One of the biggest threats that I have encountered this year is the Zero Access botnet, also known as Sirefef and max++. The reason it is so dangerous is that it can bypass most antivirus systems and installs itself as a rootkit, which makes detection and removal extremely difficult. The normal use of this rootkit is to generate clicks from your machines and steal ad revenue from advertisers, but it can also cripple your machine and can be used to silently deploy other malware that steals your passwords and financial information.
Even if you have up-to-date antivirus and are very careful about which UAC (User Account Control) prompts you allow to run, you can still be infected. Make sure not to click yes on any of these prompts unless you are sure what they are. This is because the virus uses many stealth and disguise techniques to get around most security measures. It typically uses a polymorphic packer that is tested against most antivirus programs daily and changed whenever definitions are updated to detect it. The main path of infection is through iframe exploits. Malware authors can create a small (1x1px) iframe containing the scripts needed to exploit a target machine and force it to install the malware. These exploits target out-of-date plugins such as Adobe Reader, Adobe Flash, and Java, allowing the malicious code to run without your consent. If you have an old Windows XP machine, or are using Windows 7 with UAC disabled, this malware can be installed automatically without your knowledge just by visiting a compromised website. If you have Windows 7 or newer with UAC enabled, the installer will usually need the user to click “allow” on a UAC prompt before it can install. It does this by making you think the UAC prompt was generated by a legitimate application such as Adobe Flash Player, Google Chrome or Java Updater. A more in-depth explanation of its installation techniques can be found here.
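To show what the hidden-iframe delivery described above looks like from the defender's side, here is an added example (not from the original post) that scans an HTML page for iframes that are tiny, hidden by CSS, or pushed off-screen. The sample HTML and the `bad.example` hostnames are constructed, and the 10px "tiny" threshold is an assumed heuristic.

```python
"""Flag hidden iframes (tiny, invisible or off-screen) in an HTML page.
Added example; the sample HTML below is constructed, not real site content."""
import re
from html.parser import HTMLParser

# Heuristic thresholds (assumed): frames at or below this size are "tiny".
TINY_PX = 10
# Inline styles commonly used to hide a frame or push it off-screen.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d+", re.I)
TINY_STYLE = re.compile(r"(width|height)\s*:\s*[01]px", re.I)


def _px(value):
    """Parse a width/height attribute such as '1' or '1px' into an int."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


class IframeAuditor(HTMLParser):
    """Collects (src, reason) pairs for every suspicious <iframe>."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        w, h = _px(a.get("width")), _px(a.get("height"))
        if w is not None and h is not None and w <= TINY_PX and h <= TINY_PX:
            reasons.append(f"tiny frame {w}x{h}")
        style = a.get("style", "")
        if HIDDEN_STYLE.search(style):
            reasons.append("hidden by style")
        if TINY_STYLE.search(style):
            reasons.append("tiny via CSS")
        if reasons:
            self.findings.append((a.get("src", ""), "; ".join(reasons)))


def audit_html(html):
    """Return the list of suspicious iframes found in the given HTML text."""
    parser = IframeAuditor()
    parser.feed(html)
    return parser.findings


# Constructed sample: one legitimate embed, one 1x1 frame, one off-screen frame.
SAMPLE = """<html><body>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="http://bad.example/gate.php" width="1" height="1" frameborder="0"></iframe>
<iframe src="http://bad.example/x.html" style="position:absolute;left:-9999px"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, why in audit_html(SAMPLE):
        print(f"{why}: {src}")
```

Run it over pages fetched from your own sites (or from a web proxy log) to spot injected frames before users hit them.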
In the case of rootkits, the best way to make sure you are completely free of them once you know you are infected is to reinstall the operating system. This is the only way to be absolutely sure; however, in most cases it is simply not feasible. One of the best ways I’ve found to remove the Zero Access rootkit is Eset’s removal tool. While this tool is effective at removing the virus, it cannot repair damage to Windows system files and processes, so after cleaning the system you will need to run SFC /scannow to repair Windows files; if that fails, a Windows system repair or reinstall may still be required.
As scary as this latest virus is, there are things you can do personally and at your business to keep you safe from this and other malware. I’ve outlined the top 6 things I recommend below.
1) Antivirus. Make sure you have up-to-date antivirus software on at least your own machine. In a business environment I usually like to implement a multi-tier approach: antivirus software on all machines, along with a firewall capable of detecting and blocking viruses. While this alone will not completely protect you, when used in conjunction with the other recommendations below it can ensure you aren’t infected.
2) Patching. The primary method of infection is through security vulnerabilities in Windows, Microsoft Office, Adobe Flash, Adobe Reader, Java, Internet Explorer, Firefox, Chrome, and others. First you need to make sure you are not running old operating systems like Windows XP and Vista, as these provide a very low level of protection against attack. It’s nearly impossible to stop this virus from installing on these older operating systems if you visit a compromised website. If you are running Windows 7 or newer you should use Windows Update to apply all security patches. Just patching Windows, however, is not enough. Any 3rd-party programs, especially the ones mentioned at the beginning of this paragraph, also need to have the latest version installed to ensure they aren’t used to deploy the malware to your system. Keeping these 3rd-party applications up to date is one of the biggest challenges in a corporate environment and usually requires either expensive software or an experienced network management firm.
3) Firewall. I mentioned that a firewall that can detect and block viruses is a good idea, but for the best protection your firewall should also provide application inspection and control. These features can detect and block botnet activity, so that even if you do get infected they can keep the virus from contacting the internet to update itself, send out your personal information, or download other malware. You can also set up alerts to tell you if any botnet traffic is detected by the firewall. The only downside is that you need the right hardware, and configuring and monitoring these devices requires advanced IT knowledge. Many IT firms can provide firewall management services. Examples of firewalls with this kind of functionality include Fortinet and SonicWall.
4) Application Whitelisting. This is one of the newest and most advanced methods of keeping a computer safe. Examples of some of the better programs are Faronics Anti-Executable and Bit9. These programs work by using a central server that controls a list of allowed applications on all endpoints. This is one of the best ways to protect endpoints from malware, as it doesn’t rely on definitions that need updating; it simply stops anything that isn’t an approved application from running. Even if the malware masquerades as a legitimate program, this software can detect and block it by using digital signatures and file hashes to recognize when a legitimate application has been modified. The downsides to application whitelisting are that it can be very expensive to implement and difficult to manage. Also, it is not a complete solution in and of itself, because if you have vulnerable applications on your computer it can be bypassed.
5) Web Filtering. As we’ve seen, the most common delivery method is through malicious iframes on websites. One of the best ways to protect against these kinds of attacks is to implement web filtering at your organization. If you limit the websites your users have access to, you decrease the chances of them reaching the sites that are typically used as delivery methods for this virus. This can be difficult to manage, because you will have to whitelist many sites that your employees legitimately require access to, and it is possible that one of the allowed websites gets compromised. While this is not a solution by itself, implementing web filtering is another great layer of protection for your network. Many firewalls and antivirus solutions provide this capability.
6) User Training. In conjunction with the security software and methods listed above, it is important to train yourself and your employees about the ways these viruses spread and what not to do. Most infections are spread via social engineering, such as drive-by attacks using a compromised website or being bundled with seemingly harmless applications. In addition to using the methods above in your organization, you should train your users on what to look for. They should be instructed not to click on anything if they aren’t sure what it is, not to allow unexpected UAC prompts, and many other techniques that can keep them safe. Many consulting firms can provide social engineering testing and remediation services.
As you can see, today’s computer environment is becoming more and more dangerous, and protecting yourself from advanced malware requires using multiple techniques to make sure there are no holes that crafty Trojans can exploit. This can be very difficult for a smaller IT department to address. Use the form below for more information on how we can help keep your network and business safe.