Malware

Sunday, 06 June 2010

The End of Malware? Hardly.

Slate recently published an article entitled, "The End of Malware?" The sub-title is, "How Android, Chrome, and the iPad are shielding us from dastardly programs." The premise trotted out the usual, Windows is insecure; Android, Chrome, and the iPad are more secure because they deploy sandboxing technology, i.e. restricting an application's access to operating system resources.

While this may be a good thing, it is hardly the "end of malware." Not even close.What the author is missing is the intent and motiviation of the bad guys. They go where the money is, i.e. where there is the opportunity to steal cash from people's bank accounts, steal credit card information, steal intellectual property they can sell. At present, these opportunities are minimal on Android, Chrome, and iPads. Once there is critical mass for profitable hacking, you will definitely see an increase in exploits on these devices.

Now even with limited opportunities for profitable hacking we are starting to hear about vulnerabilities on these devices. Just yesterday I wrote about a Massive iPhone Security Issue where passcode protected content on the iPhone can be accessed by simply attaching the device to a computer running Ubuntu or OSX. Therefore, if you lose your iPhone, your passcode protection is useless.

If you need to hear more, check out the June 3 article in the Wall St. Journal, Dark Side Arises for Phone Apps. Here are some key quotes, first on Google:

In one incident, Google pulled dozens of unauthorized mobile-banking apps from its Android Market in December. The apps, priced at $1.50, were made by a developer named "09Droid" and claimed to offer access to accounts at many of the world's banks. Google said it pulled the apps because they violated its trademark policy.

The apps were more useless than malicious, but could have been updated to capture customers' banking credentials, said John Hering, chief executive of Lookout, a mobile security provider. "It is becoming easier for the bad guys to use the app stores," Mr. Hering said.

And on Apple:

Apple vets applications before they appear in its App Store, but risks still exist. In July 2008, Apple pulled a popular game called Aurora Feint from its store after it was discovered to be uploading users' contact lists to the game maker's servers. More recently, it yanked hundreds of apps it said violated its policies, some out of security concerns.

In conclusion, while sandboxing is a good idea, there is no silver bullet when it comes to security.

Posted at 06:10 PM in Malware | | Comments (0) | TrackBack (0)

Massive iPhone Security Issue

ReadWriteEnterprise is reporting that:

Content stored on an iPhone 3GS with passcode protection can be accessed without the passcode simply by attaching the device to a computer running the latest version of Ubuntu or a Windows or OSX system running off the shelf software such as iPhone Explorer. This flaw was discovered by Bernd Marienfeld, an information security professional and blogger, last week. Recently, the enterprise has seen a steep increase in the adoption of the iPhone and iPad. But Apple will need to aggressively address security concerns such as these in order to gain and hold market share.

Read the whole article here.

Posted at 06:08 PM in Malware | | Comments (0) | TrackBack (0)

Tuesday, 25 May 2010

Tabnabbing - a new variation on phishing

Aza Raskin, the Creative Lead for Firefox, (via Ajaxian) describes a new variation on phishing called "tabnabbing," the "process of replacing the entire contents of a page while it's on a background tab." This is another example of malicious Javascript in action. Does your Secure Web Gateway vendor block this attack?

Posted at 05:26 PM in Malware, Phishing | | Comments (0) | TrackBack (0)

Technorati Tags:

Wednesday, 12 May 2010

Simplistic attacks still work some of the time

Sunbelt has a detailed blog post of a ridiculously simple and obvious social engineering attack on Facebook users. The good news is that only 0.05% of Facebook users fell for it. The bad news is that the actual number of Facebook users is 191,372. Given the ease of creating these attacks and the rewards to the attackers, they are not going to stop anytime soon.

Posted at 08:13 AM in Malware, Social Engineering | | Comments (0) | TrackBack (0)

Technorati Tags:

Monday, 10 May 2010

New attack bypasses all tested anti-virus products

Researchers at matousec.com, a security research and consulting group, released a paper describing a vulnerability in the way that anti-virus vendors integrate their products with Windows - System Service Descriptor Table (SSDT). They also built code that exploits this vulnerability which enables them to bypass these anti-virus programs. The Register has a good summary.

My first reaction is "so what?" Anti-virus programs have become almost irrelevant as the primary attack vector has shifted to browser-based applications. On the other hand, this vulnerability could lead to a resurgence of more direct viruses.

Second, how and how quickly will Microsoft and the anti-virus vendors react? 

Third, what are the implications for Intel's vPro technology?

Fourth, is there an anti-virus vendor out there that does not use SSDT to integrate with Windows?

Posted at 08:45 AM in Innovation, Malware, Research | | Comments (1) | TrackBack (0)

Technorati Tags:

Wednesday, 28 April 2010

Blippy's security/privacy strategy - do they deserve to survive?

Earlier this week, the CEO of Blippy posted an extensive explanation of the breach they suffered and the steps he is planning to take to improve the site's security and better protect the privacy of the users. I can only hope his explanation of the breach is accurate.

As to his "Plan" going forward, it reveals a shocking, but not untypical, heretofore lax attitude toward protecting the site's users.

I like their Rules page. The intent is to inform Blippy users of "Inappropriate Content and Use of Blippy," However, if I were considering signing up for Blippy, I might consider some of them the risks of using Blippy. Here are examples: 

Impersonation: You may not impersonate others through our services in a manner that does or is intended to mislead, confuse, deceive, or harass others.

Serial Accounts: You may not create serial accounts or relationships in order to evade the block tools or to otherwise disrupt the Services.

Name Squatting:You may not engage in name-squatting (creating accounts for the purpose of preventing others from using those account names or for the purpose of selling those accounts). Accounts that are inactive for more than 9 months may be removed without further notice.

Links: You may not publish or post content that disguises the content of a link in a misleading or deceptive way.

Malware/Phishing: You may not publish or link to malicious content intended to damage or disrupt another user.s browser or computer or to compromise a user's privacy.

Social Network Spam: Blippy provides a variety of ways for users to interact with one another. You may not abuse these tools for the purpose of spamming users. Some of the behaviors we look at when determining whether an account is spamming include:

  • The user has followed and unfollowed people in a short time period, particularly by automated means.
  • A large number of people are blocking the profile.
  • The number of spam complaints filed against a profile.

And I can only hope that Blippy is taking steps to reduce the risks of these actions and worse. How long will it be before Koobface infiltrates Blippy, or there is a new botnet specifically targeting Blippy called "ypblip?"

Posted at 08:58 PM in Breaches, IT Security 2.0, Malware, Phishing, Privacy, Risk Management | | Comments (0) | TrackBack (0)

Sunday, 11 April 2010

More PDF exploits - time to stop downloading PDFs

It seems like there is a constant flow of PDF vulnerabilities. Two new ones are highlighted here.

It's time to stop using PC-based PDF readers.I've switched to a browser plug-in called gPDF which works with IE, Firefox, and Chrome.It opens the PDF file in Google Docs. Google Docs gives you the ability to print it without downloading it. The one issue I have is, there is no apparent way to save the document in Google Docs for future reference. So for that, I save the link in Delicious.

I'm done with downloading PDF's for now - just not worth the risk.

Posted at 06:49 PM in Malware | | Comments (0) | TrackBack (0)

Technorati Tags:

Spotlighting the Botnet business model

TrendLabs has a nice article on the botnet business model. It features an illustration showing the relationships between different botnets including CUTWAIL, BREDO, KOOBFACE, ZEUS, WALEDEC, and others.

The level of cooperation and coordination is stunning. If you are not monitoring for and blocking botnet activity in your organization, you are exposing your organization to serious risks. If you are seeing no botnet activity in your organization, you are not using the right tools.

Posted at 05:55 PM in Malware, Network Security | | Comments (0) | TrackBack (0)

Technorati Tags:

Sunday, 21 March 2010

Vulnerability-based Signatures Are Needed To Defend Against Operation Aurora Variations

NSS Labs recently tested seven anti-malware products against the actual and variations of the Operation Aurora attack which was successful against Google, Adobe, and as many as 100 other companies. Six out of seven were successful against the specific attack, but only one provided protection against the variations.

NSS Labs points out that only "vulnerability-based" protection can protect against variations of a specific attack. Here are their key findings:

  • Endpoint security products need to focus more on vulnerability protection. Rather than reactively blocking individual attacks, security product vendors should minimize their customers' risk of exposure by insulating them from the vulnerability.
  • An approach based on preventing specific exploits or malware is less desirable due to the reactive nature of identifying exploits and malicious payloads, as well as the nearly infinite methods to evade detection. Only one of the seven endpoint security products tested demonstrated a focus on the vulnerability and blocked more than one exploit variant.

The report provides a comprehensive description of the vulnerability, the Operation Aurora attack, and specific descriptions of exploit-based vs. vulnerability-based signatures.

Click here to read the whole report and find out which vendor has vulnerability-based signature(s) that were able to cope with Operation Aurora variations.

Posted at 09:24 PM in Malware | | Comments (0) | TrackBack (0)

Technorati Tags:

Monday, 15 March 2010

Defending Against the Zeus E-Banking Attacks

Brian Krebs wrote another article about the rising number of E-Banking funds transfer fraud incidents where the Zeus trojan/botnet is used to compromise end point systems. The man-in-the-browser (MITB) exploit is a version of the classic man-in-the-middle (MITM) attack where the user's bank credentials are stolen without the user realizing it. In fact, the Zeus trojan goes on "to control what the user sees on his or her browser."

One is left to ask, is there is no "inline" defense against the Zeus trojan? In other words, is there no end point anti-malware product that can successfully defend against morphing trojans/botnets like Zeus?

It appears that the best choices at present are:

  • Use a dedicated PC, preferably one that boots from a CD, to do your online banking
  • Depend on your bank to:
    • Use behavior anomaly detection systems to catch/stop fraudulent transactions
    • Refund fraudulent transactions after the fact

Alternatively from a bank process perspective, why not require a 48 hour waiting period between the time a new payee is created and the time a payment can be made to that new payee?

In addition, the bank could add another step to the "add a payee process" where the bank sends an email or even hard copy notification of the new payee to the user (payer) and the user has to call from a known home phone number to verify the new payee.

Clearly these steps would add a level of inconvenience to online banking, but that has to be weighed against the costs of reimbursing consumer and corporate customer losses. If the lawsuits in progress are adjudicated in favor of the corporations suing their banks, we may very well see these or other changes.

Posted at 08:03 PM in Botnets, Breaches, Funds Transfer Fraud, Malware | | Comments (2) | TrackBack (0)

Technorati Tags:

Next »

About

Subscribe to this blog's feed

Recent Posts