Cold Cyber War
About the abuse of sensational catchwords
When I think of the word ‘war’, I think of a situation where two or more sides attack one another. And the attacks lead to casualties. This should also be the case in a so called cyber war. And something like that, has not yet been seen. And quite frankly, I don’t think we will see one materializing soon.
Happy New malware Year
A turbulent beginning of 2013
We can determine threats on two major fronts: Ruby on Rails, Java and Microsoft’s Internet Explorer form the first one – all web-related. And then there are flaws in Foxit Reader and Microsoft’s Windows RT, which also got in the line of fire.
Make updates! Restart your computer!
Pornography alarm or reboot?
But there is another pitfall: Most computer users do not realize that many software updates do not only need to be installed, but the computer needs to be restarted for the updates and patches to take effect. The combination of ignorance, impatience and laziness is fatal in this sense.
The safety of the PC stands and falls with the combination of your security software, the updates of the OS and other software and especially of your own behavior. Very often, the Achilles heel of PC security is human ‘procrastination’.
Users often don’t want to turn the PC or laptop off completely, because the startup takes too long. The endlessly used method to simply closing the laptop or choosing hibernation state of the PC is a phenomenon that most readers will be familiar with. The use of tablet computers even made it worse: those devices are ready to be used in an instant and therefore have made us even more impatient.
(more…)
Windows 8: Malware-free?
We always loved Microsoft’s operating systems as most of them are adopted very well in the whole world and security has been improving since years. The new incarnation of Windows 8 is somewhat different to the former ones as the interface underwent some notably big changes.
Windows 8 offers the same interface on many devices: Xbox, via desktop to tablet PCs and smart phones. Microsoft tries to make a user experience that is almost universal. Nevertheless, it appears that the app functionalities under Windows RT (the one for ARM tablets) and the program of the desktop version are not always the same.
You might think that having a very similar interface on the different devices enables you to do the same things on different hardware, but that doesn’t seem to be true in all the cases. Sometimes, the decision to change the user experience and the usability is a matter of security, and that is to be welcomed, but all in all, it creates confusion for the user.
A good example is Skype, from Microsoft. You can use it on any Windows device, but it is impossible to send over files under Windows RT – most possibly because of the security restrictions, due to the sandboxing approach. That is an ambiguous feature, from a user’s point of view. And that’s not the only critical view we have.
The AVAR conference 2012 in Hangzhou, China
IT security specialists discuss and shape their industry’s future
This year’s AVAR Conference is covering a lot of trending topics ranging from mobile malware to botnets. Seji Murakami, Chairman of AVAR, traditionally opened the conference with a warm welcome speech. This year, the keynote speeches were focused on Android security product testing (AV-Test), preventive actions concerning malware in China (CERT China) and malware trends (Microsoft).
IT security specialists now gathered for the 15th edition of the conference and it always tried to highlight the specific problems related to Asian malware. One of the main topics over here is “working all together against cybercrime” which is, unfortunately, not always an easy thing to do.
If you are interested in the agenda and information about the other topics discussed, you can find a lot of information on the AVAR Conference 2012 website. Furthermore, more info about the next conference’s venue and future topics will also follow on the official AVAR homepage.
This article can be found also on the G Data Blog.
The lack of basic security and good consultancy in a world dominated by an economical crisis
Why basic antivirus is not failing.
So, several companies and the general public were claiming that we all were too late in stopping these threats. Looking at the case of Flame the AV industry found out that we already had some samples of it when the news became public, but we were not aware of it. The samples have never been verified as being malicious before. Also Stuxnet went undetected for over a year after it was found.
So, the question might be the following: Is the anti-virus industry ready for the next battle? Can we all, with our tight consumer antivirus industry related budgets, be up against targeted malware or APT’s created by organizations with a lot of money?
This website is 17 years old!
Back in 1995 at the end of August I started this website as one of the first anti-virus and security sites in the world. Today I nearly forgot this anniversary. The reason for this is that the speed of news and amounts of malware related problems has been growing like hell. The amounts of data and malware we see these days are excessive. I am personally involved with all this stuff much more (24/24 7 days a week) these days compared to 1989 when it all started for me. The hacks we see these days are worrying. The mentality of people seems to be changed dramatically and hacking (read ‘cracking’) seems to be as normal as having dinner these days. Cyberwarfare, cybersabotage and cyberespionage are now also part of the problem. I wish I could say over 17 years: ‘Yes we’ve done it, we (the AV and security industry) solved the malware problem’ but I’m now sure that this is probably wishful thinking and never will be the case. However this battle isn’t over yet. Malware writers, hackers and other cybercriminals be prepared that also the laws are changing, maybe you could start thinking about finally turning you’re skills into the good direction. I hope nations will think twice when writing nation-state driven malware or even thinking of hacking back the hackers. An eye for an eye makes the whole world blind (Mahatma Gandhi).
Three importants AV industry events in a row
EICAR
While the EICAR conference 2011 was dominated by the buzzword cyberwar, the 2012 EICAR conference, actually the 21st, was focusing on ‘Cyber Attacks – Myths and Reality in Contemporary Context’. The conference took place at the Marriott Hotel in Lisbon.
The recent past brought a considerable shift in the underground malware authors’ mentality; a swing from the thrill-seeking geek striving for flame or glory to the professional culprit methodologies and, even more importantly, the inadequate expertise of the average user, for monetary gain. The next contemporary threat scenario calls for an adaptation of the technology and the defense methodologies. Even if scientific research would provide the baseline for some innovations, we still need to have a more holistic approach on the implementation of new innovations. This conference therefore invited researchers to address some of these issues in their papers.
This year’s event was another great one and we are already looking forward to the next one, including some new initiatives from EICAR which should appear soon on the EICAR’s website. If things turn out as planned, the EICAR 2013 conference will be held in Cologne, Germany, 9-11 June 2013. (more…)
Several important events in one month
4 fruitful meetings and thriving events: G Data at AMTSO, RSA , CeBIT and Infosecurity Belgium
The end of February and March have always been dedicated to several traditionally important security industry events of the year. This year, it started with an AMTSO Meeting and was followed by the RSA conference, the biggest IT security conference in the US, in the beautiful city of San Francisco. CeBIT, is still one of the most important events in the world for the digital industry, held in Hannover, Germany. The RSA conference and CeBIT traditionally have a lot of other, minor security related meetings where we also participated in.
The good and the bad about AV multi scanner services
Online AV multi scanners are used quite often these days. However, not every user is aware of these sites and what their possibilities and limits are. Using the public online multi scanner services can be useful, but the analysis results don’t allow straightforward conclusions.
It is common for malware samples to remain undetectable for hours or even days. G Data has got comprehensive and fast detection rates for malware through our cloud technology. But still, some users might want to know more about a particular suspicious file or even analyze it themselves.
One of the easiest ways to accumulate a minimum of the desired information is provided by using online AV multi scanners. There is an interesting concept behind that: when you found a suspicious file on your pc, you can easily upload it to the service and have an immediate result as the file itself will be scanned with various up to date virus scan engines. This principle has been around for years now and gives you some immediate insight into a suspicious file. And there are indeed several of these scan service sites around. The most popular possibly is VirusTotal but you have several other ones like Jotti, NoVirusThanks, Metascan or Virscan, to name only some of them.
How does it work?
Let’s have a look at one of the most popular services, VirusTotal. You can submit your sample on a website but you could also use an email submission feature – whatever suits your needs. Online, you can even use some hash value searching, meaning that you can search their existing database of scanned files based on a sha1, sha256 or md5 hash. This feature is handy if you don’t have an actual file but know the hash value of it.
Bug bounty initiatives: a summer approach against cyberthreats?
(This blog article has been published at the G Data Security Blog over here.)
The summer season has always been a mixture of holidays and launching new intiatives against cyberthreats if you look back at the past months. One of the new initiatives is brought to us by Microsoft with what they call the Blue Hat Prize. It is a contest that wants to generate new defensive approaches in the field of computer security. By launching this initiative, MS wants to develop new solutions to resolve security threats. And there are interesting prizes for the participants, ranging from $10,000 to $200,000.
It is known that MS also has some internal research conferences, but this new program will focus on new technology and defense against memory safety vulnerabilities especially. Microsoft clearly wants to encourage researchers to think about new ways of defeating entire classes of bugs instead of MS paying for individual bugs only, like some other companies are doing.
Mobile and in-the-cloud OSes: Moving to the cloud, moving to different threats?
Lots of companies and home users “have their head in the clouds” moving their services, servers and data to the cloud without realizing they are using the cloud since a decade already and they have never given any thought about security of using services from the cloud. Even now, with financial incentives, they do not consider or look at the security implications at all.
Where does a network stop these days? Where does the business network stop? This is not easily definable anymore. Today, networks lacks clear crisp boundaries and it becomes more and more difficult to define what the real inside and outside of the corporate network is. It even becomes more and more difficult for normal users to protect themselves and to detect the real risks behind every part of the network.
Mobile Payments, DroidDream and a Reactive Policy Add up to Major Headaches
Malware writers are entrepreneurs who are always looking for the best return on investment. The Android operating system, combined with the Google Wallet Service, will offer a record-setting ROI if current policies continue. Let’s look at why.
According to Gartner and IDC, Android is the market leader in mobile operating systems, so it is logical that cyber criminals will target the platform. Android malware can easily be spread through apps, which makes it an attractive target. Not only did the beginning of 2011 see the emergence of this trend, but soon Android will take the lead as the most targeted mobile operating systems in terms of malware.
A lot of problems result from the fact that apps can be distributed via different online shops and channels. And nobody, except for security experts, is looking for malware inside the apps.
The first proof of the official Android Market being interesting for cybercriminals was reported in March 2011, called DroidDream, a family of malware which uses a pair of exploits to gain root access on vulnerable Android devices. A large number of Android applications was reported to be infected and all were pulled from the Android Market after it was reported to Google. All of the applications were versions of legitimate programs that were Trojan-ised and rebuilt by the malware authors, loaded with malicious code. DroidDream sends a collection of information like IMEI, IMSI, OS version, etc. to the attacker and then attempts to download additional software and payloads.
AMTSO, CARO and EICAR – conferences and events – an overview
The beginning of May was dedicated to three traditionally important security industry events of the year. It started with an AMTSO Meeting, then the CARO Workshop followed and it ended with the EICAR Conference. I participated for G Data in all of them!
You can find the original posting of this article at the G Data Security blog.
G Data is one of the members of AMTSO (www.amtso.org), an organization currently comprised of around 40 members, representing testers, vendors, academics and publishers involved in anti-malware research. I was at the last AMTSO members’ meeting which was held in Prague. As always, a lot of work was done during the workshops: The document “AMTSO Guidelines on Facilitating Testability” was initiated at the suggestion of testers and developed jointly by testers and vendors. The new paper is the latest in a succession of guidelines and best practice documents already published. The AMTSO members also agreed to expand the range of documentation the organization produces to include more educational material. They also introduced changes to the voting procedure to ensure that documents cannot be approved by the members unless a majority of testers agree that the content is up to standard. This step mentioned last is designed to avoid any possibility of bias in favor of any group within the organization.
The Rise of the Targattacks*: Cyber espionage and sabotage: the new way
*Abbr.: targeted attacks
During the last 18 months we saw a growing number of targeted attacks against numerous companies and organizations. Let’s briefly have a look at some of them:
- The Aurora Attack: an attack that began in mid 2009 and continued until December 2009. The primary goal of this attack was to gain access to high tech, security and defense companies and potentially modify source code repositories. For example at Adobe, Juniper, Google, Yahoo, etc…
- German Emissions Trading Authority (DEHSt): suffered from phishing attacks carried out in January 2010. Scamsters circulated their fraudulent emails masquerading as email from the DEHSt and persuaded the recipients to login to a counterfeit website, ironically to protect themselves against alleged hacker attacks. Using the stolen access data, the attackers transferred emissions permits, primarily to Denmark and Great Britain, and in so doing allegedly gained up to three million Euros illegally. It is readily apparent that targeted phishing attacks can be very lucrative.
- Stuxnet: a Windows computer worm discovered in July 2010 that targets industrial SCADA software and equipment with the aim of attacking an Iranian nuclear plant. The attack seems to have been successful as the enrichment of Uranium was heavily delayed.
- G20 Files attack: was announced in March 2011 but had already been going on for several months. The G20 is made up of the finance ministers and central bank governors of 19 countries and discusses key issues of the global economy. Over 150 ministry computers of the G20 were attacked. The attacks aimed at files related to the G20 meetings.
- RSA breach: RSA is a well known security company specialized in identity and access solutions. Hackers may have gained access to part of the code generation algorithm used in RSA SecurID tokens. At least some information was extracted but it’s still unsure if it will actually cause future problems.
- EU Commission Summit attack: this was a targeted attack against some specific servers at the EU Commission in Brussels, found and stopped before the EU March 2011 Summit. As not much is known about it, we suppose that nothing important has been leaked.
- Epsilon email breach: Epsilon is a well known online marketing company that is working with hundreds of large companies around the world and stores millions of email addresses in its databases. Hackers have stolen customer email addresses and names belonging to a “subset of its clients”. Some big companies such as Disney, Citibank, Verizon, etc … were involved.
And this list is still not complete.
It never stays quiet on the internet: The Lizamoon attack, the update problem?
It never stays quiet on the internet and new attacks or malware are seen every day. The last week however we saw an interesting mass SQL injection attack, referred to as Lizamoon, which was spreading and has infected several millions of URLs last week (March 29 until April 4). Even after a week, thousands of comprised websites don’t seem to be cleaned up, yet.
What are we talking about?
The mentioned attack uses SQL injection techniques to insert rogue code into the databases of websites. SQL injection is a code injection technique that misuses available functionality that is not filtered away properly. In other words: The vulnerability is present when user input is not correctly filtered for escape characters embedded in SQL statements or if the input is not strongly typed and by this unexpectedly executed (cf.: Wikipedia).
The following code was injected into a large number of websites:
<script src=hxxp://lizamoon . com / ur . php >
CeBIT 2011 and G Data
CeBIT starts on March 1st in Hannover, showcasing the latest developments in the IT industry. G Data is using the largest IT trade show in the world this year to launch the next generation of security for businesses and home users. G Data presents this year’s trade fair highlight: Generation 11 of its network solutions, equipped with a powerful backup module in all Enterprise versions. Also being revealed is G Data MobileSecurity, a security solution for Android phones. Mobile phone owners will thus be able to effectively secure their mobiles against malware. Another first that will be announced in Hannover is G Data CloudSecurity. This free browser plug-in blocks infected websites,making surfing the internet more secure. Besides presenting these innovations, the provider from Bochum, Germany is also offering a comprehensive programme in the G Data Arena, Hall 11, Booth D35.
I personally will take part in the Global Conferences during a panel session about the importance of security which is detailed below. It’s an interesting line up of experienced speakers, CEO’s or VP’s which will be sitting next to me. I will be available for interviews and chats the whole week (minus Saturday) at our booth. By the way I like my new title: Global Security Officer. ;-)
Upcoming meetings and events like AMTSO, RSA, CeBIT, etc …
It seems that my busy months are coming up with a lot of travelling. Very soon you can see me speaking at some national and international events.
Close to my home you can find me at ‘This is IT’ in the Netherlands www.apeldoorn-it.nl/congres (3 February 2011). The week afterwards I will teach the teachers at the ICT day for teachers in Belgium http://www.ictdag.be/ (7 February 2011). After this I will be travelling to San Francisco for AMTSO and the RSA conference (14-18 February 2011). The AMTSO members’ meeting will be held at San Mateo, California, on the 10th-11th February, just before RSA. I’m pretty sure that everybody will find some interesting material coming out of the organization in the next few weeks. There’s more information on this year’s AMTSO meetings on the AMTSO meetings page at http://www.amtso.org/meetings.html, including a preliminary agenda.
And don’t forget CeBIT (1-5 March 2011). This year G Data will take an active part in the very famous CeBIT Global Conferences in Hannover. Dr. Dirk Hochstrate will attend the IT-Security panel on Wednesday, 2 March. On the Global Conferences only the top spokesmen of the IT branch are invited to discuss new trends and their visions for the future. At the same moment you can go to our English press conference where you will see me in front of the room.
I will give you more info about our upcoming CeBIT events soon.
New interesting moves from AMTSO during the last meeting in Munich, Germany
This is a copy from the original posting at the G Data Security Blog.
G Data is one of the members of AMTSO (www.amtso.org), an organisation currently comprised of 37 members, representing testers, vendors, academics and publishers involved in anti-malware research. Last week I was at the last AMTSO members’ meeting which was held in Munich. As always, a lot of work was done during the workshops.
First of all, some guidelines about testing for false positives (FP) were adopted. The False Positive issue is a common problem and the security industry dedicates a lot of resources to ensuring the highest quality and to reduce False Positives heavily. We welcome the new joint guidelines related to testing of false positives and we are hoping that in the light provided by these new guidelines, the FPs from all security products will be much more fairly assessed. The new documents can be found at www.amtso.org/documents.html.
A critical look at the major takedown of BredoLab by the Dutch High Tech Crime Unit: More International Cybercrime laws needed!
Yesterday, 25 October 2010, The Dutch High Tech Crime Unit of the KLPD announced a major takedown of a large botnet, known as Bredolab.
You can find more and a copy of this blog entry at the original G Data posting page.
Bredolab is a big family of polymorphic Trojans and has been thought to install parts of the Cutwail botnet in the past. The botnet has spread through drive-by-downloads and email. Bredolab is known to send out large email spam campaigns and the installation of fake security products. The Dutch company LeaseWeb was hosting this botnet, without their knowledge. After the company was informed about this fact, they gave full cooperation to the authorities to take the botnet down.
Even though this was the largest operation against cyber crime in the Netherlands so far, it was not unique. It has been done in serveral other countries before, like the US, Spain and even in the Netherlands. The striking point is how things will be handled from here. The High Tech Crime unit will use the existing botnet infrastructure to send a program to all infected machines, showing them a warning : “Users of computers with viruses from this network will receive a notice at the time of next login with information on the degree of infection.” This screen is shown in a video. Click the following direct link to see it: http://teamhightechcrime.nationale-recherche.nl/nl_infected.php
New website and the start of my world tour
You possibly already found out by now that I refurbished my personal website otherwise you weren’t reading this.
I really hope you like the new look of this site which took us several weeks to come up with. It was really necessary after a long period of silence I think.
With this new look I’m also starting my world tour where I sometimes will attend some conferences and sometimes will speak at these events.
Just finished with our G Data’s press tour in the Benelux I’m ready for the next events:
- BruCon Conference: Brussels, Belgium (attending)
- Virus Bulletin Conference: Vancouver, Canada (speaking together with Righard Zwienenberg(Norman) about internal attacks and problems in the cloud)
- Infosecurity NL: Utrecht, The Netherlands (attending)
- AAVAR Conference: Bali (speaking together with David Harley(Eset) and Lysa Myers(Westcoast Labs) about product evaluation and malware simulation)
- G Data Japan Press Tour: Tokyo (speaking)
And this is just the beginning … more trips are planned even during the writing of this piece.
One trip could be very interesting but it’s still undecided if I will participate …. but stay tuned as I could meet some VIPS of the world. ;-)
Could the DLL-hijacking problem be underestimated?
This is a small copy of the official G Data Blog
Find the full and official version at www.gdatasoftware.com
Last week, HD Moore released details about a serious DLL problem under Windows. HD Moore is known as developer of the Metasploit application.
After a week, Microsoft released more information, discussing bad practices in DLL loading that could lead to remote exploitation, which is the main source of this problem. They have recently released tools which can help mitigating the risk. But the real and possibly best solution is for developers to patch their applications to follow best practices.
There is little that can be done by those of us in the security community, or Microsoft for that matter, as many applications are designed to take advantage of this flaw and it could take many weeks or months for application developers to release better designed programs and encourage users to update to these new versions. Some of the programs will be updated automatically, some of them won’t. The patches Microsoft is offering do work, but it could make several programs unusable and prevent them from backward compatibility.
The Microsoft LNK / USB worm / rootkit ‘issue’ will kill WIN XP SP2 and WIN2000 earlier…
Just recently, reports were released about a new kind of malware propagating through removable drives. The said malware exploits a newly-discovered vulnerability in shortcut files, which allows random code to be executed on the user’s system. Microsoft has officially acknowledged the vulnerability and released a security advisory.
The malware some of the AV industry detects as Win32/Stuxnet, unfortunately, is a worm (and rootkit) of a slightly different colour. It can propagate making use of a 0-day vulnerability described here and also listed by CVE as CVE-2010-2568.
The biggest problem is that Windows (specifically, the Windows Shell) can be tricked into executing malicious code presented in a specially-crafted shortcut (.LNK) file linking, in turn, to a malicious DLL (Dynamic Link Library).
The problem is in the way that Windows Shell fails to parse the shortcut correctly when it loads the icon, it isn’t necessary to click the icon for the malicious code to be executed! The code will be executed without any action on the part of the user once that folder is opened to access whatever legitimate files are on the device.
