Saturday, March 20, 2010

Malawareness

Malware, an old favorite, is the security awareness topic for this month's NoticeBored module. One of the issues noted in the awareness materials is that of user PCs picking up infections simply by visiting infectious websites, for example a 'bargain shopping' site in Australia that had evidently been exploited by hackers. According to the news report, certain browsers warned users when they visited the site and hopefully, if the users were aware enough to take note of the warnings and not override the technical controls, that would have significantly reduced the risk of being infected. On top of that, the malware was probably recognized by normal antivirus software, further reducing the risk. However, unaware users without these controls may well have drawn the short straw and, to make matters worse, they may still be blissfully ignorant of the infection.

Friday, August 07, 2009

Office comms risks and controls

An article about responsible Twittering hints at a broader concern for all social media, and in fact all forms of communication between the office and the outside world. Examples in the article include people falsely claiming to represent their employers and disclosing sensitive information via Twitter, plus Twitter being used to direct potential victims to infectious sites hosting malware. People have done the same kinds of things for years using email, telephone, blogs, bulletin boards, IM, VoIP and so on - even letters in the post: the incidents are pretty similar though the communications media vary.

This obviously raises questions about how to reduce the risks without unduly interfering with legitimate business communications. Technical controls offer limited assistance e.g. blocking IM will block legitimate IM activities, and determined users can sometimes find ways around such blocks anyway. Automatically appended email disclaimers have dubious legal validity, particularly those that are written or modified by amateurs. Policies and procedures can help but only if employees are made aware of, accept and comply with them, which requires awareness activities (such as this month's NoticeBored module) and compliance activities (such as management oversight - basically taking an interest in what staff are doing at their desks).

Risk avoidance is arguably the most effective control, in other words discouraging or preventing unnecessary office communications outside the organization. However this is likely to have an adverse impact on legitimate business activities, and hence costs.

Since the controls are evidently not perfect, wise organizations make contingency arrangements in preparation for situations when the controls fail and incidents occur. Examples:
  • Incident notification and specific response procedures covering these kinds of incident;
  • Response procedures include 'damage limitation' using legal actions (e.g. those disclaimers and Non Disclosure Agreements) and Public Relations (e.g. stock press releases ready to issue);
  • "Learning the lessons" which means using incidents (particularly those suffered by the organization but also its peers and others in the public domain) as case studies and training materials;
  • Disciplinary procedures taking account of incidents of this nature, typically using examples.

[Scary postscript: the Pentagon thinks there is value in 'instant comms', if only soldiers can be persuaded not to disclose little things such as battle plans ...] [Or is this just a crude attempt by the US to encourage foreign militia to permit their soldiers to use Twitter?]

Thursday, March 19, 2009

Worming the Internet

Unprecedented collaboration between ICANN, antivirus vendors, other malware security professionals and domain name registrars in the US, China and elsewhere is seeking to neutralize the Conficker/Downadup worm. The worm's authors evidently intended the worm to download payloads from any of a long list of domains, so the security community has been busily registering or regaining control of those domains to prevent them being abused.

Microsoft has offered $250k for information leading to the arrest and prosecution of those behind Conficker/Downadup, a sign that Internet security issues are bad for all Internet users, not least the big businesses that depend on it.

Meanwhile, a third variant of the worm has been detected with a trigger date of April 1st. This could be big.

Friday, February 20, 2009

Military systems not immune to civil (or for that matter military) malware

News of the Conficker/Downadup worm rumbles on. Britain's Daily Telegraph is relaying news from a French newspaper that a French naval network was infected, disrupting communications and hence military operations as the network was isolated for disinfection. The same piece reports that a "report in the military review Defense Tech revealed that in the first days of January 2009 the British Defence Ministry had been attacked by a hybrid of the virus that had substantially and seriously infected the computer systems of more than 24 RAF bases and 75 per cent of the Royal Navy fleet including the aircraft carrier Ark Royal."

While the journalists and military PR people are typically at pains to point out that such events affect only unclassified or lowly-classified networks, the impacts sometimes appear to indicate otherwise - unless that is the French navy is in the habit of passing military orders over unclassified networks, which I doubt.

The reality of modern life is that most organizations are connected to the global Internet, and therefore they rely on network security controls to prevent "unauthorized traffic", including malware and hackers. Even those with no Internet connections remain vulnerable to malware infections by other routes, such as USB memory sticks in the French navy case. If even the highly controlled and well funded military are vulnerable to such nasties, what hope is there for other organizations, particularly large or diverse organizations with limited control over their IT systems and networks? I'm very conscious that our own small business remains vulnerable, despite the firewalls, antivirus software, network monitoring and so on, but at least we have security awareness on our side!

Tuesday, February 03, 2009

Alleged Fannie Mae logic bomber denies charges

Reuters says:

"A 35-year-old computer programmer pleaded not guilty on Friday to charges that he planted a computer virus designed to destroy all the data on 4,000 Fannie Mae computer servers the day he was fired from the company ..."

While we read about logic bombs in security textbooks, real world examples are relatively few and far between, in other words the probability of attack is quite low. The impacts could be significant, although in practice most attacks we read about have been thwarted while a proportion of successful attacks are likely either to be misdiagnosed as bugs, viruses, outsider attacks etc. or covered up by embarrassed managers. As so often when assessing information security risks, the true scale of the insider threat can only be surmised from imperfect data and hence contingency planning is sensible in case we miscalculate.

Disgruntled technically-competent insiders, usually IT professionals, get the blame for logic bombings. Logic bombs are but one example of the damage privileged insiders can cause, ranging from fraud and theft of intellectual property (personal or proprietary) to passive resistance such as faked incompetence and "accidental" damage to the IT systems and networks under their control. Last year's story of network administrator Terry Childs holding the city of San Francisco to ransom for the access password is another real-world example.

What controls would be useful to guard against this sort of situation? There's a wide choice including:
  • Management oversight - bosses keeping an eye on what their staff are doing (not so easy to arrange if the boss is the trouble maker and other bosses are incompetent to oversee or are simply unaware!);
  • Divisions of responsibility such that a lone cowboy cannot easily take advantage of his access (tricky again if he has system privileges and access to information, systems and processes that permit him to bypass or undermine standard access controls);
  • Laws, regulations, policies, standards, procedures and guidelines, not just to influence potential logic bombers (who, by their very nature, are unlikely to respect the rules) but also to establish and mandate the supporting/compensating procedural, technical and physical security controls;
  • Audits, whether periodic/planned/pre-notified or ad hoc/unannounced/surprise visits, plus management reviews and similar checkpoints, particularly when scoped and planned specifically to address this issue and performed by experts with prior experience in this area;
  • Technology-related controls such as air-tight change and configuration management processes; scans for unauthorized or inappropriate source code, malware and hacker tools on production systems; logical access controls as a whole; trustworthy backups; network intrusion detection and content management systems etc.;
  • Slick incident management processes to identify and respond rapidly and efficiently to potential incidents and thus limit the damage;
  • Liabilities on those responsible, whether employees or third parties, that are legally defined and practically enforceable in employment or service contracts (an after-the-fact contingency or corrective control);
  • Whistleblowers' hotline - a facility to encourage peers and co-workers (including managers and HR people dealing with clearly disgruntled staff) to report their concerns or suspicions in confidence for independent review;
  • Security awareness, training and educational activities, for instance promoting the whistleblower's hotline and policies, and training those who oversee IT operations in the symptoms of insider attack to watch out for (e.g. when logic bombers develop and test their evil schemes prior to the Big One);
  • Pre- and para-employment screening of employees in an attempt to locate and drop the bad apples, assuming that they can be identified as such (some believe that bad apples can be psychologically profiled but this practice is probably more art than science - merely being a social misfit or square-peg-in-a-round-hole is not in itself sufficient cause to track or sack someone, and such people can be extremely beneficial and creative if somewhat difficult to manage employees);
  • Sensible termination procedures, designed to remove possible hitches from a leaver's last few days or weeks on site (e.g. arranging for an "understudy" to shadow a leaver, both to pick up important new skills and to watch out for inappropriate activities);
  • Keeping employees gruntled, not disgruntled (!). Seriously, maintaining good employer-employee relations is a general baseline control against many forms of insider threat, and a particular challenge for management in an economic downturn. Procedural controls are particularly likely to suffer when people have other things on their mind than the organization's best interests.

Botnets to watch in 2009

A news item about botnets from Secureworks includes some useful information about how botnets are used and protected. They are used to distribute spam (including money mule come-ons, fake pharmaceuticals, enlargement products, loans and more) and malware.

The estimated sizes of the botnets range up to about 175,000 compromised machines, with most being a few tens of thousands, well short of the millions that lurid mainstream news headlines sometimes claim. Still, tens of thousands of broadband connected computers can do a lot of damage.

Thursday, January 29, 2009

Malwareness


Hi there!

We've just released an updated, refreshed and extended awareness module on malware, one of those enduring "core topics" that we have covered several times in the six years or so since we launched NoticeBored, and yet the threat is subtly different every year. As with the previous awareness topic, hacking, the most noticeable change lately has been the increasing use of malware for criminal purposes such as identity theft, spamming and industrial espionage. The days of viruses displaying funny graphics and playing silly tunes are long gone. It’s become much more serious, both for individuals and for organizations on the receiving end.

Malware authors are constantly exploring different modes of infection, creating new payloads and inventing novel criminal activities. Some malware modifies its own code in order to try to escape detection by pattern-matching antivirus software, or picks up new component parts through the Internet as the infection progresses (Malware As A Service!). Read more about the malware scourge in this month’s awareness module and newsletter.

Friday, October 10, 2008

Malicious 'M$ update' attachment

Here's a crude attempt to get me to install malware, fresh from my inbox:
Dear Microsoft Customer,

Please notice that Microsoft company has recently issued a Security Update for OS Microsoft Windows. The update applies to the following OS versions: Microsoft Windows 98, Microsoft Windows 2000, Microsoft Windows Millenium, Microsoft Windows XP, Microsoft Windows Vista.

Please notice, that present update applies to high-priority updates category. In order to help protect your computer against security threats and performance problems, we strongly recommend you to install this update.

Since public distribution of this Update through the official website http://www.microsoft.com would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all Microsoft Windows OS users.

As your computer is set to receive notifications when new updates are available, you have received this notice.

In order to start the update, please follow the step-by-step instruction:
1. Run the file, that you have received along with this message.
2. Carefully follow all the instructions you see on the screen.

If nothing changes after you have run the file, probably in the settings of your OS you have an indication to run all the updates at a background routine. In that case, at this point the upgrade of your OS will be finished.

We apologize for any inconvenience this back order may be causing you.


Thank you,

Steve Lipner
Director of Security Assurance
Microsoft Corp.
Doh!

I wonder how many non-infosec professionals would fall for it though.

Thursday, October 02, 2008

Dual use IT

A fellow inmate of CISSPforum sent us a link today to an interesting piece in the Boston Globe regarding the victim of a laptop theft using remote access software to log on to his machine and, in due course, identify the suspected thief's name and address as he typed it into a website. At last, an ethical use for a Remote Access Trojan (RAT)!

The Web is awash with organizations offering to license their RATs and keylogging Trojans but, so far as I can see, they are mostly aiming at the "Spy on your spouse" market. Some of them claim to be aiming at "Spy on your employees" or "Spy on your children", as if that legitimises their activities but speaking personally, I find these uses unethical too. Spouses, employees and children ALL have legitimate expectations of privacy, whether online or off. To me, spying on them as they use the computers is essentially the same as spying on them in the Real World. It's underhand and unfair. Putting yourself in their shoes, how would you like to be spied upon?

[Aside: presumably there is a market for counter-espionage techniques, software that identifies RATs etc. and responds in some appropriate fashion, perhaps feeding the spies false information or simply cutting the link, the IT equivalent of firing a poison pellet into the spy's calf!].

That said, an incident close to home has made me reconsider my ethical position when a close family member discovered that her child was being 'groomed' through online chatrooms. The discovery came not through spy software but good ol' fashioned parenting - keeping a close eye on the little ones and protecting their interests. In this case, the parents' concern was justified and the groomer was stopped in his tracks, but I'm not saying that "the end justifies the means". If my relative had used spy software, I would still have found it distasteful. I think. But that's my personal perspective: you may see things differently.

Anyway, the use of spy software to recover a stolen computer seems perfectly reasonable and indeed entirely legitimate to me. The thief has no reasonable expectation of privacy while using stolen equipment. Maybe I wouldn't go so far as to say the thief has no rights at all (he is still a human being after all) but privacy is not one of them. The Globe mentions similar cases where owners have turned on built-in cameras to photograph those who are using their stolen systems - again, that's not unreasonable to me, just a creative use of technology.

Of course, thieves will see things differently.

Friday, April 04, 2008

BT uses spyware to audit broadband use

BT has admitted to secretly using spyware to monitor the web surfing habits of tens of thousands of its British broadband customers. According to BT, this was merely a technical trial. Allegedly no personal data were collected since machines were identified "by anonymous code numbers" (presumably IP addresses - hardly anonymous) and content keywords were recorded, not website addresses (so what? It's still unethical and possibly illegal interception in my book).

Tuesday, April 01, 2008

Malware blamed for supermarket data breach

A supermarket security breach late last year/earlier this year compromised over 4 million credit/debit cards and led to thousands of fraudulent transactions. The breach has been blamed on malware on the store's servers. The fact that the store systems were PCI DSS compliant, apparently, doesn't exactly inspire confidence in the system of independent security audits but on the other hand it's a reminder that malware is an omnipresent threat.

Saturday, March 22, 2008

10,000 infected pages

McAfee has been warning about malware installed on 10,000 Web pages. The malware attempts to infect the systems of visitors to the sites by exploiting vulnerabilities in various common programs.

This kind of attack is yet another good reason to ensure your antivirus software is always up to date (assuming I don't need to tell you to install and run AV software!), and to load security patches promptly for all of the software programs on your system. PSI from Secunia is a useful tool to track the release of patches - it keeps an eye on what's installed and what versions are current, alerting you when your system falls behind.

Thursday, March 20, 2008

Signature based AV is dead. Long live sig AV!

A malware article in CSO Magazine points out the ultimate futility of the signature-based antivirus detection and blacklisting mechanisms, given the escalating rate of release of new/variant malware and its inability to block data theft (which is what Data Leak Prevention is all about: personally, I never expected AV software to do this so that is a rather curious point).

The demise of signature-based AV detection has been predicted many times before but it stubbornly remains a relatively effective and inexpensive control, on the whole. I'm worried about bespoke malware, custom-written to infiltrate specific target organizations, but there, other techniques come into play, DLP and checksumming being two of them. So called "heuristic scanning" has a bad press for generating too many false positives, but that's another piece of the defense-in-depth puzzle, along with prompt patching and (of course) security awareness. There's no need to detect avoided malware.

CERT malware tips

CERT has re-issued a Cybertip on malware.

Tuesday, March 18, 2008

Addressing the growing botnet threat

A 20 minute CERT podcast on botnets gives an overview of botnets - sizeable networks of compromised computers remotely controlled by hackers, used for stealing data, identity theft, hacking other systems and spamming. Hear how compromises occur, how botnets are used and controlled by the black hats, and how to secure your systems to avoid compromise and clean out bot infections.

If you don't have audio facilities on your system, or simply prefer to read, a transcript is also available.

A little collection of information security-related podcasts from CERT. They are aimed at busy executives with largely nontechnical content.

Sunday, March 16, 2008

Spyware impacts productivity

A single spyware infection on a work computer can impact the productivity of the typical small business employee for two-and-a-half days, according to research commissioned by the Computing Technology Industry Association (CompTIA).

A survey of employees at businesses with 10 to 200 computer users found that more than one in four computer users reported having their productivity impacted by a spyware infection during the past six months. Of these, more than one-third reported multiple spyware infections.


Definitions of spyware vary but the take-home message from this CompTIA study is simply that spyware is a widespread problem that impacts productivity.

Friday, March 14, 2008

Drive-by malware alert

McAfee is warning about malware installed on 10,000 Web pages. The malware attempts to infect the systems of visitors to the sites by exploiting vulnerabilities in various common programs.

This kind of attack is yet another good reason to ensure your antivirus software is always up to date (assuming I don't need to tell you to install and run AV software!), and to load security patches promptly for all of the software programs on your system. PSI from Secunia (or NSI for corporates) are useful tools to track the release of patches - it keeps an eye on what's installed and what versions are current, alerting you when new patches are released. PSI, the personal home-use version, is free and recommended.

Friday, February 29, 2008

Targeted malware

A helpful if rather technical explanation of targeted malware attacks takes a look at some remote control Trojans. These open the victim's machine to powerful local commands submitted by a remote hacker over a control channel. Clever stuff. The piece is a little light on the infection part of such attacks and the mechanisms used to target specific organizations or individuals, although it does outline some of the potential controls against this kind of attack and provides references for further reading.

Monday, February 25, 2008

Malware awareness module released


We have updated and reissued the NoticeBored security awareness module on malware, one of our 'core modules' covering a topic that features heavily in all security awareness programs.

As part of the research to update the module, I've been reading lately about 'virtual malware' or, more accurately, rootkits that target not just the operating system kernel but the underlying hypervisor software used on virtualization systems. To those without a technical background, this may seem like angels dancing on a pinhead but to us nerdy geeky types, virtualization is cool and virtual malware is uber cool.

By coincidence, an article on The Register discusses a vulnerability in VMware, one of the virtualization systems. This could be Big News for anyone using VMware in a production environment, such as many ISPs for example. Various technical security bloggers are deep in discussion.

Thursday, January 10, 2008

Having a bad day at the office?

An IT systems administrator, fearing that he was about to be laid off, planted a logic bomb in his employer's systems. He survived the round of redundancies but detonated the logic bomb anyway. Fortunately for all concerned, bugs in the code prevented it working properly. In court, he was found guilty, sentenced to 30 months' jail time and found liable for $81,200 in restitution.

This story touches on quite a number of security topics:
- He was a trusted insider who went bad
- Logic bombs are a form of malware
- His office/day-job gave him privileged access to the company's IT assets
- Weak change management process controls did not prevent the bomb being installed
- The logic bomb had one or more bugs in the program/script
- Nevertheless it sparked a security incident
- He was called to account for the damage
- There was legal and presumably corporate policy noncompliance
- The risk of recurrence presumably remains

All in all, a nice multi-purpose security awareness case study.

PS The official US DOJ press release about the conviction is dated "Dec 8 2008", an integrity failure to boot.

Saturday, December 22, 2007

A Christmas present for ordinary computer users

Peter Gregory has blogged a list of free security software that is sure to appeal to "ordinary" (as in non-geek) computer users.

The only significant omission that occurs to me is online software security patching. Peter blogged just a week ago about a free and urgent security patch for Skype, perhaps not a good example as he chastises Skype for not publicising the patch. Microsoft Update is probably better.

Personally, I use Secunia's PSI (Personal Software Inspector) to track and stay current with security patches for most of the software on my home system, not just the Microsoft stuff. It does a good job for me but may be too geeky for ordinary mortals. What do you think? Is there a more user friendly option you'd recommend?

Wednesday, December 12, 2007

Why HTML email is BAD

The screenshot above is an email spotted today in my spam box. It's a conventional phishing email with a classic call-to-action and a link whose URL takes victims to the phishing site rather than CitiBusiness.
What caught my eye, though, was the hex encoded gibberish at the bottom. I can't be bothered to convert it all to readable characters and probably don't have the skills necessary to analyze it and figure out exactly what it's doing, but the few unencoded words (api, update, end, exe, create, engine, close, define, revision, tmp, hex, URAW, rev., create, root:, LHY, serv, 22MP., source:, Y1TM, cvs, revision, 60T, 376T:) do rather give the game away: it looks like some sort of attempt to get victims' email software to execute code. My bet is that it exploits a bug in the way HTML emails are handled. Needless to say, my machine is configured to read emails as plaintext. I can live without the fancy text formatting, and malware, thank you very much.
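Converting the hex runs to readable characters is the part an analyst would do first, and it takes only a few lines. The following is an added example written for this page, not the blog's own code: it pulls every long run of hex digits out of a message body, decodes each one, and keeps those that decode to mostly printable text. The sample body is constructed and encodes harmless words; it is not the phishing email from the post.

```python
"""Added example, not the blog's own code: extract the long hex-encoded runs
from an email body and decode them, the first step in reading the "hex encoded
gibberish" described above. The sample message is constructed and encodes
harmless words; it is not the phishing email from the post."""
import re
from typing import List, Tuple

# A whole word of at least 16 hex digits (8 bytes). Shorter runs are too often
# ordinary words or numbers ("deadbeef", order ids) to be worth decoding.
HEX_RUN = re.compile(r"\b[0-9A-Fa-f]{16,}\b")


def decode_hex_runs(body: str) -> List[Tuple[str, str]]:
    """Return (hex_run, decoded_text) for every long hex run in body. Latin-1
    decoding never raises, so binary runs come back as unreadable characters
    and are sorted out by printable_ratio() rather than by an exception."""
    found = []
    for m in HEX_RUN.finditer(body):
        run = m.group(0)
        if len(run) % 2:            # odd length: drop the trailing nibble
            run = run[:-1]
        found.append((run, bytes.fromhex(run).decode("latin-1")))
    return found


def printable_ratio(text: str) -> float:
    """Fraction of characters that are printable; 1.0 for plain text."""
    if not text:
        return 0.0
    return sum(c.isprintable() for c in text) / len(text)


def readable_strings(body: str, threshold: float = 0.8) -> List[str]:
    """Decoded runs that look like text; binary-looking runs are dropped."""
    return [text for _run, text in decode_hex_runs(body)
            if printable_ratio(text) >= threshold]


# Constructed sample body: harmless words hex-encoded between plain tokens,
# plus one run of control bytes that should be filtered out as unreadable.
SAMPLE_BODY = (
    "Dear customer, please verify your account.\n"
    + "api " + b"update engine".hex() + " end\n"
    + "tmp " + bytes(range(16)).hex() + " exe\n"
    + "create " + b"revision 2 source".hex() + " close\n"
)

if __name__ == "__main__":
    for run, text in decode_hex_runs(SAMPLE_BODY):
        print(f"{run[:16]}...  printable={printable_ratio(text):.2f}  {text!r}")
    print("readable:", readable_strings(SAMPLE_BODY))
```

Runs that decode to mostly unprintable bytes are still worth keeping in the raw output (they may be a binary blob or a different encoding layer); the printable filter only decides what to show first.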

Wednesday, August 29, 2007

Beware free l(a)unches

Skimming through my inbox and spam box today, I've seen a few phisher emails like the following example:

Phisher example

The emails vary slightly in the names of the "beta software" (e.g. Investment Developer, Cooking Helper, Home Reno Planner etc.) and of course the senders and subject lines vary.

They all seem to point to an executable file at a numeric IP address, which is most likely another Trojan dropper.

This looks to me like another generation of the STORM worm.

Wednesday, August 22, 2007

Malware spam spewed forth

We've received loads of similar malware spams today, all basically the same structure with minor differences and spelling mistakes (see above).

The links vary but we understand that one (at least) attempts to infect visitors' PCs with a downloader Trojan. Good up to date antivirus software should trap it but do not rely on this as your sole control: it is not recognized by all antivirus programs.

A quick search of my spam/deleted box for emails containing the string "account number" reveals a whole bunch of them received so far today.

Senders include
Bartenders Guide
Cat Lovers
Cool Pics
Dog Lovers
Downloader Heaven
Entertaining Pros
Free Web Tools
Fun World
Funny Files
Game Connect
Internet Dating
Job Search Pros
Joke-A-Day
Mobile Fun
MP3 World
Net Gambler
Net-Jokes
Office Antics
Online Gamers
Online Hook-Up
Poker World
Pet World
Resume Hunters
Ringtone World
Web Connects
Web Cooking
Wine Lovers


Subject lines include
Dated confirmation
Internal Support
Internal Verification
Internet Techincal Support [sic]
Login info
Login information
Login Verification
Member Confirm
Member Details
Membership Details
Membership support
New member confirmation
New User Details
New User Letter
New User Support
Registration confirmation
Registration Details
Tech Department
Thank you for joining
User Info
User services
User Verification
Welcome new member


There are other variants in circulation too.

The spams are believed to be the result of a new mutant of the Storm worm that has been very active for weeks. SANS Internet Storm Centre has some technical info on it and there's more on F-Secure's blog.

The usual advice "Don't click on dubious links" applies here. Now might be a good time for your security awareness person to inform your fellow employees in calm, helpful tones about the threat. PLEASE do not add to the problem by circulating wild warning emails with "Please tell everyone you know!" or similar - leave the job to the professionals and the news media. Oh and don't forget to check that your antivirus software is updating itself regularly.

*UPDATE* Download a security awareness 'alert' about this, suitable for circulating to your fellow employees. NoticeBored customers: please contact us for the editable MS Word version.
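The traits described in this post and in the "Beware free l(a)unches" post above (a welcome/confirmation-style subject line, the phrase "account number" in the body, and a link to an executable at a numeric IP address) are simple enough to turn into a mail filter. The following is an added example written for this page, not the blog's own code or any product's: it scores constructed sample messages against those three rules, using a subset of the subject lines quoted above. The IP addresses are from the RFC 5737 documentation range, not real hosts.

```python
"""Added example, not from the post: a triage filter for the three traits these
Storm-style lures share according to this post and the "Beware free l(a)unches"
post above. The sample messages are constructed; the addresses come from the
RFC 5737 documentation range, not real hosts."""
import ipaddress
import re
from typing import Dict, List
from urllib.parse import urlparse

# Subject lines quoted in the post (a subset), normalised to lower case.
LURE_SUBJECTS = {
    "login info", "login information", "login verification", "member confirm",
    "member details", "membership details", "new member confirmation",
    "new user details", "registration confirmation", "thank you for joining",
    "user info", "user verification", "welcome new member",
}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat")


def executable_links_at_bare_ip(body: str) -> List[str]:
    """URLs whose host is a literal IP address and whose path names an
    executable. No name resolution is attempted, so this runs offline."""
    hits = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;:)")           # trailing punctuation from prose
        parsed = urlparse(url)
        try:
            ipaddress.ip_address(parsed.hostname or "")
        except ValueError:
            continue                        # named host: not this rule's concern
        if parsed.path.lower().endswith(EXECUTABLE_SUFFIXES):
            hits.append(url)
    return hits


def reasons(message: Dict[str, str]) -> List[str]:
    """Why a message is suspicious; an empty list means no rule fired."""
    out = []
    if message["subject"].strip().lower() in LURE_SUBJECTS:
        out.append("subject matches lure list")
    if "account number" in message["body"].lower():
        out.append("body mentions an account number")
    links = executable_links_at_bare_ip(message["body"])
    if links:
        out.append(f"{len(links)} link(s) to an executable at a bare IP address")
    return out


def triage(messages: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each message id to the list of rules it tripped."""
    return {m["id"]: reasons(m) for m in messages}


# Constructed sample mailbox: one lure, one ordinary message, one near miss.
SAMPLE_MESSAGES = [
    {"id": "m1", "subject": "Login Verification",
     "body": "Your account number is 2217. Confirm at "
             "http://192.0.2.10/members/applet.exe today."},
    {"id": "m2", "subject": "Quarterly report",
     "body": "The draft is at http://www.example.com/reports/q3.pdf for review."},
    {"id": "m3", "subject": "Welcome new member",
     "body": "Thanks for joining; see http://www.example.com/welcome for details."},
]

if __name__ == "__main__":
    for msg_id, why in triage(SAMPLE_MESSAGES).items():
        print(msg_id, "suspicious:" if why else "clean", "; ".join(why))
```

A single rule firing (m3, a genuine welcome email) is a prompt to look, not a verdict; the combination of all three on m1 is what makes it worth quarantining, which is why the function returns the reasons rather than a yes/no.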

Thursday, July 19, 2007

Lurid job ads

"Hackers stole information from the U.S. Department of Transportation and several U.S. companies by seducing employees with fake job-listings on advertisements and e-mail, a computer security firm said."


The Reuters correspondent explains that victims were lured to a site with [fake] job advertisements and (presumably) phishing emails, only to have their systems infected with malware. The malware apparently evaded detection by the standard antivirus tools. Nasty.

I've long said that narrowly-targeted/custom malware is a particular threat if it slips under the antivirus silver bullet. Imagine the power of being able to select your target organization and inject your data extraction device and suck out your fill of an organization's lifeblood, with little chance of detection or prosecution. Imagine now that you are a Foreign Power or Criminal Mastermind with the money to buy such malware or the resources to recruit and train your own black squadron of evil hackers ...

Sleep well. Don't have nightmares. Leave that to us professional paranoiacs.

Friday, June 15, 2007

What the white hats are up against

In its usual tongue-in-cheek fashion, The Register describes the Black Hat world through ten features:
1. The Black Hats form a well-integrated community that shares knowledge effectively.
2. Becoming a Black Hat is a career option even for those who are not super geeks.
3. There are even specialist virus tools designed to circumvent specific AV products.
4. There are SDKs for the more advanced hackers.
5. There's a market for your data.
6. There are botnets to rent.
7. Some rogue websites are very subtly managed.
8. Good hackers know how to stay safe (they stay abroad).
9. The banking system has its channels.
10. Not all businessmen are entirely averse to the odd hack (on a competitor).

In the sense of "know your enemy", the article presents an interesting perspective.


Tuesday, April 03, 2007

Microsoft animated cursor fix

A bug in Windows' handling of animated cursor files is being actively exploited by The Dark Side. Those of us on the Light Side are advised to deploy an emergency patch just released by Microsoft ... or consider moving to an alternative, less bug-ridden operating system sharpish, assuming such a beast exists.

More network security resources


Saturday, March 31, 2007

SME Achilles heel = Well connected salesmen

IT Pro, reporting on a study by Vanson Bourne, points out that salesmen's dependence on electronic communications makes them more vulnerable than most to targeted phishing attacks. Such attacks typically deliver Trojans in office files sent as email attachments. The problem is especially acute in SMEs (Small to Medium-sized Enterprises, also known as SMBs, Small to Medium-sized Businesses). The author emphasises that SMEs need security awareness but offers no suggestions on how this might actually be achieved in practice.

More security awareness and malware links


Friday, March 23, 2007

Forensic analysis of a Russian Trojan

The techies at SecureWorks describe the painstaking forensic analysis of "Gozi", a Trojan horse program found on a customer's PC. The Trojan (which was not at first recognized by antivirus packages) was found to be stealing sensitive data, capturing it before IE or JavaScript encrypted it for transmission to SSL websites, and secretly sending it to a remote server. From there, the stolen information was put up for sale on the black market, along with associated hacking services.

The description, like the Trojan, is complex and technical but makes fascinating reading for IT professionals. The analysts used virtual machines, Safe Mode, a debugger and tools from SysInternals and Wireshark/Ethereal to dissect the beast. Luckily the antivirus companies' tech gurus have the patience and skills to do this kind of analysis on our behalf.

More malware links


Monday, March 19, 2007

The State of Malware

The State of Malware is not, in fact, the name of some obscure far-off land where computers misbehave but the title of a free SANS webcast on Wednesday March 21st, 1:00 PM EDT (1700 UTC).

Over the course of the past two years, information technology has seen some amazing advances. Unfortunately, malware authors are keeping pace with the industry. This webcast will reveal what's really going on "out there" - from sophisticated phishing "worms" to a disturbing increase in Trojans, extensive bot networks and new polymorphic viruses. Methods of distribution are changing, too. For example, new Web technologies are making it easier than ever to disseminate malware. So what can we do? The webcast will also cover methods of detection and prevention, including behavioral analysis and site reputation.

You need a free SANS portal account and either Real Audio Player or Windows Media Player to access this SANS webcast and the archive of past webcasts.

More malware links


Thursday, March 15, 2007

CERT cybertip on antivirus software

The latest US CERT Cybertip update covers antivirus software. As always, the tip sheet explains the basics in simple language, aiming at a non-technical audience. It is covered by a copyright license stating "You are permitted to reproduce and distribute documents on this web site in whole or in part, without changing the text you use, provided that you include the copyright statement or 'produced by' statement and use the document for noncommercial or internal purposes." In other words, you can reproduce and distribute it within your organization with attribution to CERT, but you (and we!) may not sell it on.

More malware links


Tuesday, March 13, 2007

Malware trends on mobile devices

Antivirus vendors have been talking up the malware threat to mobile devices such as smart phones and PDAs for a few years now. Naturally, those who offer antivirus software for such devices tend to be more vociferous about the problem, but there comes a point when it's time to take their warnings seriously.

Kaspersky's summary of current mobile malware risks identifies trends during 2006 that point to the possibility of this getting serious before too long. The number of mobile viruses increased steadily from ~120 to ~180 in the year, still way short of the epidemic virus numbers seen on PC platforms. Of more interest is a perceived change in the nature of the threat, namely more emphasis on stealing money rather than simply annoying users. If true, that observation mirrors what others are saying about identity theft and other criminal activities in general in relation to information security incidents.

[That said, I feel pretty safe out here in the depths of rural New Zealand, several miles outside mobile coverage. We use jungle drums not cellphones.]

More malware links


Thursday, March 08, 2007

Polymorphism gone bonkers

Over the past few months, the "Storm" worm has taken the idea of polymorphism to new extremes. To understand the context, here's a little history.

Once upon a time long long ago, cunning virus authors discovered they could fool the early antivirus programs simply by making insignificant changes in their code. Adding the odd "null command", pointless loops or whatever was enough to make 'variants' that escaped detection, for a while anyway, until the equally cunning antivirus analysts caught on, figuring out how to unravel the variations and find the common factors to make reliable virus signatures. Virus variants emerged every few months or weeks.

Next, even more cunning authors built automated virus-generating engines able to create variant or "polymorphic" viruses at will. A whole industry of polymorphic cunningness developed, adding tricks such as self-modifying code, obfuscation and encryption to the pot and spewing out variants by the bucket-load. The antivirus whizz-kids spent their days searching through the layers of obfuscation for invariant code sequences such as the decryption routines, and toyed with the idea of "heuristic scanning" for "virus-like activity". Variants emerged every few weeks or days.
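To make the cat-and-mouse above concrete, here is a toy Python illustration added to this post (it is not code from the original article and it handles no real malware): six constructed "variants" share a stand-in decryption routine (CORE) but differ in sprinkled do-nothing fillers and in the single-byte XOR key applied to a stand-in body. An exact file hash matches only the one sample it was made from, normalising away the fillers still fails because the re-encrypted body differs, and only a signature on the invariant sequence the analyst digs out catches all six. CORE, BODY, FILLERS and MASKS are arbitrary constructed values, not anything from the page.

```python
"""Toy demonstration of why padding and re-encryption defeat exact
signatures, and why analysts hunt for the invariant decryption routine.
All byte strings are constructed for the example; nothing here is real code."""
import hashlib

# Constructed stand-in for the one part a polymorphic virus cannot vary much:
# the routine that decrypts the rest of the body.  Arbitrary bytes.
CORE = b"\x8b\x45\x08\x31\xc0\x0f\xb6\x10\x84\xd2\x74\x05\x40\xeb\xf5\xc3"

# Constructed stand-in for the body that gets re-encrypted in every variant.
BODY = b"constructed-body-of-the-toy-sample"

# "Null commands" sprinkled between real instructions.  The first byte of
# each filler never occurs in CORE or in the XOR-ed BODY, so stripping them
# is exact for this toy; real normalisation needs a disassembler.
FILLERS = [b"\x90", b"\x87\xc0", b"\x89\xc0"]

# Insertion masks (constructed): bit j set means "put a filler before CORE byte j".
MASKS = [0x5555, 0xAAAA, 0xF0F0, 0x0F0F, 0x3333, 0xCCCC]


def constructed_variants() -> list[bytes]:
    """Six toy samples that share CORE but differ in filler placement and in
    the XOR key applied to BODY.  Constructed test input for the detectors."""
    samples = []
    for i, mask in enumerate(MASKS):
        stub = bytearray()
        for j, b in enumerate(CORE):
            if (mask >> j) & 1:
                stub += FILLERS[(i + j) % 3]
            stub.append(b)
        key = 0x41 + i                       # distinct key per variant
        body = bytes(x ^ key for x in BODY)  # "re-encrypted" body
        samples.append(bytes(stub) + body)
    return samples


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def normalize(sample: bytes) -> bytes:
    """Strip known fillers so variants that differ only in padding compare equal."""
    for filler in FILLERS:
        sample = sample.replace(filler, b"")
    return sample


def invariant_sequence(samples: list[bytes]) -> bytes:
    """Longest byte string common to every sample: the signature candidate an
    analyst extracts after peeling back the variable layers."""
    shortest = min(samples, key=len)
    for length in range(len(shortest), 0, -1):
        for start in range(len(shortest) - length + 1):
            candidate = shortest[start:start + length]
            if all(candidate in s for s in samples):
                return candidate
    return b""


def count_hits(samples: list[bytes], predicate) -> int:
    return sum(1 for s in samples if predicate(s))


def compare_strategies(samples: list[bytes]) -> dict:
    """Detections per strategy, assuming the analyst wrote the two hash
    signatures after seeing only samples[0] but had the whole corpus when
    extracting the invariant sequence."""
    exact_sig = sha256(samples[0])
    norm_sig = sha256(normalize(samples[0]))
    invariant = invariant_sequence([normalize(s) for s in samples])
    return {
        "exact_hash": count_hits(samples, lambda s: sha256(s) == exact_sig),
        "normalized_hash": count_hits(samples, lambda s: sha256(normalize(s)) == norm_sig),
        "invariant": count_hits(samples, lambda s: invariant in normalize(s)),
        "invariant_bytes": invariant,
    }


if __name__ == "__main__":
    for strategy, result in compare_strategies(constructed_variants()).items():
        print(f"{strategy}: {result!r}")
```

Running it gives 1 hit for the exact hash, 1 for the normalised hash and 6 for the invariant sequence, which comes back as CORE itself. The same logic explains the "heuristic scanning" idea: once byte-level signatures stop working, the remaining constant is behaviour rather than bytes.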

The author of "Storm" took the game to a new level. He/she released a few hundred worm variants simply to test the waters, then an absolute avalanche of thousands or tens of thousands of variants all at once, seeded from tens or hundreds of thousands of compromised 'bot' machines all over the net. The worms use highly variable subject lines and code and, through sheer numbers alone, threaten to overload even the most assiduous antivirus team.

The next chapter in this thrilling story is likely to be rather unpleasant.

More malware links


Antivirus product comparison

If you are curious to find out how antivirus products compare, AV-Comparatives.org regularly tests a reasonable selection of products against an up-to-date 'zoo' containing a million malware examples. Their February 2007 report is here.

The top three products in the latest assessment are AVK, TrustPort and AVIRA.

To be fair, most of the top products score very similarly.

More malware links


Tuesday, March 06, 2007

Malware videos

Scott Pinzon and colleagues at Watchguard have produced and released some outstanding malware-related security awareness videos. The content is fairly technical but well presented and engaging.

Drive-by downloads demonstrates how simply browsing a malicious or compromised website may infect an inadequately-secured PC. Using Firefox with the NoScript add-in makes this kind of attack less likely compared to a standard Internet Exploder configuration.

Rootkits are explained in three parts (part 1, part 2, part 3). Avoidance tips in part 3 hint at the issues well-concealed rootkits can create even for security geeks.

More malware links


Saturday, March 03, 2007

Bot wars

A family of worms known variously as SDBOT, RINBOT, LOXBOT and DELBOT makes rude references in its code to the information security and antivirus companies trying to stamp it out. The worms spread by guessing or brute-forcing simplistic passwords on network shares, or via Instant Messaging. The payload is a backdoor that allows hackers to remote-control compromised machines using IRC (Internet Relay Chat), generally to launch Distributed Denial of Service attacks.

Despite claims of novelty by CNN, these worms have been around for years.

More malware links


Thursday, March 01, 2007

Sun Telnet daemon worm in the wild

Sun Microsystems warns that a worm exploiting a security flaw in their Telnet daemon is 'in the wild' i.e. currently infecting Sun systems. Sun has evidently issued a patch but a better solution is, um, not to use Telnet, especially across the Internet. SSH is a simple, much more secure replacement in most situations, using SSL to encrypt the network traffic.

More network security links to follow next month


Monday, February 26, 2007

Malware security awareness module released

Latex gloves optional
If you know someone who thinks antivirus software makes them immune to malware, perhaps our latest awareness module will help you change their mind. There is more to malware than viruses, and antivirus software only partially addresses one class of malware threats.

Since we last put out this core module a year ago, spyware, rootkits and Trojans have become increasingly prominent and problematic, while viruses and worms are fading gradually into the background cosmic noise of the Internet (... of course, that could be 'famous last words'! There is still no shortage of widespread security vulnerabilities and zero-day exploits to worry about).

We're counting on you. Good luck Jim.


Saturday, December 23, 2006

When SysAdmins go bad 2 - the terror returns

As if to reinforce our recent posting regarding the insider threat and, especially, the threat from employees in trusted/privileged positions, another former system administrator has been charged with planting a logic bomb on his employer's systems, fearing that he was going to lose his job following a merger. The bomb was safely defused before it exploded but the alleged bomber's career options don't look too bright right now.

More malware links


Wednesday, December 20, 2006

Insider threats info from CERT

A fascinating podcast by CERT's Dawn Capelli describes a CERT/SEI/US Secret Service/CSO survey of the insider threat. As well as the usual roll-call of scary statistics (27% of security incidents are caused by insiders; 55% of the organizations surveyed had experienced deliberate insider malicious activities; 57% of IT sabotage attacks are committed by former employees), it mentions several interesting incidents and threats, such as employees deliberately stealing proprietary software and other information over a long period or just prior to moving to a new job, downloading logic bombs and framing their supervisors, creating backdoor accounts or modifying privileged scripts, or planting long-fuse logic bombs while they still have privileged systems access.

To back up the podcast, there is a wealth of information on the insider threat on CERT's website. This is evidently a focus area for CERT and (on a professional note) it is gratifying to find that employee security awareness is recognized as an important control - specifically, Dawn mentioned use of 'whistleblower hotlines', policies and so forth to encourage/facilitate employees shopping their peers. Snitching may create its own ethical dilemmas but, speaking as one who has occasionally benefited from information provided in confidence by 'snouts' aggrieved at the liberties taken by their colleagues, it is a sadly underappreciated form of control.

Account management and review processes and change and configuration management practices are also emphasized. The podcast highlights the amount of trust placed in privileged IT insiders.

More security awareness links


Tuesday, December 19, 2006

When SysAdmins go bad

Information Week reports that "A federal prosecutor says the sentencing of a former IT systems administrator to eight years in prison for an insider attack should sound a warning to hiring managers that they need to be more vigilant about who they're putting in critical IT positions. ... The March 4, 2002 attack brought down about 2,000 servers both in the company's data center, as well as in branch offices around the country. The financial giant reported that simply cleaning up the mess and getting back online cost UBS more than $3.1 million. ... Duronio [the guilty party] has a criminal record that includes charges of burglary and assault. A presentencing report from the Probation Office in U.S. District Court also lists charges against Duronio from the 1960s, 1970s, 1980s, and 1990s. ... A spokeswoman for UBS said that when Duronio was hired in 1999, the company only ran background checks on a select number of people. Duronio was not one of them". Background checks aren't perfect but, in this case at least, should have raised concerns about the candidate prior to his employment in such a responsible position. The attack was sparked by Duronio receiving a bonus $15k lower than he expected in the aftermath of 9/11.

More links on hacking, malware, accountability, roles & responsibilities, incident management and laws, standards & regulations


Friday, December 15, 2006

Spear phishing case study

In Spam that delivers a pink slip, Computerworld presents a case study on an organization whose staff received spear phishing emails. "Last week, a handful of employees at Dekalb Medical Center in Decatur, Ga., received e-mails saying they were being laid off. The subject line read "Urgent - employment issue," and the sender listed on the message was at dekalb.org, which is the domain the medical center uses. The e-mail contained a link to a Web site that claimed to offer career-counseling information. And so a few employees, concerned about their employment status and no doubt miffed about being laid off via e-mail, clicked on the link to learn more and unwittingly downloaded a keylogger program that was lurking at the site." The article seems a little confused about the distinction between spammers and fraudsters but is basically sound. Other local hospitals were reportedly targeted so it is possible that this was in fact simply an ordinary spam, but the potential for delivery of keyloggers, rootkits and other malware is plain to see.
More malware, email and social engineering links


Sunday, December 10, 2006

You've got infected mail!

Attackers are actively exploiting an MS Word zero-day vulnerability by tricking users into opening malicious Word files using a form of social engineering. Infected files may arrive as email attachments from people you know and trust, as well as from those you’ve never heard of. It’s not yet clear whether Microsoft will release a patch on Tuesday: if not the fix may slip to January unless M$ releases an interim emergency patch. It all depends on the quality of their coding and the speed of their QA and release processes. Meanwhile take extra care with email attachments, even from friends and colleagues, and make sure your antivirus software is bang up to date. We'll be releasing an updated malware module early in the new year and a new module on application security shortly afterwards: don't let your organization become a statistic or case study!
More social engineering, incident management, bugs!, secure software development and malware links


Friday, October 06, 2006

Laptop security is a top priority

ZDnet reported "The Sans Institute says the greatest concern for businesses should be the security of their laptops, as more companies replace desktops with notebooks. The mix of sensitive data being taken out of the organisation and a lack of encryption, coupled with incidences of human error that can see such devices lost or stolen, means companies should make this issue a top priority. The Sans report also said the theft of other mobile devices, such as PDAs and smart phones, will increase because of the value of the data they may contain." I would of course agree that loss or theft of data on laptops is important ... along with the introduction of malware on portable devices, the lack of backups and the use of portable (and especially wireless) devices to remove information illicitly from corporate networks. But, sure, loss or theft of data on laptops is an issue.

More portable IT security and wireless networking links


Thursday, September 28, 2006

Being born yesterday

Hackers are so desperate to exploit vulnerabilities such as the VML bug, they are becoming quite incoherent in their excitement. Here's the text of an email I just received:

Mail server report.

Our firewall determined the e-mails containing worm copies are being sent from your computer.

Nowadays it happens from many computers, because this is a new virus type (Network Worms).


Using the new bug in the Windows, these viruses infect the computer unnoticeably.
After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail
addresses

Please install updates for worm elimination and your computer restoring.

Best regards,
Customers support service


Needless to say, I didn't open the attachment (which had already been quarantined by the antivirus software, in any case). Phew, that was a close one!
More Bugs! and malware links


Wednesday, September 06, 2006

NIST guide to email security

A new draft Special Publication from NIST addresses email security. SP 800-45A has the depth and breadth we have come to expect from NIST, with over 140 pages covering security concerns such as the following examples:
- Since exchanging email with the outside world is a requirement for most organizations, email is allowed through their network perimeter defenses. Because of this, attackers are increasingly using email as a vector for their attacks. At a basic level, viruses and other types of malware may be distributed throughout an organization via email. Increasingly, however, attackers are getting more sophisticated and are using email to deliver targeted zero-day attacks to users in an attempt to compromise their workstations. If successful, the attackers will then have an attack platform within the organization’s internal network.
- Given email’s nature of human to human communication, it can be used as a social engineering vehicle. Email can allow an attacker to exploit an organization’s users to gather information or get the users to perform actions that further an attack.
- Flaws in the mail server application may be used as the means of compromising the underlying server and hence the attached network. Examples of this unauthorized access include gaining access to files or folders that were not meant to be publicly accessible, and being able to execute commands and/or install software on the mail server.
- Denial of service (DoS) attacks may be directed to the mail server or its support network infrastructure, denying or hindering valid users from using the mail server.
- Sensitive information on the mail server may be read by unauthorized individuals or changed in an unauthorized manner.
- Sensitive information transmitted unencrypted between mail server and client may be intercepted. All popular email communication standards default to sending usernames, passwords, and email messages unencrypted.
- Information within email messages may be altered at some point between the sender and recipient.
- Malicious entities may gain unauthorized access to resources elsewhere in the organization’s network via a successful attack on the mail server. For example, once the mail server is compromised, an attacker could retrieve users’ passwords, which may grant the attacker access to other hosts on the organization’s network.
- Malicious entities may attack external organizations from a successful attack on a mail server host.
- Misconfiguration may allow malicious entities to use the organization’s mail server to send email-based advertisements (i.e., spam).
- Users may send inappropriate, proprietary, or other sensitive information via email. This could expose the organization to legal action.
Comments on the draft are welcome before October 6th.
More email security resources


Laptop hacking step-by-step

In a piece ostensibly in the same vein as Catch Me If You Can, Spies Among Us or Know Your Enemy, the author of Laptop hacking step-by-step invites us to consider how data thieves or hackers might break into laptops in order to identify the necessary security controls. The laptop security vulnerability assessment is rather narrowly focused, highlighting certain issues (such as missing or weak passwords) and controls (such as disk encryption) but completely missing many other issues (such as lost data or malware) and controls (such as backups and antivirus).
More on mobile security


Sunday, June 18, 2006

Zero-day exploits follow M$ patches

It is presumably just a coincidence that a zero-day Microsoft Excel vulnerability was acknowledged by Microsoft just a few days after this month's MS Patch Tuesday. It is conceivable, though, that major MS exploits might be released deliberately to coincide with Patch Tuesday, since patches are unlikely to be released for at least another month. Who knows? I'd say it is more likely that the black hats hope their exploits will remain just below the radar for as long as possible, so the release timing is irrelevant.

Perhaps not such a coincidence: Symantec is reporting that a PowerPoint zero-day exploit was released just after July's M$ Patch Tuesday.
More malware links


Saturday, June 10, 2006

On finding a lost USB drive

Social Engineering, the USB Way is a rather worrying report into a successful penetration test using a mixture of social engineering and malware techniques. One morning before work, the testers scattered USB thumb drives containing Trojans in the parking lot and smokers' corners outside their target credit union premises. The workers duly discovered the 'lost' drives, took them in, plugged them in and compromised their systems security. The worrying part is the success rate, the potential impact and the likelihood of success elsewhere. Possible controls include security awareness training, antivirus tools, IDS and USB blocking software.
More social engineering and malware links


Monday, June 05, 2006

British nurse hackmailed

A Manchester nurse has been hackmailed, possibly the first victim of so-called Ransomware in the UK. A somewhat confusing BBC news report indicates that hackers got onto her PC, encrypted some of her files and then blackmailed her to decrypt them. The article also mentions a virus called Archiveus, which F-Secure in fact lists as a Trojan called MayArchive.B. Victims are evidently told to buy pharmaceuticals from a Russian Internet company. Ransomware is also the name of a licensing scheme to raise a certain amount of money from software before releasing it to the Open Source community, so I prefer the term "hackmail".

A blog entry from September 2005 notes variants on the theme, using Distributed Denial of Service, for example, to extort money from victims. Whereas DDoS attacks have generally targeted online businesses such as gambling companies and, of course, Blue Security, it's possible the nurse story is an example of increasing criminal interest in targeting individual people. Cybercriminals have traditional hacking, malware, social engineering and spam in their toolboxes, and identity theft is another lucrative con against individuals. The Internet provides many opportunities for criminals to hide their own identities and launder funds. It's the World's Wild West.
More malware links


Friday, June 02, 2006

Email security awareness

June's NoticeBored security awareness module covers email security, one of our "core topics" that practically all security awareness programs are bound to cover. We look beyond the obvious issues such as spam, malware and phishing to aspects such as libel, harassment and unauthorized contracts.
Email security links


Saturday, May 20, 2006

MS Word zero day exploit in the wild

Alerts are circulating about a zero-day attack exploiting a buffer overflow vulnerability in Word XP and Word 2003 (not the free Word document reader, nor Word 2000). The attack seen to date appears to have been targeted against a specific organization, dropping a "Trojan with rootkit features" (i.e. it conceals its presence). As usual in these circumstances, the initial information is somewhat vague, mostly third-hand reports, but when SANS ISC and various antivirus vendors pipe up, there's enough smoke to indicate a probable fire. Microsoft's security team confirmed they are on the case through a blog entry, with a patch anticipated on Patch Tuesday in June. Meanwhile, our advice for now would be to avoid opening Word documents attached to emails unless the sender is known to you and the content was expected. Also, for good measure, avoid opening Word documents downloaded from web pages on dubious websites - not a bad idea in itself.
More malware resources


Saturday, May 06, 2006

Spycar anti-spyware tester

Spycar comprises a suite of routines designed to mimic various forms of spyware (in a benign fashion, of course) and thereby test your anti-spyware tools. The sequence completes with a scoring and clean-up tool that politely reverts the test changes. Having been created by Ed Skoudis of Counter-Hack fame and colleagues from the SANS ISC, one can be reasonably confident that the tests are both effective and safe. The Spycar name is a tip-o'-the-hat towards the EICAR anti-virus test sequence, an old but still useful means of confirming that your antivirus tools are working. Ed, if you're watching, how about phishcar and Troycar too?
More (anti-)malware links


Wednesday, April 12, 2006

Microsoft exec warns: Beware rootkits

If your system gets infiltrated by a rootkit, you might as well just “waste the system entirely,” said a program manager from Microsoft's security solutions group. The point is that rootkits are deliberately constructed to conceal themselves, making it extremely difficult to (a) detect that your system has been rootkitted (compromised with a rootkit), and then (b) remove said rootkit and revert the system to its uninfected state. An active rootkit has full access to your machine. By taking control of the system hardware before the operating system loads, it has the potential to mediate calls to the network and hard drives, and can intercept keyboard and mouse commands. You have no secrets from a rootkit.
More links on keeping secrets and malware


Tuesday, March 21, 2006

Trojan author and wife convicted

An Israeli couple have been convicted in connection with writing and selling a Trojan horse program to private investigator customers to spy on others. They are expected to face jail time.
More malware links


Monday, March 06, 2006

Keeping Up with the Phishers

Phishing has been described in several NoticeBored modules. It is still hot news. Spear phishing - the targeting of specific individuals such as executives of a particular organization using hand-crafted email lures - remains a serious threat. Read Keeping Up with the Phishers for an excellent description of the problem.
More malware and authentication resources


Friday, February 03, 2006

F-Secure phished

Finnish antivirus vendor F-Secure has published an advisory about fake emails sent out in its name that contain malware. The emails contain the line: "I have enclosed a screen capture of the problem so your team can get it fixed if you deem it an issue." The attachment (presumably) contains not a screenshot but a new variant of the Breplibot worm. This is essentially the same phishing technique often used to send keylogging Trojans to bank customers. The email uses social engineering techniques to fool recipients into doing something silly, in this case opening the attachment.
More malware, social engineering and authentication links


Thursday, January 26, 2006

Hidden threats - rootkits and botnets

A new US CERT Cybertip covers 'hidden threats' such as Rootkits and Botnets. The Cybertips neatly summarize common information security issues for ordinary computer users - not geeks.
More "virus" links


Tuesday, January 24, 2006

Spear phishing for MPs

The Guardian newspaper reports that British Members of Parliament were specifically targeted in what looks like a spear-phishing attack. Thankfully, the Parliamentary security systems seem to have foiled the attack but other victims may not have the same level of protection. What's interesting about spear-phishing is that the classic pattern-matching antivirus tools may prove ineffective if the attackers create or use virgin never-before-in-the-wild malware specifically for these attacks. The implications are horrific.
More malware links here


Monday, August 15, 2005

F-Secure Computer Virus Information Pages: Zotob.A

The Zotob.A worm exploits a Plug-and-Play vulnerability, targeting unpatched Windows machines by scanning port 445 and downloading a virus using FTP. The worm was released within just 5 days of Microsoft releasing August’s security patches. HAVE YOU PATCHED ALL YOUR WINDOWS SYSTEMS YET?
More change management and malware resources


Wednesday, August 10, 2005

The value of currency

Microsoft's HoneyMonkeys project is using XP PCs with various levels of patching to search for malicious download sites. If an original unpatched XP PC is affected by malware on visiting a website, an XP SP1 machine is sent to the same site to see whether the SP1 patch fixed the vulnerability. If that fails, an SP2 machine is tried, and so on up to the most recent fully-patched version of XP. If the latest version is still vulnerable, they are presumably facing a 'zero day' exploit, worth further examination. The project confirms the importance of maintaining version currency to minimize the level of known vulnerabilities.
More change management resources
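
The escalation the post describes, written out as an added example (not Microsoft's HoneyMonkeys code): `visit(url, level)` stands in for a run of the instrumented browser, the level names and the per-site results are constructed, and the point is the stopping rule that separates "patched at level X" from "zero-day candidate".

```python
"""Patch-level escalation as the HoneyMonkeys post describes it.

Added example. `visit(url, level)` returns True when the page compromised
a machine at that patch level; level names and site results are constructed.
"""

# Assumed ordering, least to most patched.
PATCH_LEVELS = ["XP-RTM", "XP-SP1", "XP-SP2", "XP-SP2-current"]


def triage_site(url, visit, levels=PATCH_LEVELS):
    """Try the weakest machine first; stop at the first level that survives.

    Returns ("clean", None) if even the unpatched box was untouched,
    ("patched", L) if L is the first level that resisted, or
    ("zero-day-candidate", last) if the fully patched box fell too.
    """
    if not visit(url, levels[0]):
        return ("clean", None)
    for level in levels[1:]:
        if not visit(url, level):
            return ("patched", level)
    return ("zero-day-candidate", levels[-1])


# Constructed results: the set of levels each site manages to compromise.
CONSTRUCTED = {
    "http://site-a.invalid/": {"XP-RTM", "XP-SP1"},   # closed by SP2
    "http://site-b.invalid/": set(),                  # harmless page
    "http://site-c.invalid/": set(PATCH_LEVELS),      # beats everything
}


def triage_all(sites=CONSTRUCTED):
    """Triage every site; returns (verdicts, number of browser runs used)."""
    runs = []

    def visit(url, level):
        runs.append((url, level))
        return level in sites[url]

    verdicts = {url: triage_site(url, visit) for url in sites}
    return verdicts, len(runs)


if __name__ == "__main__":
    verdicts, runs = triage_all()
    for url, verdict in verdicts.items():
        print(url, verdict)
    print(runs, "browser runs")
```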

Thursday, July 21, 2005

"Underground" websites

Perusing this list of 100 "underground" websites gives a flavor of what certain hackers find interesting - hacking/cracking tools and how-to courses, warez and cracked serial numbers, for example. [Warning: take great care if visiting or downloading “useful tools” from dubious websites. Some of them may exploit security vulnerabilities in your system or indeed yourself to install Trojans and other malware.]
More anti-hacking and malware resources

Monday, July 11, 2005

'London bombing' Trojan

The day after London was bombed, a 'London bombing' Trojan started circulating. "Virus writers have created a Trojan which poses as London terrorist attack news footage. Infected emails harbouring the Trojan pose as a CNN Newsletter which asks recipients to 'See attachments for unique amateur video shots'." Shameless.
More malware, anti-hacking and crisis management links

Saturday, July 09, 2005

Targeted Trojan emails

The threat of targeted malware attacks was discussed a few months ago in the NoticeBored Classic awareness module on malware. A US-CERT Technical Cyber Security Alert is now warning of the increased threat of Trojans that (a) elude conventional protective measures such as antivirus software and firewalls, and (b) are emailed to specific targeted recipients. External disclosure (exfiltration or stealing) of data appears to be the primary purpose, for example using port 80 like normal web traffic, passing straight through the perimeter firewalls.
More anti-hacking and malware resources
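
Port 80 passes the firewall, but exfiltration still looks different from browsing in a proxy log: the client sends far more than it receives, repeatedly, to a host nobody else talks to. The following is an added example (not from the US-CERT alert) that scores constructed proxy log lines on that asymmetry; the log format, allow-list and thresholds are assumptions.

```python
"""Spot outbound 'web' traffic that looks like exfiltration, not browsing.

Added example. Proxy log format (time, client, method, host, bytes_out,
bytes_in), the allow-list and the thresholds are constructed/assumed.
"""
from collections import defaultdict

# Constructed sample: two browsing clients and one host pushing ~1 MB
# POSTs to a bare IP address every minute while receiving almost nothing.
SAMPLE_PROXY_LOG = """\
09:00:01 10.1.1.20 GET www.example.com 512 48210
09:00:05 10.1.1.20 GET www.example.com 430 22011
09:01:10 10.1.1.31 POST mail.example.net 9000 1200
09:02:00 10.1.1.31 POST mail.example.net 8800 1100
09:03:15 10.1.1.42 POST 203.0.113.77 1048576 210
09:04:20 10.1.1.42 POST 203.0.113.77 1048576 210
09:05:25 10.1.1.42 POST 203.0.113.77 1048576 210
"""

KNOWN_HOSTS = frozenset({"www.example.com", "mail.example.net"})  # assumed allow-list


def exfil_suspects(log_text, min_bytes_out=1_000_000, min_ratio=10.0,
                   known_hosts=KNOWN_HOSTS):
    """Aggregate bytes per (client, host). Flag pairs outside the allow-list
    where the client has sent at least `min_bytes_out` and the send/receive
    ratio is at least `min_ratio`. Browsing is receive-heavy; uploads to an
    unknown host that never answer with content are what we want to see."""
    totals = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        _, client, _method, host, out, inbound = line.split()
        totals[(client, host)][0] += int(out)
        totals[(client, host)][1] += int(inbound)
    suspects = []
    for (client, host), (out, inbound) in totals.items():
        if host in known_hosts:
            continue
        ratio = out / max(inbound, 1)
        if out >= min_bytes_out and ratio >= min_ratio:
            suspects.append({"client": client, "host": host,
                             "bytes_out": out, "ratio": round(ratio, 1)})
    return suspects


if __name__ == "__main__":
    for s in exfil_suspects(SAMPLE_PROXY_LOG):
        print(s)
```

The allow-list is only there to cut noise from legitimate upload-heavy services (webmail, backup); a first pass should run without it to see what it would hide.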

Tuesday, June 28, 2005

Targeted attacks pose new security challenge

Computerworld reports that "'We're clearly seeing a trend away from broadcast attacks to much more targeted and much more sophisticated types of attacks,' said Andreas Wuchner-Bruhl, head of global IT security at Novartis Pharma AG, a drug maker in Basel, Switzerland. 'Dealing with it is much tougher.' That's because 'the cons in the attacks are so much better customized' for the specific companies they target, said Lloyd Hession, chief information security officer at BT Radianz, a New York-based provider of telecommunications services to the financial industry. 'The chances of them being successful are much higher' than in large-scale attacks, he said." The potential for malware attacks targeting specific companies, or even individuals, looks clear to us, and we're not just talking about phishing/pharming type attacks. We can foresee worms, for instance, that are slow spreading, benign and cryptic (thereby largely evading the interest of the antivirus community) unless/until they find themselves inside the target organization, whereupon they spring to life with devastating consequences. A senior manager at antivirus supplier Sophos with whom we discussed this very point three months ago did not see this as a serious threat, but we beg to differ.
More email and malware resources

Friday, June 17, 2005

UK agency warns about emails bearing gifts

"Employees are tricked into installing the malicious programs by cleverly-crafted e-mails loaded with infected documents. In some cases, the attackers download publicly-available documents off the Internet, load the documents with the Trojan horse, then e-mail them to carefully-selected employees who would be likely to open such a file. To make the notes even more realistic, the e-mail appears to come from a co-worker." So says the UK's NISCC (National Infrastructure Security Coordination Centre - home of the UK WARPs) in a generic public warning.
More email security and malware links.

Tuesday, June 07, 2005

Bin Laden email Trojan

According to CNET News and The Register, a Trojan attached to an email promising pictures of the capture of Bin Laden has been contained, presumably by effective antivirus software.
More malware links and email security links

Monday, May 30, 2005

Trojan used for industrial espionage

A handful of well known companies are caught up in a scandal over the use of a Trojan horse program for industrial espionage against selected targets. The story is rather sketchy at present, but it appears that police discovered the plot following a lead from an Israeli author whose London-based former son-in-law is accused of disclosing parts of a book he was writing. The existence of the Trojan is evidently not in dispute, along with the fact that it was distributed on a 'promotional CD'. The author, however, claims that it is legal and is 'not his fault' if it was misused for illegal/unethical purposes.
More malware and privacy links

Thursday, May 19, 2005

Malware threats converge

Various infosec professionals have been commenting on the threat posed by new forms of malware used to install cryptic rootkits or spyware without alerting the user to their presence. It seems not all antivirus and antispyware software can detect these. There is a distinct possibility that a very specifically targeted chunk of malware could infect an organization or even an individual person, perhaps to wreak havoc with their systems or to disclose sensitive information. Call me paranoid if you like but the pieces are falling into place.
More malware links and risk management links.

Thursday, March 31, 2005

Risks of file-sharing

US-CERT Cyber Security Tip ST05-007 explains the risks associated with P2P (peer-to-peer) file sharing, including threats such as malware, disclosure of confidential information and denial of service.
This is the latest of around 30 Cyber Security Tips released by CERT, each one addressing a single everyday aspect of information security. Mindi McDowell, the main author, has a beautifully clear, largely non-technical writing style and provides straightforward advice for ordinary computer users.
More malware links here

Tuesday, March 29, 2005

Prevent malware and data leakage via USB sticks

GFI LANguard Portable Storage Control is an example of a software product to control the use of USB memory sticks, smartphones, MP3 devices etc. It can help avoid the introduction of malware as well as preventing the removal of confidential data.
More malware and confidentiality resources

Monday, March 28, 2005

$100k malware incident

Serious networking problems at a law firm were traced to a malware-infected screensaver circulated by highly qualified and bright (but evidently naive) staff. Nonproductive downtime and recovery costs are estimated to have cost $100,000.
More malware links here

Monday, March 21, 2005

DTI security advice

The UK Department of Trade and Industry publishes a range of basic good advice for businesses, including a set of awareness materials on information security topics. The link above takes you to an index page with access to all sorts of goodies on malware, internet security, physical security etc. plus a new overview publication Information Security: Hard Facts.
More malware links here

Saturday, March 19, 2005

eRobbery foiled

Hackers attempting to steal £220m (around $400m) from Sumitomo bank in London have been stopped by, presumably, concerted effort from the bank's internal information security systems/processes and the British National High Tech Crime Unit. The gang used keyloggers - whether hardware or software versions has not been made public.
More on malware here

Thursday, March 17, 2005

CERT cyber security tip: recovering from malware

The latest snippet of end-user advice from US CERT concerns what to do if, despite the controls, your system is infected with a virus, worm, Trojan or other malicious software. The tip includes actions to minimize the chances of re-infection.
Other CERT cyber security tips listed here
Other malware links here

Tuesday, March 15, 2005

Antivirus software response times

Curious about which antivirus products react first to new malware outbreaks? Then take a look at AVtest.org. The research team have been tracking and comparing the average release times for signature updates from all the main antivirus vendors. According to their presentation of the results in September 2004, Bitdefender and Kaspersky were the speediest firms.
More malware links here

Saturday, March 12, 2005

Worm library

Where earthworms go to read? No, it's someone's blog outlining worms discovered in the wild this year.
More malware links here

Friday, March 11, 2005

Internet Storm Center report on worms and phish

The SANS Internet Storm Center maintains a watching brief on current network security issues. This is a fairly typical page from the handler's diary discussing a worm targeting PHP bulletin boards, phishing attacks and spyware. Dismiss the thought that these are purely theoretical threats.
More malware links here

Viruses explained - Sophos booklet

Antivirus vendor Sophos offers a neat little 64-page booklet explaining viruses and other forms of malware in simple terms. It is a useful document for non-technical users - not a sales glossy - and includes practical advice for reducing the risk of infection.
More malware links here

Wednesday, March 09, 2005

Anti-phishing Act of 2005

Senator Patrick Leahy has (re-)introduced his Anti-Phishing Act to the U.S. Senate. The act outlaws phishing (emails that mislead victims into visiting fake websites) and pharming (attacks that redirect visitors' attempted connections to a legitimate website, sending them to a fake website). "The Anti-Phishing Act of 2005 would enter two new crimes into the U.S. Code. The first prohibits the creation or procurement of a website that represents itself to be that of a legitimate business, and that attempts to induce the victim to divulge personal information, with the intent to commit a crime of fraud or identity theft. The second prohibits the creation or procurement of an email that represents itself to be that of a legitimate business, and that attempts to induce the victim to divulge personal information, with the intent to commit a crime of fraud or identity theft."
More malware links here and more IT fraud links here

Monday, March 07, 2005

Spyware advice and awareness video from Microsoft

Microsoft is promoting its own anti-spyware software, currently on Beta release and hence probably unsuitable for Production use. Microsoft's short awareness video is a great way to outline the spyware problem to computer users and gives clear advice on how to reduce the risk of infection.
More malware links here

Friday, March 04, 2005

Bill Cheswick presentation

Bill Cheswick gave a fabulous presentation at the N.I.T.E.S conference in Dublin on March 1st entitled “My dad’s computer”. Ches’s dad’s PC was unprotected against malware and hence was chock-a-block with viruses, Trojans, spam and other digital detritus. Ches made the point that his dad has virtually no interest in or understanding of the technology and security implications, he simply wants to use his system in peace. Bill’s dad is all around us. Ches went on to describe his approach to securing his own systems with a heavy emphasis on hardening them by removing all unnecessary network services - ideally hard enough that firewalls are unnecessary. Thanks Ches!
More malware links here

Analysis of the functions in Phatbot Trojan

Amazing list of functions available remotely to someone who controls systems infected with the Phatbot Trojan. Read the list to understand what it really means if your system is "0wn3d" using Phatbot.
More malware links here

Flaw in Trend Micro AntiVirus Library

A heap overflow in a Trend Micro library can be triggered by a specially-crafted ARJ file, presumably leading to the dreaded 'execution of arbitrary code' (i.e. game over - your system is 0wn3d). It seems the library is used by a number of other antivirus packages so this is not just an issue for Trend Micro AV users.
More malware links here

Three more Bagles on the loose

Three more Bagle variants are on the loose. There have been so many Bagle variants that the antivirus people have had to use two-character extensions to distinguish them: the latest one is called Bagle BE.
More malware links here.

Tuesday, March 01, 2005

Malware awareness module released

The latest awareness module on malware to be sent to NoticeBored customers this evening comprises more than 15 separate editable items and around 9Mb of data. The read-only newsletter will also be distributed overnight to those on our mailing list. Enjoy!
Updated malware links here

Monday, February 28, 2005

Security at Home: Viruses & Worms

Microsoft's increased emphasis on information security encouraged them to release a number of security tools and information such as this page of advice for home users on viruses, worms and Trojans. It is one of the few sites to discuss Instant Messenger security issues.
More malware links here

Sunday, February 27, 2005

Great website for vulnerabilities and threats

A recent Secunia alert warns about the Bropia.M worm that is spreading a Trojan inside a PIF carrier file using MSN Messenger, i.e. an example of a blended threat. Secunia’s website carries a vast amount of news on newly discovered information security threats and vulnerabilities and is well worth an occasional browse, if not signing up for their email alerts.
Click here for more malware links
