13 Jun AutoRun. Reloaded Konstantin Markov
06 Jun The most sophisticated Android Trojan Roman Unuchek
03 Jun Security policies: portable applications Kirill Kruglov
03 Jun What are children doing online? Konstantin Ignatev
03 Jun Jumcar. Peruvian navy? Who could be behind it? [Third part] Jorge Mieres
Join our blog
You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.
A few days ago David wrote about ConsumerReports, which created around 5,500 new virus variants in order to test antivirus solutions. Like most antivirus companies, we weren't particularly impressed by this.
Recently a writer for heise.de, probably the best known German IT website, picked up on the topic, criticizing the reaction of antivirus companies: “[they] fail to notice that they sound like Mercedes dealers complaining about the 'elk test' – arguing that there are enough real accidents to analyze the safety measures of their cars.”
This comparison is specious: in the context of antivirus testing, the 'real accident' is a computer or network infected by in the wild malware, and the 'elk test' is controlled testing under laboratory conditions. We've got nothing against controlled testing, as long as it uses malware which exists in the same form in the wild. We're also in favour of testing solutions which have deliberately not been updated - old signatures mean that heuristics and proactive protection technologies can be fully tested.
I can’t see any benefit in using newly created variants of existing malware in tests. And the argument that these new creations won't be made publicly available is irrelevant here. At the end of the day, such tests could lead to an atmosphere of open competition, with the testers attempting to trick as many antivirus solutions as possible by using more new and different malware. Of course, this would all be in the name of security... but it could decrease the amount of effort virus writers have to put in, with the burden ultimately being borne by end users.
We've recently detected yet another new trick being used by spammers.
Spam now isn’t just being sent as a static graphical image in an attachment, but as an animated image. Spammers are using GIF animation which will be recognized and displayed by all popular browsers.
Normally, animated spam has between two and four frames; out of these, only one of them actually contains significant information about the goods or service being promoted. The remaining frames simply act as background, or contain other pictorial elements. The main frame is displayed to the user for up to 10 minutes, while the remaining frames will be displayed for mere tenths of a second.
The screenshot on the left shows the main frame of such a message. On the right is an example of one of the remaining frames (the original message contained three frames in all.)
As far as we can tell, at the moment animation is confined to stock spam (e.g. spam which promotes specific stocks). However, there’s nothing to say that this technique won’t become widespread in the future.
Spammers are always developing new technologies in order to evade spam filters. Whether or not animation will make spam more difficult to detect isn't yet clear. It's true that a lot of spam filters don't analyze the actual graphics in spam. The majority of them analyze the message structure, the text content and so on. Animated spam may well cause serious problems for simple filters which operate purely by analyzing text symbols, and which don’t analyze text in graphical form. However, such filters are ill equipped to cope with any type of graphical spam, animated or not.
On the other hand, although animating the message is a novel trick, better spam filters are able to detect and filter out animated spam.
Sun has released Update 8 for Java Runtime Environment 5.0. This is an extremely important update.
JRE has long been used to install malware as it contains numerous vulnerabilities which allow remote code execution. Another important factor is that JRE works with all web browsers. This means that a vulnerability in JRE will affect all browsers.
In my mind the most serious issue in JRE has finally been fixed. The problem with previous JRE releases was that they didn’t prevent a Java applet from calling earlier JRE versions. As previous JRE versions aren’t uninstalled automatically this creates a very dangerous situation. If machines have the latest version of JRE, but older versions haven’t been manually uninstalled the machines are still vulnerable.
So install the latest update ASAP. Either go to the website or update the program via the control panel.
There have been reports in the past that the updater in the Java Control Panel will say that the latest version is present, even though it's not. So double check that you have the latest version or go to the website.
P.S. If you uninstall all the older versions you’ll probably free up quite a lot of space on your hard disk.
Recently an attempt was made to blow up local trains in Germany. This reignited the discussion about how such threats could be foreseen and averted. In the course of these discussions, the subject of encryption came into the cross-hairs: after all, encryption makes it possible for terrorists to communicate with each other and to protect those communications from prying eyes.
However, not everyone who uses encryption is a terrorist. For your average user (home or business, take your pick), encryption is a method to ensure security, whether it's when transmitting confidential data over the Internet, or simply to ensure that data on a laptop will remain secure if the machine is stolen. Encryption isn't automatically evil - on the contrary, if someone uses encryption, it shows that s/he is both responsible and conscious of security issues.
Some German politicians are calling for encryption to be made illegal; or for it to be legal only if the state is provided with the key used. Such a stance clearly shows how far legislation can be from reality. After all, it’s illegal to blow up trains - but that doesn’t stop terrorists from doing this. Restricting the use of encryption in the name of anti-terrorism is a red herring; it won't stop terrorists, and it will seriously inconvenience home and business users who are taking responsibility for their data security into their own hands.
If it were to be suggested that people shouldn’t lock their front doors on the grounds of security, the media outcry would be huge. However, many politicians, as well as the population at large, seem to be stretching the idea of data security beyond all reasonable limits. This is muddying the waters, and gives rise to the fear that restrictions on encryption may soon find their way onto the statute books.
A couple of days ago we reported on a problem with the MS06-042 patch which was released earlier this month. Microsoft created a hotfix for the problem and announced that the patch would be re-released. However, a couple of days ago, the company announced that the updated patch could only be released once final testing was completed.
Well, now it is. You can find the re-released patch here. This fixes a critical vulnerability, remember, so it's important to download and install the update as soon as possible.
This highlights once again the need for all of us to exercise caution when we're looking for online deals. It's clear that you can pick up a bargain by shopping online, but if something seems too good to be true, it probably is.
Malicious programs for computers have been around for more than 20 years. It was the birth of the Internet which really enabled these digital pests to make a breakthrough.
Until now, gaming consoles have been more or less immune to malware. Yes, there're been Trojans for the Nintendo DS console (Trojan.Nintendo.Taihen.a and .b) and for the Sony Portable Playstation (Trojan.PSP.Brick.a) but the number of victims has been small. This is because the user has to tweak the console in order for so-called homebrew software (i.e. software not certified by the console manufacturer) to run.
There's a Linux distribution available for the Sony Playstation 2 (which will also be available for Playstation 3) which just cries out for programming. However, any programs created will only run on Playstations which have the distribution installed.
Microsoft recently announced that in future, users will be able to purchase a development kit with a $99 a year registration fee - no Linux here. Programs developed using the kit will only run on Xboxes where the user has also paid the registration fee, and they can only be copied to another console as source code. From a security point of view, this is a wise decision.
I hope that things won't change much in the near future. If Sony, Microsoft , Nintendo or hackers made it possible to easily download programs developed by users via the Internet, Pandora's box would be opened. The combination of unprotected gaming consoles, the Internet and the possibility of previously unknown vulnerabilities would lead to gamers who had been immune to malware becoming a target for virus writers.
An organization called ConsumerReports published an article today that suggests it 'created 5,500 new virus variants derived from six categories of known viruses, the kind you'd most likely encounter in real life.'
This is a really unwise thing to do. There are plenty of 'real' viruses, worms and Trojans around without well-meaning organizations generating more of them, for whatever reason.
The premise on which ConsumerReports seems to have based its actions on is this: "We hadn't seen any independent evaluation of antivirus software that measured how well products battle both known and new viruses, so we set out to fill that gap.” In fact, AV-comparatives publishes tests evaluating products' ability to find both known and unknown threats ... and they do this without having to create new viruses. There are also a number of other independent organizations that test the detection capabilities of antivirus products, including AV-Test GmbH, Virus Bulletin, ICSA Labs and West Coast Labs.
And they all make their results public; something that ConsumerReports seems not to have done so far.
It came to our attention today that the website of one of the Dutch TV broadcasters had been defaced. So we contacted them and informed them in case they weren't aware of the issue yet.
I was told on the phone that the station wasn’t aware of the issue and that they would look into ASAP. However, after 15 minutes or so, the site still hadn't been taken down - I started to think that it might be a hoax.
This channel is well known for its attention grabbing tricks, and it occurred to me that this would fit their image nicely. And indeed, the ‘defacement’ turned out to be a (viral) marketing stunt.
As I clearly identified myself as being from a security company, I don't think they were right to withhold this information from me. There are two reasons for this - firstly, I’m well aware of confidentiality issues, and secondly, I could have spent the time researching other, genuine, virus related issues.
De Consumentenbond, which is basically the Dutch version of Consumer Reports, released an interesting press release yesterday. Thanks to this organization, eBay is no longer asking for personal information which could identify the user via email. (More information, in Dutch, can be found here.)
eBay had previously been asking some customers for personal details in order to confirm the customer's credit status. Such requests were for copies of identity cards or passports, recent bank statements and valid phone numbers. Of course such details were juicy bait which phishers could exploit - I’m pleased to hear that eBay will be taking a different approach from now on.
This news also reminded me of some interesting cases I saw some time ago in The Netherlands.
Some big companies had been sending out emails which included no identifiable information whatsoever. Although the ‘from’ address said the email had been sent from company X, company X's mail servers hadn’t been used to send the email. The URLs in these emails also linked to third party domains. So nothing in the email could be attributed to company X.
Pretty amazing if you ask me. Such practices are dangerous. They also make it very difficult for security companies - from a literal point of view, such emails are simply phishing emails. But antivirus companies can’t detect them.
My hat goes off to De Consumentenbond for pushing eBay in the direction of improved security. And I think that in this day and age it wouldn't be a bad idea to make better practice mandatory.
Over the weekend we saw the first malware to exploit MS06-040 - Backdoor.Win32.IRCBot.st.
The interesting thing about this malware is that it uses old exploit code. This old exploit code is (normally) only able to infected Windows 2000 hosts. This is the main reason why the number of infections is not that high.
This case is similar to Bozori - you might remember that Bozori also (normally) only infected Win2K machines. It will be interesting to see if this time round there are similar high profile casualties. However, in comparison to MS05-039, which Bozori exploited, MS06-040 is much easier to exploit successfully on a XP based machine.
There's reason to think that exploit code which could do this has already been created. But at the moment, it’s not widely available. It therefore seems likely that the creators of IRCBot.st are relying on exploit code which is already public.
We will only start seeing the real impact of MS06-040 when fully functional, new exploit code, in the form of a backdoor or worm is released into the wild. Let's hope that doesn’t happen any time soon.
P.S. Don't forget to reboot the machine after you’ve applied the patch. Until you do, your computer remains vulnerable.
It's 25 years today since the arrival of the IBM PC. The PC not only radically changed homes and businesses across the globe, but the way we live our lives, shop, and even interact with each other. Many of the changes have been for the better.
That said, it's hardly surprising that we, as a security company, are also conscious of the flip side of this particular coin. If something can be used, it can be misused. The proliferation of the IBM PC and its many compatibles (some more compatible than others) has made ever increasing numbers of users vulnerable to malicious code. 25 years of the PC, 21 years of malware for the PC!
It's 'patch Tuesday' once again. So this is just a gentle reminder about patching your vulnerable systems ... download the updates and keep the 'bad guys' at bay. Check out the Microsoft Security Bulletin Summary for August, 2006 page for more details.
One of the dark attractions at DefCon is the "Wall of Sheep". The idea is simple - a bunch of people with sniffers sitting together capturing all the unencrypted traffic that flies through the air via the free WiFi connections available at the convention.
HTTP, POP3, FTP and ICQ logins are definitely intercepted, and others may be.
I was quite suprised to see lots of Myspace accounts listed on the Wall of Sheep. It turns out that unlike other community services such as Orkut or LinkedIn, Myspace's login is totally unencrypted and prone to sniffing.
So if you are a MySpace user, I suggest you stay away from your account next time you connect to the Internet by a public WiFi network.
Yesterday Defcon was winding down, the lights were being turned off, and the feeling of electricity among the participants was palpably less than at the beginning of the event. After this grand bash -- now as much a part of Las Vegas as any Comdex ever was -- people are sobering up, and the reason isn't just that the alcohol is starting to wear off. It's also due to a greater realization of just how far-reaching the threat against modern computer systems is.
I attended several sessions on malware and computer-based exploits, and it was clear to me that the bad guys are going to continue to come at our computers with full force. It was equally clear that organized cyber crime exists, with criminal groupings investing the large sums they've already made back in to further ‘product development’.
I’m not talking just about developing new exploit code. According to a panel of several U.S. Federal agents, organized cyber crime rings spend heavily on recruiting and retaining people, who may be geographically remote from each other.
Each person within the group will have a specific skill set which complements the skills of other members. Because in many cases cyber crimes transcends geographical borders, the ringleaders have to invest not only in people, but just as heavily in other key areas: computers and peripherals, telecommunications and other fees, and, in some cases, money-laundering and legal fronting organizations.
If this sounds like a expensive business, it is. And yet the bad guys do it because they know think that they’ll see a good return on their investment. And if it sounds like a risky business, well yes, it is. The good guys claim to remain vigilant in curbing cyber crime. As to who will win - that’s a question that only the future can answer.
As the reported 5000+ attendees can attest to, the conference was about much more than just malware and exploits against computers. There were also lighter - though still on-topic - presentations. From upgrading an airline ticket using old 'skewl' techniques (which drew raucous applause from a delighted audience) to the ever popular Spot the Fed contest (you G-men need to be more watchful - or perhaps less! - of the young female hacker contingent), this 14th Defcon was both a fun and highly informative event.
Last Friday, we came across an interesting site: a message board where stolen credit card numbers have been published since August 2005. The site included over 300 credit card numbers and additional information. On Friday more than 60 numbers were posted, showing that the site is definitely active.
It was clear that the information came from a variety of sources - the entries varied from basic (card number, three digit pin code, validity, name and address of the owner) to comprehensive (all the data above, plus phone number, email address, ATM pin code and account details).
Having looked at the site, we decided to call one of the victims to check that the information was authentic. Once he got over his surprise, he confirmed that the details we'd found were his. And that was the start of our telephonic odyssey.
15.30 - Telephoned the Bundeskriminalamt (German Federal Office of Criminal Investigation)
We were given the names of three people to talk to. After a few unsuccessful attempts to get through, it turned out that these three people were either on holiday, or had already gone home. We were finally told to send an email to firstname.lastname@example.org.
16.00 - Telephoned the Landeskriminalamt (German State Office of Criminal Investigation)
Our last phone call made it seem pretty likely that no-one would read our email (let alone do anything with it) before Monday. So we decided to call the local branch of the criminal investigation office - unfortunately, with the same lack of success. The result: we sent another email.
16.15 Telephoned the credit card companies
The situation wasn’t any better when we called Visa and Mastercard - we couldn’t get through to anybody. As a last resort, we called the customer emergency number:
"We’re calling from Kaspersky Lab, an IT security company; we've found a website which has hundreds of your customers' credit card numbers on. Could you please tell us who in your company we should contact?"
“Er - could you please give me your credit card number, Sir?”
In order not to waste any more time, we got our US local office involved. They contacted the credit card companies and the FBI. Meanwhile, our Russian office started the process of getting the website taken down.
So everything’s been set in motion, but the whole thing still makes me a bit uneasy. If you lose your credit card, you’re obliged to inform the card issuer asap. And credit card companies do provide emergency numbers to make this easier. But the story above shows that if, like us, you come across more than 300 stolen numbers, it's going to be a bit more difficult. Yes, all of this happened on Friday afternoon, but criminals don’t take weekends off!
We’ll see how everything develops over the next couple of days and keep you posted. We'll also be publishing a short article about this case, with further details, in the very near future.
The 30 year old head of a Nigerian scam gang has been arrested. This may not seem like big news - after all, as the legislative bodies start to take cyber crime more seriously, we’re seeing more and more scammers and virus writers being apprehended.
However, this case is a bit different. This man was the head of a gang which operated out of Amsterdam, and earlier this year some arrests connected with this case were made in the Netherlands. It seems as though this man, like other 419-ers, went back to Nigeria in order to evade arrest - a tactic which for others.
But his luck ran out, and he was arrested in Lagos.
I think this is a very positive step, and I can only hope we will see more arrests taking place in Nigeria.
Microsoft gave advance notice today of the 12 security patches which will be released on Tuesday: 10 relating to Windows and two relating to Office. This advance notification does not include severity ratings.
Unpatched vulnerabilities continue to be a significant weapon in the armoury of malware writers, and Microsoft has been kept particularly busy releasing patches in recent months.
The last time I attended a BlackHat Conference, somebody tried to break into my computer using a 0-day vulnerability, which I noticed and blocked due to pure luck.
Today, armed with a well sized toolbox of sniffers and packet analysers, I’m in Las Vegas. No, not to gamble my AV researcher salary, but to attend the BlackHat USA Briefings and Trainings, 10th Edition.
One of the most striking things about BlackHat conferences in Las Vegas is the huge number of people that come to listen to the presentations: about database security, rootkits, writing secure code or state of the art hacking. This information was cutting edge about 6 months ago - any respectable hacker is going to keep all the 0-day exploits to him/ herself, and only disclose a few every now and then.
This year there are about 3000 registered participants and about double that number is expected at DefCon, which is starting tomorrow. I think it’s by far the biggest computer security-related conference I have attended.
The first day went pretty smoothly, with talks ranging from US Government officials down to self confessed hackers who are known only by their nicknames. Personally, I find this very interesting – in the antivirus world, you’d never (except under truly exceptional circumstances) see a virus writer coming to a conference such as VB or AVAR to talk about his latest creations. Yet at BlackHat it’s pretty common to see people talking about better ways to evade rootkit detectors or IDS systems to the accompaniment of loud cheers from the crowd.
The packet sniffer that I have set up on my PowerBook has been pretty silent so far except for an insane amount of broadcasted packets (after all, most people here do have a laptop and are using the WiFi connection to … do…things) . But I wouldn’t be surprised if I saw a rerun of the Amsterdam 0-day experience. After all, it is BlackHat.