Tuesday 13 October 2015

The Worst Malware Ever

The Worst Malware Ever

2015 is already the most dangerous year in malware history – and 2016 will be worse. Jane Hoskyn explains why, and reveals what you must do to stay safe

The title ‘The Worst Malware Ever’ may sound like one of those late-night shock documentaries on Channel 5, like ‘The World’s Worst Serial Killers’ or ‘Most Horrible Shark Attacks Ever’. Oh, if only it were that simple.

Unlike serial killers, the worst malware ever hasn’t been sentenced to life in prison, and it’s definitely not dead. When hackers face a challenge, such as an antivirus (AV) that’s been updated to block their precious Trojan or to patch a vulnerability, they don’t give up – quite the opposite. Malware doesn’t go away, it goes back to the drawing board, then bounces back in a powerful new form.


Just when you thought it was safe…


Hackers are determined workers, we’ll give them that. They’re driven by greed, glory and a desperate desire to beat the system (including your operating system). If a hacker has worked his (and it is mostly men) socks off to create a malicious bug, then figured out how to get the thing into your computer, he’s going to work around any attempts to block it. He’s a hacker; workarounds are his job. That’s why the worst malware ever will never stop evolving, and why your PC has never been a more dangerous place.

We’ll start this feature with our version of that late-night ‘shock doc’, rounding up the scariest types of malware ever. We’ll reveal how hackers are using deadly new tactics, and have found ways to infect more of your devices than ever before.

Then we’ll show you how to find out which nasties you’re vulnerable to and which are affecting you right now. Finally we’ll explain how to get them out and keep them out – at least until they’ve evolved into an even more terrifying form that no one can yet imagine.

THE NASTIEST MALWARE OF ALL TIME


1 Ransomware


Worst examples: CryptoLocker, Cryptowall, Koler, LockerPin

How it works: Ransomware is so vile it makes other malware look cute. If you think of other malware as a tech version of having your pocket picked, ransomware is the tech version of having your home held to ransom. Your PC is full of important personal data and a lifetime of photos and messages, so it really is your second home.

When ransomware gets into this treasure trove, it locks you out and demands a ransom, usually in Bitcoins. (One Bitcoin costs around £150, having stabilised after reaching a £700+ peak a year ago, so we’re not talking pennies here.)

That was the moderately bad news; now here’s the really bad news. Ransomware has got a lot nastier since it was first identified in 2006. By 2013, hackers were using the CryptoLocker ransomware bug to encrypt every file on an infected PC. In 2014 we met Cryptowall, which installed passwordstealing spyware at the same time as locking its victim’s computer. In 2015, ransomware has spread its wings.

Why it’s worse than ever: Ransomware makers – apparently bored with locking just PCs – have turned to tablets and phones. New Android ransomware such as Koler and the even newer, nastier LockerPin spreads via fake apps – a prime example of phishing, malware’s favourite form of transport. Security researchers at F-Secure have found ransomware vulnerabilities in iOS, too (www.snipca.com/17989; PDF), though at the time of writing they haven’t been exploited.

The future looks dim, doesn’t it? It’s not. Ransomware may be powerful, but ultimately it’s just fraud. Its infections can be removed safely and for free, and its ransom demands are nothing more than lies to extort money. Like all the other malware in this list, ransomware is not unbeatable – it just wants to scare you into believing it is.

2 Trojans


Worst examples: Zeus/Zbot, Citadel, Spy Eye

How it works: You may already know Trojan malware gets its name from the ancient Greek story of the wooden horse that was used to help Greek troops sneak into the city of Troy. Scroll forward a couple of millennia and your PC is now Troy, plundered by hackers who use Trojan horses (‘Trojans’) to get into your computer and wreak havoc.

This havoc takes many horrible forms. Different types of Trojan can be used to take malicious remote control of your computer (‘backdoor’ Trojans) and hide malware in your system (‘rootkit’ Trojans). Numerous types can spy on you by logging your keystrokes, taking screenshots and even hijacking your webcam (so-called ‘Trojan-Spy’ malware such as Spy Eye). They can hijack your computer, using it to send data or malware that overwhelms other computers or entire servers (‘Denial of Service’ or ‘DoS’ Trojans).

Trojans can also spread ransomware. Cryptowall and CryptoLocker were both spread using Trojan infections. Find more examples from AV firm Kaspersky (www.snipca.com/17988); the list is depressingly long.

Why it’s worse than ever: According to our security team at Dennis Technology Labs (DTL, www.dennistechnologylabs.com), banking Trojans are currently being used and abused in particularly alarming numbers. One single successful Trojan attack on a bank can see hackers funnelling money out of millions of accounts, including yours. The most infamous banking Trojan is Zeus, aka Zbot, which burst into life in 2007 and has since inspired thousands of variants that are getting scarier by the year. Type banking Trojan into Google and click News to read about the newcomers, from Sphinx (www.snipca.com/17990) to Shifu  (www.snipca.com/17989), which targets banking apps - previously assumed to be safer than banking sites.

On the bright side, says DTL’s Simon Edwards, “Your bank will end up taking the hit rather than you. This obviously doesn’t apply to ransomware, where you pay your own money”. That still doesn’t make us feel very safe, if we’re honest.

3 Worms


Worst examples: Mydoom, Koobface, The Moon, Moose

How it works: A worm is a type of program that replicates itself endlessly so it can spread between computers, potentially taking down a whole network.

Not all worms are malicious – they have been used by some software companies to spread security patches. But they’re also a very easy way for hackers to cause widespread destruction. Mydoom was used to spread virusinfected spam in the early 2000s, and Koobface made headlines in 2009 when it spread through social networks to build a vast botnet.

The trouble with worms, from the hacker’s point of view, is that they need holes to go through. So if you’re diligent about keeping your operating system (OS), software and browser up to date and patched, your PC is a dead end to a worm. But that’s not the end of the story. Why it’s worse than ever: As we saw,  hackers have turned to other devices to create their nefarious worm networks. Not tablets and phones, because we tend to keep those updated as well. Instead, they’re targeting our routers.

The best-known router worm is The Moon, which spread among older Linksys routers last year until a firmware update stopped it in its tracks. Then came Moose, which is still on the loose, spreading through numerous makes of router. If Moose infects your router, it uses your internet connection to post spam on social sites, and can be used to eavesdrop on your internet activity.

4 Zero-day attacks


Worst examples: No catchy names this time (‘CVE-2015-5123’, for example) – mostly affecting Flash.

How it works: Zero-day (known even more apocalyptically as ‘zero-hour’) attacks exploit new vulnerabilities - so new in fact that there’s no patch available. Most zero-day malware can’t be blocked by your AV either, because there’s no virus signature yet.

Why it’s worse than ever: Zero-day attacks are a relatively new problem, and their rapid growth is partly down to how we use our computers. These days we’re using fewer big, expensive, installable programs (such as Microsoft Office) and more free online tools based on plug-ins such as Adobe Flash Player (‘Flash’) and Java.

That’s great for our pocket and hard-drive space, but there’s a big security downside. As you’ll know from our article, zero-day vulnerabilities have made Flash and Java positively dangerous (though some readers are happy to take the risk). Flash is now so bad that, in July, Firefox took the dramatic step of blocking Flash content altogether.

5 Server bugs


Worst examples: Heartbleed, Shellshock

How it works: Heartbleed and Shellshock, both uncovered in 2014, are like industrial fishing nets for hackers. Rather than bothering to break into individual PCs, hackers use these server bugs to break into giant servers and grab thousands, or even millions, of passwords and usernames in one go.

Password manager LastPass famously suffered a Heartbleed vulnerability earlier this year, but the server’s encryption measures were too tight and hackers weren’t able to exploit the flaw. Other vulnerable sites and servers have included GitHub, SourceForge and even LibreOffice (see more on Wikipedia: www.snipca.com/18057).

Why it’s worse than ever: Heartbleed in particular made lots of headlines last year (it even had its own logo), and websites responded en masse by tightening their encryption to LastPass level. So has Heartbleed gone away? Nope.

The vulnerability still affects thousands of internet-connected devices, according to security researcher John Matherly (here’s a rather sobering map he posted on Twitter: www.snipca.com/18062). The key word there is ‘devices’. We tend not to be as security-aware when we’re browsing on our tablets and phones, so we may not notice if we’re using flawed servers and unencrypted sites.

What’s more, Heartbleed and Shellshock are a new type of attack - and they could merely be the start of something big. The next challenge for hackers is to unlock tight encryption measures used by sites such as LastPass, and they’re working on that right now.

6 Spyware


Worst examples: CoolWebSearch, Superfish, Rombertik

How it works: Unlike zero-day and server attacks, spyware has been around for ages and is easy to define: it’s malware that spies on you.

Early spyware such as CoolWebSearch (now an awkward teenager, 13 years old) was spread via phishing sites and adverts, mostly in Internet Explorer, but later in Firefox and Chrome as well. It hit you with pop-ups, redirected you to pornographic sites, slowed down your PC and, of course, spied on your private data. For years, hundreds of spyware attacks worked in much the same way.

Why it’s worse than ever: 2015 has seen spyware reborn in vicious new forms – and even pre-installed on computers by PC manufacturers. This horrendous buse of trust was first exposed in February, when Lenovo bundled Superfish spyware in new laptops). The company was forced to create a Superfish removal tool (www.snipca.com/18051), but didn’t learn its lesson, because it’s been found pre-installing two other types of spyware since (www.snipca.com/18050). Extraordinary.

Other new spyware, such as Rombertik, is spread by good old phishing, but is far more advanced than its predecessors. Once it’s got into your browser, Rombertik - first reported in May 2015 - runs checks to ensure it’s not in a sandbox or other virtual security cell. Then it decrypts, installs and reproduces itself, overwriting its original file so it’s almost impossible to find and remove. Finally, it settles in to record every move you make online.

One thing Rombertik isn’t is a “suicide bomb” in your PC (www.snipca.com/18054). It can’t destroy your PC or the files inside it – that’s not in the interests of spyware. For an accurate, detailed description, read this blog from security company Sophos: www.snipca.com/18053.

HOW TO STAY SAFE FROM THE WORST MALWARE EVER


Find your security holes


Bullies thrive on weakness, and hackers thrive on vulnerability. You can wipe out most of your PC’s vulnerabilities by keeping your OS and software up to date, and bolster your defences with a properly configured AV. For more guidance on making your PC hack-proof, see our article.

But as we’ve seen, hackers know all your best hack-proofing strategies, and they’re determined to stay one step ahead by looking for your latest vulnerabilities. So you need to find these security leaks and plug them.

You can do this using online tools that don’t interfere with your AV or firewall. The free online PC Pitstop Vulnerability Test (www.snipca.com/18082) looks for flaws in your software and reveals if, and where, you need critical security updates. It won’t close any holes for you, but it gives you the information you need to find appropriate updates and patches.

Qualys FreeScan (www.snipca.com/18083) is an even more thorough scanner, and will find holes in your browser and Wi-Fi network as well as your installed software and OS. It’s also free and works online, but you have to create an account to use it. To quickly scan your browser and add-ons only, use Qualys BrowserCheck (https://browsercheck.qualys.com). It works in any browser and doesn’t require an account, but it does install a plug-in unless you click ‘Scan without installing plugin’ below the green button.

Find and remove malware your AV missed


In all likelihood, there’s a Trojan or spyware on your PC right now. Malware is getting better and better at sneaking past your AV - which isn’t even designed to block some nasties, such as browser hijackers and adware (which may also be spyware).

The good news is there are plenty of free tools that can find and kill the intruders your AV missed. These tools aren’t designed to run constantly in the background, so they won’t conflict with your AV. We recommend keeping the latest versions of free, portable tools Malwarebytes Anti-Malware Free (www.snipca.com/18084), AdwCleaner (www.snipca.com/18085) and the opensource anti-spyware tool HiJackThis (www.snipca.com/18089) in a folder on your Desktop and on a USB stick. They all quickly scan your entire PC - including your registry and browsers - for malicious files, and then let you remove the nasties.

Microsoft also has detailed tips on removing spyware from different versions of Windows. Here are the guidelines for Windows 7: www.snipca.com/18090.

Dig out router worms


F-Secure’s free online Router Checker (www.snipca.com/18087) reveals in seconds whether your router is hosting a worm or other malware. Rather than looking for malicious files, it looks for malicious activity such as DNS requests that don’t end up where they’re supposed to go. If all is well, you’ll see a big green message: ‘No issues were found’. If all isn’t well, you’ll be told what to do next.

Most worm infections can be removed by updating your router’s firmware. Firmware updates also help prevent infections by patching holes. You’ll find firmware downloads and instructions on the manufacturer’s website. If you’ve tried updating the firmware and Router Checker is still reporting “issues”, try obliterating the worm with third-party firmware (search the router database at www.snipca.com/18088). See our article for more on dealing with router worms.

Remove ransomware from your PC, tablet and phone


Ransomware, as you know, is fraud: paying up won’t remove ransomware (most of the time), and ransomware can often be removed for free. But there’s no ‘one size fits all’ fix. The best removal strategy depends on the type of ransomware and the device it has infected.

The single most effective antiransomware tool we’ve seen is Avast Ransomware Removal, which is free (www.snipca.com/18092). However it only works on Android tablets and phones, and is specifically designed to remove CryptoLocker and Simplocker ransomware. If you’re not infected by either, the app serves no purpose; it’s not a ransomware-blocker. Of course, if you are infected, you won’t be able to use your tablet or phone, so you’ll have to download the app to your device via your PC using the link above.

Avast’s free AV app, ‘Mobile Security & Antivirus’ (www.snipca.com/18130), claims it can detect and remove ransomware before your device is locked, but we haven’t been able to test this.

Most PC ransomware is tougher to remove than mobile ransomware, but security firms are working hard to keep up with the hackers. Some AV programs have been updated to include tools for unlocking and removing certain ransomware infections, so check your AV’s website for details. Kaspersky Internet Security, which consistently tops the tests run by our security team at Dennis Technology Labs (DTL, www.dennistechnologylabs.com), can now remove ransomware including CoinVault (www.snipca.com/18093).

However, ransomware is evolving fast. (Stop press: it’s now been found in jailbroken iPhones, so iOS certainly isn’t immune: www.snipca.com/18098.) As a result, removal tools become obsolete. Your best long-term defence against ransomware and data-wiping malware is not removal, but backing up. “The only easy, practical way to handle ransomware is to keep your data backed up,” DTL’s Simon Edwards told us. “It costs a few pounds a month to store all your files securely in an online backup system like Google Drive. You can even store multiple versions of files, which will help if you accidentally back up files encrypted by the malware.”

Block zero-day attacks before they’re discovered


Finally, back to zero. If zero-day malware exploits holes that haven’t been patched yet, how are you supposed to stop it?

Start by looking for a Cloud Protection option in your AV settings, and enable it (Kaspersky Internet Security and Norton Security both include this). This setting aims to give you protection from internet threats the moment they’re discovered.

Also install the free tool Malwarebytes Anti-Exploit (www.malwarebytes.org/antiexploit), which wraps all your browsers in extra layers of security to keep out new threats. Anti-Exploit is not a substitute for AV, but is fast turning into an essential companion for it.


WORST MALWARE HELPER EVER: PHISHING


Phishing is the art of tricking you into downloading something unsafe by making you believe you’re downloading something safe. There’s no clever technology involved – just plain old con-trickery.

For example, you may click a fake Download button and find yourself installing a vicious new backdoor Trojan, completely unawares.

Or you could click an irresistible email attachment, such as a file claiming to be a nude photo of former tennis player Anna Kournikova (www.snipca.com/17981) – and unwittingly infect your PC with a self-replicating worm. The Kournikova worm was so notorious in the early years of this century that it even featured in an episode of US sitcom Friends (here’s the script snippet: www.snipca.com/17983).

WHY PHISHING WORKS


You could have the toughest AV in the world, but it won’t stop a slippery phish.

Whenever you download a file, you’ll probably see a security warning along the lines of: ‘This file has been downloaded from the internet, are you sure?’. The normal human response is ‘yes, of course I’m sure.’ So you click Yes or OK, thereby telling your AV and OS the file is safe. So you can’t blame them for failing to block it. Basically, you’ve installed the malware yourself.

This doesn’t mean you’re stupid (or even that Chandler from Friends is stupid). Far from it, you’re just a confident computer user. Con artists have taken advantage of human nature since time immemorial – and we fear they always will. See our article 'Make Your PC Hack-Proof' for ways to tighten your phishing protection and other AV defences.


DO HEARTBLEED SCANNERS WORK?


The internet came under serious attack by Heartbleed, and it fought back with oodles of free tools for checking whether the services and devices you use are at risk. There are also loads of free apps that claim to check your tablet and phone for Heartbleed vulnerability. Search Google for ‘heartbleed check’ and you’ll get pages and pages of them.

But do they actually work? No, by and large. A study by UK security consultant Hut3 found that “most of the tools available failed to detect the Heartbleed vulnerability” (www.snipca.com/18094) - and some may even contain malicious bugs (a classic example of phishing).

The one “notable exception” in the Hut3 test was the SSL Server Test (www.snipca.com/18095) from Qualys, the company that makes the excellent free BrowserCheck tool. It’s not the friendliest-looking site, but it may be the most reliable place to check whether a site is at risk of Heartbleed and other password steal attacks.