Java Flaw Repair Email Camouflages Crafty New Malware Attack

NEWS ANALYSIS: The Java vulnerability that was announced in January is bad enough. But now there’s a new form of malware that pretends to be the update for Java that fixes it, but instead just adds more malware.

Updates are a particularly effective form of social engineering for people trying to distribute malware simply because people are used to clicking on them almost as a reflex. Haley said that Symantec even found one mass email purporting to be from his company containing a fake Symantec update that contained malware.

“Don’t click on attachments,” Haley said, and he cautioned against visiting websites that you don’t know for sure are malware free. Fortunately, most security software can scan the Web looking for sites containing malware and either warn you, or prevent you from going there.

Haley also noted that basic antivirus software is no longer enough. He said that the means of distributing malware have changed and now your security software needs to recognize attacks from a number of sources, not just viruses. Haley also suggested that you remove any applications on your computer that you’re not actually using. “Get them off the system, so if there’s vulnerability you won’t have it.” He also advised against removing the normal protections on mobile devices, especially Android devices. “We are seeing malware on Android. Don’t root your devices - that’s opening them up to malware.”

“Rooting” means defeating the security features built into a mobile device so that the owner can get greater control of its functions. But this also makes it easier for hackers to take control of the device remotely by planting malware on it.

All of this means that you need to be suspicious of updates to software that appear unexpectedly or otherwise out of sequence. Check the Web address that the update comes from, and if necessary check the vendor’s website to see whether a security update is being sent out.

It’s also a good idea to pay attention to the content of the message that appears in a pop-up on your screen or in an email. Do the version numbers make sense? When you hover over a link in an email, does the link match the address that appears at the bottom of the email? It’s worth noting that vendors almost never deliver software updates by email, so any email claiming to contain an update should be viewed with deep suspicion.

And since I know you’ll ask, I was nearly caught by that Java update exploit. But there was something a little off in the appearance of the pop-up window, so I killed it, and went to the Java site and updated from there. Do I know for sure that it was the Java update malware delivery that I killed? I don’t know for sure, but I didn’t want to find out, either.