Malevolent malware, bad-ass botnets, virulent infections and other 2009 security low-lights

by  Alan Zisman (c) 2010 First published in Business in Vancouver January 5 - 11, 2010 issue #1054

High Tech Office column

Let’s look back over 2009 in security. Or is that insecure?

2009 was only a few weeks old when tech website ZDNet referred to a “big badass botnet” that was spreading fast. Ultimately, the malware alternatively referred to as Conficker or Downadup infected an estimated one out of 16 PCs.

Conficker spread itself in various ways, including on USB flash drives. Ironically, the patch that immunized Windows systems from the infection had been released by Microsoft the previous autumn, but too many users were not up to date on Windows Update.

Windows vulnerabilities remained targets throughout 2009, but malware authors also continued to target commonly installed applications. Adobe’s free Reader, Flash and Shockwave seemed to always need updating to close security holes, but they were not alone. Apple’s QuickTime, Mozilla Firefox and more also played catch-up with vulnerabilities.

In February, the suggestion was made that routinely running Windows as a limited user (rather than as the default “administrative” user) could prevent an estimated 92% of Microsoft vulnerabilities. Nevertheless, most users continue to run as administrative users, giving themselves – and malware – the ability to install anything, anywhere, any time.

Also early in the year: a phishing scam disguised as a Canadian tax refund notification was one of a range of scams and malware in 2009 that included faux messages relating to Michael Jackson’s death, H1N1 medications and Microsoft patches. The year ended with security company McAfee warning of the “12 Scams of Christmas.”

Fake security software grew to be among the most prevalent perils for Windows-users. These were often spread by fake – but real-looking – pop-ups claiming that an infection had been detected. Clicking OK installed a “scareware” application, typically a hard-to-remove program pretending to be a no-name brand antivirus program. Some scareware demanded money; others spied on the user, sending in credit card numbers or other personal information.

While users are often warned of the danger of surfing seedy porn and download sites, scareware pop-ups showed up in ads hosted by reputable websites, including the New York Times, the Drudge Report and Lyrics.com. These sites don’t deal directly with advertisers, which makes it too easy for scammers to pose as legitimate advertisers.

Another malware growth sector in 2009: social networks. As networks like Facebook and Twitter continued their explosive growth, they too became vectors for infestation. In June, for instance, Symantec warned of a worm-bearing e-mail that pretended to be an invitation to join Twitter. Social networks were being increasingly used for phishing, McAfee warned. Online gamers were targeted by the Taterf worm.

Most of 2009’s security perils only affected users with various versions of Microsoft Windows or running the Windows-versions of Adobe Reader, QuickTime and so forth. In October, Brian Krebs, the Washington Post’s “Security Fix” columnist, suggested that businesses should stop doing online banking on Windows systems. Krebs’ proposal: boot to a Linux “live CD”and use that to go online for financial transactions.

Also in October, Microsoft released Windows 7, suggesting that the new version was more secure than previous Windows releases. Of course, it had said the same thing about those previous Windows releases when each was new.

Even star-struck Windows users are at risk. Search for Jessica Biel wallpaper, screen savers, photos or videos and McAfee estimates there’s a one in five chance of landing on a Windows malware-serving site, as Biel replaced Brad Pitt as the year’s most dangerous online celebrity.

While Mac OS X and Linux both remain more secure – and not just less-targeted – than Windows, users of those non-Windows systems can still fall for spam, phishing and other scams. These users, like their Windows-using colleagues, need to keep their software patched and up to date and to think before they click, especially when online.