Category Archives: Computer Security

Virus, malware in general and all evil programs, begone!

Test Drive – Microsoft Security Essentials 4.0

A little over a week ago, version 4.0 of Microsoft Security Essentials (MSE) was released. First seen in version 1.0 back in 2009, MSE has been among the top free antivirus programs ever since. I first mentioned it back in 2009, when it was still in its testing stages, in one of my articles. I took version 2.0 for a test drive in 2011, where it performed surprisingly well. So I decided to take this version, 4.0, for a spin as well (there never was a version 3.0).

As I’ve usually done, the test drive consisted of visiting known infected websites on my test computer with the antivirus program installed, then observing and analyzing how the antivirus performs in terms of detecting malware, preventing the computer from being infected, and cleaning up as needed.

So I took my test computer and accessed 4 or 5 infected websites: one infected with a Trojan, one with a fake antivirus, one with a rootkit, and finally one with another Trojan. In each case the real-time protection feature of MSE correctly detected the presence of malware, stopped access to the infection, and successfully cleaned up any files the website had downloaded to my computer, without any user intervention needed. A detailed after-the-fact analysis of what went on when I accessed each infected website revealed that neither an invisible, behind-the-scenes infection nor any alteration of computer settings took place, confirming that MSE succeeded and passed the test.

I already liked MSE 2.0, and I’m liking MSE 4.0 even more. Out of all the free antivirus alternatives, it is the one I like the most.

If you have MSE on your computer(s), check to make sure you have this version, the latest. If you need help checking which version you have or how to upgrade to the latest one, feel free to ask.

Why Antivirus Programs Fail

This is a real example of why relying solely on an antivirus to detect all malware will fail. Today I got, for the nth time, a few of those scam emails that carry an infected attachment and a message enticing me to open it. Since I hate to disappoint, I went ahead and opened one, just to see what my antivirus would do (but with fail-safe measures in place).

I’m currently using Kaspersky Internet Security 2012, one of the top security suites and my current favorite. Normally, upon receipt of the email, Kaspersky would quarantine the suspicious attachment… if it detects it as malicious. But it didn’t. The attachment was compressed in an archive, so I thought maybe that was why, and went ahead and extracted the file from it. Nothing. No response from Kaspersky. So I forced a scan of the object, and it still was not detected as malicious!

I then went to a website where individual files can be scanned by many scan engines. This particular one scans the file against 42 different engines. Kaspersky, Avast, Symantec, VIPRE, McAfee, you name it. All the big brands and more. Well, only 4 out of the 42 detected the file as malicious!

Why is that? Because new malware samples are created far faster than signature files (the files that tell your antivirus program which files are good and which ones malicious) are updated. Signature files are what antivirus scanners mostly depend on to detect malware.
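To make the signature-lag problem concrete, here is an added example (not code from the original post, and not how Kaspersky or any vendor actually implements scanning). It models a signature file as a set of file hashes, then scans a constructed e-mail attachment. The sample bytes and the detection name `Trojan.Constructed.A` are made up; no real malware is involved. Two things show up: an archive's own hash never matches the hash of the file inside it, so a scanner has to look inside containers, and a freshly built variant that is not yet in the signature file is simply not seen, which is exactly the "4 out of 42" situation described above.

```python
"""Why exact-hash signature scanning misses fresh samples.

Added illustration; the signature database, sample bytes and detection
name are all constructed for this example.
"""
import hashlib
import io
import zipfile
from typing import Dict, Optional

# Constructed stand-ins for attachments. "build 1" is a sample the vendor has
# already catalogued; "build 2" is a fresh variant that has not been seen yet.
KNOWN_SAMPLE = b"MZ\x90\x00 harmless stand-in for a catalogued sample, build 1"
FRESH_VARIANT = b"MZ\x90\x00 harmless stand-in for a catalogued sample, build 2"
CLEAN_FILE = b"Quarterly report, nothing to see here."


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The vendor's "signature file": hashes of samples seen so far. The fresh
# variant is absent, which is the lag the post describes.
SIGNATURE_DB: Dict[str, str] = {sha256(KNOWN_SAMPLE): "Trojan.Constructed.A"}


def scan_bytes(data: bytes) -> Optional[str]:
    """Exact-hash lookup, the way a pure signature scanner works.
    Returns the detection name, or None when the hash is unknown."""
    return SIGNATURE_DB.get(sha256(data))


def scan_attachment(data: bytes) -> Dict[str, Optional[str]]:
    """Scan an attachment. If it is a zip archive, scan each member rather
    than the archive itself: the archive's hash never equals a member's hash,
    so hashing only the container would miss everything inside it."""
    results: Dict[str, Optional[str]] = {}
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                results[name] = scan_bytes(zf.read(name))
    else:
        results["<file>"] = scan_bytes(data)
    return results


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip archive, standing in for the e-mail attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    attachment = build_zip({"invoice.exe": KNOWN_SAMPLE,
                            "invoice2.exe": FRESH_VARIANT,
                            "readme.txt": CLEAN_FILE})
    print("archive scanned as a whole:", scan_bytes(attachment))
    for member, verdict in scan_attachment(attachment).items():
        print(f"{member}: {verdict or 'not detected'}")
```

The catalogued build is flagged only once the scanner looks inside the archive, and the fresh build is missed by every lookup, no matter how many engines run the same exact-hash check. That is the gap that a layered model (restricting what is allowed to execute at all, as the post's 2009 article lays out) is meant to close.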

I said it in 2009, and I’ll reiterate it today. Want to have a better chance at staying malware-free? Follow the model I laid out back then, in my pivotal article on the subject.


P.S.: 4/12/12: It’s the morning after, and I decided to analyze that piece of malware in detail, so I tried to fetch it from the trash folder in my email… Wasn’t able to. Kaspersky beat me to the punch and deleted it. In re-analyzing the file (from an alternate source) against the 42 scan engines, the count had changed to 7 out of 42 recognizing it as malware. Kaspersky was one of them. So relatively good.

Recently Seen Fake Antiviruses

As I’ve mentioned before, rogue security/maintenance programs are programs that pretend to perform a valuable function while in fact being malicious in nature. These kinds of programs have been on the rise lately, so I wanted to give you a list of the latest names these rogue programs have been appearing under. This is not a complete list, but it includes the main ones seen in the wild:

  • Windows AntiHazard Helper
  • Windows AntiHazard Center
  • Windows Process Director
  • Windows Guardian Angel
  • Windows Software Keeper
  • Windows Problems Stopper
  • Windows Health Keeper
  • Windows No-Risk Center
  • Windows Antihazard Solution
  • Windows Risk Minimizer
  • Windows Managing System
  • Windows Safety Tweaker
  • Windows Tools Patch
  • Best Virus Protection

The most common infection method is by visiting a malicious website or a non-malicious website that has been subverted to infect its visitors.

Removal procedures for these infections vary from one to the other, but generally speaking, if you see one of the above programs: 1) know that whatever alert it prompts you with is false and should be ignored, and 2) if you don’t know how to remove it yourself, contact an expert who can help you. Some of these are tricky and require a specific sequence of steps in order to remove them successfully without damaging your computer.

This Month in Computer Updates

Microsoft will release this coming Tuesday the 13th, on its usual schedule (second Tuesday of every month), the monthly updates for its different software products. The batch will contain 6 updates, one of which has the highest severity rating – critical – belonging to the Windows operating system.

Last week Adobe released an update for Adobe Flash player. This latest version, 11.1.102.62, patches vulnerabilities that, if exploited, could allow an attacker to take control of the affected system.

Last week as well, Google released Chrome 17.0.963.65 to address multiple vulnerabilities in the web browser. Note that Flash in Chrome is embedded in the browser, so to bring Flash to its latest version all you have to do is update Chrome to the latest version.

Computers with their software up to date are the least likely to be affected by malicious attacks.

March 8th, AKA the End of the Internet

I always wanted to write a headline newspaper style. Seriously though, I’ve seen some news agencies and other doomsday style people write headings like this for this subject. Several people have asked me about this, so here are the facts:

1. There was an FBI operation called Operation Ghost Click that, back in November, took control of certain servers that were being used by a gang of cyber-criminals as Command and Control servers. This means malware had been created that made infected computers consult these servers when looking up the address of certain websites, and that re-directed them to malicious ones. If your computer was infected, it was subject to this re-direction problem.

2. Those malicious servers, now under the control of the FBI, have been kept running these last 3 months to keep infected computers, or computers affected by the infection, from losing access to websites. But the servers are scheduled to be shut down on March 8.

3. If your computer is infected with the malicious software that makes it a slave of those servers, or if the settings changed by the malicious software are not corrected, the affected computer will lose internet connectivity when those servers are shut down.

That’s the basic story.

What to Do

Any good antivirus scan should detect the presence of the malicious software, called DNSChanger and labeled a Trojan (DNS: Domain Name System. See this article from last year if you’re interested in knowing what that is).

Even if the Trojan is removed, certain settings in your computer might still be crooked. Avira offers a repair tool for it. Click on this link to download it: Avira DNS Repair-Tool. Download it and run it to correct changed settings, or simply to verify that your computer’s DNS settings have not been messed with.

If you need help with this, contact a computer professional.
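For readers who want to see what "verifying that your DNS settings have not been messed with" amounts to, here is an added example; it is not the Avira tool and not code from the original post. It parses the text that `ipconfig /all` prints on Windows (a constructed excerpt is embedded so it runs anywhere) and classifies each configured DNS server as one you expect, one that falls in a rogue address range, or simply unexpected. The expected resolver `192.168.1.1` is a constructed home-router address, and the rogue ranges are placeholders taken from the documentation-only TEST-NET blocks; a real check would substitute the ranges published for the DNSChanger case.

```python
"""Check Windows DNS resolver settings for signs of tampering.

Added illustration. The ipconfig excerpt, the expected resolver and the
rogue ranges are constructed placeholders, not real DNSChanger indicators.
"""
import ipaddress
import re
from typing import Dict, List

# Resolvers this machine is supposed to use (constructed: the home router).
EXPECTED_RESOLVERS = {"192.168.1.1"}

# PLACEHOLDER rogue ranges: TEST-NET-1 and TEST-NET-2 (reserved for
# documentation). Replace with the ranges published for the real incident.
ROGUE_RANGES = [ipaddress.ip_network("192.0.2.0/24"),
                ipaddress.ip_network("198.51.100.0/24")]

# Constructed `ipconfig /all` excerpt for an adapter whose primary DNS
# server has been changed to an address in a placeholder rogue range.
SAMPLE_IPCONFIG = """
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home.example
   IPv4 Address. . . . . . . . . . . : 192.168.1.20(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.0.2.55
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""


def parse_dns_servers(ipconfig_output: str) -> List[str]:
    """Extract DNS server addresses from `ipconfig /all` text.

    The first server sits on the 'DNS Servers' line after the colon; any
    additional servers appear on the following lines as bare addresses."""
    servers: List[str] = []
    in_dns_block = False
    for line in ipconfig_output.splitlines():
        if re.match(r"\s*DNS Servers", line):
            in_dns_block = True
            servers.append(line.split(":", 1)[1].strip())
            continue
        if in_dns_block:
            candidate = line.strip()
            # Continuation lines hold only an IPv4/IPv6 address (maybe a %zone).
            if candidate and re.fullmatch(r"[0-9A-Fa-f:.%]+", candidate):
                servers.append(candidate)
            else:
                in_dns_block = False
    return servers


def classify(server: str) -> str:
    """Return 'expected', 'rogue-range' or 'unexpected' for one resolver."""
    if server in EXPECTED_RESOLVERS:
        return "expected"
    try:
        addr = ipaddress.ip_address(server.split("%")[0])
    except ValueError:
        return "unexpected"
    if any(addr in net for net in ROGUE_RANGES):
        return "rogue-range"
    return "unexpected"


def check(ipconfig_output: str) -> Dict[str, str]:
    """Map every configured DNS server to its classification."""
    return {s: classify(s) for s in parse_dns_servers(ipconfig_output)}


if __name__ == "__main__":
    # On a real Windows machine, feed in the output of `ipconfig /all`
    # (e.g. via subprocess) instead of the constructed sample.
    for server, verdict in check(SAMPLE_IPCONFIG).items():
        print(f"{server}: {verdict}")
```

Anything other than "expected" deserves a look: an address in a rogue range points straight at the problem described above, while an unexpected resolver may be legitimate (a new ISP resolver, a VPN) or may be the same problem with a range that is not on the list yet.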

Recent Important Updates

This past Tuesday, as it’s done every second Tuesday of the month, Microsoft released its monthly updates, 9 of them. You can go to www.windowsupdate.com to download and install the latest updates, if your computer is not set to download and install updates automatically.

Adobe just released a patch for the latest known zero-day exploit: http://www.adobe.com/go/getflashplayer

Google Chrome version 17.0.963.56 was just released. Clicking on the wrench icon on the upper right of a browser window and selecting “About Google Chrome” will confirm you have the latest version or download and install it.

The Mozilla corporation released Firefox 10.0.1 to fix a security vulnerability: http://www.mozilla.org/products/download.html?product=firefox-10.0.1&os=win&lang=en-US

It is always recommended to keep computers up to date in their software patches, to avoid security risks that might end up in infected computers.

Symantec pcAnywhere Security Recommendation

In my last article, a few days ago, I covered Symantec’s network being hacked back in 2006. One of Symantec’s products, pcAnywhere, was included in the list of programs which had its source code stolen.

In the most recent development of this story, now Symantec has released a technical white paper on the subject where it states “At this time, Symantec recommends disabling the product until Symantec releases a final set of software updates that resolve currently known vulnerability risks”.

If you have pcAnywhere installed on your computer, I recommend you disable it or uninstall it altogether to avoid the possibility of it being used as an attack vector into your computer(s). Contact me if you need help with that.


Symantec (Norton) Network Hacked in 2006

The security software giant acknowledged last week that hackers had broken into its network when they stole source code of some of the company’s software.

At first, two weeks ago, Symantec spokesman Cris Paden stated a hacker made off with source code of Symantec Endpoint Protection 11.0 and Symantec Antivirus 10.2, back in 2006. Cris otherwise downplayed the seriousness of the theft.

A few days later, however, Paden issued a revised statement, saying source code of Norton Antivirus Corporate Edition, Norton Internet Security, Norton Utilities, Norton GoBack and pcAnywhere, had been stolen.

Having the source code for these products means hackers, malware creators and other scum of society can create malware that exploits vulnerabilities in Symantec’s software, thus making it easier to render the antivirus useless during a malware infection, or, in the case of pcAnywhere (a remote access suite that Symantec sells), opening the door to unauthorized remote access to computers with pcAnywhere installed on them.

In the specific case of pcAnywhere, the hacker believed to be responsible for the source code theft announced a few days ago that the code was being released to the “blackhat” community for free-for-all exploiting.

I personally don’t recommend Symantec products, and haven’t for a long time. But with these developments I’d really suggest staying away from, or moving away from, Symantec products.

Big Month of Bug Fixes in Windows

On the second Tuesday of the month, as usual, monthly Windows updates are being published. So that’s this coming Tuesday the 10th, at approximately 1 pm EST.

For the first updates of the year, this batch is relatively bulky. Worth mentioning among the 7 security updates being released on Tuesday, which patch 8 security bugs, is one labeled “security feature bypass”, a label never used before by Microsoft.

If you have automatic updates turned on, the only user intervention needed is a possible computer restart after the updates have been installed.

If you don’t have automatic updates turned on, it behooves you to get any and all outstanding Windows updates installed, including the ones being released this coming Tuesday. Software updates comprise an essential element in any sound computer security strategy.

Test Drive – F-Secure Total Security 2012

This week’s test drive is the recently released F-Secure Total Security 2012. As usual, upon installing it and updating its signature file, I proceeded to throw the computer at malicious websites to see how effective F-Secure was in thwarting the malware therein.

First round: downloaded a program right off a Russian website and, emulating a gullible computer user, proceeded to try to open the program just downloaded. F-Secure’s real-time protection module jumped in, blocked it from opening, alerted me to its existence, and nuked it. A subsequent in-depth analysis revealed the program was indeed never allowed to open, so no damage to the computer. First round: Pass.

Second round: A fresh Trojan. Same behavior, same result as first round.

Third round: Another very nasty Trojan, the most frequent type of malware these days. Same result, the real-time protection module didn’t even let the file finish downloading and rendered it harmless. Pass!

Fourth round: A fake antivirus. Same result: no luck in infecting the computer. It became obvious that these attempts to infect the computer were pretty much useless. I actually ran out of malicious websites to throw the computer at! And despite all the efforts, not only did the computer not get infected with any payload, the files containing malware were not allowed to stay on the computer; in fact they weren’t even allowed to arrive at the computer. Because no malicious file was allowed to open (execute), some of the security layers were not even called upon (like the firewall).

Conclusion

Similar to my recent review of Lavasoft’s product, F-Secure passed the test but at the cost of some system performance impact: I spotted 12 different processes running in the background while F-Secure is running. That’s a lot of processes for just one program. And even though my test computer is fast, I was able to clearly perceive the performance degradation once F-Secure was installed. So users with old or slow computers might want to stay away.

The updated list of security products that have passed my test follows. The sequence is simply the order in which they have been tested and does not represent any kind of performance score:


1. Kaspersky Internet Security 2012.

2. VIPRE Antivirus Premium.

3. ZoneAlarm Extreme Security Suite 2012.

4. Avira Internet Security Suite 2012.

5. Emsisoft Internet Security Pack.

6. Lavasoft’s Ad-Aware Total Security Suite 2011.

7. F-Secure Total Security 2012.

And remember, any of the above products provides enough protection to keep you safe while surfing the web IF complemented with AppGuard, as laid out in my article from over 2 years ago on the subject.