Cudni (La Merma - Vigilado) MVM join:2003-12-20 Someshire kudos:13
2011-May-29 6:37 am
Not Even Security Managers Immune to FakeAV Infection
from » www.pcworld.com/article/ ··· k.hp_new
".. Can you believe it? As I sat down this morning to write this column, I got hit by a drive-by download of FakeAV. .. I discovered that the malware actually got into my system BIOS. That's right, it went so deep it actually got into my hardware. Even a BIOS upgrade didn't get rid of it. .."
A lot of things are possible, but this story... you decide.
Cudni
Smokey Bear (veritas odium parit) Premium Member join:2008-03-15 Annie's Pub kudos:4 1 edit
I know several well-known security folks who got hit by malware, so not a surprising story at all. About the BIOS part of the story I have doubts.
Edit: It can be the lad got hit by a drive-by download, but IMO he exaggerates terribly.
Mele20 Premium Member join:2001-06-05 Hilo, HI kudos:8
to Cudni
Why would a "security" person be using IE? Right there is the problem, and I sure would not characterize this person as a "security" manager.
I also find it hard to believe that he got infected without a whimper just because he left a tab open (even if it was on IE) and didn't visit the tab, so supposedly didn't know the website was busily infecting his computer all the way to his BIOS!
Geez... first of all, where was his classic HIPS? Where was the Proxomitron? Either one would have protected him. He didn't say what OS he was using, but if Win 7 then where was his Online Armor? The classic HIPS in it would have protected him. But Proxo (with Sidki's latest filters) would be the easiest protection! And he is a "security" manager? Besides, he must have been running as Admin. I do that on "nasty" ole XP, but I have strong protection. Just using an antivirus program is NOT sufficient protection, especially if you use IE (any version... although evidently 9 is more secure... I wouldn't know, since Microsoft doesn't want XP users to be secure since they have barred us from using IE 9).
As for this malware affecting the BIOS? I find that even more difficult to believe... especially since he claims this entire infection was TOTALLY SILENT.
Why didn't he run something like Avira's Rescue Disk? Other AVs have something similar. Surely a "security manager" would have a current Rescue disk (current meaning ready to go... it will get the latest definitions after booting with it). There are so many holes in his story. I wonder how much he was paid to concoct that?
therube join:2004-11-11 Randallstown, MD ·Xfinity ·Verizon Online DSL
to Cudni
So what, this is a zero-day drive-by that is affecting IE that he has discovered?
quote: My antivirus software is up to date and actively scanning, and my system is fully patched.
A/V is Fail.
quote: Sophos says there are so many variants being released constantly that it can be difficult to detect using traditional signature-based antivirus, which is what I have. Even with the latest updates, the newest variants can get through. Some variants are also employing polymorphic code, which changes itself so frequently that the MD5 hashes used by antivirus programs cannot be effective. Well, that explains how I got it despite having a good, up-to-date antivirus product.
Sophos (an A/V) is Fail.
quote: I was searching on Google. Search terms are being "poisoned" ... brought instead to a compromised website where the malware is lurking in an image or JavaScript code
How is malware lurking in an image? So there are unpatched malware image exploits against IE out there? JavaScript, think NoScript (though it does not help in the case of IE).
quote: the pages I opened must have contained the JavaScript or image version. It opened in a new tab, where I left it for later viewing, and it infected my system. Pop-ups appeared, all my browser sessions closed, and my antivirus programs were disabled. This is what's known as a "drive-by download."
He's discovered a zero-day drive-by! Some image or some JavaScript code on some page, all by itself, with no user interaction, disabled his A/V program & further closed his browser sessions. That must be some nasty code!
quote: I tried running three different antivirus and malware-cleanup utilities I already have on my system. None of them worked. In fact, they wouldn't even start.
Why try A/V? He & Sophos already said they are Fail.
quote: I tried to boot into safe mode, and that's when my computer went completely dead. It wouldn't boot at all. Even booting from the operating system CD didn't work.
A boot CD wouldn't even work? Hmm?
quote: I discovered that the malware actually got into my system BIOS.
(Again) that must be some nasty code!
quote: I had to disconnect my CMOS battery for a day to clear the BIOS
There was one time that it took me 40 days & 40 nights before my CMOS could be cleared. He was lucky to get off on only 24 hours.
quote: completely reinstall Windows and restore from backup
Wonder how he was accomplishing that?
quote: during my initial restore attempts, the system crashed in the middle of the restore process, which corrupted my backups. I lost my two most recent backups
What kind of backup system would corrupt the source media? I bet you it was that virus he had that did it. Probably even before he attached the backup to his system.
quote: after I got infected, my kids' computer also got hit with a variant called "XP Security Center." And the same day my infection happened, my company's desktop services manager
Good thing they weren't affected by that same nasty code! Oh, the horrors it would be to have to go through that 3 times (I'm shuddering as I write).
quote: Nobody is safe anymore
The world is a dangerous place.
quote: "J.F. Rice," whose name and employer have been disguised for obvious reasons
I think some other details have been disguised too?
DownTheShore (Trump-The new face of fascism) Premium Member join:2003-12-02 Beautiful NJ kudos:14
to Cudni
Not to say it can't happen, but heck, I'm not a security person and yet whenever something tries to modify anything on my computer I usually get several pop-ups from my various security programs asking if it is okay, not to mention the UAC pop-up. When I use Google to search, WOT and Norton Site Safety are on, so I don't even click on a result if they rate the site wonky. I've even drifted away from IE7 to Pale Moon, so now I've also got to give permission to No-Script before a web page will even display properly.
trparky (Android... get back here) MVM join:2000-05-24 Cleveland, OH kudos:4 ·AT&T U-Verse
I'm going to make a mental note never to trust anything that this "security professional" says. Obviously, he doesn't know what he's talking about. I agree with you Mele20, partly. Seriously... who in their right mind still uses Internet Explorer? God, that thing is an exploit waiting for a time to happen. I don't use Proxo, I don't use a "Classic HIPS" component. I just use a simple combination of NIS2011 and MalwareBytes AntiMalware, both running as resident scanners. I don't use Internet Explorer, I use Google Chrome religiously. Nope, no viruses. No infections. No nothing. I surf the web calmly and safely, knowing that what I have in terms of defenses will do the job and do it well, all without eating CPU cycles.
Smokey Bear (veritas odium parit) Premium Member join:2008-03-15 Annie's Pub kudos:4
I feel the need to explain my previous statement about my doubts regarding BIOS infection.
- There are 'proof of concept' demonstrations performed by security researchers, but I have never heard of any BIOS infection that occurred 'outside the lab'. It's also highly unlikely that such will happen, hence I have to rate all stories about infected BIOSes as being science fiction; besides, a FakeAV like the article author is talking about will never be able to infect a BIOS.
- Article author J.F. Rice is talking about disconnecting the CMOS battery for a day to clear the BIOS. This statement demonstrates clearly he is talking crap; disconnecting for a period of 5 minutes will do the job too.
J.F. Rice's name is "disguised for obvious reasons"; to me these reasons are that he is a true crotcheteer and fiction-monger, hence he disguises his real name.
Lagz Premium Member join:2000-09-03 The Rock
2011-May-29 11:38 am
to Mele20
said by Mele20: Why would a "security" person be using IE? Right there is the problem and I sure would not characterize this person as a "security" manager.
I agree. I stopped reading after the mention of Internet Explorer. I use IE on test systems, but have yet to start using it again as my main browser on my main computers.
to Smokey Bear
said by Smokey Bear: I feel the need to explain my previous statement about my doubts regarding BIOS infection.
- there are 'proof of concept' demonstrations performed by security researchers, but I have never heard of any BIOS infection that occurred 'outside the lab'. It's also highly unlikely that such will happen, hence I have to rate all stories about infected BIOSs as being science fiction, besides, a FakeAV like article author is talking about will never be able to infect a BIOS.
- article author J.F. Rice is talking about disconnecting the CMOS battery for a day to clear the BIOS. This statement demonstrate clearly he is talking crap, disconnecting for a period of 5 minutes will do the job too.
J.F. Rice's name is "disguised for obvious reasons", to me these reasons are that he is a true crotcheteer and fiction-monger hence he disguise his real name.
There seems to be some confusion here between CMOS and BIOS. CMOS is a tiny section of static RAM that is used to store configuration parameters. Usually it is bundled with the clock/calendar chip. There is no capability to store actual executable code in CMOS RAM. I don't care what you write there, it can't execute. It can really mess up your system by having crazy settings that get used by the BIOS, but the most likely outcome of that is that the system can't boot at all. Perhaps the optical drive could be disabled in CMOS, preventing CD boot. Still, no executable code.
As for how long you have to disconnect the CMOS battery for it to lose its contents, that will depend greatly on the temperature. If you keep the CMOS clock/calendar chip cold enough, it could hold its contents indefinitely, except for the clock/calendar circuitry drawing current and draining the remaining charge from any bypass capacitors. Last time I looked, my motherboard had a jumper that could be configured to short the CMOS VDD pin to gnd, effectively discharging the CMOS instantly. To do that, you had to remove the jumper from the left 2 pins of a 3 pin header and install it on the right-most 2 pins of the same 3 pin header.
Now, on to the BIOS itself. Last I checked, BIOS is stored in NOR flash memory and this doesn't care one whit what you do with the CMOS battery. If the flash BIOS was infected, no amount of screwing around with CMOS is going to make it forget and go back to an uninfected state. Just my .02
to Lagz
said by Lagz: said by Mele20: Why would a "security" person be using IE? Right there is the problem and I sure would not characterize this person as a "security" manager.
I agree. I stopped reading after the mention of internet explorer. I use IE on test systems, but have yet to start using it again as my main browser on my main computers.
How secure is IE9 with the new ActiveX Filtering and the enhanced SmartScreen Filter turned on?
to Cudni
I seriously doubt the BIOS infection part. Unless he was running a system that had some sort of built-in storage, such as a readyboot or something similar, to boot straight into an enclosed environment.
As for the drive-by on google images? It's been verified in the wild repeatedly. A lot of the top results on google image search for a number of popular searches have embedded javascript to do a drive-by just by moving the mouse over the image. NoScript should take care of that. It'd also render the image search virtually worthless, I'd imagine. Really, that's code fail on Google's part and they should have been working on fixing it the first time it was reported.
DrModem (Trust Your Doctor) Premium Member join:2006-10-19 USA kudos:1
2011-May-29 2:12 pm
What the heck @ disconnecting CMOS for a day...
Guy is nuts.
Smokey Bear (veritas odium parit) Premium Member join:2008-03-15 Annie's Pub kudos:4
to y010
said by y010: If the flash BIOS was infected
So you are of the opinion it is indeed true this happened with the flash BIOS of the author's box?
jaykaykay (4 Ever Young) MVM join:2000-04-13 USA kudos:24 ·Cox HSI 1 edit
to Cudni
I just sent the article to a friend of mine who, just last night, bragged about how they were experts and wouldn't run into such problems. He who has the last laugh...... I am not laughing, of course. I am fortunately aware enough to know that even those that know lots of security measures and are so-called 'pros' can get bit in the backside. Thanks for posting the article, in that I no longer take the magazine and wouldn't have seen it were it not for this post.
And, after reading everyone else's posts here, I must say that you are all pretty petty. Some companies work in a secure industry and still use IE, and some of those still use XP! Some of those companies are run by people who are not security pros themselves, but have had their system's IT do the job for them to keep them secure. Whether the writer is actual and whether the BIOS actually got hosed is really not the point of the article, IMHO.
Thaler Premium Member join:2004-02-02 Los Angeles, CA kudos:3
to Cudni
said by Cudni:".. Can you believe it? As I sat down this morning to write this column, I got hit by a drive-by download of FakeAV. .. I discovered that the malware actually got into my system BIOS. That's right, it went so deep it actually got into my hardware. Even a BIOS upgrade didn't get rid of it. .." 
Could it be that it "infected" the electrical wiring of his location too? I mean, why stop at a BIOS infection?
Thaler
to trparky
said by trparky: Seriously... who is their right mind still uses Internet Explorer? God, that thing is an exploit waiting for a time to happen.
No offense, but running an out-of-date browser, OS, or web plugin/application of any kind is what's asking for an infection. So long as your OS, browser, and plugins are updated, the only real infection threat stems from zero-day infections and PEBKAC issues.
trparky (Android... get back here) MVM join:2000-05-24 Cleveland, OH kudos:4 ·AT&T U-Verse
said by Thaler: said by trparky: Seriously... who is their right mind still uses Internet Explorer? God, that thing is an exploit waiting for a time to happen. No offense, but running an out-of-date browser, OS, or web plugin/application of any kind is what's asking for an infection. So long as your OS, browser, and plugins are updated, the only real infection threat stems from zero-day infections and PEBKAC issues.
Internet Explorer is still the most targeted web browser out there by the bad guys. By virtue of the fact that you aren't using something that everyone is trying to "beat down the doors" on makes you a lot more secure.
Thaler Premium Member join:2004-02-02 Los Angeles, CA kudos:3
2011-May-29 6:21 pm
Yeah... that "security through obscurity" thing's been working out real good for Mac users lately: » en.wikipedia.org/wiki/Ma ··· Defender
Again, it's best to fix the underlying problem and run updated software. Leaving yourself vulnerable and hoping nobody exploits it is where you begin asking for problems.
Mike Mod join:2000-09-17 Pittsburgh, PA kudos:2
2011-May-29 7:50 pm
Safari is the Internet Explorer of Apple. Anyone in their right mind uses Firefox or Chrome on a Mac.
Doctor Four (My other vehicle is a TARDIS) Premium Member join:2000-09-05 Dallas, TX
to Cudni
There are a lot of inaccuracies in that PC World article, and some things that seem hard to believe.
The part about FakeAV infecting the BIOS seems to be the hardest part to believe. And furthermore, for a so-called security manager, there are a few things he was doing that are not very secure, like using IE with just an antivirus. That won't cut it with many of today's threats.
He says that images are infected, when that is not entirely accurate. The images themselves are not infected, but rather the links to previews in Google image search contain PHP or JavaScript which redirects you to the FakeAV sites.
to Cudni
I haven't read the article yet, and when I do I will probably treat it with much the same skepticism that others here have shown. But if you kept up at all with what came out of the battle between HBGary Federal (security pros) and Anonymous (counter-security pros) a few months back, you'll know that those guys (HF) claimed to have access to any number of attack vectors and other back-doors which many of us here would exhibit considerable incredulity over, at least at first glance.
Remember, those guys' foremost customers are the Feds and other spooks, both from a "How do we break in?" perspective and a "How do we protect ourselves from break-ins?" perspective. So I wouldn't take any of the claims that they made lightly. They (HF) were raising the specter of BIOS attacks at least five years ago, and at the time were promising that these would be out in the wild any day now (no doubt because they were creating their own, too).
Mr Anon Anon
2011-May-29 9:08 pm
to Cudni
I have read this article and I find it quite... amusing. I am not a believer that security starts with not using IE; I know it is the most targeted and well broken into platform, but it's not a death trap (I do believe, however, that some HTML 5 features in time will prove to be the next ActiveX).
To pick apart this article:
- This expert hasn't dealt with or heard much about FakeAV until infected?
- You still believe that safe mode is safe?
- BIOS infection? (I do have a machine at work that I cannot boot via a newly created CD, and my USB boot thinks grub doesn't exist, but it also doesn't like a simple USB hub, so it could just be the machine itself.)
- Your 'backup' seems to be located on your system's hard drive.
Those four points will do it. I've come to know much about FakeAV even before I came to the first infection, and it's been around for a while now; it's actually easier to kill on a networked computer than one just used alone. I myself had started to dabble in enabling software to run in safe mode before I switched to the better option of offline repair via PE or vendor rescue CDs. Lastly, backups aren't backups if they are in the same danger zone; for this very reason my organization's backups are replicated at another building. It's a 16 (actually 15 + 1 hot) array with a good bit of redundancy, but it doesn't mean jack if the place were to burn down. With that said, if your "backups" are on your computer's drive and it fails... they aren't really backups, are they.
urbanriot Premium Member join:2004-10-18 Canada kudos:3 ·Xplornet ·Cogeco Cable
to starfish8
said by starfish8: How secure is IE9 with the new ActiveX Filtering and the enhanced SmartScreen Filter turned on?
Out of the box, it's just fine, and if a "Security Manager" was infected, he should stick to managing and stay out of security. Anyone have a link to a site that will infect your IE9 browsing PC that you can't ALT-F4 out of or, at the very least, log off?
to AnonShawUser
For those who have been around a bit longer than Windows XP -- say WIN98 days -- there were most certainly virus types that would corrupt your CMOS. See » www.symantec.com/connect ··· rus-bios and » www.mcafee.com/threat-in ··· ?id=1440 for more information. For about 6 months there were a couple of places selling a whole lot of Packard Bell replacement chips. Didn't hear much about it after that, until a year later when a story emerged that it was traced to a kid now in the Korean Army, and that their military wasn't going to pursue any charges for known hardware damages in the tens of thousands of U.S. dollars.
Khaine join:2003-03-03 Australia
to Cudni
see Manager, read PHB
urbanriot Premium Member join:2004-10-18 Canada kudos:3 ·Xplornet ·Cogeco Cable
to ja133
Sure, when a virus flashed a BIOS with evil code, we used to hotflash them to fix them. This guy though, he's referring to "CMOS" settings and not BIOS code... and he had to unplug his battery?! What is this, 1989? He could have jumpered CMOS reset.
And he tried using three cleaning utilities, meaning he was incapable of recognizing malicious registry keys with his own eyes and he had to redo his windows?!
Everything about that article stinks.
Cheese Premium Member join:2003-10-26 Naples, FL kudos:1
to jaykaykay
Also, I find it amusing some people here think they know better than the people who do this for a living...
urbanriot Premium Member join:2004-10-18 Canada kudos:3
2011-May-29 11:59 pm
I certainly don't claim to know better how to manage people...
Cheese Premium Member join:2003-10-26 Naples, FL kudos:1
2011-May-30 12:01 am
said by urbanriot: I certainly don't claim to know better how to manage people...
I never named names and I most certainly wasn't referring to you.
urbanriot Premium Member join:2004-10-18 Canada kudos:3
2011-May-30 12:17 am
Nuts. I thought I was being clever and funny.