Malware

Monday, 15 March 2010

Defending Against the Zeus E-Banking Attacks

Brian Krebs wrote another article about the rising number of E-Banking funds transfer fraud incidents where the Zeus trojan/botnet is used to compromise end point systems. The man-in-the-browser (MITB) exploit is a version of the classic man-in-the-middle (MITM) attack where the user's bank credentials are stolen without the user realizing it. In fact, the Zeus trojan goes on "to control what the user sees on his or her browser."

One is left to ask, is there is no "inline" defense against the Zeus trojan? In other words, is there no end point anti-malware product that can successfully defend against morphing trojans/botnets like Zeus?

It appears that the best choices at present are:

  • Use a dedicated PC, preferably one that boots from a CD, to do your online banking
  • Depend on your bank to:
    • Use behavior anomaly detection systems to catch/stop fraudulent transactions
    • Refund fraudulent transactions after the fact

Alternatively from a bank process perspective, why not require a 48 hour waiting period between the time a new payee is created and the time a payment can be made to that new payee?

In addition, the bank could add another step to the "add a payee process" where the bank sends an email or even hard copy notification of the new payee to the user (payer) and the user has to call from a known home phone number to verify the new payee.

Clearly these steps would add a level of inconvenience to online banking, but that has to be weighed against the costs of reimbursing consumer and corporate customer losses. If the lawsuits in progress are adjudicated in favor of the corporations suing their banks, we may very well see these or other changes.

Posted at 08:03 PM in Botnets, Breaches, Funds Transfer Fraud, Malware | | Comments (0) | TrackBack (0)

Technorati Tags:

Saturday, 13 March 2010

Latest Zeus Trojan software release added hardware-based anti-piracy control

The Register reports:

The latest version of the Zeus do-it-yourself crimeware kit goes to great lengths to thwart would-be pirates by introducing a hardware-based product activation scheme similar to what's found in Microsoft Windows.

The newest version with bare-bones capabilities starts at $4,000 and additional features can fetch as much as $10,000. The new feature is designed to prevent what Microsoft refers to as "casual copying" by ensuring that only one computer can run a licensed version of the program. After it is installed, users must obtain a key that's good for just that one machine.

To state the obvious, if anyone needed a reminder, the crimeware software industry is big business and maturing. 

In addition The Register reported:

The latest version of Zeus is 1.3.3.7, SecureWorks researcher Kevin Stevens told El Reg. But the authors are already busy working on version 1.4, which is being beta tested. It offers polymorphic encryption that allows the trojan to re-encrypt itself each time it infects a victim, giving each one a unique digital fingerprint. As a result, anti-virus programs, which already struggle mightily to recognize Zeus infections, have an even harder time detecting the menace.

No information was provided as to where you could submit your feature requests.

Posted at 07:46 PM in Botnets, Innovation, Malware | | Comments (0) | TrackBack (0)

Technorati Tags:

The most overrated security technologies and what to do about them

CSOonline published an article entitled, "What Are the Most Overrated Security Technologies?" At the head of the list are, no surprise, Anti-Virus and Firewalls.

Anti-Virus - signature based anti-virus products simply cannot keep up with the speed and creativity of the attackers. What's needed is better behavior anomaly based approaches to complement traditional anti-virus products.

Firewalls - The article talks about the disappearing perimeter, but that is less than half the story. The bigger issue is that traditional firewalls, using stateful inspection technology introduced by Check Point over 15 years ago, simply cannot control the hundreds and hundreds of "Web 2.0" applications. I've written about or referenced "Next Generation Firewalls" here, here, here, here, and here.

IAM and multi-factor authentication - Perhaps IAM and multi-factor authentication belong on the list. But the rationale in the article was vague. The biggest issue I see with access management is deciding on groups and managing access rights. I've seen companies with over 2,000 groups - clearly an administrative and operational nightmare  I see access management merging with network security as network security products become more application, content, and user aware. Then you can start by watching what people actually do in practice rather than theorize about how groups should be organized.

NAC - The article talks about the high deployment and ongoing administrative and operational costs outweighing the benefits. Another important issue is that NAC does not address the current high risk threats. The theory in 2006, somewhat but not overly simplified, was that if we checked the end point device to make sure its anti-virus signatures and patches were up-to-date before letting it on the network, we would reduce worms from spreading.

At present in practice, (a) worms are not major security risk, (b) while patches are important, up-to-date anti-virus signatures does not significantly reduce risk, and (c) an end point can just as easily be compromised when it's already on the network.

A combination of (yes again) Next Generation Firewalls for large locations and data centers, and cloud-based Secure Web Gateways for remote offices and traveling laptop users will provide much more effective risk reduction.

Posted at 05:58 PM in Authentication, Malware, Network Security, Next Generation Firewalls, Theory vs. Practice | | Comments (0) | TrackBack (0)

Technorati Tags:

Tuesday, 26 January 2010

Operation Aurora analysis

A week later, "Operation Aurora," which I discussed in detail here, is still the most important IT security story. PC Magazine provided additional details here.

Early in the week it appeared that the exploit took advantage of a vulnerability in Internet Explorer 6, the version of Microsoft's browser originally released on August 27, 2001. Larry Seltzer blogged about Microsoft's ridiculously long support cycles demanded by corporate customers. Why any organization would allow the use of this nine year old browser is a mystery to me, especially at Google!!

Later in the week, we found out that the exploit could be retooled to exploit IE7 and IE8.

In conclusion, let me restate perhaps the obvious point that a defense-in-depth security architecture can minimize the risk of this exploit:

  • Next Generation Firewall
  • Secure Web Gateway
  • Mail Server well configured
  • Desktop Anti-malware that includes web site checking
  • Latest version of browser, perhaps not Internet Explorer
  • Latest version of Windows, realistically at least XP Service Pack 3, with all patches
  • Database Activity Monitoring
  • Data Loss Prevention
  • Third Generation Security Information and Event Management

Posted at 08:17 AM in Advanced Persistent Threat (APT), Breaches, Data Loss Prevention, Database Activity Monitoring, Malware, Next Generation Firewalls, Phishing, Secure Browsing, Security Information and Event Management (SIEM) | | Comments (0) | TrackBack (0)

Technorati Tags:

Saturday, 16 January 2010

Google discloses breach and new threat type from China - Advanced Persistent Threats

Earlier this week Google took the unprecedented step of disclosing a breach which does not legally require disclosure. Google's reasons for the disclosure are tightly linked to its concerns about human rights in China and its views on China's reasons for breaching Google's email systems. These last two points are well worth discussing and are being discussed at length all over the blogosphere. However, I am going to focus on the security and disclosure issues.

First regarding disclosure, IT risk reduction strategies greatly benefit from public breach disclosure information. In other words, organizations learn best what to do and avoid overreacting to vendor scare tactics by understanding the threats that actually result in breaches. This position is best articulated by Adam Shostack and Andrew Stewart in their book, "The New School of Information Security."

I blogged about Verizon Business's forensic team's empirical 2009 Data Breach Investigations Supplemental Report here. This report shows cause-and-effect between threat types and breaches. You could not ask for better data to guide your IT risk reduction strategies.

Organizations have been so reluctant to publicly admit they suffered breaches, the Federal and many state governments had to pass laws to force organizations to disclose breaches when customer or employee personal information was stolen.

Regarding the attack itself, it represents a type of attack that is relatively new called "advanced persistent threats" (APT) which in the past had primarily been focused on governments. Now they are targeting companies to steal intellectual property. McAfee describes the combination of spear fishing, zero-day threats, and crafted malware here. The implications:

The world has changed. Everyone’s threat model now needs to be adapted to the new reality of these advanced persistent threats. In addition to worrying about Eastern European cybercriminals trying to siphon off credit card databases, you have to focus on protecting all of your core intellectual property, private nonfinancial customer information and anything else of intangible value. 

Gunter Ollman, VP of Research at Damballa, discusses APT's further here, focusing on detecting these attacks by detecting and breaking the Command and Control (CnC) component of the threat. The key point he makes is:

Malware is just a tool. The fundamental element to these (and any espionage attack) lies with the tether that connects the victim with the attacker. Advanced Persistent Threats (APT), like their bigger and more visible brother “botnets”, are meaningless without that tether – which is more often labeled as Command and Control (CnC).

Jeremiah Grossman points out the implications of Google's breach disclosure for all cloud-based product offerings here, countering Google's announcement of Default https access for Gmail.

Indeed, the threat landscape has changed.


Posted at 08:43 PM in Advanced Persistent Threat (APT), Books, Botnets, Breaches, Malware, Phishing, Privacy, Risk Management, Security Management, Trade Secrets Theft | | Comments (0) | TrackBack (0)

Technorati Tags:

Tuesday, 05 January 2010

Adobe PDF exploit detected by only four of 41 anti-virus vendors

The Register is reporting on an "unusually sophisticated attack" on the well known Adobe PDF vulnerability that is caught by only four of 41 anti-virus vendors tested by Virus Total.

As Computerworld and others reported in mid-December, Adobe chose to release the patch to this vulnerability in its normal cycle on January 12, 2010 instead of rushing it out as soon as it was ready.

Posted at 08:40 AM in Malware | | Comments (0) | TrackBack (0)

Technorati Tags:

More details on the security risks of IDNs

A few days ago I wrote about the risks of non-ASCII domain names, i.e. International Domain Names (IDNs). Trend Micro's security research group, TrendLabs, has just released a detailed analysis of the security risks of IDNs.

Posted at 08:19 AM in Malware, Phishing | | Comments (0) | TrackBack (0)

Technorati Tags:

Saturday, 02 January 2010

RAM Scraping - new attack vector

RAM Scraping is a new type of malware being tracked by the security forensics team at Verizon Business. Good article describing it here.

RAM Scraping attacks were first seen targeting Point-of-Sales terminals as a way to get credit card information. However, as users increase the use of password managers to mitigate the risks of phishing and keyloggers, I can see RAM Scraping attacks increasing in popularity.

Posted at 02:37 PM in Malware | | Comments (0) | TrackBack (0)

Technorati Tags:

Thursday, 31 December 2009

Good guys bring down a botnet. Or did they?

Earlier this week PC World reported that a security researcher at FireEye took down a major botnet, Mega-D. However, LonerVamp weighed in with a more objective analysis of what FireEye accomplished.

Posted at 03:38 PM in Botnets, Malware, Network Security | | Comments (0) | TrackBack (0)

Sunday, 06 December 2009

Koobface launches new Christmas message attack on Facebook

Symantec's Hon Lau, senior security response manager, is reporting that the Koobface worm/botnet began a new attack using fake Christmas messages to lure Facebook users to download the Koobface malware.

This again shows the flexibility of the command and control function of the Koobface botnet. I previously wrote about Koobface creating new Facebook accounts to lure users to fake Facebook (or YouTube) pages.

These Facebook malware issues are a serious security risk for enterprises. While simply blocking Facebook altogether may seem like the right policy, it may not be for two reasons: 1) No access to Facebook could become a morale problem for a segment of your employees, and 2) Employees may be using Facebook to engage customers in sales/marketing activities.

Network security technology must be able to detect Facebook usage and block threats while allowing productive activity.

Posted at 01:40 PM in Application Security, Botnets, IT Security 2.0, Malware, Network Security, Next Generation Firewalls, Risk Management, Security Policy, User Activity Monitoring | | Comments (0) | TrackBack (0)

Technorati Tags: ,

Next »

About

Recent Posts

Subscribe to this blog's feed

My Favorite Books on Risk and IT Security