Messages like this have become a common sight in our ICQ spamtraps:
If you are wondering, the cost to DDoS a website can range between $100 and several thousand US dollars. For www.viruslist.com it would be around $3000 per day. Apparently, there are even special discounts for "DDoS multiple sites" packs - "buy two, DDoS the third for free!". They even offer different methods to DDoS a website - for instance, SYN flood or heavy traffic. This is because some ISPs charge by traffic, and several hundred GB of extra traffic can cost the website owner a lot more than the DDoS attack itself.
Faced with a massive DDoS attack, many companies simply remove their websites from the net until the attack is over. Others pay up the ransom, if there is one. The best thing to do is to work with the ISP and with companies specializing in blocking DDoS attacks. Please don't pay the ransom; it only encourages the bad guys to carry on.
Although it's perhaps better known for its extreme location and beautiful landscapes, Chile has recently been making the news for hacker arrest stories. Carlos Amigo (aka SSH-2) and Leonardo Hernandez (aka Nettoxic) from the 'Byond Team' have recently been freed from jail while their case is still being investigated. Along with two other members of their group, they are alleged to have been responsible for breaking into more than 8000 websites around the world, including the 'Holy Grail' of hacking - nasa.gov. YouTube has a video from the Chilean TV station 'TVN' on the arrest.
Across the ocean, in Spain, four people have been arrested on various charges including credit card theft and malware writing. Two of them are minors and were caught writing trojans which allowed them to capture embarrassing webcam feeds that were later used to blackmail the victims.
Unfortunately, although the number of computer crime related arrests has been going up recently, the amount of crimeware we have been receiving over the past months is constantly rising. These arrests are probably just the tip of the iceberg. Even so, they are most welcome.
I've been thinking about the publicity that Jim Allchin attracted with his comments about Vista and Security.
I want to stress again that he didn't say that Vista doesn't need anti-virus. He said that Vista has more security barriers - and that's true. He also gave the example of his seven year old son who uses Vista with limited Internet abilities - and that is really secure (as long as his son isn't using email).
Following his example, I think I'll buy and install Vista on my 65 year old mother's computer. She'll use a very limited number of Web pages and a few email addresses to send/read messages - and I'll sleep better... until hackers find a Vista-compatible vulnerability and use it to infect remote machines :)
But what about my 15 and 18 year old sons, who are very active on the Internet, sending lots of emails, browsing the Web, using search engines, and chatting on ICQ? I’m not sure how much Vista is really going to offer them in the way of enhanced security.
As one journalist said, "it would be extremely rash to think that Vista will be bullet-proof on release". No matter how advanced Microsoft's Defense-in-Depth programming is, there will be virus writers and hackers looking for holes - and they will find them. Which brings us back to the vicious cycle of vulnerability-exploit-patch that we know so well.
Yesterday Microsoft published its regular monthly security bulletins. One of them (MS06-066) addresses a vulnerability rated 'Important'; the others (MS06-067 through MS06-071) fix a series of vulnerabilities rated 'Critical'.
Further details can be found at http://www.microsoft.com/technet/security/bulletin/ms06-nov.mspx.
As usual, make sure you patch your system(s) as soon as possible, to minimise your exposure to malicious code.
Microsoft's advance notification of this month's patches includes one security bulletin for Microsoft XML Core Services and five security bulletins for Microsoft Windows. The highest severity rating is 'Critical'. So get ready to patch your systems tomorrow to limit exposure to possible exploits.
Yesterday, we added detection for Virus.Win64.Abul.a to our antivirus databases.
In addition to being the third Win64 virus we've seen (following on from Virus.Win64.Rugrat.a and Virus.Win64.Shruggle.a) Abul has got some neat points. It's written in C, is a very compact 3700 bytes in size, and uses operating system functions to compress part of infected files, so that the file size doesn’t change.
Apart from this, however, there's nothing really outstanding about Abul. It uses classic file infection methods which have been widely used to infect Win32 platforms.
It injects itself into the CSRSS.EXE and Winlogon.exe processes, and attempts to recursively infect all executable files on the hard disk. If it can't compress a section of a file so that there's space to add its code, the file will remain uninfected.
So this latest creation shows that virus writers are still using tried and trusted methods to infect new platforms, with only minor modifications. It’ll probably be a while before we start to see anything truly new for Win64, but then again, in the world of viruses, you never quite know what's round the next corner.
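Because Abul compresses part of the host file to make room for its own code, an infected file keeps its original size, so any integrity check that relies on file length alone will miss it. The script below is an added example, not code from the original post or from Kaspersky Lab: it builds a baseline of size plus SHA-256 for executables under a directory, then simulates a constructed size-preserving modification and shows that only the hash comparison reports it. The helper names (build_baseline, compare_baseline, demo) and the sample files are assumptions made for the illustration; the modification is a plain in-place overwrite, not an emulation of the virus.

```python
import hashlib
import tempfile
from pathlib import Path

# Hypothetical helper names for this example; not from the original post.


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries are handled without loading them whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, suffixes=(".exe", ".dll")) -> dict:
    """Record size and SHA-256 for every executable under root, recursively."""
    baseline = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in suffixes:
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {"size": p.stat().st_size, "sha256": sha256_of(p)}
    return baseline


def compare_baseline(root: Path, baseline: dict) -> dict:
    """Return which baselined files changed by size and which changed by hash."""
    size_changed, hash_changed = [], []
    for rel, rec in baseline.items():
        p = root / rel
        if not p.exists():
            continue
        if p.stat().st_size != rec["size"]:
            size_changed.append(rel)
        if sha256_of(p) != rec["sha256"]:
            hash_changed.append(rel)
    return {"size_changed": sorted(size_changed), "hash_changed": sorted(hash_changed)}


def demo() -> dict:
    """Constructed scenario: one fake 'executable' is modified without changing its length."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        victim = root / "bin" / "tool.exe"
        # Constructed sample: a header, a zero-filled region, then a 'code' section.
        victim.write_bytes(b"MZ" + b"\x00" * 4094 + b"original code section")
        untouched = root / "bin" / "other.exe"
        untouched.write_bytes(b"MZ" + b"\x00" * 100)

        baseline = build_baseline(root)

        # Simulate a size-preserving change: overwrite 16 bytes inside the file in place.
        original_size = victim.stat().st_size
        data = bytearray(victim.read_bytes())
        data[2:18] = b"X" * 16
        victim.write_bytes(bytes(data))
        assert victim.stat().st_size == original_size  # length is unchanged by design

        return compare_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())  # size_changed is empty; hash_changed lists bin/tool.exe
```

In practice the baseline would be stored off-host (or signed) so that a file infector running with the user's privileges cannot rewrite it along with the executables; the point of the example is only that length is not an integrity signal.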
We've been receiving a number of new samples of Trojan-Downloader.Win32.Delf.awg from users. It looks like this program, which will download Email-Worm.Win32.Scano, Trojan-Proxy.Win32.Xorpix and Trojan-PSW.Win32.LdPinch, has been widely spammed.
Delf.awg hides its network activity from firewalls by invading the svchost.exe process. The Trojan creates its own thread and uses it to download the malware, thus avoiding firewalls, which naturally allow network activity for svchost.exe.
The bad news is that you always need to be careful, and never open suspicious attachments. The good news is that KAV 6.0 and KIS detect these new modifications of Delf proactively. So even if you haven't managed to update recently, you're still protected.
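Delf.awg's trick works because a personal firewall that allows traffic by process name treats every connection from svchost.exe as legitimate. The script below is an added example, not code from the original post or from Kaspersky Lab: it runs a simple detection policy over a few constructed connection-log lines and flags svchost.exe connections that go to destinations outside an allowlist, or that come from an svchost.exe instance with an unexpected parent. The log format, the allowlist (RFC 5737 documentation addresses), and the helper names (parse_line, evaluate, Finding) are assumptions made for the illustration; the only fact relied on beyond the post is that Windows normally starts svchost.exe from services.exe.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed log format (an assumption for this example, not a real product's format):
# <date> <time> proc=<image> pid=<n> parent=<image> dst=<ip>:<port> proto=<tcp|udp>
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) proc=(?P<proc>\S+) pid=(?P<pid>\d+) parent=(?P<parent>\S+) "
    r"dst=(?P<ip>[\d.]+):(?P<port>\d+) proto=(?P<proto>\w+)$"
)

# Constructed sample log. Line 2 is the injection case: process name and parent look
# normal, but the destination is not one svchost.exe should be talking to.
SAMPLE_LOG = """\
2006-11-07 10:01:02 proc=svchost.exe pid=1032 parent=services.exe dst=198.51.100.10:443 proto=tcp
2006-11-07 10:01:09 proc=svchost.exe pid=1032 parent=services.exe dst=203.0.113.77:80 proto=tcp
2006-11-07 10:02:15 proc=firefox.exe pid=2200 parent=explorer.exe dst=203.0.113.9:80 proto=tcp
2006-11-07 10:03:40 proc=svchost.exe pid=3100 parent=explorer.exe dst=203.0.113.77:80 proto=tcp
"""

# Policy (assumed for the example): svchost.exe is expected to be launched by services.exe,
# and its outbound traffic is expected only to a small set of known update/time endpoints.
EXPECTED_PARENT = {"svchost.exe": "services.exe"}
ALLOWED_DST = {"svchost.exe": {"198.51.100.10:443", "198.51.100.20:123"}}


@dataclass
class Finding:
    pid: int
    proc: str
    reason: str
    detail: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["dst"] = f"{rec['ip']}:{rec['port']}"
    return rec


def evaluate(log_text: str) -> List[Finding]:
    """Apply the per-process policy to every parsed event and collect findings."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        proc = ev["proc"].lower()
        if proc not in EXPECTED_PARENT and proc not in ALLOWED_DST:
            continue  # process not covered by this policy
        expected = EXPECTED_PARENT.get(proc)
        if expected and ev["parent"].lower() != expected:
            findings.append(Finding(ev["pid"], proc, "unexpected_parent",
                                    f"parent={ev['parent']} expected={expected}"))
        allowed = ALLOWED_DST.get(proc)
        if allowed is not None and ev["dst"] not in allowed:
            findings.append(Finding(ev["pid"], proc, "dst_not_allowlisted", ev["dst"]))
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_LOG):
        print(f"pid={f.pid} {f.proc}: {f.reason} ({f.detail})")
```

The rule is deliberately narrow: a trusted system process is allowed by name *and* by destination, so a thread injected into an otherwise healthy svchost.exe still has to reach its download server, and that connection is what gets surfaced. A real allowlist would be populated from the environment's observed update and time-sync endpoints rather than hard-coded.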
Day 2 of Mobile Business Expo was just as enjoyable as the first. Today I threw caution to the wind, took off my anti-virus researcher hat and locked my habitual suspicion away. Today I simply soaked up what the future has to offer in the way of mobility.
It's a future that's awe-inspiring, particularly when you consider (as one presenter pointed out) that the current generation only really knows mobile devices. It’s a generation that’s aware of desktops, but which shuns them in favour of modern smartphones and their prodigious communication functions.
There were a lot of predictions of increased smartphone use in the U.S. and the convergence of as-yet-unstandardized data transmission techniques. These will ultimately complement each other to provide better coverage and higher bandwidth capabilities for 3G and so-called 4G mobile devices.
A representative from Palm included some interesting statistics in her presentation: 65% of the U.S. workforce is mobile, and therefore equipped with a range of mobile devices, including laptops. And another statistic: 744 million smartphones in operation worldwide, with 104 million of them in the U.S. Far fewer than one might expect given how much of the workforce is considered mobile. I think these numbers show we can expect to see a significant rise in the numbers of mobile devices used in the U.S. for work purposes.
I put my anti-virus researcher hat back on to consider these statistics. With numbers like these, how long will it take before we reach the "critical mass" of mobile devices that gets talked about so often? And how long will it take before we see a corresponding rise in the number of mobile malware attacks?
I'm here at the Mobile Business Expo in Chicago. For anyone who’s been to Chicago, the great Windy City is certainly living up to its name this November.
So far, I’ve had the opportunity to sit on a panel on Best Practices in Smartphone and Laptop Security, which included representatives from NetMotion, Hewlett Packard, Good Technology and Unisys. A good mix of industry interests, and we got to share perspectives on where we currently stand on mobile device security.
There’s optimism because new technologies are being developed to detect and prevent threats to the mobile computing environment. The down side is that attackers will continue to develop methods to counteract the best-practice security measures that we put in place.
I explained to the audience that today, security awareness has to be practiced on a psychological and a technical level. Neither approach is enough on its own. There are times when only a human will be able to detect a social engineering trick, just as there are times that only a firewall will detect that data is being exfiltrated.
Although the plain truth is that things will get worse, the war against malware writers isn’t being lost. The landscape is simply changing. At the end of the day, common sense and a healthy dose of suspicion will go a long way towards ensuring security when using mobile devices.
Roel recently posted about user education. Last week I co-moderated a discussion workgroup at Net Focus UK on 'Building and managing an effective IT security training and awareness program'. I thought I'd share some of the key points that came out of the discussions on the subject of staff awareness as part of an overall security strategy.
As regular readers of viruslist will have noticed, we've been tracking the evolution of mobile malware with interest. This, naturally, includes collecting statistical data on the prevalence of individual threats. Of course, malicious code for mobile devices is relatively new, and there’s been a lot of discussion about whether or not it poses a real threat.
Data we've collected shows some interesting trends. For instance, the number of infected MMS messages is already close to the amount of malicious code found in mail traffic: 0.5% - 1.5% of MMS traffic is made up of infected messages.
Of course, it's difficult to monitor mail traffic for malicious code across the whole web. In contrast, scanning mobile traffic for malicious content can make a real difference.
Six months ago, BeeLine, the biggest Russian mobile network operator, implemented protection for MMS messages. Since then, the number of infected messages has fallen from 1.46% of MMS traffic to a record low of 0.46% at the end of October.
It's also been interesting to track the ups and downs in the number of infected MMSs - for instance, at the end of the summer holidays there was a sharp, though short-lived, rise in the number of infected messages to 1.72%, followed by an equally sharp drop.
It’s clear from these statistics that mobile malware is a real threat. It’s equally clear that it's a threat that can be tackled successfully.