavior and performance of your computer, they also collect information about you. This information can be extensive and is correlated with offline data to tailor the popup ads to you and redirect your search results based on this information. The collected information about you is also sold/traded to data brokers.

Ok… But I have nothing to hide and they probably have everything about me anyway.

That’s seemingly a fair point, but… Your computer’s performance will degrade and your search results won’t be what you are looking for. Some people like popup ads and that’s fine, can’t argue with that. How you view your privacy is also a personal preference.

Except that data brokers want current information about the person, since that is what is valuable for them. Old data is pretty much useless as far as popping up ads is concerned. They are more than willing to pay for it and that is the main reason why these PUPs exist. If you don’t mind being a product created by these PUPs, there’s one more thing you should consider.

Malware has started to utilize these PUPs to do its dirty work. It ties into these programs to collect your information, redirect your browser to download more malware and take over control of your computer. Once it does, it will make you pay a ransom to have your computer back. You don’t have to believe me, just read this blog from Malwarebytes.

So, what can I do about these PUPs?

Prevention is the best proactive measure that you can take for a PUP-free computer. Pay attention to the installation routine of the program that you want. Most of the PUPs are included as a recommended “additional program” that is selected by default to be installed. In most cases, you can deselect the recommended program and it won’t be installed. The more aggressive installation routines don’t allow you to deselect the PUP, and some of them install it hidden from you.

Ok, what do I do then?

Once you have settled down and stopped swearing, my recommendation is to install programs that remove PUPs. There are two of them on my computers that are used on a weekly basis:

  1. Malwarebytes Anti-Malware
  2. Emsisoft Emergency Kit Scanner

No, they do not install PUPs, don’t be silly, and they are free…

Preferably, download and install both of them, update the engine if needed, and run them one by one. While they are very good at removing PUPs, each program has its limitations. Just do it at least once and you’ll see how many PUPs you had on your computer. You can choose to keep them, if you don’t mind the privacy and security risk that these PUPs pose to your computer, or delete them. You should also run these anti-malware programs on a weekly basis, if you want to have a PUP-free computer.

Malvertising at the watering hole…

The basic definition of malvertisement is:

infected online advertisement.

The legitimate website supports its operating costs by displaying ads from advertisement clearing houses. The actual ad is downloaded in the background by your browser and its content is loaded, usually on the right side of the main content, but it can be anywhere, including as a popup.

The ads can be useful for some people, but mainly annoying to others. It’s a business model where you receive “free” content and the website in question earns money to operate the site. You don’t necessarily need to click on the link in the ad to generate income for the website, just displaying the ad earns income for the website. The size of the income does increase, if and when the visitor clicks on the ad.

So, what’s wrong with this business model? The short answer is… nothing. The long answer…

The advertisement clearing houses collect potential clients pretty much indiscriminately, since their income depends on clients advertising products. Clearing houses also sell client advertisements to other clearing houses, in addition to advertising companies selling them to these clearing houses. The cross-selling happens mainly because of the clearing houses’ clients: some have more than others, and in targeted advertising it is important which website(s) will display the ad(s). As such, by the time the advertisement makes its way to the website, the actual ad could originate from the US, Europe, Asia, etc., and may have gone through 6-10 online advertisement companies.

The problem is that none of the companies, including the website where it’s displayed, checks the content of the advertisement for malware. As such, hackers love this venue for distributing their malware. They can create their ad, including malware, that may mimic legitimate products, and purchase advertisement time at the targeted website through the advertisement clearing house network. While the link is in their ad, you don’t need to click on the link to have the malware executed. It will load in the background as the website in question loads and in five minutes flat, your system is compromised.

So, what can you do against malvertisement based attacks? After all, like most people, you cannot give up visiting favored sites…

Notifying the website in question doesn’t do much good, especially after your system has been infected by the malware. The best a notification can achieve is that the malvertisement will be removed from the website, which will prevent other people from getting their systems infected. Hackers will just purchase ad time under a different fake brand name, and may use the same malware or create a new one.

Antivirus doesn’t provide much protection against malware in advertisements, since the malware utilized isn’t known as of yet. Once it is known and blocked by antivirus, the hackers will create new malware, and the perpetual cycle of unknown to known malware begins…

So, does that mean that there isn’t really much one can do, other than not using the internet? No, not really….

Let’s look at how the malware works in the malvertisement. The “payload” in the malware exploits known vulnerabilities in different applications. Different, as in most malware will try exploiting 3-4 different but vulnerable applications. Here’s a list of vulnerabilities that were exploited in a recent malvertisement:

  • CVE-2013-2551 (Internet Explorer)
  • CVE-2014-0322 (Internet Explorer)
  • CVE-2010-0188 (Adobe PDF Reader)
  • CVE-2013-2460 (Java)
  • CVE-2014-0497 (Flash)

The first four digits in each CVE number indicate the year the vulnerability was discovered, while the second four digits are a serial number for the vulnerability across all applications, operating systems, etc., in the given year.

The list above is a mixture of old and new vulnerabilities in the applications that the malware will try to exploit. Once an exploit has fully executed, the malware will stop processing the rest of the vulnerabilities. The order of the list is arbitrary in this blog; it does not indicate the actual order in which the malware will process them.

So, what does this information tell you?

I can just hear you say, “I know, I know!”, and you are correct. Keeping your system and applications up to date will prevent most malvertisement or malware from exploiting your system. Just keep doing it and you should be much better off than most people who do not…

Malware and their target…

Malware targets applications, hardware, and operating systems (OS) by exploiting known/unknown vulnerabilities in their software code. Why is that important to know? Well, knowing which components of your computer are used for exploits is half of the battle in protecting your system. If you don’t want to read about this subject and just want to protect your system, here’s a shortcut for protecting against malware…; the link will take you to my blog on the subject…

Comparing malware introduced in subsequent years, in our examples below 2012 vs. 2013, will not just identify the main targets, but also show the direction in which malware is heading. It should also remove some of the myths that people have about system vulnerabilities… Let’s look at the target types first, shall we?

Image source: Netwar Project

Malware targets:

By and large, the applications are the most targeted software for exploits, followed by hardware and operating systems. Let’s leave the hardware out of this analysis, that’s another blog, and continue with the operating system platforms.

Operating system:


Operating system vulnerabilities increased by close to 300% across all popular platforms, pretty much evenly. The year-to-year increase in the number of critical vulnerabilities ranged from 30 to close to 100%. The greater number of vulnerabilities for the Windows platform is largely due to the greater operating system market share of Windows. Believe it or not, hackers do know about ROI (Return on Investment) and prefer to target the Windows platform due to its market saturation.

Browsers:


The number of vulnerabilities in the Mozilla browsers seems to be decreasing as their market share decreases, while Chrome had about a 50% increase due to its growing market share. Internet Explorer (IE) vulnerabilities, on the other hand, tripled from year to year; keep in mind that the IE numbers include versions 6 to 10, in other words, unsupported but still used versions.

JAVA:


JAVA is one of the hackers’ favored applications, right after the Adobe software. It’s easy to program a JAVA applet and most people do have JAVA installed. It does help that the auto-update feature is broken most of the time and the security updates aren’t as frequent as they should be.

Adobe Acrobat Reader:


The Adobe Acrobat Reader is probably the hackers’ most favored application. Practically everyone with a computer has this application, and Adobe isn’t known for creating secure code and/or releasing security patches in a timely manner.

Adobe Flash:


The number of Flash Player vulnerabilities actually decreased from year to year. That’s good news, but it is mainly due to Adobe’s announcement that it stopped developing Flash for the mobile platform. The replacement for Flash will be HTML version 5 and Adobe AIR. Hopefully, the desktop platform will be the next where Flash disappears.

There are other applications favored by hackers, such as Microsoft Office, media players, etc., but these applications did not have the same year-to-year growth as the applications listed above.

So, again, why is that important to know? Well, if you keep your operating system and applications up to date, you’ve just substantially decreased the chance of your system being exploited…

Malware and why you should be concerned…

Malware is any software that disrupts computer operation, gathers sensitive information, or gains unauthorized access to private computer systems. Once it gets a hold of your system, it will cause:

  1. Loss of productivity
  2. Embarrassment with customers
  3. Lost sales
  4. Lost data
  5. Substantial financial loss
  6. Frustration and loud swearing…

I’ve been getting questions about how malware infects computers. That made me realize that there are some misunderstandings that the general public has in this area. Certainly, lots of information is available via the web nowadays on this subject; however, most of the available information is intended for IT people and as such, this type of information requires a certain level of technical knowledge in the area of networks, computer systems, malware, etc. The available information is accurate, but most small business owners have limited time and/or interest in reading through pages and pages of technical information, much less following some and/or all of the suggested protections for computers.

I cannot really blame small business owners for shying away from reading all the gibberish (to them), that’s available about how to secure small business systems. Nonetheless, they must have some basic understanding of how malware can reach their business systems, in order to prevent getting malware on their computers. I’ll try to use common terms and simple explanations; hopefully, this won’t be that hard to follow…

The malware can reach a computer, laptop, tablet, smartphone in four different venues:

  1. Internet access, wired and wireless
  2. Internet browser
  3. Email clients, in the form of attachment and/or links
  4. Removable storage media, such as CD/DVD, flash drive, etc.

Statistically, 90% of malware reaches the IT equipment over the network while the remaining 10% is attributed to removable storage media. The typical unsecured setup, wired and/or wireless, for internet access would look like this:

[Diagram: Unsecured small business/home system]

Why is it important to understand this process? Well, knowing how your business systems may become victimized by malware will help you to prevent it. If knowing this information simply makes you more aware of how to use your small business system, that’s great.

The actual goal of this blog post is to assist in transitioning you from your current set up to a secure business system that looks like this:

[Diagram: Secured small business/home system]

The end result has accounted for all four potential weaknesses and removed and/or limited the impact of malware through these venues. Let’s take it step by step on how to eliminate and/or limit the way malware can reach the system.

1. Internet access, wired and wireless

Computer worms and hackers’ automated scripts constantly scan the Internet for available services and exploit them automatically, if and when a vulnerable service is identified. For this reason, you should make sure that your computer or network is not open to this type of exploitation from the internet.

Adding a hardware-based broadband router and/or firewall removes the first major venue from the list. The cost for something of that nature would be around a hundred bucks. Something this simple can eliminate up to 10% of online risks through the Internet. The default factory configuration of broadband routers blocks all access from the Internet to your system; in other words, just installing one makes your computers 10% more secure. Go ahead and test your computer at ShieldsUP! and confirm whether your computer is at risk after you have installed the broadband router. ShieldsUP! will scan your computer for available services at no cost. The result of this test should look like this:

[Image: Stealth]

Please keep in mind that the portable devices, laptops, tablets, etc., require a software based firewall, if and when connected to networks, that are not under your control.

If your system scan does not show the same result, adjust the firewall rules to match the result and/or contact me to do it for you.

Let’s move to the next venues to protect your system from…

2. Internet browser, 3. Email clients, and 4. Removable media

Protection against venues #2, #3, and #4 is principally the same:

2.1  Do not use an administrator account for everyday tasks, such as browsing the web and reading emails.

I do understand and somewhat agree that running your computer with an administrator account does make life easier, especially when the User Access Control or UAC warning is disabled, but consider this. If you do that, you’ve just made the hackers’/malware’s life real easy. When you’ve logged on to your computer with an administrative account, any program that you run will be running under these access rights. And that’s any program, even the ones that you’re not aware are running in the background, such as malware. Do you see just how easy you made it for the hackers? He or she does not need to find a way to gain access to the administrative account; you’ve already given it to them.

The administrator account can also disable the antivirus solution, preventing it from protecting against the malware. You really should remove administrator access from the account that was created when Windows was installed. Proceed with caution and don’t lock yourself out of your system. Create an administrator account first with a reasonable password for the purpose, name it whatever you want, and log in with this account to test it first. Once the new account has been tested successfully, proceed to remove the administrative access for the account that you’ve been using. This step-by-step guidance, titled “How to change user account type in Windows…”, can assist you in performing this task.
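The same procedure in PowerShell, with a guard against the lockout mentioned above. This is an added example, not part of the original post or the linked guidance; the account names are placeholders, and the LocalAccounts cmdlets it uses require Windows 10 / Server 2016 or later.

```powershell
#Requires -RunAsAdministrator
# Added example. Account names used in the steps below are placeholders.

$AdminsSid = 'S-1-5-32-544'   # well-known SID of the local Administrators group
$UsersSid  = 'S-1-5-32-545'   # well-known SID of the local Users group

# Step 1: create the separate administrator account.
function New-SeparateAdmin {
    param([Parameter(Mandatory)][string]$Name)
    $password = Read-Host -AsSecureString -Prompt "Password for $Name"
    New-LocalUser -Name $Name -Password $password `
        -Description 'Administrative tasks only' | Out-Null
    Add-LocalGroupMember -SID $AdminsSid -Member $Name
}

# Enabled local administrator accounts other than the one being demoted.
# Only direct, local user members are counted (conservative on purpose).
function Get-OtherEnabledAdmin {
    param([Parameter(Mandatory)][string]$Except)
    Get-LocalGroupMember -SID $AdminsSid |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' } |
        ForEach-Object { Get-LocalUser -SID $_.SID } |
        Where-Object { $_.Enabled -and $_.Name -ne $Except }
}

# Step 3: demote the everyday account, refusing if that would leave the
# machine without any usable administrator.
function Remove-AdminRights {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string]$Name)

    $user   = Get-LocalUser -Name $Name -ErrorAction Stop
    $others = @(Get-OtherEnabledAdmin -Except $Name)
    if ($others.Count -eq 0) {
        throw "Refusing: '$Name' is the only enabled local administrator."
    }

    if ($PSCmdlet.ShouldProcess($Name, 'Remove from local Administrators')) {
        # Make sure the account stays a standard user so it can still log on.
        $inUsers = Get-LocalGroupMember -SID $UsersSid |
            Where-Object { $_.SID.Value -eq $user.SID.Value }
        if (-not $inUsers) {
            Add-LocalGroupMember -SID $UsersSid -Member $Name
        }
        Remove-LocalGroupMember -SID $AdminsSid -Member $Name
    }
}

# Step 1: New-SeparateAdmin -Name 'LocalAdmin'
# Step 2: sign out, sign in as LocalAdmin, confirm it can elevate.
# Step 3: (signed in as LocalAdmin) Remove-AdminRights -Name 'daily-user'
```

The change takes effect for the demoted account at its next sign-in.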

If your program(s) require administrative level of access, you should consider replacing them. If that’s not an option, you’ll need to run the program via the “Run as…” option, that’ll grant administrative access just for the program in question and not the whole system. Alternatively, if you have the UAC enabled, Windows since Vista and later will popup a window for entering administrative credentials, if and when the program requires this access level/right.

2.2 Use caution in browsing the web and reading emails

This is how the majority of malware gets on your computer, about 80% of it. Both browser and email based malware utilize social engineering to convince the end user that they must perform some action. End users usually need to click on a link that downloads the malware and installs it. The convincing part can be as simple as offering nude pics of celebrities, links to your financial institution’s sites, law enforcement warnings, etc.

For social engineering sample and how to be cautious in reading emails, please see this link

Internet browsing, on the other hand, is a different story due to how browsers work. All web pages are just scripts for browsers and they are executed under the logged-on user’s access rights to the system. Browsing the web with an account that has administrative access to the computer is asking for trouble, as explained above in “2.1”. So, what can you do, other than not browsing the Internet logged on with an administrator account?

Common sense will protect you in most cases. Certainly, staying away from “shady websites” such as porno, pirated software, MP3 download, and similar sites will help you avoid getting malware on your computer. It would be nice if this avoidance secured you from malware, but that’s not always the case. Hackers are smart and know that most people intentionally do not go to these shady sites. As such, they hack legitimate websites and place their malware and/or a link to their malware at these sites. This is called a “watering hole” based attack, where the end users don’t suspect that the legitimate sites will install malware on their systems. Legitimate sites have fallen victim to this type of malware distribution, and they still do. CNN and Facebook are probably the most commonly used websites that have fallen to this malware distribution. Protecting against watering hole based malware is covered in “2.3.” below.

2.3 Keep the operating system and applications updated

Most, if not all, malware takes hold of your computer by exploiting a known software vulnerability. Software companies do release updates to remove these vulnerabilities and you should install them as soon as they become available, be that for the Windows operating system and/or applications installed on your computer. Nowadays, most software has an automatic update feature that will download and install the updates automatically. You should not disable the automatic updates; let them update in a timely manner, as they should, to prevent known vulnerabilities of the software from being used against your computer.

Don’t just trust the automatic update to do its job; sometimes it doesn’t. Since the majority of malware reaches your computer through the browser, you should periodically test the security of the browser and its plugins at this link (a plugin installation is required):

https://browsercheck.qualys.com/

The Qualys plugin will scan your system for missing patches, covering the browser, operating system and applications. The results are displayed in your browser with links to the updates. Here are the results for my system:

[Images: scan results for the browser, the operating system, and applications]

A computer that is missing updates is vulnerable to exploits, be that a Windows PC or, in this case, an Apple computer. The latter may not have as much malware as the former, but nonetheless, it can be exploited just as well as Windows PCs if and when it’s missing updates.

2.4 Purchase and install an antivirus product (approximately $50-80), update definition files frequently

This does not require much explanation, I hope. As long as you don’t use an administrative account for everyday tasks, it’s a worthwhile investment. You could also forgo purchasing an antivirus software and use Windows Defender, if you have Windows Vista or later version. The Defender is free with the operating system and provides protection against malware. The Defender and other antivirus effectiveness is greatly increased, if you follow the security recommendation in this blog.

2.5 Removable storage media

Generally speaking, most of the malware on removable media is rather old. An up to date antivirus will stop older malware from infecting your computers. Nonetheless, you should:

a. Disable “AutoPlay” for removable storage media:

In the “Control Panel” select “Hardware and Sound”, click on the “AutoPlay” icon, and select “Take no action” for software and games at the minimum.

b. Scan the removable media:

Your antivirus software by default will ask you, if you want to scan the removable storage media, just say yes…

Following these recommendations will protect you against most known vulnerabilities, about 95% and so far, it costs you about 175 bucks, some time to install, and configure the components.
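A read-only audit of the settings covered in 2.1 through 2.5, as an added example that is not part of the original post. The age thresholds are assumptions, the antivirus check assumes Windows Defender, and Get-HotFix covers Windows updates only, not application patches.

```powershell
# Added example: report on the recommendations above without changing anything.
# Assumptions: 30-day patch and 3-day definition thresholds, Defender as the AV.

function New-Check($Name, $Value, [bool]$Ok) {
    [pscustomobject]@{ Check = $Name; Value = $Value; Ok = $Ok }
}

function Test-SecurityBaseline {
    param([int]$MaxPatchAgeDays = 30, [int]$MaxSignatureAgeDays = 3)

    # 2.1: is the logged-on account a direct member of local Administrators?
    # (Group membership is checked instead of the token, because a UAC-filtered
    # token hides the membership until elevation.)
    $me = [Security.Principal.WindowsIdentity]::GetCurrent()
    $adminSids = Get-LocalGroupMember -SID 'S-1-5-32-544' |
        ForEach-Object { $_.SID.Value }
    $isAdmin = $adminSids -contains $me.User.Value
    New-Check 'Everyday account is not an administrator' $me.Name (-not $isAdmin)

    # 2.1: UAC state. "Always notify" = ConsentPromptBehaviorAdmin 2 with the
    # prompt on the secure desktop; the Windows default is 5.
    $uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    New-Check 'UAC enabled (EnableLUA)' $uac.EnableLUA ($uac.EnableLUA -eq 1)
    $always = ($uac.ConsentPromptBehaviorAdmin -eq 2) -and ($uac.PromptOnSecureDesktop -eq 1)
    New-Check 'UAC set to "Always notify"' $uac.ConsentPromptBehaviorAdmin $always

    # 2.3: age of the most recently installed Windows update.
    $last = Get-HotFix | Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending | Select-Object -First 1
    $age = if ($last) { ((Get-Date) - $last.InstalledOn).Days } else { $null }
    $patchOk = ($null -ne $age) -and ($age -le $MaxPatchAgeDays)
    New-Check 'Recent Windows update installed' "$($last.HotFixID), $age day(s) ago" $patchOk

    # 2.4: Defender real-time protection and definition age.
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        New-Check 'Defender real-time protection on' $mp.RealTimeProtectionEnabled `
            $mp.RealTimeProtectionEnabled
        New-Check 'Defender definitions current' "$($mp.AntivirusSignatureAge) day(s) old" `
            ($mp.AntivirusSignatureAge -le $MaxSignatureAgeDays)
    } catch {
        New-Check 'Defender status' 'unavailable (another antivirus may be in use)' $false
    }

    # 2.5a: AutoPlay off, either per user or by machine policy (0xFF = all drives).
    $ap  = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers' -ErrorAction SilentlyContinue
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ErrorAction SilentlyContinue
    $off = ($ap.DisableAutoplay -eq 1) -or ($pol.NoDriveTypeAutoRun -eq 255)
    New-Check 'AutoPlay disabled' "user=$($ap.DisableAutoplay) policy=$($pol.NoDriveTypeAutoRun)" $off
}

Test-SecurityBaseline | Format-Table -AutoSize
```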

So, what about the remaining 5%, how does one protect the system against that?

There are other options that can increase protection of the system with additional software. Sophisticated malware, among other malware, utilizes buffer overflow techniques, so you need a solution that will protect against them. One such piece of software is the Microsoft Enhanced Mitigation Experience Toolkit, or EMET for short. This protection is free from Microsoft and easy to configure; just by selecting the default option during installation, it will protect your system against most of the malware relying on buffer overflow techniques.

You can also download and install Winpatrol – Scotty for free, which will monitor changes to Windows startup environment. All malware will change this environment and Winpatrol will alert you, if and when the startup environment is about to change. You’ll have the option to deny or allow the change.

With the additional protection installed, your system is protected against 99.9% of malware, provided that you have done and remain committed to following the steps in this blog post. That’s not bad for 175 bucks and some of your time invested. This is pretty much the best that someone, who is not an IT professional can do in today’s environment. Corporations spend millions of dollars, thousands of hours on installation and training, yet they are struggling to get to this level of protection.

If you have gotten this far, that’s great. You’re on your way to have a home/small business system, that will resist most, if not all malware trying to exploit your systems.

This seems complicated, but if you break it down, do one step at a time, and apply some patience, it can be done by most computer users. If you run into trouble you can always re-read part of my blog, or contact me for help.

Alternatively, if you are short on time, you should hire BITS to do it for you. Contact Otto via email, or call the office at 203.569.7610. Based on the operational requirements dictated by your business needs, we can tailor a security protection for you.

How to secure your computer against malware…

Securing computers against malware isn’t that hard, at least in theory. It does require a basic understanding of how computers work and a common sense approach.

The security protection for computers is outlined below:

  1. Use non-privileged user account (no admin) for day-to-day tasks such as email and web browsing
  2. Apply system security and other patches as they become available
  3. Keep application software, such as Adobe PDF and Flash, JAVA, MS Office Suite, etc. up to date with patches
  4. Disable system services that are not required
  5. Uninstall software that is not used
  6. Keep antivirus software definition files up to date
  7. Exercise caution in browsing the web and reading email

This protection can be effective against known malware that targets system/application vulnerabilities, for a simple reason: the system has been patched, the antivirus knows about the malware, and the end user is cautious in his/her internet access. Understanding how malware can get on to his/her system is half of the battle against malware.

Most, if not all, malware uses email, web pages, or combination of both to exploit unsuspecting users:

Email/web-based exploits:

  1. The user receives an email with an attachment that exploits an application vulnerability, such as in Adobe PDF Reader, MS Office Word and/or Excel, Winzip, etc. The attachment has most of the malicious code; however, it certainly can download additional malware once it takes hold of the system
  2. The user receives an email that, while it does not have an attachment, contains links to the malware. The link is represented as a “legitimate” website; however, the HTML code under the name of the website redirects the user to a site where the malware resides (also called “spear phishing”, read more about it here…)

Web page exploits:

  1. Legitimate websites are hacked and the malware is uploaded to the sites
  2. People visiting the hacked website(s) download and install malware without the user knowledge on his/her system (also called “watering hole” attack)

That’s all good and seems easy to follow, but why are so many computers hacked? The answer is twofold…

The most common answer is likely that the end user did not follow the basic security steps outlined above. After all, we can always point fingers at the end user, right or wrong…

The other answer is zero-day exploits…

Zero-day attacks are based on unknown system and/or application vulnerabilities that are yet to be discovered and fixed by software companies. Antivirus software does not protect against these types of attacks, and neither do system and application security patches, since the vulnerability is unknown. In other words, a computer with the latest antivirus and security patches can easily fall victim to zero-day attacks.

“That’s not good, even if I follow these steps, I can still “easily fall victim”. Why should I follow the common sense based security practice? What difference does it make, if I am hacked by known or unknown malware?”

The frustration is understandable, but the common sense based protection does have benefits. A large amount of malware is known and this approach will stop it from infecting your system.

Exercising caution in browsing the web and reading emails (#7) can prevent the smaller number of zero-day malware infecting your system. In addition, augmenting the antivirus protection of the system with software that protects against zero-day malware is another option, that can overcome carelessness in browsing the web.

The software that can target protection against zero-day malware is available; however, writing about them will be in another blog…