OPLIN 4cast #344: Basic protection

Wednesday, July 24th, 2013

There was an interesting posting on the codeinsecurity blog a little over a month ago, which we didn’t see until recently, called “The anti-virus age is over.” The author, Graham Sutherland, argues that anti-virus (AV) programs cannot keep up with all the new types of malware in circulation and should just be considered “…a filter for the most basic attacks.” We know a lot of libraries still depend primarily on AV software for protection, so it seemed like it might be worthwhile to look this week at some of those new types of malware mentioned by Mr. Sutherland. (We’ve put the names of the malware types in bold.)

  • What is a polymorphic virus? (wiseGEEK) “Human viruses are infamous for being able to mutate rapidly to avoid detection and prevent the buildup of immunities, and when a computer virus has a similar trait, the results can be unpleasant for computer users. It can be difficult to mount an adequate defense against a polymorphic virus, even with excellent antivirus software which has been designed to attempt to detect such viruses.”
  • Advanced Persistent Threats: The new reality (Dark Reading/Michael Cobb) “What is an APT? Though the term originally referred to nation-states engaging in cyber espionage, APT techniques are also being used by cybercriminals to steal data from businesses for financial gain. What distinguishes an APT from other threats is that it is targeted, persistent, evasive and advanced. Unlike the majority of malware, which randomly infects any computer vulnerable to a given exploit, APTs target specific organizations with the purpose of stealing specific data or causing specific damage. The Conficker worm, for example, used many advanced techniques but did not target a particular organization. It infected millions of computers in more than 200 countries. In contrast, Stuxnet was designed to target a certain type, a certain brand and a certain model of control system.”
  • Advanced Persistent Threats get more advanced, persistent and threatening (The Register/John Leyden) “Attackers are getting even smarter by coming up with sneakier ways to evade detection. For example, FireEye has uncovered examples of malware that execute only when users move a mouse, a tactic which could dupe current sandbox detection systems since the malware doesn’t generate any activity. In addition, malware writers have also incorporated virtual machine detection as a means to frustrate security analysis of their wares and DLL files to improve persistence. By avoiding the more common .exe file type, attackers using DLL files stand a better chance of avoiding detection for longer.”
  • New course teaches techniques for detecting the most sophisticated malware in RAM only (Network World/Linda Musthaler) “The part of The Invisible Man is now being played by highly sophisticated malware that is memory-resident only. Because it only exists in RAM, the malware never gets written to disk, which is where you would normally look for most kinds of malware. It’s a real challenge to find the malware in RAM until you follow the subtle clues that indicate something is there that shouldn’t be there.”

Sandbox fact:
One article above mentions a “sandbox.” Anti-virus software can sometimes combat difficult malware by using a virtual environment (sandbox) on a computer to run and test code from untrusted sources before it is installed for actual use.

OPLIN 4Cast #300: Threatening innovations

Wednesday, September 19th, 2012

You have to admit, the people who try to take over your computer or steal your private information for their own shady purposes are undoubtedly inventive. It seems as if every month they develop at least one surprising new major exploit of computers and the Internet, and recently they have been more active than they have been for years. We’re seeing news stories about routers turned into botnet clients, government-built viruses (just who are the good guys?), and new PCs shipped pre-infected with malware. And what the heck is a UDID anyway?

  • Router botnets are more of a reality than you think (SecurityWeek/Steve Ragan)  “Unfortunately, those are just some of the ways to maliciously flash a router without anyone being the wiser. Updated firmware (as in ensuring the device is current on the latest version) can help in some cases but not all, as attacks that target retained settings within the device’s memory can still lead to compromise. In the end, using an open router within an active SOHO [Small Office/Home Office] environment will come down to risk tolerance. If the business is ok with the risk, no need to worry.”
  • Cyber clues link U.S. to new computer viruses (Reuters/Jim Finkle)  “The United States has already been linked to the Stuxnet Trojan that attacked Iran’s nuclear program in 2010 and the sophisticated Flame cyber surveillance tool that was uncovered in May. Anti-virus software makers Symantec Corp of the United States and Kaspersky Lab of Russia disclosed on Monday that they have found evidence that Flame’s operators may have also worked with three other viruses that have yet to be discovered.”
  • Microsoft disrupts the emerging Nitol botnet being spread through an unsecure supply chain (Official Microsoft Blog/Richard Domingues Boscovich)  “The discovery and successive action against the Nitol botnet stemmed from a Microsoft study looking into unsecure supply chains. The study confirmed that cybercriminals preload malware infected counterfeit software onto computers that are offered for sale to innocent people. In fact, twenty percent of the PCs researchers bought from an unsecure supply chain were infected with malware.”
  • What’s the big deal with iPhone UDIDs? (Ars Technica/Chris Foresman)  “The UDID [Unique Device Identifier] could be used as a sort of ‘anonymized’ token. However, many developers connected a UDID with users’ real names, user names, passwords, location, or other data. While the UDID alone would be of little use to hackers or identity thieves, network snoopers could correlate these UDIDs with other data gleaned from multiple apps, which privacy advocates believe is plenty to home in on a particular person.”

Malware fact:
According to McAfee Labs [pdf], more than eight million new kinds of malware were launched in the second quarter of 2012.

OPLIN 4Cast #236: Security forces endanger cloud security

Wednesday, June 29th, 2011

A week ago on Tuesday (June 21), the FBI raided a data center in Virginia run by a Swiss hosting company, DigitalOne. The FBI was looking for evidence of international cyber crime rings that have been distributing “scareware,” a false alert that appears on people’s computers telling them their security software must be updated/repaired and then sends them to a link that loads malware on their machine. This would not have been particularly noteworthy, except that the FBI took machines containing servers for completely legitimate and legal businesses, and thus had possession of data that should be private. As a result, some people wonder about the wisdom of putting their data in the “cloud,” i.e., using servers hosted in large data centers.

  • FBI busts two scareware, fake AV gangs in global operation (eWeek/Fahmida Y. Rashid)  “The FBI seized three racks of servers from the hosting facility, causing several Websites and services, including Curbed, Eater, Instapaper and Pinboard, to go offline. ‘The global reach of the Internet makes every computer user in the world a potential victim of cyber-crime,’ said U.S. Attorney B. Todd Jones of the District of Minnesota. The FBI worked with police in Cyprus, Germany, Latvia, Ukraine, France and Romania as well as with Canada’s Mounted Police and London’s Met Police.”
  • Sites rebuild after F.B.I. raid on data center (New York Times/Verne G. Kopytoff)  “The agents, who were seeking the servers of a single client, nevertheless seized three enclosures filled with servers for ‘tens of clients,’ the company said. Sergej Ostroumow, DigitalOne’s chief executive, declined to name the client that was the target of the investigation. He said he did not know the reason for the raid. In an e-mail on Wednesday, Mr. Ostroumow said he was working to restore his company’s Web site, which was also taken offline by the raid, but added that ‘we have e-mail and the hope that we will receive all servers back very soon.’”
  • The FBI stole an Instapaper server in an unrelated raid (Instapaper Blog/Marco Arment)  “Possibly most importantly, though, the FBI is now presumably in possession of a complete copy of the Instapaper database as it stood on Tuesday morning, including the complete list of users and any non-deleted bookmarks. […] Instapaper stores only salted SHA-1 hashes of passwords, so those are relatively safe. But email addresses are stored in the clear, as is the saved content of each bookmark saved by the bookmarklet.”
  • FBI seizes servers in brute force raid (TG Daily/Trent Nouveau) “While most Americans probably don’t really care about a few downed sites, the brute force raid executed by the Feds surely doesn’t bode well for the future. One can’t help but wonder what comes next: mass Gmail seizures, Amazon cloud server confiscations, or perhaps entire data centers carted off in FBI trucks? Clearly, U.S. law enforcement officials must learn how to minimize ‘collateral damage’ to neutral civilian infrastructure during cyber-related raids.”

Bounty fact:
Microsoft has been offering a $250,000 bounty since early 2009 for information leading to the arrest and conviction of those responsible for launching the sophisticated Conficker worm, which was apparently the delivery mechanism for this scareware.

OPLIN 4Cast #214: PDF malware

Wednesday, January 26th, 2011

These days, when you click to download a PDF file from the web or your e-mail, your computer may well ask, “Are you really sure??” That happens because PDF files have been getting more and more dangerous lately as they become more and more popular as carriers of malicious software. It used to be that common executable (.exe) files were the carriers of choice for computer malware, but most e-mail software now blocks those. Lately, Portable Document Format has been on the rise as a delivery vehicle for malware. But since PDF is not a programming language, rather a file specifying how to render a page, how do you get it to do malicious things to a computer? The answer is to exploit weaknesses in the software (like Adobe Acrobat Reader) that processes the PDF file; the PDF file itself doesn’t do anything but deliver the exploit.

  • The rise of PDF malware (Symantec Connect/Fred Gutierrez)  “We have seen an ever increasing use of PDFs for malicious purposes over the past two years. During this time, we have tracked the growth and usage and have been constantly improving our detections to handle the different evolutions of these threats. We see new vulnerabilities related to PDF readers discovered on a regular basis, often being exploited in-the-wild before a patch is available.”
  • Adobe patches under-attack Reader bug (Computerworld/Gregg Keizer)  “The more notable flaw fixed in Reader 9.4.1 for Windows and Mac OS X was a bug that hackers have been leveraging since late October using malicious PDF documents. Those attacks have taken advantage of a flaw in Reader’s ‘authplay’ component. Authplay is the interpreter that renders Flash content embedded within PDF files. Successful attacks have dropped a Trojan horse and other malware on victimized Windows PCs.”
  • OMG WTF PDF: What you didn’t know about Acrobat (27th Chaos Communication Congress/Julia Wolf)  “PDFs are currently the greatest vector for drive-by (malware installing) attacks and targeted attacks on business and government. A/V [antivirus] technology is extraordinarily poor at detecting these.”
  • 27C3: danger lurks in PDF documents (The H Security/Stefan Krempl)  “According to Wolf, however, the PDF standard has long had too many functions that can be exploited to launch attacks and wreak other havoc. These functions range from database connections without security features to options that can blindly trigger the execution of arbitrary programs in Acrobat Reader. The researcher said that other risks are generated through the support of inherently insecure script languages such as JavaScript, formats such as XML, RFID tags and digital rights management (DRM) technologies.”

Common sense fact:
Developers of PDF reader software are constantly changing their software to combat vulnerabilities. The wise computer user keeps her/his software up to date.