
General malware links
Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code by Michael Ligh, Steven Adair, Blake Hartstein and Matthew Richard (~US$38 from Amazon) is a five-star rated computer forensics guide to analyzing malware incidents. The book is accompanied by a DVD-ROM of software tools.
The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System by Reverend Bill Blunden (~US$29 from Amazon) is a five-star ‘full disclosure’ exposé of rootkit techniques.
Malware: Fighting Malicious Code by Ed Skoudis and Lenny Zeltser (~US$37 from Amazon) gets five stars from readers. Ed Skoudis is a well-known author and lecturer on information security topics, and a contributor to the SANS Internet Storm Center, one of the first places for news of malware outbreaks.
Despite the title, Bug Free Computing: Stop Viruses, Squash Worms, and Smash Trojan Horses by Ken Dwight (~US$15 from Amazon) is primarily about viruses rather than, say, software bugs. It is a short, non-technical book.
The Art of Computer Virus Research and Defense by Peter Szor (~US$31 from Amazon) is highly recommended as a well-written and good value 700 page textbook that builds a comprehensive picture of the evolution of viruses, worms and other malware over the last 20 years or so.
SP 800-83 is NIST’s excellent Guide to Malware Incident Handling and Prevention. “This publication provides recommendations for improving an organization’s malware incident prevention measures. It also gives extensive recommendations for enhancing an organization’s existing incident response capability so that it is better prepared to handle malware incidents, particularly widespread ones...”
The Global Threat Report by McAfee is one of many similar reports by the antivirus companies. While they clearly have a vested commercial interest in talking up the malware threat, they also have the benefit of a lot of inside knowledge plus data from their ongoing research into malware.
“A New York marketing firm that as recently as two weeks ago was preparing to be acquired now is facing bankruptcy from a computer virus infection that cost the company more than $164,000.” Krebs On Security.
“More private computers were commandeered by hackers for malicious purposes in China in the last quarter of 2009 than in any other country, including the United States, according to a new study by an Internet security company ... The company ... said that in the last three months of 2009, about 1,095,000 computers in China and 1,057,000 in the United States were infected. Those numbers are in addition to 10 million or so previously infected computers in each country.” Washington Post.
An article in CSO Magazine pointed out the ultimate futility of signature-based antivirus detection and blacklisting mechanisms. Antivirus is dead. Long live antivirus.
The Administrator Guide to Email Protection is a free eBook mostly, in fact, covering malware protection for Exchange and Outlook. [Download requires registration.]
Send your virus-infected email to VirusTotal.com and they will scan it with a broad range of antivirus products, showing their differing effectiveness. Jotti and Sunbelt Sandbox are two more in the same vein.
eWeek traced the history of malware back to a 1982 proof-of-concept virus called Elk Cloner on Apple II systems. Brain infected IBM PC compatibles and the SCA virus infected Amigas in the late 1980s, followed by the Morris Worm, the first documented “in the wild” network worm.
A cyber security tip from US CERT concerns what to do if, despite the controls, your system is infected with a virus, worm, Trojan or other malicious software. The tip includes actions to minimize the chances of re-infection. Other CERT cyber security tips are listed here.
Microsoft’s advice for home users on viruses, worms and Trojans is one of the few sites to discuss Instant Message security issues.
CERT’s incident note concerns the increasing rate of spread of malware and some of the reasons behind it. They recommend multilayer defenses: not just antivirus software but firewalls, access controls etc. as well. Their home network security page carries a lot of advice for ordinary users.
The Register carries lots of topical news on viruses, worms etc., tinged (or tainted, depending on your perspective) with the usual cynical British humour.
Viruses and worms
“Hackers in Europe and China successfully broke into computers at nearly 2,500 companies and government agencies over the last 18 months in a coordinated global attack that exposed vast amounts of personal and corporate secrets to theft, according to a computer-security company that discovered the breach … Starting in late 2008, hackers operating a command center in Germany got into corporate networks by enticing employees to click on contaminated Web sites, email attachments or ads purporting to clean up viruses, NetWitness found.” The Wall Street Journal.
The News reported “A computer virus has attacked the communications network of almost the entire Royal Navy fleet, knocking out e-mails and the internet.”
A US-CERT Cyber Security Tip explains how antivirus software protects your system against viruses, worms etc. CERT also offers simple advice on how to recover from a virus or Trojan infection ... which makes the point that you will almost certainly need to restore programs and/or data from backups. Are your backups up-to-date?
Antivirus software vendors all provide information about malware, not just about their own products. If you are curious to find out how antivirus products compare, AV-Comparatives regularly tests a reasonable selection of products against an up-to-date ‘zoo’ containing a million malware examples, while AVtest.org have been tracking and comparing the average release times for signature updates from all the main antivirus vendors.
The Advisory Council recommends clarifying rules such as “Don’t disable antivirus software”. Perhaps one might circulate malawareness materials with the message <ahem> “Don’t disable antivirus software!”
PDAs and hand-held PCs can suffer viruses and, more importantly, can introduce viruses into the corporate networks. This VNUnet story gives an overview.
The Wild List is a monthly-updated list of viruses in circulation, verified by correlating reports from multiple sources. The website supports the need for frequent antivirus signature updates. Viruslist claims to be the biggest virus encyclopedia.
Originally known as the European Institute for Computer Antivirus Research, EICAR is the source of the EICAR antivirus test sequence, a useful and safe way to check whether your antivirus software is actually doing anything, short of picking up a genuine virus infection.
The Virus Bulletin is targeted at antivirus professionals.
Here is a salutary lesson about an information security department that spent hundreds of man-hours eradicating a worm from a network they thought was protected.
Worm library covers worms discovered in the wild. Many of them are in fact blended threats e.g. worms that install backdoors or SMTP spam mailers.
Trojans
Symantec’s latest update to their Stuxnet dossier makes fascinating reading if you can cope with the highly technical content. Reading between the lines, there are important lessons for management concerning the increasing sophistication of modern malware. Malware has always been an issue. Now, it’s serious. Well-intentioned but relatively naive security advice may help with malawareness but falls well short of what’s truly needed to address malware risks.
Stuxnet is not the first malware to have been used as a military weapon. It is alleged that the Americans used Trojans to sabotage Russia’s trans-Siberian gas pipeline, while we wonder just how much of the $500m being sought for ‘cyber-defenses’ by the Pentagon might end up in malware R&D.
Trojans, Worms, and Spyware: A Computer Security Professional's Guide to Malicious Code by Michael Erbschloe (~US$45 from Amazon) combines step-by-step instructions on what to do in an incident with case studies.
Here’s an impressive list of functions available remotely to someone who controls systems infected with the Phatbot Trojan. Read the list to understand what it really means if your system is pwn3d by a Trojan such as Phatbot.
“The City of Norfolk, Virginia is reeling from a massive computer meltdown in which an unidentified family of malicious code destroyed data on nearly 800 computers citywide” says Krebs on Security.
“[The Google hackers] used a clever technique … to exploit the natural trust shared by people who work together in organizations. After taking over one computer, intruders insert into an e-mail conversation a message containing a digital attachment carrying malware that is highly likely to be opened by the second victim. The attached malware makes it possible … to take over the target computer.” New York Times.
“The crisis began when college basketball fans downloaded a free March Madness application to their smart phones. The app hid spyware that stole passwords, intercepted e-mails and created havoc. Soon 60 million cellphones were dead. The Internet crashed, finance and commerce collapsed, and most of the nation's electric grid went dark. White House aides discussed putting the Army in American cities. That, spiced up with bombs and hurricanes, formed the doomsday scenario when 10 former White House advisors and other top officials joined forces Tuesday in a rare public cyber war game designed to highlight the potential vulnerability of the nation's digital infrastructure to crippling attack. The results were hardly reassuring.” Los Angeles Times.
The Heartland credit card data breach, probably the world’s biggest to date, was blamed on malware, presumably a Trojan. “A piece of malicious software planted on the company's payment processing network recorded payment card data as it was being sent for processing to Heartland by thousands of the company's retail clients.”
The Washington Post reported that some copies of Apple's iWork productivity software downloaded from peer-to-peer (P2P) file-sharing networks were infected with a Mac-specific Trojan.
RSS feeds can evidently be used to deliver Trojans (or indeed other forms of malware) as well as news: just another example of the criminal creativity, or is that creative criminality, of VXers.
A Manchester nurse has been hackmailed, possibly the first victim of so-called ransomware in the UK. A somewhat confusing BBC news report indicates that hackers got onto her PC, encrypted some of her files and then blackmailed her to decrypt them.
“Spear phishers” use phishing emails to target specific individuals or groups, typically installing Trojans or other malware on victims’ systems. British MPs have been targeted.
Stories about hackers secretly snooping on people through their own PCs may sound like urban myths but a few reported cases have enough information to be credible. A teenager and her mother in Houston describe how a hacker would sometimes take over their keyboard, typing disturbing messages on the screen as they watched in horror. Words spoken in the room would appear character-by-character, transcribed by the hacker as he listened on the webcam’s microphone. It looks as if the PC had been infected by a remote-access Trojan, giving the hacker complete control of the system’s functions through the Internet. [Remember this little story next time you pick your nose or worse in front of your webcam!]
Where there’s smoke there’s mirrors: the truth about Trojan horses on the Internet is a comprehensive paper about Trojans, starting with Greek mythology. The legendary “Trojan horse” was a wooden horse used by the Greeks to sneak soldiers into Troy. Would a similar trick work today? It seems in Australia, the answer is yes.
Other malware issues
Wired reports that “A logic bomb allegedly planted by a former engineer at mortgage finance company Fannie Mae last fall would have decimated all 4,000 servers at the company, causing millions of dollars in damage and shutting down Fannie Mae for at least a week, prosecutors say.” In a separate incident, a sacked worker planted malware on his former employer's computer network in a revenge attack.
An interview with an adware author is quite revealing, if only for his self-serving rationalization when trying to explain/justify why he did it.
An IT systems administrator, fearing that he was about to be laid off, planted a logic bomb in his employer's systems. He survived the round of redundancies but detonated the logic bomb anyway.
Find out why you should beware rootkits on your systems. Rootkits modify operating system files to hide themselves. A technical presentation and white paper by F-Secure explains kernel-mode rootkits. “Virtual Machine Based Rootkits” (VMBRs), rootkits that install themselves at boot time and then install a virtual machine environment to boot and compromise the normal operating system, are the subject of a fascinating research paper.
A US CERT CyberSecurity tip explains ‘hidden threats’ such as rootkits and botnets and another explains how to recognize, prevent and remove spyware or adware from your PC. Yet another covers the risks associated with P2P (peer-to-peer) file sharing, including malware, disclosure of confidential information and denial of service.
If your system is compromised by a rootkit and assuming you discover the infection, you might as well just “waste the system entirely,” said a program manager from Microsoft’s security solutions group.
SecurityFocus brought up the possibility of rootkits infecting the computer’s BIOS.
Spycar comprises a suite of routines designed to mimic the tricks used by various forms of spyware to install themselves (in a benign fashion, of course) and thereby test your anti-spyware tools.
Keyloggers have some supposedly legitimate as well as illegitimate uses, e.g. keeping an eye on what your children are getting up to online. Admittedly, this is a bit like claiming that beer is merely a refreshing drink.
Related NoticeBored links collections
Incident management, hacking, identity theft, social engineering, contingency planning, email security, Bugs!, IT fraud, Internet security, privacy and change management
All links are periodically verified but do let us know if you find a dead link, or click here to suggest a new link. We do not necessarily endorse or agree with the third party websites accessible through these links; use at your discretion and risk.