Nasty little Twitter hack

Something our friend Lance James came up with: 

Computer security researchers have devised a new Twitter attack that they say could spread virally, much like a worm on the microblogging service.

The attack, posted online Thursday by researchers at Secure Science, is an innocuous proof of concept that forces users to send out a predetermined Twitter message, but it could be repurposed into a very nasty worm, said Lance James, chief scientist with Secure Science.

“You can couple an attack with our code and it would just tear the crap out of Twitter,” he said.

Link here.

Alex Eckelberry

SMM exploit POC code published

As mentioned earlier today, Rafal Wojtczuk and Joanna Rutkowska have published a new paper on using cache poisoning to exploit System Management Mode (SMM) on Intel 386 and above chipsets.

Some interesting snippets:

System Management Mode (SMM) is the most privileged CPU operation mode on x86/x86_64 architectures. It can be thought of as of “Ring -2”, as the code executing in SMM has more privileges than even hardware hypervisors (VT), which are colloquially referred to as if operating in “Ring -1”.

…Interestingly, the very same cache poisoning problem we abuse in our attack against SMM was identified a few years ago by Intel employees, who even decided to describe it in at least two different patent applications [3] [1]. We were not aware of the patents before we discovered the attack — we never thought a vendor might describe weaknesses in its own products and apply for a patent on how to fix them, and still not implement those fixes for a few years… The patents turned out, however, to be easily “googlable” and it would be surprising that nobody else before us, and Loic Duflot, has created working exploits for this vulnerability.

…We assume that the attacker has access to certain platform MSR registers. In practice this is equivalent to the attacker having administrator privileges on the target system, and on some systems, like e.g. Windows, also the ability to load and execute arbitrary kernel code.

and finally:

Intel has informed us that they have been working on a solution to prevent caching attacks on SMM memory for quite a while and have also engaged with OEMs/BIOS vendors to implement certain new mechanisms that are supposed to prevent the attack. According to Intel, many new systems are protected against the attack. We have found out, however, that some of Intel’s recent motherboards, like e.g. the popular DQ35, are still vulnerable to the attack. Additionally, the workarounds that Intel has mentioned to us are not yet officially documented, but Intel told us that they will be updating the CPU documentation shortly (in particular vol. 3a of [4]).

The paper is here (pdf).

Alex Eckelberry

Interesting Conficker C analysis published

The folks over at SRI have published interesting additional information on Conficker.C.  Worth reading. Link here.

In this addendum report, we summarize the inner workings and practical implications of this latest malicious software application produced by the Conficker developers.   In addition to the dual layers of packing and encryption used to protect A and B from reverse engineering, this latest variant also cloaks its newest code segments, along with its latest functionality, under a significant layer of code obfuscation to further hinder binary analysis.   Nevertheless, with a careful mixture of static and dynamic analysis, we attempt here to summarize the internal logic of Conficker C.

Alex Eckelberry

An alternative to “free” credit reports

For years, we’ve been hearing ads from freecreditreport.com.  As you probably know, it’s not true — the service is not free.

The FTC has launched an educational campaign, pushing the actual free credit report service, AnnualCreditReport.com.  I’ve used it a number of times myself and it’s a great (and free) site.

Ed Dickson has written much more on the subject here.

It’s important to keep up on your credit report, for obvious reasons.  But you don’t need to pay.  You also don’t need to pay for other services, like LifeLock, when you can easily do it yourself — for free.

Alex Eckelberry

Should be an interesting news day for security

Joanna claims she’ll be releasing exploit code later today (12 noon EDT, 16:00 UTC) for a nasty new rootkit that embeds itself into Intel chipsets through SMM (System Management Mode, a little-known feature that allows hardware vendors to manage certain chip functions, like power management, using software).  James Heary has more here.

Then, I expect some more interesting new research to be published on Conficker later today, which I’ll be publishing on this here blog.

Alex Eckelberry

Symantec changes tack on Ask relationship

Follow-up from a prior post on the subject: Rowan Trollope, Symantec senior veep, posted something on the subject:

Safe Search update

I’ve seen the negative feedback here in the forum regarding Norton Safe Search, and have been carefully listening over the last couple weeks, and working with my team on the best course of action.

While we believe Safe Search is a valuable feature, many of you were surprised by the addition of the search box to the Norton toolbar, and expressed concern over not being given the choice of whether or not to install it.

Given your response, we’ve taken immediate action. Moving forward, Norton Internet Security and Norton 360 will now ship with the search box disabled by default. Norton Safe Web site ratings will still be available to users. We are starting this process immediately and will be rolling out updates over the next few weeks.

Also, I want to clearly convey that this is not an Ask toolbar. It is part of the Norton browser integration and it is easily disabled. Also, to be clear, there is no Ask code running on your computer – it is all Norton code. There is no separate component to uninstall or remove. Once disabled, it is completely shut off and inactive. When enabled, the only information we are sending to Ask.com is the actual search query.

Customers who already have the search box enabled will not be affected, but still have the option to disable it manually via the Norton Toolbar menu.

My team and I have worked very hard to deliver security products with superior speed and performance, and I want every aspect of our customers’ experience to be positive. The last thing we want to do is cause any frustration with our loyal, technical users.

We want our customers to have an outstanding user experience and are revisiting Safe Search to determine how we might deliver this feature in a more positive way in the future. There are customers who are currently using and benefiting from this feature and ultimately, we do want to offer this, but make sure we do it in the right way.

Thanks, as always, for your candid feedback here in the forums.

Regards,
Rowan Trollope
Senior Vice President

Alex Eckelberry
(Via Donna)

The BBC botnet debacle

There is an active thread over at Funsec on a very interesting subject:  The BBC’s recent use of a botnet for a televised story.

The BBC wanted to show how botnets work.  Unfortunately, they took control of a real live botnet.  Real people’s computers.  To send spam to a couple of web email accounts they had set up. 

They then put a desktop wallpaper on the infected systems, telling them that they were infected, and then they disabled the botnet.

This is wrong on so many levels.  And it sets a dangerous precedent.

Larry Seltzer at eWeek has written an excellent piece on the subject.

I can expound a bit. Yes, it’s illegal.  You can parse it any way you want, but you do not take control of other systems without the permission of the users.  Period.

But the legal argument is only one part of it. It’s unethical.

Malware researchers routinely deal with botnets for analysis purposes.  It would be considered a high crime indeed to allow a spambot to actually send spam to the outside world, even for “testing” purposes. And, shutting down a botnet yourself, even with the best intentions, is simply not a good idea.  You don’t know what accidental harm you may cause.  You don’t really know what’s on the user’s system that will simply restart the whole process.  

You just don’t get involved, because it’s not only wrong, there are too many unintended consequences that can occur.  You’re playing with fire.  Report it to the ISP, report it to the relevant authorities, but don’t play with live ammo like this. 

To have a TV show use a botnet, to “prove a point”, is beyond the pale — particularly since the point could have easily been proven in other ways.

The company that helped the BBC should have put the brakes on this idea.  However, it was the BBC reporter that ultimately pulled the trigger.

Graham Cluley (a rising star in the security blogging world) has done the work so I don’t have to, and you can read more at his blog post here; and Dave Harley has done some good writing as well here.

Alex Eckelberry

More Facebook malware…

If you’re invited to watch a movie on Facebook, realize that downloading a “special codec” or “media player” is ill-advised. It’s malware.

Example running right now:

Messages from Your Friends on Facebook, March 11, 2009

You have 1 Personal Message:
Video title: “Amanda is dancing on Striptease Dance Party, March 13, 2009! We’re absolutely shocked!”.

Proceed to view full video message:

hxxp://facebook.shared.completeserv.personalid-5ihg4wefb.based.867player com/home.htm?/tools/application=e1q3flwixa7lkef

Message ID: FB-7n1cqla9sgguzde
2009 Facebook community, Message Center.

Facebook123888

When you try to view the “video”, you’re asked to download and run a “media player”. That’s the malware part.
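The giveaway in a lure like the one above is that the brand name sits in a sub-label of somebody else’s domain, and the “watch the video” wording leads to a download. The following Python script is an added example (not code from the original post) that pulls the links out of such a message, re-fangs an hxxp:// link, checks whether the registrable domain really belongs to the brand the host name claims, and flags the lure phrases. The sample message, the link host and the message ID are constructed placeholders modelled on the message structure quoted above, and the list of legitimate Facebook domains is an assumption of the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lure, modelled on the message structure quoted in the post.
# The link host and message ID are placeholders, not the ones from the real spam.
SAMPLE_MESSAGE = """Messages from Your Friends on Facebook, March 11, 2009

You have 1 Personal Message:
Video title: "Amanda is dancing on Striptease Dance Party! We're absolutely shocked!".

Proceed to view full video message:

hxxp://facebook.shared.completeserv.personalid-placeholder.example.invalid/home.htm?/tools/application=placeholder

Message ID: FB-placeholder
2009 Facebook community, Message Center.
"""

# Domains the impersonated brand really uses (assumption for this example; a
# production filter would use a maintained list and a public-suffix library).
LEGIT_DOMAINS = {"facebook.com", "fbcdn.net"}

# Wording typical of "watch this video" lures; the post names the codec /
# media-player download as the malware step.
LURE_PHRASES = ["view full video", "media player", "codec"]

URL_RE = re.compile(r"\b(?:hxxp|http)s?://\S+", re.IGNORECASE)


def refang(url):
    """Turn a defanged hxxp:// link back into http:// so it can be parsed."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def registrable_domain(host):
    """Last two labels of the host (naive; ignores multi-label suffixes such as co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def brand_spoofed(host, brand):
    """True when the brand name appears in the host but the registrable domain is not the brand's."""
    return brand in host.lower() and registrable_domain(host) not in LEGIT_DOMAINS


def analyse(text, brand="facebook"):
    """Extract links, flag brand-in-subdomain hosts and lure wording, return a verdict."""
    urls = [refang(u) for u in URL_RE.findall(text)]
    spoofed = [urlsplit(u).hostname for u in urls
               if brand_spoofed(urlsplit(u).hostname or "", brand)]
    lower = text.lower()
    lures = [p for p in LURE_PHRASES if p in lower]
    if spoofed:
        verdict = "suspicious"      # brand name in a sub-label of someone else's domain
    elif lures and urls:
        verdict = "review"          # lure wording plus an off-site link
    else:
        verdict = "no indicators"
    return {"urls": urls, "spoofed_hosts": spoofed, "lure_phrases": lures, "verdict": verdict}


if __name__ == "__main__":
    print(analyse(SAMPLE_MESSAGE))
```

The registrable-domain check is deliberately naive (last two labels); for real mail filtering you would substitute a public-suffix list so that hosts under multi-label suffixes are handled correctly.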

This has been reported to Facebook.

Alex Eckelberry

MX-Virtualization announced

Today, we announced MX-Virtualization, our new detection technology which analyses potential malware based on behavior.  I mentioned this in a blog post a while back, and now it’s official.

If you’re running VIPRE or CounterSpy (enterprise and consumer versions), you already have MX-V.  It started shipping with the definition series 5000.

MX-V is really quite powerful.  We’ll be talking more about it in the coming weeks.

You can read more about it in our official company hype, here.

Alex Eckelberry

Heuristics are dead?

Some people in the security industry may be baffled by a video presented by Richard Stiennon with Amrit Williams, Martin McKeay and Mike Murray.

The discussion goes along predictably and with some good points (like whitelisting isn’t practical), but at the 17:45 mark, the odd statement is made that heuristics and behavioral detections don’t work.

This statement directly contradicts fact.

Many of the leading AV engines are, in fact, relying heavily on generic detections and heuristics (some that come to mind include Sophos, Avira, Symantec, and one of the great users of heuristics, ESET). Go ahead and grab a piece of malware, submit it to VirusTotal, and see how many detections are things like “trojan.gen”, “delphi.gen”, “troj.heur.downloader”, or “trojan.packed.gen”. These are generic or heuristic detections. And there are a lot of them.

As far as I’m concerned, just about the only thing an AV company can do these days is to lean heavily on heuristics or behavioral detections. When you’re processing over 30,000 pieces of malware daily, there’s not much choice.

We’re certainly pushing in that direction. As an example, some preliminary test results of our upcoming MX-V virtualization technology (which is almost purely behavioral) are showing detections of almost a quarter of our entire malware repository. That’s pretty powerful, and this is a behavioral system. There are no significant issues with false positives, either.

Similarly lambasted in the video are Host Intrusion Prevention Systems (HIPS). Well, HIPS isn’t very relevant in a 64-bit world, but in a 32-bit world, one thing it can do is block an attempt by an application to write to a place in memory where it’s not supposed to (a buffer overflow). Seems like a good idea to me. Or IDS, which relies on rules that are the writer’s best approximation of a means to detect a certain type of network event.

As my good friend Randy Abrams over at ESET said:

A battle for the industry is that customers want names for the things that are detected. It isn’t feasible anymore to maintain names for all of the threats. The entire industry has been forced to adopt heuristic approaches that preclude naming each threat…In many cases heuristics are being called signatures. Generic signatures are a type of heuristic and are used with reasonably good success. When the storm worm was at its peak it was being dynamically repackaged every 5 minutes. Generic signatures were able to protect against these threats without the need for a unique signature for each variant.

I invite the curious to spend some time in an AV lab. Fair warning, however: As in legislation and sausages, you might not want to watch the process.

Alex Eckelberry

(I may get called on this by someone, so I might as well get it out of the way: My statements partially depend upon the definition of signature, heuristic and behavior detections. Generic detection, which has typically been a detection for a family, has in practice broadened to include practically any detection that matches various attributes or file types (like blacklisting a packer). But to some, a detection must match at least two qualifying flags to count as a heuristic. To me, it’s simple: if you’re doing an exact match of a file hash, a string, etc., it’s a signature. You can tell a customer exactly what the file is, and you have certainty when removing it from a system. However, if you’re guessing based on entry points, file types, attributes, etc., it’s a heuristic. And if you’re detecting based on behavior, well, it’s behavioral.)
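To make the distinction in the closing note concrete, and to show why Randy Abrams’ point about Storm being repackaged every few minutes favours generic and heuristic detection, here is an added Python example (not code from the original post, Sunbelt, or any AV vendor) with a toy four-layer scanner: an exact-hash signature, a generic family string, an attribute heuristic that requires at least two flags, and a behavioural rule over recorded actions. The three sample records, their byte strings, import lists, behaviour events and detection names are all constructed for the example; treating UPX as a heuristic flag and the particular attribute thresholds are assumptions of this toy, not anyone’s production logic.

```python
import hashlib

# Constructed toy sample records (made up for this example, not real malware). The
# first two are "variants" of one family: the second is simply repacked, so its
# bytes and hash differ while its core string, attributes and behaviour match.
# The third is a benign tool with ordinary attributes.
SAMPLES = {
    "variant_a": {
        "bytes": b"MZ\x90\x00UPX0\x00...download_and_run...\x00variant=a",
        "packer": "UPX",
        "entry_point_in_last_section": True,
        "imports": ["URLDownloadToFileA", "WinExec", "RegSetValueExA"],
        "behaviour": [("registry_write", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"),
                      ("network_connect", "198.51.100.7:80"),
                      ("file_drop", r"%TEMP%\svc.exe")],
    },
    "variant_b": {
        "bytes": b"MZ\x90\x00UPX0\x00...download_and_run...\x00variant=b",
        "packer": "UPX",
        "entry_point_in_last_section": True,
        "imports": ["URLDownloadToFileA", "WinExec", "RegSetValueExA"],
        "behaviour": [("registry_write", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"),
                      ("network_connect", "198.51.100.9:80"),
                      ("file_drop", r"%TEMP%\upd.exe")],
    },
    "benign_tool": {
        "bytes": b"MZ\x90\x00.text\x00hello world\x00",
        "packer": None,
        "entry_point_in_last_section": False,
        "imports": ["CreateFileA", "WriteFile"],
        "behaviour": [("file_write", r"C:\Users\me\notes.txt")],
    },
}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Layer 1, signature: exact hash match. It names the exact file, so removal is
# certain, but a repacked variant has a new hash and falls straight through.
SIGNATURE_DB = {sha256(SAMPLES["variant_a"]["bytes"]): "Trojan.Downloader.Foo.A"}


def signature_scan(sample):
    name = SIGNATURE_DB.get(sha256(sample["bytes"]))
    return {"layer": "signature", "name": name} if name else None


# Layer 2, generic: a string shared by the family core survives repacking of the
# outer layer, so one entry covers many variants, at the price of a family-only name.
GENERIC_STRINGS = {b"download_and_run": "Trojan.Downloader.Gen"}


def generic_scan(sample):
    for needle, name in GENERIC_STRINGS.items():
        if needle in sample["bytes"]:
            return {"layer": "generic", "name": name}
    return None


# Layer 3, heuristic: attribute flags (packer, entry point, import combination).
# The "at least two flags" threshold is the convention the post mentions; counting
# UPX as a flag at all is an assumption of this toy scanner.
SUSPICIOUS_PACKERS = {"UPX"}


def heuristic_scan(sample, min_flags=2):
    flags = []
    if sample["packer"] in SUSPICIOUS_PACKERS:
        flags.append("packed")
    if sample["entry_point_in_last_section"]:
        flags.append("entry point in last section")
    if {"URLDownloadToFileA", "WinExec"} <= set(sample["imports"]):
        flags.append("download-and-execute imports")
    if len(flags) >= min_flags:
        return {"layer": "heuristic", "name": "Heur.Downloader", "flags": flags}
    return None


# Layer 4, behavioural: judge what the sample did when run, regardless of its bytes.
def behaviour_scan(sample):
    kinds = {event for event, _ in sample["behaviour"]}
    persistence = any(event == "registry_write" and target.endswith("\\Run")
                      for event, target in sample["behaviour"])
    if persistence and ({"network_connect", "file_drop"} & kinds):
        return {"layer": "behavioural", "name": "Behaviour.Persist+Drop"}
    return None


def scan(sample):
    """Run every layer and return the verdicts that fired, in layer order."""
    hits = [signature_scan(sample), generic_scan(sample),
            heuristic_scan(sample), behaviour_scan(sample)]
    return [h for h in hits if h]


def layers_fired(sample):
    return [h["layer"] for h in scan(sample)]


if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        print(label, layers_fired(sample))
```

Running it shows the trade-off the post describes: variant_a is caught by all four layers and the signature layer can name it exactly, variant_b (same family, repacked) is missed by the signature but still caught by the generic, heuristic and behavioural layers under a family-only name, and the benign tool trips nothing.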