Friday, April 04, 2008
BT has admitted to secretly using spyware to monitor the web surfing habits of tens of thousands of its British broadband customers. According to BT, this was merely a technical trial. Allegedly no personal data were collected since machines were identified "by anonymous code numbers" (presumably IP addresses - hardly anonymous) and content keywords were recorded, not website addresses (so what? It's still unethical and possibly illegal interception in my book).
Tuesday, April 01, 2008
Malware blamed for supermarket data breach
A supermarket security breach late last year/early this year compromised over 4 million credit/debit cards and led to thousands of fraudulent transactions. The breach has been blamed on malware on the store's servers. The fact that the store systems were, apparently, PCI DSS compliant doesn't exactly inspire confidence in the system of independent security audits, but on the other hand it's a reminder that malware is an omnipresent threat.
Saturday, March 22, 2008
10,000 infected pages
McAfee has been warning about malware installed on 10,000 Web pages. The malware attempts to infect the systems of visitors to the sites by exploiting vulnerabilities in various common programs.
This kind of attack is yet another good reason to ensure your antivirus software is always up to date (assuming I don't need to tell you to install and run AV software!), and to load security patches promptly for all of the software programs on your system. PSI from Secunia is a useful tool to track the release of patches - it keeps an eye on what's installed and what versions are current, alerting you when your system falls behind.
Labels: Malware
Thursday, March 20, 2008
Signature based AV is dead. Long live sig AV!
A malware article in CSO Magazine points out the ultimate futility of the signature-based antivirus detection and blacklisting mechanisms, given the escalating rate of release of new/variant malware and its inability to block data theft (which is what Data Leak Prevention is all about: personally, I never expected AV software to do this so that is a rather curious point).
The demise of signature-based AV detection has been predicted many times before but it stubbornly remains a relatively effective and inexpensive control, on the whole. I'm worried about bespoke malware, custom-written to infiltrate specific target organizations, but there, other techniques come into play, DLP and checksumming being two of them. So-called "heuristic scanning" has a bad press for generating too many false positives, but that's another piece of the defense-in-depth puzzle, along with prompt patching and (of course) security awareness. There's no need to detect avoided malware.
Labels: Malware
Tuesday, March 18, 2008
Addressing the growing botnet threat
A 20 minute CERT podcast on botnets gives an overview of botnets - sizeable networks of compromised computers remotely controlled by hackers, used for stealing data, identity theft, hacking other systems and spamming. Hear how compromises occur, how botnets are used and controlled by the black hats, and how to secure your systems to avoid compromise and clean out bot infections.
If you don't have audio facilities on your system, or simply prefer to read, a transcript is also available.
A little collection of information security-related podcasts from CERT. They are aimed at busy executives with largely nontechnical content.
Sunday, March 16, 2008
Spyware impacts productivity
A single spyware infection on a work computer can impact the productivity of the typical small business employee for two-and-a-half days, according to research commissioned by the Computing Technology Industry Association (CompTIA).
A survey of employees at businesses with 10 to 200 computer users found that more than one in four computer users reported having their productivity impacted by a spyware infection during the past six months. Of these, more than one-third reported multiple spyware infections.
Definitions of spyware vary but the take-home message from this CompTIA study is simply that spyware is a widespread problem that impacts productivity.
Labels: Malware
Friday, March 14, 2008
Drive-by malware alert
McAfee is warning about malware installed on 10,000 Web pages. The malware attempts to infect the systems of visitors to the sites by exploiting vulnerabilities in various common programs.
This kind of attack is yet another good reason to ensure your antivirus software is always up to date (assuming I don't need to tell you to install and run AV software!), and to load security patches promptly for all of the software programs on your system. PSI from Secunia (or NSI for corporates) are useful tools to track the release of patches - it keeps an eye on what's installed and what versions are current, alerting you when new patches are released. PSI, the personal home-use version, is free and recommended.
Friday, February 29, 2008
Targeted malware
A helpful if rather technical explanation of targeted malware attacks takes a look at some remote control Trojans. These open the victim's machine to powerful local commands submitted by a remote hacker over a control channel. Clever stuff. The piece is a little light on the infection part of such attacks and the mechanisms used to target specific organizations or individuals, although it does outline some of the potential controls against this kind of attack and provides references for further reading.
Labels: Malware
Monday, February 25, 2008
Malware awareness module released

We have updated and reissued the NoticeBored security awareness module on malware, one of our 'core modules' covering a topic that features heavily in all security awareness programs.
As part of the research to update the module, I've been reading lately about 'virtual malware' or, more accurately, rootkits that target not just the operating system kernel but the underlying hypervisor software used on virtualization systems. To those without a technical background, this may seem like angels dancing on a pinhead but to us nerdy geeky types, virtualization is cool and virtual malware is uber cool.
By coincidence, an article on The Register discusses a vulnerability in VMware, one of the virtualization systems. This could be Big News for anyone using VMware in a production environment, such as many ISPs for example. Various technical security bloggers are deep in discussion.
Labels: Malware
Thursday, January 10, 2008
Having a bad day at the office?
An IT systems administrator, fearing that he was about to be laid off, planted a logic bomb in his employer's systems. He survived the round of redundancies but detonated the logic bomb anyway. Fortunately for all concerned, bugs in the code prevented it working properly. In court, he was found guilty, sentenced to 30 months' jail time and found liable for $81,200 in restitution.
This story touches on quite a number of security topics:
- He was a trusted insider who went bad
- Logic bombs are a form of malware
- His office/day-job gave him privileged access to the company's IT assets
- Weak change management process controls did not prevent the bomb being installed
- The logic bomb had one or more bugs in the program/script
- Nevertheless it sparked a security incident
- He was called to account for the damage
- There was legal and presumably corporate policy noncompliance
- The risk of recurrence presumably remains
All in all, a nice multi-purpose security awareness case study.
PS The official US DOJ press release about the conviction is dated "Dec 8 2008", an integrity failure to boot.
Labels: Accountability, Awareness, Bugs, Change, Compliance, Incidents, Insider, Malware, Office, Risk
Saturday, December 22, 2007
A Christmas present for ordinary computer users
Peter Gregory has blogged a list of free security software that is sure to appeal to "ordinary" (as in non-geek) computer users.
The only significant omission that occurs to me is online software security patching. Peter blogged just a week ago about a free and urgent security patch for Skype, perhaps not a good example as he chastises Skype for not publicising the patch. Microsoft Update is probably better.
Personally, I use Secunia's PSI (Personal Software Inspector) to track and stay current with security patches for most of the software on my home system, not just the Microsoft stuff. It does a good job for me but may be too geeky for ordinary mortals. What do you think? Is there a more user-friendly option you'd recommend?
Wednesday, December 12, 2007
Why HTML email is BAD
The screenshot above is an email spotted today in my spam box. It's a conventional phishing email with a classic call-to-action and a link whose URL takes victims to the phishing site rather than CitiBusiness. What caught my eye, though, was the hex encoded gibberish at the bottom. I can't be bothered to convert it all to readable characters and probably don't have the skills necessary to analyze it and figure out exactly what it's doing, but the few unencoded words (api, update, end, exe, create, engine, close, define, revision, tmp, hex, URAW, rev., create, root:, LHY, serv, 22MP., source:, Y1TM, cvs, revision, 60T, 376T:) do rather give the game away: it looks like some sort of attempt to get victims' email software to execute code. My bet is that it exploits a bug in the way HTML emails are handled. Needless to say, my machine is configured to read emails as plaintext. I can live without the fancy text formatting, and malware, thank you very much.
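As an added example, not part of the original post, here is a small Python script of the kind I'd use to peel the hex layers off such an email body: it decodes HTML numeric character references and %xx escapes, measures how much of the body is encoded, and lists the code-related keywords and links that surface. The sample body is constructed, and the use of &#x..; entities and percent-encoding is an assumption about what the screenshot showed.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample body, not the email from the screenshot: a phishing
# lure whose link and trailing text are hidden behind %xx escapes and
# &#x..; numeric character references (an assumed encoding).
SAMPLE_BODY = (
    'Please <a href="http://203.0.113.7/%75%70%64%61%74%65%2e%65%78%65">'
    'click here</a> to confirm your CitiBusiness access. '
    '&#x61;&#x70;&#x69; &#x75;&#x70;&#x64;&#x61;&#x74;&#x65; '
    '&#x65;&#x78;&#x65; cvs revision 60T'
)

# Words from the post that hint at code being dropped or built.
SUSPICIOUS = ("exe", "api", "update", "create", "engine", "revision", "tmp", "cvs")
KEYWORD_RE = re.compile(r"\b(" + "|".join(SUSPICIOUS) + r")\b", re.IGNORECASE)
ENCODED_RE = re.compile(r"&#x[0-9a-f]+;|&#[0-9]+;|%[0-9a-f]{2}", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def decode_layers(text: str, max_rounds: int = 5) -> str:
    """Undo HTML entities and %xx escapes repeatedly until nothing changes,
    so doubly encoded text is still recovered."""
    for _ in range(max_rounds):
        decoded = unquote(html.unescape(text))
        if decoded == text:
            break
        text = decoded
    return text


def encoded_fraction(text: str) -> float:
    """Share of the body taken up by hex/numeric escapes: a high value in
    a short email is itself a warning sign."""
    if not text:
        return 0.0
    encoded = sum(len(m.group(0)) for m in ENCODED_RE.finditer(text))
    return encoded / len(text)


def analyze(body: str) -> dict:
    """Decode the body and report what a reader would otherwise not see."""
    decoded = decode_layers(body)
    return {
        "encoded_fraction": round(encoded_fraction(body), 2),
        "keywords": sorted({k.lower() for k in KEYWORD_RE.findall(decoded)}),
        "urls": URL_RE.findall(decoded),
        "decoded": decoded,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_BODY).items():
        print(f"{key}: {value}")
```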
Wednesday, August 29, 2007
Beware free l(a)unches
Skimming through my inbox and spam box today, I've seen a few phisher emails like the following example:

The emails vary slightly in the names of the "beta software" (e.g. Investment Developer, Cooking Helper, Home Reno Planner etc.) and of course the senders and subject lines vary.
They all seem to point to an executable file at a numeric IP address, which is most likely another Trojan dropper.
This looks to me like another generation of the STORM worm.

Wednesday, August 22, 2007
Malware spam spewed forth

We've received loads of similar malware spams today, all basically the same structure with minor differences and spelling mistakes (see above).
The links vary but we understand that one (at least) attempts to infect visitors' PCs with a downloader Trojan. Good up to date antivirus software should trap it but do not rely on this as your sole control: it is not recognized by all antivirus programs.
A quick search of my spam/deleted box for emails containing the string "account number" reveals a whole bunch of them received so far today.
Senders include
Bartenders Guide
Cat Lovers
Cool Pics
Dog Lovers
Downloader Heaven
Entertaining Pros
Free Web Tools
Fun World
Funny Files
Game Connect
Internet Dating
Job Search Pros
Joke-A-Day
Mobile Fun
MP3 World
Net Gambler
Net-Jokes
Office Antics
Online Gamers
Online Hook-Up
Poker World
Pet World
Resume Hunters
Ringtone World
Web Connects
Web Cooking
Wine Lovers
Subject lines include
Dated confirmation
Internal Support
Internal Verification
Internet Techincal Support [sic]
Login info
Login information
Login Verification
Member Confirm
Member Details
Membership Details
Membership support
New member confirmation
New User Details
New User Letter
New User Support
Registration confirmation
Registration Details
Tech Department
Thank you for joining
User Info
User services
User Verification
Welcome new member
There are other variants in circulation too.
The spams are believed to be the result of a new mutant of the Storm worm that has been very active for weeks. SANS Internet Storm Centre has some technical info on it and there's more on F-Secure's blog.
The usual advice "Don't click on dubious links" applies here. Now might be a good time for your security awareness person to inform your fellow employees in calm, helpful tones about the threat. PLEASE do not add to the problem by circulating wild warning emails with "Please tell everyone you know!" or similar - leave the job to the professionals and the news media. Oh and don't forget to check that your antivirus software is updating itself regularly.
*UPDATE* Download a security awareness 'alert' about this, suitable for circulating to your fellow employees. NoticeBored customers: please contact us for the editable MS Word version.
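An added example (not from either post and not NoticeBored's own tooling) that turns the indicators above and in the "Beware free l(a)unches" post into a mail-triage check: a link to an executable at a numeric IP address, the "account number" lure, and a subset of the sender names and subject lines listed here. The message samples are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Sender display names and subject lines taken from the lists in the post
# (a subset), lower-cased for matching.
KNOWN_SENDERS = {"cat lovers", "dog lovers", "poker world", "joke-a-day",
                 "web cooking", "internet dating", "ringtone world"}
KNOWN_SUBJECTS = {"login info", "membership details", "welcome new member",
                  "internet techincal support", "thank you for joining"}
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def host_is_literal_ip(host: str) -> bool:
    """True for a bare IPv4/IPv6 address rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def executable_ip_links(body: str) -> list:
    """Links whose host is a numeric IP and whose path names an executable,
    the pattern both posts describe."""
    hits = []
    for url in URL_RE.findall(body):
        parts = urlsplit(url)
        if (host_is_literal_ip(parts.hostname or "")
                and parts.path.lower().endswith(EXEC_SUFFIXES)):
            hits.append(url)
    return hits


def triage(msg: dict) -> list:
    """Return the reasons (if any) a message looks like this campaign."""
    reasons = []
    if msg["from_name"].strip().lower() in KNOWN_SENDERS:
        reasons.append("sender name matches known campaign list")
    if msg["subject"].strip().lower() in KNOWN_SUBJECTS:
        reasons.append("subject matches known campaign list")
    if "account number" in msg["body"].lower():
        reasons.append("'account number' lure in body")
    for url in executable_ip_links(msg["body"]):
        reasons.append(f"executable at numeric IP: {url}")
    return reasons


# Constructed sample messages (documentation addresses, not real senders).
SAMPLES = [
    {"id": "spam1", "from_name": "Cat Lovers", "subject": "Login Info",
     "body": "Your account number is 4471. Confirm at "
             "http://198.51.100.23/beta/setup.exe"},
    {"id": "spam2", "from_name": "Home Reno Planner Team",
     "subject": "Try our beta software",
     "body": "Download Home Reno Planner beta: http://203.0.113.9/hrp_beta.exe"},
    {"id": "legit", "from_name": "Alice Example", "subject": "Lunch on Friday?",
     "body": "Menu at http://example.com/menu.html"},
]


def triage_all(samples=SAMPLES) -> dict:
    return {m["id"]: triage(m) for m in samples}


if __name__ == "__main__":
    for msg_id, reasons in triage_all().items():
        print(msg_id, "->", reasons or ["no indicators"])
```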
Thursday, July 19, 2007
Lurid job ads
"Hackers stole information from the U.S. Department of Transportation and several U.S. companies by seducing employees with fake job-listings on advertisements and e-mail, a computer security firm said."
The Reuters correspondent explains that victims were lured to a site with [fake] job advertisements and (presumably) phishing emails, only to have their systems infected with malware. The malware apparently evaded detection by the standard antivirus tools. Nasty.
I've long said that narrowly-targeted/custom malware is a particular threat if it slips under the antivirus silver bullet. Imagine the power of being able to select your target organization and inject your data extraction device and suck out your fill of an organization's lifeblood, with little chance of detection or prosecution. Imagine now that you are a Foreign Power or Criminal Mastermind with the money to buy such malware or the resources to recruit and train your own black squadron of evil hackers ...
Sleep well. Don't have nightmares. Leave that to us professional paranoiacs.
Friday, June 15, 2007
What the white hats are up against
In its usual tongue-in-cheek fashion, The Register describes the Black Hat world through ten features:
1. The Black Hats form a well integrated community that shares knowledge effectively
2. Becoming a Black Hat is a career option even for those who are not super geeks.
3. There are even specialist virus tools designed to circumvent specific AV products.
4. There are SDKs for the more advanced hackers.
5. There's a market for your data.
6. There are botnets to rent.
7. Some rogue websites are very subtly managed.
8. Good hackers know how to stay safe (they stay abroad)
9. The banking system has its channels
10. Not all businessmen are entirely averse to the odd hack (on a competitor)
In the sense of "know your enemy", the article presents an interesting perspective.
Labels: Fraud, Hacking, ID theft, Incidents, Malware, Network, Risk
Tuesday, April 03, 2007
Microsoft animated cursor fix
A bug in Windows' handling of animated cursor files is being actively exploited by The Dark Side. Those of us on the Light Side are advised to deploy an emergency patch just released by Microsoft ... or consider moving to an alternative, less bug-ridden operating system sharpish, assuming such a beast exists.
More network security resources
Saturday, March 31, 2007
SME Achilles heel = Well connected salesmen
IT Pro, reporting on a study by Vanson Bourne, points out that salesmen's dependence on electronic communications makes them more vulnerable than most to targeted phishing attacks. Such attacks typically deliver Trojans in office files sent as email attachments. The problem is especially acute in SMEs (Small to Medium Sized Enterprises - also known as SMBs ...Businesses). The author emphasises that SMEs need security awareness but offers no suggestions on how this might actually be achieved in practice.
More security awareness and malware links
Friday, March 23, 2007
Forensic analysis of a Russian Trojan
The techies at SecureWorks describe the painstaking forensic analysis of "Gozi", a Trojan horse program on a customer's PC. The Trojan (which was not at first recognized by antivirus packages) was found to be stealing sensitive data (prior to it being encrypted and sent to SSL websites by IE or Javascript) and secretly sending it to a remote server. From there, the stolen information was put up for sale on the black market, along with associated hacking services.
The description, like the Trojan, is complex and technical but makes fascinating reading for IT professionals. The analysts used virtual machines, Safe Mode, a debugger and tools from SysInternals and Wireshark/Ethereal to dissect the beast. Luckily the antivirus companies' tech gurus have the patience and skills to do this kind of analysis on our behalf.
More malware links
Labels: Malware
Monday, March 19, 2007
The State of Malware
The State of Malware is not, in fact, the name of some obscure far-off land where computers misbehave but the title of a free SANS webcast on Wednesday March 21st, 1:00 PM EDT (1700 UTC).
Over the course of the past two years, information technology has seen some amazing advances. Unfortunately, malware authors are keeping pace with the industry. This webcast will reveal what's really going on "out there" - from sophisticated phishing "worms" to a disturbing increase in Trojans, extensive bot networks and new polymorphic viruses. Methods of distribution are changing, too. For example, new Web technologies are making it easier than ever to disseminate malware. So what can we do? The webcast will also cover methods of detection and prevention, including behavioral analysis and site reputation.
You need a free SANS portal account and either Real Audio Player or Windows Media Player to access this SANS webcast and the archive of past webcasts.
More malware links
Labels: Malware
Thursday, March 15, 2007
CERT cybertip on antivirus software
The latest US CERT Cybertip update covers antivirus software. As always, the tip sheet explains the basics in simple language, aimed at a non-technical audience. It is covered by a copyright license stating "You are permitted to reproduce and distribute documents on this web site in whole or in part, without changing the text you use, provided that you include the copyright statement or "produced by" statement and use the document for noncommercial or internal purposes.", in other words you can reproduce and distribute it within your organization with attribution to CERT, but you (and we!) may not sell it on.
More malware links
Labels: Malware
Tuesday, March 13, 2007
Malware trends on mobile devices
Antivirus vendors have been talking-up the malware threat to mobile devices such as smart phones and PDAs for a few years now. Naturally, those who offer antivirus software for such devices tend to be more vociferous about the problem but there comes a point when it's time to take their warnings seriously.
Kaspersky's summary of current mobile malware risks identifies trends during 2006 that point to the possibility of this getting serious before too long. The number of mobile viruses increased steadily from ~120 to ~180 in the year, still way short of the epidemic virus numbers seen on PC platforms. Of more interest is a perceived change in the nature of the threat, namely more emphasis on stealing money rather than simply annoying users. If true, that observation mirrors what others are saying about identity theft and other criminal activities in general in relation to information security incidents.
[That said, I feel pretty safe out here in the depths of rural New Zealand, several miles outside mobile coverage. We use jungle drums not cellphones.]
More malware links
Labels: Malware
Thursday, March 08, 2007
Polymorphism gone bonkers
Over the past few months, the "Storm" worm has taken the idea of polymorphism to new extremes. To understand the context, here's a little history.
Once upon a time long long ago, cunning virus authors discovered they could fool the early antivirus programs simply by making insignificant changes in their code. Adding the odd "null command", pointless loops or whatever was enough to make 'variants' that escaped detection, for a while anyway, until the equally cunning antivirus analysts caught on, figuring out how to unravel the variations and find the common factors to make reliable virus signatures. Virus variants emerged every few months or weeks.
Next, even more cunning authors of automated virus generating engines added the ability to create variant or "polymorphic" viruses at will. A whole industry of polymorphic cunningness developed, adding tricks such as self-modifying code, obfuscation and encryption to the pot and spewing out variants by the bucket-load. The antivirus whizz-kids spent their days searching through the layers of obfuscation for invariant code sequences such as the decryption routines, and toyed with the idea of "heuristic scanning" for "virus-like activity". Variants emerged every few weeks or days.
The author of "Storm" took the game to a new level. He/she released a few hundred worm variants simply to test the waters, then an absolute avalanche of thousands or tens of thousands of variants all at once, seeded from tens or hundreds of thousands of compromised 'bot' machines all over the net. The worms use highly variable subject lines and code and through sheer numbers alone threaten to overload even the most assiduous antivirus team.
The next chapter in this thrilling story is likely to be rather unpleasant.
More malware links
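As an added example (not from the post), a Python toy that shows the first two generations above from the analysts' side: a byte signature that a padded variant slips past, the "unravel the variations" normalisation that catches it, and static unpacking of an XOR layer by way of an invariant decryptor stub. All byte strings are constructed; the x86 opcodes and the DE C0 <key> DE C1 stub layout are assumptions for the toy, not Storm's real code.

```python
import re

# Every byte string here is a constructed toy sample, not real malware.

# A distinctive run of bytes from the worm's baseline code that an analyst
# would pick as the signature.
SIGNATURE = bytes.fromhex("e8 00 00 00 00 5b 81 eb 05 10 40 00")

# Do-nothing sequences a variant engine sprinkles between real instructions:
# NOP, and push/pop of the same register (net effect: none).
JUNK = [b"\x90", b"\x50\x58", b"\x51\x59"]
JUNK_RE = re.compile(b"|".join(re.escape(j) for j in JUNK))


def normalize(code: bytes) -> bytes:
    """Strip the junk so padded variants collapse back to common bytes.
    A byte-level strip is enough for this toy; a real scanner would
    disassemble first so that data bytes that happen to equal 0x90 survive."""
    return JUNK_RE.sub(b"", code)


def naive_match(sample: bytes) -> bool:
    """First-generation check: the signature must appear verbatim."""
    return SIGNATURE in sample


def normalized_match(sample: bytes) -> bool:
    """Second-generation check: remove the padding, then look again."""
    return SIGNATURE in normalize(sample)


# Toy decryptor stub for the "encrypting" generation of variants:
#   DE C0 <key> DE C1   followed by the body XORed with <key>.
# The stub bytes stay invariant across variants; only the key and body change,
# so the stub itself is what the analysts would sign.
STUB_RE = re.compile(rb"\xde\xc0(.)\xde\xc1", re.DOTALL)


def has_decryptor_stub(sample: bytes) -> bool:
    return STUB_RE.search(sample) is not None


def unpack(sample: bytes) -> bytes:
    """Statically undo the XOR layer using the key carried in the stub."""
    m = STUB_RE.search(sample)
    if m is None:
        return sample
    key = m.group(1)[0]
    return sample[:m.end()] + bytes(b ^ key for b in sample[m.end():])


def layered_match(sample: bytes) -> bool:
    """Unpack, then normalize, then look for the signature."""
    return normalized_match(unpack(sample))


# Constructed samples: the baseline, a padded variant (junk inserted both
# around and inside the signature bytes), and an XOR-encrypted variant.
BASELINE = b"\x55\x8b\xec" + SIGNATURE + b"\xc3"
PADDED = (b"\x55\x90\x8b\xec\x50\x58"
          + b"\xe8\x00\x90\x00\x00\x00\x5b\x51\x59\x81\xeb\x05\x10\x40\x00"
          + b"\xc3")
KEY = 0x5A
ENCRYPTED = b"\xde\xc0" + bytes([KEY]) + b"\xde\xc1" + bytes(b ^ KEY for b in PADDED)

if __name__ == "__main__":
    for name, sample in (("baseline", BASELINE), ("padded", PADDED),
                         ("encrypted", ENCRYPTED)):
        print(f"{name:9s} naive={naive_match(sample)} "
              f"normalized={normalized_match(sample)} "
              f"layered={layered_match(sample)}")
```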
Labels: Malware
Antivirus product comparison
If you are curious to find out how antivirus products compare, AV-Comparatives.org regularly tests a reasonable selection of products against an up-to-date 'zoo' containing a million malware examples. Their February 2007 report is here.
The top three products in the latest assessment are AVK, TrustPort and AVIRA.
To be fair, most of the top products score very similarly.
More malware links
Labels: Malware