Navigating the Internet without web browsers would be like trying to drink your coffee without a mug. It simply doesn’t work. But the browser is also what stands between you and the millions of websites circulating malware out there. Accordingly, all major browsers have their own forms of protection against malicious software infections.
NSSLabs recently conducted a test in which the five leading browsing programs Apple Safari, Google Chrome, Microsoft Internet Explorer, Mozilla Firefox and Opera had to demonstrate their ability to protect against socially engineered malware downloads. A total of 754 real cyberthreats were used in this comparison. All five browsers were subjected to 550 test runs against these 754 unique malware URLs, resulting in over 18,000 test cases per browser.
Internet Explorer 10 is the safest, Opera ends up with the wooden spoon
The results of NSSLabs’ test are astonishing as there is a gap of almost 98% between the safest and the most insecure candidate. While Internet Explorer 10 blocked an impressive 99.96% of malware samples, Opera only scored a poor 1.87%. The second safest browser was Google Chrome with 83.16%. The only two programs that scored closely together were Apple Safari 5 and Mozilla Firefox 19 with 10.15% and 9.92% respectively.
Source: NSSLabs
Do I still need a security program?
Almost 100% detection of all malware samples sounds great in theory. One might be led to believe that this result renders anti-virus programs obsolete; however, this is an erroneous belief. Malware downloads are indeed one of the most prevalent infection vectors, but they are far from the only infection source. A browser can’t protect you against the dozens of new exploits for Adobe Reader, Java, Flash and other programs that appear every month.
Certainly it does make a difference which browser you use for navigating the Internet. While Internet Explorer appears to be a safe choice, all the other browsers are definitely not according to NSSLabs. Another point to bear in mind though is that this comparison only takes malware downloads into account when measuring browser security. The number of new critical exploits targeting the browsers themselves and how quickly the publishers react to them has not been taken into account.
This is why we strongly recommend that you use a security program with the best possible real-time protection. While on the subject, you should definitely take a look at Emsisoft Anti-Malware. With its three powerful layers of protection you don’t need to worry about how safe your browser is, because every malware attack will be thwarted reliably.
Complete test as PDF.
The results of Virus Bulletin’s April 2013 test are out now. Windows XP was chosen as the test platform, because a lot of people still use this operating system. A total of 45 different security programs had to prove their protection ability against approximately 20,000 threats (per week).
The test results for Emsisoft Anti-Malware 7.0 were once again impressive: 100% detection of all extended and standard WildList malware samples and no false alerts at all. Therefore Emsisoft Anti-Malware was awarded with the VB100 award for April 2013. Right after achieving 100% detection in the AV-Comparatives Real-World Protection Test, this is the second awesome result for Emsisoft within less than a month.
Have you ever received a contact request on Skype from someone you don’t know? This may happen from time to time, particularly if your Skype name is publicly searchable. But what is really behind these contact requests and why do people bother? To find that out we played along and the following conversation ensued:

At first sight it appears to be someone looking for a companion. But the dialogue is suspiciously general, questions are never really answered and the responses don’t allow for a meaningful discussion of any kind. When asking “Are you a bot” the invariable answer is “lol no i’m not a bot silly.”
The contact in our example has listed their birthdate as 1980, but claims to be 25 years old. That doesn’t add up either and when we ask about it, the question is completely ignored.
All this makes it obvious that instead of chatting with a real person we are in fact dealing with a chat bot. And this begs the question, why would a chat bot be interested in a human companion? Surely not for an engaging conversation… The answer to that question becomes clear when we look at the link the helpful Eva sent us when she offered her “free passes”. We are asked to sign up to what appears to be an X-rated video chat site:

It looks like our Eva is in fact Nancy, but who cares about such minor details when it appears we have a free date? Let’s move on to the registration:

This looks like a standard registration form, so let’s complete it and click Continue:

Now wait a second, our credit card information is required and that’s not what we had agreed to. Why would we need to provide payment details if “today’s charge is $0.00” anyway? There goes our free date and at the same time this reveals the true aim of this scam: credit card fraud.
“Safe Secure Encrypted” sounds good, but unfortunately we are not convinced of the accuracy of this statement. The site doesn’t even use the HTTP secure protocol (which would give the URL the “https://…” prefix), so our dating adventure ends here.
It’s all about the money
While chat bots may have a legitimate purpose (such as leaving an automated message when you are offline), that isn’t the case here. The only purpose of chat bots like the one we encountered, is to trick people into signing up and submitting their credit card details insecurely. Whoever gains access to the requested information (name, card number, CVC/CVV code and so on) can use your credit card on the internet for whatever they want. That’s a chilling thought, as scammers won’t waste any time in getting their hands on your money.
If you have become the victim of a (suspected) credit card scam, it is recommended that you contact your credit card provider (bank or financial institution) as soon as possible. They can block your card immediately and will tell you what steps you need to undertake to regain access to it.
Almost 10 years after we embarked on our journey to create the best possible antivirus product on earth, we have reached an important milestone. The renowned Austrian antivirus testing organization AV-Comparatives published the first real-world protection test in its 2013 test series.
Emsisoft Anti-Malware celebrated its test debut with a perfect score – 100% infections prevented!
The test included 422 live samples obtained by accessing websites that point to malware or use exploits to infect, as well as malicious email attachments. This provides a good overview of the typical everyday risks that users may face.

Download the full report (PDF).
For its outstanding scanner performance in the File Detection Test Emsisoft Anti-Malware attained “ADVANCED” level certification:

While the software faced a number of low prevalence false positives, we believe that this is expected for an initial test and that we can rectify the issue in upcoming tests.
Try our masterpiece now and experience the benefits yourself: Download Emsisoft Anti-Malware

Java is installed on almost all computers. This is an obvious security risk, considering that there are regular announcements on new Java vulnerabilities that enable hackers to infect your PC with malware. However, most users don’t even need Java and can safely uninstall it without losing needed functionality. Keep reading to learn all you need to know about Java and avoid unnecessary security risks to your PC!
Java and JavaScript – there is a huge difference
Both words sound closely related, but they actually aren’t. Whereas Java is a complete programming language or run-time environment for programs, JavaScript is, as you may deduce from the name, a scripting language. Scripting languages are mostly used to run rather small tasks, especially within your browser. JavaScript as a part of a website generally doesn’t have access to your computer’s filesystem and can’t run any programs or create files. Java, on the other hand, can. Running Java applications is basically like starting a regular program on your PC, which of course includes the ability to modify files on the system.
On one hand, Java programs can be run locally on your PC, and on the other hand, as a so-called Java applet in a browser that supports Java. Java applets are embedded in a webpage by means of simple HTML code:

When accessing the webpage with this HTML code, the Java applet called “javaprogram” is downloaded from the web server to your computer where it is run. Java applets are usually used when a website requires access to local files or your computer’s hardware.
Why is Java so dangerous and do I really need it?

Depending on which browser you are using and your settings, there may be security restrictions placed on Java, but these are frequently bypassed by vulnerabilities (“exploits”) within the Java environment or your browser itself. By default, Java applets are forbidden from interacting with other programs outside of the browser and from accessing files on your computer. However, if these restrictions are bypassed by an exploit, your system is wide open to anyone.
WARNING!
THE CURRENT JAVA VERSION IS CONSIDERED VULNERABLE!
Although Oracle, the company behind Java, has published several security updates in recent weeks, new vulnerabilities have already been discovered in the current version that enable specially crafted websites to gain full access to your system. As security updates are usually released with a delay of several months, this means that at any time, the current Java version may be vulnerable. All recently discovered vulnerabilities have one thing in common: They are exclusively related to browser Java applets, not locally installed Java programs.
Do Bilet, Benfry or ThinkFree ring a bell? Probably not, and this comes as no surprise – there are hardly any frequently used Java applets. Java applets are primarily used in business environments and company intranets. As a private user, you are more likely to encounter websites that use JavaScript or Flash. Things are a little different for desktop applications. There are quite a few well-known programs that require Java.
How to use Java securely
Here is Emsisoft’s security advice concerning Java:
- If you don’t need Java at all: Uninstall it! As with any other software, you can do this from the Control Panel via “Programs and Features”.
- If you are using Java programs, but don’t need browser integration, disable it. Information on how to achieve this can be found on the Java Homepage.
- If you do require Java, be sure to keep it up-to-date at all times. Don’t hesitate to apply new updates when they become available, as they may fix critical vulnerabilities.
- As critical vulnerabilities are usually not discovered before there is a new infection wave, it is important to use security software with real-time protection. Emsisoft Anti-Malware is able to reliably detect attacks even by unknown malware, thanks to its three security layers.
A few days ago, the famous Russian web portal COMSS published their January 2013 antivirus test results. With a total of 46 participants this is one of the most comprehensive reviews we have seen in a while. Microsoft’s Windows 8 32-bit was used as the testing platform and the programs had to prove their efficiency in the following categories: overall detection, simulation tests, protection at start, anti-phishing and performance.

Amongst this tough field of competitors, Emsisoft Internet Security Pack was able to demonstrate why it offers the best possible protection and why no computer should be without it. With a final score of 8.8 and an incredible detection rate, the security solution took first place ahead of Avira Internet Security 2013 and Kaspersky Internet Security 2013. Try the anti-virus test winner now and experience its first-class technology and easy-to-use GUI.
The following products took the first 10 places:
- 1) Emsisoft Internet Security Pack 7.0 – 99.7% detection, score 8.8
- 2) Avira Internet Security 2013 – 99.7% detection, score 8.2
- 3) Avira Free Antivirus 2013 – 99.6% detection, score 8
- 4) Kaspersky Internet Security 2013 – 99.5% detection, score 7.9
- 5) Avast! Antivirus Free 7.0 – 98.8% detection, score 7.8
- 6) G Data InternetSecurity 2013 – 99.9% detection, score 7.7
- 7) TrustPort Internet Security 2013 – 99.6% detection, score 7.7
- 8) Bitdefender Windows 8 Security – 99.0% detection, score 7.5
- 9) Bitdefender Internet Security 2013 – 99.0% detection, score 7.5
- 10) McAfee Internet Security 2013 – 98.7% detection, score 7.4
The complete test can be found here: Global COMSS.TV antivirus test: January 2013
(English by Google Translate)
Major download platform download.com aka CNET has awarded the Emsisoft Emergency Kit with their highest rating “Spectacular”. The kit is a collection of tools for malware detection and removal. A great benefit: It does not require installation and can be started directly from a USB stick or other removable media. Both the download and usage of the program are completely free for private users.
Conclusion of the reviewer: “In the right hands, Emsisoft Free Emergency Kit can bring powerful tools to bear on a wide range of PC troubles.”

The complete article can be found here: CNET Editors’ review.
The websites of the famous US broadcaster NBC as well as various popular NBC shows like “Late Night with Jimmy Fallon”, “Jay Leno’s Garage”, and possibly others have been hacked. Attackers managed to inject malicious iframes both inside the homepages as well as some JavaScript files that point to the RedKit exploit kit:

Malicious iframe inserted into the NBC main page

Malicious iframe inserted into one of the NBC JavaScript files

Malicious iframe inserted into the Late Night with Jimmy Fallon main page

Malicious iframe inserted into the Jay Leno’s Garage main page
Overall we observed the attackers use the following drop sites for their attack:
Once a user visits one of the affected NBC websites the RedKit exploit kit will scan the user’s PC for exploitable versions of various browser plugins like Adobe Acrobat or Java and send a viable exploit (for example CVE-2013-0422, CVE-2010-0188) to the unsuspecting user’s browser. The exploit will then install the infamous Citadel or ZeroAccess malware on the user’s PC.
Citadel is the name of a whole malware family that belongs to the category of “bots”. Once a system is infected with Citadel the attacker (usually referred to as “bot herder”) is able to take full control over the victim’s PC. Today Citadel is used mostly for banking fraud, espionage, as well as a distribution network for other malware. At the moment the detection rate of the Citadel variants used for the attack is particularly low. Emsisoft users though are already protected as Citadel is picked up based on its behavior by the Emsisoft Anti-Malware behavior blocker:

Emsisoft Anti-Malware detecting the new Citadel variant used for the attack
ZeroAccess belongs to the category of bots as well. Unlike Citadel though, ZeroAccess is commonly used for click fraud. The ZeroAccess malware will essentially cheat advertisement networks out of money by simulating clicks on advertisements or by redirecting search requests. As with the Citadel variants, detection rates of the ZeroAccess variant used by the hackers are quite bad:

Detection rates of the ZeroAccess variant used by the NBC attack according to VirusTotal
Emsisoft Anti-Malware users though are protected as ZeroAccess, like Citadel, is picked up based on its behavior by the behavior blocker:

Emsisoft Anti-Malware detecting the new ZeroAccess variant used for the attack
In the meantime we have also issued signature updates to allow users affected by the hack to use our free Emsisoft Emergency Kit to find and clean any Citadel and ZeroAccess infections.
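A defender-side check for the kind of injection described above, as an added example that is not part of the original post: it scans HTML or JavaScript source for iframes that point off-site or are hidden from the visitor. The trusted host list, the sample markup and the hiding heuristics are assumptions made for the illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
HIDING_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}",
    re.IGNORECASE,
)

# Constructed samples; broadcaster.example and example.net are placeholders.
SAMPLE_PAGE = """<html><body><h1>Shows</h1>
<iframe src="https://video.broadcaster.example/player" width="640" height="360"></iframe>
<iframe src="http://dropsite.example.net/in.html" width="1" height="1"
        style="visibility:hidden"></iframe>
<iframe src="/assets/frame.php" width="0" height="0"></iframe>
</body></html>"""

SAMPLE_JS = r'''var nav = initMenu();
document.write('<iframe src=\"http://dropsite.example.net/in.html\" style=\"position:absolute;left:-1000px\"></iframe>');
'''


class _TagAttrs(HTMLParser):
    """Parses a single start tag and keeps its attributes."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        self.attrs = {name: value or "" for name, value in attrs}


def _tiny(value):
    # A frame 0-2 pixels wide or high is invisible to the visitor.
    match = re.match(r"\s*(\d+)", value)
    return bool(match) and int(match.group(1)) <= 2


def find_suspicious_iframes(text, trusted_hosts):
    """Scan HTML or JavaScript source for off-site and/or hidden iframes."""
    # Markup written from a JS string usually carries backslash-escaped quotes.
    text = text.replace('\\"', '"').replace("\\'", "'")
    findings = []
    for match in IFRAME_TAG.finditer(text):
        parser = _TagAttrs()
        parser.feed(match.group(0))
        attrs = parser.attrs
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if host and not any(host == t or host.endswith("." + t) for t in trusted_hosts):
            reasons.append("off-site src")
        if _tiny(attrs.get("width", "")) or _tiny(attrs.get("height", "")):
            reasons.append("tiny dimensions")
        if HIDING_STYLE.search(attrs.get("style", "")):
            reasons.append("hidden by style")
        if reasons:
            # Off-site and hidden together is the strongest signal. A hidden
            # frame with a same-site or relative src is still reported, since
            # an injected frame can point at a page on the compromised site.
            high = reasons[0] == "off-site src" and len(reasons) > 1
            findings.append({"src": src, "severity": "high" if high else "review",
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for name, source in (("page", SAMPLE_PAGE), ("script", SAMPLE_JS)):
        for finding in find_suspicious_iframes(source, {"broadcaster.example"}):
            print(name, finding["severity"], finding["src"], finding["reasons"])
```

Run against a site's own files from a known-good baseline first, so that legitimate hidden frames can be added to the trusted list before the check is used for alerting.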
“Your computer is blocked!” – Not something you enjoy seeing when using it. Unfortunately thousands of PC users worldwide find themselves in a situation where, all of a sudden their computer is unusable unless they pay a fee to unlock it. The FBI or a similar national law enforcement organization seems to claim that access to the computer has been restricted. The usage of pirated software, distribution of child porn and copyright infringements are most often brought up as grounds for these restrictions. “Seems” is the keyword here, because a malware infection, not an official law enforcement organization, is responsible.
While the idea of scaring a user into paying money to regain the use of their computer isn’t new and has been used for years by rogue security programs, the “scare” factor is much greater with so-called ransomware because in many cases the PC cannot be used at all, and the only option remaining is the entry of the unlock/payment code.
The last months have shown a massive increase in ransomware infections with new variants, droppers and infection methods each day. We have previously discussed ransomware in 2011 – The Renaissance of Ransomware, but because the risk of catching such an infection has increased so much we want to afford it extra attention to make computer users aware and point out preventive measures.
There are two main categories of ransomware, the so-called screenlockers and crypto ransomware. Screenlockers are widespread; they use exploit kits, infected sites and downloads and target home users as well as corporate computer users. Crypto ransomware often (but not exclusively) spreads through dedicated server hacks and home users will not be affected as much by this category of ransomware.
Screenlockers
Screenlocker ransomware can infect a computer in a variety of ways. Popular methods include the use of Java exploits, as many Windows users have outdated versions of Java installed, which contain vulnerabilities that can be exploited by malware to infect a system. Another is porn sites with videos or other site content that actually installs malware when executed or activated.
A typical screenlocker will usually display a law-enforcement logo. Which logo that is depends on the screenlocker variant, but can also depend on country. Furthermore an offense is specified; as mentioned already, this often concerns copyright infringement, child porn distribution, software pirating and similar. Next of course is the most important thing – the payment method. Sometimes a specific unlock code is required, but in most cases a prepaid payment method like Ukash or PaySafe is used.
Some screenlockers add extra elements, for example to give the impression that webcam capture is activated or geographical data is being collected, by displaying the IP address and location (see image).

Windows as well as all third-party software present on your computer is up-to-date. Especially Java and Adobe Reader – two programs that are commonly exploited by malware for the simple reason that they are installed on so many systems and many users use older versions. For further advice on how to keep your computer safe, also see this article.
In particular, the number and variety of screenlocker infections have exploded in 2012. One of the most common screenlockers is Reveton (see image), commonly referred to as the FBI moneypak trojan. While during the first months of 2012 this infection was seen only occasionally, there was a major outbreak in July/August and since then other variants have also been increasing in prevalence, causing screenlocker infections to surpass the number of rogue infections.
While the ransom screen can look convincing, it is nothing more than a scam, with the only objective being to scare a computer user into paying the ransom. Fortunately, removal of a screenlocker is possible and our experts on the Emsisoft Support forum are always there to help victims of such scams to regain access to their computer.
Crypto ransomware
Well-known crypto ransomware infections are ACCDFISA and Dorifel. Unlike screenlockers, crypto malware actually encrypts personal files (on all drives connected to the computer at the moment of infection), which makes it a much more severe threat than screenlockers. Newer crypto malware variants make recovery of encrypted files extremely difficult if not impossible. A preventive security solution is imperative as important personal files could be irretrievably lost, which, especially in a corporate environment, can cause serious problems. A few preventive measures, necessary for any server, are:
- Make sure all the latest server/software updates and patches are installed. Server hacks are often performed by exploiting an existing software vulnerability. Whenever a zero-day vulnerability is discovered a software company will release a patch to fix this and it is crucial to apply such patches as soon as possible.
- Make sure offline backups (backups stored on a medium not connected to the server computer) are made regularly, because data on any connected backup drive will be affected, making the backup useless.
- Use strong passwords, containing random characters. This will make gaining server access through brute-forcing a lot more complicated.
Other crypto ransomware like Birele infects home users as well as corporate users, using the same methods as screenlocker ransomware. In some cases recovery of the encrypted data is possible.
So, how much money is involved?
A typical screenlocker usually asks for $100 – $200, crypto ransomware may ask a lot more (it is not uncommon for newer ACCDFISA variants to request sums of $4000).


The reason for this difference can be explained by looking at the targeted victims (loss of critical files on a server used to store company/customer data can mean a direct financial loss for the company). Millions are made yearly by people who set up these scams. The images show a few ransom amounts from different variants. As ransomware is so “popular” and recovery can be difficult, prevention is essential, not only for corporate users but for home users as well. To summarize, we recommend that all users heed the following advice to save themselves a lot of trouble and frustration:
- Make sure all software is up to date and especially when using servers running 24/7, ensure you are using strong passwords.
- Use a real-time Antivirus solution with a good behavior blocker such as Emsisoft Anti-Malware, which will detect the changes ransomware makes at an early stage.
Last week, a new zero-day Java vulnerability created quite a buzz on the Internet. To illustrate just how effectively this vulnerability is exploited, let’s have a look at an email our research lab received, supposedly from LinkedIn.
Below you can see the email as we received it. It looks harmless enough and appears to be sent to us from a genuine LinkedIn email address.
The message looks pretty authentic, but as it happens “Carlos Green” doesn’t sound familiar. A simple right click and copy of the hyperlink reveals the actual URL address:
hxxp://cdn-iix.static.unkn0wn.or.id/linkfrrequest.html
Which in turn redirects us to:
hxxp://shininghill.net/detects/solved-surely-considerable.php
Analysis of this URL reveals that it exploits a vulnerable Java version (7 update 10 or older) in order to install the well-known ZeuS banking trojan. The image below illustrates how an executable with a size of 285184 bytes, named “readme.exe” is retrieved from the remote server. A quick check of the binary data reveals that this is the same file as the ZeuS executable that will end up infecting the system.

After the malicious code is loaded the browser will redirect to the normal LinkedIn website. The installed malware is detected by Emsisoft products as Trojan.Win32.Zbot.
When testing the malicious URL on the same system with the latest Java update (7 update 11) installed, the site will still make an attempt to infect the computer but will not succeed in requesting and retrieving the readme.exe file. In the end no malware is installed.
More information about this Java vulnerability can be found in the Oracle Security Alert for CVE-2013-0442.
Java exploits are among the most common sources of infection. Many computer users have Java installed but do not keep it up to date. This makes it a profitable business for malware writers and distributors to look for (new) vulnerabilities and exploit them. New exploit kits are sold for thousands of dollars.
If you have become the victim of this exploit and need help cleaning your computer, our experts in the “Help, my PC is infected!” Emsisoft Forum are always ready and willing to offer additional help. The removal service is free even if you are not an Emsisoft customer yet.
To prevent infection in the first place, make sure you:
- Keep Java and other commonly exploited software (e.g. Adobe Reader and Flash player), as well as your Windows installation up to date.
- Use an Antivirus solution with a good behavior blocker, such as Emsisoft Anti-Malware. Traditional signature-based detection alone is ineffective against this type of malware.
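The manual link check described above (copying the hyperlink to reveal the actual URL), automated as an added example that is not part of the original post: it parses a message, takes the domain the sender claims, and reports links that lead somewhere else. The sample message and its example.net hosts are constructed placeholders, and treating every host under the claimed sender domain as legitimate is a simplifying assumption.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; hosts under example.net are placeholders.
SAMPLE_EMAIL = """\
From: LinkedIn <invitations@linkedin.com>
Subject: Invitation to connect
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Carlos Green wants to connect with you.</p>
<a href="http://cdn.static.example.net/linkrequest.html">Accept invitation</a>
<a href="http://cdn.static.example.net/profile.html">www.linkedin.com</a>
<a href="https://www.linkedin.com/help">Help</a>
</body></html>
"""


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _bare(host):
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host


def _html_body(msg):
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True)
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def audit_links(raw_email):
    """Return links whose real target disagrees with what the mail claims."""
    msg = message_from_string(raw_email)
    # The From header is only a claim, but it is what the reader sees.
    claimed = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    collector = AnchorCollector()
    collector.feed(_html_body(msg))
    collector.close()
    findings = []
    for href, text in collector.links:
        url = urlparse(href)
        host = _bare(url.hostname)
        if not host:
            continue  # mailto:, anchors, relative links
        reasons = []
        if not (host == claimed or host.endswith("." + claimed)):
            reasons.append("host not under claimed sender domain")
        if text and " " not in text and "." in text:
            # Visible text that is itself a host name or URL.
            shown = urlparse(text if "://" in text else "//" + text).hostname
            if _bare(shown) != host:
                reasons.append("visible text names a different host")
        if url.scheme != "https":
            reasons.append("not https")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_links(SAMPLE_EMAIL):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```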