05/20/2010

What's with the "Earthquake" Exploit, KHOBE?

Earlier this month, security researchers at Matousec released details of research they've done that, they claim, bypasses 100% of antivirus software.

As you might imagine, there's quite a bit of concern about this, particularly among business users, and all the more so now that the mainstream media has started discussing the so-called KHOBE attack.

Let's dig into this a bit and see what's behind the hype.

What is KHOBE?

It's an acronym for:

Kernel
HOOK
Bypassing
Engine

Put another way, it's a way for attackers to trick antivirus software. ZDNet's writer, Adrian Kingsley-Hughes, does a great job describing how this works here:

"The attack is a clever 'bait-and-switch' style move.

"Harmless code is passed to the security software for scanning, but as soon as it's given the green light, it's swapped for the malicious code.

"The attack works even more reliably on multi-core systems because one thread doesn't keep an eye on other threads that are running simultaneously, making the switch easier."

Kingsley-Hughes goes on to say, "Oh, and don't think that just because you are running as a standard user that you're safe, you're not. This attack doesn't need admin rights."

OK, now this is starting to sound like a pretty big deal.
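The bait-and-switch Kingsley-Hughes describes is a time-of-check/time-of-use race: the hook scans an argument that still sits in memory the caller controls, and the caller changes it after the scan but before the real system call reads it. What follows is an added example, not code from this post, from Matousec or from any antivirus vendor: a user-space toy in which `swap_hook` stands in for the second thread doing the switching, so the race is deterministic rather than a matter of timing. All names in it are invented for the illustration.

```python
"""Added example: a user-space model of the check-then-use race behind
KHOBE-style hook bypasses. Not code from the post, from Matousec or from
any antivirus vendor; names here are invented for the illustration."""

MALICIOUS_MARKER = b"EVIL"  # stand-in for whatever the scanner detects


class SharedArgument:
    """A buffer that lives in memory the caller still controls, so a second
    thread can overwrite it after the hook has looked at it."""

    def __init__(self, data: bytes):
        self.data = data


def is_clean(data: bytes) -> bool:
    """The scanner's verdict on one snapshot of the data."""
    return MALICIOUS_MARKER not in data


def vulnerable_dispatch(arg, execute, swap_hook=None):
    """Double fetch: the hook reads arg.data for the scan, then the real
    handler reads arg.data again. swap_hook models the other thread that
    runs in between; in a real race there is no hook, just bad timing."""
    if not is_clean(arg.data):          # first fetch
        return "blocked"
    if swap_hook is not None:
        swap_hook()                     # the other thread swaps the buffer
    return execute(arg.data)            # second fetch: acts on the swap


def hardened_dispatch(arg, execute, swap_hook=None):
    """Single fetch: copy once into memory the caller cannot reach, scan the
    copy, and hand exactly that copy to the handler. The swap, if it happens,
    changes a buffer nobody reads again."""
    snapshot = bytes(arg.data)          # the only fetch
    if not is_clean(snapshot):
        return "blocked"
    if swap_hook is not None:
        swap_hook()                     # same race window, now harmless
    return execute(snapshot)


def run(data: bytes) -> bytes:
    """Stand-in for the privileged operation; returns what it would act on."""
    return data


def demo(dispatch):
    """Drive one dispatcher through the race; returns what ended up running."""
    arg = SharedArgument(b"harmless content")

    def swap():
        arg.data = b"EVIL payload"

    return dispatch(arg, run, swap)


if __name__ == "__main__":
    print("vulnerable:", demo(vulnerable_dispatch))   # the swapped payload
    print("hardened:  ", demo(hardened_dispatch))     # the scanned content
```

The hardened version is the same fix an SSDT-hooking driver needs: copy the user-mode argument into kernel memory before validating it, and never go back to the user-mode copy afterwards. It also explains the multi-core remark quoted above: on one core the swapping thread has to be scheduled inside the window, while on two cores it simply runs alongside the scan.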

Mitigating Factors with KHOBE

Here's where things *do* start to become more positive though:

Mitigating Factor / What It Means

  1. Requires a lot of code. This makes it less-than-ideal for most attacks to work. Since this code has to somehow be transferred to your machine, its current size makes it more difficult to use as a mechanism to bypass security software.

  2. The software has to already be on your computer. Wha? Yes, that's right. From what the antivirus software vendors can tell thus far, the software doesn't actually bypass their software (at least the ones we've heard from) unless it's already there to begin with. This could be because you're installing their software after you've been infected with this code or because you disabled your antivirus program.

  3. There aren't any known exploits--or exploit kits--that rely on this technique. (At least not yet.) The chances of encountering this in the real world are still very, very minimal.

  4. It only affects antivirus software that uses the System Service Descriptor Table (SSDT), which is used less and less frequently than it once was. Antivirus companies are moving (or have already moved) away from the use of the SSDT since Windows Vista. Windows XP seems to be the last Microsoft Windows OS where the security vendors commonly relied on the SSDT for their antivirus software.

     This means if you're running Windows Vista or 7, chances are your antivirus or Internet security software is already immune to this exploit.

     Antivirus maker Sophos says, "Sophos's on-access anti-virus scanner doesn't use SSDT hooks, so it's fair for us to say that this isn't a vulnerability for us at all."

     VIPRE Antivirus' maker, Sunbelt Software, says, "...it would affect antivirus programs that use SSDT. We don't use SSDT in VIPRE for Windows Server 2008, Vista and Windows 7. We do use it for older operating systems, like Windows XP."

  5. It's difficult to make work. The code works, yes, but given the many things that are required for it to work, even if you were to encounter it "in the wild," there's still no guarantee your computer will be infected.

Antivirus Vendor Responses

Sophos and Sunbelt aren't the only antivirus companies refuting the claims. Security company F-Secure says,

"We believe our multi-layer approach will provide sufficient protection level even if malicious code were to attempt use of Matousec's technique.

"And if we would see such an attack, we would simply add signature detection for it, stopping it in its tracks. We haven't seen any attacks using this technique in the wild.

Our Take on KHOBE

This is true not just for F-Secure, but for all Internet security software vendors.

If there were real-world exploits using this attack that they'd encountered, adding signatures for those attacks should be able to defeat the attack pretty easily.

Regardless of the outcome of the debate about this particular exploit, there are still a couple of take-away points as far as we're concerned,

  1. Run the best antivirus software you can afford.
  2. Keep it updated--frequently.
  3. Even if you're updated and protected against known threats, it's critical to regularly backup your system so that if something does get by your defenses, at least you can restore your system to a point before the infection.

12/29/2009

Mega-D Spam Botnet Disabled

Score 1 for the good guys!

PCWorld brings news of how security company FireEye brought down the Mega-D Botnet, one of the most notorious spam-spewing botnets to date.

Atif Mushtaq, a FireEye researcher, spent two years working to keep their clients' networks free of the dreaded malware, and in doing so,

"...he learned how its controllers operated it.

"Last June, he began publishing his findings online.

"In November, he suddenly switched from defense to offense. And Mega-D--a powerful, resilient botnet that had forced 250,000 PCs to do its bidding--went down."

Obviously, taking on something of this scope isn't a small task, and according to the piece at PCWorld, Mushtaq and two colleagues began their efforts by going after the Mega-D command infrastructure in an effort to prevent the botnet from getting--or issuing--further instructions to the PCs that had been infected with their malware.

The story of how these guys took on Mega-D really is pretty incredible. They began by contacting the ISPs that hosted the botnet servers. It's easy for some to blame the ISPs hosting the servers, but the reality is that in large ISPs and datacenters, the datacenters know little about what happens on their servers. How can they?

As far as most datacenter owners are concerned, their customers are good customers, hosting legitimate websites. Setting up a legitimate website--or many--is easy cover for the malware operators: show the datacenter staff the legit sites and then secretly also host your bad stuff at the same place.

It's not rocket science.

So Mushtaq's team contacted the ISPs, which his research showed were mostly based in the United States, with one in Turkey and another in Israel.

For unknown reasons, the foreign ISPs declined to take down the servers, but those in the U.S. complied.

Given the lack of cooperation from the foreign ISPs, they took another approach and contacted the domain registrars, which agreed to point Mega-D's existing domain names to nowhere.

Given that most registrars remain neutral in things like this, this was quite a win, and it meant,

"By cutting off the botnet's pool of domain names, the antibotnet operatives ensured that bots could not reach Mega-D-affiliated servers that the overseas ISPs had declined to take down."

The last part was getting the rest of the domains that Mega-D had queued to use, which the registrars then pointed to FireEye's servers so the good guys could then assume control of the botnet's last-ditch command-and-control efforts.

According to logs set up on the FireEye servers, they estimated that the botnet consisted of about 250,000 Mega-D-infected computers.
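Once the queued domains pointed at FireEye's servers, every infected PC that tried to call home left a line in the sinkhole's logs, and counting those lines is where a figure like 250,000 comes from. The script below is an added example of that counting logic, not FireEye's code; the log format and the addresses in it are constructed for the illustration. It also carries the caveat a practitioner would attach to such a number: a source IP is not a machine, because NAT hides many hosts behind one address and DHCP gives one host many addresses over time.

```python
"""Added example: estimating a botnet's size from sinkhole connection logs.
Not FireEye's code; the log lines below are constructed (documentation
address ranges, invented request path)."""
from collections import defaultdict
from datetime import datetime

# Constructed sinkhole log: UTC timestamp, source IP, request line.
SAMPLE_LOG = """\
2009-11-05T10:00:01Z 198.51.100.10 GET /check.php
2009-11-05T10:00:04Z 203.0.113.7 GET /check.php
2009-11-05T10:05:01Z 198.51.100.10 GET /check.php
2009-11-05T23:59:59Z 192.0.2.44 GET /check.php
2009-11-06T00:00:03Z 203.0.113.7 GET /check.php
2009-11-06T01:00:00Z 192.0.2.45 GET /check.php
garbage line the parser must skip
"""


def parse_line(line):
    """Return (timestamp, source_ip), or None for lines that do not parse."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return ts, parts[1]


def unique_sources_per_day(log_text):
    """Map each calendar day to the number of distinct source addresses seen.
    Repeat check-ins from the same address on the same day count once."""
    per_day = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, ip = rec
        per_day[ts.date().isoformat()].add(ip)
    return {day: len(ips) for day, ips in sorted(per_day.items())}


def total_unique_sources(log_text):
    """Distinct addresses over the whole capture. Inflated by DHCP churn:
    one bot that changes address daily is counted once per address."""
    return len({rec[1] for rec in map(parse_line, log_text.splitlines()) if rec})


def estimate_bot_population(log_text):
    """Peak daily unique sources: the bots that were online on the same day.
    A lower bound on infected machines (NAT hides hosts behind one address)
    that is more stable than the whole-capture total."""
    counts = unique_sources_per_day(log_text)
    return max(counts.values(), default=0)


if __name__ == "__main__":
    print(unique_sources_per_day(SAMPLE_LOG))
    print("total addresses:", total_unique_sources(SAMPLE_LOG))
    print("population estimate:", estimate_bot_population(SAMPLE_LOG))
```

On real sinkhole data the per-day series is also the takedown's success metric: check-ins to the sinkhole should stay flat or climb as remaining bots lose their old servers, while the spam volume measured elsewhere (the MessageLabs figures quoted further down) falls.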

As for what this all means in the big picture, it means a few things:

  1. Botnets aren't impervious to being taken down
  2. Cooperation from ISPs, and ultimately domain registrars, too, can be a critical component in shutting down these botnets
  3. Wresting control from the malware operators is a tough job, and even given their diligent efforts, it was a long, hard task to do
  4. In addition to keeping your PC and your software patched, there's no substitute for having the best antivirus firewall software installed and running, since Internet security suites can prevent many infections in the first place and clean up your computer if you're already infected.

And, as for what it means to've taken down Mega-D,

"MessageLabs, a Symantec e-mail security subsidiary, reports that Mega-D had 'consistently been in the top 10 spam bots' for the previous year (find.pcworld.com/64165).

"The botnet's output fluctuated from day to day, but on November 1 Mega-D accounted for 11.8 percent of all spam that MessageLabs saw.

"Three days later, FireEye's action had reduced Mega-D's market share of Internet spam to less than 0.1 percent, MessageLabs says."

All-in-all, it's good news--and a good day--for those of us who hate spam and for those of us who're trying to keep our PCs free of viruses, trojans, worms, and any other malware.

12/03/2009

Cameroon Domains (.cm) Most Likely to Host Malware

An interesting post yesterday on malware statistics at The Register caught my eye: more than one in three (36.7 per cent) of the domains registered in the West African country host viruses or malicious code.

Cameroon domains are those that end in .cm and are easily arrived at as keyboard typos.

Imagine you've just meant to go to: www.example.com

Instead though, you've just typed: www.example.cm

That missing 'o' in .com in millions of domain names will take you to a different site than the one you intended, and in this case, the .cm domain extension belongs to domains that are supposed to be sites in and of Cameroon.

This little typo, according to a report called, "Mapping the Mal Web, The World's Riskiest Domains," [.pdf] by McAfee, Inc., makers of McAfee Antivirus,

"may explain why cybercriminals have set up fake typo-squatting sites that lead to malicious downloads or spyware under the country's domain."

It doesn't take a rocket scientist to figure this one out. Such an easy typo, combined with a country not known for Internet security, is all it takes to ensnare many unsuspecting computer users.

By setting up a bogus site at domains ending in .cm, the malware and virus writers are easily able to get people to visit their servers that host scripts that can automatically infect your computer with a virus, trojan, keylogger, or other malware.

Unless you're highly technically competent and can set up your own DNS server, the only practical solution for most consumers is to do all of the following:

1. Keep your computer patched.
A PC with the latest Microsoft Windows updates is significantly harder to infect than an unpatched computer.

2. Don't run as Administrator (or with Administrator privileges.)
By running with a user account with lower permissions, it makes it harder for some viruses and malware to infect your machine.

In contrast, when you run with Admin privileges, you're giving the edge to the viruses, as your account has all the permissions they need to infect your machine, hide themselves, and become even harder to remove.

3. Check your web browser's security settings.
Sometimes, regardless of whether you're running Internet Explorer, Firefox, or Opera, the default permissions can get in the way of you doing what you need to when you're web surfing.

Because of this, you may have altered the default permissions to looser ones that can make it easier--or even enable--these types of malware attacks.

4. Run antivirus firewall software.
Internet security software, including a firewall, antivirus software, and antispyware can help prevent the malware scripts from infecting your machine.

The piece did have some positive news... it looks like Hong Kong is taking things seriously on the virus and malware front:

"Hong Kong (.hk) websites have successfully managed to purge themselves of malware threats – dropping from the most risky domain last year, to a mid-table (34th) position next year.

"This year only 1.1 per cent of .hk sites pose a risk, compared to one in five .hk Web sites setting off warning bells in McAfee's equivalent report last year.

"McAfee credits 'aggressive measures' from .hk’s domain managers in clamping down on dodgy registrations for the drop."

Hats off to the domain registrars in Hong Kong.

Top 10 Riskiest Top Level Domain Extensions [1]

  Rank  Country / Name        Extension
  1     Cameroon              .cm
  2     Commercial            .com
  3     China                 .cn
  4     Samoa                 .ws
  5     Information           .info
  6     Philippines           .ph
  7     Network               .net
  8     Former Soviet Union   .su
  9     Russia                .ru
  10    Singapore             .sg

[1] Data originally published in McAfee's "Mapping the Mal Web, The World's Riskiest Domains," [.pdf]

11/05/2009

Critical Security Vulnerabilities in Adobe Shockwave Player

Let's cut to the chase: patch your Adobe Shockwave. There are four different critical vulnerabilities in the Adobe Shockwave Player that let an attacker remotely execute the code of their choosing on your PC.

Download Adobe Shockwave

Vulnerability / Cause / Why It Matters

  1. Cause: an invalid index when handling certain Shockwave content. Why it matters: it could be exploited to execute arbitrary code by tricking a user into visiting a specially crafted web page.
  2. Cause: an invalid pointer when processing certain Shockwave content. Why it matters: same.
  3. Cause: an invalid pointer when handling certain Shockwave content. Why it matters: same.
  4. Cause: a memory corruption related to string processing. Why it matters: same.

It isn't clear how much these threats can be mitigated by Internet security software, but typically the best antivirus firewalls do help mitigate these types of attacks.

Whatever the case, though, please take a minute now and update your Shockwave player. It's worth the time to eliminate this simple-to-exploit attack vector.

09/30/2009

9% of Enterprise Computers are Bot-Infected

One of the most common misconceptions about computers in a business environment is that somehow, perhaps because of corporate firewalls, perhaps because of the presence of IT professionals in an office, office computers are immune to virus, bot, worm, and other malware infection.

There's very much a mistaken attitude of, "It's not like *my* office could get a virus!"

In fact, because office machines are typically connected via high-speed (or even very high speed) Internet connections, they may actually be more prone to these types of infections. Why?

High-speed connections are more desirable for those running the botnets and malware than a single machine on its own cable modem or DSL. Furthermore, once one of these machines behind a firewall is infected, even behind a very, very good firewall, it's much easier for worms and the like to spread, because once they're behind the firewall, leaping from machine to machine is far easier than trying to penetrate through the firewall to get to them.

Put another way, once they're in, they're in.

A very interesting article on botnets on darkREADING.com discusses how things are shifting to target enterprises. According to the piece, up to 9% of machines in an enterprise are bot-infected.

What's even more interesting is how the new bots are actually being targeted towards the enterprise.

"The bad guys are also finding that deploying a small botnet inside a targeted organization is a more efficient way of stealing information than deploying a traditional exploit on a specific machine.

"And Ollmann says many of the smaller botnets appear to have more knowledge of the targeted organization as well.

'They are very strongly associated with a lot of insider knowledge...and we see a lot of hands-on command and control with these small botnets.'"

That's just the start, too. What it appears these new botnets are doing often is acting to steal information from the organization.

The article goes on, quoting Gunter Ollmann further:

"'I suspect that a sizable percentage of small botnets are those developed by people who understand or are operating inside a business as employees who want to gain remote access to corporate systems, or by criminal entities that have dug deep and gotten insider information on the environment.

"'The reason why we know this is the way the malware is constructed -- how it's specific to the host being targeted -- and the types of command and control being used.'

"Bot agents are often hard-coded with the command and control channel so they can bypass network controls with a user's credentials."

One of the key things from this piece is that these botnets are actually using users' credentials--their usernames and passwords--on the networks to further penetrate the network and get what they're after.

While we're definitely fans of firewalls--hardware and software--it's clear that there's still a need for running the best antivirus software and antispyware that your company can afford to help prevent and ferret out these botnet infestations.

Furthermore, while the article is specifically about hand-crafted bots, there's still risk from traditional garden-variety botnets and other malware threats, and here again, good antivirus firewall software can often serve as a last line of defense, even in the presence of a robust enterprise-grade firewall.

08/26/2009

New Precautions from Banks about Online Banking

It goes without saying that the cybercriminals are getting smarter... a lot smarter, and they're writing more and more sophisticated trojans, viruses, and all forms of other malware to get at your computer and ultimately your data and personal information.

This has led a banking industry group, the Financial Services Information Sharing and Analysis Center, to recommend that its member banks notify their customers (i.e. businesses who do online banking) to take much more stringent measures to ensure secure communications between their business and the banks.

According to the Washington Post's Security Fix blog which has a post, Tighter Security Urged for Businesses Banking Online on this very topic,

"The group recommends that commercial banking customers 'carry out all online banking activity from a standalone, hardened, and locked-down computer from which e-mail and Web browsing is not possible.'"

What this means is: have one computer that does absolutely nothing but talk to the bank, get Windows updates, and (in our view, of course) get antivirus updates.

This raises a couple of questions:

  1. Is this practical?
  2. If it's recommended for businesses, why not for consumers, too?

As to the question of practicality, it may or may not be. For a company where there's more than one person doing the bookkeeping and banking, perhaps a couple of additional computers might be a small cost to absorb.

For a large company, this just isn't practical; however, there may be other alternatives, like a Linux "LiveCD".

As for it being practical for consumers, that isn't likely either.

How many people have the space and money to have a computer just for banking--not to mention the time to set it up and keep it updated? That said, running a good, modern antivirus product can certainly help reduce the likelihood of an infection in the first place.

Lastly, lest it go unsaid, use your head when you're doing online banking! Make sure you're on an https page when you connect, and if you know the website address of your bank, which you should, bookmark the link.

This way you can be much more aware that you're going to the right URL and not accidentally going to a fake (but very real looking!) version of your bank's website.
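The bookmark advice above and the .cm typo-squatting post further down are two sides of the same check: before you type a password, is the address exactly the one you meant, over https? The script below is an added example, not from this post or from McAfee's report, of what a bookmark-aware checker does: it accepts only the bookmarked hosts, rejects plain http, flags the one-character TLD typos (.cm, .co, .om for .com) the Cameroon post describes, and catches a trusted name buried inside a longer host or behind a user@ prefix. The bank hostnames and URLs are constructed.

```python
"""Added example: checking a banking URL against bookmarked addresses and
flagging one-character TLD typos. Not from the post or McAfee's report; the
bank hostnames below are constructed."""
from urllib.parse import urlsplit

# Constructed: the addresses a user has bookmarked for their bank.
TRUSTED_HOSTS = {"www.example-bank.com", "online.example-bank.com"}


def typo_variants(host):
    """Hostnames reached by dropping one character from the host's TLD,
    e.g. www.example-bank.com -> .cm, .om, .co (the typo the .cm post describes)."""
    labels = host.lower().split(".")
    if len(labels) < 2:
        return set()
    tld = labels[-1]
    variants = set()
    for i in range(len(tld)):
        shorter = tld[:i] + tld[i + 1:]
        if shorter:
            variants.add(".".join(labels[:-1] + [shorter]))
    return variants


# Precomputed once: every TLD typo of every bookmarked host.
TYPO_HOSTS = set().union(*(typo_variants(h) for h in TRUSTED_HOSTS))


def check_banking_url(url):
    """Return (ok, reason). ok is True only for a bookmarked host over https."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()   # urlsplit lowercases and strips the port
    if parts.scheme != "https":
        return False, "not https"
    if parts.username is not None:
        # https://www.example-bank.com@evil.test/ actually goes to evil.test
        return False, "credentials in URL hide the real host"
    if host in TRUSTED_HOSTS:
        return True, "bookmarked host over https"
    if host in TYPO_HOSTS:
        return False, f"looks like a TLD typo of a bookmarked host: {host}"
    for trusted in TRUSTED_HOSTS:
        if trusted in host:
            # e.g. www.example-bank.com.evil.test: the real site is evil.test
            return False, "trusted name embedded in an untrusted host"
    return False, "host is not bookmarked"


if __name__ == "__main__":
    for u in ("https://www.example-bank.com/login",
              "http://www.example-bank.com/login",
              "https://www.example-bank.cm/login",
              "https://www.example-bank.com.evil.test/login"):
        print(u, "->", check_banking_url(u))
```

The same `typo_variants` list is what a consumer without their own DNS server can still use: a hosts-file or browser block list built from the typos of the handful of sites they type passwords into.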

08/17/2009

Antivirus Software: What's Real? What's Fake?

One of the growing concerns for many security and antivirus professionals is the dramatic growth of fake antivirus software.

The idea behind fake A/V software is to trick unsuspecting consumers into downloading and installing their fake software in an effort to get trojans, viruses, spyware, and other malware installed onto PCs in the process.

There's nothing real about the fake software, except the threat it poses.

The process works like this:

  1. Trick consumer with a real looking, real sounding ad on an (often unsuspecting) legitimate website
  2. Get consumer to install the phony (but very real looking) antivirus application
  3. Stuff any number of trojans, keyloggers, spyware, and other evil applications into the fake antivirus program
  4. Use the newly infected computer to do their bidding, including (among other things):
    1. identity theft
    2. credit card fraud
    3. bank theft
    4. infecting other computers
    5. spamming

Solution to the Fake Antivirus Software Problem

Word is filtering out today about a way to tell fake antivirus software from legitimate ones.

Security and SSL vendor Comodo has launched a new site for a project they're backing, the "Common Computing Security Standards Forum," which aims to help consumers figure out what's real and what's not.

With their list of all known legitimate antivirus software vendors, they hope to help put an end to the dummy antivirus programs out there and to help consumers steer clear of the crap.

In addition to thanking them for their efforts, here is a complete list of current antivirus vendors known to Comodo to be the real deal:

Legitimate Antivirus Software Vendors
  • AhnLab
  • Aladdin
  • ALWIL
  • Antiy
  • Authentium
  • AVG Technologies
  • Avira GmbH
  • BitDefender (BitDefender Antivirus & Internet Security)
  • BullGuard
  • CA Inc (CA Anti-Virus)
  • Checkpoint
  • Cisco
  • ClamAV
  • Comodo
  • CSIS Security Group
  • Drive Sentry
  • Dr.Web
  • Emsi Software
  • ESET
  • F-Secure
  • Fortinet
  • Frisk Software
  • G Data Software
  • GFI/Sunbelt Software (VIPRE Antivirus & Internet Security)
  • Ikarus Software
  • Intego
  • iolo
  • IObit.com
  • Kaspersky Lab (Kaspersky Anti-Virus & Internet Security)
  • Kingsoft
  • Malwarebytes
  • McAfee (McAfee VirusScan Plus & Internet Security)
  • Norman
  • Panda (Panda Antivirus Pro & Internet Security)
  • PC Tools
  • Prevx
  • Rising
  • Sophos
  • SuperAntispyware
  • Symantec (Norton AntiVirus & Internet Security)
  • Trend Micro (Trend Micro AntiVirus & Internet Security)


You'll note that every one of the programs (reviews linked above) we've included in our antivirus reviews since day one of our site is on the list.

If you know of other legitimate A/V software not on the list, please contact us so that we can share your insight with the folks at Comodo.

12/15/2008

NoScript: A tool for securing your computer against web browser-based attacks

For those of you that haven't (yet) switched from Internet Explorer to Firefox, there's a tool to significantly improve computer security. It's called: NoScript.

The beauty of NoScript is that it allows you to completely disable javascript, java, flash, shockwave, silverlight, and any other scripts on a site-by-site basis.

"What's the significance of that?" you ask? "Don't I just need an Internet security suite with a good firewall?"

Um, no. Many of today's attacks are able to "pierce" firewalls. Antivirus software is a must. A good firewall is a must. But that's just the beginning.

NoScript is part of the package. It means you can choose the scripts you want to allow to run on a given web page. The beauty of it is that you get the same net effect as completely disabling javascript in Firefox without the pain. Let's face it, if you disable javascript in your browser altogether, it can make surfing the web a total chore.

What's the big deal with javascript (and other scripts, too, for that matter)?

As Swa Frantzen of Sans.org discusses in his post on javascript security from over a year ago, which is still very valid:

"Frequent readers will know that we often recommend to ease up on allowing scripting as it's used by the bad guys. XSS bugs are basically so bad, not for the example alert('XSS') (spaces added for the overly paranoid web content filters) you might see, but for much nastier things starting with capturing your cookies (read credentials, session keys etc.).

"Keyloggers aren't impossible either and making you unknowingly upload files from your hard disk to malicious websites etc. is all quite possible in javascript."

Long story short:

  1. We recommend Firefox.
  2. We recommend NoScript for Firefox.
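To make the "site-by-site" idea concrete, here is an added example, not NoScript's own code, of the policy it enforces, applied to one HTML page: an inline script runs only if the page's own site is on the allow list, an external script only if the site it is fetched from is, and everything else is stripped out and reported (the count NoScript shows in its toolbar icon). The page, the URLs and the allow list are all constructed for the illustration; a real extension hooks the browser rather than rewriting HTML text, but the decision is the same.

```python
"""Added example: a minimal model of NoScript's per-site script policy,
applied to an HTML document. Not NoScript's code; the sample page, URLs
and allow list are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class ScriptPolicy:
    """Allow list of sites whose scripts may run ('Allow example.com')."""

    def __init__(self, allowed_sites):
        self.allowed = {s.lower() for s in allowed_sites}

    def permits(self, page_url, script_src=None):
        # Inline scripts belong to the page's own site; external scripts to
        # the site they are fetched from, resolved against the page URL so
        # that relative paths like /app.js are judged correctly.
        origin = urljoin(page_url, script_src) if script_src else page_url
        host = (urlsplit(origin).hostname or "").lower()
        return any(host == s or host.endswith("." + s) for s in self.allowed)


class ScriptFilter(HTMLParser):
    """Re-emits the document, dropping <script> elements the policy rejects,
    and records what was dropped so the user can see it."""

    def __init__(self, policy, page_url):
        super().__init__(convert_charrefs=False)   # keep &amp; etc. as written
        self.policy, self.page_url = policy, page_url
        self.out, self.blocked = [], []
        self._skipping = False                     # inside a rejected <script>

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if not self.policy.permits(self.page_url, src):
                self.blocked.append(src or "inline")
                self._skipping = True
                return
        if not self._skipping:
            self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag == "script" and self._skipping:
            self._skipping = False                 # rejected script is over
            return
        if not self._skipping:
            self.out.append(f"</{tag}>")

    def handle_startendtag(self, tag, attrs):
        if not self._skipping:
            self.out.append(self.get_starttag_text())

    def handle_data(self, data):
        if not self._skipping:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self._skipping:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self._skipping:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        if not self._skipping:
            self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def apply_policy(html, page_url, allowed_sites):
    """Return (filtered_html, list_of_blocked_scripts)."""
    f = ScriptFilter(ScriptPolicy(allowed_sites), page_url)
    f.feed(html)
    f.close()
    return "".join(f.out), f.blocked


# Constructed page: a first-party script, a trusted CDN, a tracker, and
# one inline script.
SAMPLE_PAGE = (
    '<html><head><script src="/app.js"></script>'
    '<script src="https://cdn.example.net/lib.js"></script>'
    '<script src="https://ads.tracker.test/t.js"></script></head>'
    '<body><p>Hello &amp; welcome</p><script>document.title="x"</script></body></html>'
)
PAGE_URL = "https://www.example.com/index.html"

if __name__ == "__main__":
    html, blocked = apply_policy(SAMPLE_PAGE, PAGE_URL, ["example.com", "cdn.example.net"])
    print(html)
    print("blocked:", blocked)
```

Run with an empty allow list and every script, including the first-party one, is blocked: that is the "everything off by default" state the post describes, and allowing `example.com` for one site is the click that brings that page back to life without unlocking the tracker.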

Interested in learning more? Here are links for more information:

Download Firefox   Download NoScript

11/20/2008

10 IT Security Companies worth Watching

Network World, long one of our favorite magazines / sites for all things network and security related, has a 5-page piece on a few of the many interesting computer security companies.

Each company tries to tackle different challenges many of us face in computer and network security. All-in-all it's an interesting read, but given the nature of Network World, it's really aimed at enterprise security and not so much at the average consumer / home PC user.

An interesting read nonetheless.

Security Company / Noteworthy premise

  1. Behavioral Recognition Systems: Takes digital video streams and analyzes them for potential threat information.
  2. CoreTrace: Keeps track of just the programs that are supposed to be running on a computer rather than trying to catch everything that isn't.
  3. Envysion: Provides managed video surveillance services, including the installation of cameras in business locations.
  4. Guardian Analytics: Helps banks prevent fraud by analyzing customers' accounts to look for suspicious behavior.
  5. Metaforic: Prevents software tampering, piracy and theft. Can shut the program off or take other protective steps.
  6. nexTier Networks: Monitors and blocks sensitive (i.e. confidential) content in transmission across networks with a data-leak prevention network appliance.
  7. NovaShield: Detects / blocks so-called "drive-by" downloads. Designed to stop malware not ordinarily detected.
  8. Packet Analytics: Analyzes traffic between computers on a network by looking at the logfiles from those computers to make profiling and analysis easier for network engineers.
  9. Purewire: Protects enterprise users from malicious-code attacks while surfing the Web online.
  10. Rohati: Controls user access to applications through access-control lists done at the network level.