Southeast Asia’s Viral Infection

Southeast Asia is fast developing a reputation as the most dangerous place on the Internet. It’s not a reputation the region can afford to have.

In the past few months Thailand has risen to be the country with the most malware infections by one count, and the second most by another.

PandaLabs’ report on the second quarter of 2011 [PDF] lists Thailand as having the second highest rate of malware infection (after China) with nearly 57% of computers scanned by their antivirus software as being infected. The global average is about 40%. Thailand was second in the previous quarter too, but with an even higher infection rate, of 65%. Most of these infections seem to come from worms.

Indeed, this trend seems to have started last year. The Anti-Phishing Working Group’s report for the second half of 2010 lists Thailand as the most infected country, at nearly 67%, higher than China’s 63%. (I should point out that the chief analyst for the APWG is Luis Corrons, who is technical director of PandaLabs, so the source of this data may actually be one place.)

Indonesia, meanwhile, now equals the United States as the highest single source of Distributed Denial of Service attacks, according to data from Kaspersky (Expect More DDoS Attacks Tomorrow, published on Monday):

The US and Indonesia topped the rating with each country accounting for 5% of all DDoS traffic. The US’s leading position is down to the large number of computers in the country – a highly attractive feature for botmasters. Meanwhile, the large number of infected computers in Indonesia means it also ranks highly in the DDoS traffic rating. According to data from Kaspersky Security Network, Kaspersky Lab’s globally-distributed threat monitoring network, in Q2 2011 almost every second machine (48%) in Indonesia was subjected to a local malware infection attempt.

A couple of points here:

  • Indonesia has a lot fewer computers connected to the Internet than the U.S.: about 40 million vs 245 million. On those figures Indonesia is generating roughly six times as much DDoS traffic per computer as the U.S.
  • The discrepancies in the infection rates between Kaspersky and Panda are artifacts of the way these companies measure these things. Basically, as far as I understand, they gather data from users, so a lot depends on just how popular that particular piece of antivirus software is in the country, and on factors such as the likelihood of people actually using antivirus software.

The Kaspersky report shows that Southeast Asia features heavily in the proportion of DDOS traffic:

  • Indonesia 5%
  • Philippines 4%
  • Vietnam 4%
  • Thailand 4%
  • Singapore 4%
  • Malaysia 3%

Internet traffic optimizer Akamai, meanwhile, reported [PDF, may have to answer a short survey before reading] that Burma (Myanmar) accounted for 13% of the world’s attack traffic. (Akamai’s “attack traffic” is the unsolicited traffic its distributed agents see aimed at them, so it is a broader measure than DDoS traffic alone.) This was the first time that Burma appeared on the list. I’ve spoken to Akamai and they’re not clear why this is the case, but they did point to the fact that their data covers the first quarter of 2011, a few months after a massive DDoS attack on Burma which happened to coincide with the country’s elections.

The suspicion at the time was that this was self-inflicted: basically pro-government hackers preventing Burmese from using the Internet to get alternative sources of election information. Makes sense. Akamai’s theory is that the traffic they saw in the first quarter of this year was residual traffic from those massive attacks. But the truth is that no one knows.

More generally, it’s not good that Southeast Asia is now becoming this malware and DDOS capital. There are lots of reasons for it, which I’ll be exploring as part of a project in the months to come.

Full version of the Kaspersky report: DDoS attacks in Q2 2011 – Securelist

The Trojan That Never Was

image

How not to handle a PR debacle, Part 767:

Avast, the free antivirus I’ve been using, and recommending, for a while, has lost my confidence by a double whammy: mis-identifying pretty much every executable on my computer as a Trojan, and then not telling me about it.

Apparently an update to the software will misidentify a lot of files as containing the Trojan Win32:Delf-MZG, suggesting you do a boot scan to clear out infections. Do so, and you’ll likely find that Avast will be deleting a lot of major program files, including those in the Windows directory.

This is bad, because these are what are called false positives, i.e. files that are not infected. An update to the Avast virus database created the error, and it has, apparently, since been corrected with a further update. But not before hundreds, maybe thousands, of users did what I did: boot scan and religiously delete “infected” files.
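The check I would want before deleting anything a definition update has suddenly flagged, as an added example that is not from the original post or from Avast: look at each file’s Authenticode signature and record its hash, so a signed Microsoft binary in the Windows directory is quarantined and investigated rather than deleted. It assumes PowerShell 4 or later (for Get-FileHash); the paths in the usage line are placeholders.

```powershell
# Added example (not from the original post or from Avast): triage files an
# antivirus update has flagged before acting on the verdict. A valid Authenticode
# signature on a file under the Windows directory makes a mass detection after a
# definition update far more likely to be a false positive. Assumes PowerShell 4+.
function Get-FlaggedFileTriage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string[]] $Path
    )
    process {
        foreach ($p in $Path) {
            if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
                [pscustomobject]@{ Path = $p; Status = 'Missing'; Signer = $null; SHA256 = $null; InWindowsDir = $null; Advice = 'file not found' }
                continue
            }
            $sig  = Get-AuthenticodeSignature -FilePath $p
            $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

            # Only a starting point: signed malware exists, and on older systems
            # catalog-signed Windows files show up as NotSigned, so "unsigned" on
            # its own is not evidence of infection. Quarantine, never delete.
            $advice = switch ($sig.Status) {
                'Valid'        { 'signed: probable false positive, confirm the hash with the vendor' }
                'HashMismatch' { 'signature broken: file modified, keep quarantined and investigate' }
                default        { 'unsigned or unverifiable: quarantine and investigate' }
            }

            [pscustomobject]@{
                Path         = $p
                Status       = $sig.Status
                Signer       = $signer
                SHA256       = $hash
                InWindowsDir = $p.StartsWith($env:WINDIR, 'OrdinalIgnoreCase')
                Advice       = $advice
            }
        }
    }
}

# Usage (placeholder path): feed it the list the scanner produced and sort the
# signed Windows files to the top before deciding anything.
# Get-Content .\flagged-files.txt | Get-FlaggedFileTriage |
#     Sort-Object InWindowsDir, Status -Descending | Format-Table -AutoSize
```

The point of recording the SHA256 is that a false positive is confirmed by comparing the hash with what the vendor or Microsoft publishes, not by the signature alone.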

You won’t, at the moment, know any of this from Avast.

Their blog hasn’t been updated since November 30. There’s nothing on their home page to suggest there’s a problem: the website lists the latest update and doesn’t indicate there’s been a problem.

But do a Google or twitter search and you get a sense of the frustration:

Twitter is throwing up a tweet every couple of minutes:

image

Yahoo! Answers is exhibiting similar frustrations. Even Avast’s own forums are lively with confusion.

The point here is that everyone makes mistakes. But Avast could have helped their users avoid panic not only by correcting the problem but by making sure their users found out about it easily and quickly.

This is not excusable in this era of the real time web. Twitter is the obvious choice, but there’s no sign of Avast on its official twitter feed since November 30. (see screenshot above.) Avast should be using all channels to reach its users.

Antivirus is just an extreme example: it’s an industry that is used to updating its product on the fly. But security is also about informing users, and Avast, sadly, is not much different from most companies that think they can brush over glitches and pretend they never happened.

A mea culpa is in order, and a promise that this isn’t going to happen again. Crying wolf on viral infections is not a good security procedure.

KL’s Airport Gets Infected

image

If there’s one place you hope you won’t get infected by a computer virus, it’s an airport.

It’s not just that the virus may fiddle with your departure times; it’s the wider possibility that the virus may have infected more sensitive parts of the airport: ticketing, say, or—heaven forbid—flight control.

Kuala Lumpur International Airport—Malaysia’s main international airport—was on Friday infected by the W32.Downadup worm, which exploits a vulnerability in Windows that Microsoft patched back in October (MS08-067). The worm, according to Symantec, does a number of things: it creates an HTTP server on the compromised computer, deletes restore points, downloads other files and then starts spreading itself to other computers.

image

Enlargement of the photo above. The notification says Symantec Antivirus has found the worm, but has not been able to clean or quarantine the file.

KL airport clearly isn’t keeping a tight rein on its security. The virus alert pictured above is at least 12 hours old and the vulnerability it exploits had been patched up a month before. Says Graham Cluley of UK-based security software company Sophos: “What’s disturbing to me is that over a month later, the airport hasn’t applied what was declared to be an extremely critical patch, and one which is being exploited by malware in the wild.”
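The check an airport’s IT staff would want here, as an added example that is not from the original post, Symantec or the airport: ask each host whether the MS08-067 fix is installed and list the ones that still lack it. It assumes the fix shows up as hotfix KB958644 (the Knowledge Base number Microsoft gave the update), that the hosts accept remote WMI queries from the account running it, and that the inventory file in the usage line is a placeholder.

```powershell
# Added example (not from the original post): report which hosts still lack the
# MS08-067 fix that W32.Downadup/Conficker exploits. Assumptions: the fix is
# installed as hotfix KB958644, and remote WMI queries are permitted.
function Test-MS08067Patch {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string[]] $ComputerName,
        [string] $HotFixId = 'KB958644'
    )
    process {
        foreach ($c in $ComputerName) {
            # Get-HotFix hides RPC failures under -ErrorAction SilentlyContinue,
            # so test reachability first; otherwise an offline host looks unpatched.
            $reachable = Test-Connection -ComputerName $c -Count 1 -Quiet
            $fix = $null
            if ($reachable) {
                $fix = Get-HotFix -Id $HotFixId -ComputerName $c -ErrorAction SilentlyContinue
            }
            [pscustomobject]@{
                ComputerName = $c
                Reachable    = $reachable
                HotFixId     = $HotFixId
                Installed    = if ($reachable) { [bool]$fix } else { $null }
                InstalledOn  = if ($fix) { $fix.InstalledOn } else { $null }
            }
        }
    }
}

# Usage (placeholder file): feed it the departure-board and kiosk hosts from an
# inventory and keep the reachable ones that report the fix as missing.
# Get-Content .\display-hosts.txt | Test-MS08067Patch |
#     Where-Object { $_.Reachable -and -not $_.Installed }
```

One caveat when reading the results: a host built from an image that already contains the fix will not list KB958644 as a separate hotfix either, so Installed = False is only meaningful on the Windows versions the original update targeted.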

What’s more worrying is that this isn’t the first time. It’s the first time I’ve noticed an infection on their departures/arrivals board, but one traveller spotted something similar a year and a half ago, with a Symantec Antivirus message popping up on one of the monitors. I saw a Symantec Antivirus message on one monitor that said it had “encountered a problem and needs to close”, suggesting that the worm had succeeded in disabling the airport’s own antivirus defences:

image

So how serious is all this? Cluley says: “Well, it’s obviously a nuisance to many people, and maybe could cause some disruption. But I think this is just the most “visible” sign of what may be a more widespread infection inside the airport. I would be more concerned if ticketing and other computer systems were affected by the same attack.”

He points to computer viruses affecting other airports in recent years: In 2003, Continental Airlines checkin desks were knocked out by the Slammer worm. A year later, Sasser was blamed for leaving 300,000 Australian commuters stranded, and BA flights were also delayed.

For me, the bottom line about airports and air travel is confidence. As a traveler I need to feel confident that the people deciding which planes I fly and when are on top of basic security issues. And that doesn’t mean just frisking me at the gate. It also means keeping the computer systems that run the airport safe. This is probably just sloppy computer habits but what if it wasn’t? What if it was a worm preparing for a much more targeted threat, aimed specifically at air traffic?

(I’ve asked KL International Airport and Symantec for comment.)

Updater Fever

image

I sometimes wonder what software companies—Apple, Google, Microsoft, Yahoo!, they’re all the same—want from their customers.

I spend enough time with novice users to know how confusing using computer software can be. Especially online: It’s a scary world out there (they’re right to be scared) but these companies, which should know better, make it more so. By trying to hoodwink people into using their products they are undermining users’ confidence in using computers in the first place. If they keep on doing this, expect more people to use computers less—and certainly to install less software, or experiment in any way online or off.

Take what just happened. I use Windows Live Writer to blog: it’s an excellent program, by far the best thing Microsoft has done in years, and today it prompted me that an update was available. I duly clicked on the link to download the Writer beta installer:

image

Only, of course, it wasn’t the installer but The Installer From Hell:

image

Prechecked are six programs, none of which I have on my computer right now. There’s no single button to uncheck those boxes, and most novice users may not even know they can (note the confusing text above it: “Click each program name for details” and “Choose the programs you want to install”—nothing to explain to novices that these choices have already been made for you, and how to unchoose them.)

It’s not as if Microsoft is trying to sell us smack. This is free software. But it’s very damaging in ways only someone who spends time with real people can understand. Even once the software is installed, for example, you get this last little twist of the Knife of Befuddlement:

image

This might not seem like much, but if you’re an ordinary user, finding your home page all different and your search engine altered to something else can be as disorienting as coming home to find someone’s moved your furniture and the cooker is now in the bathroom. Well, not quite that much, but you get the idea.

Of course Microsoft’s not alone in this. Even Google’s been playing the game, and Yahoo! tries to bundle the toolbar in with pretty much every piece of software that’s ever been downloaded–which also alters the homepage, and default search engine, and probably moves the fridge around as well.

The problem is that the more these companies try to fool us, the easier it is for real scammers to scam us—because what they both do starts to look very similar.

Take this scam that I came across this morning. A splog (spam blog—a fake blog) had used some of my material, so when I tried to access the page to find out why, I instead got this believable-looking popup:

image

This without me doing anything other than clicking on a link to a blog. A graphic in the background appeared to be checking the computer for viruses, and of course this window is nigh on impossible to get rid of. Try clicking on the red cross and you get this:

image

Try to get rid of that and you get this:

image

And then this:

image

It’s obviously a scam (it’s adware), but it’s darned hard to get rid of. And to the ordinary user (by which I mean someone who has a real life, and therefore doesn’t see this kind of thing as intrinsically interesting) there’s no real difference between the trickery perpetrated by these grammatically challenged scammers, and the likes of Microsoft et al, who try to inveigle their software and homepage/search engine preferences into your computer.

Either way, the ordinary user is eventually going to tire of the whole thing and say “enough!” and go out fishing or, if it’s that time of year, wassailing.

Let’s try to avoid that.

(And yes, the latest version Live Writer is good, though don’t use the spellchecker. Just a shame that it’s made by Microsoft.)

links for 2008-09-15

Is That a Virus on Your Phone or a New Business Model?

This week’s WSJ.com column (subscription only) is about mobile viruses — or the lack of them. First off I talked about CommWarrior, the virus any of you with a Symbian phone and Bluetooth switched on will have been pinged by anywhere in the world.

CommWarrior isn’t new: It has been around since March 2005. But this isn’t much comfort if you find yourself — as a lunch companion and I did — bombarded by a dozen attempts to infect our phones before the first course had arrived. So is CommWarrior just the thin end of a long wedge? Yes, if you listen to the Internet-security industry. “I can personally assure you that mobile threats are reality, and we have to start taking our mobile security seriously,” says Eric Everson, who admittedly has a stake in talking up the threat, given that he is founder of Atlanta-based MyMobiSafe, which offers cellphone antivirus protection at $4 a month.

But the security industry has been saying this for years about viruses — usually lumped together under the catchall “malware” — and, despite lots of scare stories, I couldn’t find any compelling evidence that they are actually causing us problems beyond those I experienced in the Italian restaurant.

For reasons of space quite a bit of material had to be dropped, so I’m adding it here for anyone who’s interested. Apologies to those sources who didn’t get their voices heard.

Symantec, F-Secure Security Labs and other antivirus companies call FlexiSPY a virus (though, strictly speaking, it’s a Trojan: it doesn’t spread on its own but has to be installed on the handset, and then hides what it does from the phone’s user). “In terms of damaging the user, the most serious issue at the moment is commercial spyware applications such as FlexiSPY,” says Peter Harrison, of a new U.K.-based mobile-security company, UMU Ltd.

Not surprisingly, however, FlexiSPY’s maker, Mr. Raihan, isn’t happy to have his product identified and removed by cellphone antivirus software, though he says his protests have fallen on deaf ears. “We are a godsend to them,” he says of the mobile antivirus companies. “They are fear-mongering as there is not a significant problem with viruses in the mobile space.”


What Your Product Does You Might Not Know About

Vodka

Empty vodka bottles used for selling petrol, Bali

Tools often serve purposes the designers didn’t necessarily intend — increasing their stickiness for users but in a way not clearly understood by the creator.

Take the System Tray in Windows for example (and in the bar, whatever it’s called, in Macs.) And this array currently sitting in my overburdened laptop:

image

These icons usually either notify the user if something happens, by changing color, animating itself or popping up some balloon message, or they will be quick launch icons: double click or right click to launch the program, or some function within it. Or they can be both. Or, sometimes neither, sitting there like lame ducks taking up screen real estate. (These ones should, like all lame ducks, be shot.)

But the thing is that for users these icons actually sometimes do something else, acting as useful sources of more important information. I’ve noticed, for example, a lot of people — including myself — use the Skype icon (left) as the best, most visible way of telling whether their computer is connected.

First off, Skype is better and quicker at establishing a connection than most other connection-based programs with icons in the system tray. Secondly, the icon is an uncomplicated but appealing green, with a tick in it — an obvious and intuitive signal to even the most untutored user. (It helps that the Skype icon is a dull gray when there’s no connection — once again, intuitive to most users.) When the Skype button turns green, users know they’re good to go.

Another good example of this is the Zone Alarm icon, which alternates between the Zone Alarm logo and a gauge, red on the left and green on the right, to indicate traffic going in and out (see left). Another useful tool to see whether your computer is actually connected, and like the Skype icon, much more visible and obvious than the regular Windows connectivity icon — with the two computer screens flashing blue. I’ve gotten so used to having the Zone Alarm icon tell me what’s going on I have not been able to switch to other firewall programs, or Windows’ own, because they don’t have the same abundance of visual information to offer.

I’m not convinced that Zone Alarm’s new owners CheckPoint get this: They have dropped the distinctive yellow and red ZA logo in the system tray for a bland and easily missable Z (left). The ZA icon was an easy and prominent way to know your firewall was working and they’d be smart to resurrect it.

What does all this mean? Well, Skype have been smart to create a simple icon that not only does things like tell you your online status (available, away) but has also become a tool to help folk know whether they’re online or not — not always clear in this world of WiFi and 3G connectivity. In fact, for many users I’m guessing the green tick is more recognisable a Skype logo than the blue S Skype logo itself.

I don’t know whether Skype knows this, or whether the Zone Alarm guys realise their icon and gauge are much more useful to users as a data transfer measure than Windows’ own. But it’s a lesson to other software developers that the system tray icon could do a whole lot more than it presently does, with a bit of forethought. And if it can’t justify its existence, just sitting there saying nothing, then maybe it shouldn’t be there?

Beyond that, we’d be smart to keep an eye out for how folk use our products, and to build on the opportunities that offers.

The Failure of the Smartphone Interface

I still don’t understand why people think that a stylus is a good thing, or that mimicking a Windows environment — designed for navigation by mice and other pointy things — is regarded as a worthy goal for mobile devices.

Take what Walt Mossberg, who has emerged as something of an expert on the new Treos, has to say about them in his mailbag (the URL isn’t a permalink, so don’t know how long it’s good for):

I have reviewed both devices, and I find that the Windows Mobile software on the 700w is considerably inferior to the Palm operating system software on the 700p. Too many common actions in the Windows version take more steps than the same actions on the Palm OS version, and often require navigating menus. You are likely to use the stylus more often in the Windows version as well.

I think in the near future we’ll wonder what the hell we were doing with our mobile interfaces. Why is it harder to answer a smartphone than it is to answer a normal mobile phone? Styli were designed for sitting in restaurants and at desks, not for when you’re standing in heavy pedestrian traffic outside Leicester Square tube trying to find someone’s phone number. Windows was designed for laptops, desktops, more or less anything with a flat surface and a mouse nearby, not for navigating on crowded trains or in fast-moving cars (especially when you’re driving).

Palm still looks good because it’s relatively simple as an interface. But it’s still looking dated, even while we’re still waiting for something better to come along.

How to Split Your Screen Down the Middle

Here’s something for the directory of monitor extenders — stuff that increases the size, scope or general bendiness of your screen — SplitView, from the guys who brought you DiskView:

SplitView increases productivity by making it easy to work with two applications side by side. It helps make full use of your high resolution monitor and gives the benefit of dual-monitors without their associated cost.

Given it costs $19, that statement is indeed true. The problem is simple. Having two monitors is great — if you haven’t done it yet, you haven’t lived — but it’s also neat because you can pretty much keep them separate, a bit like having two desks to play with. That’s because Windows treats the two screens as one for some functions – moving windows and whatnot — but as two for functions like maximising programs etc. Very useful if you’re moving between two documents, or dragging and dropping text using the mouse.

But what happens if you have one supersized monitor, with high resolution? You have all that real estate, but not the same duality, if you get my drift. This is where SplitView jumps in. A small program that incorporates itself into the pull-down resize menu on the left-hand top corner (right clicking on its icon in the toolbar at the bottom of the screen has the same effect), SplitView lets you make the program take up half the screen on either the left or right in one move (or via keyboard shortcuts).  So now you have two monitors in one:

I can imagine this would also be useful for those of us used to dual monitors but forced into single screendom when on the road. Now your laptop can be split in two, making it easy to drag and drop and stuff. Its author, Rohan, says he wrote it “as a ‘me-ware’ – something i needed myself, and then productized it.” Good productizing, Rohan.

Microsoft’s Spyware Gate

Microsoft have launched a new version of their Antispyware application, now rebuilt and renamed Windows Defender. Initial reports are favorable, including from Paul Thurrott, who is good on these kinds of things:

Windows Defender Beta 2 combines the best-of-breed spyware detection and removal functionality from the old Giant Antispyware product and turns it into a stellar application that all Windows users should immediately download and install. Lightweight, effective, and unobtrusive, Windows Defender is anti-spyware done right, and I still consider this to be the best anti-spyware solution on the market. Highly recommended.

Expect this program to become part of the next Windows operating system, meaning that spyware is going to be kept out of most computers by default. This is a good thing. What is less good is that it lets Microsoft decide what is and what isn’t spyware, giving them one more gate to control. Also, spare a thought for all the companies that have been selling antispyware software for the past few years; I can’t see many of them surviving past Windows Vista.