
Defensive Computing

October 30, 2008 10:35 AM PDT

Beware e-mail messages from UPS

by Michael Horowitz
  • 6 comments

I have a lot of e-mail addresses and thus attract my fair share of unwanted and malicious e-mail. The latest malware-spreading e-mail to land in my in-boxes has purported to be from the package delivery company UPS. Thursday, I received two of these, but there have been other similar messages recently.

As you can see in the picture below, it came with an attached ZIP file.

A malicious email that was not from the UPS package delivery company

ZIP files are commonly used as a container to transmit malicious software. The number in the name of the ZIP file is probably there to evade detection by antivirus software; the numbers were different in the two messages received Thursday.

The ZIP file contained a single EXE called UPSInvoice_997612.exe. I uploaded the file to VirusTotal.com, where 4 of the 36 antivirus applications detected it as malicious.
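The two observations above (a ZIP wrapper around an EXE, and a digit string in the name that changes from message to message) suggest a simple mail-side check that does not depend on the filename at all. The following script is an added example, not code from the original post: it constructs a message shaped like the fake UPS invoice (the sender, subject, body and ZIP name are invented stand-ins, and the "executable" inside is a few placeholder bytes), then opens every ZIP attachment, lists any member with an executable extension, collapses the digits in the name so variants match, and hashes the member's contents so that two messages with different numbers in the name are recognised as carrying the same file.

```python
import email
import hashlib
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows will execute directly when double-clicked.
# Assumption: a short, reasonable list, not an exhaustive one.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")

# Constructed stand-in for the real UPSInvoice_997612.exe; not a real program.
FAKE_PAYLOAD = b"MZ" + b"\x00" * 62 + b"placeholder bytes, not an executable"


def build_sample_message(zip_name, exe_name):
    """Construct a message resembling the fake UPS invoice (all values invented)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(exe_name, FAKE_PAYLOAD)
    msg = EmailMessage()
    msg["From"] = "United Parcel Service <service@ups.example>"  # forged From, as the post describes
    msg["To"] = "recipient@example.net"
    msg["Subject"] = "UPS Tracking Number 0000 0000 00"  # constructed subject
    msg.set_content("We were not able to deliver the package. Please print the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()


def normalize_name(name):
    """Collapse runs of digits so UPSInvoice_997612.exe and UPSInvoice_103455.exe match."""
    return re.sub(r"\d+", "N", name)


def inspect_message(raw):
    """Return one finding per executable found inside a ZIP attachment of the message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if not fname.lower().endswith(".zip"):
            continue
        data = part.get_payload(decode=True)
        try:
            zf = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            findings.append({"attachment": fname, "error": "not a valid zip"})
            continue
        for info in zf.infolist():
            if info.filename.lower().endswith(EXECUTABLE_SUFFIXES):
                content = zf.read(info)  # hash the member, not the outer ZIP
                findings.append({
                    "attachment": fname,
                    "member": info.filename,
                    "normalized": normalize_name(info.filename),
                    "sha256": hashlib.sha256(content).hexdigest(),
                })
    return findings


if __name__ == "__main__":
    for raw in (build_sample_message("UPS_invoice_997612.zip", "UPSInvoice_997612.exe"),
                build_sample_message("UPS_invoice_103455.zip", "UPSInvoice_103455.exe")):
        for f in inspect_message(raw):
            print(f)
```

The outer ZIP bytes differ between the two constructed messages (different member name, different timestamps), but the normalized name and the SHA-256 of the member are identical, which is the property a mail filter or a VirusTotal lookup should key on rather than the ever-changing filename.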

As I've noted before: never decide to trust an e-mail message based on the sender. It is very easy to forge the "From" address when sending e-mail.

And, hopefully by now it should go without saying, Windows users should never run an executable file sent by e-mail. Mac and Linux users (including the many new Netbook Linux users) can ignore this warning.

See a summary of all my Defensive Computing postings.

May 8, 2008 9:41 AM PDT

Beware the innocent web site

by Michael Horowitz
  • Post a comment

PC World reported yesterday about the latest malicious attack on innocent websites (see Web Attack Worm Infecting Hapless Sites by Erik Larkin). While this particular story is news, the concept is old - there is no safe neighborhood on the Internet.

The websites that have been infected with this particular brand of malicious software are, very likely, innocent bystanders. Their crime is simply being hosted in an environment with buggy or misconfigured software.

If you have your own website, Erik Larkin has an excellent suggestion: run a Google search on the entire site to look for this malware infection. Specifically, do a search like

    site:mywebsite.com winzipices.cn

Needless to say, replace "mywebsite.com" with the name of your website. It is important that there not be a space after the colon. Hopefully, as shown below, the search finds nothing.


To see infected websites, search for "winzipices.cn". However, do not visit any of these infected websites.
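The Google search above only sees what Google has already crawled. If you have shell access to your own hosting account, you can check the pages directly. The script below is an added example, not something from the post or the PC World article: it walks a directory of HTML files, pulls the src of every script and iframe tag, and reports any that load from a host other than your own. It flags the domain named in the story specifically, but the more useful output is the "unexpected" category, since an injection will not always use a domain you already know about. The allowed host list and the sample pages are invented for the example; replace them with your own site's hostnames.

```python
import os
import tempfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts your own pages legitimately load script from. Assumption: edit for your site.
ALLOWED_HOSTS = {"mywebsite.com", "www.mywebsite.com"}
# Domain named in the PC World story the post cites.
KNOWN_BAD_HOSTS = {"winzipices.cn"}


class ExternalRefParser(HTMLParser):
    """Collect the src attribute of every <script> and <iframe> on a page."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            for name, value in attrs:
                if name == "src" and value:
                    self.refs.append((tag, value))


def classify(url):
    """ok: same-origin or allowed host; known-bad: listed domain; unexpected: anything else."""
    host = (urlparse(url).hostname or "").lower()  # relative src -> no host -> same-origin
    if not host or host in ALLOWED_HOSTS:
        return "ok"
    if host in KNOWN_BAD_HOSTS:
        return "known-bad"
    return "unexpected"


def scan_html(text):
    """Return (tag, src, verdict) for every reference that is not 'ok'."""
    parser = ExternalRefParser()
    parser.feed(text)
    results = []
    for tag, src in parser.refs:
        verdict = classify(src)
        if verdict != "ok":
            results.append((tag, src, verdict))
    return results


def scan_tree(root):
    """Scan every .html/.htm/.php file under root; map relative path -> findings."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".html", ".htm", ".php")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = scan_html(fh.read())
            if found:
                hits[os.path.relpath(path, root)] = found
    return hits


def build_sample_site():
    """Write three constructed pages to a temp dir: one clean, two with foreign script tags."""
    root = tempfile.mkdtemp(prefix="site_")
    pages = {
        "index.html": '<html><body><script src="/js/menu.js"></script>'
                      '<script src="http://www.mywebsite.com/js/site.js"></script></body></html>',
        "about.html": '<html><body><p>About us</p>'
                      '<script src="http://winzipices.cn/placeholder.js"></script></body></html>',
        "contact.php": '<html><body><iframe src="//unknown-host.example/frame.html"></iframe></body></html>',
    }
    for name, html in pages.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(html)
    return root


if __name__ == "__main__":
    for path, findings in sorted(scan_tree(build_sample_site()).items()):
        for tag, src, verdict in findings:
            print(f"{path}: <{tag} src={src}> {verdict}")
```

Run it against a copy of your document root; any "unexpected" hit deserves a look, because an infected page rarely announces which domain it has been pointed at.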

Alex Eckelberry, of Sunbelt Software (the company behind CounterSpy), has been writing recently about hacked websites at iPowerWeb. See Problems at iPowerWeb? and The iPowerWeb Chronicles: Problems persist. Yet, in early April, StopBadware said that iPowerWeb is much improved in terms of protecting the sites they host.

Not to pick on any particular hosting company, but the important issue is that websites with no ill intentions can still end up installing malicious software on your computer. And yes, Macs and Linux are safer from malware infestation, but not from the porn Alex turned up, and not from scams.

Shadowserver has more technical details on this latest exploit.

See a summary of all my Defensive Computing postings.

January 23, 2008 12:50 PM PST

Danger Will Robinson - don't watch that video

by Michael Horowitz
  • 9 comments

I got a taste today of the ever-present danger that is the Internet. A client of mine is often in the news, so I watch for articles using Google Alerts. Once a day, I'm sent an e-mail listing the new Web pages Google found that contain my client's name. After doing this for well over a year without incident, Google today included a malicious Web page in the list of those referencing my client. The page tried to install malicious software on my computer. Hopefully the details of the scam, described below, will educate anyone not yet sufficiently skeptical about life on the Internet.

Initially, Google sent me to
clarkjohnlzl22.blogspot.com
which purported to mention my client by name. It doesn't. But it does have a big video box with the usual Play button on it. Clicking the Play button, at least as of this writing, takes you to
gift-vip.net/videos/?name=crystal+children
Recently it took me to
gift-vip.net/videos/?name=steve+harvey+bald
On another computer, it took me to
websoft-a.com/download/504/411/0/

Update. January 24, 2008: The next day, the Google Alert e-mail linked to another malicious Web page, peggynoonztj46.blogspot.com. Just like the clarkjohnlzl22 phony blog, this site too had a video that required the installation of software from gift-vip.net.

The video doesn't play, but instead generates the error window shown below.


Clicking anywhere in this error window leads you down a dangerous path. There is almost no getting away from the nagging to install the software. For example, clicking Cancel just results in nags similar to those below (one is from Firefox, one from IE6).



Here again, clicking Cancel or the official "X" does nothing useful. These prompts also prevent access to other open Firefox tabs. The only way to get out of this is to kill your Web browser. But clicking the "X" in the top right corner of the browser window does nothing (technically, the install prompts are modal). Normally you can right-click on the task bar entry for a program and close the program from there. That, too, doesn't work in this case.

To kill your browser in Windows XP, use Task Manager (see my prior posting Task Manager - useful enough to run all the time). Right click on the task bar and select Task Manager from the pop-up menu, then navigate to the Applications tab. Click on your web browser in the list of active applications, then click on the End Task button at the bottom of the window.

In the interest of research, I downloaded the file. Don't try this at home. Needless to say, I didn't install the software. Instead I had it analyzed at VirusTotal.com, a great Web site that analyzes a single file with many different antivirus products (for more, see Can you trust that file?).

As is usual at VirusTotal, some antivirus programs found the file to be malicious, others gave it a clean bill of health. Among those that felt the software was safe were NOD32, BitDefender, Ewido and eTrust-Vet. Most products, however, considered the file malicious. Among them were:

AntiVir 7.6.0.48 2008.01.23 HEUR/Malware
Avast 4.7.1098.0 2008.01.23 Win32:DNSChanger-SF
AVG 7.5.0.516 2008.01.23 Generic_c.FTY
ClamAV 0.91.2 2008.01.23 Trojan.DNSChanger-2168
F-Secure 6.70.13260.0 2008.01.23 Trojan.Win32.DNSChanger.aqd
Kaspersky 7.0.0.125 2008.01.23 Trojan.Win32.DNSChanger.aqd
McAfee 5214 2008.01.23 Puper.gen.d

There are two lessons here. First, any one anti-malware product can only provide so much protection. Second, any software that is pushy about getting itself installed, you don't want.


Update. January 25, 2008: As a couple of people commented below, another point here is that you are safer by not running Windows. The comments were about Macs, but the same can be said about Linux.

See a summary of all my Defensive Computing postings.

December 8, 2007 2:19 PM PST

Antimalware software suites

by Michael Horowitz
  • 4 comments

When it comes to antimalware software, the first decision any Windows user needs to make is whether to go with an integrated suite of software or pick and choose specific products, such as a firewall, antivirus, and antispyware software. If a suite came preinstalled, it's certainly a tempting option. Dealing with a single company and not having to install new software has obvious appeal. But I think it's the wrong way to go.

For one thing, the software suites can be complicated to use. They are often known to slow down the computer. And they cost money, whereas there are many free antivirus, antispyware, and firewall programs to choose from.

Plus, they may be overkill. In what has been called feature creep, they typically include many different types of protective software in addition to the baseline antivirus, antispyware, and firewall. This added complexity can negate the single product simplicity advantage.

Among the extras is antispam software, which many people don't need; a case can be made that fighting spam is a server-side job, not something best done on your computer.

My colleague from The Personal Computer Show, Alfred Poor, has recommended against software suites many times on the show. He cites "bloatware" as the main reason:

"... the publisher piles on features not because they are practical or useful, but so that they can win the 'battle of the checkbox' where buyers go for the program with the most features. This leads to more software running in the background, which means a performance hit at the very least, and an increased chance of conflicts with other applications. My advice is to buy what you need, and no more."

Another big consideration is that, taken as a whole, software suites don't offer the best protection.

Leo Notenboom made this argument last week on his Ask-Leo Web site. Quoting from How do I pick the right tools to protect my system?

"Would a bundled application (all defenses in one) be necessarily more effective than several standalone products? In my fairly strong opinion, no. I base that primarily on the four+ years of problem reports and feedback that I've received here at Ask Leo!. It just seems that the combined suites cause more problems and miss more malware or security issues than a well chosen set of individual solutions."

Why don't the suites offer the best protection? Here too, I agree with Leo:

"My theory is that the suites start with a really good single product...in order to create a suite the manufacturer then buys or creates what I can only assume are second-rate additional components..."

The ZoneAlarm firewall is a case in point. I like the free firewall and would buy the commercial version for the additional features. But I can't; at least not without also buying either antispyware or antivirus software from CheckPoint. So I pass.

Interestingly, I disagree with Leo's recommendations for antivirus, antispyware, and firewall software. But even people who disagree on the specific choices agree that making specific choices is the way to go.

As for Alfred's point about bloatware, a comparison of the assorted software bundles offered by ZoneAlarm/CheckPoint shows no fewer than 16 types of defensive software included in the top-of-the-line product.

Another example of an antimalware product being assimilated into a suite comes from Eset.

In his newsletter/blog last week, Scot Finnie discussed the stand-alone NOD32 antivirus program vs. the company's suite of antimalware software called Eset Smart Security. As for the new version of NOD32, Scot writes "...my preliminary impression of Nod32 3.0...was quite positive. That product is available as a standalone upgrade to Nod32 2.7..."

But regarding the suite he says "I looked pretty extensively at Eset Smart Security in late beta, and I didn't think much of the firewall at all. Plus I have no use for Eset's antispam solution. So I am definitely recommending *against* the new $60 Eset Smart Security (ESS)."

Finally, a note from the school of hard knocks.

After reading some good reviews of F-Secure Anti-Virus a while back, I installed it on a couple machines. On one machine, when I later installed Spy Sweeper, the antispyware product from Webroot, I learned about an incompatibility with F-Secure Anti-Virus.

Another machine had the free ZoneAlarm firewall installed. When I tried to install F-Secure Anti-Virus, it complained about ZoneAlarm, basically saying it's either us or them. The F-Secure product would not install unless the ZoneAlarm firewall was removed.

What possible conflict could there be between an antivirus program and a firewall? My guess is that F-Secure had a single installation program for both their software suite and their standalone antivirus, and they hadn't customized the antivirus installation to not bother checking for firewall software. Just a hunch.

The debate over individual antimalware products will continue until Windows truly becomes secure. Until that day, fight assimilation and opt for standalone antimalware products.

See a summary of all my Defensive Computing postings.


About Defensive Computing

Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He views Defensive Computing as taking steps, when things are running well, to avoid or minimize the inevitable problems down the road. It's about educating yourself to the level where you can make your own intelligent decisions about keeping your computers and data happy and healthy. If you depend on computers, yet are on your own, without an IT department or nearby nerd, this blog's for you. His personal web site is michaelhorowitz.com.

He is a member of the CNET Blog Network and is not an employee of CNET.
