Two new, popular malware attacks

It’s hard to predict which malware program will become the next “big one.” Rarely is the particular piece of malware that goes explosively viral (forgive the pun) new or innovative. The famous Melissa virus wasn’t the first Microsoft Word macro virus. The Michelangelo boot virus wasn’t the first boot virus to overwrite hard drive sectors. Nimba wasn’t the first HTML threat. And the Iloveyou worm wasn’t the first VBS malware program. The malware that takes off seems to be a combination of just the right social engineering and timing. I’ve given up on predicting what will become the Next Big Thing.

Although the latest two big threats aren’t the lead-off story on CNN Headline News, they have exploited more end-users than any threat of the past few years. My e-mail and cell phone are busy with messages from friends and family exploited and trying to clean up.

The first major threat going around these days is known as XP Antivirus 2008, though it’s also known by a few other similar names. A user is socially engineered into installing a bogus anti-virus program, which then, in a not so startling development, detects thousands of malicious viruses, and prompts the user to buy their program to get rid of the malware. Often the only malware program the user has is the XP Antivirus 2008 program itself.

The interesting aspect of this malware program is its capability to modify the normal Microsoft Windows desktop to look as if the status bar is sending an alert message indicating a virus infection. The alert warning looks like an official Microsoft Windows warning, bubbling up from the area where you normally expect legitimate programs to be. The XP Antivirus 2008 program install looks just as official, but once installed asks for money to get rid of the supposed viruses or starts stealing confidential information.

Too late, most users realize they have been scammed by the malware program. The Internet is full of sites and tools attempting to help users disinfect their PCs. Most solutions don’t work, no matter how well intended. The malware program is programmed to prevent easy cleanup, including blocking access to Web sites that can offer good help and preventing legitimate cleanup tools from running.

My advice with any successful malware-exploited PC is to back up the data, format your drive, re-install your programs, fully patch, and begin all over again. Change your online passwords and PINs, monitor your credit, and begin your cyberlife anew. Today’s malware is criminally motivated and trying to steal all your money, one way or another.

The other interesting malware du jour is a cross-platform infector, exploiting multiple browsers (Internet Explorer, Safari, Firefox, and so on) — any that are capable of running the Macromedia Flash plug-in. Malware writers are writing rogue Flash files that can exploit Windows, OS X, and Linux.

Legitimate Web sites — big, popular ones — are innocently hosting banner ads that end up containing these malformed Flash files. Users, even with fully patched systems and the latest browsers, end up getting their “edit-copy-edit-paste” clipboard hijacked. The malware program deposits a malicious URL link on the user’s clipboard so that every time the user pastes content, they end up pasting the bogus link instead of their content. This strange effect is an attempt to trick the user into clicking on the link or into inadvertently posting it into blog comments and the like. Here is a safe demo of the exploit. When you run it, your clipboard will be hijacked to contain www.evil.com as the text on the clipboard. You have to close the browser session and then copy new text to your clipboard to make it go away. In some cases, you may have to reboot your computer to get rid of the hijacking. Microsoft’s MVP blog has a more comprehensive blog post on the clipboard hijacker.

There are a few notable points with this attack. First, it appears that we have a new Flash exploit on our hands that needs to be patched by Adobe. Second, although the initial exploits may seem innocent enough, historically, clipboard pasting attacks often serve as a harbinger to wider system exploitation using improved coding. Lastly, the days of not running anything but Internet Explorer as a defense strategy are increasingly becoming numbered. As other OSes and browsers become more popular, expect malware writers to continue to focus their efforts accordingly.

The last few weeks have been full of many other popular attacks, and per usual, as a global society we seem no better prepared for them than in the past. Still, luckily, so far criminal attackers have not found a remote buffer overflow similar to the SQL Slammer or Code Red attacks of yesteryear. Can you imagine how much damage criminals could cause if they had the power of those attacks?