The Download Blog

Read all 'Trojan' posts in The Download Blog
August 21, 2009 5:53 PM PDT

Kaspersky 2010 in pictures

by Seth Rosenblatt
  • 1 comment

Kaspersky Internet Security 2010 and Kaspersky Anti-Virus 2010 went live this week, and we've created a slideshow to help users see what's new and what needs work in one of the leading security programs.

August 18, 2009 5:00 AM PDT

Kaspersky updates security suite for 2010

by Seth Rosenblatt
  • 20 comments

UPDATED: Benchmarks provided by CNET Labs were added on Monday, August 24.

A new season of security suites is upon us, and Kaspersky has made improvements to its Kaspersky Internet Security and Kaspersky Anti-Virus programs that include changes indicative of where security software as an industry is leaning. Three new features along with expected upgrades to its antivirus engine keep Kaspersky competitive.

The main window of Kaspersky Internet Security 2010.

(Credit: Screenshot by Seth Rosenblatt/CNET)

The full-feature suite Kaspersky Internet Security offers a complete and competitive range of security options. The new features in the 2010 edition include a behavioral-based detection system called the Urgent Detection System. The UDS utilizes the anonymous data of 10 million Kaspersky customers who choose to participate in submitting their system scans to Kaspersky's central servers for analysis. In fact, the UDS must be opted out of--there's a check box and a data collection statement to read when you install the program.

Although this might sound insidious, it's actually a smart way to leverage a huge consumer base for security purposes as long as the data remains anonymous. Symantec's Norton 2010 will contain a behavioral check, too, and what both do is look at programs installed on your computer and judge their safety based on how many people have them installed and how they behave. Among UDS's better sub-features are the ability to customize how long it takes to pass judgment on a new program and per-user configuration of the rules governing program behavior.

Even if a program has deep penetration and it starts behaving badly, Kaspersky will block it. If it's an unknown, Kaspersky will treat it skeptically, monitoring and restricting the program until it has been proven safe. The Vulnerability Scan option, available under the Scan tab, utilizes tech from Secunia to determine which programs are potential security risks because they lack recent updates or patches. For programs that may not warn you that they have a pending security update, such as Adobe Flash, having this tool baked-in could be exceptionally useful.

February 23, 2009 4:13 PM PST

New scareware sends you to fake Download.com reviews

by Seth Rosenblatt
  • 30 comments

Last week, BleepingComputer.com reported on how to remove a new variant of an old scareware. This new nasty, known most commonly as Antivirus2010 or Anti-Virus-1, points you to spoofed versions of Download.com, ZDNet, PCMag.com, and other software sites, demanding that you download their program to clean your computer. Of course, it does nothing of the sort, merely perpetuating the infection.

Antivirus2010, Anti-Virus-1, and other variants of the AntivirusXP infection have never been hosted on Download.com.

(Credit: Seth Rosenblatt/CNET Networks)

However, the manner and methods Anti-Virus-1 uses to get you there are extremely clever. The infection part of the malware does whatever it's been designed to do, so you can see that you've been infected with malware. What you don't realize at this point is that it's hacked your hosts file, too, so that when you go to a software site you don't ever make it to the site you're trying to get to.

You wind up on a skinned Web site that looks like the site you're expecting, but isn't. With the Download.com spoof, you can see that they're using our old design, which CNET abandoned last summer. Clicking on any link besides the download button will take you to the same page that the legitimate site would've taken you to. Hit the download button, though, and you get their fake malware remover, which in fact does the opposite, perpetuating the infection.

Removing the infection is tricky because of the differences between the variants. Some people have complained that they get locked out of their Task Manager, for example, but not all reports include that complaint. The fix that I cited for Antivirus XP 2008 may work, but users who have Windows XP Home Edition don't have a gpedit.msc. Home Edition users will have to edit their Registry directly.

Malwarebytes' Anti-Malware has proven to be one of the few malware killers that can effectively remove Antivirus XP 2008 and its variants, and it should work against the latest ones, too. The First Look video of Malwarebytes' Anti-Malware on the right will help you get started with the program.

Keep in mind that there is no substitute for cautious browsing. Don't install every Facebook app that comes your way, don't click on ads on unfamiliar sites or sites that are known vectors for attacks, and don't install software from anybody that's not a vouchsafed source.

I've pasted below the entire list from BleepingComputer of changes to your hosts file for your edification. Be warned that it may change as variants are developed.


(Via Ars Technica)
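The hosts-file hijack described above is easy to audit once you know the shape of the entries: a single non-loopback address pinned to review and download hostnames. The following checker is an added example, not code from the original post or from BleepingComputer; the sample hosts text is constructed, modelled on the published list, and the watched-domain list is my own choice taken from the sites the post names.

```python
"""Audit a Windows hosts file for redirected software-review sites.

Added example, not code from the original post. SAMPLE_HOSTS is constructed,
modelled on the entries the post reproduces (one non-loopback IP mapped to
review.* and reviews.* hostnames).
"""
import ipaddress

# Sites the hijack targeted, taken from the post. Any hosts-file entry that
# pins one of these (or a subdomain) to a non-loopback address is suspect.
WATCHED_DOMAINS = (
    "download.com", "cnet.com", "zdnet.com", "pcmag.com",
    "toptenreviews.com", "pcadvisor.co.uk", "pcpro.co.uk",
    "reevoo.com", "riverstreams.co.uk", "techradar.com",
)

# Constructed hosts file: the two entries a default Windows hosts file carries,
# an unrelated ad-blocking entry, and four lines in the hijack's shape.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example
217.20.175.74 www.reviews.download.com
217.20.175.74 reviews.download.com   # trailing comment
217.20.175.74 a1.review.zdnet.com
217.20.175.74 reviews.pcmag.com
"""

def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments, blanks and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address: skip rather than crash on a garbled line
        for host in fields[1:]:
            yield ip, host.lower()

def is_watched(host):
    """True for a watched site or any subdomain of one (not for look-alikes)."""
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)

def find_hijacks(text):
    """Return (ip, host) entries that pin a watched site outside loopback."""
    hits = []
    for ip, host in parse_hosts(text):
        if ip.is_loopback:
            continue  # 127.0.0.1 / ::1 mappings are how a clean hosts file looks
        if is_watched(host):
            hits.append((str(ip), host))
    return hits

def destination_ips(hits):
    """Distinct redirect targets, the addresses to block at the edge."""
    return sorted({ip for ip, _ in hits})

if __name__ == "__main__":
    # On a real machine read %SystemRoot%\System32\drivers\etc\hosts instead.
    hits = find_hijacks(SAMPLE_HOSTS)
    for ip, host in hits:
        print(f"redirected: {host} -> {ip}")
    print("destinations:", destination_ips(hits))
```

Note that the `0.0.0.0 ads.example` line is deliberately not flagged: it is non-loopback but not a watched site, so the check reports only the redirections the post describes.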

January 22, 2009 1:07 PM PST

Trojan found in pirated Apple iWork software

by Elinor Mills
  • 87 comments

Internet security firm Intego said on Thursday that it has discovered a new Trojan horse in pirated copies of Apple's iWork '09 productivity software that could allow an attacker to take control of the infected computer.

The Trojan horse, OSX.Trojan.iServices.A, discovered circulating in copies of the software on BitTorrent trackers and other pirate sites, is rated serious, according to Intego's security alert.

When iWork is installed, the Trojan is installed as a start-up item as a part of iWorkServices. It has read-write-execute permissions for root control of the computer, Intego said. The malware connects to a remote server over the Internet and may download additional components to the infected computer.

As of early Thursday, at least 20,000 people had downloaded the iWork '09 installer, according to Intego.

Meanwhile, an Italian researcher has uncovered a way to inject malicious code into memory of OS X-based computers, which would enable attackers to easily hide their activities, according to The Register.

Originally posted at Security
September 18, 2008 11:11 AM PDT

Trojan masquerades as iPhone game

by Elinor Mills
  • 16 comments

Security firm Sophos warned on Thursday that e-mails being circulated on the Web that purport to offer a free iPhone game instead are carrying a Trojan horse that can take control of infected Windows machines.

The e-mails have subject lines like "Virtual iPhone games!" and "Apple: The most popular game!" The attachment is called "Penguin.Panic.zip," which refers to the iPhone game of the same name.

The Trojan has been identified as Troj/Agent-HNY, Sophos said.

Sophos has not yet seen versions that run on Mac OS X, the Apple iPhone, or other mobile devices.

Originally posted at Security
September 15, 2008 11:20 AM PDT

How to remove Antivirus XP 2008

by Seth Rosenblatt
  • 187 comments
Update: Revised instructions to include folder deletion.

Antivirus XP 2008 is back, unfortunately. It's not an antivirus app, but a cleverly disguised rogue security application that tries to get you to buy the non-existent "security" it's selling. Advertised using the common tricks of Trojans and faux security alerts, this nasty piece of malware can take over your desktop settings to mimic safe mode, display fake virus detections, and open a faux Internet Explorer window stating that Google has detected a malware infection.

Antivirus XP 2008's Web site looks legit, but caveat emptor.

Yeah, Google.

Apparently, though, the virus is now being spread in more insidious ways, and numerous people who claim safe browsing habits and up-to-date security definitions are being infected--including two of my friends.

In helping them remove it, I discovered an excellent post on the CNET Forums that explained a detailed and accurate method of removal. I've retyped it below with more detail in case you're not able to get to the forums. It's not particularly complicated, but if you're not comfortable with advanced settings, I'd recommend proceeding cautiously or get a friend to help.

The scan window from Antivirus XP 2008 also looks legit. It's also not.

A warning before we begin: do not boot your computer into safe mode. Leave it running as you normally would. I tried restarting into safe mode, and the malware was prepared for that--its folders and files became undetectable.

First, in the Start menu, click on Run. If you can't find the Run option, hit WIN+R. (That's the key with the Windows icon on it.)

Type in msconfig, and go to the Startup tab. You're looking for two files. One begins with the string of letters "lph," and the second begins with "rhc". The examples provided are longer strings, "lphc35dj0e1an" and "rhc75dj0e1an", but after the first three letters, the strings are known to change on different computers. Uncheck the boxes next to both of them, then click on Apply and OK or Close at the bottom of the window.

The scan window from an older version of Antivirus XP 2008.

Restart your computer, and then delete the main files the spyware uses. In Windows Explorer, navigate to C:\windows\system32 and delete the lph*.exe file. Then go to your Program Files folder, C:\program files, and delete the rhc folder and everything in it. Keep in mind that these strings are known to change.

Restart your computer normally. You'll notice that the background hasn't changed. To restore your desktop settings, you'll need to go to Start > Run again, or Win+R. This time, type in Gpedit.msc. On the left nav, look for User Configuration near the middle. Navigate through Administrative Templates, then Control Panel, and finally Display. When you click on Display, you'll see a list of options open in the central pane. Right click on "Remove Display in Control Panel," and click "Properties." Then choose "Disabled."

Repeat those same steps for the following attributes: Hide Desktop, Prevent changing wallpaper, Hide Appearance and Themes, Hide Settings, and Hide Screen Saver. Change all to "Disabled," then hit Apply, OK, and restart your computer.

You will still see the Antivirus XP 2008 desktop "theme," but now you can change it. Anywhere on your desktop, right-click and select Properties. The first tab that opens should allow you to change your theme. If you also suffer from massive icons, use the last tab on the right, Settings. In the middle of that tab's window you'll see a Screen Resolution option, most likely set to 800x600. Move the slider to the left to choose a more aesthetically appealing resolution.
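The post notes that Windows XP Home Edition has no gpedit.msc, so those users must edit the Registry directly. The script below is an added example, not part of the original post: it parses a `.reg` export of the per-user policy keys, reports which of the six Display lockdowns listed above are enabled, and writes a `.reg` fragment that sets them back to "Disabled." The mapping from policy item names to registry value names is my own assumption (check it against gpedit.msc on a machine that has it), and the sample export is constructed.

```python
"""Audit a .reg export for the Display lockdown policies the post lists and
emit the lines that reverse them. Added example, not from the original post.

The item -> value-name mapping is an assumption; the sample export is
constructed in the layout `reg export` writes.
"""
import re

SYSTEM_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
DESKTOP_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop"

# Policy item named in the post -> (registry key, DWORD value name). Assumed.
LOCKDOWN_POLICIES = {
    "Remove Display in Control Panel": (SYSTEM_KEY, "NoDispCPL"),
    "Hide Desktop":                    (SYSTEM_KEY, "NoDispBackgroundPage"),
    "Hide Appearance and Themes":      (SYSTEM_KEY, "NoDispAppearancePage"),
    "Hide Settings":                   (SYSTEM_KEY, "NoDispSettingsPage"),
    "Hide Screen Saver":               (SYSTEM_KEY, "NoDispScrSavPage"),
    "Prevent changing wallpaper":      (DESKTOP_KEY, "NoChangingWallPaper"),
}

# Constructed export of the two keys from an infected profile. Three lockdowns
# are on, one is explicitly off, and one unrelated policy value is present.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispCPL"=dword:00000001
"NoDispBackgroundPage"=dword:00000001
"NoDispScrSavPage"=dword:00000000
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=dword:00000001
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def parse_reg_dwords(text):
    """Return {key: {value_name: int}} for the DWORD values in a .reg export.

    A real `reg export` file is UTF-16 with a BOM: open it with
    encoding="utf-16" before passing its contents here.
    """
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            values.setdefault(key, {})
            continue
        m = _DWORD_RE.match(line)
        if m and key is not None:
            values[key][m.group(1)] = int(m.group(2), 16)
    return values

def enabled_lockdowns(text):
    """Policy items from the post that the export shows as enabled (non-zero)."""
    values = parse_reg_dwords(text)
    return [item for item, (key, name) in LOCKDOWN_POLICIES.items()
            if values.get(key, {}).get(name, 0) != 0]

def unlisted_policy_values(text):
    """Other DWORDs under the same keys; the post's steps do not cover these."""
    values = parse_reg_dwords(text)
    known = set(LOCKDOWN_POLICIES.values())
    return sorted((key.rsplit("\\", 1)[1], name)
                  for key in (SYSTEM_KEY, DESKTOP_KEY)
                  for name in values.get(key, {}) if (key, name) not in known)

def undo_reg(text):
    """A .reg fragment setting each enabled lockdown back to 0 ("Disabled")."""
    by_key = {}
    for item in enabled_lockdowns(text):
        key, name = LOCKDOWN_POLICIES[item]
        by_key.setdefault(key, []).append(name)
    out = ["Windows Registry Editor Version 5.00", ""]
    for key, names in by_key.items():
        out.append(f"[{key}]")
        out.extend(f'"{n}"=dword:00000000' for n in names)
        out.append("")
    return "\n".join(out)

if __name__ == "__main__":
    print("enabled:", enabled_lockdowns(SAMPLE_REG))
    print("also present, review by hand:", unlisted_policy_values(SAMPLE_REG))
    print(undo_reg(SAMPLE_REG))
```

Apply the generated fragment only after the startup entries and files from the earlier steps are gone, since the malware re-applies the lockdown while it is still running.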

May 21, 2008 2:54 PM PDT

Spyware Horror Story: Would you fall for this IM scam?

by Jessica Dolcourt
  • 20 comments
Spyware Horror Story

Submitted by Scott, Vernon Hills, Ill.

This past April, a friend of mine, Jeff, called me on a Saturday afternoon, letting me know that I was instant messaging him right then. I obviously wasn't. He said that after some lines of basic text, I acted panicked and asked for money to be wired to an African bank account, which Jeff knew immediately was bad news for the real me.

I immediately changed some passwords in key accounts and found that my Hotmail account had been mysteriously compromised. The evildoers had got a ton of my contacts and sent out some boilerplate e-mails to unwitting friends and family, most of whom I assumed were smart enough to sniff a scam. I figured my first wave of defense would be good enough until I had more time to filter everything. That was really going to suck, I reasoned, but I had other things to do in the meantime.

That evening we were at some friends' house for a dinner party. Our friends' 2-year-old child accidentally set off a carbon monoxide alarm in the basement, and in the ensuing chaos of children, the alarm, and a boisterous party, I received a call from my obviously distressed mother who had just been instant messaging me and was at her wit's end with worry.

Here's the conversation she relayed:

'ME': Hi Dad!
Parents: Hi Scott, it's Mom here
'ME': OK, how are things?
Parents: Good, how are the girls?
'ME': Good
Parents: Did you hear about Heidi's sister yet?
'ME': Yes [at this point, Mom was wondering why I was spewing all these one-liners]
'ME': Mom, in trouble and need help...[wire money pitch followed]
'Parents': Call me! What's going on? Are you serious?
'ME': Phone not work well...problems here

That's when my mother called my cell, and unlike all the other friends and family who ignored those obvious scam e-mails, poor Mom's stomach was sinking downward and her mind was scrolling through worst case scenarios like any good mother's would. I answered the call in the middle of the carbon monoxide din, which only made me feel even more trapped when I discovered the true purpose of the call. It took a few minutes to calm Mom down, and after explaining the earlier incident with Jeff, we ultimately had a good laugh over the mess. Except now I had to deal with the keylogger Trojan (TrojanSpy/ProAgent) I had somehow contracted.

The villains had sent off about 10 messages and made contact with three people through IM before I was able to change the password. It was a bold and shocking violation of privacy. Amazingly, they preyed on the right folks from a contact list of over 100: my parents, the most likely to cave at an unknown peril to their firstborn.

I use Norton Internet Security on all my PCs and am very careful with my security all-around. When I called Norton, they said I was at fault for opening up a 'legit' program that Norton could not distinguish as good or bad. Can't Norton scan for keylogger code?! I purchased XoftSpy, which appeared to do the trick of identifying and eliminating the keylogger, or so I thought. I used a second Trojan antispyware package for a "second opinion" to confirm it was gone and it identified some totally new Trojans! The horror!

Realizing I was going to fall into a trap of continually spending $30 registration fees, I figured an absolute confirmation was necessary, so I took Norton up on their $99 eradication service and a nice representative gave my system a good natural cleansing. I showed him the results of the other package that reported my infection, and he pointed out it was a fake to entice someone to pay for the registration! My God, who can you trust?!

It took two hours for the representative to clear out all the infections and to this day I've had no other issues. The villains did send login ID requests to PayPal, eBay, Amazon, and other financial sites, a fact which will haunt me for years as I wonder when they'll mine all those prior e-mails for something I missed, something sensitive to my life.

One lesson learned is to purge old accounts. My Hotmail account had 8 years of old e-mails, many with password information requests that I had sent. Stupid. I removed those and thanked my lucky stars that the policies have changed over the past few years and that some sites now force you to change old passwords. If not, maybe I would have been cleaning out my bank account via eBay or PayPal.

I was hoping we'd have an 'ID Theft' registration site that financial sites could reference in case my life savings was in the process of being wired to Somalia or the like.


Editor's response

We don't have a lot of first-hand accounts of IM scams in our annals of Spyware Horror Stories, but when they happen, the cons are mighty effective. Similarly to phishing e-mail, IM scams count on the recipient's assumption that their buddy is in truth the typist and on the recipient's conditioning to click the offered link.

Thanks to the speed and breadth of the communication medium, malicious messages can spread widely and rapidly through a victim's buddy list. Even a bare link devoid of context can net a good deal of response from users who trust a friend's mysterious URL bait in hopes of an entertaining payoff.

Most of the ruses I'm familiar with involve phishing links such as this one or a hidden .exe download. Scott's haunt used the IM medium to deliver a twist on a '419' scam. Instead of asking for a bank account number in exchange for a percentage of some bogus money trade, this method took advantage of IM's personal touch by begging for a direct money wire. The tactic wouldn't be as convenient as an e-mail blitz that nets the numeric key to clean out a bank account, but it could well whip up enough panic in a dear relative or friend to elicit some cash. You would have been wise, Scott, to alert your IM provider and buddies of your compromised accounts.

Making matters worse is the keylogger that first got you into the mess and the successful rogue antivirus trick that dug you deeper. I may be a little biased here given my place of employment, but if you're not scouting software on a site that's known to offer safe downloads (a few spring to mind), you should at the very least be using a link-rating tool such as McAfee Site Advisor or AVG LinkScanner, the latter of which has also now been sewn in various degrees into the premium and free versions of AVG Anti-Virus.

February 21, 2008 3:41 PM PST

Beat back that Trojan horse

by Jessica Dolcourt
  • 4 comments

Editor's note: This article was updated on February 21, 2008. The original was published on February 28, 2007.

Like its mythical namesake (dramatized in Lego), whatever crawls out of a digital Trojan horse will be a nasty surprise. A Trojan horse usually takes the form of an innocuous software program that unleashes a flood of malware or viruses after it's installed and run. Since attacks and ease of removal vary--an ad generator is easier to remove than a stealth rootkit--there's no one-size-fits-all solution. However, there are some common spyware removal techniques that can help you pick your way through the wreckage.

Reboot Windows in Safe Mode

What is Safe Mode?
Safe Mode is a diet version of the Standard Mode of Windows that your computer ordinarily runs. Rebooting in Safe Mode loads minimal programs and disables most device drivers that manage hardware like CD drives and printers. The result is a more stable iteration of the Windows operating system that's better suited for disabling malware while you perform a system scan.

How do you use it?
If you can, follow the necessary steps for a safe shutdown process and then reboot. When you restart Windows, as the screen begins to load, press F8 repeatedly until the Windows booting options appear. Select "Boot in Safe Mode" from the menu of options. Once in Safe Mode, you should be able to run your installed antispyware software with less interference from the malicious software that the Trojan brought onto your system.

System Restore

What is System Restore?
System Restore strings out a safety net if everything goes kaput. Under default Windows settings, System Restore saves a snapshot of your computer configuration once a day and on major upgrades that can be used to replace corrupted files. In the event of a Trojan attack, System Restore can revert Windows to a previous, uninfected state. It won't restore everything, like changes to your user profile, but it does reinstate biggies like your Registry and DLL cache.

When do you use it?
When purging your computer of spyware, System Restore has an optimal time and place. You wouldn't want your computer including corrupted files as the reference point of the day, so it's important to disable System Restore before you start cleaning. You can reactivate it once your system is spick-and-span.

How do you use it?
The paths for accessing System Restore differ by operating system. In Windows XP, disable System Restore by right-clicking My Computer and selecting Properties. Under the Performance tab, select File System, then the Troubleshooting tab, and finally check Disable System Restore. You'll be prompted to reboot. Follow these steps to uncheck the box before restoring your system.

To use System Restore after scrubbing your computer, choose Accessories from the program list in the Start menu. You'll find System Restore under System Tools.

This comprehensive article from TechRepublic demonstrates how to create and use System Restore in Windows Vista.

Scan with antivirus/antispyware apps
Downloading diagnostic and removal tools with an infected computer is a huge time sink--spyware can cripple your speed and Internet access. The Trojan's payload could prevent EXE files from downloading or launching. Also, malware can affect the performance of installed security software on your PC. If you store your antivirus/antispyware programs on a CD or flash drive, however, those malware-busting apps can commence their swashbuckling unhindered.

January 24, 2008 3:57 PM PST

Stress, drama, vivid virus nightmares

by Jessica Dolcourt
  • 3 comments

From The Nightmare by Henry Fuseli

Published by William; Sydney, Australia

In our house, we used to share a computer. I had Spybot - Search & Destroy and Norton Antivirus installed on it, and I became the scanning boss since my parents barely knew how to click a mouse. After about a year, I discovered "DriveCleaner" in the program manager window. I tried uninstalling it, got an error, then saw the progress bar roll backward fairly fast. At least these malware people have a sense of humor.

But then: My computer was exceedingly slow and gave me constant pop-up problems. Stress session. I tried looking up fixes for this on the Web, but I believe it infected hosts.dll, as the search came up with more variants of DriveCleaner (which I didn't realize, so I installed them anyway). "Please pay to remove 3,960 infected items." I was so stupid and desperate, I did.

Stress attack. Angry relatives. Internet banking now forbidden. I burned everything to a DVD and reinstalled Windows. Of course, lovely Dell supplied our computer with Windows XP Home Corporate, and did I mention the DVD had auto-run? Stress attack. Actual nightmares of virus.

I reinstalled again and this time, disabled the auto-run registry key. Whew. Then I took about a month to reinstall the drivers, as the small spectrum of default colors just didn't cut it.

Now I've got a new computer with ZoneAlarm, Avast, and Spybot - Search & Destroy installed. Soon I'll get AVG and McAfee Site Advisor (for Firefox or Internet Explorer) as well. Throughout the entire scenario, I thought the infection was my fault. It turns out my father had a close call with DriveCleaner, and you can guess what happened when the truth came out.

Stress. Relief. Dramatic arguments over not telling me. My dad got me to remove his Windows account and create it again. This seemed to damage the Trojan heavily, but it was still there opening ports for its nasty friends to come and play.


Editor's Response

Realizing you're not solely responsible for a catastrophic computer meltdown is an immeasurable relief, but don't let yourself off the hook yet, William. Although your pop may have been the first in the family to fall prey to the rogue antivirus app, don't forget who also bought the ruse, paid out, and lost Internet banking privileges, not to mention a portion of the contents in that account.

Your most fundamental weakness in this episode wasn't the malware per se, it's that you allowed yourself to get panicked and lazy. Had you been calm and proactive, you could have compared DriveCleaner's phony prognostication with a second opinion, and not grabbed at the first seemingly-solid repair option that was dangled in front of you. These mal-intended apps prosper by scaring you into action, and the more clear-headed you are, the less likely it is you'll succumb.

You also would have seen by running an Internet search that DriveCleaner is a no-goodnik that makes security vendors' malware lists, including that of Symantec, Norton's publisher. And DriveCleaner is twice damned by LinkScanner Lite and McAfee Site Advisor, which both assign the link blaring red "stop" signs. In the twisted justice of search engine optimization (SEO), DriveCleaner's site is also the top slot on Google, which may mislead some users into thinking it's safe.

At a time like this, it would be prudent to remember that as an ultraindexer, Google reflects what's live online, but doesn't vet it. CNET blogging partner Michael Horowitz's recent article has just the pithy example.

January 8, 2008 11:02 AM PST

First iPhone Trojan horse reported

by Robert Vamosi
  • 4 comments

Seen more as a prank than an actual threat, a Trojan horse for the Apple iPhone, first reported on Saturday, has already come and gone. Still, users should be on the lookout for a package called "iPhone firmware 1.1.3 prep," described as something you need to install before updating to the new 1.1.3 firmware. Billed as an "important system update," the code does little more than cause annoyance. According to various sources, once the Trojan is installed it simply displays the word "shoes."

However, the Trojan also overwrites several legitimate applications, including Erica's Utilities, Launcher, Doom, and OpenSSH, meaning that if you uninstall the Trojan, you will need to reinstall these applications later. This appears to be a consequence of poor programming.

The risk to iPhone users is now considered negligible since the host sites have all been taken down.

As antivirus vendor F-Secure concluded in its blog, "This time it was an 11-year-old kid playing with XML files who created the Trojan. Next time it might be someone else with more skills and with specific target."

Originally posted at Defense in Depth
