Symantec Exposes Innovative Malware

I get e-mail messages every day from security vendors describing trends in malware, identifying the current most-wanted list, or reporting on new threats they've seen. Few of these seem worth writing about, though I read the details for my own edification.

However, in a recent meeting, Patrick Gardner, the senior director of development for Symantec's STAR (Security Technology and Response) group, showed me a couple of real eye-openers.

"Everyone knows" that the huge majority of viruses, Trojans, and other malicious software are written for the Windows platform. There are just so many more Windows boxes out there that it hardly pays to target MacOS or Linux. Sure, there are a handful of Mac viruses and even some Linux-platform threats. Sophos, Symantec, and ESET, among others, offer antivirus products for the Mac. But Windows is the main target for most.

Gardner introduced me to what Symantec calls Trojan.Jnanabot, an equal-opportunity, cross-platform bot that will infect Windows, MacOS, or Linux. Not surprisingly, it's written mostly in Java, the "write once run anywhere" language. Jnanabot spreads by posting links in a victim's social-networking accounts and sending attacks based on friend lists. The initial platform-independent Java script downloads platform-specific components to complete the infection. As the following chart shows, most of the real-world infections that Symantec has detected are Windows systems, but there's a sizeable chunk running Mac OS.

Facebook attacks are growing more common, and they're going beyond simple clickjacking attacks that drive traffic to fan pages. A threat that Symantec calls W32.Yimfoca.B (where do they get these names?) holds your Facebook account for ransom. It won't let you log on until you complete one of several surveys. The surveys themselves are legitimate, and the perpetrator gets paid as much as $1 for each "referral." Talk about monetization! If you see a warning like the one below when you try to enter Facebook, you've got trouble.

W32.Yimfoca.B holds Facebook account for ransom

STAR team researchers have also discovered new threats that run entirely on the Facebook backend, with nothing at all downloaded to your local computer. These malicious apps rely on the fact that Facebook apps commonly request way more access to your account than they really need. Users become accustomed to clicking OK without really thinking about what sort of access they're granting.

By reverse-engineering one such threat the team managed to create a sample backend-only Facebook "threat." They deliberately built it with no ability to spread automatically, for safety. In a virtualized real-world demo Gardner showed me how such an app can easily list all of your friends, send them Facebook messages, and post anything at all on your wall.

Malware is big business, and like any big business the most successful players are those who can innovate and stay ahead of the rest. The big security vendors are holding the line, but it's more important than ever to keep your antivirus or security suite 100 percent up-to-date.

About Our Expert

Neil J. Rubenking

Principal Writer, Security

My Experience

When the IBM PC was new, I served as the president of the San Francisco PC User Group for three years. That’s how I met PCMag’s editorial team, who brought me on board in 1986. In the years since that fateful meeting, I’ve become PCMag’s expert on security, privacy, and identity protection, putting antivirus tools, security suites, and all kinds of security software through their paces.

Before my current security gig, I supplied PCMag readers with tips and solutions on using popular applications, operating systems, and programming languages in my "User to User" and "Ask Neil" columns, which began in 1990 and ran for almost 20 years. Along the way, I wrote more than 40 utility articles, as well as Delphi Programming for Dummies and six other books covering DOS, Windows, and programming. I also reviewed thousands of products of all kinds, ranging from early Sierra Online adventure games to AOL’s precursor Q-Link.

In the early 2000s, I turned my focus to security and the growing antivirus industry. After years of working with antivirus, I’m known throughout the security industry as an expert on evaluating antivirus tools. I serve as an advisory board member for the Anti-Malware Testing Standards Organization (AMTSO), an international nonprofit group dedicated to coordinating and improving testing of anti-malware solutions.

The Technology I Use

Much of the testing I do, particularly testing with real-world ransomware, is just plain dangerous. To perform such tests safely, I sequester them inside virtual machines managed by VMWare Workstation. For cross-platform testing, I use a MacBook Air, a Google Pixel 4, and a 6th-generation iPad.

I rely on my Delphi coding skills to create and maintain small applications. These include programs to check whether an antivirus correctly handled the malware it detected, launch dangerous URLs and record the security program’s reaction, and analyze the malware that I collect for use in testing. I also wrote a tiny browser and text editor for use in testing security apps that have predefined reactions for known products.

I do my writing and research on a Dell OptiPlex desktop, relying on Microsoft Word (my fingers know all the shortcuts). Many of my articles include charts and analysis; Excel is my go-to for those. When work hours end, though, I escape the bounds of Microsoft and Windows. There’s an iPhone in my pocket, I relax with my oversized iPad, and my Kindle Oasis is always loaded with the best science fiction and fantasy.

Read the latest from Neil J. Rubenking

Read full bio