Malware in a Barcode

Quick Response codes, also known as QR codes, are two-dimensional barcodes originally invented by the automotive industry to keep track of parts during manufacturing. However, these barcodes can hold any type of information and were quickly adapted to many different industries. Most smartphones now have applications that can quickly read and process QR codes. You simply point your camera at the barcode and take a picture.

Kleczynski.com Quick Response code

The QR code generated above contains a link to this domain. While QR codes themselves do not contain malware, imagine a barcode that takes you to a malicious website, one that uses an exploit in your smartphone to install unauthorized applications. The possibilities are endless, and as this technology becomes more popular, there is greater motivation to find ways to exploit it. John Vezina put it best when he said, “I could, if I wished, print out dozens of QR codes and peel and stick them to bus stops, power line poles, or anywhere the things can stick to.”

Teaching Security to the Hopeless

One of my Twitter followers suggested that I write about security tips for the technically challenged. Instantly, I thought about my last visit home.

If you’re anything like me, you’ll notice that your friends, your family, and even people you rarely interact with always turn to you with their computer troubles. Sometimes, the questions are easy to answer, like recommending anti-virus software. Other times, you get the friend or family member that is technically savvy enough to follow your advice. Unfortunately, most of the time you get to deal with the hopeless, my parents being a prime example. Luckily my mother doesn’t read this blog. If she did, I’d get an earful on my next visit home.


Malwarebytes Brand Exploited Through Search

It’s not often that I search for the term Malwarebytes on Google. I know how to get to my own company’s website by typing it into the address bar. However, when a friend or family member asks me how to get to our website, I almost always instruct them to search.

Unfortunately, there exists a market where bad people benefit by preying on our users. They create websites which advertise that they distribute Malwarebytes and instead download a product of their own onto our users’ machines. They advertise on Google and turn up in search results. I’d equate this to a cereal company packaging their generic, less delicious brand into a Cheerios box and putting it on shelves.

Search result exploiting the Malwarebytes brand

If you see a page like this, it is fraudulent and you should go directly to www.malwarebytes.org instead.

It makes me sick, and I refuse to let it go on. Today, I instructed our legal team to pursue all of these cheaters in hopes that we can wipe them from the face of the Internet.

But that’s not all. How far is too far? Should advertisers on Google be allowed to use company names as keywords? If I search for Cheerios, should the first advertisement be for the generic brand? It’s allowed, a common practice, and in my opinion completely unethical.

California Looks to Fight Cybercrime

In August, the state of California created the nation’s largest e-crime unit, “a group of 20 investigators and prosecutors whose sole mission will be to thwart and prosecute cybercrimes like identity theft, Internet scams, computer theft, online child pornography and intellectual property theft across the state.” (source)

While this all sounds fantastic, I strongly doubt a team of 20 investigators can handle the amount of fraud, identity theft, and even a category as broad as Internet scams, which includes malicious software. I wonder how closely this e-crime unit will work with reputable companies in the security industry to help find these criminals.

Mysterious Case of the Executable Hijack

I got a message from my friend Paul today asking for help with an infection. He was using the latest version of Firefox at the time and was positive he did not click on any odd links or download anything malicious. Naturally, I advised him to run Malwarebytes Anti-Malware and had him send me the log. One specific entry popped out at me.

Memory Processes Infected:
c:\Users\Paul\AppData\Local\ojx.exe (Trojan.ExeShell.Gen) -> 3508 -> No action taken.

I picked up the phone and called Bruce Harrison, our VP of Research, and asked for an explanation. The result had shocked me. I was told that this was an executable hijack that is used with FakeAlert, a Trojan we see almost daily in our research center.

What exactly does that mean? Well, when the infection is able to penetrate your computer, it hijacks all executables to run the malicious file instead of their intended targets. For example, you try to open Skype and the malicious file starts instead.

It does this in two ways. First, it modifies each shortcut itself to point to the malware. Secondly, it modifies the .exe shell in the registry so that once again instead of starting the correct executable, it starts the malicious file.
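To check a machine for the second of those two changes, the registry side, here is an added example (not part of the original post, and not Malwarebytes code) that scans a text export of the Classes keys and reports where .exe handling differs from the Windows default. It assumes the export covers HKCU\Software\Classes and HKLM\SOFTWARE\Classes and has already been decoded to text; the sample export, class name and file path are constructed.

```python
import re

GOOD_CLASS = "exefile"      # stock class that the .exe extension maps to
GOOD_COMMAND = '"%1" %*'    # stock handler: run the clicked file with its own arguments

# Constructed sample export (.reg syntax); every value in it is made up for illustration.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.exe]
@="sampleclass"

[HKEY_CURRENT_USER\Software\Classes\sampleclass\shell\open\command]
@="\"C:\\Users\\example\\AppData\\Local\\sample.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"
'''

def parse_defaults(reg_text):
    """Map each key path (lower-cased) to its default (@) string value."""
    defaults, key = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and line.startswith('@="') and line.endswith('"'):
            defaults[key] = re.sub(r"\\(.)", r"\1", line[3:-1])  # undo .reg escaping
    return defaults

def find_exe_hijacks(reg_text):
    """Return (key, value) pairs where .exe handling deviates from the stock setup."""
    defaults = parse_defaults(reg_text)
    findings = []
    for key, value in defaults.items():
        if key.endswith(r"\classes\.exe") and value.lower() != GOOD_CLASS:
            findings.append((key, value))
            # Follow the substituted class to the command it actually launches.
            cmd_key = key[: -len(".exe")] + value.lower() + r"\shell\open\command"
            if cmd_key in defaults:
                findings.append((cmd_key, defaults[cmd_key]))
        elif key.endswith(r"\classes\exefile\shell\open\command") and value != GOOD_COMMAND:
            findings.append((key, value))
    return findings

if __name__ == "__main__":
    for key, value in find_exe_hijacks(SAMPLE_EXPORT):
        print(key, "->", value)
```

A clean export produces no findings. The shortcut half of the hijack is not covered here and needs a separate pass over the .lnk targets.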

Luckily, Malwarebytes Anti-Malware was able to patch Paul up — but we both wanted to know how this had happened. Bruce advised us to check the installed Java version. It was in fact outdated by several versions. I advised Paul to update to the latest version and he now has a healthy computer!

Sad News Regarding a Malwarebytes Employee

It is with a heavy heart that I announce the passing of a valued team member. Matt Russo passed away on Wednesday evening. Out of concern for his family’s privacy, I decided to hold off on the announcement until today.

I personally hired Matt to head up our social media push, including Facebook and Twitter. Matt always had a great personality and I enjoyed working with him directly. He will be missed by the entire Malwarebytes team.

Duqu: New Zero Day Malware Targets Businesses

Since the media has made a huge hype about this, I thought I’d clear up for my readers what Duqu is and how it affects you.

Duqu, also commonly referred to as the ‘son of Stuxnet’, is a Remote Access Trojan that uses a zero-day vulnerability in Microsoft Word to infect a machine. Once dropped on the system, Duqu’s primary task is to stealthily gather data, including logging keystrokes, making it a prime tool for cyberwarfare. However, Duqu is unique in that it was likely developed over several years and its primary method of distribution is through e-mail.

Specifically, Duqu is more likely used to target higher profile targets, such as large companies, from which it can steal data. Microsoft said they “see low customer impact at this time,” which makes sense if Duqu was indeed a targeted attack.

Here are a few tips for those who suspect they are vulnerable:

  1. While Microsoft has not issued a full patch just yet, it is important to know that a workaround exists. Simply click on the Suggested Actions menu.
  2. Scan all e-mail attachments you try to open with both anti-virus and anti-malware software. This should automatically be done if you have licensed versions of both products.
  3. The e-mails can be forged to look like they came from somebody else in the company. If you weren’t expecting an e-mail or the attachment looks fishy, err on the side of caution and ask if the attachment is indeed legitimate.

Note that these types of attacks are common and it is good practice to always follow the steps above.

Safe surfing!

How Many Security Researchers Does It Take to Rob a Bank?

Thought I’d share something that made me laugh today.

Moran Cerf talks about his work as a hacker who breaks into banks digitally. He reports these exploits to the bank and they pay him. Listen to his story as he attempts to break into a bank physically and everything goes wrong.

With this story, Moran won the 2010 Moth GrandSLAM story-telling competition.

I don’t think you’ll see me robbing banks anytime soon.