Malevolent malware, bad-ass botnets, virulent infections and other 2009 security low-lights
by Alan Zisman (c) 2010
First published in Business in Vancouver, January 5 - 11, 2010, issue #1054
High Tech Office column

Let’s look back over 2009 in security. Or is that insecure?
2009 was only a few weeks old when tech website ZDNet referred to a
“big badass botnet” that was spreading fast. Ultimately, the malware,
referred to alternately as Conficker or Downadup, infected an
estimated one out of 16 PCs.
Conficker spread itself in various ways, including on USB flash drives.
Ironically, the patch that immunized Windows systems from the infection
had been released by Microsoft the previous autumn, but too many users
were not up to date on Windows Update.
Windows vulnerabilities remained targets throughout 2009, but malware
authors also continued to target commonly installed applications.
Adobe’s free Reader, Flash and Shockwave seemed to always need updating
to close security holes, but they were not alone. Apple’s QuickTime,
Mozilla Firefox and more also played catch-up with vulnerabilities.
In February, the suggestion was made that routinely running Windows as
a limited user (rather than as the default “administrative” user) could
prevent an estimated 92% of Microsoft vulnerabilities. Nevertheless,
most users continue to run as administrative users, giving themselves –
and malware – the ability to install anything, anywhere, any time.
Also early in the year: a phishing scam disguised as a Canadian tax
refund notification was one of a range of scams and malware in 2009
that included faux messages relating to Michael Jackson’s death, H1N1
medications and Microsoft patches. The year ended with security company
McAfee warning of the “12 Scams of Christmas.”
Fake security software grew to be among the most prevalent perils for
Windows users. These were often spread by fake – but real-looking –
pop-ups claiming that an infection had been detected. Clicking OK
installed a “scareware” application, typically a hard-to-remove program
pretending to be a no-name brand antivirus program. Some scareware
demanded money; others spied on the user, sending in credit card
numbers or other personal information.
While users are often warned of the danger of surfing seedy porn and
download sites, scareware pop-ups showed up in ads hosted by reputable
websites, including the New York Times, the Drudge Report and
Lyrics.com. These sites don’t deal directly with advertisers, which
makes it too easy for scammers to pose as legitimate advertisers.
Another malware growth sector in 2009: social networks. As networks
like Facebook and Twitter continued their explosive growth, they too
became vectors for infestation. In June, for instance, Symantec warned
of a worm-bearing e-mail that pretended to be an invitation to join
Twitter. Social networks were being increasingly used for phishing,
McAfee warned. Online gamers were targeted by the Taterf worm.
Most of 2009’s security perils only affected users with various
versions of Microsoft Windows or running the Windows versions of Adobe
Reader, QuickTime and so forth. In October, Brian Krebs, the Washington
Post’s “Security Fix” columnist, suggested that businesses should stop
doing online banking on Windows systems. Krebs’ proposal: boot to a
Linux “live CD” and use that to go online for financial transactions.
Also in October, Microsoft released Windows 7, suggesting that the new
version was more secure than previous Windows releases. Of course, it
had said the same thing about those previous Windows releases when each
was new.
Even star-struck Windows users are at risk. Search for Jessica Biel
wallpaper, screen savers, photos or videos and McAfee estimates there’s
a one in five chance of landing on a Windows malware-serving site, as
Biel replaced Brad Pitt as the year’s most dangerous online celebrity.
While Mac OS X and Linux both remain more secure – and not just
less-targeted – than Windows, users of those non-Windows systems can
still fall for spam, phishing and other scams. These users, like their
Windows-using colleagues, need to keep their software patched and up to
date and to think before they click, especially when online.