Like a Bagle With that AntiVirus?

For three days after death hair and fingernails continue to grow but phone calls taper off. - Johnny Carson

I don't catch many viruses; on the rare occasion that I errantly click on some unknown executable, Avast jumps up and bellows. But today, I made a boo-boo and watched in horror as my friends, the two Avast bluecons in the notification area, silently disappeared!

You might be saying to yourself, "Uh-oh..." - and you'd be right. There are more than 188 variations of the Bagle virus loose on the Internet. The latest variations pack the means to hide new kinds of nastiness inside your computer, and current antivirus software cannot save you. In fact, not only does this little booger jump out from its invisible rootkit and whisk away the Avast service executables before they can even be started during an installation, it also disables the Windows Defender service, among other anti-spyware and antivirus installations.

That is correct. Traditional antivirus software, no matter how good, is totally, utterly USELESS against this new kind of threat. Read the previous sentence again and weep.

Bagle is really a whole suite of malicious tools. There's a part of the code that's a successful e-mail mass mailer, another part that downloads new content from the Web and a part that captures credit card and password information -- and they all interconnect. But a major part of Bagle's success has been its ability to turn off active antivirus protection; without that, Bagle would not have survived so many iterations.

Currently, Bagle is being used by its authors to create botnets, which these crooks either sell to others or use to make money for themselves. So it's not enough for Bagle to disable active antivirus protection if they want to stay in business. Now, Bagle's authors are storing the program's nastiest pieces deep inside the Windows system kernel, in a rootkit, where they cannot be detected. You can thank the fine people at Sony for helping the crooks with that innovation.

In case you aren't familiar with this stuff, you cannot see a hidden rootkit process in Task Manager -- and you cannot see it on the hard drive either. And I'm not talking about it having the "Hidden" attribute set on the file -- I'm talking INVISIBLE.

Don't kid yourself, these people are not script kiddies - they are hardened criminals and they are making a lot of money ripping off people's credit cards, getting into their bank accounts and their trading accounts. You DO NOT WANT the Bagle virus on your machine! If you ever discover that your Windows Defender or antivirus service is "disabled" or that you cannot reinstall your favorite antivirus product, that's a dead giveaway that you are INFECTED, and you need to take action right away.

Fortunately F-Secure offers a product called Blacklight that's specifically designed to find and remove rootkits; a free standalone version is available at the bottom of the page linked above. Oh, and don't click on unknown executables and expect Avast or your favorite AV to stop them. Instead, right-click and scan them first. When I finished scanning with the freebie, it had detected 424 hidden items that may have needed to be cleaned - none of which Avast had ever found. Anyway, I purchased their F-Secure Internet Security 2008 product for $59.90, which allows installation on up to three separate machines.

Even after running the freebie and renaming obvious files like "wintems.exe" and "srosa.sys" and cleaning out \Windows\System32\Drivers\down\, the full-blown "for pay" product still found and eliminated other "parts" of the offender.
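As an added example (not code from the post, from Avast or from F-Secure), here is a PowerShell triage script that checks for the indicators the post gives: a Windows Defender or antivirus service that is disabled or gone, and the file names and drop directory named above. It assumes 'WinDefend' as the Defender service name and uses a placeholder Avast service name to adjust for your product; because a kernel rootkit can hide files from the normal API, the script only flags findings and never treats a clean result as proof.

```powershell
# Added example, not from the original post. Assumptions: 'WinDefend' is the Windows
# Defender service name; 'avast! Antivirus' is a placeholder for your AV's service name.
# Get-CimInstance needs PowerShell 3+; on older systems substitute Get-WmiObject.
$watchedServices = @('WinDefend', 'avast! Antivirus')
$filesFromPost   = @('wintems.exe', 'srosa.sys')          # file names given in the post
$sys32           = Join-Path $env:SystemRoot 'System32'
$dropDir         = Join-Path $sys32 'drivers\down'         # drop directory named in the post

$findings = New-Object System.Collections.Generic.List[string]

# 1. Protection services: missing, Disabled, or not running. Defender is legitimately
#    off when a third-party AV is installed, so weigh a WinDefend hit against that.
foreach ($name in $watchedServices) {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
    if (-not $svc) {
        $findings.Add("service '$name' is not registered on this machine")
    } elseif ($svc.StartMode -eq 'Disabled') {
        $findings.Add("service '$name' has start mode Disabled")
    } elseif ($svc.State -ne 'Running') {
        $findings.Add("service '$name' is $($svc.State)")
    }
}

# 2. File artifacts. A kernel rootkit can hide these from the Windows file API, so a
#    hit is meaningful but a miss proves nothing.
foreach ($fileName in $filesFromPost) {
    Get-ChildItem -Path $sys32 -Recurse -Force -Filter $fileName -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("file named in the post found: $($_.FullName)") }
}
if (Test-Path -LiteralPath $dropDir) {
    $findings.Add("directory exists: $dropDir")
}

# 3. Report. Any hit is a reason to run a dedicated rootkit scanner, not a cleanup by itself.
if ($findings.Count -eq 0) {
    Write-Output 'No indicators found via the normal API; this does not rule out a hidden rootkit.'
} else {
    Write-Output 'Indicators matching the behaviour described in the post:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```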

I figure that eventually all the antivirus vendors will be hyping that they can detect invisible rootkit viruses. But as of now, the F-Secure product is the only one that does. AVG, Panda and Symantec have "rootkit" betas or standalones, but as far as I have been able to determine at the time of this post, F-Secure is the only firm that has completely integrated all of spyware, malware, antivirus, email spam AND rootkit detection into their base antivirus product.

Avast? You've been a good friend, but I am afraid that as for now, you are behind the bagel. And so we must now part.

Hey, it's us against them! And though it may cause some temporary annoyances, we will win.

Comments

  1. Anonymous, 7:02 PM

    I used Avast for years, and much as I regretted to do so, I switched to BitDefender.
    I had the same thing happen to me pretty much.
    My wife still uses Avast though with great results.
    Great Post by the way.

  2. Thanks. After reviewing your site, I notice that you do not represent F-Secure. They do have an affiliate program through Commission junction, you know.

  3. Anonymous, 9:26 AM

    Did you get hit on Vista or XP? Were you running as administrator or normal user?

  4. Anonymous, 12:19 PM

    Good article. We work primarily with small businesses, and while we believe every company should use a good SMB antivirus suite, it does not even come close to being enough security in today's environment. Zero-day response strategies are an absolute must. This is a challenge for many of our customers who still have the false assumption that antivirus is enough. Part of our job as a trusted adviser is to help educate them.

  5. Anonymous, 8:43 PM

    Great post, it describes what happened to me exactly! I was running Norton 360 though. Just by coincidence I found that the Norton icon had disappeared from my taskbar, and the weird stuff began to be noticed. UAC was disabled on Vista SP1 RC, Windows Defender and the firewall were shut down. Any attempt to install an antivirus resulted in "Not a valid win32 file" or in a failure of installation. This is a nightmare. The thing is, I just reinstalled Vista "a clean install", but something happened when I tried to install Norton again, and this is freaking me out. I'm using an online scanner now and BlackLight as you mentioned, and just praying!

  6. @Anonymous,
    What is WITH you people who have nothing better to do than post comments on people's blogs that have posts you "hope" will direct traffic to your site, and your site offers no real solution to the problem discussed?
