“Malware to crimeware”: good and readable paper on 10 years of ugly trends

Alex noticed this really good paper this morning and highly recommends it. It’s one of those rare, concise (10 pages) and very well written pieces that come along every once in a while. It gives a good overview of recent advances in malicious code and the strategies that have been developed by the dark side to steal information and money.

The author, David Dittrich, goes into just enough detail about developments in the last decade such as the dropper, social engineering attacks and complex command and control mechanisms. The 14 papers and articles he cites in the footnotes could be a small library on the subject themselves.

His conclusions include:

— Using a form of modal sandboxing to fight droppers that take advantage of users viewing blog posts

— Better mechanisms for policing public domain shareware

— Segregation of personal-use/enterprise-use machines (to make whitelisting easier)

— Attack-specific education and training for users

— A more sophisticated and aggressive approach to combating cyber-crime, acknowledging that it will take time to develop: “We are years away from being able to safely engage in aggressive self-defense on the Internet.” He also suggests that the federal government should assume more responsibility for countering cyber threats. He quotes a December 2008 paper by the Center for Strategic and International Studies Commission on Cybersecurity for the 44th Presidency, “Securing Cyberspace for the 44th Presidency:”

“We have deferred to market forces in the hope they would produce enough security to mitigate national security threats. It is not surprising that this combination of industrial organization and overreliance on the market has not produced success. As a result, there has been immense damage to the national interest.”

Dave Dittrich is an affiliate information security researcher in the University of Washington’s Applied Physics Laboratory.

The full title is: “Malware to crimeware: how far have they gone, and how do we catch up?” It can be found on the University of Washington’s site here (via Schneier).

Tom Kelchner

Cool idea: Mozilla plug-in checker

It’s just really good to see simple, uncomplicated mechanisms that make it easy to put computer security measures in place BEFORE you get hit with some damn malicious thing that turns your machine into a spam-spewing bot or steals everything you own.

Quite frankly, Microsoft Patch Tuesday is a great, simple idea and Adobe hitching its security wagon to that was brilliant.

Mozilla just made public another simple-and-sound security device: Firefox Plug-in check (http://www.mozilla.com/en-US/plugincheck/#why-update)


The page presents a list of your plug-ins and a color-coded button that tells you if you need to update one of them.

Plug-ins from third-party applications can be security vulnerabilities when they’re out of date, and often they aren’t updated when the application they serve is patched.

Mozilla says it’s planning an automatic plug-in updating function.

Tom Kelchner

Seth MacFarlane to be infomercial host for Windows 7

Is Family Guy, one of the great comedy shows, to be co-opted by Windows 7?

The Microsoft-sponsored variety show, whose working title is “Family Guy Presents: Seth & Alex’s Almost Live Comedy Show,” is a mix of live-action “Family Guy” musical performances, animated shorts and celebrity guest appearances, and is part of an all-Seth MacFarlane night on Fox. The software company wouldn’t elaborate on what exactly the Microsoft integrations would look like or possible scenarios in which Windows 7 could play a starring role, but said Crispin’s copywriter and art director on the Windows campaign were working closely with Mr. MacFarlane and Ms. Borstein.

“You’ll see us deeply integrated into the content … you’ll hear a lot about how Windows 7 can help you simplify your PC — it’s simple, fast and easy to use,” said Gayle Troberman, general manager of consumer engagement and advertising at Microsoft. She went on: “Think about metaphors and examples we might use, talking about how simple things are. We’ll be evoking the cast of ‘Family Guy’ in some interesting ways that integrate the product messages.”

Link here (via GMSV).

Alex Eckelberry

Careful what might be in that second-hand device…

True story, just came in as feedback from a reader of Sunbelt Security News (SSN):

I was reading your latest issue of SSN and the article about scanning iPods reminded me of an incident I had this past Spring. I had purchased (several months prior to this incident) a “refurbished” iPod from a reputable seller and plugged the USB cable into a machine I had just reformatted.

I had everything nicely installed BUT I forgot to disable the USB “auto-play” function. Thankfully I was also trialing VIPRE on this same machine at the time since as soon as I plugged in the cable VIPRE immediately grabbed an autorun.inf file. I had VIPRE scan the entire iPod and it found several traces of a worm. I submitted the files to Virus Total and (thankfully) VIPRE was only one of a handful to detect the malicious autorun.inf file.

So I guess the moral of my story is to remember that iPods can also store files like any other portable USB memory devices and to be careful with “refurbished” memory devices even if they come from a reputable dealer.

Really enjoy reading SSN. Keep up the good work!

Edward

Alex Eckelberry

Erosion of trust for online banking with Windows OS is building

Two very influential people have made public comments recently that could lead to widespread distrust of the Windows operating system for online banking.

Last week, FBI Director Robert Mueller related in a speech in San Francisco that he had received a phishing email that tried to steal his banking credentials and nearly fell for it. As a consequence, he is not doing his banking online. (Speech text here.)

This week, Washington Post columnist Brian Krebs, who writes the “Security Fix” column and is among the most influential writers in the computer security space, wrote that businesses should simply stop doing their banking online from machines with the Windows operating system.

He wrote: “The simplest, most cost-effective answer I know of? Don’t use Microsoft Windows when accessing your bank account online.”

“…regardless of the methods used by the bank or the crooks, all of the attacks shared a single, undeniable common denominator: They succeeded because the bad guys were able to plant malicious software that gave them complete control over the victim’s Windows computer,” he wrote.

“While there are multiple layers of protection that businesses and banks could put in place, the cheapest and most foolproof solution is to use a read-only, bootable operating system, such as Knoppix, or Ubuntu.”

Krebs column here.

Krebs has done a series of columns recently about small and medium-size businesses, non-profit organizations and schools losing tens of thousands of dollars to cyber thieves using banking Trojans to provide access to their bank accounts and transfer funds to money mules.

The implications of this loss of trust have been mentioned by other significant observers in the computer security world. David Kennedy, Manager of Risk Analysis at Verizon Business, wrote in his weekly intelligence summary for his company’s customers: “Reports the FBI director’s spouse refuses to allow on-line banking is a serious indictment of on-line trust and we will be tracking related reports of trust erosion, especially by high-profile individuals, groups and companies.” (Kennedy summary here.)

Tom Kelchner

Alliance estimates 41 percent of software on personal computers is pirated

Reasons to pirate software:

1. it’s free

Reasons not to pirate software:

1. some pirated copies don’t even work correctly.
2. you have a moderate risk of getting malicious code with it.
3. you don’t get updates, you could become a victim of identity theft, your machine will be vulnerable to a lot of malware and will probably become part of a spam-spewing botnet that makes money for organized crime.
4. if you make a large enough collection of pirated software available via P-2-P, the men in blue suits might come knocking on your door and you could get sued for several hundred $K.
5. you’ll be part of a collective of people worldwide who steal almost a trillion dollars each year.

This message comes to you from the Business Software Alliance.

Story here.

BSA report, “Software Piracy on the Internet: A Threat To Your Security,” here.

Tom Kelchner

Money mule recruitment sites are blossoming

A large number of web sites devoted to recruiting money mules made their appearance over the weekend.


Of the 28 sites, 14 had top-level domains in China and seven in the Cocos Islands (an Australian territory).

Lotta financial services firms locating in the Cocos. Yes sir. That place is becoming a real world business hot spot.


Thanks Alex

Tom Kelchner

What USB devices are plugged into YOUR network?

A blogger named Dave Kleiman on the SANS blog site just shared a very cool technique for cataloging all the USB devices plugged into a network.

Dave said on the blog that he used Microsoft’s Log Parser (link here) to collect standard registry keys:

HKLM\SYSTEM\ControlSet001\Enum\USBSTOR
HKLM\SYSTEM\ControlSet001\Enum\USB
HKLM\SYSTEM\MountedDevices
HKLM\SYSTEM\ControlSet001\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Log Parser lets an operator run queries which, in his case, retrieved those registry keys together with the host name and other information for each device.

Blog post here.

Thanks for the tip Alex.

— Tom Kelchner
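As an added example, not Dave Kleiman’s technique or Log Parser output, here is a small Python catalog built on the USBSTOR key names the post collects. It assumes the exported keys were gathered into a simple "host,key_path" CSV (a constructed sample is embedded), parses the vendor, product and serial out of each device instance path, and lists devices that have been plugged into more than one host.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample: one row per USBSTOR device key collected from each host.
# The "host,key_path" shape is an assumption for this example, not Log Parser's format.
SAMPLE_CSV = r"""host,key_path
WS-ACCT-01,HKLM\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26\4C530001230615104331&0
WS-ACCT-01,HKLM\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Apple&Prod_iPod&Rev_2.70\000A2700123456789&0
WS-HR-07,HKLM\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26\4C530001230615104331&0
WS-HR-07,HKLM\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&1a2b3c4d&0
"""

# USBSTOR\<class>&Ven_<vendor>&Prod_<product>&Rev_<revision>\<instance id>
KEY_RE = re.compile(
    r"\\USBSTOR\\(?P<cls>[^&\\]+)&Ven_(?P<ven>[^&\\]*)&Prod_(?P<prod>[^&\\]*)"
    r"&Rev_(?P<rev>[^\\]*)\\(?P<inst>[^\\]+)$",
    re.IGNORECASE,
)


def parse_usbstor_key(key_path):
    """Return the device fields from one USBSTOR key path, or None if it is not one."""
    m = KEY_RE.search(key_path)
    if not m:
        return None
    # The instance id is "<serial>&<index>"; a serial whose second character is '&'
    # was generated by Windows because the device reported no unique serial number.
    serial = m.group("inst").rsplit("&", 1)[0]
    return {
        "class": m.group("cls"), "vendor": m.group("ven"), "product": m.group("prod"),
        "revision": m.group("rev"), "serial": serial,
        "generated_serial": len(serial) > 1 and serial[1] == "&",
    }


def catalog(csv_text):
    """Map each unique (vendor, product, serial) to the set of hosts it was seen on."""
    devices = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        dev = parse_usbstor_key(row["key_path"])
        if dev is not None:
            devices[(dev["vendor"], dev["product"], dev["serial"])].add(row["host"])
    return devices


def shared_devices(devices, min_hosts=2):
    """Devices seen on at least min_hosts machines: a stick that travels between hosts."""
    return {k: sorted(v) for k, v in devices.items() if len(v) >= min_hosts}


if __name__ == "__main__":
    for dev, hosts in shared_devices(catalog(SAMPLE_CSV)).items():
        print("%s %s serial=%s seen on %s" % (dev[0], dev[1], dev[2], ", ".join(hosts)))
```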

Become a CCTV “Big Brother” and monitor Brits for CA$H!


Britain has 4.2 million closed circuit TV cameras videoing the average citizen 300 times per day. About the only comfort most citizens of Albion have is that nobody has time to watch all those cameras all the time.

But now a group of entrepreneurs has come up with a great scheme to snatch away even that tiny shred of privacy: recruit Internet users (first from the EU, then the world) to compete for cash prizes by watching the live video and reporting crimes to local camera operators.

The business, called Internet Eyes, is running a trial operation in Stratford-on-Avon and expects to go nationwide in Britain in November.

As background, the UK has seen its violent crime statistics rise in recent years. Conservatives (the Opposition party since 1997) and tabloid newspapers hammer on that. There could be some statistical issues with those numbers (compiled by the Conservatives) since a street fight is logged as a violent crime there, whereas in other countries it’s only considered a violent crime if there is an injury.

Guardian story here.

According to comparative data from the United Nations, the U.S. has a homicide rate more than three times higher than the UK (42.8 per 100k in the U.S. and 14.1 per 100k in the UK).

Numbers here.

Tom Kelchner

New ZBots and Emulation/Virtualization


In my talk at the University of Florida (video link here) I pointed out how important correct error handling in emulation/virtualization is. Today we got new ZBot samples, and they are using exactly that to avoid generic emulation and unpacking. I had five minutes to take a couple of screenshots and add some comments to them. So here is a closer look at the startup code of these ZBots.

They call the API function “SwitchDesktop” from User32.DLL with a deliberately wrong desktop handle. The desktop handle is always wrong; see the code at “results in invalid handle”.

Usually this API function sets its return code (non-zero for success) in register EAX. So they move this result to the stack, and since EAX is 4 bytes (unsigned long) you see there a sub of the stack pointer by 4. That code passage alone is highly obfuscated, and you won’t see it from normal compilers, because there is no need to push EAX onto the stack if you pop it afterwards without any changes in between.

So they pop EBX (read: the value in EAX is now in EBX) and compare it with zero. Remember: this function should return zero, because it was given an invalid handle on purpose. Basically the API must answer “Sorry, can’t do that, I don’t know that handle – ERROR”. Most emulation systems use so-called “dummy APIs”, which always return true or always return false.

Our behavior-based virtualization (MX-V) knows such tricks, decrypts the executable and finds interesting stuff inside the file. For example, a mutex that gets created after decryption and right before process enumeration (all done in Unicode) hints that the authors of this malware know about AVIRA Antivirus. But look for yourself:

[VVS] User32:SwitchDesktop – Desktophandle: 7C910208 ERROR: Unknown Handle!
[VVS] Kernel32:GetPrivateProfileIntA – AppName: KeyName: FileName: ”
[VVS] Kernel32:VirtualAlloc – rtx=130000, va=0, sz=1334F, at=3000, p=40
[VVS] Kernel32:VirtualProtect – lpAddress = 00400000, flNewProtect = 00000040 OK
[VVS] Kernel32:IsBadReadPtr Entry – READ ACCESS!
[VVS] Kernel32:IsBadReadPtr Entry – READ ACCESS!
…decompressing here (very simple encrypted)…
[VVS] Kernel32:IsBadReadPtr Entry – READ ACCESS!
[VVS] Kernel32:GetUserDefaultUILanguage – is: English, USA
[VVS] advapi32:OpenProcessToken Entry – OK
[VVS] [ApiDef]: LookupPrivilegeValueW
[VVS] Advapi32:AdjustTokenPrivileges – OK
[VVS] close_emu_handle: 00420000
[VVS] [ApiDef]: GetUserNameW – OK
[VVS] Kernel32:GetCommandLineA – OK
[VVS] Kernel32:CreateMutexW – creates mutex named ‘_AVIRA_21099‘ OK
[VVS] Kernel32:CreateToolhelp32Snapshot – OK, flags: 2, procId: 0
[VVS] [ApiDef]: Process32FirstW NumParams:2 STD_CALL
…process enumeration and continue…

Michael St. Neitzel
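As an added example, not part of Michael’s post and not Sunbelt’s MX-V code, this Python triage reads the [VVS] trace format shown above (a constructed excerpt with ASCII dashes and straight quotes) and flags the behaviours the post calls out: the SwitchDesktop probe with an unknown handle, image memory made executable and writable before unpacking, privilege adjustment, and the vendor-named mutex. The rule names and the verdict logic are my own assumptions.

```python
import re

# Constructed excerpt modelled on the [VVS] trace in the post (dashes and quotes made ASCII).
SAMPLE_TRACE = """[VVS] User32:SwitchDesktop - Desktophandle: 7C910208 ERROR: Unknown Handle!
[VVS] Kernel32:VirtualAlloc - rtx=130000, va=0, sz=1334F, at=3000, p=40
[VVS] Kernel32:VirtualProtect - lpAddress = 00400000, flNewProtect = 00000040 OK
[VVS] advapi32:OpenProcessToken Entry - OK
[VVS] Advapi32:AdjustTokenPrivileges - OK
[VVS] Kernel32:CreateMutexW - creates mutex named '_AVIRA_21099' OK
[VVS] Kernel32:CreateToolhelp32Snapshot - OK, flags: 2, procId: 0
"""

# "[VVS] <module>:<api>[ Entry] - <details>"; "[ApiDef]" and emulator housekeeping lines are skipped.
LINE_RE = re.compile(r"^\[VVS\]\s+(?P<mod>[\w.]+):(?P<api>\w+)(?:\s+Entry)?\s*[-\u2013]\s*(?P<rest>.*)$")
PAGE_EXECUTE_READWRITE = 0x40  # Win32 memory protection constant
AV_MARKERS = ("avira", "avg", "symantec", "mcafee", "kaspersky", "vipre", "sunbelt")


def triage(trace):
    """Return (line_no, rule, detail) findings for the evasion/unpacking pattern in a trace."""
    findings = []
    for n, line in enumerate(trace.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        api, rest = m.group("api"), m.group("rest")
        if api == "SwitchDesktop" and "Unknown Handle" in rest:
            # A correct emulator reports the invalid handle; a dummy API returning
            # success here is exactly what the sample is probing for.
            findings.append((n, "emulation_probe", "SwitchDesktop called with an invalid handle"))
        elif api == "VirtualProtect":
            prot = re.search(r"flNewProtect\s*=\s*([0-9A-Fa-f]+)", rest)
            if prot and int(prot.group(1), 16) == PAGE_EXECUTE_READWRITE:
                findings.append((n, "self_modifying_code", "image made RWX before decryption"))
        elif api == "AdjustTokenPrivileges":
            findings.append((n, "privilege_change", "token privileges adjusted"))
        elif api == "CreateMutexW":
            name = re.search(r"'([^']*)'", rest)
            if name and any(t in name.group(1).lower() for t in AV_MARKERS):
                findings.append((n, "av_named_mutex", name.group(1)))
    return findings


def verdict(findings):
    """'suspicious' when the emulator probe and self-modifying code occur together."""
    rules = {rule for _, rule, _ in findings}
    return "suspicious" if {"emulation_probe", "self_modifying_code"} <= rules else "review"


if __name__ == "__main__":
    found = triage(SAMPLE_TRACE)
    for line_no, rule, detail in found:
        print("line %d: %s (%s)" % (line_no, rule, detail))
    print("verdict:", verdict(found))
```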

Emerging threat: malicious sites grab prominence in search results

Scammers peddling rogue security products have apparently mastered search engine optimization (SEO) techniques in order to move their malicious sites to the top of the list when users search for top news stories.


The rapid rise of malicious URLs in search results during the recent flurry of news stories about the Samoa earthquake and tsunami drew the attention of Roger Thompson, chief research officer for anti-virus specialists AVG.

Thompson said: “When we looked, we found [attackers] had five or six of the top ten results on the Google search results page, well above even places like CNN and The Guardian on queries like Samoan Tsunami.”

This is growing larger on the threat landscape. It means we’ll all need to look twice at URLs when we search for current news topics and keep in mind the possibility of malicious links even from the big search engines like Google and Yahoo.

Story here.

Tom Kelchner

MX-V technology disclosed

Michael St. Neitzel, Sunbelt VP of threat research and technology, described VIPRE MX-V at the University of Florida Information Technology Security Awareness (ITSA) Day this week. It was the first public demonstration of the MX-V behavioral detection technology used inside Sunbelt’s VIPRE Antivirus + Antispyware.

ITSA in Gainesville was attended by professional IT workers from the University of Florida as well as those from education, government and business in the area.


Video here.

Video editing by Alex

Tom Kelchner

Comcast will warn customers who are infected by bots

Comcast has begun an experimental program in the Denver area to warn customers whose PCs have been turned into spam-spewing bots. The infected ones will see a browser pop-up warning them that their machine contains malware.

I don’t want to sound like a whiner, but why didn’t ISPs start doing this, oh, say, four years ago when the number of bots in the wild exploded?

This is really terrific, Comcast should be commended and I hope other ISPs (ALL ISPs) do something similar, but why did it take this long? Spam email, a whole load of it from botnets, is now estimated to be near 90 percent of email traffic.

The story on the CNET news site says: “For years, security experts have complained that ISPs are uniquely positioned, and should do more, to help customers combat security problems. But ISPs have been reluctant to assume additional responsibilities that are not central to their core service offering and for which they would then have to maintain a standard, going forward.”

See story here.

Tom Kelchner

Oct. 9 Update:

Brian Krebs, in his Washington Post column “Security Fix” today dug into more details of the Comcast plan, including the possibility of fake warnings. He reported:

“The primary challenge to this program, aside from actually helping customers rid their PCs of bot infections and keep them clean, may come from the criminals themselves. One of the most persistent threats to Internet users today are rogue anti-virus programs that use fake security alerts to trick consumers into downloading malicious programs or at the very least paying for worthless software.

“(Jay) Opperman (Comcast senior director of security and privacy) said Comcast is attempting to combat this potential scam by including a link in the banner alert that explains “How do I know this notice is from Comcast?” Among the answers they will list is that Comcast will be sending affected users an e-mail alert at their primary account at the same time as the browser alert is displayed.”

See story here.

VIPRE Enterprise performance tests: we’re hot!

Sunbelt Software hired an independent test lab recently to compare the performance of VIPRE Enterprise against the enterprise products of two leading competitors, Symantec and McAfee. We were very pleased with the results.

The test found that VIPRE Enterprise significantly outperformed the competing products, with its lower system resource usage and faster scanning speed. The test included antivirus scanning performance and system resource utilization.

See Sunbelt news release here.

Tom Kelchner

Trojan.Brontok: 103,000 infections on one machine

A Sunbelt researcher today found a ThreatNet scan result from a machine with six identifiable malware threats on it. One of them, Trojan.Brontok, had 102,793 traces. That was on one machine!

Alert to the possibility that something had gone wrong, he emailed several other analysts:
“Just trying to understand, how is that possible?”

Yep it was possible. Even old threats can overrun a PC if it doesn’t have proper malware protection.

ThreatNet is an early warning system made up of tens of thousands of VIPRE and CounterSpy users who have set their machines to send Sunbelt a record of malcode that they detect. ThreatNet helps us detect virus outbreaks.

Trojan.Brontok is a detection for a group of mass-mailing worms that spread by sending copies of themselves as e-mail attachments. They gather e-mail addresses from infected machines in order to propagate.

They disable security applications, spread through USB drives and have been used in denial of service attacks.

Thanks to Eric Howes and Adam Thomas

Tom Kelchner

New FTC rules: bloggers must reveal pay and perks they get for reviews

The Federal Trade Commission commissioners unanimously approved guidelines that require bloggers to reveal that they’ve been paid or otherwise compensated for writing product reviews (read: have conflicts of interest.)

The new rules, which will go into effect Dec. 1, carry penalties of $11,000 for each violation.

Blogging product reviews has become a major cottage industry. If a blogger gets several free cases of disposable diapers or a $10,000 firewall appliance in exchange for a review, it might just be a good idea if readers were made aware of that fact.

The FTC guidelines on endorsements and testimonials haven’t been updated since 1980.

Story here.

Tom Kelchner