Jeff Duntemann's Contrapositive Diary Rotating Header Image

The Trojans Are Winning

Trojans sent as spam attachments are (thankfully) not as common as they used to be. Several years ago I would get fifteen or twenty every day. In the past year or so I only get three or four per week. Nearly all of them are executables of some kind, either simple Windows .exe or .scr files, or else an MS Office file (generally an Excel spreadsheet) containing a malicious script. This morning I got a flurry of phishing attempts delivered as PDF files. As I often do, I scanned the PDF file with both AVG and MalwareBytes to see which trojan was present. This time I got a negative from both utilities.

Now, an email telling you that you should open the attached file to see details of your order / bank transaction / payroll deposit etc. are guaranteed to be malware. If two well-regarded AV utilities call the file clean, I begin to wonder how effective our AV technology really is. I’m particularly disappointed in MalwareBytes, which has been razor-sharp so far at detecting email malware.

So I submitted the file to Jotti, which is an interesting one-file-at-a-time malware scanning service. I’ve known about it for some time but never tried it before, as I’d never received anything that managed to duck AVG and MalwareBytes both. What Jotti does is aggregate online file-scanning services, and then aggregate the results from all the services. The PDF exploit got past 14 of 20 scanning services used by Jotti, including AVG. Them’s lousy numbers.

Here’s a screen cap of the Jotti output report.

To get some perspective, I did a little additional testing. Things got worse. I saved a .zip payload out of an obvious phish email that came in yesterday, and submitted the zip to Jotti. One out of twenty scans came up positive. I then (carefully) unzipped the payload to a naked .exe, and submitted that. Zero. Zip. Nada. Nobody caught it. Wow.

What this tells me is that the Trojans are winning. Scanning things before you open them is no longer any sort of guarantee. Dodging malware now requires that you turn your paranoia knob up several notches. Here’s what I recommend for Windows users:

  • Run Internet-facing apps from an LUA, or with a privilege-limiter like DropMyRights.
  • Install and use NoScript, and allow scripting only on trusted sites. Be conservative on what “trusted” means. Javascript is evil.
  • Install and use AdBlock Plus. Until sites can guarantee that their ads aren’t serving up malware, I reserve the right to block their ads. It isn’t just small sites that are vulnerable; Gawker Media got hit a year or two ago.
  • Do not use Adobe Reader. There are lots of other PDF readers that are as good or better. I recommend PDF XChange from Tracker Software. What you want is a high-quality product with low market share. Adobe Reader is an exploit farm in part because the bad guys search it harder for exploits–and most of the exploits are highly specific to Adobe Reader.
  • Whatever PDF reader you choose, go to the options dialog and turn off Javascript. I have yet to hear any compelling reason for a PDF to execute JavaScript. Oh, and did I say that Javascript is evil?
  • Do not use Flash on a Windows system. Don’t even install it. Use a Linux instance to read YouTube or other Flash-based sites that you absolutely must browse.
  • If you’re geeky enough, get a VM manager and run Internet-facing apps (or at least Flash-equipped sites) from inside a VM. This makes bookmarking tricky, but a VM is a very tough thing for malware to get out of.
  • Don’t pirate software. In particular, don’t install something and then go looking for a crack to get past registration/activation. Cracks are virtually always malware, and the pirated apps themselves are infected as likely as not.
  • It sounds nuts, but we do it: Get an entirely separate machine for any kind of online banking. Ours runs Linux. We do nothing on the machine at all other than online banking. We turn it off except when it’s in use, which is an hour or two per week, tops.

Both Macs and Linux machines are harder to infect than Windows, but most of their supposed immunity comes from their being scarce enough that the bad guys don’t attempt to exploit them. I’ve seen a troubling increase in the number of exploits tuned for the Mac, which means that Macs are now mainstream. With success comes danger. Also, more and more malware comes in via social engineering, and since that’s a wetware problem, Macs and Linux boxes are no more immune to that than Windows. (The real malware danger in running a Mac is the all-too-common conviction that Macs are immune to malware. Uh-uh.)

It’s certainly true that the vast majority of malware infections are the result of Computing While Stupid. Alas, the line we’ve heard for years about keeping AV software installed and up-to-date is increasingly irrelevant. There is no way to harden a PC to allow you to do any damned thing you want. Nothing’s bulletproof. You have to dodge–and you have to dodge harder and harder all the time.


  1. Rich Rostrom says:

    Install and use NoScript, and allow scripting only on trusted sites. Be conservative on what β€œtrusted” means. Javascript is evil.

    Unfortunately, there are some sites which require Javascript for full functionality. Google Groups, for instance. A lot of blog sites use Javascript for commenting.

    Nonetheless I run with Javascript turned off normally – not because of malware, but because many sites are encrusted with Javascript widgets that hang or delay page loading, and have no content function. (They’re usually something to do with hit counters, ads, and so forth.)

    Do not use Adobe Reader… What you want is a high-quality product with low market share.

    That’s a weak response. Essentially it’s conceding that the malfeasors can’t be stopped, and resorting to the equivalent of genetic diversity to limit damage. It requires a lot of redundant effort by developers.

    It fails if one program is good enough to displace the others. In fact it is an incentive to avoid the most capable programs because they’ll be the most popular.

    Get an entirely separate machine for any kind of online banking.

    That’s a pretty expensive answer. ISTM one could do just as well by having a separate bootable volume on an external drive, which is connected only when banking. But even that is awkward. What if one needs to access the on-line bank while running one’s local accounting software? And what is the answer for a small business?

    1. I am conceding that the bad guys can’t be stopped–that’s mostly the point of this post. Dodging them is a multipart strategy, one element of which is to use good software that not a lot of other people use. I don’t want my chosen programs to replace their competitors, because then they’d be juicier targets. And as we’ve seen in the software business, unseating the king is a hard hack, else OS X would have replaced Windows years ago.

      Computers that can handle the Web competently are not only cheap, they’re often free, and I get them regularly from people who buy new boxes and just don’t want to put the old ones out on the curb. The machine we do banking on cost me…$85. And it’s not a crufty old orphan either, but a 2.8 GHz small form factor with 2 GB RAM. The peace of mind is well worth that much, and probably a great deal more.

  2. Tom says:

    Is it paranoia when they really are after you?

    I guess I have been lucky, but then I have a much lower profile than you do Jeff. I do very little financial work of any kind on line. Banking included, and I NEVER type in a password for any financial site. I use a password manager (Password Safe) and copy and paste both id and password. I have also considered moving to Linux for when I want to be really safe.

    One option for those that can’t afford a separate computer for Linux banking etc would be to use a live CD and log on from it. You would just not mount any of your real disks no matter what the OS was on them. Even some of the minimalist Linux distros would work for web access and will run pretty fast. Some will even load entirely into RAM.

    I was a Network Security officer until 2007 with about 25 servers on the network and at least half a dozen Internet facing web or application servers. I think I got out of that business just in time.

  3. Suep says:

    I wish the point about “*requiring* you to open attachments = malware” was true. πŸ™ You may recall, I run a small business. We are CONSTANTLY getting attachments from customers, the local building inspection departments, various other government agencies, and such like. Last week I got an email from some outfit, claiming to be representing my health insurance company, requiring me to register and log in, to see my details!!!!! I am sorry to say that it was legitimate. πŸ™ We called the insurance agent and asked. It is a “security feature”, and yes they were serious. πŸ™

    I am literally foaming at the mouth some days, but I don’t know what to do to stop this nonsense…

  4. Michael Brian Bentley says:

    Ed Bott is a staunch Microsoft proponent, so I read his tweets for MS related stuff. He’s not the guy I read for Mac-related anything.

    I had to clean up a program that my niece intentionally installed on her machine once. Last year some time. I had no idea what it was, but we got rid of it over the phone, and I told her to stop whatever payment she arranged on her credit card.

    For any previous issues involving stuff that could be called malware, I have to think back to the late ’80s. Delivered by 400K floppy disk.

    There may be malware for Mac OS X, Safari, Chrome, mail clients, Firefox. From his article and links, I’m not seeing a containment breach via those exploits into secure areas in Mac OS X. I don’t see an actual “pwn” of the OS. I do see where he says they started a calculator app, and wrote a file to the file system.

    There is mention in the article that a Skype exploit provides “root access” to a Mac. The Skype client doesn’t get root access. the Skype might facilitate his ability to execute a command, but there’s a bit more that’s involved to get root access than that.

Leave a Reply

Your email address will not be published. Required fields are marked *