Jeff Duntemann's Contrapositive Diary

January 11th, 2012:

The Trojans Are Winning

Trojans sent as spam attachments are (thankfully) not as common as they used to be. Several years ago I would get fifteen or twenty every day. In the past year or so I only get three or four per week. Nearly all of them are executables of some kind, either simple Windows .exe or .scr files, or else an MS Office file (generally an Excel spreadsheet) containing a malicious script. This morning I got a flurry of phishing attempts delivered as PDF files. As I often do, I scanned the PDF file with both AVG and MalwareBytes to see which trojan was present. This time I got a negative from both utilities.

Now, an email telling you that you should open the attached file to see details of your order / bank transaction / payroll deposit etc. is guaranteed to be malware. If two well-regarded AV utilities call the file clean, I begin to wonder how effective our AV technology really is. I’m particularly disappointed in MalwareBytes, which has been razor-sharp so far at detecting email malware.

So I submitted the file to Jotti, which is an interesting one-file-at-a-time malware scanning service. I’ve known about it for some time but never tried it before, as I’d never received anything that managed to duck AVG and MalwareBytes both. What Jotti does is aggregate online file-scanning services, and then aggregate the results from all the services. The PDF exploit got past 14 of 20 scanning services used by Jotti, including AVG. Them’s lousy numbers.

Here’s a screen cap of the Jotti output report.

To get some perspective, I did a little additional testing. Things got worse. I saved a .zip payload out of an obvious phish email that came in yesterday, and submitted the zip to Jotti. One out of twenty scans came up positive. I then (carefully) unzipped the payload to a naked .exe, and submitted that. Zero. Zip. Nada. Nobody caught it. Wow.

What this tells me is that the Trojans are winning. Scanning things before you open them is no longer any sort of guarantee. Dodging malware now requires that you turn your paranoia knob up several notches. Here’s what I recommend for Windows users:

  • Run Internet-facing apps from an LUA, or with a privilege-limiter like DropMyRights.
  • Install and use NoScript, and allow scripting only on trusted sites. Be conservative on what “trusted” means. Javascript is evil.
  • Install and use AdBlock Plus. Until sites can guarantee that their ads aren’t serving up malware, I reserve the right to block their ads. It isn’t just small sites that are vulnerable; Gawker Media got hit a year or two ago.
  • Do not use Adobe Reader. There are lots of other PDF readers that are as good or better. I recommend PDF XChange from Tracker Software. What you want is a high-quality product with low market share. Adobe Reader is an exploit farm in part because the bad guys search it harder for exploits–and most of the exploits are highly specific to Adobe Reader.
  • Whatever PDF reader you choose, go to the options dialog and turn off Javascript. I have yet to hear any compelling reason for a PDF to execute JavaScript. Oh, and did I say that Javascript is evil?
  • Do not use Flash on a Windows system. Don’t even install it. Use a Linux instance to read YouTube or other Flash-based sites that you absolutely must browse.
  • If you’re geeky enough, get a VM manager and run Internet-facing apps (or at least Flash-equipped sites) from inside a VM. This makes bookmarking tricky, but a VM is a very tough thing for malware to get out of.
  • Don’t pirate software. In particular, don’t install something and then go looking for a crack to get past registration/activation. Cracks are virtually always malware, and the pirated apps themselves are infected as likely as not.
  • It sounds nuts, but we do it: Get an entirely separate machine for any kind of online banking. Ours runs Linux. We do nothing on the machine at all other than online banking. We turn it off except when it’s in use, which is an hour or two per week, tops.
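The PDF advice above (don’t let the reader run JavaScript) can also be turned into a quick triage check before a file is ever opened. The script below is an added example, not code from the post; it looks for the raw PDF dictionary names that carry scripts and auto-run actions, and it undoes the `#xx` hex escapes that PDF allows inside names so a token like `/J#61vaScript` is still recognised. The two sample PDFs are constructed for the example.

```python
import re

# PDF dictionary names that carry scripts or run actions automatically.
# Constructed indicator list for this example; the keys themselves are standard PDF.
SUSPICIOUS_NAMES = {"/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile"}

# A PDF name runs from '/' to the next delimiter or whitespace.
_NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")


def _decode_name(raw: bytes) -> str:
    """Resolve #xx hex escapes so obfuscated names compare equal to plain ones."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def find_indicators(pdf: bytes) -> list:
    """Return the sorted set of suspicious names present in the raw PDF bytes."""
    found = set()
    for m in _NAME_RE.finditer(pdf):
        name = _decode_name(m.group(0))
        if name in SUSPICIOUS_NAMES:
            found.add(name)
    return sorted(found)


def is_suspicious(pdf: bytes) -> bool:
    return bool(find_indicators(pdf))


# Constructed sample: the catalog auto-runs a JavaScript action, and the
# /JavaScript name is hidden behind a hex escape (/J#61vaScript).
SAMPLE_SCRIPTED_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /J#61vaScript /JS (app.alert('constructed sample')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: a bare PDF with no scripts or actions at all.
SAMPLE_CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, data in (("scripted", SAMPLE_SCRIPTED_PDF), ("clean", SAMPLE_CLEAN_PDF)):
        print(label, find_indicators(data))
```

This only sees names in uncompressed objects; a PDF that packs its dictionaries into FlateDecode object streams needs the streams inflated first, so treat an empty result as “nothing obvious”, not as clean.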

Both Macs and Linux machines are harder to infect than Windows, but most of their supposed immunity comes from their being scarce enough that the bad guys don’t attempt to exploit them. I’ve seen a troubling increase in the number of exploits tuned for the Mac, which means that Macs are now mainstream. With success comes danger. Also, more and more malware comes in via social engineering, and since that’s a wetware problem, Macs and Linux boxes are no more immune to that than Windows. (The real malware danger in running a Mac is the all-too-common conviction that Macs are immune to malware. Uh-uh.)

It’s certainly true that the vast majority of malware infections are the result of Computing While Stupid. Alas, the line we’ve heard for years about keeping AV software installed and up-to-date is increasingly irrelevant. There is no way to harden a PC to allow you to do any damned thing you want. Nothing’s bulletproof. You have to dodge–and you have to dodge harder and harder all the time.