CyberSafety.co.za

• Does your computer talk to you? Can’t use the Internet? Have your files disappeared? You might be infected…

Users are often advised to use an antivirus to check if their systems are infected, but with the current cyber-crime scenario, this is simply not enough.

“It takes a least a basic grasp of security issues to work out if a computer is infected, and many first-time users have little or no idea” says Jeremy Matthews, head of Panda’s sub-Saharan operations. “However, while many of today’s threats are specifically designed to go undetected, there are still some tell-tale signs if a system has been compromised.”

Global IT vendor Panda Security has produced a simple guide to the 10 most common symptoms of infection, to help users identify if their systems are at risk:

1. My computer speaks to me: There are all types of pop-ups and messages on the desktop either advertising things, saying that the PC is infected and needs protection etc. This is a typical, surefire case of an infection. There is either spyware on the computer, or it has been infected by a fake antivirus also known as “rogueware”.

2. My computer is running extremely slowly: This could be a symptom of many things, including infection by a virus. If it has been infected by a virus, worm or Trojan, among other things, which are running on the computer, they could be running tasks that consume a lot of resources, making the system run more slowly than usual.

3. Applications won’t start: How many times have you tried to run an application from the start menu or desktop and nothing happens? Sometimes another program might even run. This could be another type of problem, but it’s a symptom that tells you that something is wrong.

4. I cannot connect to the Internet or it runs very slowly: Loss of Internet communication is another common symptom of infection, although it could also be due to a problem with your service provider or router. You might also have a connection that runs much more slowly than usual. If you have been infected, the malware could be connecting to a URL or opening separate connection sessions, thereby reducing your available bandwidth or making it impossible to use the Internet.

5. When I connect to the Internet, all types of windows open or the browser displays pages I have not requested: This is certain sign of infection. Many threats are designed to redirect traffic to certain websites against the user’s will, and can even spoof Web pages, making you think you are on a legitimate site when really you have been taken to a malicious imitation. 

6. Where have my files gone? Hopefully nobody will be asking this type of question, although there are still some threats around designed to delete or encrypt information and to move documents from one place to another. If you find yourself in this situation, get help as quickly as possible.

 7. My antivirus has disappeared, my firewall is disabled: Another typical characteristic of many threats is that they disable security systems (antivirus, firewall, etc.) installed on computers. Perhaps if one thing shuts down it might just be a specific software failure; but if all your security components are disabled, you are almost certainly infected.

 8. My computer is speaking a strange language: If the language of certain applications changes, the screen appears back-to-front or strange insects start ‘eating’ the desktop; it is likely that you have an infected system.

 9. Library files for running games, programs, etc. have disappeared from my computer: Once again, this could be a sign of infection, although it could also be down to incomplete or incorrect installation of programs.

10. My computer has gone mad… literally: If the computer starts acting on its own, you suddenly find your system has been sending emails without your knowledge, Internet sessions or applications open sporadically on their own, your system is probably compromised by malware.

Panda advises all users, who have identified with one or more of the scenarios above, to look for alternative security applications to the one (if any) they have installed. Users don’t need to uninstall their existing application; but can simply use a free, online antivirus such as Panda ActiveScan. Alternatively, they can install an antivirus that is compatible with other engines, such as Panda Cloud Antivirus, which is also free.

“Getting a second opinion on the health of your PC could save your data, your privacy and in many cases, your money”, concludes Matthews.

More information is available in the PandaLabs blog: http://www.pandalabs.com

For more information about Panda, visit http://www.pandasecurity.com/.

Panda Security’s anti-malware laboratory has identified a new, more aggressive trend for selling fake antivirus programs or rogueware. Until now, when a computer was infected by this type of malware, users would typically see a series of warnings prompting them to buy a pay version of the program. Now, these technologies are being combined with ransomware, hijacking the computer and rendering it useless until victims complete the purchase.

“The way this rogueware operates presents a dual risk: firstly, users are tricked into paying money simply in order to use their computers; and secondly, these same users may believe that they have a genuine antivirus installed on the computer, thereby leaving the system unprotected,” explains Jeremy Matthews, head of Panda’s sub-Saharan operations.

Once a computer is infected, any attempt made by the user to run a program or open a document will be frustrated. The only response from the computer will be to display a message falsely informing the victim that all files are infected with the only solution being to buy the fake antivirus.

This fake program, called Total Security 2009, is offered for €79.95 (almost R600). Victims are also offered ‘premium’ tech support services for an additional €19.95 (about R150). Users that pay the ransom will receive a serial number, which, when entered in the application, will release all files and executables, allowing them to work normally and recover their information. The fake antivirus however, will remain on the system.

“Users are often infected unknowingly – in most cases, through visiting hacked websites, and once a computer is infected it is extremely difficult to eliminate the threat, even for those with a certain degree of technical knowledge,” says Matthews. “Users are also prevented from using any type of detection or disinfection tool, as all programs are blocked. The only application that can be used is the Internet browser, conveniently allowing the victim to pay for the fake antivirus.”

For this reason, Panda has published the serial numbers required to unblock the computer if it has been hijacked on the PandaLabs blog. Users can then install genuine security software to scan the computer in-depth and eliminate all traces of the fake antivirus.

PandaLabs recently published a report about the lucrative business of rogueware. The shift towards hijacking computers indicates either that users are becoming more adept at recognizing these threats and that security companies are beginning to close the net. This would explain why hackers are becoming more aggressive in the methods used to force the victims into paying. The PandaLabs report is available here.

The serial numbers and a video demonstrating how this scam operates is available on the PandaLabs blog.

Panda Security’s malware analysis and detection laboratory has released a comprehensive study on the proliferation of rogueware into the cyber-crime economy.

Rogueware consists of any kind of fake software solution that attempts to steal money from PC users by luring them into paying to remove nonexistent threats. Panda predicts that it will record more than 637,000 new rogueware samples by the end of Q3 2009, a tenfold increase in less than a year. Approximately 35 million computers are newly infected with rogueware each month (approximately 3.5% of all computers), and cyber-criminals are earning approximately $34 million per month through rogueware attacks.

“The Business of Rogueware”, Panda’s report, reviews the various forms of rogueware that have been created, and shows how this new class of malware has become an instrumental player in the overall cybercriminal economy. The study also provides in depth analysis on the increasingly sophisticated social engineering techniques used by cyber-criminals to distribute rogueware via Facebook, MySpace, Twitter and Google.

In early 2009 social media sites such as Facebook, MySpace, Twitter, and Digg, became large targets for rogueware distributors. The top five social media attacks involving rogueware are:

1. SEO attack against Ford Motor Company

2. Comments on Digg.com leading to rogueware

3. Twitter trending topics lead to rogueware

4. Rogueware exploits WordPress vulnerability to facilitate Blackhat SEO attack

5. Koobface moves to Twitter

“Rogueware is so popular among cyber-criminals primarily because they do not need to steal users’ personal information like passwords or account numbers in order to profit from their victims,” says Jeremy Matthews, head of Panda’s sub-Saharan operations. “By taking advantage of the fear in malware attacks, they prey upon willing buyers of their fake anti-virus software, and are finding more and more ways to get to their victims, especially since popular social networking sites have become mainstream.”

Rogueware morphs quickly and proves difficult to detect

There are approximately 200 different families of rogueware, and Panda expects the variations to continue to grow. In the first quarter of 2009 alone, more new strains were created than in all of 2008. The second quarter painted an even bleaker picture, with the emergence of four times as many samples as in all of 2008. In Q3, Panda forecasts a rogueware total greater than the previous eighteen months combined.

The primary reason for the creation of so many variants is to avoid signature-based detection by (legitimate) antivirus programs. The use of behavioural analysis, which works well with worms and Trojans, is of limited use in this type of malware because the programs themselves do not act maliciously on computers, other than displaying false information. However, Panda Security has started to identify more advanced malware variants that are using typical Trojan features, rootkits and other techniques to subvert virus detection technologies.

How rogueware business works – and tracking the source

The Panda report details how the rogueware business works. The rogueware business model consists of two major parts: programme creators and distributors — not unlike a traditional business. The creators are in charge of making rogue applications, providing the distribution platforms, payment gateways, and other back office services. The affiliates are in charge of distributing the rogueware to as many people and as quickly as possible.

Panda’s research reveals that the affiliates are mostly comprised of Eastern Europeans recruited from underground hacking forums. They earn a variable amount per each install and between 50-90 percent commissions for completed sales. The Panda report includes financial statements and photos from events hosted by the leaders of these organizations that are not dissimilar to corporate sales events.

To read the full report, click here.

For real-time updates on Panda’s research, follow @Panda_Security