The latest malware news has been featuring The Flame, malware made famous for its complexity, sophistication, and massive size – a full 20MB.
Just a day later we meet Tinba, a banking trojan that performs man-in-the-middle (MITM) in-browser attacks. Whereas Flame is 20MB, Tinba is 1/1024th the size, at 20KB.
Just to put some perspective on things.
Apparently Tinba is “The world's smallest banking trojan”, but it’s plenty dangerous, hijacking the browser and stealing information from banking sites.
Both of the malicious programs attempt to steal or spy on the user but they go about it in vastly different ways.
A recent blog post showed how Chrome, Internet Explorer 9, and Firefox are all vulnerable to a specific bug that can be used to trick the user into downloading a file when they meant to download something else.
Screenshot caption: a flash11_updater.exe download supposedly served from adobe.com is, in reality, supplied by the attacker.
The bug isn’t really the issue here, though. I mean, it’s definitely useful for social engineering and I can think of a million ways that I could infect people with this, but what I’d like to draw attention to is the response given by the browser vendors.
The response to this has apparently been:
- Chrome: reported March 30 (bug 121259). Fix planned, but no specific date set.
- Internet Explorer: reported April 1 (case 12372gd). The vendor will not address the issue with a security patch for any current version of MSIE.
- Firefox: reported March 30 (bug 741050). No commitment to fix at this point.
I think that says a lot about browser security. None of them has fixed it, and only Chrome has stated they ever plan to, though they’ve given no date. At least Firefox and Chrome gave some discussion.
Think about it this way. If I were to post “Hey guys, update Adobe Flash Player, big security update!” and I linked to the Flash page with the download started I bet a lot of you would install it without a second thought. I’d probably fall for it too if it were linked from a forum I frequent.
This isn’t the biggest security flaw ever. It’s useful for social engineering and there’s definitely potential here, but it’s not going to lead to millions of infections (on its own, at least). I just think it’s interesting to see how vendors treat ‘low priority’ security flaws.
Check out the proof of concept here. Tell me this wouldn’t fool you if I’d linked to it saying that it was a security update for Flash. Be honest.
I do some informal virus-removal work once in a while on various forums, and I often come across a topic where the first thing I see is “Reboot into safe mode, run your antivirus.” Obviously this isn’t from one of those cool forums where the regulars know how to use all those crazy tools; it’s just some guy trying to help, and that’s cool, but he is very wrong.
Rebooting isn’t a good idea when you’ve just been infected. It’s one of the worst things you can do. Think about how every time you install Windows Updates you need to restart, and any time you install a new driver you have to restart. Basically, every time software wants to get deep into the machine you end up restarting.
So does it really make sense to restart?
The fact is, if you haven’t restarted your machine it’s probably going to be fairly simple to remove the malware. 95% of malware executes from your /user/appdata/ folder. I’ve cleaned so many machines just by navigating to that folder, finding what’s out of place, and deleting it. It’s not gonna work every time, but if the machine hasn’t been reset and it’s 64-bit Windows Vista/7 your chances are very, very good.
Registry settings also need a reboot to stick. So before you restart, you (or someone who knows what they’re doing, if you don’t) can go to your */run keys and remove potentially malicious entries. There are also Firewall and AV settings in the registry that a virus might mess with.
The first step should never be to reboot. In my opinion the first step is to flip the switch on your internet (this prevents information from being sent and further payloads from being received) and start deleting what you can. If you have another computer, download an AV to a USB stick, bring it over, and run it.
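The pre-reboot triage described above (check the Run keys, look for what is out of place in AppData), as an added PowerShell helper that is not part of the original post. It only lists and flags entries, never deletes anything; it assumes Windows PowerShell 5 or later, and the AppData-path pattern and the one-day window are assumptions you can adjust.

```powershell
# Added triage helper (not from the original post). Assumes Windows PowerShell 5+.
# Lists autorun entries in the Run/RunOnce keys, flags those whose command points
# into AppData, then lists executables recently written under the current user's
# AppData folders. Nothing is removed; the output is for a human to review.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Autorun commands that launch from AppData are unusual for installed software
# and are the entries worth a second look (the post's "out of place" test).
$appDataPattern = '(?i)\\AppData\\|%APPDATA%|%LOCALAPPDATA%'

Write-Host "== Run/RunOnce entries =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        $flag = if ("$($p.Value)" -match $appDataPattern) { 'REVIEW' } else { '      ' }
        "{0} {1}`n       {2} = {3}" -f $flag, $key, $p.Name, $p.Value
    }
}

# Executables and scripts written to AppData recently. Raise $days to cover
# the time since the suspected infection (one day is an assumed default).
$days  = 1
$roots = @($env:APPDATA, $env:LOCALAPPDATA) | Where-Object { $_ }
$cutoff = (Get-Date).AddDays(-$days)

Write-Host "`n== Executable files under AppData modified since $cutoff =="
Get-ChildItem -Path $roots -Recurse -File -Force -ErrorAction SilentlyContinue `
    -Include *.exe, *.dll, *.scr, *.bat, *.cmd, *.vbs, *.js |
    Where-Object { $_.LastWriteTime -ge $cutoff } |
    Sort-Object LastWriteTime -Descending |
    Select-Object LastWriteTime, Length, FullName |
    Format-Table -AutoSize
```

Run it from an elevated prompt so the HKLM keys are readable, and compare any REVIEW entry and any recent AppData executable against what you know was installed on the machine before deciding what to delete.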