Macros and You: An old attack becomes chic again

Some of the earliest computer viruses and malware were created using macros in Microsoft Office documents. These pieces of malicious code would run once the document was opened, and the infection would happen without the user even being aware that their machine had been compromised. While these types of attacks had fallen out of favor over the years, they've come back in style and are more popular than ever before.

What exactly is a macro? While you've probably heard the term thrown around before, most people don't actually know what macros are or what they're capable of. In short, macros are little snippets of code that run inside your Office software. Many people use macros to speed up repetitive processes, like formatting items. Unfortunately, the same type of code that is used to perform the mundane can also be used to perform the malicious.

Due to the ease of abuse, Microsoft removed the automatic enabling of macros many years ago. This is ultimately what led to the majority of these types of attacks going by the wayside. Because there was no longer an easy way to abuse macros on most machines, would-be attackers changed their methods to more traditional programs, which are far easier to detect with a normal malware scanner.

With the recent surge in ransomware, would-be attackers needed new methods of delivery. The anti-malware engines had been able to detect many variants, and it was only getting easier. This meant that stealth was needed. What better way to do that than to bring back a tried-and-true method: Office macros? Few people expected it, since these infection types hadn't really been seen in years.

The basic attack is carried out like this:

1) An infected person sends you an email with a subject similar to "ATTN: Invoice Attached" that has a Word document attached.

2) The recipient downloads and opens the file, only to see a garbled mess of characters with a notice that says "Enable macro if the data encoding is incorrect" in big bold red letters at the top of the window.

3) The unknowing victim enables macros, thereby initiating the malicious code.

4) The code runs, sends an email to your Outlook contacts (attempting to infect them), downloads whatever payload(s) it wants, then runs the ransomware (locking your files).

Because of the sharp increase in these types of attacks, Microsoft, SUPERAntiSpyware, and many other security vendors recommend that all users disable macros if they do not need to use them. While macros should be disabled by default, it is worth double-checking your preferences in order to ensure that you are protected as well as possible.
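As an added example (not code from the original post), the following Python script triages an emailed Office document before anyone is tempted to click "Enable macro": it reports whether the file carries a VBA project and whether that contradicts its extension. The sample documents are constructed in memory; the part names and content type it checks are the standard OOXML ones, and the .docx/.xlsx/.pptx "macro-free" rule is the assumption the extension-mismatch check relies on.

```python
import io
import zipfile

# OOXML part names where Word, Excel and PowerPoint store a VBA project.
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
# Legacy binary formats (.doc/.xls/.ppt) are OLE compound files that start with this
# signature; they can carry macros without any zip parts, so treat them as "needs a look".
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Extensions that are not supposed to carry macros at all (assumption: the usual trio).
MACRO_FREE_EXTS = (".docx", ".xlsx", ".pptx")


def inspect_office_file(filename: str, data: bytes) -> dict:
    """Return triage findings for an Office attachment held in memory."""
    findings = {"has_vba": False, "legacy_ole": False, "ext_mismatch": False, "parts": []}
    if data.startswith(OLE_MAGIC):
        findings["legacy_ole"] = True
        return findings
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            found = [p for p in VBA_PARTS if p in names]
            ctypes = zf.read("[Content_Types].xml") if "[Content_Types].xml" in names else b""
    except zipfile.BadZipFile:
        return findings  # neither OLE nor zip: not an Office document at all
    if found or VBA_CONTENT_TYPE in ctypes:
        findings["has_vba"] = True
        findings["parts"] = found
        # A macro project inside a "macro-free" extension is a strong sign of tampering.
        if filename.lower().endswith(MACRO_FREE_EXTS):
            findings["ext_mismatch"] = True
    return findings


def build_sample(with_vba: bool) -> bytes:
    """Construct a minimal OOXML document in memory (a constructed sample, not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ctypes = b"<Types>"
        if with_vba:
            ctypes += (b'<Override PartName="/word/vbaProject.bin" '
                       b'ContentType="application/vnd.ms-office.vbaProject"/>')
        ctypes += b"</Types>"
        zf.writestr("[Content_Types].xml", ctypes)
        zf.writestr("word/document.xml", b"<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00placeholder VBA project stream\x00")
    return buf.getvalue()


def verdict(filename: str, data: bytes) -> str:
    """Human-readable summary of the findings for a single attachment."""
    f = inspect_office_file(filename, data)
    if f["legacy_ole"]:
        return f"{filename}: legacy binary Office file, may contain macros; inspect before opening"
    if f["ext_mismatch"]:
        return f"{filename}: macro project hidden in a macro-free extension; do not open"
    if f["has_vba"]:
        return f"{filename}: contains VBA macros ({', '.join(f['parts'])}); keep macros disabled"
    return f"{filename}: no macro project found"


if __name__ == "__main__":
    print(verdict("ATTN_Invoice.docm", build_sample(True)))
    print(verdict("quarterly_report.docx", build_sample(False)))
```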

For more information on how to disable macros in Office files, please visit this Microsoft Support article.

NOTE: This is a recommendation specifically for home users; if you are in a work environment, please contact your IT department before making any changes!


Happy 10 year Anniversary to us!

A lot can happen in 10 years

This past month, SUPERAntiSpyware® reached a milestone – we’re 10 years old! Let’s take a look back at some of the bigger events that have happened over the past 10 years, just to see how far we’ve come:

2006- SUPERAntiSpyware® is born, Twitter is launched, Pluto is demoted to “dwarf planet” status, the West African black rhino is declared extinct, 20th Winter Olympic Games open in Italy, Brontok email worm discovered

2007- Apple debuts the iPhone, Google Street View is launched, “The Sopranos” series finale, “Harry Potter and the Deathly Hallows” released, “The Big Bang Theory” debuts on CBS, Boris Yeltsin dies, Zeus/Zbot banking Trojan discovered

2008- Beijing hosts the Olympic Games, “Iron Man” is released, Bill Gates steps down as Chairman of Microsoft, The Large Hadron Collider is powered up, Barack Obama elected President of the USA, Conficker and Koobface information stealing worms discovered

2009- Chrysler and General Motors file for bankruptcy, Statue of Liberty’s crown reopens to public, Michael Jackson dies, Boeing 787 makes its maiden flight, Windows 7 released, Daprosy password stealing worm discovered

2010- BP Deepwater Horizon oil spill, Chilean mine incident, Supreme Court Justice John Paul Stevens announces his retirement, Burj Khalifa is officially opened, Eyjafjallajökull erupts in Iceland, “Don’t Ask Don’t Tell” repealed, Stuxnet Trojan cripples Iranian nuclear facilities

2011- Prince William and Kate Middleton married, Osama Bin Laden killed, “The Hunger Games” published, Steve Jobs dies, Japan tsunami hits Fukushima nuclear plant, Final launch of Space Shuttle Discovery, “Game of Thrones” premieres on HBO, ZeroAccess downloader rootkit discovered

2012- Hurricane Sandy hits East coast of USA, West Nile Virus hit 48 states throughout the year, Curiosity Rover lands on Mars, Dick Clark dies, Russia joins World Trade Organization, Windows 8 released, Flamer espionage Trojan discovered

2013- Pope Benedict XVI announces his retirement, Pope Francis elected, Edward Snowden admits to leaks of NSA materials, Nelson Mandela dies, DOMA ruled unconstitutional by US Supreme Court, “Frozen” debuts, CryptoLocker family of Ransomware is born

2014- Boko Haram kidnaps 280 girls, Seattle Seahawks win first Super Bowl in franchise history, Malaysia Airlines Flight MH370 vanishes, Attorney General Eric Holder resigns, Malala Yousafzai wins Nobel Peace Prize, Regin Trojan dropper is discovered

2015- Jon Stewart leaves “The Daily Show”, oldest stone tools found in Kenya, David Letterman leaves “The Late Show”, American Pharoah wins first Triple Crown in 37 years, Microsoft launches Windows 10, CryptoWall family of ransomware is discovered

2016- SUPERAntiSpyware® turns 10 years old

It’s hard to believe that it’s been 10 years since SUPERAntiSpyware was released to the general public. Just look at all the things that have changed around the world! Despite all of that change, one thing remains constant – we’re here to serve you.

In honor of our loyal customers, we’ve decided to run a small contest. If you go to our Facebook page and like/share this article with your friends, we’re going to enter you into a drawing for one of ten (10) SUPERAntiSpyware® Gift Packs! This gift pack includes a SUPERAntiSpyware® logo coffee mug, a SUPERAntiSpyware® logo pen, a copy of the SUPERAntiSpyware® install disc, a 1-year 3-user license, and some assorted goodies.

Not a bad deal, huh? The contest will go on until 12pm PST on April 29, 2016. Like and Share this post on Facebook now to enter!


Ransomware: Revisited

A lot has changed in the world of ransomware since we last talked about it on this blog back in 2013. For those who are new to ransomware, this post should provide a primer of what this family of malware is and what it does. For those who are more well-versed, some of our best practices at the end of this post should help provide some extra prevention methods.

TeslaCrypt, Locky, CryptoLocker, CryptoWall, and other ransomware families are making their way around the internet at breakneck pace. If you find yourself in the unfortunate position of having fallen victim to this type of malware, you’ve essentially got two options: pay up or start from scratch. While this is not something that most people want to hear, it’s the unfortunate reality for a machine that’s been ravaged by these types of infections. Even the FBI has come out and stated that your best option for data retrieval is to pay the ransom (if you do not have proper backups)!

What is Ransomware?

Ransomware is a designation given to families of malware that encrypt your personal files and then demand a ransom payment in order to hand over the decryption key. The types of files that ransomware targets range from generic text files and documents, to pictures, to video games, to music, and even beyond. Unfortunately, the encryption that’s used is so strong that newer versions of some ransomware are completely impenetrable.

Most ransomware families are spread by a special type of Trojan called a “dropper”. The purpose of a dropper is to run processes in the background of your machine to download and execute code from a remote server. That code then searches your computer for files of a specific type (or types), then modifies those files by scrambling them with high-end, two-part encryption. After a critical mass of files has been encrypted, the ransomware will typically create a few unencrypted documents and/or display a dialogue on your machine telling you that you’ve been locked out of your files unless you pay the price. To add fuel to the fire, many variants impose a timer for when payment is “due”. If you don’t pay in time, they either increase the ransom or delete the encryption key from their server, thereby making it impossible to retrieve your files.

To make matters worse, many different ransomware variants will disable the Volume Shadow Copy Service on your machine. This service is used by Windows to perform automatic backups and create restore points. These backups are what you would typically use to “roll back” your computer to before a major change happened.
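The behaviour described above (one process rewriting many files under a new extension across local and network folders, dropping a ransom note, and removing shadow copies) is what behavioural detection keys on. As an added example that is not code from the original post, here is a small Python detector run over constructed telemetry; the event shape, the thresholds, and the process and path names are all assumptions made for the example.

```python
import ntpath
from collections import Counter, defaultdict

# Constructed telemetry in the shape (timestamp_seconds, process, action, path).
# It is made up for this example and does not come from any real incident.
def build_sample_events():
    events = [
        (10.0, "explorer.exe", "rename", r"C:\Users\amy\Desktop\notes_v2.txt"),
        (12.0, "winword.exe", "write", r"C:\Users\amy\Documents\report.docx"),
    ]
    dirs = [r"C:\Users\amy\Documents", r"C:\Users\amy\Pictures",
            r"C:\Users\amy\Music", r"\\fileserver\shared\finance"]
    for i in range(24):
        # one process giving files a new extension, spread over local and network folders
        events.append((20.0 + i, "dropper.exe", "rename",
                       ntpath.join(dirs[i % 4], f"photo{i}.jpg.locked")))
    events.append((45.0, "dropper.exe", "create",
                   r"C:\Users\amy\Documents\HOW_TO_DECRYPT.txt"))
    return events


def detect_encryption_burst(events, window=60.0, min_files=20, min_dirs=3, min_ext_share=0.8):
    """Flag processes that rename many files across several directories within `window`
    seconds, mostly to one new extension. Returns (process, files, dirs, extension) tuples."""
    renames = defaultdict(list)
    for ts, proc, action, path in events:
        if action == "rename":
            renames[proc].append((ts, path))
    alerts = []
    for proc, items in renames.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # slide the window so it only covers renames within `window` seconds
            while items[end][0] - items[start][0] > window:
                start += 1
            span = items[start:end + 1]
            if len(span) < min_files:
                continue
            dirs = {ntpath.dirname(p) for _, p in span}
            ext, count = Counter(ntpath.splitext(p)[1].lower() for _, p in span).most_common(1)[0]
            if len(dirs) >= min_dirs and count / len(span) >= min_ext_share:
                alerts.append((proc, len(span), len(dirs), ext))
                break  # one alert per process is enough
    return alerts


RANSOM_NOTE_HINTS = ("decrypt", "recover", "restore", "readme", "how_to")

def detect_ransom_notes(events):
    """Return paths of newly created text/HTML files whose names read like ransom notes."""
    return [path for _, _, action, path in events
            if action == "create"
            and ntpath.splitext(path)[1].lower() in (".txt", ".html")
            and any(h in ntpath.basename(path).lower() for h in RANSOM_NOTE_HINTS)]


# Command-line fragments that delete Volume Shadow Copies (MITRE ATT&CK T1490).
SHADOW_COPY_PATTERNS = (("vssadmin", "delete", "shadows"),
                        ("wmic", "shadowcopy", "delete"))

def is_shadow_copy_tampering(cmdline):
    """True when a process command line matches a known shadow-copy deletion pattern."""
    lowered = cmdline.lower()
    return any(all(tok in lowered for tok in pat) for pat in SHADOW_COPY_PATTERNS)


if __name__ == "__main__":
    evs = build_sample_events()
    for alert in detect_encryption_burst(evs):
        print("encryption burst:", alert)
    print("ransom notes:", detect_ransom_notes(evs))
    print("shadow copy tampering:",
          is_shadow_copy_tampering("vssadmin.exe Delete Shadows /All /Quiet"))
```

In practice the three signals are combined: a rename burst alone can be a legitimate batch job, but a burst plus a ransom note or shadow-copy deletion from the same process is a strong reason to isolate the machine and detach its backups.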

How did I get infected?

Ransomware droppers come in all different shapes and sizes, but one thing that’s true about them is once they’ve been started, it’s almost always too late. These droppers typically are files that you download from your email, other websites, or p2p servers (such as torrent sites). Unfortunately, this is changing rapidly, and we’re starting to see “drive-by” exploits occur in the wild through infected ad-streams on popular sites many people visit on a daily basis.

One of the most frustrating parts of ransomware infections is that they’re extremely difficult to clean up. Even if you run antivirus and antimalware scanners, once the damage has been done, there’s nothing that these pieces of software can do to reverse it. These tools, including SUPERAntiSpyware®, can remove the underlying cause of the infection (the dropper) in many instances, but the encryption itself can’t be reversed.

Some versions of ransomware will display messages saying that they are from the FBI, NSA, INTERPOL, or other law enforcement agency. They’ll accuse you of possessing illegal documents and/or visiting illegal websites. This type of scare tactic has fallen out of favor, as people have gotten wise to it. Most modern ransomware will simply display a page admitting freely that you’ve been infected and display instructions on how to pay the ransom.

If you have a home or office network, it’s also possible that your machine got infected because it shares a network with another infected machine. Because of how these infections work, they simply spread out across whatever drive space they can see, encrypting whatever data can be found, regardless of whether it is on the machine that was initially infected.

What about my data?

If your machine has fallen prey to a ransomware attack, there’s not a whole lot that can be done with the files that were encrypted. Creating new files without removing the underlying infection is a fool’s errand, as they will quickly become encrypted as well.

After coming to terms with the fact that your data has been encrypted, you will find yourself in the middle of an ethical quagmire. If you pay the ransom that is demanded, you will most likely get your files back; however, you’re actively giving these attackers what they want, which is your money. There’s also no guarantee that by paying, your files will be restored; however, if people didn’t get their files back by paying the ransom, why would people continue to pay? If you don’t pay the ransom, you will lose access to all of your files, some of which may be irreplaceable. This is probably one of the most difficult decisions you will make after an infection.

While we can’t tell you one way or the other to pay the ransom or not, one thing that makes it extremely easy to rebound from is the availability of recent backups. If your backups are good, it is far more palatable to format your machine and reinstall the operating system than it is to pay the ransom. There are a few older variants of ransomware that can be decrypted by special software; however, these versions aren’t found in the wild much anymore for that very reason.

How can I protect myself?

There are many different steps you can take in order to help ensure that your machine doesn’t fall victim to a ransomware attack. Below you will find some of the best practices we have to offer:

Back up your data frequently on an external hard drive AND in the cloud. One set of backups is very rarely going to provide you with 100% coverage, either due to timing differences between when you back up your data and what you’re working on, drive failures, or infection of files in your backup.

If you network computers in your home or office make sure that each machine has its own set of backups. Most ransomware infections can not only infect drives that are connected directly to the infected machine, but also the drives of machines that are connected to the same network as the infected machine.

Always disconnect physical backup drives from your machine when not in use. If you constantly have your backup drive plugged in, there’s a strong chance that the ransomware can find and encrypt files on your backup drive.

Don’t ever download from a site that tells you that something is outdated on your machine. Websites aren’t able to detect outdated software or drivers unless you give them access to your machine. If you think that you have outdated software, download the latest version directly from the publisher’s website.

Practice caution when downloading files of any kind, even if it’s something that your grandmother sent you. Many variants of ransomware will send out emails to logged-in accounts with copies of itself attached. Always make sure to save files to your machine before running them, and always scan those files with your antivirus and antimalware scanners.

Keep your antivirus and antimalware scanners up to date with both the most recent versions of the programs themselves and the most recent versions of the detection databases. You should also take this practice a step further and make sure to keep your operating system up to date as well, as many attacks rely on exploiting bugs that have already been patched.

Leave macros in Microsoft Office disabled if you do not use them regularly, and do not turn them on if you don’t. One of the most common attack vectors of ransomware is to have unknowing victims turn on macros in order to “fix” a document that appears to be corrupted. In actuality, once the macros are enabled, the dropper begins its work.

Don’t give yourself (or other users) more login power than you need. Having administrator rights to your machine is definitely something most people overlook. Unfortunately, if a ransomware infection sees that you have administrative access, it makes the computer much easier to infect.

(OPTIONAL) Use ad-blocking software while browsing the web, disable scripting within your web browser, disable Flash, and disable Java. Many of the drive-by attacks are distributed through infected advertisements, JavaScript commands, or through files that download automatically when you open the page. By turning off this vector of attack, you might limit some of your web browsing capability, but you will be that much more secure against attacks.


PUPs and You: How to Identify and Remove Potentially Unwanted Programs

The internet today is just as dangerous of a place as it ever was. Sure, there are plenty of trusted websites you visit on a daily basis that pose little to no risk to your computer. The worst that happens to most people are unwanted tracking cookies from ad servers being placed on their machine, which is a small price to pay for free access to these sites, especially since they are so easy to remove with programs such as SUPERAntiSpyware®.

Today we’re going to talk about Potentially Unwanted Programs or PUPs for short.

What are PUPs?

PUPs live in the grey area of the software spectrum. Sometimes, they can provide a service that you want, such as coupons or the ability to download videos from popular sites like YouTube; however, sometimes the programs that we classify as PUPs can be the underlying cause of unwanted behavior, such as displaying ads, installing other pieces of software, or modifying your web browser’s homepage. 

The most common sources of PUP “infections” are download websites that bundle other pieces of software in with the software that you are really trying to get. Unfortunately, many of the companies that make legitimate software don’t have a say in this bundling of software, as the download host is the one that is making a special installer that will offer up these other pieces of software before you can, or in order to, download and install the piece of software you want.

Many people just click the next button over and over again until they get the software they want installed. The downside to this method of installing software is that you leave yourself susceptible to PUPs on your machine, oftentimes not realizing what has been installed until it is too late. This is what many of these bundled installers are hoping for. They want you to blindly click through so they can get paid for the install of software, as these sites get paid for each piece of software they are able to distribute to end-users, even if they don’t necessarily want what they’re getting.

Once a computer has been “infected” by a PUP, the user may notice major performance slowdowns or other erratic behavior. The most common side-effects of PUPs include unwanted or unknown software popping up on your screen telling you there’s a problem, advertisements taking over your screen (either through the web browser directly, or through pop-ups outside the main browser window), system resources being hogged (slowing down the computer), toolbars being installed without your knowledge, and your browser’s homepage being redirected to an unknown/unwanted website.

How can I protect myself from PUPs?

The easiest way to avoid installing PUPs is to make sure that you’re downloading programs from trusted sources (always from the software publisher, if possible), that you’re reading each of the screens on install wizards (removing any unwanted options from the installation), and that you’re doing your research on whether or not the software you’re looking for is safe and held in high regard by members of the community.

One of the biggest traps out there in the wild is the ubiquitous “Big Button”. You have probably seen these before. Say, for example, you’re looking for new media player software to play movies and music. In order to get that software, you go to a file hosting website, and you’re immediately greeted with three green buttons, a red button, and a yellow button, all with the word “DOWNLOAD” in bold capital letters across the center of them. Which one is the correct button to press?

Sometimes reading through the website isn’t enough to show you exactly which button is the real button, and which is an advertisement for another piece of software that’s been embedded near the correct button. Some websites even offer two different versions of the software: one that’s a clean installer, the other is an ad-supported/bundled installer.

This is why we recommend trying to download the software you want directly from the company who makes it. They want you to use their software, so they’re going to make it as easy for you as possible to get what you want. That means no bundled software and no ads that are disguised as download links.

Keep in mind that not all bundled software is bad. Many programs will offer downloads of legitimate products, such as Google Chrome or Dropbox. It’s a common occurrence in the software industry; however, if you’re not familiar with the name of the product a company wants you to install, you should always err on the side of caution and opt out of having that software installed.

How do I get rid of PUPs?

Most PUPs can be removed by going into your control panel and uninstalling them just as you would any other piece of software. Unfortunately, this doesn’t always work. Programs such as SUPERAntiSpyware® try to remove these PUPs before scans, and most of the time we’re successful; however, new PUPs, new malware/spyware threats, and variants of existing threats are created daily.

A couple of easy ways to try to get rid of these PUPs before running more in-depth cleaning are to remove any unknown browser extensions in your web browser and to use the add/remove programs feature within Windows. Typically these PUPs will have their own uninstall files that can easily remove the threat once it is known. As always, exercise caution when removing programs, as not all “unknown” programs are malicious.

If you think that your machine might have PUPs that you can’t seem to get rid of, or any other malware infection for that matter, the best course of action is to first figure out exactly what you’re dealing with. If there is any distinguishing information you can see (like the program name), do a quick search to see how to remove the program. Most of the time, there will already be a removal guide available for the specific PUP or threat you’re dealing with.

Dealing with pesky PUPs can be time consuming, but remember, the time you take to fix the issue when you first notice it is time you save dealing with a computer that’s been slowed down by these unnecessary and unwanted programs.

Why are you calling <Software Name> a PUP? There’s nothing wrong with it!

There are many different criteria that go into classifying a piece of software a PUP. Keep in mind that the first letter of the acronym stands for POTENTIALLY. If a piece of software you want or use on a regular basis is being detected as a PUP, you’re more than welcome to keep using it or ignore the detection within SUPERAntiSpyware®. 

We try not to remove anything from your machine unless we know that it has unwelcome side effects. Some of the criteria we use for determining whether a piece of software is a PUP are outlined below:

- The software is known to display advertisements. This covers everything from pop-ups, pop-unders, ad overlays, and inserting in-text ads to replacing existing advertising streams.

- Hijacking one or more installed web browsers. This covers everything from redirecting the homepage (with or without permission), altering search results, inserting bookmarks, and installing unwanted add-ons/extensions to installing toolbars that bring value to the maker rather than the user.

- Bundling other software. This covers everything from including other software as a bundle (optional or otherwise) with a desired piece of software, to being included in a bundle from another software or download site, to making it difficult/impossible to opt out of bundled software.

- The overall sentiment of the program is bad. This covers install and uninstall trends for particular pieces of software based on reviews and removal guides from trusted sources, using alarmist notifications to trick the user into purchasing, forcing a purchase to clean or fix issues with or without explaining what the issues are, and using misleading uninstallers to either force the download of more undesirable software or trick users into keeping the software.

While this is by no means a comprehensive list, it is definitely a good starting point as to why we consider a program as being undesirable. There are plenty of other software review websites out there that will probably echo our sentiments; however, as always, if something is working for you, feel free to ignore the detection.


Holiday scams

The holiday season can be a very busy time for many people, but it is also a busy time for cyber criminals. There are a lot of online scams going around this time of year, looking to take advantage of increased shopping activity and people’s generosity. We’ve listed some tips and warnings about some of the most common scams.

Fake Retailer Websites
A counterfeit website mimics the site of a real retailer using similar layouts, color schemes, graphics and logos. Sites like these have been known to send low-quality merchandise that doesn’t work or falls apart, or to send nothing at all and simply steal the personal and financial information you provide them.

Deceptive Advertising
We’ve all heard the old adage “If it’s too good to be true, then it probably is.” This certainly applies to online advertising. If I saw an ad offering a Rolex watch for $100, for example, I would be very suspicious. Even if you didn’t end up buying anything from the site, simply clicking the link could install malware onto your system.

Point-Of-Sale Malware
Over this past year there have been several data breaches at some major retailers. Many of these breaches were due to malware inside the Point-Of-Sale devices. When a card is swiped through, the malware sends a copy of your card information to the malware creators. The best way to protect yourself is to be diligent in checking the transaction history of your accounts. If you notice any unintended purchases, contact your financial institution immediately.

New Devices
Many people will buy or receive new phones, tablets, USB drives, or other devices this holiday season. Devices like these can get infected with malware. Connecting your device to your work computer (even just to charge the battery) could wreak havoc on your company’s servers and systems. Make sure to check with your IT department about BYOD (Bring Your Own Device) policies.

ATM Skimming
Holiday shopping may mean hitting up the ATM. Before inserting your card, double-check to make sure that the ATM hasn’t been compromised. If the keypad, card slot, or cover look different or loose, a device (or malware) may have been installed to steal your banking information. Another ATM tip is to cover the keypad with one hand while entering your PIN with the other. Criminals have been known to install tiny cameras in ATMs in order to find out your PIN.

Public Wi-Fi
While it may be convenient to sit down at your local coffee shop and use their internet connection, you should be very cautious of what information you send over their free Wi-Fi. Networks like this are usually not very secure, and someone could steal your information with little effort. Never do banking or online shopping on public Wi-Fi.

Shop only on secure websites
A lot of holiday shopping is done online, so make sure that the site you are shopping on is secure. Look at the website address at the top of your web browser. If the URL begins with ‘https://’, your connection to the site is encrypted, which protects the sensitive information you send. If the URL begins with ‘http://’, the website is not using encryption. Additionally, most major browsers will display a lock icon in the address bar. You can click this lock to get more detailed information about the website.

Fake charities
Make sure to do your homework on any charitable organization before donating. Their name and website may seem legitimate, but it could be someone trying to take advantage of your generosity and scam you out of money.

Social Media
Some things to be wary of on social media sites such as Facebook and Twitter:

- Phony Profiles: A random person sends you a friend request. Even if their profile looks legitimate, you shouldn’t click that ‘Accept’ button quite yet. That new ‘friend’ could be a criminal after your data, and accepting their friend request gives them access to your personal info, posts, and your list of friends. Make sure that you only accept friend requests from people you actually know; otherwise you’re opening yourself up for an attack.

- Hacked Profiles: You see that one of your friends posted a link claiming that they got a free XBox for filling out a survey. In reality, someone has hacked their account and posted this malicious link. Contact your friend immediately and have them change their password.

Email
Email is a very popular way for criminals to try to infect your system. Here are some of the more common email scams:

- Malicious e-cards: Looks like a simple greeting card, but downloads malware when you open it.

- Grandparent scams: Scammers target the elderly with an email from a “stranded” grandchild claiming to need money wired to them.

- Letters from Santa: An offer to send your child a personal letter from Santa Claus may be a phishing scheme to collect personal information.

- Bank Account scam: An email seemingly coming from your financial institution informs you that your bank account has been compromised. You are given a link to follow or a phone number to call in order to verify your account information.

- Shipping notification/Order confirmation: You receive an email claiming to be an order confirmation or package tracking number. Make sure that the email is actually from a retailer you have ordered from before clicking any links within.

- Golden rules of Email:
  Do not follow unsolicited links
  Do not open unsolicited attachments
  NEVER send any financial information through email
