History of crimeware?

C’mon, Infoworld, give us a break.

“There are few viable options to combat crimeware’s success in undermining today’s technologies.”

How about “don’t do dangerous stuff”?

“Crimeware: Foundation of today’s telescreens”

I’m sorry, what has “1984″ to do with the use of malware by criminal elements?

“Advancement #1: Form-grabbing for PCs running IE/Windows
Form grabbing, as its name implies, is the crimeware technique for capturing web form data within browsers.”

Can you say “login trojan”?  I knew you could.  They existed even before PCs did.

“Advancement #2: Anti-detection (also termed stealth)”

Oh, no!  Stealth!  Run!  We’re all gonna die!

Possibly the first piece of malware to use some form of stealth technology to hide itself from detection was a virus.  Perhaps you might have heard of it.  It was called BRAIN, and was written in 1986.

“Advancement #5: Source code availability/release
The source codes for Zeus and SpyEye, among the most sophisticated crimeware, were publicly released in 2010 and 2011, respectively.”

And the source code for Concept, which was, at the time, the most sophisticated macro virus (since it was the only macro virus), was released in 1995, respectively.  But wait!  The source code for the CHRISTMA exec was released in 1988!  Now how terrified are you!

“Crimeware in 2010 deployed the capability to disable anti-malware products”

And malware in 1991 deployed the capability to disable CPAV and MSAV.  With only fourteen bytes of code.  As a matter of fact, that fourteen byte string came to be used as an antivirus signature for a while, since so many viruses were included it.

“Advancement #7: Mobile device support (also termed man-in-the-mobile)”

We’ve got “man in the middle” and “meet in the middle.”  Nobody is using “man in the mobile” except you.

“Advancement #8: Anti-removal (also termed persistence)
As security solutions struggle to detect and remove crimeware from compromised PCs, malware authors are updating their code to permit it to re-emerge on PCs even after its supposed removal.”

I’ve got four words for you: “Robin Hood” and Friar Tuck.”

The author “has served with the National Security Agency, the North Atlantic Treaty Organization, the U.S. Air Force, and two Federal think tanks.”

With friends like this, who needs enemies?

Share

The “Immutable Laws” revisited

Once upon a time, somebody at Microsoft wrote an article on the “10 Immutable Laws of Security.”  (I can’t recall how long ago: it’s now listed as “Archived content.”  And I like the disclaimer that “No warranty is made as to technical accuracy.”)  Now these “laws” are all true, and they are helpful reminders.  But I’m not sure they deserve the iconic status they have achieved.

In terms of significance to security, you have to remember that security depends on situation.  As it is frequently put, one (security) size does not fit all.  Therefore, these laws (which lean heavily towards malware) may not be the most important for all users (or companies).

In terms of coverage, there is little or nothing about management, risk management, classification, continuity, secure development, architecture, telecom and networking, personnel, incidents, or a whole host of other topics.

As a quick recap, the laws are:

Law #1: If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore

(Avoid malware.)

Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer anymore

(Avoid malware, same as #1.)

Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore

(Quite true, and often ignored.  As I tell my students, I don’t care what technical protections you put on your systems, if I have physical access, I’ve got you.)

Law #4: If you allow a bad guy to upload programs to your website, it’s not your website any more

(Sort of a mix of access control and avoiding malware, same as #1.)

Law #5: Weak passwords trump strong security

(You’d think this relates to access control, like #4, but the more important point is that you need to view security holistically.  Security is like a bridge, not a road.  A road halfway is still partly useful.  A bridge half-built is a joke.  In security, any shortcoming can void the whole system.)

Law #6: A computer is only as secure as the administrator is trustworthy

(OK, there’s a little bit about people.  But it’s not just administrators.  Security is a people problem: never forget that.)

Law #7: Encrypted data is only as secure as the decryption key

(This is known as “Kerckhoffs’ Law.”  It’s been known for 130 years.  More significantly, it is a special case of the fact that security-by-obscurity [SBO] does not work.)

Law #8: An out of date virus scanner is only marginally better than no virus scanner at all

(I’m not sure that I’d even go along with “marginally.”  As a malware expert, I frequently run without a virus scanner: a lot of scanners [including MSE] impede my work.  But, if I were worried, I’d never rely on an out-of-date scanner, or one that I considered questionable in terms of accuracy [and there are lots of those around].)

Law #9: Absolute anonymity isn’t practical, in real life or on the Web

(True.  But risk management is a little more complex than that.)

Law #10: Technology is not a panacea

(Or, as (ISC)2 says, security transcends technology.  And, as #5 implies, management is the basic foundation of security, not any specific technology.)

Share

Dumb computer virus story recidivus

A few days ago, I noted a very silly news story about someone getting hit with a computer virus. Well, maybe the administrators don’t know all that much about malware, and maybe a smaller local paper reporter didn’t know all that much about it, either.

But now the story has been taken up by a company that makes security software. A “Microsoft Gold Certified Partner,” according to their Website. A company that makes antivirus software. And their story is just as silly, or even worse.

They say the local admin “stated that, the virus is classified as harmful and they are being quite alert.” I suppose that is all well and good, but then they immediately say that, “[a]ccording to him, the anti-virus firms were not able to recognize it …” So, AV firms don’t know what it is, but it is classified as harmful? Oh, but not to worry, “the good part is that it doesn’t seem to do extensive harm.” So, it’s harmful, but it’s not harmful. Well, of course it’s not harmful. It only “collects information and details, such as bank accounts and passwords …” No possible problem there. (Oh, and, even though nobody knows what it is, it’s Qakbot.)

Right, then. Would you be willing to buy AV software from a firm that can make these kind of mistakes in a simple news story?

Share

Dumb computer virus story

I really don’t know who is more ignorant here, the city authorities “protecting” the computers, or the journalist writing up the story

If you know anything about the technology, this is howlingly funny (or, it would be, if it weren’t so sadly representative …)

“Officials at Nanaimo city hall are desperately working to find out how a virus attacked their computer system Wednesday afternoon.”

(Oh, oh!  Pick me!  I can tell you!  You didn’t tell people NOT TO CLICK ON RANDOM ATTACHMENTS THEY GET IN STRANGE EMAIL MESSAGES AND SUPPOSED E-CARDS!!!)

“Per Kristensen, director of information and technology, said he was shocked by how quickly the virus infected the system.

“The first time anyone anywhere in the world noticed this new virus was on [March 15] and then it hit us on the 16th,” he said Thursday.”

(How many new viruses are “created” every day, these days?)

“People can be assured that all their information is secure. Protection of their personal information is a priority. The city’s system won’t be turned on until we are confident we have this solved,” he said.

(Ummm, how are you going to clean up the computers if they are turned off?)

“Kristensen said the virus is so new, it has no signature that security devices can recognize.”

(Let me guess: a certain antivirus in a yellow box couldn’t recognize it, so you figure that nobody can, right?)

“We’ve got multiple levels of protection and firewalls, but nothing recognizes this.”

(Yeah, firewalls do a GREAT job against viruses …)

“We may have to shut down throughout the weekend and we won’t put the system back up until we know we have this under control. And right now, we don’t know how long that will be.”

(Based on this, I’m not holding my breath …)

Share

RSA APT thoughts

By now people are starting to hear that RSA has been hit with an attack.  Reports are vague at best, and we have very little idea how this may affect RSA customers and security in general.  But I’d like to opine about a few points.

First, we, in the profession of information security, are still not taking malware seriously enough.  Oh, sure, most people are running antivirus software.  But we don’t really study and understand the topic.  Malware gets extremely short shrift in any general security textbook.  Sometimes it isn’t mentioned at all.  Sometimes the descriptions are still based on those long-ago days when boot-sector infectors ruled the earth.  (Interesting to see that they are coming back again, in the form of Autorun and Autoplay, but that’s simply another aspect of Slade’s Law of Computer History.)  Malware has gradually grown from an almost academic issue to a pervasive presence in the computing environment.  It’s the boiling frog situation: the rise in threat has been gradual enough that we haven’t noticed it.

Second, we aren’t taking security awareness seriously enough.  These types of attacks rely primarily on social engineering and malware.  Security awareness works marvelously well as a protection against both.  RSA is a security corporation: they’ve got all kinds of smart people who know about security.  But they’ve also got lots of admin and marketing people who haven’t been given basic training in the security front lines.  For a number of years I have been promoting the idea that corporations should be providing security awareness training.  Not just to their employees, but to the general public.  For free.  I propose that this is not just a gesture of goodwill or advertising for the companies, but that it actually helps to improve their overall security.  In the modern computing (and interconnected communications) environment, making sure somebody else knows more about security means that there is less chance that you are going to be hit.

(Third, I really hate that “APT” term.  “Advanced Persistent Threat” is pretty meaningless, and actually hides what is going on.  Yes, I know that it is embarrassing to have to admit that you have been tricked by social engineering [which is, itself, only a fancy word for "lying"] and tricked badly enough that somebody actually got you to run a virus or trojan on yourself.  It’s so last millennium.  But it’s the truth, and dressing it up in a stylish new term doesn’t make it any less so.)

Share

Shaw and Spamhaus

I seem to be back on the air.

A few observations over this whole affair:

(Sorry, I’ve not had time to put these in particular order, and some of the point may duplicate or relate …)

1) I still have absolutely no idea why Shaw cut me off.  They keep blaming Spamhaus, but the only links they offer me as evidence clearly show that there is no “bad reputation” in the specific IP address that I am currently using, only a policy listing showing one of Shaw’s address ranges.

2) I got absolutely no warning from Shaw, and no notice after the fact.

3) Shaw’s spam filtering is for the birds.  Today I got two messages flagged as spam, for no clear reason I could see.  They were from a publisher, asking how to send me a book for review.  The only possible reason I could see was that the publisher copied three of my email addresses on the same message.  A lot of people do that, but it usually doesn’t trip the spam filter.  Today it did.  (Someone else with Shaw “service” tried to send out an announcement to a group.  Since he didn’t have a mailing list server, he just sent out a bunch of messages.  Apparently that got *his* account flagged as spamming.)  I also got the usually round of messages from security mailing lists tagged as spam: Shaw sure has something against security.  And at least one 419 scam got through unflagged today, despite being like just about every other 419 in the world.  (Oddly, during this period I’ve noted a slight uptick in 419s and phishing in general.)

4) Through this episode I had contact with Shaw via email, phone, “live chat,” and Twitter.  I follow ShawInfo and Shawhelp on Twitter.  On Twitter, I was told to send them a direct message (DM).  I had, in fact, tried to do that, but Shaw doesn’t accept direct messages by default.  (Since I pointed that out to them, they now, apparently accept them from me.)  They sent me public messages on Twitter, and I replied in kind.  Through the Twitter account they also informed me that error 554 is “poor reputation” and is caused by sending too many emails.  They didn’t say how many is too many.  (Testing by someone else indicated something on the order of 50-100 per hour, and I’ve never done anything near that scale.)

5) The “live chat” function installs some software on your (the client) machine.  At least two of the pieces of software failed the digital signature verification …

6) The “information” I got from Shaw was limited.  The first (phone) support call directed me to http://www.senderbase.org/senderbase_queries/detailip?search_string=70.79.166.169  If you read the page, the information is almost entirely about the “network” with only a few (and not informative) pieces about the IP address itself.  (I did, separately, confirm that this was my IP address.)  The bulk of the page is a report on addresses that aren’t even in the same range as I am.  About halfway down the right hand side of the page is “DNS-based blocklists.”  If you click the “[Show/Hide all]” link you’ll notice that four out of five think I’m OK.  If you click on the remaining one, you go to http://www.spamhaus.org/query/bl?ip=70.79.166.169  At the moment, it shows that I’m completely OK.  At the time I was dealing with Shaw, it showed that it’s not in the SpamHaus Block List (SBL) or the XBL.  It was in the PBL (Policy Block List), but only as a range known to be allowed to do open sending.  In other words, there is nothing wrong with my IP address: Shaw is in the poop for allowing (other) people to send spam.

7) The second (live chat) support call sent me to http://www.mxtoolbox.com/SuperTool.aspx?action=blacklist%3a70.79.166.169+  Again, this page showed a single negative entry, and a whole page of positive reports.  The single negative entry, if pursued, went to the same Spamhaus report as detailed above.

8) At the time, both initial pages, if followed through in terms of details, led to http://www.spamhaus.org/pbl/query/PBL164253 giving, as the reason, that “This IP range has been identified by Spamhaus as not meeting our policy for IPs permitted to deliver unauthenticated ‘direct-to-mx’ email to PBL users.”  Again, Shaw’s problem, not mine.  However, that page has a link to allow you to try and have an address removed.  However, it says that the “Removal Procedure” is only to be used “If you are not using normal email software but instead are running a mail server and you are the owner of a Static IP address in the range 70.79.164.0/22 and you have a legitimate reason for operating a mail server on this IP, you can automatically remove (suppress) your static IP address from the PBL database.”  Nevertheless, I did explore the link on that page, which led to http://www.spamhaus.org/pbl/removal/  Again, there you are told “You should only remove an IP address from the PBL if (A) the IP address is Static and has proper Reverse DNS assigned to your mail server, and (B) if you have a specific technical reason for needing to run a ‘direct-to-MX’ email service, such as a mail server appliance, off the Static IP address. In all other cases you should NOT remove an IP address from the PBL.”  This did not refer to my situation.  Unfortunately, THESE TWO PAGES ARE INCORRECT.  If you do proceed beyond that page, you get to http://www.spamhaus.org/pbl/removal/form  This page does allow you to submit a removal request for a dynamic IP address, and, in fact, defaults to dynamic in the form.  It was only on the last part of the second call, when the Shaw tech gave me this specific address, that I found this out.  For this I really have to blame Spamhaus.

9) In trying to determine if, by some weird mischance, my computer had become infected, I used two AV scanners, one spyware scanner, and two rootkit scanners.  (All results negative, although the Sophos rootkit scanner could have been a bit clearer about what it had “found.”)  Of course, I’ve been in the field for over two decades.  How would the average user (or even a security professional in a non-malware field) even know that there are different types of scanners?  (Let alone the non-signature based tools.)

Share

Shaw Cable security (lack-of) support (2)

Well, multiple scanners say I have no malware, no spyware, and no rootkits.

http://www.mxtoolbox.com/SuperTool.aspx?action=blacklist%3a70.79.166.169+ says I’m clean except for Spamhaus.

Spamhaus shows that http://www.spamhaus.org/query/bl?ip=70.79.166.169 I’m clean and it’s Shaw that’s dirty.

Shaw’s support is as inane as ever:

GoToAssist (11:43:33):
Your representative has arrived.

Stephen – 6685 (11:43:37):
Thank you for choosing Shaw Internet Chat Support, my name is Steve.  I will be happy to help you today.Before continuing, would you please confirm your home telephone number and address so that I can bring up your account information?

[If you don't mind, I've elided this, but it's the only change I've made - rms]

Stephen – 6685 (11:44:57):
Thank you, one moment please
Stephen – 6685 (11:48:07):
from what we see on the notes, it looks like your email is being blocked to due a poor reputation which means its being blocked by spam protection companies,  im just looking into this a little further for you.

Rob Slade (11:49:16):
Do you have any idea of what that means?  When I talked to “Rowell” yesteerday, he did not know anything about anti-spam technology, and just kept handing me bafflegab.  If you do not have any knowledge in thsi area, please hand me to someone who does.
Rob Slade (11:49:46):
I should let you know that I *do* know what I’m talking about: look up “Robert Slade” on Wikipedia.

Stephen – 6685 (11:49:48):
your being blocked by spamhaus
Stephen – 6685 (11:50:02):

http://www.mxtoolbox.com/SuperTool.aspx?action=blacklist%3a70.79.166.169+

Rob Slade (11:50:18):
I’ve written two books on viruses and malware, the first book on software forensics, and a dictionary of information security.
Rob Slade (11:50:38):
I do know what spam is, and I am well aware of antipsam technology.
Rob Slade (11:51:08):
Per looking at senderbase yesterday, my specific IP address has nothing on it.  Just Shaw’s domain range.

Stephen – 6685 (11:52:03):
you would need to go here   http://www.spamhaus.org/lookup.lasso   type in your ip address to lookup, then  click the document it shows under the listed in red, and follow the steps to get it removed from spamhaus

Rob Slade (11:52:29):

http://www.spamhaus.org/query/bl?ip=70.79.166.169

Rob Slade (11:53:04):
See that it is only listed in the PBL, and if you look up the detail on that you will see that it is only the Shaw /22 range, and not my address.
Rob Slade (11:53:49):
Going back to your original list, you will see that it is *only* listed on Spamhaus (and therefore only on the PBL), and that *all* the other sites give me a clean bill of health.
Rob Slade (11:54:19):
In addition, why did I get absolutely no warning or notice from Shaw, just had my ability to send cut off without warning?

Stephen – 6685 (11:54:27):
its not blocked by us
Stephen – 6685 (11:54:31):
thats why we couldnt give warning
Stephen – 6685 (11:54:37):
its blocked by spamhaus

Rob Slade (11:54:49):
It is your SMTP server that refuses the connectionh.
Rob Slade (11:55:00):
You can’t blame Spamhaus.

Stephen – 6685 (11:55:14):
http://www.mxtoolbox.com/SuperTool.aspx?action=blacklist%3a70.79.166.169+   please review this,  it will show you based on a search of your ip address, its listed by spamhaus-zen….

Rob Slade (11:55:52):
That is the same list as before.

Stephen – 6685 (11:56:19):
yes it is

Rob Slade (11:56:36):
As I told you, it gives me a clean bill of health, except for Spamhaus, and Spamhaus only lists the Shaw /22 range in the PBL, not my IP address specifically.

Stephen – 6685 (11:56:37):
if you look at the top.. spamhaus-zen  to the right of that it shows as listed  which means its blocked by them
Stephen – 6685 (11:57:00):
its still being listed by them, otherwise it would come up saying OK  next to spamhaus
Stephen – 6685 (11:57:16):
if you login to webmail  and try sending an email out from there, it will work because its not associated with your computer
Stephen – 6685 (11:57:30):
its not working on your computer because your ip  address is blocked by spamhaus

Rob Slade (11:57:44):
Yes, and if you look at the detail, you will see that I am *not* lsited in the SBL, *not* listed in the CBL, and *only* listed in the PBL, and if you look at the detail for *that* you will see that it is *Shaw* that violates, not me.
Rob Slade (11:58:37):
Here. chew on these: http://is.gd/VbjOIh http://is.gd/ogefIX

Stephen – 6685 (11:59:31):
im not sure what i am suppose to be seeing in those links..   Error establishing a database connection
Stephen – 6685 (12:00:07):
http://www.spamhaus.org/pbl/query/PBL164253  from there, you will need to follow the steps from clicking on remove an ip from pbl

Rob Slade (12:01:20):
In the meantime, I will be writing up more blog posts on how Shaw has inconsitent spam filtering, does not say what kind of spam filtering it does do, has a weird relationship with the blacklisting outfits.
Rob Slade (12:02:09):
Obviously you have not read the page you sent me.  This is the procedure only if you are running an email server (MTA) yourself.  I don’t.  You guys do.

Stephen – 6685 (12:05:15):
yes, from the report, its showing that its being blocked due to not using smpt authentication, that gets addressed from our side, where we communicate with spamhaus to get that resolved, however also by having you follow the link from the remove my ip address can usaully help get it resolved quicker.
Stephen – 6685 (12:06:12):
it is blocked by spamhaus, not us, which is something that will get looked into, if it was just being blocked by us, we could easily resolve it for you, however because its being blocked by a 3rd party, it will take some time, in the meantime you can use webmail to send and receive emails

Rob Slade (12:06:19):
How so?  I don’t run an SMTP server, so I can’t give them full info in filling out that form.
Rob Slade (12:07:06):
Besides, it’s not a static address.
Rob Slade (12:07:45):
Obviously you do not know what you are talkign about.  Are you going to put me through to someone who does?

Stephen – 6685 (12:08:08):
yes i do know what i am talking about Rob

Rob Slade (12:08:45):
Then how come you are asking em to fill out a form when the instructions specifically state not to do it unless this is a static IP address and I am running my own mail server?
Rob Slade (12:09:36):
http://www.spamhaus.org/pbl/removal/ “You should only remove an IP address from the PBL if (A) the IP address is Static and has proper Reverse DNS assigned to your mail server”

Stephen – 6685 (12:09:37):
i am just looking to see what more we can do on this right now, i will be a couple minutes.

Share

Shaw Cable security (lack-of) support

As noted, Shaw is not very helpful with spam.  I’ve been getting spam from Marlin Travel, and from a band of people selling recuriting seminars, for a number of years.  I have been reporting this spam (to Shaw, and their supposedly automated spam filters) on at least a weekly basis for years.  Occasionally they deign to mark one of the messages as spam, but not on anything like a consistent basis.

Spam filtering is not transparent.  You can turn it on, or off.  You can have the spam go to the bit bucket, or get flagged.  There are no other options, and you have no information on how it works (or doesn’t).  (Heck, Vancouver Community Net [formerly Free-Net] does better than that.)

On my non-support call with Shaw, the agent did correctly identify the IP address I am (currently) using.  I have no idea when last it was switched.  Looking it up on senderbase is not supremely informative: there doesn’t seem to be any information on the address itself, other than the fact that it’s not in the SpamHaus Block List (SBL) or the XBL.  It is in the PBL (Policy Block List), but only as a range known to be allowed to do open sending.  In other words, there is nothing wrong with my IP address: Shaw is in the poop for allowing (other) people to send spam.

Meantime I have confirmed that, as I already knew, there is nothing malware or spam related on my machine.  Nothing that MSE detects.  Nothing that Vipre detects.  Nothing that Spybot detects.  At the moment I’m running the Sophos rootkit detector, and F-Secure’s Blacklight.  They haven’t found anything either.  I am, of course, morally certain that Shaw was lying to me about the possibility, but, unlike them, I’m not arrogant enough not to check.  I was right: they are idiots.  And, with their non-support, have cost me a lot of valuable time checking a clean machine.  (Plus not providing the Internet service I’m paying for.)

Share

Shaw spam

I have had Internet access with Shaw Cable for a number of years.  I have been using the same system for at least seven years.  I’m a malware researcher, so I check my machines thoroughly and regularly.

I also know that Shaw has a very bad reputation in terms of spam.  There are a number of  systems that I cannot send email to, since Shaw connected computers, apparently, send a lot of spam and viruses.  I also know that I spend a significant amount of time every day trying to tune Shaw’s very crude spam filtering: identifying and sending them messages they have tagged as spam which are not, and sending them messages they have not tagged which are spam.

Today my wife found she couldn’t send email.  When I tried, I couldn’t either.  We are getting a message from the SMTP server #554, which has something to do with poor reputation.

I did manage to send email through Webmail, and so sent a message to Shaw’s technical support.  (Finding out, when I did so, that they changed the technical support email address in December, without telling anyone.)  They responded about three hours later.  Rowell, the person making the call, blamed everything on senderbase.org.  Rowell denied that this had anything to do with blacklisting.  He also denied that he was saying that my computer was sending any spam.  He said that if I did not send any email for the next two days, that would fix the problem.  He refused to say why there was any indication that my computer was in any way at fault, or offer any evidence that I was sending out spam or viruses.  He also refused to escalate the problem to anyone who was either higher up and could do anything, or anyone who had any technical knowledge about the problem.

Shaw is now in my dirty words file.

Share

Back on the AMTSO wheel

The next AMTSO members’ meeting is at San Mateo, California, on the 10th-11th February, just before RSA.

I’m not sure how many supporters of the Anti-Malware Testing Standards Organization there are reading this blog, as opposed to those who regard AMTSO as a club with which to beat the anti-virus industry. However, I’m pretty sure that even those who find the generation of testing guidelines documents (which constitutes most of the work at AMTSO meetings) excruciatingly boring will find some interesting material coming out of the organization in the next few weeks.

There’s more information on this year’s AMTSO meetings on the AMTSO meetings page at http://www.amtso.org/meetings.html, including a preliminary agenda.

David Harley CITP FBCS CISSP
Small Blue-Green World

Share

REVIEW: “Computer Viruses and Other Malicious Software”, Organization for Economic Co-operation and Development

BKCVAOMS.RVW   20100607

“Computer Viruses and Other Malicious Software”, Organization for
Economic Co-operation and Development, 2009, 978-92-64-05650-3
%A   Organization for Economic Co-operation and Development
%C   2 rue Andre Pascal, 75775 Paris Cedex 16, France
%D   2009
%G   978-92-64-05650-3 92-64-05650-5
%I   OECD Publishing
%O   oecdna@turpin-distribution.com sourceoecd@oecd.org
%O  http://www.amazon.com/exec/obidos/ASIN/9264056505/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/9264056505/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/9264056505/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   244 p.
%T   “Computer Viruses and Other Malicious Software”

The executive summary doesn’t tell us much except that malware is bad, and that this report is seen as a first step in addressing the issue in a global, comprehensive manner.

Part one, entitled “The Scope of Malware,” is intended to provide background to the problem.  Chapter one, as an overview, is a random collection of technical issues, with poor explanations.  Although it is good to see that the malware situation is defined in terms that are more up-to-date than those in all too many security texts, the lack of foundational material provided by the authors will necessarily limit the perception of the issue for those readers who have not done serious research themselves.  Various stories of attacks and payloads (not all related to malware) are listed in an equally disjointed manner in chapter two.  There are numerous errors, including in simple aspects like arithmetic.  (20 million is not “5 times” one million.)   The explanation of why we should be concerned, in chapter three, boils down to the fact that the net is important, and malware imposes costs.

Part two turns to the economics of malware.  Chapter four, while it promises to deal with cybersecurity and economic incentives, merely states that security is hard.  Chapter five does deal with economic factors influencing decisions of key players on the Internet, but does so only on the basis of an opinion survey, rather than any measured costs or benefits.  Descriptions of different types of economic situations are given in chapter six, but a final set of “findings” doesn’t seem to have much background support.

Part three is supposed to contain recommendations about actions to take, or policies to follow, to address the malware issue.

Unfortunately, this work does not have sufficient technical depth on areas of malware to contribute to the literature.  The concept of addressing the economic aspects is interesting, but is not sufficiently fulfilled.  Overall, this text has nothing to add to existing information.

copyright, Robert M. Slade   2010     BKCVAOMS.RVW   20100607

Share

Is SetFsb a Trojan?

This was sent to me by a friend who wanted to stay anonymous:

There’s a utility called SetFSB which tweaks the clock speed for overclocking stuff.
It was written in Japan, and is used for many years already.
Recently it came to me that I can speed up my old machine by 25% so I dl’ed it as well,
however, when running, I discovered that upon termination, the .exe creates 2 files,
1 batch file and 1 executable.
The batch file is being spawned, and starts a loop trying to delete the original executable, and continues indefinitely until it’s deleted. after that it will rename the new .exe to the be the same name as the old one.
Now, isn’t that suspicious?
I’ve tried googling it, and just found 1 reference in PCTool’s ThreatFire, but the shmucks just got the threat and couldn’t see the .exe and .bat, so they just decided it’s a false alarm and whitelisted the utility.
I thought it would be a good idea to contact the author, give him a chance to explain, and this is message train, which I find very funny:

there’s a uility called SetFSB which tweeks the clock speed for overclocking stuff.
It was written by some Jap, and is used for many years already.
Recently it came to me that I can speed up my old machine by 25% so I dl’ed it as well,
however, when running, I discovered that upon termination, the .exe creates 2 files,
1 batch file and 1 executable,
the batch file is being spawned, and starts a loop trying to delete the original executable, and continues indefinitely until it’s deleted. after that it will rename the new .exe to the be the same name as the old one.
Now, isn’t that suspicious?
I’ve tried googling it, and just found 1 reference in PCTool’s ThreatFire, but the shmucks just got the threat and couldn’t see the .exe and .bat, so they just decided it’s a false alaram and whitelisted the utility.
I thought it would be a good idea to contact the author, give him a chance to explain, and this is message train, which I find very funny:

ME>>>

Dear Mr.

Why after exiting SetFsb, it will create a .bat and new .exe
the .bat will loop to try delete the old .exe, and rename the new .exe to old .exe ?

Thanks!

HIM>>>

Hi,

Yes,

abo

ME>>>

Hello.

Yes… good…

but WHY???
is it a VIRUS?

thanks!

HIM>>> (here comes the good part :) )

I do not have a lot of free time too much.
Why do you think that i support you free of charge?

ME>>>

to make viruses?

HIM>>> (this is the original font color and size he used!!!)

I do not have a lot of free time too much!

ME>>> (trying to hack his japanese moralOS v0.99)

Please, dear Abo,

You must understand. People start to be VERY worried about your software,
because it behave like a virus.
If you will not give a good explanation to WHY it behave like this,
then people will stop using it, and stop trusting you forever.
Then your name will become bad, and you will have a lot of shame.
I only try to help you.

I hope you understand!

HIM>>>

It is unnecessary. Please do not use SetFSB if you are worried.

Personally, I’m not sure who’s more weird: my friend, overclocking his computer in 2011, or the Japanese programmer not willing to explain if his downloadble program is a Trojan or not.

Share

New computers – disappointments

Crazy busy, this time of year, isn’t it?  That’s why I haven’t gotten back to this until now.

(Mind you, last Sunday, at church, the kids put on this play, the point of which was that the “busy” parts of Christmas often aren’t the most important aspects.  The tagline to the play was that you should be busy about the right things, not the wrong ones.  And we’ve mostly been busy with the twins.

For example, #2 Daughter was heavily involved in the local Atom hockey tournament, since #3 Grandson was in one of the teams.  So, we pulled extra babysitting time while she had to be running things, and he *didn’t* have to be there.

The famous Coquitlam Atom Boom Boom Puck Jam Hockey tournament was won, Tuesday, by the Coquitlam Chiefs C1 team in an exciting finish.  Tied after regulation time [with full 15 minute periods, rather than the normal Atom 12, with the third period shortened if anything in the game goes overtime], and still tied after five minutes of 4 on 4 sudden death overtime, the final was won in the second-to-last shot of a shoot-out.

Because of conflicting appointments, Grandpa (of #6, right wing forward) had to travel an hour and a half, taking the Skytrain and bus out to the rink, but is still chuffed  :-)

But the disappointments, of which I speak, had to do with computers.  Part of the pain of buying new stuff, is that things you thought you could rely on, well, it turns out you can’t, anymore.

One of them is NOD32.  Eset does make a good product, although it tends to be fairly greedy for cycles, while operating, and a bit arrogant in terms of what it tells you.  So, when a family member was in trouble over an infection (always embarrassing when your own family doesn’t take precautions, isn’t it?) I had no hesitation in applying NOD32 to try and clean it up.  Well, the machine is older, and slow.  And, hasn’t been updated in a while, so I was trying to fix that, too.  NOD32, even after finishing it’s scan, was interfering with the update process.  So much so, that it got to the point where we thought the machine was unrecoverable.

We did get it back in operation.  (And, first thing, removed NOD32.)  But it’s disappointing when a trusted tool bites you.

(Speaking of the which, I’ve spoken before about MSE, and even mentioned some of the performance degradation it can cause in older machines.  I must say, that, in some recent experiences, I’m more and more impressed with it as a means of rescuing computers that have been infected.)

More closely related to the new computers, one of my favourite places to get computer equipment, over the years, has been a western Canadian drugstore chain called London Drugs, similar (for those of you in the States) to Walgreens, although sometimes London Drugs is closer in scale to Target.  For twenty years I have been sending people to them for good advice, knowledgable staff, and decent prices.

Well, one of the computers I bought, this time around, is a Mac.  I’m not familiar with Macs, so I was relying on their advice.  Actually, the advice that I got from one staffer was quite good.  But, when I went to actually buy the machine, I got it home and found that what I had brought home was not what I’d ordered.  Which reminded me that the last time I needed to get a printer cartridge, again, they gave me the wrong one.  (There is also that fact that, in relying on their advice over what I needed, they sold me some completely unnecessary software, when the function I wanted is already built in to the Mac.)
Overall, I think they still are a reasonably decent place to get stuff, but, obviously, they may be victims of their own success.  Getting a bit careless, perhaps.  So, equally obviously, I can’t just rely on them any more, and will have to be careful about who I send there, as well.
Like I  said, a bit of a disappointment …

Share

Stuxnet Guesswork

Aviram said in a recent blog about Stuxnet and SCADA here:

After that, we get to theorize on who’s behind it and who is the target. What’s your guess?

And sure enough, half the security world has done just that, and the rest will be talking about it at Virus Bulletin next week. Good fun, maybe, if you don’t think too hard about some of the political implications, but I’m not sure it’s been productive or useful. Which is why I blogged today here.

I’d love to cover the same ground again here, but frankly I’m just too dispirited…

David Harley CITP FBCS CISSP
ESET Senior Research Fellow

Share

REVIEW: “The Myths of Security”, John Viega

BKMTHSEC.RVW   20091221

“The Myths of Security”, John Viega, 2009, 978-0-596-52302-2, U$29.99/C$37.99
%A   John Viega viega@list.org
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2009
%G   978-0-596-52302-2 0-596-52302-5
%I   O’Reilly & Associates, Inc.
%O   U$29.99/C$37.99 800-998-9938 fax: 707-829-0104 nuts@ora.com
%O  http://www.amazon.com/exec/obidos/ASIN/0596523025/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0596523025/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596523025/robsladesin03-20
%O   Audience i Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   238 p.
%T   “The Myths of Security”

The foreword states that McAfee does a much, much better job of security than other companies.  The preface states that computer security is difficult, that people, particularly computer users, are uninformed about computer security, and that McAfee does a much better job of security than other companies.  The author also notes that it is much more fun to write a book that is simply a collection of your opinions than one which requires work and technical accuracy.

The are forty-eight “chapters” in the book, most only two or three pages long.  As you read through them, you will start to notice that they are not about information security in general, but concentrate very heavily on the antivirus (AV) field.

After an initial point that most technology has a poor user interface, a few more essays list some online dangers.  Viega goes on to note a number of security tools which he does not use, himself.  He then argues unconvincingly that free antivirus software is not a good
thing, unclearly that Google is evil, and incompletely that AV software doesn’t work.  (I’ve been working in the antivirus research field for a lot longer than the author, and I’m certainly very aware that there are problems with all forms of AV: but there are more forms of AV in heaven and earth than are dreamt of in his philosophy.  By the way, John, Fred Cohen listed all the major forms of AV technology more than twenty-*five* years ago.)  The author subsequently jumps from this careless technical assessment to a very deeply technical discussion of the type of hashing or searching algorithms that AV companies should be using.  And thence to semi-technical (but highly opinionated) pieces on how disclosure, or HTTPS, or CAPTCHA, or VPNs have potential problems and therefore should be destroyed.  Eventually all pretence at analysis runs out, and some of the items dwindle down to three or four paragraphs of feelings.

For those with extensive backgrounds in the security field, this work might have value.  Not that you’ll learn anything, but that the biases presented may run counter to your own, and provide a foil to test your own positions.  However, those who are not professionals in the field might be well to avoid it, lest they become mythinformed.

copyright Robert M. Slade, 2009    BKMTHSEC.RVW   20091221

Share

Microsoft LNK exploit

The recently discovered LNK exploit; using the way Microsoft parses link or shortcut icons for display in order to get something else executed; may be a tempest in a teapot.  It is technically sophisticated, but so far we don’t appear to have seen it used widely.

Probably a good thing.

This exploit could be used in a wide variety of ways.  You can use it in removeable media, so that any time you shove a CD in a drive, or connect a USB stick/thumb drive (or any other USB device, for that matter) to a computer, it results in an infection or some malicious payload.

And remember that OLE stands for object *LINKING* and embedding.  Since it is trivially easy to embed a virus in any Windows OLE format data file, it should be just as easy to create malicious links in any such files.

Microsoft’s own information on the issue seems to indicate that there is a related, but separate, issue with Microsoft Office components, related to Web based activities.  (By the way, when accessing that site, the information about how to protect against the exploit is hidden under the “Workarounds” link, rather than being explicit on the page.)

Some of the potential effects are discussed by Randy Abrams at http://blog.eset.com/2010/07/19/it-wasn%E2%80%99t-an-army

Share