Tag: Malware
A new way to fight Malware, Sort Of
by Michael Kavka on Jun.06, 2011, under Hardware, Security
We all know Social Engineering is the most commonly used way to spread malware. There seems to be a device that can help with that, as far as e-mails go. It's not a cheap form of protection though.
We all know that Social Engineering is the easiest way to spread malware. As P.T. Barnum said, “There’s a sucker born every minute,” and in the age of the Internet, it is even easier to get to those suckers. Pyramid Schemes, Malware, Phishing Attacks, all heavily rely on the mark being trusting. Anti-Malware, Firewalls, and security devices have always had a problem with this angle of attack.
Now a company called Cyveillance is touting a new appliance to help mitigate the Social Engineering front. Two problems though. First, like all first-generation, innovative ideas, the cost is more than most people make in a year: over $100,000 for the device alone, not including all the scan types and extra protection licenses added on.
Second, it only scans e-mail. This is nice for those instances where it is e-mail that has a bad link, but a lot of the malware is coming through hijacked ads on websites. This device doesn’t take any of that into account.
More information is available here and here. Overall, the idea of a device like this, or of algorithms and heuristics that can defend on this front and be reliable, is where we need to focus our defenses. Hopefully, someone can go the next step on this. After all, we are only as secure as the weakest link in the chain.
Apple fanbois: Remember the Titanic
by Michael Kavka on May.26, 2011, under Rants, Security
Apple finally admits to the MacDefender scareware and puts out instructions on how to prevent it. Too bad that within a couple of days there was a new variant that makes the instructions obsolete.
Ed Bott continues to report on this on his Microsoft blog over on ZDNet, to much hatred from the Mac Fanbois. They still deny the whole thing. It does not matter that Apple has confirmed the malware. It does not matter that Intego, a Mac security blog, is the one finding these items. No, the Mac is uber-secure and there is no malware for it. Malware for the Mac is impossible to create. Well, the new version reported by Intego doesn't require any administrator password. This to me seems to be no longer any proof of concept, but a real threat. But I digress. The biggest problem in this situation is the Mac Fanbois who are denying this sort of malware exists. The whole argument they give, though, reminds me of something else in history that happened almost 100 years ago.
There was a ship built in the early 20th century in England, which was highly lauded. This ship was huge, luxurious and unsinkable. That is correct, they claimed nothing could sink this ship, no way, no how, don't even ponder the notion, it can't happen. Well, there is nothing wrong with calling something unsinkable, of course, until it met a friendly iceberg in the North Atlantic on April 15, 1912. The iceberg decided to give the ship a nice bump, tore open a huge gash, and caused a lot of people to perish as the ship sank. We all know the name of the ship; it lives on. Titanic.
I look at the claims about the Titanic, and the blindness its builders had, and see similarities to the reaction of Mac Fanbois to Ed Bott and the MacDefender malware. Denial, short-sightedness, and unwillingness to admit the problem. Actually, this also reminds me of Microsoft when it first started getting hit big time with malware.
There are many arguments in this whole scenario that can be taken in. Yes, it's a socially engineered piece of malware, but so are the majority of the ones written for Microsoft. Yes, one piece of malware like this does not an epidemic make. Yet the Mac community has a chance to learn from the past, realize that they are starting to be targeted, and get ahead of the rolling stone that could be coming at them. Denial only hurts them.
Oh, and just one more piece of history on the whole thing: you need administrative privilege for the malware to become installed. Last time I checked, OS X was written on top of a BSD Unix variant. There have been viruses for Unix for a lot longer than for Mac or Windows.
Fake Software Viruses take a new turn
by Michael Kavka on May.24, 2011, under Rants, Security
We all know about the Fake AV, Fake Security Center, and similar malware. I’ve started running into a new variant, one that is a bit more of a pain.
I would say that 75% of my job winds up being removing malware from clients' machines. I find it annoying, and really would love to find a way to rid the world of the scourge of malware, but that is a rant for another time.
I've watched the malware come in waves over the years: the spyware craze of the early 2000s, the Melissa and I Love You viruses, the start of the Fake (insert software here) malware. The Fake software ones have been merely annoying, and pretty easy to remove with standard tools, at least until now.
Over the last couple of weeks, I've run into a new version of the Fake software malware. This one not only claims you have problems, but then turns around and, at minimum, hides folders on the machine so it seems that you've lost most everything. One variant even removes most of the system restore points and hides essential folders. This second one is the biggest pain to remove.
Combofix, Malwarebytes, and Superantispyware will find and remove the malware, but the damage done to the machine is time consuming to repair: resetting permissions, unhiding folders (and sometimes having to dig down to find what folder is still hidden), and repairing the System Restore feature of XP (go to %windir%\inf\sr.inf, right-click it and choose Install to repair it).
I know that the underworld of the internet makes a lot of money off malware, but this is just getting ridiculous. One would think that machines with up-to-date antivirus software should be able to stop this stuff, but obviously they don't. It does make me wonder how different the variants are.
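The "dig down to find what folder is still hidden" step above is the tedious part of cleaning up after this variant. As an added example (not from the original post), here is a small PowerShell script that walks a profile or data root, reports folders carrying the Hidden attribute that are not in a list of folders Windows hides by default, and can then clear the Hidden and System attributes on them. The root path and the default-hidden list are assumptions for illustration; adjust the list for the Windows version you are cleaning, and review the report before running without -WhatIf.

```powershell
# Added example, not part of the original post. Run from an elevated PowerShell prompt
# on the affected machine after the malware itself has been removed.
# Written for PowerShell 2.0 compatibility (no -Directory switch on Get-ChildItem).

function Find-HiddenFolders {
    param(
        [Parameter(Mandatory = $true)][string]$Root,
        # Folders Windows XP keeps hidden on purpose inside a user profile (assumed list; extend as needed).
        [string[]]$KnownHidden = @(
            'Application Data', 'Local Settings', 'Cookies', 'Recent', 'SendTo',
            'Templates', 'NetHood', 'PrintHood', 'Default User', 'LocalService',
            'NetworkService', 'System Volume Information', 'RECYCLER', '$RECYCLE.BIN'
        )
    )
    Get-ChildItem -LiteralPath $Root -Force -Recurse -ErrorAction SilentlyContinue |
        Where-Object {
            $_.PSIsContainer -and
            (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and
            ($KnownHidden -notcontains $_.Name)
        }
}

function Restore-FolderVisibility {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)][IO.DirectoryInfo]$Folder,
        [switch]$WhatIf
    )
    process {
        # Clear only Hidden and System; leave every other attribute (ReadOnly, Archive, ...) alone.
        $mask    = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
        $cleared = $Folder.Attributes -band (-bnot $mask)
        if ($WhatIf) {
            Write-Host ("Would unhide: {0} (attributes now: {1})" -f $Folder.FullName, $Folder.Attributes)
        } else {
            $Folder.Attributes = $cleared
            Write-Host ("Unhid: {0}" -f $Folder.FullName)
        }
    }
}

# Usage: report first, then apply. 'C:\Documents and Settings' is an example root (XP profile root).
Find-HiddenFolders -Root 'C:\Documents and Settings' | Restore-FolderVisibility -WhatIf
# Find-HiddenFolders -Root 'C:\Documents and Settings' | Restore-FolderVisibility
```

Running the report pass first matters: a folder that is legitimately hidden but missing from the list would otherwise be unhidden too, which is harmless but noisy. The same two functions work on a data drive (for example, a root of 'D:\') where almost nothing should be hidden, which makes the malware's handiwork stand out immediately.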
