Free PC Security

PC Security, Free Firewall, Free Security, Free Utilities, Free Programs and Free Advice. If this is helpful please comment; got a question? Please ask.

Archive for the 'Rootkits' Category


Virus Alert

Posted by cotojo on November 5, 2007

Some 30% of computers with a security solution installed that were scanned last week were infected with some kind of malware. In the case of computers without any kind of protection, the figure goes up to 44%. Source: http://www.infectedornot.com

Malware creators are trying to put a large number of threats in circulation and install them silently to prevent security companies from detecting them and generating the necessary vaccines. 

Therefore, traditional security solutions must be complemented with other types of online solutions like BitDefender, which uses the ICSA Labs certified scanning engines, so you can feel secure about their virus protection.

Among the malicious code that appeared in the past week, the Bindo.A and Nuwar.HU worms stand out.

Bindo.A aka autoply.exe is a worm designed to spread and infect as many computers as possible by copying itself under names like autoply.exe or MSshare.exe to the shared folders of any P2P programs that the targeted user might have installed.

It also creates a file called AUTORUN.INF in every drive it copies itself to, so that it is run each time the drive is accessed. It is very easy to detect the presence of this worm on the system, as it increases the number of shared files in the P2P shared folders on the computer.

Bindo.A also changes certain shortcuts on the desktop so that they have two execution paths: the original one, and a second one that runs the worm whenever the original program is launched.
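As an added example (not from the original post), this Python check parses an AUTORUN.INF file the way the worm's mechanism above implies and reports which executables it would launch; the sample file, the key list and the known-bad names it compares against are constructed here from the post's description.

```python
import re

# Constructed sample AUTORUN.INF, modelled on the behaviour described above:
# the worm copies itself as autoply.exe and registers it to run on drive access.
SAMPLE_AUTORUN_INF = """[autorun]
open=autoply.exe
shellexecute=autoply.exe
shell\\Open\\command=autoply.exe /s
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

# Keys in the [autorun] section that launch a program (assumed common set, not
# an exhaustive Windows reference); shell\<verb>\command is matched by pattern.
LAUNCH_KEYS = ("open", "shellexecute")
COMMAND_KEY_RE = re.compile(r"^shell\\[^\\]+\\command$")

def parse_autorun(text):
    """Minimal INI parser: {section: [(key, value), ...]} with names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections

def program_of(value):
    """Return the program path from a command value, dropping any arguments."""
    m = re.match(r'"([^"]+)"|(\S+)', value)
    return (m.group(1) or m.group(2)).lower() if m else None

def launch_targets(text):
    """Executables the AUTORUN.INF would launch, lower-cased and deduplicated."""
    targets = []
    for key, value in parse_autorun(text).get("autorun", []):
        if key in LAUNCH_KEYS or COMMAND_KEY_RE.match(key):
            program = program_of(value)
            if program and program not in targets:
                targets.append(program)
    return targets

def is_suspicious(text, known_bad=("autoply.exe", "msshare.exe")):
    """True if any launch target's file name matches one of the worm's names."""
    return any(p.replace("/", "\\").split("\\")[-1] in known_bad
               for p in launch_targets(text))
```

On a real machine, feed the contents of each drive's AUTORUN.INF to is_suspicious() and investigate any drive that is flagged.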

BitDefender is a FREE online virus scanner. It takes a while to run, so it is advisable to run it when you have no other programs using resources. When opened, you will have to accept the ‘I Agree’ user license, after which you will be taken to the Options page.


The default setting is to scan all of your computer, which is the safest option.  Under the ‘Settings’ the default option is for BitDefender to try and clean the infected files.  There is a warning that if disinfection fails, the files will be deleted.  You can change this option where it says ‘click here’ and a pop-up window opens (ensure you do not have pop-up blockers turned on).


Under the heading ‘Action options’ select ‘Prompt user for action’ and under ‘Second action’ again select ‘Prompt user for action’ then click OK, then click where it says ‘Click here to scan’.  BitDefender will then load the anti-virus engine and virus signatures.

If it fails to update, select ‘Yes’ to continue and scanning will start.


When scanning, if an infection is found you will be prompted for an action and you will see the location of the infected file.  You can select ignore, disinfect or delete.  If disinfection fails however, the file will be deleted so use this with caution and ensure that it is not an important file.

Nuwar.HU is a new variant of the infamous “Storm Worm” which takes advantage of Halloween to spread. It ends processes of certain security tools that might be installed on the computer.

Nuwar.HU drops a rootkit called noskrnl.sys on the system and sets it as a service so that it is run automatically when the computer is started. Nuwar.HU spreads in email messages with subjects like “Have a Happy Halloween everyone” or “Party on this Halloween” among many others.

These messages include links to certain web pages that show a ‘dancing skeleton’ animation. If the user downloads and runs the animation offered on the website, the worm infects the computer and turns it into a zombie system at the service of a malicious user.

Rootkit detection

Methods to detect rootkits fall into two categories: Signature-based and heuristic/behavior-based detection.

There is an article about rootkits here, with advice on searching your hard drive for the presence of rootkits and on tools to remove them; you can get more information by clicking here.


Posted in PC Security, Rootkits, virus | 10 Comments »

CoolWebSearch

Posted by cotojo on September 3, 2007

This is a very nasty and insidious spyware/malware program. Spyware experts are now saying that the makers are borrowing code from other malicious programs to install rootkit-like features on infected machines.

More recent versions of CWS spyware now have features similar to rootkits which allow the program writers to hide their files on Windows operating systems.

These new variants can hide their settings in the registry and also hide rootkit files in alternate data streams.

The software is usually installed on a machine by visits to malicious websites or  emails using various ploys to get users to download and install the script.

Once installed, CoolWebSearch will hijack browsers and redirect users to some of the several bookmarks it imports. When you attempt to change your homepage back again it constantly overwrites it; it slows down general performance, causes Windows to freeze, crash or reboot, and can also make you the victim of a Denial of Service (DoS) attack.

Getting rid of it is now much easier. TrendMicro have a free CoolWebSearch removal program.

Use this utility to get rid of CoolWebSearch and its related programs.

Also download Spybot S&D and use its TeaTimer protection, which runs in the background and alerts you to any attempted registry changes.

If you are running Windows, also use Advanced Windows Care. Both of these programs will make a large number of changes to your Registry. This is nothing to be concerned about, as the changes are necessary to stop any nasties from attaching themselves to your PC and making changes you really don’t want.

Keep your anti-spyware up to date and if you click on any links that prompt you to download, read the EULA first.

Check for rootkits on your machine.

As with all programs, regular updates are essential to offer you greater protection.


Posted in CoolWebSearch, Rootkits, Security, freeware | 13 Comments »

AVG Anti-Rootkit Free

Posted by cotojo on August 2, 2007

May 2008 Important Note: Grisoft have now incorporated this as part of the new AVG Anti-Virus v8.0.1.
It is only available in the paid version, NOT the free version, so please scroll to the bottom of the page for more Rootkit Removers.

Grisoft has developed quite a following with its free (for personal, non-commercial use) security applications, and for good reason.

Now there’s an anti-rootkit utility in AVG’s free software stable, too, and for users seeking a minimum of interaction, AVG Anti-Rootkit Free may very well be the Right Tool for the Job.

Grisoft makes its free AVG Anti-Rootkit application available for download. Users download the avgarkt.exe setup file, which features simple installation.

In keeping with the goal to make AVG Anti-Rootkit a very simple tool, the file features a simple .exe install file that triggers a setup wizard.

Users can select between a normal interface (which Grisoft recommends and sets as the default) or a low graphics interface (which is optimized for visually impaired users who rely on screen-reading programs).

Users must accept the AVG Anti-Rootkit Free license agreement before they can use the program to check their Windows system for stealth rootkit programs.

Next, users must specify the location of the AVG Anti-Rootkit Free installation files.

As with most software programs, users must specify the name of the Start Menu Folder. This is the name the AVG Anti-Rootkit application receives on the user’s Start menu.

Once users have specified all setup information, the free anti-rootkit utility installs itself.

Due to the way most anti-rootkit applications operate, it’s necessary to reboot Windows to enable proper operation. AVG’s free anti-rootkit application is no different. AVG’s setup utility gives users the option of rebooting immediately automatically or manually rebooting later.

AVG purposefully keeps its anti-rootkit interface simple. There are very few options for users to choose, thereby helping simplify the already confusing and complex world of rootkits.

AVG includes concise educational information aimed at helping regular users (non-IT professionals) better understand the threat that stealth rootkit programs present.

The Learn More tab lists information on what rootkits are and how users can protect their PCs from the stealth threats. There’s also a link to Grisoft’s site where additional computer security information is made available.

Users can check for AVG Anti-Rootkit Free updates using the third tab (About & Update). Clicking the About & Update tab also reveals the current version users have installed.

An interesting note: Grisoft explains on this third tab why AVG Anti-Rootkit uses random window titles. AVG’s programmers intentionally vary the name of the window the free anti-rootkit application uses, to help thwart any detection of the tool that rootkit authors might program into their malware.

If users click the Check For New Version button found on the third About & Update tab, they are directed to Grisoft’s Web site. Here users will see whether the version they are using is current or whether updates must be downloaded.

The Search For Rootkits tab is the meat of the program and the reason users will download it in the first place.

Clicking the Search For Rootkits button triggers a search of stealth rootkit programs. The free AVG application tracks its progress in the progress bar at the menu’s bottom.

By default, the Search For Rootkits button only searches critical Windows directories on the root drive.

When no rootkits are found, AVG presents a congratulations window.

When rootkits are found, AVG displays those that are found (with information on the rootkit path and type). Users can then highlight the rootkit items in question and click the Remove Selected Items button to eliminate the offending files from their Windows systems.

With the In-Depth Search, however, AVG Anti-Rootkit searches for stealth rootkit files on all the hard drives and partitions within a system.

Just as with the simple rootkit search, the AVG Anti-Rootkit Free application tracks its progress as it works. Should users wish, they can terminate the search using the provided Stop button.

These are all the options a user can select when working with AVG’s free anti-rootkit program. By purposefully keeping the application easy to use, AVG engineers have created a free malware detection utility that’s the Right Tool for regular (personal) users seeking to check their systems for unwanted stealth software.

Download your copy here

Do NOT rely upon just this Rootkit finder, use a few others too as they all vary in their search definitions and criteria.

You can find a comprehensive list at AntiRootkit.com

I recommend the use of IceSword and Rootkit Unhooker, but there are many free to use rootkit finders listed. Check the column on the right to ensure it is Free and do NOT use the Beta versions.


Posted in PC Security, Rootkit Unhooker, Rootkits, freeware | 4 Comments »

What is a rootkit?

Posted by cotojo on August 2, 2007

What is a rootkit?

A rootkit is not an exploit — it’s the code or program an attacker leaves behind after a successful exploit. The rootkit then allows the hacker to hide his or her activity on a computer, and it permits access to the computer in the future. To accomplish its goal, a rootkit will modify the execution flow of the operating system or manipulate the data set that the operating system relies on.

Windows operating systems support programs or processes running in two different modes: user mode and kernel mode. Traditional Windows rootkits such as SubSeven and NetBus operate in user mode.

Also known as backdoors or Trojans, user-mode rootkits run as a separate application or within an existing application. They have the same level of system privileges as any other application running on the compromised machine. Since these rootkits operate in user mode, applications such as antivirus scanners can detect the rootkit’s existence if they have a signature file.

A kernel-mode rootkit is remarkably different — and much more powerful and elusive. Kernel-mode rootkits have total control over the operating system and can corrupt the entire system.

By design, kernel-mode rootkits control the operating system’s Application Program Interface (API). The rootkit sits between the operating system and the user programs, choosing what those programs can see and do.

In addition, it uses this position to hide itself from detection. If an application such as an antivirus scanner tries to list the contents of a directory containing the rootkit’s files, the rootkit will suppress the filename from the list. It can also hide or control any process on the rooted system.

Rootkit detection

Methods to detect rootkits fall into two categories: Signature-based and heuristic/behavior-based detection.

Signature-based detection: As its name implies, this method scans the file system for a sequence of bytes that comprise a “fingerprint” that’s unique to a particular rootkit. However, the rootkit’s tendency to hide files by interrupting the execution path of the detection software can limit the success of signature-based detection.
Heuristic/behavioral-based detection: This method works by identifying deviations from normal operating system patterns or behaviors. For example, this method could detect a rootkit by determining that a system with a 200-GB hard drive that reports 160 GB of files has only 15 GB of free space available.
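As an added example (not from the original post or any of the tools it mentions), this Python snippet puts both detection methods side by side: a signature scan over the files a user-mode scanner can see, a cross-view comparison of that API listing against a raw read of the disk, and the disk-accounting check from the paragraph above. The file listings, file contents and the signature bytes are constructed here; the hidden file name is taken from the Nuwar.HU description earlier on this page.

```python
# Constructed sample views of one directory: what the Windows API reports to a
# user-mode scanner versus what a raw read of the file-system structures finds.
# The rootkit driver suppresses its own name from the API view.
API_LISTING = {"ntoskrnl.exe", "hal.dll"}
RAW_LISTING = {"ntoskrnl.exe", "hal.dll", "noskrnl.sys"}

# Constructed file contents and a constructed fingerprint (a byte sequence
# assumed unique to one sample); real signatures come from a vendor's database.
FILE_CONTENTS = {
    "ntoskrnl.exe": b"MZ\x90\x00normal kernel image",
    "hal.dll": b"MZ\x90\x00normal hal image",
    "noskrnl.sys": b"MZ\x90\x00HIDEME payload bytes",
}
SIGNATURES = {"Sample.Rootkit.A": b"MZ\x90\x00HIDEME"}

def signature_hits(data, signatures=SIGNATURES):
    """Signature-based check: names of every fingerprint found in the bytes."""
    return sorted(name for name, pattern in signatures.items() if pattern in data)

def scan_visible(view, contents=FILE_CONTENTS, signatures=SIGNATURES):
    """Run the signature scan over the files a given view exposes.
    A scanner that trusts the API view never opens the suppressed file."""
    findings = {}
    for name in sorted(view):
        hits = signature_hits(contents.get(name, b""), signatures)
        if hits:
            findings[name] = hits
    return findings

def cross_view_diff(api_view, raw_view):
    """Heuristic check: entries present on disk but missing from the API view."""
    return sorted(set(raw_view) - set(api_view))

def unaccounted_space_gb(disk_gb, files_gb, free_gb, tolerance_gb=5):
    """Heuristic check from the text: space explained neither by reported files
    nor by free space. Returns the gap in GB when it exceeds the tolerance
    (which allows for file-system overhead), otherwise 0."""
    gap = disk_gb - files_gb - free_gb
    return gap if gap > tolerance_gb else 0

if __name__ == "__main__":
    print("API-view scan:", scan_visible(API_LISTING))      # nothing found
    print("Raw-view scan:", scan_visible(RAW_LISTING))      # hidden driver found
    print("Hidden entries:", cross_view_diff(API_LISTING, RAW_LISTING))
    print("Unaccounted GB:", unaccounted_space_gb(200, 160, 15))
```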

Rootkits are hard to detect, but there are programs that can help, including a free one from Grisoft which I have covered in another post.

Posted in PC Security, Rootkits, trojans | 1 Comment »