In a post a while back, I wrote about how to remove Personal Security, a rather nasty piece of spyware. I recently had a computer in that was badly infected.
 
I tried removing it with MBAM, but it kept on returning. Annoyed, and not wanting to do a reinstall, I found a list of files, folders and registry entries to remove, after which the problem was solved.
 
Files:
c:\Program Files\PSecurity\
c:\Program Files\PSecurity\psecurity.exe
C:\Program Files\PersonalSec\
C:\Program Files\PersonalSec\psecurity.exe
C:\program files\PersSecurity\
C:\program files\PersSecurity\psecurity.exe
C:\program files\PersSecurity\system.dat
C:\Program Files\PersonSecurity\
C:\Program Files\PersonSecurity\psecurity.exe
c:\Program Files\Common Files\PSecurityUninstall\
c:\Program Files\Common Files\PSecurityUninstall\Uninstall.lnk
c:\WINDOWS\system32\win32extension.dll
c:\Documents and Settings\All Users\Start Menu\PSecurity
c:\Documents and Settings\All Users\Start Menu\PSecurity\Computer Scan.lnk
c:\Documents and Settings\All Users\Start Menu\PSecurity\Help.lnk
c:\Documents and Settings\All Users\Start Menu\PSecurity\Personal Security.lnk
c:\Documents and Settings\All Users\Start Menu\PSecurity\Registration.lnk
c:\Documents and Settings\All Users\Start Menu\PSecurity\Security Center.lnk
c:\Documents and Settings\All Users\Start Menu\PSecurity\Settings.lnk
c:\Documents and Settings\All Users\Start Menu\PSecurity\Update.lnk
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\PSecurity.lnk
%UserProfile%\Desktop\Personal Security.lnk

 
Registry entries:
HKEY_CLASSES_ROOT\CLSID\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}
HKEY_LOCAL_MACHINE\SOFTWARE\5FFB10D58FFCF482208906E6A889FD56
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "PSecurity"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "PersonalSec"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "PersSecurity"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "PersonSecurity"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\post platform "WinTSI 01.12.2009"

 
Keep in mind that not all of these entries will be present on every infected computer, and even after removing them you might still see Personal Security on the machine. At any rate, I’d recommend running a scan with MBAM after removing these entries.
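As an added check (not part of the original post), here is a read-only PowerShell audit of the file, folder and registry entries listed above. It deletes nothing; it only reports which artefacts are still present, which makes it a quick way to confirm a cleanup before the follow-up MBAM scan. It assumes the XP-era paths from the list and a 32-bit installation.

```powershell
# Added audit script, not from the original post: reports which of the
# Personal Security artefacts listed above are still present. It is
# read-only (nothing is deleted), so it can be re-run to confirm a cleanup.
# Assumes the XP-era layout in the list and a 32-bit install.
$programFiles = $env:ProgramFiles
$variants     = 'PSecurity', 'PersonalSec', 'PersSecurity', 'PersonSecurity'

$paths = @(
    foreach ($v in $variants) { Join-Path $programFiles $v }
    Join-Path $programFiles 'Common Files\PSecurityUninstall'
    Join-Path $env:SystemRoot 'system32\win32extension.dll'
    Join-Path $env:ALLUSERSPROFILE 'Start Menu\PSecurity'
    Join-Path $env:USERPROFILE 'Desktop\Personal Security.lnk'
)
$found = [System.Collections.Generic.List[string]]::new()
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $found.Add("File or folder present: $p") }
}

# Per-user autostart values named after the folder variants
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    $run = Get-ItemProperty -Path $runKey
    foreach ($v in $variants) {
        if ($run.PSObject.Properties.Name -contains $v) {
            $found.Add("Run value present: $v = $($run.$v)")
        }
    }
}

# Keys from the list above: the CLSID and the hash-named key under HKLM\SOFTWARE
$keys = 'Registry::HKEY_CLASSES_ROOT\CLSID\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}',
        'HKLM:\SOFTWARE\5FFB10D58FFCF482208906E6A889FD56'
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $found.Add("Registry key present: $k") }
}

# The User Agent "post platform" value is a leftover marker of the infection
$ua = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform'
if ((Test-Path -LiteralPath $ua) -and
    ((Get-ItemProperty -Path $ua).PSObject.Properties.Name -contains 'WinTSI 01.12.2009')) {
    $found.Add('User Agent marker present: WinTSI 01.12.2009')
}

if ($found.Count -eq 0) { 'No listed Personal Security artefacts found.' } else { $found }
```

Run it from an elevated prompt so the HKLM keys can be read; an empty result means none of the listed artefacts remain, not that the machine is clean, so the MBAM scan is still worth doing.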

Posted by razumny | Categories: MBAM, Spyware

Removing Personal Security

15 February 2010

I’ve recently had a few users call in, telling me that they’ve been infected with Personal Security, a rogue anti-spyware program from the same family as Cyber Security. Luckily, it’s pretty easily removed. Here’s how:
 

  1. Turn off System Restore on the infected computer
  2. Download and run rkill.com, which kills the processes
  3. Download and install Malwarebytes’ Anti-Malware
  4. Run a full scan of the computer
  5. Remove all threats
  6. Reboot, then repeat step 4

 
The second scan should turn up no threats at all. If it does turn up threats, repeat step 2, then step 4. If a second removal run doesn’t do the trick, my advice is to reinstall the computer.

Posted by razumny | Categories: Anti Virus, MBAM, Security, Spyware

I’ve been a happy user of AVG Free for a long time. Granted, it’s never been exactly easy to get, but a Google search does the trick. Having run version 7.whatever for some time, I got a message that they’d soon stop supporting it, and that I should upgrade to version 8. All fine and well, I did so, and after another Google search found the free version, which I downloaded and installed.
 
Now, I don’t mind paying for quality products, but frankly, there are so many good, free anti-virus solutions out there, that I really don’t see the need to pay for one (and the ones you pay for are in my experience usually inferior as well…).
 
So, back to my story. I had “upgraded” to AVG Free 8, and updated the databases when, in the corner of my eye, I saw the following message:
 
[Screenshot: AVG warning "Your computer may be at risk", etc.]
 
Naturally, I updated the signature files, but my system tray still looked like this:
 
[Screenshot: system tray after updating, captioned "Updated, still annoying"]
 
I browsed around the web, and found that I wasn’t the only one experiencing this problem. Browsing around some more, I found a FAQ hosted by Grisoft, telling me that:

Database is outdated, but no new updates are available
 
The “Database is outdated” message is displayed when the database is older than one week. This is in most cases caused by incorrect time or date settings on the computer. To check the time and date, please proceed as follows:

    Windows XP or 2000

  • either double-click on the time display in the lower-right corner of the screen
  • or open Start – Settings – Control Panel – Date and time
  • make sure the date and time are set correctly

 

    Windows Vista

  • either click on the time display in the lower-right corner of the screen and select “Change date and time settings”
  • or open Start – Control Panel – Clock, Language, and Region – Set the time and date – Change date and time
  • make sure the date and time are set correctly

I followed the instructions, and after a few restarts, the problem was gone. Paradoxically enough, a different computer, on which I also run AVG Free, was upgraded a week or so after this first one. The problem occurred there as well. In fact, every computer I have seen running AVG Free 8 seems to have the problem. It seems AVG is mucking about with the time and date settings, which is disappointing to say the least.

Fighting and defending against computer viruses is one of the largest challenges facing businesses and individuals in the IT world of today. To guard against this, most people have anti-virus software installed on their computers. However, even though you have anti-virus software installed, how can you be certain that the policy files are the ones your anti-virus supplier actually supplied? What do the different developers do to secure the transfer of these files? What sort of knowledge and access would be needed to hack through the protection?
 
I’ve asked these questions to a few of the leaders in anti-virus software development. Only two answered my questions; here’s what they said:
 
Norman

Norwegian security solutions developer Norman, whose security suite was recently crowned the winner in a Norwegian test of anti-virus solutions, could tell us that they have been using more or less the same method since the fall of 1999. Their method entails distributing all their software files as ZIP archives that have been signed and encrypted with a proprietary algorithm. The files are downloaded to the client computer by their program Norman Internet Update (NIU), which then decrypts them.
 
In order to hijack the transfer, three key elements are needed:
 
1. Knowledge of, and/or access to, the utility used to encrypt and sign the files
2. The ability to spoof the NIU client in order to make it download the files from a different site
3. A way to break the protocol used between the NIU client and the update servers, which is encrypted with a separate, proprietary algorithm
 
Norman has seen many attempts to hack the method since it was employed, none of which have succeeded.
 
Sophos

The British anti-virus developer Sophos, which develops security solutions for businesses, tells us they use a different method. They use a secured end-to-end SSL v3.1 2048-bit encrypted tunnel, using a CORBA-based management methodology. Within the tunnel (which uses pre-verified certificates distributed via the installer) a 512-bit key pair is agreed between the server and each client for layered complexity.
 
To hijack the transfer, the following would have to be done: First off, the attacker would need a copy of the certificates shared during installation (denying regular users local administrator access would simply and quickly make this a lot more difficult for an attacker). Secondly, the attacker would need to gain access to the VPN tunnel (2048 bit), or crack said tunnel if they don’t have the certificate. On top of this, the attacker would need a copy of each of the pre-shared keys for each computer, and work out the Sophos-specific implementation to crack the keys assigned to the computer. The entire process would need to be repeated for each computer, as every computer has a different key.
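Both vendors rely on the same underlying idea: the client only accepts update files whose signature checks out against key material that arrived with the installer, rather than with the update itself. As an added illustration, not code from Norman, Sophos or this post, the PowerShell below shows that check with the .NET RSA classes; the key pair, the function names and the sample update bytes are all constructed for the example.

```powershell
# Added example, not code from Norman, Sophos or the original post: verifying
# a signed update file against a verification key that shipped with the
# installer, using the .NET RSA classes. Function names and the sample update
# bytes are constructed for this illustration.
$sha = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$pad = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1

# Vendor side: the private key stays on the build system. A fresh key pair is
# generated here only so the example runs stand-alone.
$vendorKey = [System.Security.Cryptography.RSACryptoServiceProvider]::new(2048)
$pinnedPublicKey = $vendorKey.ExportParameters($false)   # what the installer would carry

function Publish-SignedUpdate([byte[]]$payload) {
    return @{ Payload = $payload; Signature = $vendorKey.SignData($payload, $sha, $pad) }
}

# Client side: only the pinned public key is available, so a valid signature
# proves the bytes came from the holder of the vendor's private key.
function Test-SignedUpdate($update, $publicParams) {
    $verifier = [System.Security.Cryptography.RSACryptoServiceProvider]::new()
    $verifier.ImportParameters($publicParams)
    return $verifier.VerifyData($update.Payload, $update.Signature, $sha, $pad)
}

# Constructed sample bytes standing in for a definitions archive.
$update = Publish-SignedUpdate ([Text.Encoding]::UTF8.GetBytes('definitions-2010-02-15'))
"Genuine update verifies:  $(Test-SignedUpdate $update $pinnedPublicKey)"

# One flipped byte in the payload must fail, even with the genuine signature.
$tampered = @{ Payload = [byte[]]$update.Payload.Clone(); Signature = $update.Signature }
$tampered.Payload[0] = $tampered.Payload[0] -bxor 1
"Tampered update verifies: $(Test-SignedUpdate $tampered $pinnedPublicKey)"

# A signature from some other key (an impostor update site) must fail too.
$otherKey = [System.Security.Cryptography.RSACryptoServiceProvider]::new(2048)
$forged = @{ Payload = $update.Payload; Signature = $otherKey.SignData($update.Payload, $sha, $pad) }
"Forged update verifies:   $(Test-SignedUpdate $forged $pinnedPublicKey)"
```

The second and third cases are the ones that matter for a spoofed update site: redirecting the client somewhere else gains nothing unless the attacker also holds the vendor's private key.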
 
Conclusion

In spite of significant advances in the field of computer security solutions, there are still many threats out there, and time has shown, and will most likely continue to show, that there is no such thing as absolute certainty. Because of this, it is imperative that developers of security solutions not only worry about their own end and the computers belonging to their customers, but that they also worry about, and take steps to secure, the transfer and updating of policy files. In spite of the limited response to my inquiries, the answers I have received show that these are problems that are taken very seriously indeed, and the steps taken thus far seem to have been effective.

Posted by razumny | Categories: Anti Virus