Big malware players return during the autumn

By Giedrius Majauskas on October 3, 2011

Rogue AV market was mostly dead through August and September. Although this might be caused by Chronopay raid, the timing of the raids did not match with the decline. Additionally, we have seen significant shift to different kind of malware: google redirects, new kinds of rootkits, Bitcoin mining software and other kinds of parasites that do not require payment gateway which are easy to shut down.
Well, the nice play is over, and we see at least 3 large fake software families on the rise. The most interesting is Security Sphere 2012. The same guys had distributed biggest amounts of Fake AVs during last year. And that means the summer pause is over.
Interesting to note, that the pause was around 2 months long, quite similar to the one during last year. The timing is off by 2 months (end of May – mid July in 2010, August – September in 2011). Maybe we should call this (un)deserved holidays of malware makers?
Does that mean police got the wrong guy? Not necessarily. A warm place does not stay empty for long, and no single arrest will kill rogue antivirus business. It is a multi-million industry, where bad guys earn much more than good guys. For example, SuperAntiSpyware was bought out for around 8 mil USD only, which is insignificant to profits of Fake Antivirus payment processors.
There are some good news as well. Windows 8 will come with AV pre-installed and some security issues fixed. This should make malware makers life somewhat harder and we will see less aggressive infections. The single fear is that it will reduce overall investment in security software and this would result in poor quality antivirus solutions for everyday user.
At the moment, the best protection is strong Internet Security (or AV+Anti-malware) program and decent internet browsing habits. This will never go out of style.

Posted in | Leave a response

Which new Kindle would I choose?

By Giedrius Majauskas on September 28, 2011

So, the new Kindle Fire and several supplemental models are out. I wrote my expectations in the previous post about Kindle. To tell the truth, I got more than expected from Amazon’s announcement and it is much harder to choose now.
First, there is Kindle Fire – a new tablet with Android and Kindle application. It allows movie streaming as well. The biggest PRO’s – color, Android applications and movie streaming. The cons – sunlight readability on Kindle Fire should be poor compared to other Kindle versions. And that is very important if you read books outside your home. Secondly, E-Ink is one of the most power saving display technologies around. Kindle could be used for weeks, and IPADs – for hours only.

Then there are 2 other models : regular Kindle without keyboard present and Kindle Touch with infrared based touch screen. It is obvious that the last model is my total favorite. The reason is following: I love both touch screen and e-ink for my reading device. Button based interface is clumsy for my tastes and I do not use keyboard that much.
Thus my choice is quite obvious. I am planning purchasing Kindle touch when it will be available in Baltic countries (only regular Kindle is), and for media consumption I will use my laptop or maybe Ipad.

Posted in | Leave a response

Kindle Fire will be announced on September 28

By Giedrius Majauskas on September 27, 2011

Kindle Fire is supposedly the next generation e-book reader that is no longer based on e-ink technology. E-ink technology, which would offer significant energy saving and sunlight readability benefits, is not so suitable for tablets. First of all, it is slow, thus it is not so suitable for multimedia content. Secondly, it does not offer that much usability we are used to either (well not at affordable price).
Additionally, there is much more money in the tablet market for Amazon. Kindle Fire would run on Android and Amazon has its own application store, which (I assume) will come preinstalled. This would offer an initiative to distribute more paid applications through it and even some exclusive ones.
As far rumors goes, Kindle Fire is quite similar to RIM’s PlayBook, which was not that successful on its own. The reason being that it is manufactured and developed by the same company – Quanta. This reduced Kindle Fire development time.
Kindle Fire should be unveiled on September 28 and will ship on November during the holiday season. This would make a nice present for a geek, though some would prefer Iphone 5 :) .
Will I switch to Kindle Fire? Only time will tell. I would like to see it performance and see how it compares to Ipad 2. The problem with color displays is readability in the sunlight, thus I am not throwing my old good Kindle away in favor of Kindle Fire.

Posted in | Tagged | 1 Response

Is malware payment gateway shutdown the end of Fake AVs?

By Giedrius Majauskas on August 27, 2011

Head of ChronoPay

Several botnets were shut down and the CEO of rogue parmacy and fake antivirus credit card processor was  arrested recently. This resulted in the significant drop of malicious software activity in August. Many took time to celebrate and rightfully so. However, I do not think this is the end of Fake AVs or malware in general.
First, some background. The days of malware made by computer nerds for fun are long gone. The most of malware is created for profit, and as long as you see something on your PC, you can safely assume that it is for profiting. Fake AVs are best known and annoying nowadays as they collected payments directly by asking to pay for non-existing full version.  To make you pay, they scare you with non-existing threats for your PC. There were some variations with this, like recent PC Repair malware that scares with hardware errors instead of viruses, but the way they collect payment is the same: They ask for you to pay directly.

These payments cannot be processed easily, as every bank, Visa and Master Card looks for scams. Thus payment gateways are major bottleneck and risk point for malware makers. And taking even single of them down (not the website, but the company itself) hurts each of them significantly. Differently from malware skins and websites, it is more complex and costly task.

So, what will happen once the payment gateway gets down? There are many ways malware makers can still make money, and our experience shows that they do exactly that.

For example, we see a rise of clickjacking attacks, which forces user to click on their affiliated links that might not be harmful per se. The user is redirected from “real” websites or search results to the websites malware makers insert. The owners pay malware makers for traffic or sales.  Some of them are innocent, some just do not care about the source of the traffic. The famous google redirect virus, though there are other implementations as well.

Another possible way to make money for malware makers is distributing legal anti-malware or anti-virus programs instead of fake ones. This is illegal according to affiliate guidelines of all legitimate affiliate networks, but they might hope not to be caught. While there are various opinions which software is more likely to be distributed illegally, I would say this is not important at all. This can happen and will happen with all legitimate malware removal programs.  We have seen such things in the past as well.

Thirdly, one could spice up things with using other, non-security related programs that will require payment. This is already happening with VLC, which “paid version” is distributed by malware makers. There are affiliate programs for various codec packs as well, which are distributed by malware makers.

And lastly, they could return to adware or spyware model of operation, which pays less than others, but has less risks as well.

Thus it is highly obvious that we will not see less infections in the long run. What we see is the result of both some security program makers and PC owners focusing on visible forms of malware and judging amount of infections from that.

Posted in | Leave a response

Upgrade to Ndrive 11 – my experience and review.

By Giedrius Majauskas on August 10, 2011

Ndrive 11 is a navigation that has a version for Android phones. I have reviewed version 10 already, and version 11 is not new either. However, It was not available for Lithuania in android market until recently. Although there are maps for East European countries including Lithuania, Baltic countries were excluded for available country list in Android Market.
Ndrive 10 was free program, and maps were purchased through its website. This is what made program available in some countries. This is different in version 11: You purchase region based versions through Android Market (pricing is about the same). This effectively disables older version of Ndrive on your PC and might make the maps you purchased prior upgrade unusable.
The application itself has a faster feel than older version. Its interface is slicker, although many of the functions remained the same.The biggest Ndrive 11 upgrade is integration of Facebook and Foursquare check-ins. However, it is done through browser only and requires separate logins.
What I like about Ndrive most is their Point of interests database. It is huge in Lithuania, and even bigger in Portugal where application originates from. You will have no problems in finding lodging, eating places or interesting objects.
I also like its speed limit notification, even if you cannot trust it everytime. Speed limits change, and Ndrive cannot keep up with the changes.
Although I haven’t used Ndrive 11 that much yet, there are couple issues that should be addressed. First, It lacks pinch-zoom in navigation mode. This is required to get overview of the general area and find an alternative to the route it suggests. Such feature is necessary if one sees road blocks.
Secondly, Ndrive handles speed limits incorrectly. If you drive faster than speed limit, Ndrive will show that speed limit till you drop bellow it even if you drive out of that road span and speed limit changes. This might cause some problems.
Thirdly, the trap database is far from full. There are majority of traps added, but Ndrive warns of traps pointing to your direction only. However, some traps can test your speed both ways, and some trap entries have incorrect pointing directions.
Overall NDrive remains good alternative for navigation programs as long as Google navigation is unavailable. It could become somewhat better though.

Posted in | Tagged , | 2 Responses

Tracking Social behavior on websites: 6 things to implement right now

By Giedrius Majauskas on July 13, 2011

Keeping and tracking information about social sharing and actions becomes more and more important for anyone that cares about site’s visitors and site itself. However, not all tools allow easy tracking “out of the box”, so there is some work for developer. I assume that google+, share and retweet buttons are already on the site.

1. Add the site to Google Webmaster tools

Obvious, huh? However, this allows tracking of Google+ button clicks easily and produces valuable data about click profile changes. This should be a basic step for each larger website anyways.

2. Fix the Facebook open graph tags.

Facebook’s open graph like buttons do not work properly “out of the box”. There are couple tags required for them to become useful and traceable. You will be able to contact page liker’s from within FB after the fixing the tags for home page. You should not forget to define facebook admins for the site in the web page headers. Then you will be able to add and monitor your webpage in Facebook’s business insights.
This tool will allow easy validation of each page: https://developers.facebook.com/tools/lint/

3. Add social events tracking to Google Analytics

This one is very important if you are using Google analytics. Although GA tracks Google+ clicks out of the box, it does not track other social events. So, you should add some custom JS in the page code to launch specific analytics events on social button actions. The generic code is to launch trackSocial method in Javascript:
_gaq.push(['_trackSocial', network, socialAction, opt_target, opt_pagePath]);
Only the network and action are required and they are passed as custom text. The opt_target parameter is useful when one uses like button for other page than default one. This page offers the best explanation how to implement facebook likes and tweet tracking : http://code.google.com/apis/analytics/docs/tracking/gaTrackingSocial.html
Note, that this code is for asynchronous tracker. It will require some modifications if you use synchronous tracking, and you should probably switch to asynchronous tracker anyway. Also, you should switch to new Google analytics interface to see the tracking results.

Fix the JS of sharing buttons to track social actions as well

The code above is not universal. It tracks clicks on the default sharing/like buttons only. However, you will not be notified after shares resulting from social sharing plug-ins like AddThis or similar. However, as long as you have access to API or can modify JS, you can track these events as well:

<script type="text/javascript">

var addthis_config = {
data_ga_property: ‘UA-xxxxx-xx’,
data_track_clickback: true,
pubid: “addthis-id”
};

</script>

This configuration is enough to start tracking social Addthis actions in google analytics. Similar approaches might be applicable by other social sharing services.

5. Consider installing Seevolution or other JavaScript heatmap tool

Some services cannot be tracked easily. In such cases there are one option only: track clicks directly. And the best tools for that are javascript heatmap trackers. There are some choices there, though Seevolution ( http://seevolution.com ) is great and allows tracking several sites for free.

6 (bonus). Add google Alerts for tracking your website name and brand names over the web

Not every social interaction originates on your site. You should monitor your mentions on google alerts and some other services as well. This might lead to perfect opportunity to get more exposure and new visitors.

Will these 6 things cover all social interactions about your website? Definitely not. However, implementing these steps will result in much better understanding of what is happening around your site.

Any additional ideas or comments?

Posted in , | Leave a response

Status progress: what I am working on now, February 2011

By Giedrius Majauskas on February 25, 2011

Its end of the February already, and time flies really fast. So I think it is good time to do some retrospective about what I am doing and where I am going.
Last year was a blast – wedding, trip to Portugal, significant success with 2-viruses.com, starting up my own company. Most of these things are somewhat covered here. Each of these things would not be possible without my coworkers and team. It would not be possible without other people I have (virtually) met last year.
There are things that weren’t covered here. For one, my work on www.jurgita.lt and development of social code for new jurgita.com. Although many years due, we will do the change. I am really impressed what we did: an own engine to handle professional relationship within a niche, that is extendable and reusable. It took a long work hours of planning and implementation, and it is far from complete. All the things that are done now will be reused on further version of jurgita.com. We have not forgotten that project, as well.
We also work on a community site for healthy living, to provide a better way creating support groups and niche-specific information about ways to improve health with healthy eating, sports and healthier lifestyle. The project is far from completion – there are lots of things we are planning on adding and lots of information has to be processed and presented there.
There is also other, secret Lithuanian project we are working on now. It will launch soon, and this service is really needed in Lithuania. This project is result of co-working of 3 -4 companies, and it is related to publishing.
This, also work on older projects have given me insight about both my strength and weaknesses, which need to be improved and adjusted. I know that there is lot of learn, but only learning and trying new things will provide motivation to move forward. So here a small list of things I want to learn and do in 2011:

  • Learn Chinese (long term goal)
  • Improve English (permanent task)
  • Improve Link building and other SEM skills
  • Learn coding for Android (this year goal)
  • Attend at least one conference and find more like-minded people

So, that is my top goals for year 2011.

Posted in | Tagged | Leave a response

Malware tactics : impersonating legitimate programs

By Giedrius Majauskas on February 4, 2011

A goal of typical fake antivirus program is convincing you into giving away your credit card details. This can be done in several ways:
1. Simulating PC problems: showing porn, slowing it down, blocking other programs. This forces users into searching for solution to make PC usable. Quite often fake antiviruses try leaving user no other choice than purchasing the program.
2. Directly scaring about threats – creating “magic” PC scanners that can detect PC problems through network in seconds. Typically, these problems involve keyloggers, info stealers and similar applications that can cause major monetary loss
3. Impersonating legitimate software or brand to win user’s trust. Sure, the most favorite brand is Microsoft, but quite often other brands suffer.
Even if typical rogues involve 1,2, there is a significant wave of programs that mimic legitimate brands. The last one would be fake AVG Antivirus 2011 – a clone of Antivirus 8, Antivirus GT and other rogues. This time it targets AVG brand, and copies legitimate program design. This tactics is likely to work because of 2 reasons: Most people have heard about legitimate AVG, which is decent and popular antivirus, and it is hard to find negative information about AVG antivirus 2011 in the net that would warn user from purchasing the rogue.
Many users know little about Antivirus market and AVG itself. They haAVG-Antivirus_FakeAlertve heard that many people use it, they might have seen its logo or design. But they know little about how AVG should be distributed or why this “AVG” does not uninstall normally. Googling about AVG Antivirus 2011 uninstall problems will not lead to many related results, as the ways to uninstall legitimate AVG differs from ones used for removing fake version.

Now worst thing one can do is purchasing fake AVG antivirus 2011. Even if one agreed to spend some money on antivirus, the credit card details are likely to be misussed by the makers of the fake antivirus. Thus it is best to change compromised credit card in your bank.
If you look for solution for Fake AVG Antivirus 2011 problems, try my guide at 2-viruses.com. Alternatively, Malware researcher Xilibox created a tool to help register this rogue for free. However, whatever way you choose, scan your PC with decent anti-malware tools afterwards. Do not leave trojans around, or you will see new skin of this rogue family again.
Funnily enough, this is not a sole rogue that impersonates AVG these days – Here is MCAVG too. AVG is doing something right, I think.

Posted in | Tagged , | Leave a response

Palladium Pro – ThinkPoints successor in the wild

By Giedrius Majauskas on January 7, 2011

Last autumn was lead by ThinkPoint (or fake Microsoft essentials alerts) family of malware. Together with Security Tool Virus it was one of the biggest and the most promoted parasites. Most of other parasite families were divided in smallish, slower attacks that haven’t hit that huge amount of PCs. However, in late November ThinkPoints family went silent. Till now.

Meet Palladium PRO – a new fake antivirus related to ThinkPoint. The parasite is similar in many aspects to ThinkPoint: same infection scheme, almost same design, same scaring stragegy. Paladium Pro virus is introduced by faked Microsoft Security Essentials popups, saying that PC needs another internet security program to remove huge amounts of infections. After that, system reboots and users are greeted with Palladium Antivirus splash screen. The rogue uses Microsoft’s name to convince users that this antivirus is made by Windows makers themself. Its scan claims, that it managed remove some of infections, but others need special, paid, heuristical module which costs around 70 USD. Funnily enough, Heuristical modules are used for parasite identification mostly (in real antivirus) as it analyses behavior patterns of executables rather than helps in removal process. But most users infected with Palladium Pro do not know that.
Differently from its predecessor ThinkPoint, Palladium PRO uses a file in %APPDATA% folder to check if users have paid or not. If the file with specific name exists, it will claim that system is cleaned sucessfuly and most annoying popups will stop. However, trojans promoting scareware Palladium Antivirus will not be gone, and might hinder system work or download other versions of fake antiviruses. This means that if you are infected with rogue antiviruses, you need to scan system with decent anti-malware programs to remove all the Trojans and secure the system from similar intrusions.
How to get rid of Palladium Pro guide is available on 2-viruses.com

Posted in | Tagged , | Leave a response

Link exchange requests gone wrong

By Giedrius Majauskas on January 1, 2011

Link exchange between sites of same niche is valid and accepted way of site promotion with some search engine benefits. However, the requests for such link exchange go wrong sometimes. On New Years Eve I got such a request that I would like to share.

Now what is wrong with this letter? I would say EVERYTHING.
Firstly, it is obvious, that the sender is using automated or half-automated messages. It is obviously a template letter. I strongly doubt they have seen my site as they haven’t shared anything about it. There is no motivation to add a link.
Next, even without looking at the sites, I can spot a lie – our site niches are not related. This means that there are not only no use for me, but one would likely to get a penalty for linking to unrelated sites.
Third, a small detail. The names of sender does not match the ones in message header. This is one more proof of automated scheme.
Fourth: if you are sending non-automated message, do not add a line “if you do not want being contacted again”… Thats smells like automated message.
Thus, it is clear that these 2 sites, hxxp://globadstrategies.com and hxxp://workfromhome.business.edu.pe are promoted by trying to get any link, not only related one.
How to do it right way? Do some research, people. Talk with the people behind related, however non-competing websites.

Posted in | Tagged | 1 Response

Next »