1/01/2008

Like a Bagle With that AntiVirus?

For three days after death hair and fingernails continue to grow but phone calls taper off. - Johnny Carson

I don't catch many viruses; on the rare occasion that I errantly click on some unknown executable, Avast jumps up and bellows. But today, I made a boo-boo and watched in horror as my friends, the two Avast bluecons in the notification area, silently disappeared!

You might be saying to yourself, "Uh-oh..." - and you'd be right. There are more than 188 variations of the Bagle virus loose on the Internet. The latest variants carry the means to hide new kinds of nastiness inside your computer, and the antivirus software you already have cannot save you. In fact, not only does this little booger jump out from its invisible rootkit and whisk away the Avast service executables before they can be started, even during a fresh installation, it also disables the Windows Defender service, among other anti-spyware and antivirus installations.

That is correct. Traditional antivirus software, no matter how good, is totally, utterly USELESS against this threat once the rootkit is running, because its service is killed or its executable removed before it ever gets the chance to scan. Read the previous sentence again and weep.

Bagle is really a whole suite of malicious tools. One part of the code is a successful e-mail mass mailer, another part downloads new content from the Web, and another captures credit card and password information, and they all interconnect. But a major part of Bagle's success has been its ability to turn off active antivirus protection; without that, Bagle would not have survived so many iterations.

Currently, Bagle is being used by its authors to create botnets, which these crooks sell to others or use to make money for themselves. So simply disabling active antivirus protection is no longer enough for Bagle if its authors want to stay in business. Now they are storing the program's nastiest pieces in a rootkit: a kernel-mode driver that sits inside the Windows kernel and hides them from any tool running on the infected system. You can thank the fine people at Sony for helping the crooks with that innovation; Sony BMG's 2005 CD copy-protection rootkit showed the world how well the trick works.

In case you aren't familiar with this stuff: you cannot see a hidden rootkit process in Task Manager, and you cannot see its files in Explorer or from a command prompt either. I'm not talking about the "Hidden" attribute being set on the file; I'm talking INVISIBLE. The rootkit sits between programs and the Windows kernel and filters its own names out of every process list and directory listing the running system hands back. The bytes are still on the disk, though, which is why a scan taken from outside the running system (a clean boot disk, or a tool that compares what the kernel reports with what it reads from the disk directly) can find what Task Manager and Explorer cannot.

Don't kid yourself, these people are not script kiddies; they are hardened criminals, and they are making a lot of money ripping off people's credit cards and getting into their bank accounts and their trading accounts. You DO NOT WANT the Bagle virus on your machine! If you ever discover that your Windows Defender or antivirus service is "disabled" (and you didn't disable it), that the service's executable has vanished, or that you cannot reinstall your favorite antivirus product, that's a dead giveaway that you are INFECTED, and you need to take action right away.

Fortunately F-Secure offers a product called BlackLight that's specifically designed to find and remove rootkits; a free standalone version is available at the bottom of the page linked above. Oh, and don't click on unknown executables and expect Avast or your favorite AV to stop them; right-click and scan them first instead. When I finished scanning with the freebie, it had detected 424 hidden items that may have needed to be cleaned, none of which Avast had ever found. Anyway, I purchased their F-Secure Internet Security 2008 product for $59.90, which allows installation on up to three separate machines.

Even after running the freebie, renaming obvious files like "wintems.exe" and "srosa.sys", and cleaning out \Windows\System32\Drivers\down\, the full-blown "for pay" product still found and eliminated other "parts" of the offender.
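A small triage script, added here as an example (it is not part of the original post and not an F-Secure or Avast tool): it checks the two infection symptoms described above, a protection service that has been set to Disabled or whose executable has vanished, and the dropped files named in this post. The service names (WinDefend for Windows Defender, "avast! Antivirus" for Avast 4), the exact artifact paths, and the sample `sc qc` output the parser is exercised on are assumptions built from the names in the post.

```python
"""Bagle-style infection triage for a Windows machine (added example).

Checks the two symptoms the post describes:
  1. a protection service set to Disabled, or whose executable is gone;
  2. the dropped files the post names (wintems.exe, srosa.sys, Drivers\\down).
The parsing functions are pure so they can be exercised on the constructed
sample `sc qc` output below; main() runs the real checks on Windows.
"""
import os
import re
import subprocess
import sys

# Assumption: service names as installed in 2008. WinDefend is Windows
# Defender; "avast! Antivirus" is the Avast 4.x resident-scanner service.
PROTECTION_SERVICES = ["WinDefend", "avast! Antivirus"]

# Assumption: paths built from the file and directory names in the post.
SYSTEMROOT = os.environ.get("SystemRoot", r"C:\Windows")
ARTIFACTS = [
    os.path.join(SYSTEMROOT, "System32", "wintems.exe"),
    os.path.join(SYSTEMROOT, "System32", "Drivers", "srosa.sys"),
    os.path.join(SYSTEMROOT, "System32", "Drivers", "down"),
]

DISABLED = "4"  # sc.exe START_TYPE code for SERVICE_DISABLED


def parse_sc_qc(text):
    """Parse `sc qc <service>` output into FIELD -> value.

    Returns None when sc reports error 1060 (service not installed).
    """
    if "FAILED 1060" in text:
        return None
    config = {}
    for line in text.splitlines():
        match = re.match(r"\s*([A-Z_]+)\s*:\s*(.*)$", line)
        if match:
            config[match.group(1)] = match.group(2).strip()
    return config


def binary_from_path(binary_path_name):
    """Extract the executable from BINARY_PATH_NAME, dropping quotes and args."""
    match = re.match(r'\s*"?(.*?\.exe)"?', binary_path_name, re.IGNORECASE)
    return match.group(1) if match else binary_path_name.strip('"')


def assess_service(sc_output, exists=os.path.exists):
    """Classify one service as 'missing', 'disabled', 'binary-gone' or 'ok'."""
    config = parse_sc_qc(sc_output)
    if config is None:
        return "missing"
    start_type = config.get("START_TYPE", "").split()
    if start_type and start_type[0] == DISABLED:
        return "disabled"
    exe = binary_from_path(config.get("BINARY_PATH_NAME", ""))
    if exe and not exists(exe):
        return "binary-gone"  # the Avast symptom the post describes
    return "ok"


def find_artifacts(paths=ARTIFACTS, exists=os.path.exists):
    """Return the known drop paths that are visible to this process."""
    # Caveat: an active rootkit filters these names out of the kernel's
    # answers, so an empty list here does NOT prove the machine is clean.
    return [p for p in paths if exists(p)]


# Constructed sample output, modelled on `sc qc WinDefend` on a healthy
# machine; the disabled and not-installed variants are derived from it.
SAMPLE_HEALTHY = r"""[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: WinDefend
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\Windows Defender\MsMpEng.exe"
        DISPLAY_NAME       : Windows Defender
"""
SAMPLE_DISABLED = SAMPLE_HEALTHY.replace("2   AUTO_START", "4   DISABLED")
SAMPLE_NOT_INSTALLED = "[SC] OpenService FAILED 1060:\n\n" \
    "The specified service does not exist as an installed service.\n"


def main():
    """Run the live checks; exit 1 if anything looks like Bagle, 2 if not on Windows."""
    if sys.platform != "win32":
        print("run this on the Windows machine you suspect")
        return 2
    suspicious = 0
    for name in PROTECTION_SERVICES:
        result = subprocess.run(["sc", "qc", name], capture_output=True,
                                text=True, errors="replace")
        verdict = assess_service(result.stdout)
        print(f"{name}: {verdict}")
        suspicious += verdict in ("disabled", "binary-gone")
    for path in find_artifacts():
        print(f"artifact visible: {path}")
        suspicious += 1
    return 1 if suspicious else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it from an Administrator command prompt on the suspect machine. Keep the caveat in mind: `sc.exe` and the file checks ask the same Windows kernel the rootkit has hooked, so a clean artifact list means nothing on its own; what shows through is a protection service that is Disabled when you never disabled it, or whose executable has vanished, which is exactly the symptom the post says to watch for.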

I figure that eventually all the antivirus vendors will be hyping that they can detect invisible rootkit viruses, but as of now the F-Secure product is the only one that does. AVG, Panda and Symantec have "rootkit" betas or standalone tools, but as far as I have been able to determine at the time of this post, F-Secure is the only firm that has completely integrated spyware, malware, antivirus, e-mail spam AND rootkit detection into its base antivirus product.

Avast? You've been a good friend, but I am afraid that as for now, you are behind the bagel. And so we must now part.

Hey, it's us against them! And though it may cause some temporary annoyances, we will win.