Recently in Malware Category

Malware hits London hospitals

It's interesting to speculate how three separate hospital computer systems have managed to simultaneously fall victim to malware. Given that the rest of us have not today fallen victim to anything new, and that other hospitals appear to still be functioning, it looks like a highly targeted attack. The Register reports that it might be a case of the Mytob worm; however, I'm dubious: Mytob is nuisance malware rather than disruptive, its signature is well known, and I doubt it would result in the networks of three hospitals being so thoroughly disrupted. If it were a new variant evading the anti-malware protection, then we'd all be seeing it.

Threat reports threats to credibility

What do you think the outcome would be if you put security experts from Symantec, McAfee, ISS, Secure Computing, and SPI Dynamics into the same room and asked them each what they'd like to see written into a report telling the world what the latest Cyber Security Threats are? The result is the GTISC Cyber Threats Report, a report with about as much credibility as if they'd held a seance or read palms in order to decide what to write.

Oh look, just by coincidence, between them the experts present sell solutions for most of the problems being described. Now there's a thing!

The report has also been picked up by the BBC who see fit to publish this piece of FUD for consumption by the general public.

The industry is full of threat reports, statistics, white papers and experts galore employed by vendors to tell us what the threats are and what we need to be doing about them. "Buy more stuff - preferably our stuff. If you don't buy our stuff then don't be surprised to find you're stuffed!" The difficulty is not in deciphering what all this information is telling us but what it is not telling us. A salesman is hardly going to be telling you what his product doesn't do.

Expert opinion such as that presented by the GTISC Cyber Threats Report is a waste of ink and paper. Want a decent opinion on what's important in security? Here are a few links for you:

- IT Security: The view from here

- Mike Rothman's Security Incite

- Jeremiah Grossman

- Info Security Advisor

- David Lacey

Learning from the lessons learnt the hard way by others

I don't harbour any illusion that the misfortune of others, frequently commented on within this blog, couldn't end up also occurring to me within my own organisation. It would be foolish to think otherwise. Some of the incidents listed on resources such as The Breach Blog strike pretty close to home and serve as lessons fortunately learnt the hard way by others so that we can take note.

Luckily, none of the incidents experienced within the organisation I work for over the past couple of years have resulted in data breaches, but there have been some near misses and one or two outright clangers. One that will stick in my mind happened very soon after I took up my current job. A web hosting environment was becoming unreliable, needing frequent restarts of services to recover from outages. I suggested running a number of tests to look for the presence of malware, and lo, it appeared that the web servers themselves had been compromised. A third party consultant was called in to do some further investigation and the full extent of the mess was revealed: rootkits and strange port numbers being utilised by goodness knows only what.

The servers were taken away to be destroyed in the fiery pits of hell and replaced, but clearly we needed to know how they had been so marvellously hacked. Being ever the bright spark, I asked for the IPS logs to be reviewed. Nothing in them. And I don't mean that they simply revealed no useful information. There were no logs. Tumbleweed rolled through the empty space where the logs should have been. A journey to the dark, dank bowels of the data centre revealed why. The device was plugged in, switched on, and running normally, but plugged into the wrong interface and thus offering our now distraught and broken web server all the protection of an umbrella against a nuclear blast.

Lessons learnt #1: change control procedures had not been followed and nobody had checked. Assumptions had been made that the devices were correctly configured but without any resource available to review logs on a regular basis the errors were not noticed and consequently the attacks had not been blocked. Lessons learnt #2: leave a vulnerable web server online and it will be hacked. Total cost of the incident was two web servers, the costs of an external consultant, and a good deal of grief from groups within the organisation reliant upon the servers in question.
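Lesson #1 above is a monitoring gap: a sensor that logs nothing looks exactly like a sensor with nothing to report unless someone checks. As an added example that is not from the original post, this Python check takes constructed syslog-style lines from expected sources (the hostnames web01, fw-edge and ips-dc1 and the silence thresholds are assumptions) and flags any expected source that has never reported, or has gone quiet for longer than allowed, while its neighbours are still busy.

```python
from datetime import datetime, timedelta

# Constructed sample syslog lines (not from the post). Field 1 is an ISO
# timestamp, field 2 is the reporting host. Note that ips-dc1 never appears.
SAMPLE_LOGS = """\
2008-11-18T09:00:01 web01 httpd: GET /index.html 200
2008-11-18T09:00:05 fw-edge kernel: ACCEPT TCP 203.0.113.9 -> 192.0.2.10:80
2008-11-18T09:01:40 web01 httpd: GET /admin 403
2008-11-18T09:02:00 fw-edge kernel: ACCEPT TCP 203.0.113.9 -> 192.0.2.10:80
2008-11-18T09:04:30 web01 httpd: GET /login 200
"""

# Assumed inventory of sources that must be reporting, with the longest gap
# each may go without an event before it is treated as a monitoring fault.
EXPECTED_SOURCES = {
    "web01": timedelta(minutes=10),
    "fw-edge": timedelta(minutes=10),
    "ips-dc1": timedelta(hours=1),
}

def last_seen(log_text):
    """Return {hostname: latest timestamp} over the given log lines."""
    seen = {}
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 2:
            continue  # skip blank or malformed lines
        ts, host = datetime.fromisoformat(parts[0]), parts[1]
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen

def silent_sources(log_text, expected, now_iso):
    """Return {hostname: reason} for every expected source that is not reporting."""
    now = datetime.fromisoformat(now_iso)
    seen = last_seen(log_text)
    problems = {}
    for host, max_gap in expected.items():
        if host not in seen:
            problems[host] = "no events at all"       # the tumbleweed case
        elif now - seen[host] > max_gap:
            problems[host] = f"last event {now - seen[host]} ago"
    return problems

if __name__ == "__main__":
    for host, reason in silent_sources(SAMPLE_LOGS, EXPECTED_SOURCES, "2008-11-18T09:05:00").items():
        print(f"ALERT {host}: {reason}")
```

Run on a schedule against the central log store, the "no events at all" result is the one that would have caught a device cabled to the wrong interface on day one rather than after the breach.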

Small beer maybe but such incidents serve as valuable reminders and also as a good kick up the arse. I'll excuse myself from this particular one because I'd only recently started in the job, but it highlighted deficiencies in general IT processes and helped me to prioritise where to focus my efforts over the next few months.

There's little to be gained from feeling smug about incidents happening to other organisations. Interestingly, three times as many people read my blog last Friday when I commented rather sarcastically about the latest mishap at EDS than I would expect on any other day of the week. There but for the grace of god go the rest of us too....

Best Western and lessons for us all


The actual scope of the Best Western data breach is open to speculation. The Sunday Herald scoop was that "stolen login details were... put up for sale and shared on an underground website operated by a notorious branch of the Russian mafia... Once the information was online, experts estimate that it would take less than an hour to write and run a software bot... capable of harvesting every record on Best Western's European reservation system". However, this has been refuted by the company, which claims there was "some evidence" of unauthorized access to customer data by someone using a valid employee username and password, but that the compromise was limited to just one property, adding that the total number of potentially affected customers was 115.

There are some messages for all of us to take home from this incident.

- The press and blogging community will be quick to latch onto speculation about data breaches. News will spread fast. Having a good incident response and communication plan is essential. The messages that do come out from your organisation will be analysed and pulled apart. For instance - how can they be sure only 115 records were compromised? It's a very precise number.

- The reported fact that an account was compromised because of malware on a PC has not been refuted. It's a good opportunity to remind company employees to be vigilant and for network teams to double-check that all servers, devices and desktops are patched and up to date. Use this incident as an example of what can go wrong.

- We obviously don't know how the Trojan code got onto the compromised device. Perhaps the malware signatures weren't up to date, it may have been unknown malware for an unknown vulnerability, or it may have been deliberately installed by a malicious company employee.

- Don't downplay the value of the data your own business holds. Given the opportunity, criminals will steal it and trade it.

Whether or not Best Western have been the subject of one of the most audacious cyber-crimes ever, this incident serves as a timely reminder that hackers are still after our systems.


AV industry sucks


So says the CEO of Trend Micro, Eva Chen, in this new interview where she describes how a cloud-client architecture is the solution to stop malware.

It's good to finally see one of the large anti-malware vendors sticking its neck out and trying to address the problem at source. Chen says "For me for the last three years I've been feeling that the anti-virus industry sucks. If you have 5.5 million new viruses out there how can you claim this industry is doing the right job?"

Read the full story here.

Anti-Malware Testing Standards Organization


More than 40 security software technologists and anti-malware testers from around the world recently met in Bilbao, Spain to formalize the charter of the Anti-Malware Testing Standards Organization, or AMTSO. The formation of AMTSO has been driven by industry-wide concern about the increasing mismatch between what anti-malware technologies actually do, and the testing methodologies used to evaluate them.

Read more about this new organisation here:

Malware - continuing threat (Pt. 2)


In research performed during 2005 by Alexander Moshchuk, Tanya Bragin, Steven D. Gribble, and Henry M. Levy of the Department of Computer Science & Engineering at the University of Washington, 18 million URLs were crawled; spyware was found in 13.4% of the 21,100 executables discovered, and scripted "drive-by-downloads" in 5.9% of the web pages processed. You can read the research paper, entitled "A Crawler-based Study of Spyware on the Web", on the web here:

Interestingly, their research noted a reduction in drive-by-downloads when they ran the same tests again 6 months later; however, they still found that "14% of the spyware contained potentially malicious functions, such as Trojan downloaders and dialers." I'd be interested to see what the results would be of performing a similar web crawl now. I suspect they would find a higher percentage of both malicious spyware and drive-by's. Research performed by Provos, McNamee et al in their 2007 paper "The Ghost In The Browser, Analysis of Web-based Malware" would seem to support this: of 4.5 million sampled URLs, they found 450,000 "that were successfully launching drive-by-downloads of malware binaries and another 700,000 URLs that seemed malicious but had lower confidence."

More worrying is the conclusion that malware binaries frequently change to "thwart detection by anti-virus engines." Simply stated, this means that if you're relying solely on anti-virus software for protection, then you are not protected.

Malware - continuing threat (Pt. 1)


I asked the other day if "we no longer perceive malware as being such a high priority?"

According to the 2007 CSI Computer Crime & Security Survey, virus attacks impacted 52% of survey respondents during the last 12 months and accounted for over US$8.3 million worth of losses. That was still only a third of the amount lost to financial fraud, but more than the losses credited to theft of confidential data.

So, malware is definitely still an issue. Conversely, 98% of the respondents in the survey use anti-virus software, 97% firewalls, and 80% use anti-spyware software. So why are 52% suffering the consequences of malware on their systems?

Unfortunately the survey doesn't tell us what type of systems the malware affected.

There are numerous reasons why systems that are supposedly hardened and defended still become infected. For instance, change control processes not being adhered to or patches not being applied in a timely enough manner. There is also the fact that many of our defences rely upon signatures to detect malware, which is no protection at all against zero-day attacks.

Malware is also evolving. The latest Symantec Internet Threat Report describes threats affecting virtual worlds, automated evasion processes, and other advanced threats. For instance, Symantec "believes that attackers will use (persistent virtual worlds) and (massively multiplayer online games) to trick victims into installing malicious software under the pretense that the software improves functionality in the virtual world. For example, virtual worlds have embraced the concept of scripted bots that serve, entertain, and protect avatars within the virtual environment. This could provide attackers with an opportunity to compromise the environment itself."

The report goes on to describe new techniques being used to distribute malware over the internet:

"Some of the new techniques center on the distribution point, the point where the malicious code is hosted, such as a Web server. With the significant decline of network-based worms over the past several years, current malicious code frequently relies on the exploitation of client-side vulnerabilities. These exploits often use the staged downloader model in which an initial Trojan is installed on the machine and then downloads the most up-to-date version of the malicious code from a distribution point."

There are also emerging malware threats relevant to mobile devices. With smartphones able to synchronise with PCs as a standard part of device ownership, malware writers can now create code that transfers itself from the PC to the smartphone (or vice versa). By placing a virus on the smartphone, an attacker has the ability to compromise a PC, and vice versa (see "The future of mobile malware" by Shane Coursen).

Lastly, for now, it's worth mentioning that malware is a growing commercial concern for some of those writing the code. There is a whole underground economy where time on botnets, zero-day exploits, and other code can be bought and sold.

How does all this translate into action items for the business? We have to remain vigilant and deploy defence-in-depth controls. Symantec put it thus: "Employ defense-in-depth strategies, which emphasize multiple, overlapping, and mutually supportive defensive systems to guard against single-point failures in any specific technology or protection method. This should include the deployment of regularly updated antivirus, firewalls, intrusion detection, and intrusion protection systems on client systems." This, however, is only a small part of the total threat we face and the countermeasures that can be deployed. Over the next couple of blogs I'll go into more detail...