4th quarter 2010
WEAK LINKS: Changes in the methods and targets of the cybercriminals’ attacks
DESPERATE JAILBREAKERS: Is it actually safe to jailbreak an iPhone?
THE ENEMY AT THE GATE: Rogue AVs are rapidly becoming one of the biggest threats to users
ARTIFICIAL INTELLIGENCE IN THE REALM OF IT SECURITY: Autonomous systems that treat infections
THE EXPERT COMMENT
BUSINESSES UNDER ATTACK: How to protect your company from cybercriminals
www.av-school.com www.av-school.ru www.av-school.pl
Contents
News: Breakthroughs and trends in the IT security industry, pages 4-9
Report: Black Hat USA 2010: News and trends from Black Hat USA 2010, pages 10-11
Top Story: Businesses under attack: Everything you should know about corporate threats, pages 12-17
Analytics: Desperate Jailbreakers: Recent smartphone security issues, pages 18-21
Analytics: The enemy at the gate: Rogue antivirus programs on the rise, pages 22-25
Technology: Artificial Intelligence in the realm of IT security: Cyber Helper – an autonomous system that treats infections, pages 26-29
Technology: Under control: Analyzing application activities, pages 30-31
Forecasts: Weak links: Changes in the methods and targets of the cybercriminals’ attacks, pages 32-33
Interview: Keeping pace with viruses: Current malware sample processing techniques, with Nikita Shvetsov, page 34
A word from the Editor
Dear Readers,
I am sure that the majority of you reading this
work for a company of one sort or another. Ten
to one your company has its own Internet site,
communicates with its clients and partners over
email, and possibly even uses Instant Messaging
too. Often, many of you will take some work home
with you, burning the midnight oil on yet another
important document. Just the thought of working
without a computer and the Internet, or not being
able to complete an urgent job at home when you
need to, would seem utterly strange for a lot of
people these days.
So where is this all leading you may ask? Well,
working in an office, you can’t have failed to notice
that there is a security solution installed on your
computer. A similar solution should be installed
on your company’s servers where their office is
located. If that is not the case, then it is very
unfortunate indeed, but let’s put that dismal
scenario aside for now and move on.
The antivirus program, or more complex security package,
installed by your company’s systems administrators
is designed to protect your computer from attack
by criminals, but… are you sure that your company
has a complex security policy in place? If the system
administrator does not regularly install updates for
the operating systems and any third-party software
installed on the users’ computers, there can be no
guarantee that a determined cybercriminal won’t
find an unpatched vulnerability in the system and
use it to their advantage.
Are you sure that your smartphone, which you
rely on for daily business communications, or the
notebook that you or your boss are working on at
home or in the office are protected from such a banal
thing as loss? After all, if the notebook that you lost
or had stolen at the airport ended up in the hands of
specialist crooks, all of your confidential information
would be right there in front of them. At least, that
would be the case if your device didn’t happen to
have a suitable encryption solution installed and a
complex login and password security program.
However, let’s not get ahead of ourselves for
the moment. Just read this issue’s Top Story and
consider carefully whether you have closed all of
the loopholes through which a cybercriminal might
attack your company, and while we are talking
about threats, do you and your colleagues know
enough about rogue antivirus programs and how
they can penetrate your computer?
See you next issue!
Alexander Ivanyuk
Editor-in-Chief
SECUREVIEW Magazine
4TH Quarter 2010
Editor-in-Chief: Alexander Ivanyuk
Editor: Darya Skilyazhneva
Design: Svetlana Shatalova,
Roman Mironov
Production Assistants:
Rano Kravchenko
Editorial matters: editorial@secureviewmag.com
http://www.secureviewmag.com
© 1997 - 2010 Kaspersky Lab ZAO.
All Rights Reserved. Industry-leading Antivirus Software
The opinion of the Editor may not necessarily agree with
that of the author.
SECUREVIEW Magazine can be
freely distributed in the form of the
original, unmodified PDF document.
Distribution of any modified versions
of SECUREVIEW Magazine content
is strictly prohibited without explicit
permission from the editor.
Reprinting is prohibited unless with
the consent of the editorial staff.
News
www.secureviewmag.com | SECUREVIEW 4th quarter 2010 | page 4
Vulnerabilities: Deanonymizing anonymizers
Research by INRIA (the French National Institute
for Research in Computer Science and Control)
has shown that there are serious information
leaks in the BitTorrent peer-to-peer protocol and
in the clients that implement it. The leaks allow
BitTorrent users to be spied on, and an attacker
may be able to deanonymize a user even behind
an anonymizing network such as Tor.
Tor operates on the basis
of the construction of chains of
proxies, as well as multilayered
traffic encryption. The researchers
propose three methods of attack
to deanonymize BitTorrent
users on Tor.
The first method of attack consists of inspecting
the payload of certain BitTorrent control messages
and searching for the public IP address of the user.
Two messages are of particular interest: the announce
message that a client sends to the tracker in order
to collect a list of peers distributing the content,
and the extended handshake that some clients send
immediately after the application handshake, which
occasionally contains the public IP address of the user.
The second method of attack
consists of rewriting the list of
peers returned by the tracker in
order to include the IP address
of a controlled peer. As the user
will then connect directly to the
peer controlled by the attacker,
the latter can deanonymize the
user by inspecting the IP header.
Whereas this hijacking attack
is accurate, it only works when
the user relies on Tor alone
to connect to the tracker.
The third and final method of attack exploits
the DHT (Distributed Hash Table) to search for
the public IP address of a user. Tor does not
carry UDP, but BitTorrent’s DHT uses UDP for
transport, so when a BitTorrent client fails to
contact the DHT through its Tor interface it
falls back to its public interface, thereby
publishing its public IP address in the DHT.
Since the content identifier and the client’s
port number transit the exit node in the clear,
and port numbers are uniformly distributed, an
attacker can use this pair to look up the
corresponding BitTorrent user in the DHT. This
DHT attack is very accurate and works even when
the peer uses Tor to connect to other peers.
Using the hijacking and
DHT attacks, researchers
deanonymized and profiled close
to 9,000 public IP addresses
of BitTorrent users on Tor.
In particular, they have exploited
the multiplexing of streams from
different applications into the
same circuit to profile the web
browsing habits of the BitTorrent
users on Tor.
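The first of the three attacks is mechanical enough to script. The following Python, added here as an illustration and not taken from the INRIA research or from any BitTorrent client, parses one BEP 10 extended-handshake message and one HTTP tracker announce URL and reports any public IP address the client volunteered; both cross the Tor exit node in the clear. The message and URL are constructed samples; the 'ipv4', 'ipv6' and 'yourip' keys are the ones BEP 10 defines, and the tiny bencode codec is included so the block runs stand-alone.

```python
"""Flag BitTorrent messages that volunteer a client's public IP address.

Added example (not from the INRIA paper or any client). Assumes the BEP 3
HTTP announce format and the BEP 10 extended-handshake layout; the sample
message and URL below are constructed.
"""
import ipaddress
import struct
from urllib.parse import parse_qs, urlparse


def bencode(value):
    """Minimal bencode encoder for int, bytes, list and dict values."""
    if isinstance(value, int):
        return b"i%de" % value
    if isinstance(value, bytes):
        return b"%d:%s" % (len(value), value)
    if isinstance(value, list):
        return b"l" + b"".join(bencode(v) for v in value) + b"e"
    if isinstance(value, dict):
        body = b"".join(bencode(k) + bencode(v) for k, v in sorted(value.items()))
        return b"d" + body + b"e"
    raise TypeError("unsupported type %r" % type(value))


def bdecode(data, pos=0):
    """Decode one bencoded value at pos; return (value, position after it)."""
    tag = data[pos:pos + 1]
    if tag == b"i":
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if tag == b"l":
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b"e":
            item, pos = bdecode(data, pos)
            items.append(item)
        return items, pos + 1
    if tag == b"d":
        result, pos = {}, pos + 1
        while data[pos:pos + 1] != b"e":
            key, pos = bdecode(data, pos)
            result[key], pos = bdecode(data, pos)
        return result, pos + 1
    colon = data.index(b":", pos)
    length = int(data[pos:colon])
    start = colon + 1
    return data[start:start + length], start + length


# BEP 10 keys that carry addresses: ipv4/ipv6 are the sender's own public
# addresses, yourip is the address the sender sees for its peer.
ADDRESS_KEYS = (b"ipv4", b"ipv6", b"yourip")


def ip_leaks_in_extended_handshake(message):
    """Return {key: address} for address fields in one extended-handshake message.

    message is a complete peer-wire message: 4-byte big-endian length,
    message id 20 (extended), extended id 0 (handshake), bencoded dict.
    """
    if len(message) < 6:
        return {}
    length, msg_id, ext_id = struct.unpack(">IBB", message[:6])
    if msg_id != 20 or ext_id != 0 or length != len(message) - 4:
        return {}
    payload, _ = bdecode(message[6:])
    leaks = {}
    for key in ADDRESS_KEYS:
        raw = payload.get(key)
        if isinstance(raw, bytes) and len(raw) in (4, 16):
            leaks[key.decode()] = str(ipaddress.ip_address(raw))
    return leaks


def ip_in_announce_url(url):
    """Return the optional 'ip' parameter of an HTTP tracker announce, or None."""
    return parse_qs(urlparse(url).query).get("ip", [None])[0]


# Constructed samples: a client that advertises its own public address in the
# extended handshake, and an announce that carries an explicit ip= parameter.
SAMPLE_PAYLOAD = bencode({b"m": {b"ut_pex": 1},
                          b"ipv4": bytes([203, 0, 113, 7]),
                          b"v": b"ExampleClient/1.0"})
SAMPLE_HANDSHAKE = struct.pack(">IBB", len(SAMPLE_PAYLOAD) + 2, 20, 0) + SAMPLE_PAYLOAD
SAMPLE_ANNOUNCE = ("http://tracker.example/announce?info_hash=%AA%BB&peer_id=-EX0100-abcdefghijkl"
                   "&port=6881&uploaded=0&downloaded=0&left=0&ip=203.0.113.7")

if __name__ == "__main__":
    print("handshake leaks:", ip_leaks_in_extended_handshake(SAMPLE_HANDSHAKE))
    print("announce ip:", ip_in_announce_url(SAMPLE_ANNOUNCE))
```

A client that wants to stay anonymous must strip these fields before the handshake leaves the Tor circuit; a tracker announce that carries ip= is a leak by construction, because the only reason to send it is to tell the tracker an address the connection itself does not reveal.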
Encryption: Random numbers certified by Bell’s theorem
Researchers have devised a new kind of random number
generator for encrypted communications and other uses
that is cryptographically secure, inherently private
and certified random by the laws of physics.
Although the events around
us can seem arbitrary, none of
them is genuinely random in
the sense that they could not
be predicted given sufficient
knowledge. Indeed, true
randomness is almost impossible
to come by. That situation is
a source of persistent concern
to cryptographers who need
to encrypt valuable data and
messages employing a long string
of random numbers that form
a key to encode and decode the
message. For practical purposes, implementers
typically rely on mathematical algorithms called
“pseudo-random number generators” to approximate
the ideal. However, they can never be completely
certain that such a generator is invulnerable to
adversaries, or that a seemingly random sequence
is not, in fact, predictable in some manner.
Now though, Stefano Pironio and
Serge Massar from the Université
Libre de Bruxelles (ULB), in
partnership with European and
American quantum information
scientists, have demonstrated
a method for producing
a certifiably random string of
numbers based on the principles
of quantum physics. Their solution
relies on a discovery made by
physicist John Bell in 1964:
two objects can be in an exotic
condition called “entanglement”
in which their states become
so utterly interdependent that
if a measurement is performed
to determine a property of one,
the corresponding property of the
other is instantly determined as
well, even if the two objects are
separated by large distances.
Bell showed mathematically
that if the objects were not
entangled, their correlations
would have to be smaller than
a certain value, expressed
as an “inequality.” If they
were entangled, however,
the correlation rate could
be higher, “violating” the
inequality. “The important
point is that the violation of
a Bell inequality is possible
only if we are measuring
genuine quantum systems”,
says Pironio. “Therefore if
we verify a Bell inequality
violation between isolated
systems, we can be sure that
our device has produced true
randomness independently of
any experimental imperfection
or technical detail. But to build
something concrete out of
this initial intuition, we had to
quantify how much randomness
is actually produced and
whether it is secure in
a cryptographic setting.”
Source (Deanonymizing anonymizers): http://arxiv.org/PS_cache/arxiv/pdf/1004/1004.1267v1.pdf
Source (Random numbers certified by Bell’s theorem): www.physorg.com/pdf190468321.pdf
Cryptography: Laser key
Dr. Jacob Scheuer from Tel Aviv University
has developed an optical system for
distributing secret cryptographic keys
that he claims is potentially uncrackable.
Transmitting binary lock-
and-key information in
the form of light pulses,
his device ensures that a
shared key code can be
unlocked by the sender and
receiver and absolutely
nobody else. Dr. Scheuer has
found a way to secure the
transmitted ones and zeros
using light and lasers. “The
trick,” says Dr. Scheuer, “is
for those at either end of
the fiber optic link to send
different laser signals they
can distinguish between,
but which look identical to
an eavesdropper.”
“Rather than developing
the lock or the key, we’ve
developed a system which
acts as a type of key bearer,”
the researcher explains.
Antivirus Testing | The experts comment: The Rise of the Rogue AV Testers
Recently, I was sitting around
with a number of colleagues
from Kaspersky Lab, discussing
everybody’s favorite subject:
the state of AV testing these
days. During the chat,
somebody brought up the
name of a new, obscure testing
organization in the Far East.
Nobody else had ever heard
of them and so my colleague,
Aleks Gostev, jokingly called
them a “rogue Andreas Marx”.
It then occurred to us that
some of these new testing labs
that have recently appeared
mimic the tactics of Rogue AV
products. What exactly do I
mean? Well, as we know the
rogue AV business model is
based on selling a false sense
of security; we professionals
know it is fake, but the victims
don’t. People buy a Rogue AV
program hoping that it will solve
their security problems, but at
best the products do nothing
and at worst, they install
additional malware.
Rogue AV testers are somewhat
similar in behavior. In their
case, the business model is no
longer based on a false sense
of security, but instead, on a
false sense of insecurity. So,
how do they operate? Well, it
seems to start with a number
of tests which look legitimate
and mimic real world conditions.
Then, the tests slowly become
more ‘complicated’ and security
products do worse and worse.
Sometimes, the product that
did best in the previous test
suddenly becomes the worst
in the group. In other cases, all
products fail miserably. Finally,
the main idea emerges: that
all security products are bad
and utterly useless. Hence,
the false sense of insecurity
is promoted through the tests:
you are insecure, your money
was misspent – beware! Going
further, the rogue AV testers
use various techniques such as
not disclosing product names
in published test results and
attempting to sell these results
for serious amounts of money.
Here are some of the
characteristics we identified as
being specific to rogue AV testers
and that can help you to spot them:
1. They are not affiliated
with any serious testing
organization, such as AMTSO.
Sometimes, the Rogue AV
testers could also show fake
affiliations or even falsely
display (say) the AMTSO logo
on their website, in order to
remove suspicion and doubt.
2. They publish free public
reports, but charge money for
the ‘full’ reports. In general,
the public reports should look
as bad as possible for all the
tested products, to maximize
the profits from selling the
full reports.
3. The public reports are full of
charts that look complicated
and intelligent, but sometimes
reveal amusing mistakes.
4. They claim all AV (or security)
products are useless. This is
the foundation stone of any
business based on the ‘false
sense of insecurity’.
5. They charge for samples and
methodologies, usually very
large sums of money, to make
sure the flawed methodology
and samples cannot be
reviewed externally.
Reputable testers will make
samples and methodologies
freely available to the developers
of the products that they test,
and instead, charge for the
rights to publish the results in
magazines or for the permission
to use the results in marketing
materials. Charging money for
samples is a clear indication that
something wrong is going on.
There are other characteristics,
but I think everybody has got
the point by now.
Just as Rogue AV products have
exploded into one of the most
profitable crimeware categories,
I suspect Rogue AV testers will
follow and, in the process, will
also become an extremely
profitable category.
Of course, the worst thing is
that they will provide a strong,
negative value to the entire IT
security industry.
So, if you are trying to compare
security solutions, I recommend
sticking to established testing
organizations such as Virus
Bulletin, AV-TEST.ORG and AV-
COMPARATIVES or reputable
magazines with a good history
behind them. If in doubt, ask for
AMTSO affiliations and finally, do
not forget about the list of hints
that can help you to spot Rogue
AV testing behavior.
Do not become a victim of the
Rogue AV testers!
The Rise of the Rogue AV Testers, by Costin Raiu, Director of Kaspersky Lab’s Global Research & Analysis Team
Source (Laser key): http://www.sciencedaily.com/releases/2010/03/100323121834.htm
Social Networks: Fundamental privacy limits of recommendations
A group of researchers have
demonstrated the fundamental
limits of privacy in social
networks with personalized
recommendations. The
recommendations cannot
be made without disclosing
sensitive links between users.
Facebook recommends
new contacts based on
the pattern of connections
between existing users, whilst
Amazon recommends books
and other products based on
purchase histories and Netflix
recommends movies based on
historical ratings. To be sure,
these sites produce helpful
results for users that in turn
can dramatically increase sales
for the merchant, but they can
also compromise privacy.
For example, a social network
recommendation might reveal
that one person has been in
email contact with another, or
that an individual has bought
a certain product or watched
a specific film. It may even be
a breach of privacy to discover
that your friend doesn’t trust
your judgment in books.
The researchers say that privacy
breaches are inevitable when networks
are exploited in this way. In fact,
they have worked out a fundamental
limit to the level of privacy that
is possible when social networks are
mined for recommendations.
The scientists’ approach is
to consider a general graph
consisting of various nodes
and the links between them.
This may be a network in
which the nodes are books,
say, and a link between
two nodes represents the
purchase of one book by the
owner of another. The team
considers all these links to
be private information. Then
researchers consider an
attacker who wants to work
out the existence of a link in
the graph from a particular
recommendation. So given
the knowledge that people
who bought book X also
bought book Y, is it possible to
determine a purchase decision
made by a specific individual?
To do this, the scientists define
the privacy differential of a
recommendation as the ratio between
the likelihood that the website makes
that recommendation when the private
purchase in question is present in
the graph and the likelihood when it
is absent. They then ask how accurate
recommendations can be made while
keeping this privacy differential small.
It turns out that there is a tradeoff
between the accuracy of the
recommendation and the privacy of the
network, so some loss of privacy is
inevitable for a good recommendation
engine.
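The privacy differential can be computed for a toy recommender. The Python below is an added example and not the researchers' code: it builds a "people who bought X also bought Y" recommender over a constructed purchase graph, draws the recommendation with the exponential mechanism (an assumption; the paper's own mechanism is not described above), and measures the worst-case ratio of recommendation likelihoods with and without one private purchase. Because adding or removing one purchase moves any co-purchase count by at most 1, the differential is bounded by e^ε, and the accuracy column shows the tradeoff the article describes.

```python
"""Privacy differential of a 'customers who bought X also bought Y' recommender.

Added example, not from the paper. Recommendations are drawn with the
exponential mechanism over co-purchase counts; the purchase graph is constructed.
"""
import math

CATALOG = ("X", "Y", "Z")

# Constructed purchase graph: user -> items bought. Each link is private.
PURCHASES = {
    "alice": {"X", "Y"},
    "bob": {"X", "Y"},
    "carol": {"X", "Z"},
    "dave": {"X", "Y", "Z"},
    "erin": {"Y"},
}


def co_purchase_counts(purchases, item):
    """How many buyers of `item` also bought each other item."""
    counts = {}
    for basket in purchases.values():
        if item in basket:
            for other in basket - {item}:
                counts[other] = counts.get(other, 0) + 1
    return counts


def recommendation_distribution(purchases, item, epsilon, catalog=CATALOG):
    """P(recommend y | graph) = exp(eps*count(y)/2) / sum over candidates.

    Adding or removing one purchase changes any count by at most 1, so this
    exponential mechanism satisfies eps-differential privacy: the privacy
    differential below can never exceed exp(eps).
    """
    counts = co_purchase_counts(purchases, item)
    weights = {y: math.exp(epsilon * counts.get(y, 0) / 2) for y in catalog if y != item}
    total = sum(weights.values())
    return {y: w / total for y, w in weights.items()}


def without_link(purchases, user, item):
    """The neighbouring graph: identical except one private purchase is absent."""
    copy = {u: set(basket) for u, basket in purchases.items()}
    copy[user].discard(item)
    return copy


def privacy_differential(purchases, user, item, query_item, epsilon):
    """Largest ratio, over all recommendations, of the likelihood of making that
    recommendation with the private link (user bought item) and without it."""
    with_link = recommendation_distribution(purchases, query_item, epsilon)
    no_link = recommendation_distribution(without_link(purchases, user, item), query_item, epsilon)
    return max(max(with_link[y] / no_link[y], no_link[y] / with_link[y]) for y in with_link)


def accuracy(purchases, item, epsilon):
    """Probability that the mechanism recommends the true top co-purchase."""
    counts = co_purchase_counts(purchases, item)
    best = max(counts, key=counts.get)
    return recommendation_distribution(purchases, item, epsilon)[best]


if __name__ == "__main__":
    for eps in (0.1, 0.5, 1.0, 2.0, 8.0):
        print("eps=%.1f  differential=%.3f (bound %.3f)  accuracy=%.3f"
              % (eps, privacy_differential(PURCHASES, "dave", "Y", "X", eps),
                 math.exp(eps), accuracy(PURCHASES, "X", eps)))
```

Running it shows the differential climbing towards its bound as ε grows while accuracy climbs towards 1; an exact recommender (ε → ∞) has an unbounded differential, which is the sense in which a good recommendation engine must leak.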
Source (Fundamental privacy limits of recommendations): http://www.technologyreview.com/blog/arxiv/25146/
Photo caption: Amazon recommends books and other products based on purchase histories
Online Services Threats: Hijacking Google services
An international research
team has demonstrated the
possibility of hijacking Google
services and reconstructing
users’ search histories.
Firstly, with the exception of a few
services that can only be accessed
over HTTPS (e.g. Gmail), the researchers
found that many Google services are
still vulnerable to simple session
hijacking: the session cookie travels
in the clear whenever the browser
talks to one of the HTTP-only services,
and anyone on the path can capture
and replay it.
Next they presented the Historiographer,
a novel attack that reconstructs the
web search histories of Google users
(Google’s Web History), even though
that service is supposedly protected
from session hijacking by a stricter
access control policy. The attack
exploits the fact that signed-in users
receive personalized search suggestions
based on their previously searched
keywords: the Historiographer feeds
prefixes to the search engine using the
hijacked session and infers the history
from the personalized suggestions it
gets back.
The researchers showed that
almost one third of monitored
users were signed in to their
Google accounts, and of
those, half had their Web
History enabled, thus leaving
themselves vulnerable to this
type of attack.
The attacks demonstrated are general
and highlight concerns about the
privacy of mixed architectures that
use both secure and insecure
connections. The research data was
sent to Google, which decided to
temporarily suspend search suggestions
drawn from Web History and to serve
Google Web History pages over
HTTPS only.
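The two steps, stealing a session over an insecure connection and then milking the personalized suggestions, fit in a short simulation. The Python below is an added example and a deliberately simplified model, not the researchers' tool: the suggestion service, the victim's history, the generic suggestion list, the cookie name "SID" and the captured request are all constructed, and the attacker simply queries every two-letter prefix twice, once anonymously and once with the stolen cookie, keeping whatever appears only in the personalized answer. A second service instance models the mitigation Google chose, withholding history-based suggestions.

```python
"""Rebuilding a search history from personalised suggestions.

Added example: a simplified model of the Historiographer attack, not the
researchers' code. The victim's history, the generic suggestion list, the
session-cookie name and the captured HTTP request are all constructed.
"""
import string

SESSION_COOKIE = "SID"  # assumed name of the cookie that identifies the signed-in user

# Constructed data: the private history the attacker wants, and the generic
# completions every anonymous user gets.
VICTIM_HISTORY = ["bankruptcy lawyer", "baltimore oncology clinic",
                  "cheap flights lagos", "chess openings"]
GENERIC_SUGGESTIONS = ["bank of america", "baltimore ravens", "chess", "cheap flights"]

# Constructed cleartext request to a service that is still served over HTTP;
# the cookie rides along in the clear, which is the session-hijacking step.
CAPTURED_REQUEST = (
    "GET /search?q=weather HTTP/1.1\r\n"
    "Host: www.example-search.com\r\n"
    "Cookie: PREF=ID=abc; SID=sid-victim-42; NID=xyz\r\n"
    "\r\n"
)


def sid_from_cleartext_request(raw):
    """Pull the session cookie out of a sniffed HTTP request."""
    for line in raw.split("\r\n"):
        if line.lower().startswith("cookie:"):
            for part in line.split(":", 1)[1].split(";"):
                name, _, value = part.strip().partition("=")
                if name == SESSION_COOKIE:
                    return value
    return None


class SuggestionService:
    """Suggest endpoint: anonymous callers get generic completions, a caller
    with a valid session cookie also gets completions from that account's
    history. personalised=False models the mitigation of withholding
    history-based suggestions."""

    def __init__(self, histories, generic, personalised=True, limit=10):
        self.histories, self.generic = histories, generic
        self.personalised, self.limit = personalised, limit

    def suggest(self, prefix, sid=None):
        personal = []
        if self.personalised and sid in self.histories:
            personal = [h for h in self.histories[sid] if h.startswith(prefix)]
        generic = [g for g in self.generic if g.startswith(prefix)]
        return (personal + generic)[:self.limit]


def reconstruct_history(service, sid, alphabet=string.ascii_lowercase):
    """Attacker side: query every two-letter prefix once anonymously and once
    with the stolen cookie; whatever only the personalised reply contains
    must have come from the victim's history."""
    recovered = set()
    for first in alphabet:
        for second in alphabet:
            prefix = first + second
            anonymous = set(service.suggest(prefix))
            personal = set(service.suggest(prefix, sid=sid))
            recovered |= personal - anonymous
    return sorted(recovered)


SERVICE = SuggestionService({"sid-victim-42": VICTIM_HISTORY}, GENERIC_SUGGESTIONS)
HARDENED_SERVICE = SuggestionService({"sid-victim-42": VICTIM_HISTORY}, GENERIC_SUGGESTIONS,
                                     personalised=False)

if __name__ == "__main__":
    sid = sid_from_cleartext_request(CAPTURED_REQUEST)
    print("stolen SID:", sid)
    print("recovered history:", reconstruct_history(SERVICE, sid))
    print("after mitigation:", reconstruct_history(HARDENED_SERVICE, sid))
```

The lesson for anyone running a mixed HTTP/HTTPS site is in the first function: a cookie that is honoured by a protected service but transmitted to an unprotected one makes the stricter access policy irrelevant, which is why the cookie needs the Secure attribute and the whole property needs to move to HTTPS.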
Source (Hijacking Google services): http://arxiv.org/PS_cache/arxiv/pdf/1003/1003.3242v3.pdf
Visualizing the malicious web
Researcher Stephan Chenette has
released a Firefox plug-in called
FireShark that builds visual
diagrams of the connections between
criminal sites and of the schemes
used to distribute malicious code.
The plug-in captures web traffic
from the browser, logs events and
saves downloaded content to disk
for post-processing analysis.
The software has the
potential to become a very
powerful forensics and
antimalware tool.
The plugin can be
downloaded free of charge
from the author’s site.
Encryption: Record in quantum key bit rate
Toshiba Research Europe’s
Cambridge lab has announced
an important breakthrough in
quantum encryption.
The researchers have
succeeded in demonstrating
the continuous operation
of quantum key distribution
with a secure bit rate
exceeding 1 megabit per
second over 50 km of fiber
for the first time. Averaged
over a 24 hour period, this
is 100–1000 times higher
than anything reported
previously for a 50 km link.
It was achieved using two
innovations: a novel light
detector for high bit rates
and a feedback system which
maintains a high bit rate at all
times and requires no manual
set-up or adjustment.
Significantly, the higher key rate
brings “one-time pad” encryption,
a method that is in theory
perfectly secret, closer to
everyday use. Although ultra-secure,
one-time pad encryption has seen
little use because it requires the
transmission of very long secret
keys, the same length as the data
itself, and every part of a key may
be used only once. For this reason
it has only been used for short
messages in situations requiring
very high security, for example by
the military and security services.
The achieved bit rate extends the
reach of this ultra-secure
communication method: a link that
delivers 1 megabit of secure key
per second can pad at most
1 megabit of data per second.
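What the key rate actually buys, and the one mistake that breaks the scheme outright, can be shown in a few lines. The Python below is an added example, not Toshiba's code: it implements the one-time pad over a key pool that hands out each byte exactly once, converts a message size into seconds of link time at the 1 Mbit/s secure rate reported above, and demonstrates that reusing any stretch of pad cancels the key, so that c1 XOR c2 equals m1 XOR m2 and one known plaintext reveals the other. The key material is a constructed, non-random byte string so the run is reproducible; a real deployment would use the bits delivered by the QKD link.

```python
"""One-time pad fed from a bounded key budget, and why the key must never be reused.

Added example (not Toshiba's code). Key material is a constructed byte string
standing in for bits delivered by a QKD link; the 1 Mbit/s figure is the
secure key rate reported above.
"""

SECURE_KEY_RATE_BPS = 1_000_000  # secure bit rate reported for the 50 km link


def otp_xor(data, key):
    """XOR data with a key of at least the same length (encrypts and decrypts)."""
    if len(key) < len(data):
        raise ValueError("one-time pad needs a key at least as long as the message")
    return bytes(d ^ k for d, k in zip(data, key))


class KeyPool:
    """Key material from the QKD link; every byte is handed out exactly once."""

    def __init__(self, material):
        self._buffer = bytearray(material)
        self.consumed = 0

    def can_take(self, n):
        return n <= len(self._buffer)

    def take(self, n):
        """Remove and return n bytes; refuse rather than reuse when the pool is empty."""
        if not self.can_take(n):
            raise RuntimeError("key pool exhausted; wait for the QKD link to deliver more key")
        key = bytes(self._buffer[:n])
        del self._buffer[:n]
        self.consumed += n
        return key

    def remaining(self):
        return len(self._buffer)


def seconds_of_key_for(message_bytes, rate_bps=SECURE_KEY_RATE_BPS):
    """Link time needed to deliver enough key for a message of this size."""
    return message_bytes * 8 / rate_bps


def two_time_pad_leak(c1, c2):
    """If one pad covers two messages, c1 XOR c2 equals m1 XOR m2: the key
    drops out, and knowing either plaintext reveals the other."""
    return bytes(a ^ b for a, b in zip(c1, c2))


# Constructed, NOT random, key material so the example is reproducible.
SAMPLE_KEY_MATERIAL = bytes((i * 97 + 31) % 256 for i in range(64))

if __name__ == "__main__":
    pool = KeyPool(SAMPLE_KEY_MATERIAL)
    message = b"attack at dawn"
    key = pool.take(len(message))
    ciphertext = otp_xor(message, key)
    print("ciphertext:", ciphertext.hex(), "decrypts to", otp_xor(ciphertext, key))
    print("key left in pool:", pool.remaining(), "bytes")
    print("seconds of link time for a 1 MB message:", seconds_of_key_for(1_000_000))
    # Misuse: the same key stretch protects a second message.
    other = b"retreat at one"
    leak = two_time_pad_leak(ciphertext, otp_xor(other, key))
    print("attacker who knows the first message recovers:", otp_xor(leak, message))
```

The throughput figure is the practical caveat: at 1 Mbit/s of secure key, a one-time pad channel carries 125 kB/s, which is why the article frames the record as opening the door to everyday use rather than to bulk traffic.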
Source (Record in quantum key bit rate): http://www.toshiba-europe.com/research/crl/qig/Press2010-04-19-qcbreakthrough.html
Quantum Computations: Uncounterfeitable currency
A new scheme for making
quantum money could lead to cash
that cannot be counterfeited.
Just like ordinary cash,
quantum cash would be
exchanged in lieu of goods.
It would be sent and received
over the Internet without the
need to involve third parties
such as banks and credit card
companies. That would make
transactions anonymous and
difficult to trace, unlike today’s
online transactions which
always leave an electronic
paper trail. That’s one big
advantage over today’s money.
Another is that quantum states
cannot be copied (the no-cloning
theorem), so quantum cash cannot be forged.
But quantum cash must have
another property: anybody
needs to be able to check that
the money is authentic. That
turns out to be hard because
the measurement of quantum
states tends to destroy them.
It’s like testing regular dollar bills
by seeing whether they burn.
But there is a way around this
based on the ideas behind
public-key encryption. The idea
here is to find a mathematical
process that is easy to do
in one direction but hard
in the opposite direction.
Multiplication is the famous
example. It’s easy to multiply
two numbers together to get
a third but hard to start with
the third number and work
out which two factors created
it. The question for quantum
money gurus is whether a
similarly asymmetric process
will provide similar security
assurances for quantum cash.
A research group led by
Edward Farhi has developed
secure quantum cash based
on a new kind of asymmetry.
The scientists took their
inspiration from knot theory,
a branch of topology that
deals with knots and links.
The purported security of the
proposed quantum money
scheme is based on the
assumption that given two
different looking but equivalent
knots, it is difficult to explicitly
find a transformation that turns
one into the other.
Source (Uncounterfeitable currency): http://www.technologyreview.com/blog/arxiv/25135/
Source (Visualizing the malicious web): http://www.fireshark.org/
Figure caption: For example, FireShark makes it easy to see compromised legitimate sites redirecting users to malicious domains
Wireless Security: Securing RFID
Egyptian researchers have proposed
a mutual authentication protocol
that prevents attacks on low-cost RFID tags.
RFID systems are vulnerable
to a broad range of malicious
attacks ranging from passive
eavesdropping to active
interference. Unlike in wired
networks where computing
systems typically have
both centralized and host-
based defenses such as
firewalls, attacks against
RFID networks can target
decentralized parts of the
system infrastructure, since
RFID readers and RFID tags
operate in an inherently
unstable and potentially
noisy environment.
RFID tags may pose a considerable
security and privacy risk to the
organizations and individuals using
them. Since a typical tag returns its
ID to any reader, and the returned ID
is always the same, an attacker can
read a tag once and replay that ID
from a bogus tag, cloning it.
Unprotected tags may therefore be
vulnerable to eavesdropping, location
tracking, spoofing or denial-of-service
attacks.
Low-cost RFID tags like
Electronic Product Codes (EPC)
are poised to become the most
pervasive devices in history.
There are already billions of
RFID tags on the market being
used for applications like supply-
chain management, inventory
monitoring, access control
and payment systems. When
designing a really lightweight
authentication protocol for
low cost RFID tags, a number
of challenges arise due to the
extremely limited computational,
storage and communication
abilities of such devices.
The scientists propose modifications
to the Gossamer mutual authentication
protocol used by such tags. The
proposed protocol is designed against
passive attacks; active attacks are
left out of scope, as is usual when
designing a protocol within the
resource limits of low-cost tags. The
analysis shows that the modifications
raise the security level of Gossamer
and prevent eavesdropping on the
public messages exchanged between
reader and tag, without affecting
Gossamer’s computational, storage or
communication cost.
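The difference between a tag that answers with a fixed ID and one that runs a mutual challenge-response can be seen in a short simulation. The Python below is an added illustration and is not Gossamer: it uses a truncated HMAC-SHA256, far heavier than the rotations and additions an EPC-class tag can afford, but the message flow (reader challenge, tag proof, reader proof, pseudonym update on both sides) is the part worth seeing. Keys, identifiers and challenges are constructed, and the reader's database and the attacker's eavesdrop-then-replay are modelled in plain functions.

```python
"""Why a static tag ID is clonable, and what a challenge-response tag adds.

Added illustration, not Gossamer: the keyed-hash MAC here is far heavier than
what an EPC-class tag can afford, but the message flow (reader challenge, tag
proof, reader proof, pseudonym update) is the point. Keys, identifiers and
challenges are constructed.
"""
import hashlib
import hmac
import os


def mac(key, *parts):
    """Truncated keyed hash standing in for an ultralightweight function."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()[:8]


class StaticIdTag:
    """EPC-style tag: answers every reader with the same identifier."""

    def __init__(self, tag_id):
        self.tag_id = tag_id

    def respond(self, challenge):
        return self.tag_id


class ChallengeResponseTag:
    """Tag sharing a key with the back end; proves the key on a fresh challenge
    and rotates its pseudonym afterwards so successive reads cannot be linked."""

    def __init__(self, pseudonym, key):
        self.pseudonym, self.key = pseudonym, key

    def respond(self, challenge):
        return self.pseudonym, mac(self.key, self.pseudonym, challenge)

    def confirm(self, reader_proof, challenge):
        """Mutual side: accept the reader only if it knows the key too, then rotate."""
        if not hmac.compare_digest(reader_proof, mac(self.key, challenge, self.pseudonym)):
            return False
        self.pseudonym = mac(self.key, b"next", self.pseudonym)
        return True


class Reader:
    def __init__(self, static_ids=(), keyed=None):
        self.static_ids = set(static_ids)
        self.keyed = dict(keyed or {})  # current pseudonym -> shared key

    def fresh_challenge(self):
        return os.urandom(8)

    def verify_static(self, response):
        return response in self.static_ids

    def verify(self, challenge, response):
        """Check the tag's proof; on success rotate the stored pseudonym in step
        with the tag and return the reader's own proof, else None."""
        pseudonym, proof = response
        key = self.keyed.get(pseudonym)
        if key is None or not hmac.compare_digest(proof, mac(key, pseudonym, challenge)):
            return None
        del self.keyed[pseudonym]
        self.keyed[mac(key, b"next", pseudonym)] = key
        return mac(key, challenge, pseudonym)


def authenticate(reader, tag, challenge):
    """One full reader/tag exchange; True only if both sides accept."""
    reader_proof = reader.verify(challenge, tag.respond(challenge))
    return reader_proof is not None and tag.confirm(reader_proof, challenge)


def clone_static_tag(reader, tag, challenge):
    """Read the ID once, load it into a bogus tag, present the bogus tag."""
    bogus = StaticIdTag(tag.respond(challenge))
    return reader.verify_static(bogus.respond(os.urandom(8)))


def replay_challenge_response(reader, tag, captured_challenge, new_challenge):
    """Eavesdrop one exchange, replay the tag's answer under a new challenge."""
    captured = tag.respond(captured_challenge)
    return reader.verify(new_challenge, captured) is not None


if __name__ == "__main__":
    reader = Reader(static_ids=[b"E200-0001"], keyed={b"pseud-1": b"k" * 16})
    print("static tag cloned:", clone_static_tag(reader, StaticIdTag(b"E200-0001"), b"\x01" * 8))
    tag = ChallengeResponseTag(b"pseud-1", b"k" * 16)
    print("replay against challenge-response:",
          replay_challenge_response(reader, tag, b"\x01" * 8, reader.fresh_challenge()))
    print("genuine mutual authentication:", authenticate(reader, tag, reader.fresh_challenge()))
```

Two details matter for the page's point about passive attackers: the tag's proof is bound to a challenge the reader chose, so a recorded answer is useless later, and the pseudonym changes after every successful run, so an eavesdropper cannot even track the tag between reads. What the simulation does not model is the desynchronisation an active attacker can cause by interrupting the last message, which is exactly the class of attack the article says the modified protocol leaves out of scope.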
Source (Securing RFID): http://airccse.org/journal/nsa/0410ijnsa3.pdf
What web programming language is the most secure?
Security-conscious organizations
evaluate a large number of
developmental technologies for
building websites. The question
often asked is, “What is the
most secure programming
language or development
framework available?”
WhiteHat Security has issued a
report which highlights the answer.
The report’s Top-10
key findings are:
• Empirically, programming
languages/frameworks do
not have similar security
postures when deployed
in the field. They are shown
to have moderately different
vulnerabilities, with different
frequencies of occurrence,
which are fixed in different
amounts of time.
• The size of a web application’s
attack surface alone does
not necessarily correlate
to the volume and type of
issues identified. For example
Microsoft’s .NET and Apache
Struts, with near-average
attack surfaces, turned
in the two lowest historical
vulnerability averages.
• Perl had the highest average
number of vulnerabilities
found historically by a wide
margin, at 44.8 per website
and also the largest number
currently at 11.8.
• Struts edged out Microsoft’s .NET
for the lowest average number of
currently open vulnerabilities
per website, at 5.5 versus 6.2.
• Cold Fusion had the second
highest average number of
vulnerabilities per website
historically at 34.4, but has
the lowest likelihood of having
a single serious unresolved
vulnerability if currently
managed under WhiteHat
Sentinel (54%). Closely
following was Microsoft ASP
Classic, which at 57% beat
its successor Microsoft .NET
by a single point.
• Perl, Cold Fusion, JSP and PHP
websites were the most likely to
have at least one serious
vulnerability, at roughly 80%
of the time. The other languages
and frameworks were within ten
percentage points of that.
• Among websites containing URLs
with Microsoft .NET extensions,
36% of their vulnerabilities had
Microsoft ASP Classic extensions.
Conversely, 11% of the
vulnerabilities on ASP websites
had Microsoft .NET extensions.
• 37% of Cold Fusion
websites had SQL Injection
vulnerabilities, the highest
of all measured, while Struts
and JSP had the lowest with
14% and 15%.
• At an average of 44 days, SQL
Injection vulnerabilities were
fixed the fastest on Microsoft
ASP Classic websites, just
ahead of Perl (PL) at 45 days.
• 79% of “Urgent” severity SQL
Injection vulnerabilities were
fixed on Struts websites, the most
of the field, followed by
Microsoft’s .NET at 71%, Perl at
71% and the remainder between
58% and 70%.
The report is based on data
from 1,659 websites.
Source (What web programming language is the most secure?): http://www.whitehatsec.com/home/resource/stats.html
Security Threats: Protecting hypervisors
One of the major threats to
virtualization and cloud computing
is malware that, having compromised
one customer’s virtual machine,
spreads to the underlying hypervisor
and from there to the systems of
other customers. In short, a key
concern is that one cloud computing
customer could download a virus,
such as one that steals user data,
and that virus could then spread to
the systems of all the other customers.
“If this sort of attack is feasible,
it undermines consumer
confidence in cloud computing
since consumers couldn’t trust
that their information would
remain confidential,” said Xuxian
Jiang, Assistant Professor of
Computer Science at North
Carolina State University.
Blue Pill, demonstrated by Polish
security researcher Joanna Rutkowska,
is an example of such an attack:
a rootkit that bypasses the digital
signature check for kernel-mode
drivers, installs itself beneath the
running operating system as a thin
hypervisor and intercepts the
operating system’s calls.
But Jiang and his Ph.D. student
Zhi Wang have now developed
a piece of software called
HyperSafe that leverages existing
hardware features to secure
hypervisors against such attacks.
“We can guarantee the integrity
of the underlying hypervisor
by protecting it from being
compromised by any malware
downloaded by an individual user,”
Jiang says. “By doing so, we can
ensure the hypervisor’s isolation.”
For malware to affect a
hypervisor, it typically needs
to run its own code in the
hypervisor. HyperSafe utilizes two
components to prevent that from
happening. First, the HyperSafe
program “has a technique
called ‘non-bypassable memory
lockdown’, which explicitly and
reliably bars the introduction
of new code by anyone other than
the hypervisor administrator,” Jiang
says. “This also prevents attempts
to modify existing hypervisor code
by external users.”
Secondly, HyperSafe uses
a technique called ‘restricted
pointer indexing’. This technique
“initially characterizes the
hypervisor’s normal behavior and
then prevents any deviation from
that profile,” Jiang says. “Only
the hypervisor administrators
themselves can introduce changes
to the hypervisor code.”
Cyber Security: Investigating global cyber espionage
An international team
of researchers has published
a report about global cyber
espionage systems titled
“Shadows in the Cloud”.
The report contains the results of
their investigations into a complex
cyber espionage ecosystem that
as the authors say, “Systematically
compromised government,
business, academic and other
computer network systems in
India, the offices of the Dalai
Lama, the United Nations and
several other countries”. The report
also contains an analysis of data
stolen from politically sensitive
targets and recovered during the
course of the investigation.
The report analyzes the malware
ecosystem employed by the
Shadows’ attackers, which
leveraged multiple redundant
cloud computing systems, social
networking platforms and free
web hosting services.
The following is a summary
of the report’s main findings:
• The cyber espionage
network is complex
• The theft of classified and
sensitive documents is rife
• There is evidence of
collateral compromise
• The command-and-control
infrastructure leverages
cloud-based social
media services
• There are links to the
Chinese hacking community
Technology: Better remote entrusting
Researchers are proposing
a paradigm-shifting solution
to trusted computing that
offers better security and
authentication. The European
RE-TRUST project (http://re-trust.dit.unitn.it/)
promotes a technology that ensures
remote, real-time entrusting on
an untrusted machine via the network.
Remote entrusting provides
continuous entrustment for the
execution of a software component
by a remote machine, even though
the software component is running
within an untrusted environment.
The proposed technology provides
both software-only and hardware-
assisted remote entrusting.
Whereas hardware-assisted
entrusting requires a special
chip either on the computer’s
motherboard or inserted into
a USB drive, RE-TRUST uses
logical components on an
untrusted machine to enable
a remote entrusting component
to authenticate, via the network,
the untrusted machine’s operation
during runtime. The aim is to
verify that the software is running
as intended and that its code
integrity is maintained. The project
presents this as coming close to
guaranteeing the integrity of the
monitored component, although
software-only attestation running on
an untrusted host can raise the cost
of tampering but cannot rule it out.
Source (Investigating global cyber espionage): http://Shadows-in-the-Cloud.net
Source (Better remote entrusting): http://www.sciencedaily.com/releases/2010/04/100413131939.htm
Figure caption: Concentrations of non-unique IP addresses of compromised hosts (from the report “Shadows in the Cloud”)
Figure caption: Entrusting by remote software authentication during execution
Source (Protecting hypervisors): http://www.scientificcomputing.com/news-HPC-New-Security-for-Virtualization-Cloud-Computing-050310.aspx
Report | Black Hat USA 2010
www.secureviewmag.com | SECUREVIEW 4th quarter 2010 | 10
Las Vegas – The Security Researchers’ Oasis
Article by Stefan Tanase
Stefan is a Senior Security Researcher for Kaspersky Lab. He specializes in web application security, web-based threats and malware 2.0. Stefan is involved in several innovative research projects, ranging from malware databases or honeypots to web crawlers which continuously scan the Internet to identify and neutralize the latest threats. As a member of the Global Research and Analysis Team, Stefan publishes analyses of hot information security topics on threatpost.com and securelist.com, the Kaspersky Lab information and education portals on viruses, hackers and spam. Stefan is also frequently invited to speak at major international security conferences such as Virus Bulletin, RSA and AVAR.
Each year, the entire security industry waits for the Black Hat Briefings in the sweltering Las Vegas desert. This year was no different, with more than 6,000 people interested in security gathered from all over the world at Caesars Palace, Las Vegas, Nevada – the place where the conference is traditionally held. From private companies and government agencies through to security researchers, system administrators and law enforcement officers - everybody was there. “Security researchers from all over the world come to Black Hat to identify security threats and work collectively to create solutions. The Black Hat community is one of the greatest assets we have for defending the safety and security of the Internet,” said Jeff Moss, founder of Black Hat.
[Figure: Caesars Palace – the place to be for Black Hat]
Black Hat is the place where IT and computer security happens. Now in its 13th year, the conference is where researchers’ latest findings are published, during presentations spread over 11 conference tracks and two days.
The two opening keynotes this year were delivered by Jane Holl Lute, the current Deputy Secretary of Homeland Security, and Michael Vincent Hayden, former Director of both the National Security Agency and the Central Intelligence Agency. This doesn’t come as a surprise, especially after Jeff Moss, the founder of the Black Hat and DEF CON conferences, was sworn in to the Homeland Security Advisory Council of the Barack Obama administration.
This year’s event featured more than 200 speakers discussing their latest research around essential security topics ranging from infrastructure, reverse-engineering, malware +, fingerprinting and exploitation, to the latest topics in IT technology - cloud/virtualization and cyber war and peace.
Jackpotting ATMs
One of the most highly anticipated talks
at Black Hat USA 2010 was delivered by
Barnaby Jack, Director of Research at
IOActive Labs. Barnaby discussed two types
of attacks against automated teller machines
(ATMs) running Windows CE: the first one was
a physical attack using a master key which
can be purchased on the Internet and a USB
stick to overwrite the machine’s firmware with
a custom-built rootkit; the second one was a
remote attack exploiting a vulnerability in the
ATMs’ remote administration authentication
mechanism which allowed the attacker to
remotely rewrite the firmware.
The talk itself was eye-opening and
disappointing at the same time. It was
amazing to see the depth that Barnaby
had achieved when reverse-engineering
the ATMs and building a custom software
tool called ‘Dillinger’ to overwrite the
machine’s operating system, take complete
control of the ATM and send commands
which remotely instructed the ATM to start
dispensing cash. Incidentally, ‘Dillinger’ is
named after the famous bank robber. The
disappointing part from an avid researcher’s
point of view was that he only focused on
Windows CE-based ATMs, an old operating
system which is not widely used in other
regions of the world.
For instance, the two attacks that
Barnaby demonstrated, the physical and
the remote attack, would not be possible in
most European countries, but it’s a whole
different story in the United States.
All in all, seeing such progress being made
in ATM security research definitely makes
you think twice about using ATMs, especially
when traveling. In fact, with the amount of
skimming going on anyway, why not avoid
using ATMs altogether?
The Client-Side
Boogaloo
Nicholas Percoco and Jibran Ilyas,
members of Trustwave’s SpiderLabs team,
presented Malware Freak Show 2010, a talk
that extended their initial Malware Freak
Show presentation delivered at DEFCON
17 in 2009. This year’s talk explored four of
the most interesting new pieces of malware
that were obtained during more than 200
investigations they conducted in 2009.
An interesting fact which emerged as a
result of combining intelligence from cases
they were both involved in was that attackers
spend an average of 156 days exploring a
victim network before getting caught. This is
an alarmingly high number which confirms how
low the general level of security awareness
and education is among businesses.
The presentation included the anatomy
of a successful malware attack, a profile
on each sample and victim and a live
demonstration of each piece of malware
discussed: a memory rootkit, a Windows
credentials stealer, a network sniffer rootkit
and a targeted attack malware program that
uploads documents to an FTP server.
Tracking Cyber Spies
and Digital Criminals
Greg Hoglund, who literally wrote the
book on Windows rootkits, presented some
techniques to track down the origins of
malware samples. Malware attribution,
which is defined by Greg as “Finding the
humans behind the malware,” aims to know
more about the people who create malicious
files. This type of information can be very
useful during forensic investigations.
His basic premise is that software is not
easy to write and programmers adhere to
the “if it ain’t broke, don’t fix it” principle.
Once a programmer has written a piece
of code which works, they are not going to
rewrite it, but instead will most likely reuse it
at every opportunity.
Each cybercriminal or cybercrime group
normally reuses the code that they create.
To prove this, Greg performed a case study
on a Chinese RAT (Remote Administration
Tool) called ‘gh0st RAT’. He showed the
audience how he discovered that malware
samples from 2010 are still using code from
2005 – making it possible to link five-year-
old samples together. These techniques are
very developer-specific.
In his conclusion, Greg called on the security
community to understand that generally it
is better to focus on identifying the authors
behind the malware than the malware itself.
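The code-reuse premise above, as an added example of my own (not Hoglund's tooling; the listings are constructed stand-ins for normalized disassembly, not gh0st RAT code, and every name is mine): winnowed k-gram fingerprints link two builds that carry the same routine, locate the shared bytes, and cluster samples by overlap.

```python
"""Linking malware samples by reused code fragments.

Added example, not Greg Hoglund's tooling. Each sample is fingerprinted with
winnowed k-gram hashes (Schleimer, Wilkerson and Aiken's winnowing), so a
routine pasted unchanged into a later build yields the same fingerprints
whatever surrounds it. Samples are then clustered by fingerprint overlap and
the shared bytes are located. The listings below are constructed stand-ins
for normalized disassembly, not real gh0st RAT code.
"""
import hashlib
from collections import defaultdict

K = 8   # k-gram length in bytes
W = 4   # winnowing window: at least one hash out of every W consecutive k-grams is kept


def fingerprint(data: bytes) -> dict[int, int]:
    """Map each selected k-gram hash to the first offset at which it was selected."""
    hashes = [
        (int.from_bytes(hashlib.blake2b(data[i:i + K], digest_size=8).digest(), "big"), i)
        for i in range(len(data) - K + 1)
    ]
    selected: dict[int, int] = {}
    for start in range(max(len(hashes) - W + 1, 0)):
        h, pos = min(hashes[start:start + W], key=lambda t: (t[0], -t[1]))  # rightmost minimum
        selected.setdefault(h, pos)
    return selected


def similarity(fp_a: dict[int, int], fp_b: dict[int, int]) -> float:
    """Jaccard overlap of two fingerprint sets."""
    a, b = set(fp_a), set(fp_b)
    return len(a & b) / len(a | b) if a or b else 0.0


def shared_regions(a: bytes, b: bytes, min_len: int = 16) -> list[tuple[int, int, int]]:
    """Return (offset_in_a, offset_in_b, length) for byte runs present in both samples."""
    fa, fb = fingerprint(a), fingerprint(b)
    regions = set()
    for h in fa.keys() & fb.keys():
        i, j = fa[h], fb[h]
        if a[i:i + K] != b[j:j + K]:          # guard against a hash collision
            continue
        while i > 0 and j > 0 and a[i - 1] == b[j - 1]:   # grow the anchor leftwards
            i, j = i - 1, j - 1
        n = K
        while i + n < len(a) and j + n < len(b) and a[i + n] == b[j + n]:  # and rightwards
            n += 1
        if n >= min_len:
            regions.add((i, j, n))
    return sorted(regions)


def cluster(samples: dict[str, bytes], threshold: float = 0.2) -> list[set[str]]:
    """Single-linkage grouping: samples sharing enough fingerprints land together."""
    fps = {name: fingerprint(data) for name, data in samples.items()}
    parent = {name: name for name in samples}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    names = list(samples)
    for idx, a in enumerate(names):
        for b in names[idx + 1:]:
            if similarity(fps[a], fps[b]) >= threshold:
                parent[find(a)] = find(b)
    groups: dict[str, set[str]] = defaultdict(set)
    for name in names:
        groups[find(name)].add(name)
    return sorted(groups.values(), key=sorted)


# Constructed listings (normalized mnemonics). The decode routine is copied
# verbatim from the "2005" build into the "2010" build; the wrappers differ.
DECODE_ROUTINE = (b"push esi;mov esi,[ebp+8];mov ecx,[ebp+12];xor byte [esi],0x5a;"
                  b"inc esi;dec ecx;jnz L;pop esi;ret;")
SAMPLE_2005 = b"call WSAStartup;call socket;call connect;" + DECODE_ROUTINE + b"call closesocket;ret;"
SAMPLE_2010 = (b"call InternetOpenA;call InternetConnectA;xor eax,eax;" + DECODE_ROUTINE
               + b"call InternetCloseHandle;ret;")
UNRELATED = b"call CryptAcquireContextA;call CryptGenRandom;call CryptReleaseContext;ret;"


if __name__ == "__main__":
    print("2005 vs 2010:", round(similarity(fingerprint(SAMPLE_2005), fingerprint(SAMPLE_2010)), 2))
    for i, j, n in shared_regions(SAMPLE_2005, SAMPLE_2010):
        print(f"shared {n} bytes at 2005+{i} / 2010+{j}: {SAMPLE_2005[i:i + n][:40]!r}...")
    print(cluster({"2005": SAMPLE_2005, "2010": SAMPLE_2010, "other": UNRELATED}))
```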
Attacking
Phone Privacy
Cryptography researcher Karsten Nohl
presented vulnerabilities, tricks and ideas
which he used to successfully crack A5/1, the
encryption system used to protect GSM calls.
One of the biggest breakthroughs that helped
him with his research was the fact that
some GSM packets, the keep-alive ones, are
predictable in the stream of different packets.
The fix for this vulnerability was released
two years ago, but none of the GSM networks
have implemented the patch yet, even though
the patch is rather simple.
It is much easier to intercept the part of
the call that is coming from the tower to the
mobile phone, rather than the one going from
the mobile phone to the tower. This is due
to the fact that mobile phones dynamically
adjust the output power of their signal to
save battery power and can be on the move
in areas surrounded by buildings, while the
towers are transmitting high power signals,
are stationary and are located in high areas.
So, the majority of GSM networks
nowadays are quite unsafe. They are either
using very insecure encryption, or in countries
like China and India, none at all. A mitigation
technique to this threat would be to switch
your phone to UMTS-only mode, although not
every phone supports this and 3G coverage is
not available in remote areas.
Until Next Year
There were many other interesting presentations, as you can see from the Black Hat online archive: http://www.blackhat.com/html/bh-us-10/bh-us-10-archives.html.
As usually happens when thousands of
security researchers gather in the same
place, there were several incidents that
made this year’s Black Hat very memorable –
for example, the live stream got hacked
by a security researcher at Mozilla who
responsibly disclosed the vulnerabilities
found to the third party company which was
providing the streaming service.
This and other things make attending
Black Hat a thrill and a challenge at the
same time.
[Figure: Barnaby Jack shows how jackpotting works on vulnerable ATMs]
Top story | Corporate threats
www.secureviewmag.com | SECUREVIEW 4th quarter 2010 | 12
Businesses under attack
Article by
Joerg Geiger
Chief Technology Expert at Kaspersky Lab
Joerg Geiger has 11 years’ experience in IT journalism. Having completed his Diploma in Computer Science, Joerg worked as a Senior Editor for a number of different printed and online magazines. For the last 3 years, Joerg has been a freelance contributor to German newspapers, websites and various IT companies and specializes in operating systems, IT security and mobile IT.
Modern companies cannot survive without information and computer technologies. IT has become an inseparable part of any commercial venture, state-run enterprise or worldwide business system. However, IT has also developed into a potent source of problems and threats which companies must face. With the help of malware, hackers are able to steal confidential information from computers which in turn can lead to damaged commercial reputations, the collapse of business deals and the infringement of intellectual property rights. Under the control of hackers, corporate computer networks can spread spam and malware, not only locally, but to the computers of trusted clients and partners as well. Software and hardware failures lead to unwanted downtime, the interruption of important business processes and the loss of working time by personnel. This is only a small part of the modern corporate threatscape which we will look at in more detail within this article.
Today’s computers store and process all types of official information; they generate business activity reports, they perform economic analyses and undertake planning and they are used for technical modeling and design. Companies advertise their products via the Internet and communicate with society in general using computers. Goods are readily bought and sold through the medium of electronic trading and Internet shops. In the course of everyday business activity, computers and smartphones have become an indispensable communications tool for workers, clients and company managers alike. The burgeoning capabilities of today’s IT equipment mean that companies can now benefit from a whole new world of commercial possibilities. Such companies rely heavily on stable IT infrastructure to maintain their business processes and competitive advantage.
As mentioned previously, the presence of financial or confidential information attracts the shadier elements of society who wish to nefariously grab a slice of the pie for themselves, and in addition, it should be remembered that companies can and do suffer enormous losses due to the availability of confidential information to insiders. Serious security incidents can incur punishment by the state – in most countries, violation of security standards is a prosecutable offence carrying criminal responsibility, and where applicable, the withdrawal of state-issued and other licenses.
The incentive to hack corporate networks grows as commercial information becomes more and more valuable and as business processes are automated. The tendency is for business IT to not only develop automated management and recording systems, but technological processes as well – IT is already a major player not only in accountancy, warehousing and HR, but in manufacturing and production as well. Today it is completely unacceptable to leave corporate IT systems under-protected, or worse still, unprotected. A company’s IT infrastructure must include reliable and comprehensive protection against computer threats.
[Figure: The Internet has long since been used for the majority of corporate financial transactions]
Goals and tasks
It is interesting to note that malware
specifically designed to target
corporate information systems does not
exist. The tools of the hackers’ trade
remain the same regardless of whether
the target is a private individual or a
company, the only real difference is
the scale of damage, so companies
have to pay particular attention to
their own protective measures. The
cybercriminals are far more interested
in attacking companies than private
individuals as the potential rewards
from such attacks are considerably
higher. It is very rare indeed for a
hacker or virus writer to work for
nothing. Usually when they feel the
need to put their professional abilities
to the test they try to ensure that their
efforts are duly remunerated.
Hackers that attack companies generally do so for the following reasons:
• To steal confidential information, including financial information, with a view to profiting from its usage or resale, for example, databases belonging to financial organizations
• To disable a company’s IT infrastructure with a view to extorting money from that company for returning its IT infrastructure to operational condition. Additionally, a hacker may want to damage a company’s reputation or interrupt its business processes by the use of DDoS attacks
• To use the IT resources of one company for the purpose of attacking other companies
Those who order hacking attacks
are usually dishonest competitors,
financial fraudsters or people involved
in industrial espionage. For example, it
may be that on the day that a company
is due to launch a new product, hackers
acting on behalf of a competitor take
down that company’s website, thereby
depriving the company of a lot of
potential customers who would have
otherwise visited it. Another common
example is a competitor acquiring
detailed information concerning an
important business deal from a rival
company’s computer system and the
deal subsequently being undermined.
Then there is always the scenario in
which financial information is stolen by
an insider in order to initiate an illegal
transaction. In the most dangerous
cases, vital social infrastructure can
be put out of operation if the company
responsible for maintaining it becomes
the subject of a hacker’s attack.
Methods of attack
How do cybercriminals gain access to
corporate information? What vectors
of attack do they choose? First of all, the particular attributes of corporate networks play right into the hands of the cybercriminals: such networks are typically large-scale, distributed across geographical sub-divisions, hierarchic in composition with heterogeneous component parts, carrying high levels of traffic and supporting a significant number of users.
Networks belonging to large
enterprises with geographically diverse
subdivisions have equipment located
in different towns and sometimes even
different countries, as well as hundreds
of kilometers of communications cables.
All this makes it very difficult to prevent
unauthorized network access or the
interception of confidential information
transmitted over the network. An
attacker can surreptitiously connect to
some part of the network and secretly
monitor the channel traffic without
alerting anyone to their presence, or
masquerade as an authorized user
and send requests for information and
messages in the name of a legitimate
user. Hacking can occur on both private and publicly accessible sections of a network – usually the Internet. In such a case, the cybercriminal does not need to be physically near the hacked channel; using hacker tools and methods available on the Internet, it is possible to hack a network remotely.
Cybercriminals do not have to attack a whole organization to get their hands on financial or confidential information. It is much simpler to carry out an attack by targeting an individual victim in an administration or HR department where the level of computer literacy is usually fairly low.
[Figure: A hacker does not usually need direct access to the target computer within an organization: these days attacks are carried out remotely via the Internet]
Probably the most popular method
for infecting computers is via the
use of programs called Trojans which
infiltrate a target machine through
malware links in spam, instant
messaging, drive-by downloads and the
exploitation of vulnerabilities in different
software applications.
Of all of the abovementioned methods of infection, it is vulnerabilities in software that are one of the biggest problems within the corporate environment. Large corporate networks
are made up of a huge number of
component parts: workstations, servers,
laptops, smartphones, all of which
may operate under the control of a
different operating system. The situation
gets even more complex when the
functional diversity of the component
parts of a large corporate network
are factored in also; the hardware will
service different subdivisions, perform
different tasks and differ from unit
to unit, not to mention that it is often
produced by different manufacturers.
It is almost impossible to keep track
of all the programs installed on all of
the systems and devices mentioned.
IT administrators need to constantly
update programs and install patches
for the entire system’s resources, but it
is a complex task, made more difficult
by the fact that an administrator may have to wait a significant amount of time for a much-needed patch
while the manufacturer creates and
distributes it. As a result, a corporate
network can remain susceptible to
attack by cybercriminals who can
exploit a vulnerability, for example, by
installing malware in an old version
of Adobe Reader, with ensuing dire
consequences for the computers on
the corporate network. In such a case,
even technical specialists may suspect
nothing if they do not keep themselves
up to date regarding the latest detected
vulnerabilities in application-
dependent software.
Another loophole used by the
criminals is the multiplicity of staff and
the resulting multiplicity of computer
network users and access points. The
larger the numbers of end-users and
nodes, the more chance there is of
an accidental oversight in security
procedures or an intentional violation
of security policy. It is more difficult
for the administrators to determine
users’ loyalties, especially as users
could typically be both staff members
and for instance, clients. Therefore it is
more difficult to control them – today,
simple methods of recording user
information are no longer suitable, more
complex methods like authentication,
authorization and auditing are required.
Modern corporate IT systems need to
be able to do much more than just allow
or disallow a user access to something,
they need to have the flexibility to
provide degrees of access, taking into
consideration factors such as - time,
group membership, editing rights etc.
Nowadays a corporate user has a wider
range of services available to them;
very often they have Internet access,
which is awash with malware, a mobile
connection which has become unsafe
and remote access from home which
makes it difficult for the employer to
check whether passwords to access the
corporate servers are stored in a secure
manner. Unfortunately, companies rarely have all-encompassing security
policies in place, thus the cybercriminals
continue to actively abuse the situation
and commit targeted attacks.
Education
One of the keys to successfully
minimizing corporate attacks is to
educate staff on a constant basis,
and not just technical staff, but
administrative staff too. It is more
often than not the latter group who
are responsible for the large numbers
of successful attacks carried out
using social engineering techniques.
Obviously, when a user has no real
knowledge of the basic rules of
computer security there can be no
guarantee that hackers won’t be able to
enter the corporate network; regardless
of whether or not a highly qualified
administrator has implemented the most
stringent security settings.
Teach your staff not to react to emails and IM messages of a dubious nature, which may well contain malicious hyperlinks in the body of the message. Explain to them that a letter or SMS message from a friend can be compromised and that it is always better to think twice and check before clicking on anything in a message received. Remind your staff again and again that “there is no such thing as a free lunch”; banks and social networks will never ask you for your login or password simply because they have problems with their infrastructure, or because their database of users is being updated. It is imperative to teach your staff to think twice and remain cautious.
[Figure: The structure of a typical corporate network is usually much more complex than the one displayed in the picture]
Complexity
So, what can be done within the
framework of corporate security to
prevent the criminals from gaining
the upper hand? The most important
thing is to understand that protection
of the corporate network needs to be
complex and multilayered. Before the
design and installation of a secure
network can take place it is necessary
to consider all of the possible threats to
the integrity and confidentiality of the
information that it will contain, as well
as to think about how the network could
be penetrated, for example, via external
media and software vulnerabilities. The
measures taken to counter any threats
must be complex and should include
organizational and technical methods.
Organizational means of protection
should include a set of company
procedures and a structured approach
to working with documentation and
information. A company’s management
has to clearly understand what
information is considered confidential,
which staff can have access to such
information and how to arrange a system
so that a breach of those access rules
cannot occur.
Technical means of protection
can include all kinds of equipment
for nullifying electromagnetic
radiation and avoiding electronic
eavesdropping, access control
mechanisms, encryption systems,
antivirus programs, firewalls, etc.
One should remember that within the
realms of complex technical procedures,
it is very important to restrict the use
of external media such as flash drives
and portable hard disks; it is also
recommended that the possibility of
recording data to CD-ROMs is removed
or otherwise controlled. This is
achievable through technical means, for
example, by closing ports at the BIOS
level to which an ordinary user would
not have access. Additionally, most corporate antivirus solutions have inbuilt functionality that provides control over USB and other peripheral ports. Those staff members whose work regularly entails the use of portable storage media must be provided with, and made to use, an automatic encryption system that will protect any information stored on the media in the event of its theft or loss.
If the use of portable storage media is not strictly managed, then the protection of confidential information can be forgotten.
[Figure: Modules allowing the centralized management of corporate network protection are present in every major business IT security solution]
Other similarly important measures,
which are quite often overlooked by
companies, include the protection
of wireless access points and data
transmission channels. If you have
protected the whole infrastructure, but left
your WiFi networks without WEP encryption
and not implemented a monthly password
changing policy, then you have protected
nothing. Generally speaking, the use of
WiFi inside a company should be as limited
as possible. It is necessary to regulate
the distance that the signal can travel
by adjusting the radiated power of the
transmitter, provide users with temporary
passwords, define which WiFi networks
guests can connect to and limit access to
internal resources, etc.
Centrality
Protection of a corporate network is a
round-the-clock, yearlong process and
should embrace the entire information
lifecycle - from its arrival at the company
through to its destruction, loss of value
or downgraded level of confidentiality.
Reliable protection means real time
control over all the important events and
occurrences that may influence security.
It is very important to implement the
centralized management of a security
system. This approach allows the
speedy acquisition of a complete
picture of network events from a single
access point and provides a centralized
approach to the resolution of tasks; it is
a method for checking and effectively
resisting generic threats. At the same
time, the application of different security
policies across the various subdivisions,
as well as an individualized approach
to the resolution of tasks should not be
excluded. The centralized management
of network security via a single interface
has the advantage that system
administrators do not have to spend a
lot of time familiarizing themselves with
several different security solutions.
Modern corporate antivirus solutions
offer companies precisely this level
of control. As a rule, such solutions will contain some sort of centralized management system that allows adjustment of the many different security-related software modules that control: the antivirus system settings, the setting up of individual and group application parameters, access to different resources, database updates and the continuous monitoring of the network status and dynamic response in the event of critical situations.
Sufficiency
Any security system has to be
sufficiently robust. This means that it
should provide the maximum level of
protection, availability and resiliency.
To do this, a security system must have
a reserve of hardware and software to
cope in situations where a component of
one or the other type fails. Additionally,
the system has to employ effective
technologies that can cope with existing
threats and are able to combat new attacks thanks to embedded ‘extra’ capabilities such as heuristics and enhanced signature detection processes. Heuristic analyzers, as well as script emulators and file execution emulators, are used when a program sample is not present in antivirus databases and allow program execution to be emulated inside an isolated, virtual environment.
This is absolutely safe and allows all of
the program’s actions to be analyzed in
advance, so that its potential to cause
harm can be estimated with a high
probability prior to real world execution.
In this way, new threats are being
detected before they become known to
virus analysts and their signatures can
be included into antivirus databases
accordingly. Taking care to ensure that a
system is sufficiently robust prolongs its
usefulness as a means of defense.
Reasonable balance
It is always the case that a reasonable
balance needs to be struck between the
capabilities of a security system and its level
of resource-intensity. The more options
and functions a solution has, the more
computer, human and other resources that
are consumed. This is unacceptable for a
corporate network as it will generally have
high enough working loads already - it must
simultaneously serve a large number of
users, search vast databases, transmit big
volumes of traffic and do all of the above
precisely and quickly. Manufacturers
of antivirus products pay a great deal of
attention to the balance between productivity
and protection of systems. For this reason
there are parameters that can be set to run
system scans only at times when nobody
is working on a computer, i.e., when a
computer is locked or its screensaver is on.
This allows, for example, a deep heuristic
analysis to take place during an antivirus
scan without interference to the work of the
staff. Additionally, modern antivirus products
include technologies that can significantly
increase the operating speed of an antivirus
application through always-on protection and
on-demand scanning. Speed is also gained
by excluding the multiple checking of files that
have been scanned already, provided that
this does not pose a threat of infection. By complementing each other, such technologies can greatly reduce the time and resource-intensity required for the antivirus scanning of different objects, files and operating systems.
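The scan-skipping rule in the last sentence, as an added example of my own (not a Kaspersky Lab implementation; the signature sets, file contents and all names are constructed): a verdict cache that reuses a result only while both the file content and the database version are unchanged, and never caches a detection.

```python
"""Avoiding repeat scans of already-scanned files without risking a missed infection.

Added example, not vendor code. A cached verdict is reused only when the file's
content digest and the signature database version both match the ones the
verdict was produced under; detections are never cached, so an infected file is
always re-evaluated. Real products avoid even re-reading unchanged files by
tracking filesystem change notifications; hashing is used here for clarity.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass

# Constructed signature sets: database version 2 knows a pattern version 1 does not.
SIGNATURES = {
    1: [b"bad-pattern-v1"],
    2: [b"bad-pattern-v1", b"bad-pattern-v2"],
}


def signature_scan(data: bytes, db_version: int) -> str:
    """Stand-in for the expensive part (signatures, heuristics, emulation)."""
    return "infected" if any(sig in data for sig in SIGNATURES[db_version]) else "clean"


@dataclass
class CacheEntry:
    digest: str
    db_version: int
    verdict: str


class ScanCache:
    def __init__(self, db_version: int):
        self.db_version = db_version
        self.entries: dict[str, CacheEntry] = {}
        self.full_scans = 0   # how many times the expensive scanner actually ran

    def update_database(self, version: int) -> None:
        # No flush needed: every entry records the version it was produced under,
        # so a clean verdict from the old database can no longer be reused.
        self.db_version = version

    def scan(self, path: str) -> tuple[str, bool]:
        """Return (verdict, scanned_now). scanned_now is False when the cache answered."""
        with open(path, "rb") as f:
            data = f.read()
        digest = hashlib.sha256(data).hexdigest()
        entry = self.entries.get(path)
        if entry is not None and entry.digest == digest and entry.db_version == self.db_version:
            return entry.verdict, False        # nothing that could change the verdict has changed
        verdict = signature_scan(data, self.db_version)
        self.full_scans += 1
        if verdict == "clean":
            self.entries[path] = CacheEntry(digest, self.db_version, verdict)
        else:
            self.entries.pop(path, None)       # never serve a detection from the cache
        return verdict, True


def demo() -> list[tuple[str, bool]]:
    """Walk through the cases that must force a rescan; returns each scan's outcome."""
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "report.doc")
        cache = ScanCache(db_version=1)

        def write(content: bytes) -> None:
            with open(path, "wb") as f:
                f.write(content)

        write(b"quarterly figures ... bad-pattern-v2 ...")   # constructed; unknown to DB v1
        results.append(cache.scan(path))     # ("clean", True): first look, full scan
        results.append(cache.scan(path))     # ("clean", False): unchanged file, same DB
        cache.update_database(2)
        results.append(cache.scan(path))     # ("infected", True): new DB invalidates the verdict
        results.append(cache.scan(path))     # ("infected", True): detections are never cached
        write(b"quarterly figures, cleaned copy")            # constructed replacement content
        results.append(cache.scan(path))     # ("clean", True): content changed
        results.append(cache.scan(path))     # ("clean", False)
    return results


if __name__ == "__main__":
    for verdict, scanned in demo():
        print(f"{verdict:8s} {'scanned' if scanned else 'from cache'}")
```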
[Figure: It is necessary to encrypt not only the data that the phone contains, but also the data stored on any accompanying memory card in the event that important information is stored on that too]
Flexibility
A security system should also be flexible and
scalable, in other words it should be adaptable
to a wide range of tasks, working conditions
and quantitative characteristics of a corporate
network. Today’s computer networks can expand,
contract and change their configuration very
quickly. Threats are also changing with alarming rapidity and a security system should be ready for this. To meet this requirement, high quality security
solutions need the means to update practically
all of their program components - for example,
malware protection solutions should update not
only their antivirus signature databases, but
also their malware behavior pattern recognition
capabilities and their own operating algorithms.
Interactivity
Another important requirement is interactivity.
The security system has to be able to interact
with an experienced user, system and network
administrator. It has to provide a user with sufficient
information upon which to base operational
decisions and be able to warn a user about
potential errors. It is preferable that the system’s
settings and security modules are understandable
to a layman who has no specific knowledge in
the field of information security. This allows
corporations to quickly train their own specialists
and means that medium and small business can
have a protected system without the need to employ
security administrators or even IT specialists. In
order to do this, antivirus solution developers pay
increased attention to their product interfaces, trying to make them as simple and straightforward as possible. Special significance is given to the
provision of notifications when the security of the
system is under threat. The system must inform an
administrator of what actions should be performed
in order to restore normal defensive levels. The
interface must also allow the administrator to
quickly jump between tasks such as virus scanning,
antivirus database updating, etc.
Compatibility
and heterogeneity
Compatibility is a definitive requirement of
a security system – it must be able to fully
operate in a complex, heterogeneous corporate
network without any negative impact on the
other components. Any corporate antivirus
system has to be able to function with a range
of different devices. Modern computer systems
can consist not only of workstation computers,
file servers and mail servers, but notebooks and
smartphones too. Smartphones are commonly
synchronized with computers, and if a user opens
a malware link on their telephone, there is a real
chance of transferring that virus to the corporate
network during the process of synchronizing mail
or calendar items with the networked computer.
Whilst on the subject of smartphones, it is
worth comparing them to portable information
storage devices – all messages and mail
correspondence, as well as the contents of
flash memory and memory cards which are
used for the additional storage of information
should be compulsorily encrypted. Only then is it possible to guarantee the integrity of the stored information in the event of the loss of a
device. When choosing a protective solution for
mobile devices, close attention should be paid
to ensuring that it has the capability to block a
lost smartphone, even if the SIM card is changed
by a thief. Otherwise the criminal will be able to
drop off the radars of those seeking to retrieve
the device, and having removed the SIM card
from the phone, will be able to do anything
they wish with the phone and the valuable
information it contains.
Also, it is worth remembering that when a
company uses machines with different operating
systems, all of them should be protected, as if
only one of the systems is secure, it means none
of them are safe. If an administrator thinks that
there are not many viruses for the Mac OS X out
there so the risk to the company is negligible
and therefore it is not critical to protect
Macintoshes - they would be absolutely wrong.
It is through just such an open gate to the world
of Windows computers that the most harmful
malware threats may come, for example, by way
of a malware link which becomes active once
inside a Microsoft environment. Another route is the Trojan program which automatically copies itself to a flash memory card on a computer running Mac OS X and is later inserted into a different workstation running Windows.
Résumé
New threats and vulnerabilities in the world of computer security are growing as never before and there are no indications that the situation is going to improve any time soon. Nevertheless, if you as a company administrator or security specialist provide proper protection on all fronts, then there is a good chance that your company’s business will prosper. Educate your staff about computer safety on a regular basis. Distributed security policies and access rights should be compulsory, and protection solutions should cover all nodes on the network, from the gateways to the endpoints - and don’t omit the bosses’ smartphones or notebooks. Remember: economize just once on network protection and it is possible that the whole of the company’s business could be lost as a result.
Expert Comments
Kaspersky Lab’s products for corporate users are complex solutions for heterogeneous, distributed networks, and that is very important at the present time. Our solutions for Windows, Linux, Mac, Novell NetWare and mobile operating systems are simple to install and use. Kaspersky Lab’s solutions provide protection for all types of network nodes – from mobile devices to servers. They can control all incoming and outgoing data flows, from email and Internet traffic to internal network interactions, and they also provide powerful management tools.
All of Kaspersky Lab’s solutions include the Kaspersky Administration Kit management console, which allows the centralized organization and control of network protection for the whole company, integrating all the different levels of protection into one system. The solutions provide scalability, notification of the status of the network’s antivirus protection, control over the use of external devices, special security policies for mobile users, support for network access control technologies and customized reporting, allowing administrators to manage the system in an effective way via a straightforward interface.
Nikolay Grebennikov, Chief Technology Officer at Kaspersky Lab
Analytics | Smartphone Security
www.secureviewmag.com | 18 | SECUREVIEW 4th quarter 2010
Desperate Jailbreakers
It was late July, and Apple was still reeling from an uncharacteristic backlash by the media and its typically adoring customer base over a design flaw in the antenna of its much-vaunted new iPhone 4.0 that effectively wiped out wireless reception for many users. Then, at the beginning of August, hackers published a remotely exploitable security vulnerability in the device that left tens of millions of iPhone users exposed to malicious drive-by downloads.
Article by Brian Krebs
Brian Krebs is editor of krebsonsecurity.com, a daily blog dedicated to in-depth Internet security news and investigation. Until recently, Krebs was a reporter for The Washington Post, where he covered Internet security, cybercrime and privacy issues for the newspaper and the website. Krebs got his start in journalism at The Post in 1995, and has been writing about computer security, privacy and cybercrime for more than a decade.
The exploit, embedded in the website jailbreakme.com, was intended to provide a simple way for iPhone and iPad users to jailbreak their phones – a process that allows the installation of third-party applications that are not expressly approved by Apple. Yet, security experts were instantly drawn to the much darker potential for this exploit to be abused to install malicious programs on all of these devices – and not just those belonging to jailbreakers.
The hackers who discovered the flaw soon released a patch to block future attacks against jailbreakers, and Apple issued an official fix to protect regular iPhone users a few days later. Still, the incident has thrown a spotlight on the simmering, high-stakes tension between security and usability in the mobile computing market.
While technically speaking all jailbreaks exploit security vulnerabilities or configuration weaknesses in the underlying operating system, nearly all previous jailbreak exploits required the user to connect their iPhone to their computer with a USB cable. If you were lucky, the jailbreak would work; otherwise, you might be the proud owner of a very expensive paperweight.
All of that changed on 01 Aug, with the debut of a powerful and highly reliable new iPhone exploit embedded in jailbreakme.com, which allowed iPhone users – even those on the most recent 4.0 iOS – to jailbreak merely by visiting the site with the iPhone's Safari web browser and dragging the slider bar across the device's touchscreen.
Instantly, the process of jailbreaking became more akin to casual web surfing and less like patching and praying. At the same time, tens of millions of people were exposed to a powerful, remote exploit that criminals could use to install malware just by convincing an iPhone or iPad user to browse a hacked or malicious website.
Now to unblock an iPhone, iPod touch or iPad, it’s enough just to visit a special website
“My grandma doesn't know what jailbreaking is and never had to worry about what jailbreakers were up to because if she wanted to jailbreak her phone she had to plug it into a computer, download some special tools, and then it might work,” said Charlie Miller, a renowned iPhone hacker and researcher with the Baltimore, Md.-based firm Independent Security Evaluators. “But now, here was something that could radically change your phone just by visiting a webpage, all of a sudden this meant instead of doing something fun and friendly like jailbreaking the phone, it could do something evil, where grandma goes to some site and the same vulnerability is used to download code to the phone.”
Patch wars
Four days after jailbreakme.com went
live, Apple announced it would soon
be releasing a patch it had developed
to protect users. Almost immediately,
jailbreaking advocates lit up Twitter.com
and other social media sites, warning
people not to download the Apple patch
because it would un-jailbreak those
devices, or possibly worse.
That advice struck some security experts as a scary sign of things to come. Mikko Hypponen, Chief Research Officer for Finnish computer security firm F-Secure Corp., was among those who publicly chastised the team for telling people not to apply the patch.
“Imagine if this would have happened with Microsoft Windows, where someone creates a zero-day exploit, doesn't report it to Microsoft, then publishes the exploit, and when Microsoft responds with a patch there are thousands of people telling the world not to patch it,” Hypponen said. “If they want to give that kind of advice to people who have jailbroken their phones, that's great. But now they've made everyone vulnerable – because these exploits are out there affecting everyone – and even people who haven't jailbroken their phones are getting the advice not to upgrade, when in fact they should.”
Within days of releasing its exploit, the crew responsible for creating the web-based jailbreak – a group called the iPhone Dev Team, along with a developer known by the screen name Comex – released PDF Warner, a tool that jailbreakers could install to receive a warning if a website tried to use the jailbreak flaw to install malicious software.
The Dev Team even released its own
unofficial patch for those who had
jailbroken their phones, which went
further in protecting jailbroken users than
did the official patch from Apple, which
does nothing to fix the flaw in iPhone
devices older than iPhone 2.x versions.
Will Strafach, an independent software developer from Connecticut who helped test the exploit used on jailbreakme.com, acknowledged that the unofficial patch took a bit longer than expected, and that it is still not installed by default after people use jailbreakme.com. Still, he noted that neither this exploit nor a similar, remotely exploitable jailbreakme.com exploit released back in November 2007 resulted in any malicious attacks.
“Not much detail will be released about how the exploits work until after Apple has issued their patch, so… there has never to date been a malicious payload I have seen for the two jailbreakme.com exploits,” Strafach said.
Strafach is technically correct. Then again, the only real threats to emerge against the iPhone have worked only against jailbroken devices, by exploiting default settings left behind during the jailbreaking process. In November 2009, the relatively harmless Ikee worm spread rapidly among iPhone users who had jailbroken their phones but neglected to change the default SSH password. The Ikee worm was more an annoyance than a threat: it Rickrolled less cautious jailbroken iPhone users by changing the wallpaper on their devices to a picture of 80s pop singer Rick Astley.
But a second, less publicized
version of Ikee, introduced the first
known banking Trojan for the iPhone.
Unceremoniously dubbed Ikee.b, the
worm modified the hosts file on the
iPhone – adding a single entry so that
anyone trying to visit the website of ING
Bank in the Netherlands (www.ing.nl)
with an infected iPhone was redirected
to a counterfeit ING website hosted
in Tokyo and designed to phish the
victim's online banking credentials.
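The hosts-file redirect described above is easy to detect on a device you control. The following check is an added example, not code from the article or from the Ikee.b worm: it parses a hosts file, ignores mappings to loopback or broadcast addresses, and flags any watched bank hostname (including subdomains, which goes slightly beyond the single www.ing.nl entry the text mentions) that points anywhere else. The sample hosts content and the 203.0.113.45 address are constructed placeholders.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample of an iPhone /etc/hosts file after tampering of the kind
# Ikee.b performed: one extra line points a bank hostname at a foreign server.
# 203.0.113.45 is from a documentation range and is a placeholder only.
SAMPLE_HOSTS = """\
##
# Host Database
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
203.0.113.45    www.ing.nl
"""

# Domains whose resolution should never be overridden by a local hosts entry.
# Subdomains of each entry are covered as well (www.ing.nl matches ing.nl).
WATCHED_DOMAINS = {"ing.nl"}

# Addresses that are legitimate targets for a hosts-file mapping.
LOCAL_NETS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("255.255.255.255/32"),
    ipaddress.ip_network("0.0.0.0/32"),
]


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [hostnames]) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line: nothing maps, nothing to check
        entries.append((parts[0], [h.lower() for h in parts[1:]]))
    return entries


def is_local(address: str) -> bool:
    """True for loopback/broadcast/unspecified addresses; False otherwise."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False  # not an IP literal at all, treat as not local
    return any(ip in net for net in LOCAL_NETS)


def is_watched(host: str, watched=WATCHED_DOMAINS) -> bool:
    return any(host == d or host.endswith("." + d) for d in watched)


def find_redirects(text: str, watched=WATCHED_DOMAINS) -> List[Tuple[str, str]]:
    """Flag watched hostnames mapped to anything other than a local address."""
    findings = []
    for address, hosts in parse_hosts(text):
        if is_local(address):
            continue
        for host in hosts:
            if is_watched(host, watched):
                findings.append((host, address))
    return findings


if __name__ == "__main__":
    for host, addr in find_redirects(SAMPLE_HOSTS):
        print(f"hosts file redirects {host} to {addr}")
```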
That attack received little attention
in the news media, probably because
it affected such a miniscule subset of
iPhone users: Those in the Netherlands
who had insecure jailbroken iPhones
that they used for online banking.
What's more, Hypponen said, the fake
ING site was only online for a short time
before being taken down.
“The overall point is that the more time passes, the more exploits like this we will see for the iPhone and other mobile platforms, and the more likely we'll start to see moneymaking attacks on mobile phones,” he said.
Looking at the Ikee.b source code, it’s easy to spot the default password ‘Alpine’ that opens the door for the malware to walk through
Attack of the killer apps?
Of course, security vulnerabilities aren't the only way intruders can break into mobile phones. Malicious applications or apps designed for use on smartphones can hide malicious software, or turn from benign to malicious via an update after a user has already trusted and downloaded it to their phone.
About the same time that jailbreakme.com debuted this latest remote root exploit for the iPhone, security experts were unraveling the secrets of a questionable app designed for Google's Android phone users.
According to San Francisco-based
mobile security firm Lookout, the
app – an apparently innocent program
that offered free wallpapers and
was downloaded more than a million
times - collected users' phone numbers,
subscriber information and voicemail
numbers, and sent the information off to
a server in China.
Then, on 09 Aug, Kaspersky Lab said
it had discovered the first malicious
program for the Google Android platform:
A Trojan disguised as a media player
app that uses the victim's phone to send
expensive text messages to premium rate
numbers without the user's consent.
Unlike Apple's tightly controlled
App Store, the Google platform allows
developers to upload applications for other
users. Interestingly though, while the ability
to install unapproved apps is the main
reason people jailbreak their phones, not a
single malicious third-party app has been
reported for jailbroken iPhones.
Lookout co-founder John Hering said the two models represent the classic tug-of-war between security and usability. But, he said, one isn't necessarily more secure or better than the other. Rather, the mobile providers need to focus on reacting quickly when problems are spotted.
“It's the classic balance of security and openness at odds with one another,” said Hering. “So far, both providers have shown they have the ability to respond to these incidents very quickly.”
The jailbreakme.com vulnerability drew
an unusually speedy response from Apple,
which has long been criticized for taking
its time in fixing many security flaws. For
example, Apple maintains its own version
of Java and has been shown to lag up to
six months behind implementing the same
security updates that Sun/Oracle released
for versions of Java on other platforms.
The company has also been known to fix bugs in its Safari web browser on the Mac and yet leave those same bugs unpatched on the iPhone for months at a time (it's notable that the jailbreakme.com exploit – which leveraged a vulnerability in the way iPhones render PDF documents – was used via Safari).
Apple's defenders say if the company
fails to rush out emergency patches
each week, it's probably in part because
the computing platform simply isn't
constantly under siege by cybercriminals -
unlike a certain dominant operating
system made by Microsoft.
Rich Mogull, a security analyst at
Phoenix-based Securosis, says Apple
is right to react differently to potent
threats against its mobile devices. Mogull
notes that Apple's mobile operating
system – which shares much of the same
code base as the OS that powers Mac
desktop and laptop computers - has the
potential to make an end-run around
the traditional flame-war inducing,
long-running debate: Whether Macs are
safer due to the way they are designed or
because there are fewer users relative to
the Windows PC community?
Indeed, with more than 100 million
Apple mobile devices sold so far, there
are now vastly more iPhone, iPad and
iTouch users than traditional Mac
users. In addition, consumers are
increasingly using their mobile phones
for a variety of sensitive transactions,
such as online banking, shopping and
confidential communications.
“Everyone talks about market share questions, but we're not going to get the answer to that question on general purpose computers, we're going to get the answer to that question from these devices,” Mogull said.
Looking forward
That answer may not come immediately.
For one thing, exploits like the one
stitched into jailbreakme.com don't grow
on trees. Strafach said the Dev-Team
and Comex stated that the exploit went
through three weeks of development and
a week of testing before going live.
The exploit was so difficult to find
and refine that it may be quite some
time before another remote jailbreak
flaw is found, Strafach said, although
he stressed that the Dev Team never
discusses ongoing research.
The first harmful program for Android masquerades as a legitimate Movie Player
To unlock an iPhone, one movement of the finger is all that is required
“Yeah, I kind of agree it raises the bar for jailbreaking in a way that may be difficult to replicate,” Strafach said. “Comex really outdid himself. Safari isn't an easy thing at all to exploit because of the strong sandbox restrictions.”
Also, vulnerabilities that allow remote jailbreaking tend to be useful for far less time than those that require tethering the phone to the computer, as Apple patches them far more quickly.
“Apple has a group of people called the Red Team whose specific task it is to fix exploits from jailbreaks, because as you have probably seen, it gives them bad press when hackers are running around with remote root exploits in Apple's most iconic product,” Strafach said.
According to Mogull, “In recent weeks, some
antivirus firms have been making noises about
these new threats being an indicator that
Apple should open up its platform to traditional
desktop security vendors. But doing so would
be a mistake at this point, as so far at least, its
systems have been self-correcting.”
“Sure, if device makers don't do a good job of keeping those platforms secure and locking them down, then people may need to look at third party stuff,” Mogull said. “There's going to be less margin for error if anything big starts to happen. For example, if you can't make a phone call or summon the emergency services because you have a virus on your phone, I guarantee that will get congressional hearings faster than your not being able to browse porn because you have a virus on your desktop.”
Expert Comments
The topic of iPhone security, as well as that of other Apple devices running the iOS operating system (iPod Touch and iPad), is always important. As one might expect, this topic encompasses the eternal question of balance between usability and security, an issue that comes up time and time again. In many cases, Apple has successfully managed to tread the fine line between the two:
1.	The huge popularity of iOS-based devices all over the world proves this
2.	In the 3 years since the first iPhone appeared, only two malware programs have been detected. However, even those two are capable of operating only on devices that have been exposed to ‘jailbreak’.
Apple’s model for the distribution of its
applications has proved itself many times
over: thousands of designers create
purchasable and free applications which
undergo extensive checks before ending up
in the Apple Store. Millions of people buy
and install these applications and everyone
is happy… aren’t they?
Well, it’s not possible to be 100% sure
of that just yet:
1.	Malware applications disguised as
legitimate software have never appeared
in the Apple Store
2.	The iOS operating system does not contain
any undetected critical vulnerabilities
Let’s look at both of those
statements in more detail.
Considering that as yet there is no indication that malware applications have been detected in Apple Store software, it appears that the checking system for candidate programs to be added to the catalogue is operating efficiently enough. Without reliable information regarding the checking process of new applications, it is only possible to hypothesize about the mechanisms involved. In any case, no matter what the procedure, the possibility of a mistake cannot be excluded, which in the worst case will lead to a piece of malware entering the Apple Store. Given the fact that users consider programs distributed via the Apple Store to be trustworthy and harmless, the potential for a virus epidemic is huge.
The second statement regarding the
iOS containing no undetected and thus
unpatched critical vulnerabilities is even
more questionable. Given the balance
of probabilities, it is fair to assume that it
must contain at least one. In the event that
such a vulnerability were detected by Apple
themselves, or by a person or company who
notifies Apple privately and without fuss,
a patch for the vulnerability would have
to be launched. However in such a case,
how quickly could the patch be developed
and distributed? Would not any delay in its
distribution result in word spreading publically
about the vulnerability’s existence?
Now for the worst case scenario: imagine just such a critical vulnerability being discovered by criminals. If this happened, one can only guess how it would be used. Of the fact that criminals would try to make use of it one way or another, there can be no doubt at all, especially if the vulnerability was present in not just one particular version of the operating system, but all of them. Again we can only imagine the consequences of a mass virus infection of thousands of devices running on iOS.
We could continue talking about iOS and
other mobile platform security indefinitely.
These questions are of vital importance
today. Mobile devices such as smartphones,
regular mobiles and other “smart” devices
are being equipped with more and more
functionality. With their increased processing
capabilities, mobile devices have become
practically as powerful as the desktop
computers upon which we perform
numerous different tasks. Mobile devices are
a direct line to a user’s money and personal
data, and that is something that the criminals
simply can’t ignore. They are more than
ready to take advantage of a user’s lack of
knowledge about, or indifference to, mobile
security protection issues. That is why it is
not possible to pay too much attention to the
security issues surrounding smartphones
and other similar devices, which if ignored,
can lead to the direst of dire consequences.
If we were to talk specifically
about devices running iOS, then:
1.	As mentioned previously, the possible
appearance of malware for jailbroken
smartphones cannot be excluded. How to
protect such devices against infection is
still very much an open question.
2.	Again, as we have discussed already,
the possible appearance of unknown
critical vulnerabilities cannot be excluded
either. How can this threat be negated?
Only by prompt notification from the
manufacturer and the rapid development
and distribution of suitable updates.
Denis Maslennikov
Senior Malware Analyst,
Mobile Research Group Manager
The enemy at the gate
“The FBI warned consumers today about an ongoing threat involving pop-up security messages that appear while they are on the Internet. The messages may contain a virus that could harm your computer, be the cause of costly repairs, or even worse, lead to identity theft. The messages contain scareware, or rogue antivirus software that looks authentic… The FBI estimates scareware has cost victims more than $150 million.” www.fbi.gov
Article by Maciej Ziarek, Security Evangelist at Kaspersky Lab
Maciej joined Kaspersky Lab in 2008. Before joining Kaspersky Lab, Maciej wrote for Internet websites and worked at the Information Centre of the Nicolaus Copernicus University in Torun, Poland, the same university from which he received his Bachelor’s Degree in Archival Science and Documentation Management. Maciej is currently studying Computer Science at the Wyzsza Szkola Informatyki in Bydgoszcz, Poland. His interests include cryptography, wireless network security and social engineering.
An antivirus program is currently the basic element of any security policy for fighting viruses and other broadly recognised malicious applications. It constitutes a user’s first line of defence against increasingly sophisticated malware designed to penetrate their systems. For years, antivirus companies have built up their reputations, gaining recognition and trust among their users. Despite this, in the last few years we have encountered more and more cybercriminal attacks based upon exploiting that trust, as well as on human naivety, fear and lack of knowledge. Rogue antivirus solutions, as per the subject of my article, are becoming an increasing plague not only for corporations, but also, and most importantly, for users unaware of the threat.
What are rogue antivirus solutions?
Rogue antivirus solutions are applications that employ various methods to persuade a user that their system is infected and the only way to remove the threat is to buy an appropriate licence for the application. One of the methods used is to frequently display irritating, fictitious messages, altering a start page or changing the wallpaper. There are many reasons why cybercriminals prefer this method. First of all, a user who is frightened by frequently appearing messages about a threat on their computer will be more inclined to pay for a solution to the problem. Secondly, if a user downloads an application of this type on their own they will probably agree to the installation, which makes it easier to get around security systems such as the Windows UAC (User Account Control). Thirdly, along with a rogue antivirus solution, an attacker can install spyware, keyloggers and other malware onto the victim’s disks. In this way, the cybercriminal not only receives money for a licence, but can later steal the victim’s data. The application itself is very obtrusive, as every now and then it floods a user with information about new threats and the necessity of buying a full version of the application to remove those threats. Fearing data loss, a desperate user will take a shortcut, believing that after purchasing the application their system will not only be disinfected, but the application will protect their system against other threats too.
Why are such programs so successful? There are many reasons, but the most important of all is social engineering. The whole business is based upon it. Social engineering is the art of manipulating a human being, affecting them in such a way that they become vulnerable to the suggestions of others. Everything boils down to making a convincing presentation of the facts, in this case an alleged infection, and controlling a particular person for personal gain. The outcome is that the victim is persuaded to purchase an expensive licence.
At the beginning of the article I mentioned that cybercriminals try to make their ‘products’ appear similar to those offered by legitimate antivirus market giants. Naturally, this similarity begins and ends with copying the graphical interface style of a real program. There is no borrowing of any useful features in copied applications. The aim is to mislead users, to convince them that what they have is a reputable program.
It is easy to see that the website of the antivirus program called ‘Antivirus and Security’ was modelled entirely on a Kaspersky Lab product. The similarities include: the box, logo, colours, and even the window of the installed program that can be seen on the screen. Kaspersky Lab is not the only company to be exploited in this way. The same happens to Symantec, Avast, Avira, AVG and McAfee. Though the cybercriminals make their programs resemble products from these companies, the name of the rogue antivirus solution remains unchanged – ‘Antivirus and Security’.
It is also worth noting that a similarity to known brands is not the only way of convincing users to buy a rogue antivirus solution. Other methods include:
• a table which purportedly allows a user to compare the level of protection offered by ‘Antivirus and Security’ against solutions from other [legitimate] companies. Of course, the table shows supposed shortfalls in products from the legitimate companies
• a list of bogus awards to highlight the exceptional characteristics of ‘AV’
• confirming users’ fears about system infections through such statements as ‘System warnings are frequent’ or ‘Pop-ups interrupt web surfing.’ It is obvious that rogue antivirus solutions display such warnings so that users will react promptly to them
• the website is divided into several sections such as: ‘Members’, ‘Support’, ‘Download’ and ‘Home’ to make them appear more credible
Compromising
the system
Rogue antivirus programs may infect
a system in various ways. However, each
of them involves social engineering and the
manipulation of human beings. Fear often
turns out to be the best motivation for
people to act. It is usually fear that rogue
antivirus solutions exploit so successfully,
hence their alternative name – scareware.
Programs, plug-ins, codecs
The oldest method of infecting
computers with scareware is by
the use of Trojans. Once they have
infected a system, these Trojans then
download rogue antivirus programs.
To persuade users to download such a file
a cybercriminal spreads a link to websites
with interesting films or add-ons e.g. for
a browser. After entering the website
it turns out that the film cannot be played
because the system lacks a certain codec
or the latest version of Flash Player has
not been installed. The same website then
suggests downloading a file which will solve
the problem. Naturally, this file is nothing
more than a malicious program.
The still widespread network worm Kido
(Conficker) is an example of such malware,
among whose many functions is the
downloading of rogue antivirus programs
which are supposed to help remove viruses
and Trojans. The user is informed about
threats which in reality do not exist and
of the necessity to pay for the program
to activate its full functionality.
Online antimalware scanners
This form of system infection is effective
in situations where a user suspects
that their computer has been infected
with a malicious program. When your
operating system becomes slow, looking
for files takes you longer than usual and
the processor’s activity is noticeably
high, you know something is wrong and
start to look for a solution. One of which
may be to scan your computer using an
online scanner to find out whether the
source of your problems is indeed a virus.
The Internet is full of websites offering disc
scanning, but unfortunately, some of them
deliberately show false results. They are
designed to persuade users to download the
cybercriminals’ own program which will then
‘solve the problem’.
As a result, once a user enters the
website the script is launched which
supposedly shows the progress of the
hard drive scanning process. This is
an obvious deception and has nothing
to do with your operating system (often
even the names of folders and partitions
differ from those that you have, which
should be the first warning signal).
To remove all infections you need to click
‘Erase Infected’, download the program and
then pay $49.99 for the full version. The
whole scanning process naturally takes
place in the browser window.
Search Engine Optimization (SEO)
Basically, this method of computer
infection is similar to the previous one,
it even uses similar mechanisms. However,
I think it is reasonable to treat them
separately. SEO is a system of positioning
websites in Internet search engines
according to appropriate key words. Thus,
it is quite often used to increase the
positioning of websites containing false
antivirus scanners, but not always. As we
see more and more often, cybercriminals
react very quickly to frequently searched
phrases. They create a website that is related to popular questions and position it in such a way that it appears on the first page of search engine results. Visiting such a website will end with either malware being downloaded, or as in the example above, the false scanning of a hard drive.
Find three differences between these products and a real Kaspersky Anti-Virus box
Usually cybercriminals play upon hot news topics.
For example, after the plane crash with the Polish
president on board on 10 April, 2010, websites
quickly appeared which allegedly revealed unknown
details of the tragedy. Unfortunately, once the
site was entered information about the necessity
of scanning the user’s computer was displayed.
Attacks using ‘iframe’
One method that is particularly difficult for a
user to detect is an attack using hidden iframes.
This can be achieved by adding the appropriate
code to a website:
<iframe src="www.sample.xyz" width="1" height="1" style="visibility: hidden"></iframe>
Such an iframe will be invisible and the user will
be redirected to www.sample.xyz from which the
downloading of a malicious program can be started.
A user is frequently unaware of what is going on.
The code can be injected after stealing the
login and FTP account on the computer of a
person responsible for a website’s content.
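The check below is an added example and is not code from the article. It is the kind of test a webmaster can run over their own pages after a suspected FTP credential theft: it parses the HTML with the Python standard library and reports any iframe that is hidden by inline style, shrunk to a few pixels, or pointed at a host other than the site’s own, which is exactly the pattern of the injected frame shown above. The sample page, the legitimate host name example.org and the size threshold max_px are constructed for the illustration.

```python
"""Find hidden or near-invisible iframes in a page's HTML (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style idioms used to keep a frame out of sight.
HIDDEN_STYLE = re.compile(r"(visibility\s*:\s*hidden|display\s*:\s*none)", re.I)


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # Attribute values may be unquoted (src=www.sample.xyz); the parser copes.
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _px(value):
    """Parse a width/height attribute ('1', '1px', '300') to an int; None if not numeric."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def suspicious_iframes(html, site_host, max_px=10):
    """Return findings for iframes that are tiny, hidden or loaded from another host.

    site_host: the hostname the page legitimately belongs to. An external frame is
    reported for review, not declared malicious: legitimate embeds exist too.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        reasons = []
        w, h = _px(attrs.get("width")), _px(attrs.get("height"))
        if w is not None and h is not None and w <= max_px and h <= max_px:
            reasons.append(f"tiny frame {w}x{h}")
        if HIDDEN_STYLE.search(attrs.get("style", "")):
            reasons.append("hidden via inline style")
        src = attrs.get("src", "")
        # Scheme-less values such as www.sample.xyz need '//' for urlparse to see a host.
        host = urlparse(src if "//" in src else "//" + src).hostname or ""
        if host and host != site_host:
            reasons.append(f"external source {host}")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed sample page: one legitimate embed and one injected hidden frame.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="https://example.org/widget" width="300" height="200"></iframe>
<iframe src=www.sample.xyz width=1 height=1 style="visibility: hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in suspicious_iframes(SAMPLE_PAGE, "example.org"):
        print(finding["src"], "->", ", ".join(finding["reasons"]))
```

The three signals are deliberately independent: an injected frame is sometimes only tiny, sometimes only styled away, and sometimes full-size but pointing off-site, so a finding with any one reason is worth a look, and one with all three is the textbook injection.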
Gloomy statistics
There are many types of malicious programs
designed to scare people into buying a licence
for a worthless program. Their names may differ
depending on the functionality and the way of
packing/compressing the binary files. Thus,
rogue antivirus programs may be contained in,
among other examples, the following signatures: not-a-virus:FraudTool (this program is ascribed to the ‘not a virus’ category due to the lack of a malicious payload, apart from its attempts to persuade users to pay money for a non-functioning application), Trojan.Win32.RogueAV, Trojan.Win32.FraudPack or Trojan-Downloader.Win32.Agent.
The diagram refers to FraudTool signatures and shows the Top 10 rogue antivirus programs. The data comes from the period March 2010 to mid-June 2010 and was generated by KSN (Kaspersky Security Network). Due to the huge number of signatures it is difficult to tell for sure just by the name whether a particular malicious program represents a group of rogue antivirus solutions or not.
Figure: A fake scanner based on JavaScript looks quite genuine to an inexperienced user
Figure: A bogus YouTube website. A false message informs the user that it is necessary to update their copy of Flash Player. Cybercriminals often covertly insert malicious programs into a user’s system by this method, any one of which may be a rogue antivirus solution
Expert Comments
Costin Raiu, Director of the Global Research & Analysis Team at Kaspersky Lab
Why are rogue AV programs so effective?
“I think there are a number of different reasons for that, of which I will name the three most important. First of all, the computers belonging to people that do not use security solutions soon become infected. When they realise that they have an infection, they then start searching for solutions and very often end up on black SEO pages that promote Rogue AV tools. Secondly, many of these Rogue AV programs get delivered through zero day exploits, including from legitimate websites that have been injected with iframes or otherwise similarly compromised. This is mainly because it’s almost impossible nowadays to keep up with all of the patches from all of the vendors without some kind of specialized tool to help you. Finally, many Rogue AV programs get installed by other malware, which originally infected the system through social engineering tricks. After all, the human link is still one of the major weaknesses in the security chain. That is why the Rogue AV model is so highly successful. It is based on the concept of selling something which is not entirely illegal in every country. Many users, once they discover they’ve been deceived, ask the bank for a reimbursement. Still, many will not realize they’ve been the victims of a fraud scheme and take the blame themselves. For this reason, I’m sure that Rogue AV programs are here to stay for a while. I should also say that the social engineering behind Rogue AV programs is pretty standard and is based on two main concepts: fear and reward. In all of these attacks, the cybercriminals try to scare the user into installing their products, or promise rewards if he or she does it. The number of variations based on these two main concepts is very high and new ideas appear almost every day, however, I think that in the future, the trends will continue to gravitate towards fear and reward.”
Based on the above data a diagram
was created showing which countries had
the largest number of FraudTool.Win32
infections up to June 2010. First
place goes to Vietnam with over
120,000 cases of infection. In total, there
were 266,090 victims of FraudTool.Win32
in all of the countries monitored.
The last graph shows the number
of malicious programs detected on
particular days for the period from March
to June. From mid-March, the number
of infections has systematically decreased.
In March, there were 192,000 infections
in total, in April 150,000, in May 135,000
and between 01 and 17 June 58,000
infections, which indicates that the number
of infections in June will probably be even
smaller than in May. However this fact
only proves that like everyone everywhere,
cybercriminals also like to take their
vacations in summer. As with other
malware distribution, scareware peaks
in spring, autumn and before New Year.
Summary
Rogue antivirus programs are quite
successful, which seems to be confirmed
by the fact that cybercriminals look
for new methods to entrap unwary
users. Cybercriminals are getting better
and better at making their products
similar to known security applications.
As a result, companies lose the trust
of their customers, whilst the customers
themselves, quite apart from money, can
lose passwords and logins to bank and
email accounts, social networks, etc.
This means that the identity of the victim
is under threat. We can easily predict
what will happen next. With a new ID,
a cybercriminal can open a bank account
in somebody else’s name and use it with
impunity, as it is the victim that will be
responsible for the cybercriminal’s actions.
Microsoft, as the biggest software vendor, is also engaged in a campaign against this type of fraud. Its website informs visitors how to remove an unwanted program and how to tell the difference between a false version of Windows Defender and the real one, which is built into the Windows system.
Figure: The KSN Top 10 rogue antivirus programs from March 2010 to mid-June 2010. Information courtesy of Kaspersky Lab
Figure: The number of malicious programs detected on particular days for the period from March to June 2010
How to avoid these threats
Well, first of all you should have an
updated antivirus program installed
on your computer that regularly scans
the discs. If you want to download
security updates, do it only from known
and trusted websites or directly from
the website of a particular solution’s
manufacturer. If you enter a website offering computer scanning, it is best to close the window using the Alt+F4 key combination, as clicking anywhere in the window often brings the same result: the download or the fake scan is started. The Windows
system never warns about infections
in an intrusive way (change of a start
page, wallpaper etc.). If new icons
or applications appear, you should
immediately scan the whole computer
using an antivirus program downloaded
from one of the mainstream computer
security providers’ websites and it is
also worth installing script blocking
add-ons for the browser.
Do not let programs remember the password to an FTP account (this is especially important for webmasters), and enable automatic updating of the system and of the programs installed on it. Also, work via a user account with limited rights for day-to-day tasks and enable UAC.
However, the most important thing
is to show common sense and not to
click on links thoughtlessly. Although
speed is an important element of
security as the reaction to threats
should be as quick as possible,
a user should think twice before
approving an operation or entering
a suspicious website.
Artificial Intelligence in the realm of IT security
Article by Oleg Zaitsev, Chief Technology Expert at Kaspersky Lab
Oleg joined Kaspersky Lab in 2007 as a Developer in the Complex Threat Analysis Group. He was promoted to Technology Expert in November 2008 and is responsible for carrying out research into new detection and disinfection technologies, investigating and disinfecting remote systems and analyzing the behavior of malware.
Is it possible to define human intelligence so precisely as to be able to then simulate it with the aid of machines? That is still very much a bone of contention among the scientific community. Developers who are trying to create artificial intelligence use widely varying approaches. Some of them believe that artificial neural networks are the way forward, others the manipulation of symbols. As things stand today, no device containing artificial intelligence has successfully passed the Turing test. The famous British computer scientist Alan Turing stated that in order for a machine to be classed as truly intelligent in its own right, a user should be completely unable to distinguish whether they are interacting with a machine or another human being. One potential application of autonomous artificial intelligence is in the field of computer virology and the provision of remote computer maintenance.
The main task facing artificial intelligence (AI) researchers at present is to create an autonomous AI device fully capable of learning, making informed decisions and modifying its own behavioral patterns in response to external stimuli. It is possible to build highly specialized bespoke systems; it is possible to build more universal and complex AI. However, such systems are always based upon experience and knowledge provided by humans in the form of behavioral examples, rules or algorithms.
Why is it so difficult to create autonomous artificial intelligence? It is difficult because a machine does not possess such human qualities as animated thought, intuition, an ability to differentiate between the important and the minor and, most importantly, it lacks the thirst for new knowledge. All of these qualities endow mankind with the ability to arrive at solutions to problems, even when those problems are not linear. In order to do proper work, AI currently requires algorithms that have been predetermined by humans. Nevertheless, attempts to reach the holy grail of true AI are constantly being made and some of them are showing signs of success.
Manual labor expenses
The process of malware detection and the restoration of normal operating parameters on a computer involves three main steps. That rule applies regardless of whom or what undertakes each step, be it a man or a machine. The first step is the collection of objective data about the computer under investigation and the programs it is running. This is best achieved by the use of high-speed, automated equipment capable of producing machine-readable reports and operating without human intervention.
The second step involves subjecting the collected data to detailed scrutiny. For example, if a report shows that a suspicious object has been detected, that object must be quarantined and thoroughly analyzed to determine its level of threat and a decision taken regarding what further actions are required.
The third step is the actual procedure of treating the problem, for which a special scripting language can be used. This contains the commands required for the removal of any malware files and the restoration of the normal operating parameters of the computer.
Generally speaking, just a few years ago steps two and three were performed by analysts working for IT security companies and experts on specialized forums using almost no automation. However, the increase in the number of users becoming malware victims and subsequently needing help led to a number of problems, namely:
• When protocols and quarantine files are being processed manually, a virus expert is faced with huge volumes of continually changing information that needs to be absorbed and fully understood, a process which is never fast.
• A human being has natural
psychological and physiological
limits. Any specialist can get tired
or make a mistake; the more
complex the task, the higher the
chances are of making a mistake.
For example, an overburdened virus
expert may not notice a malware
program, or conversely, may delete
a legitimate application.
• The analysis of quarantined files is a
very time-consuming operation because
of the fact that the expert needs to
consider the unique features of each
sample – i.e., where and how it appeared
and what is suspect about it.
The abovementioned problems can only be resolved by fully automating the analysis and treatment of computer malware; however, numerous attempts to do this by the use of different algorithms have so far yielded no positive results. The main reason for this failure lies in the fact that malware is constantly developing and that every day, dozens of new malware programs with ever more sophisticated methods of embedding and disguising themselves appear on the Internet. As a result, detection algorithms need to be ultra-complex and, worse still, become outdated very rapidly and need to be kept constantly up to date and debugged. Another problem, of course, is that the effectiveness of any algorithm is naturally limited by the ability of its creators.
The utilization of expert systems
in virus ‘catching’ appears to be
a little more effective. Developers
of expert antivirus systems face similar
problems – the effectiveness of a
system depends upon the quality of
the rules and knowledge bases that
it uses. Additionally, these knowledge
bases have to be constantly updated
and once again that means spending out
on human resources.
General principles of operation of the Cyber Helper system
Despite the difficulties, over the course
of time experiments in this field have
led to some success – the Cyber Helper
system was created – a successful
attempt at getting nearer to employing
true autonomous AI in the battle against
malware. The majority of Cyber Helper’s
autonomous subsystems are able
to synchronize, exchange data and work
in unison with one another. Naturally
they contain some ‘hard’ algorithms and
rules like conventional programs do,
but for the most part they operate using
fuzzy logic and independently define their
own behavior as they go about solving
different tasks.
At the heart of the Cyber Helper system
is a utility called AVZ that was created by
the author in 2004. AVZ was especially
designed to automatically collect data
from suspect computers and malware
and store it in machine-readable form
for use by other subsystems. The utility
constructs reports of its examination
of a computer system in HTML format for
human consumption and XML for machine
analysis. From 2008 onwards, the core
AVZ program has been integrated into
Kaspersky Lab’s antivirus solutions.
The system’s operating algorithm
consists of six steps. During the first
step, the core AVZ program performs an
antivirus scan on the infected computer
and transfers the results it receives
in XML format to the other Cyber Helper
subsystems for analysis.
The system analyzer studies the
received protocol based on the enormous
volumes of data already available relating
to familiar malware programs, any
previously performed remedial actions
undertaken on similar cases, as well as
other factors besides. In this respect,
Cyber Helper resembles a living, working
human brain, which in order to be
productive must accumulate knowledge
about its surrounding environment;
especially during the period that it is
establishing itself. In order for children to
become fully developed it is vital that they
are continually aware of what is happening
in their world and that they can readily
communicate with other people. Here the
machine has the advantage over man as it
is able to store, extract and process much
larger volumes of information than people
can in a given time span.
Figure: The Cyber Helper system’s general operation algorithm, steps 1 to 6 (users’ PCs, system analyzers 1 to N, the system’s AI, and the expert analysts)
Figure: When a request for treatment is made it is important to provide answers to all the questions concerning the system
One more similarity between Cyber Helper
and human beings is that Cyber Helper
is able to independently and with almost
no prompting, undertake the process of
protocol analysis and constantly teach
itself in an ever-changing environment.
When it comes to self learning, the main
difficulties for Cyber Helper concern the
following three problems: mistakes made
by human experts that the machine
is not intuitive enough to resolve;
incompleteness and inconsistency of
program information and the multiple
refining of data and delays in data entry.
Let’s look at them in more detail.
The complexity of realization
Experts processing protocols and
quarantine files can make mistakes
or perform actions that cannot be
logically explained from a machine’s
perspective. Here’s a typical example:
when a specialist sees an unknown file
in a protocol with the characteristics
of a malware program called
%System32%ntos.exe, the specialist
deletes such a file without quarantining
it and analyzing it further based on
their experience and intuition. Thus
the details of the actions performed
by the specialists and how they arrive
at their conclusions cannot always be
transferred directly into something
that the machine can be taught. On
many occasions, incomplete and
contradictory treatment information
is encountered. For example, before
seeking the specialized assistance of
an expert, a user may have tried to
remedy his or her computer and deleted
only a part of a malware program –
restoring infected program files and
not cleaning the registry in the process.
Finally the third typical problem: during
the protocol analysis procedure, only
metadata from a suspect object is
available, whilst after analysis of the
quarantined file, only initial information
about the suspect objects is available.
Then the categorization of an object
takes place - the outcome being that it
either represents a malware program
or a ’clean’ program. Such information
is usually only available after repeated
refinement and some considerable
time, from minutes up to months even.
The defining process may take place
both externally in an analytical services
laboratory, as well as inside Cyber
Helper’s own subsystems.
Let’s look at a typical example: an
analyzer checks a file but finds nothing
dangerous in the file’s behavior and
passes this information on to Cyber
Helper. After a while the analyzer is
upgraded and repeats its analysis
of the suspect file that it examined
earlier, only this time it returns the
opposite verdict to that which it issued
previously. The same problem can
occur in relation to the conclusions
drawn by specialist virus analysts
for those programs with an arguable
classification, for example, programs
for remote management systems, or
utilities that cover a user’s tracks –
their classification may change from
one version to the next. The peculiarity mentioned above – the volatility and ambiguity of the analyzed programs’ parameters – has resulted in any decision taken by Cyber Helper being based on more than fifty different independent analyses. The priority of every type of research and the significance of its results are constantly changing, along with the process of self learning for the intelligent system.
On the basis of information available at the present time, the Cyber Helper analyzer provides a number of hypotheses with regard to which of the objects present in a protocol may constitute a threat and which can be added to the database of ‘clean’ files. On the basis of these hypotheses, AVZ automatically writes scripts for the quarantining of suspicious objects. The script is then transferred to the user’s machine for execution (step 2 of the Cyber Helper system’s general operation algorithm).
Figure: Once a request has been formulated the system once again displays it to the operator so that the operator can check that all of the input data is correct
Figure: An example of an instruction and script for treatment/quarantine written by the Cyber Helper system without any human participation
At the stage at which the script is
written it may be that the intelligent
system has detected data that is clearly
nefarious. In this case, the script can
include the delete commands for
known malware programs or call for
special procedures to restore known
system damage. Such situations
happen quite often and are due to the
fact that Cyber Helper simultaneously
processes hundreds of requests; this
is typical in situations where several
users have suffered at the hands of
the same malware program and their
machines are requesting assistance.
Having received and analyzed the
required samples from one of the users’
machines, Cyber Helper is able to
provide other users with the treatment
scripts, omitting the quarantine stage
completely and thereby saving users’
time and data traffic. Objects received
from the user are analyzed under the
control of Cyber Helper and the results
enlarge the Cyber Helper knowledge
base regardless of the outcome. That
way the intelligent machine can check
any hypotheses arrived at in step 1
of the general operation algorithm,
consequently providing confirmation,
or otherwise, of the outcome.
Cyber Helper’s technical subsystems
Cyber Helper’s main subsystems are
autonomous entities that analyze program
files for content and behavior. Their
presence allows Cyber Helper to analyze
malware programs and teach itself
from the results of its endeavors. If the
analysis clearly confirms that an object
is malevolent, that object is passed to the
antivirus laboratory with a high priority
recommendation to include it into the
antivirus databases; a treatment script
is then written for the user (step 5 of the
general algorithm). It is important to note
that despite analyzing an object, Cyber
Helper cannot always make a categorical
decision regarding the nature of the
object. When such a situation occurs,
all of the initial data and results collected
are passed on to an expert for analysis
(Step 6). The expert will then provide
the required treatment solution. Cyber
Helper is not involved with the process,
but continues to study the received
quarantines and protocols, generating
reports for the expert and thereby freeing
them from the lion’s share of routine work.
At the same time, the AI systems’ ‘non-
intervention policy’ regarding the expert’s
work is not always applied; dozens of
cases are known in which the intelligent
machine has discovered mistakes in the
actions of humans by referring to the
experience it has accumulated and the
results of its own analysis of an object.
In such cases, the machine may start by
interrupting the analytical and decision-
making process and send a warning to
the expert before going on to block the
scripts that are to be sent to the user,
which from the machine’s perspective
could harm the user’s system. The
machine carries out much the same
control over its own actions. While the
treatment scripts are being developed,
another subsystem simultaneously
evaluates them, preventing any mistakes
that may occur. The simplest example of such a mistake might be when a malware program substitutes an important system component. On the one hand it is necessary to destroy the malware program, while on the other, doing so may result in irrecoverable system damage.
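To make the two mechanisms just described concrete, the decision based on many independent analyses whose verdicts may change over time, and the separate subsystem that vetoes a treatment step which would damage the system, here is a small model written for this article. It is an added example, not Cyber Helper or AVZ code: the XML protocol layout, the three analyzers and their weights, the knowledge base contents, the hash values, the list of critical components and the treatment actions are all hypothetical and constructed for the illustration.

```python
"""Model of a multi-analyzer verdict, treatment planning and a safety veto (added example)."""
import xml.etree.ElementTree as ET

# Constructed protocol in the spirit of the machine-readable report of step 1.
SAMPLE_PROTOCOL = r"""<protocol>
  <object path="C:\Windows\System32\ntos.exe" hash="aaaa" signed="no"/>
  <object path="C:\Windows\System32\winlogon.exe" hash="bbbb" signed="no"/>
  <object path="C:\Program Files\Tool\tool.exe" hash="cccc" signed="yes"/>
  <object path="C:\Users\Ann\update.exe" hash="dddd" signed="no"/>
</protocol>"""

# Hypothetical knowledge base: 'bbbb' is a malware file that replaced winlogon.exe.
KNOWLEDGE = {"malware": {"aaaa", "bbbb"}, "clean": {"cccc"}}
# Hypothetical list of components whose plain deletion may leave the system unbootable.
CRITICAL_COMPONENTS = {"winlogon.exe", "csrss.exe", "lsass.exe"}


def parse_protocol(xml_text):
    """Turn the XML protocol into a list of object dicts."""
    objects = []
    for el in ET.fromstring(xml_text).findall("object"):
        path = el.get("path")
        objects.append({"path": path, "name": path.rsplit("\\", 1)[-1].lower(),
                        "hash": el.get("hash"), "signed": el.get("signed") == "yes"})
    return objects


# Each analyzer scores an object in [-1, 1]: positive = malicious, negative = clean.
def hash_analyzer(obj):
    if obj["hash"] in KNOWLEDGE["malware"]:
        return 1.0
    if obj["hash"] in KNOWLEDGE["clean"]:
        return -1.0
    return 0.0


def signature_analyzer(obj):
    return -0.5 if obj["signed"] else 0.2


def name_analyzer(obj):
    # A hypothetical heuristic: the file name from the article's example.
    return 0.7 if obj["name"] == "ntos.exe" else 0.0


# Weights express how much the system currently trusts each analyzer.
ANALYZERS = [(hash_analyzer, 3.0), (signature_analyzer, 1.0), (name_analyzer, 1.0)]


def classify(obj, analyzers=ANALYZERS, threshold=0.5):
    """Weighted vote over all analyzers; undecided objects stay 'unknown'."""
    total = sum(w for _, w in analyzers)
    score = sum(fn(obj) * w for fn, w in analyzers) / total
    if score >= threshold:
        return "malware"
    if score <= -threshold:
        return "clean"
    return "unknown"


def plan_treatment(objects):
    """Delete known malware, quarantine unknowns for analysis, leave clean files alone."""
    steps = []
    for obj in objects:
        verdict = classify(obj)
        if verdict == "malware":
            steps.append(("delete", obj["path"]))
        elif verdict == "unknown":
            steps.append(("quarantine", obj["path"]))
    return steps


def safety_check(steps):
    """Independent evaluator: a deletion of a critical component is escalated to an expert."""
    checked = []
    for action, path in steps:
        name = path.rsplit("\\", 1)[-1].lower()
        if action == "delete" and name in CRITICAL_COMPONENTS:
            checked.append(("escalate", path))
        else:
            checked.append((action, path))
    return checked


def learn(hash_value, verdict):
    """Feed a quarantine-analysis result back; a changed verdict overrides the old one."""
    if verdict not in ("malware", "clean"):
        raise ValueError("only definite verdicts are recorded")
    other = "clean" if verdict == "malware" else "malware"
    KNOWLEDGE[other].discard(hash_value)
    KNOWLEDGE[verdict].add(hash_value)


if __name__ == "__main__":
    objs = parse_protocol(SAMPLE_PROTOCOL)
    for step in safety_check(plan_treatment(objs)):
        print(step)
```

In the sample run ntos.exe is deleted, update.exe is quarantined, the signed tool is left alone, and the substituted winlogon.exe is not deleted but escalated, because the evaluator judges the step by its effect on the system rather than by the verdict alone. Calling learn("dddd", "clean") after the quarantined file has been examined changes the next classification of update.exe, which is the feedback loop the article describes.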
These days, Cyber Helper is successfully integrated into the http://virusinfo.info/index.php?page=homeenglangid=1 antivirus portal and forms the basis of the experimental 911 system (http://virusinfo.info/911test/).
In the ‘911 system’, Cyber Helper
communicates directly with the user:
requesting protocols, analyzing them,
writing scripts for the initial scan and
performing quarantine file analysis.
In accordance with the results of its
analysis, the machine is permitted to
carry out treatment of the infected
computer. Furthermore, Cyber Helper
assists the work of the experts by
finding and suppressing any dangerous
mistakes, carrying out initial analyses of
all the files placed in quarantine by the
experts and processing the quarantined
data before adding it to the database of
‘clean’ files. The technology behind Cyber
Helper and its principle of operation are
protected by Kaspersky Lab patents.
Conclusion
Modern malware programs act and
propagate extremely fast. In order
to respond immediately, the intelligent
processing of large volumes of non-
standard data is required. Artificial
intelligence is ideally suited to this task;
it can process data far in excess of the
speed of human thought. Cyber Helper
is one of only a handful of successful
attempts to get closer to the creation
of autonomous artificial intelligence. Like
an intelligent creature, Cyber Helper is able
to self learn and define its own actions
in an independent manner. Virus analysts
and intelligent machines complement one
another extremely well by working together
more effectively and providing users with
more reliable protection.
Figure: The 911 services available on the VirusInfo website can be used by anyone who wants to
Under control
Article by Elmar Török
Elmar Török has been working in the IT industry since 1989. He became an author and technical journalist in 1993 while studying electrical engineering in Munich and Kempten. Since then he has written hundreds of articles for just about every major computer and networking publication in Germany. Elmar specializes in IT security and storage issues, has a solid knowledge of server-related topics and knows his way around virtualization. He is the Editor-in-Chief of the security periodical “Infodienst IT-Grundschutz” and is involved in the final acceptance process of new material for the IT-Grundschutz Catalogues of the Federal Office for Information Security.
Security systems are constantly being perfected. Whereas traditional signature-based technologies are only able to handle known threats, the solutions for monitoring system events that have appeared recently can detect threats and anomalous behavior in computer systems that virus analysts are as yet completely unfamiliar with.
The traditional approach to malware protection has always been to firstly analyze the specific characteristics of each piece of malware, create a database of such features that is as comprehensive as possible and then to block those programs that display any of the recorded malware characteristics. The main drawback to such signature-based methods is that they only provide protection against known threats, and information about each threat has to be collected separately. As a result, it is only possible to get a very limited idea of what is going on with the computer system as a whole, whereas to achieve a good level of security it is necessary to have as precise a picture as possible of the ever-changing threatscape and system anomalies.
System monitoring: a new level of protection
System monitors record every important change to the system, including destructive changes, for example, unwanted entries to the system registry and unauthorized file modifications. Destructive behavior is the most characteristic, precise and identifying feature of malware, and that is true for both known and as yet unknown varieties, which is why system monitoring is universal: it is effective against any software that behaves as malware.
Once legitimate parameters and events have been defined for a given system, it is possible to detect everything that occurs outside these limits, including unknown anomalies. In many cases this approach is simpler than trying to conceive of every type of threat in advance in order to devise and implement suitable protective strategies accordingly.
System monitoring is especially valuable if one considers that new malware attacks and threats are constantly being developed and perfected. For example, it allows new threats and anomalies to be detected that may be based on new methods of penetrating a system and obfuscating malware.
System monitoring provides flexible protection. It is possible to draw an analogy with whitelisting and blacklisting technologies. Blacklists list malware, and everything on the list is blocked, whilst whitelists list legitimate programs and allow only those programs on the list to access the necessary system resources. In both cases, reliable protection would only be achieved if the lists were kept fully up to date, which is an impossible task given the sheer volume of new malware and legitimate programs appearing daily. That is why the most reasonable and flexible approach is to involve both types of list: white and black.
What is important is that system monitoring, if implemented correctly, makes it possible to roll back the activity of malicious programs and restore the computer’s normal operating parameters.
Analysis of system events
Dependable system monitoring capabilities can be achieved by integrating the system monitoring software with a high quality, intelligent system of threat analysis. It is not enough to simply collect information about system events; it is necessary to correctly identify the sources of such events, as well as their interconnections and their influence on the system’s security.
The monitoring system’s functionality must be flexible and its methodology can differ depending upon its aims. When known threats are being detected, a comparison with known models of malware behavior is used. When unknown anomalies are being detected, system events and statuses need to be analyzed as a whole and deviations from the norm identified in order to trigger an appropriate response.
To achieve full system protection using system monitoring techniques, the monitoring software has to be able to analyze events in real time in order to be able to block and roll back destructive actions immediately.
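The following toy monitor is an added example written for this article and is not System Watcher or any other product code. It puts the ideas of the preceding sections together: a stream of file and registry events is checked against a whitelist of behaviour seen during normal use and a blacklist of patterns characteristic of malware, each process accumulates an anomaly score, a process that crosses the threshold is blocked from making further changes, and a per-process journal allows the changes it already made to be rolled back. The event format, the sample events, the initial state, the baseline, the two blacklist rules and the threshold are all constructed for the illustration.

```python
"""Toy system-event monitor with baseline, blacklist, blocking and rollback (added example)."""
from collections import defaultdict

# Constructed initial state of the monitored system: target -> content or value.
INITIAL_STATE = {
    r"C:\Windows\System32\drivers\etc\hosts": "hosts_v1",
    r"HKCU\Software\Explorer\ViewState": "a",
}

# Constructed event stream: (process, kind, target, new_value).
EVENTS = [
    ("word.exe", "file_write", r"C:\Users\Ann\report.docx", "v2"),
    ("setup.exe", "file_create", r"C:\Users\Ann\AppData\svchost.exe", "bin1"),
    ("setup.exe", "reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd",
     r"C:\Users\Ann\AppData\svchost.exe"),
    ("setup.exe", "file_write", r"C:\Windows\System32\drivers\etc\hosts", "hosts_v2"),
    ("explorer.exe", "reg_set", r"HKCU\Software\Explorer\ViewState", "b"),
]

# Whitelist: (process, kind) pairs observed while the system behaved legitimately.
BASELINE = {("word.exe", "file_write"), ("explorer.exe", "reg_set")}
# Blacklist: (kind, predicate) patterns taken as characteristic of malware.
BLACKLIST_RULES = [
    ("reg_set", lambda target, value: "\\currentversion\\run\\" in target.lower()),  # autostart
    ("file_write", lambda target, value: target.lower().endswith("\\hosts")),      # name hijack
]


class Monitor:
    def __init__(self, initial_state, threshold=5):
        self.system = dict(initial_state)    # simulated file system and registry
        self.threshold = threshold
        self.journal = defaultdict(list)     # process -> [(target, previous value)]
        self.score = defaultdict(int)        # process -> anomaly points
        self.blocked = set()

    def observe(self, process, kind, target, new_value):
        """Apply one event unless its process is blocked; return True if the process
        is (now) classified as malicious."""
        if process in self.blocked:
            return True                      # destructive action refused outright
        old_value = self.system.get(target)
        self.journal[process].append((target, old_value))
        self.system[target] = new_value
        if (process, kind) not in BASELINE:
            self.score[process] += 1         # deviation from the known-good picture
        for rule_kind, matches in BLACKLIST_RULES:
            if kind == rule_kind and matches(target, new_value):
                self.score[process] += 3     # known malware behaviour weighs more
        if self.score[process] >= self.threshold:
            self.blocked.add(process)
            return True
        return False

    def rollback(self, process):
        """Undo the journaled changes of a process, newest first."""
        undone = []
        for target, old_value in reversed(self.journal[process]):
            if old_value is None:
                self.system.pop(target, None)
                undone.append(("remove", target))
            else:
                self.system[target] = old_value
                undone.append(("restore", target))
        self.journal[process].clear()
        return undone


def run_demo(events=EVENTS, initial_state=INITIAL_STATE):
    """Feed the constructed events through a monitor; return it with what was flagged and undone."""
    mon = Monitor(initial_state)
    flagged = []
    for process, kind, target, value in events:
        if mon.observe(process, kind, target, value) and process not in flagged:
            flagged.append(process)
    rolled_back = {p: mon.rollback(p) for p in flagged}
    return mon, flagged, rolled_back


if __name__ == "__main__":
    monitor, flagged, rolled_back = run_demo()
    print("flagged:", flagged)
    print("rolled back:", rolled_back)
```

In the sample run the installer is flagged at its autostart registry write, its later attempt to alter the hosts file is refused, and the rollback removes the dropped executable and the Run entry, while the document edit by word.exe and the Explorer registry change, both within the baseline, are left untouched. The point of combining the two lists is visible in the scores: the baseline alone would only slowly accumulate points for an unfamiliar process, and the blacklist alone would miss novel behaviour.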
Conclusion
Modern threats are constantly mutating,
demanding new and more effective methods of
protection against them. System event monitors
meet these requirements by providing the
maximum amount of information about system
activities to analytical modules that can decide
what, if any, response is needed.
Using an analogy, the traditional signature-
based technologies can be compared with the
identification of criminals by their fingerprints,
but if the fingerprint database is not complete,
then system monitoring can be employed
and this is like establishing total control
over a protected territory and monitoring the
situation so closely that criminals cannot help
but be identified as soon as they set out to do
something nefarious.
Figure: The latest version of Kaspersky Internet Security 2011 makes it possible to control the activities of applications
Modern antivirus solutions
must include system
monitoring software.
Kaspersky Lab was one
of the first companies
to recognize the end
user benefits of this
technology and introduced
it into Kaspersky Internet
Security2010. This has
since been followed
by its integration into
the 2011versions
of Kaspersky Anti-
Virus and Kaspersky
Internet Security. In
the 2011solutions, the
monitoring software is
a separate module and
is known as ‘System
Watcher’.
In Kaspersky Lab’s
solutions, System Watcher
monitors and records
information about the
creation and modification of
files, changes to the registry,
operating system calls
and the transfer of data to
and from the Internet. The
data collection process
is automatic and requires
no input from the user.
Most importantly, System
Watcher allows any potential
changes caused by malware
to be rolled back.
We have not only
implemented System
Watcher, but integrated
it with several analytical
modules. Based upon the
data that it collects, System
Watcher is able to make a
decision about the potential
malignancy of a program
using its ‘Behavior Stream
Signatures’ module. System
Watcher can also actively
exchange information with
the other modules used to
analyze program behavior
such as: the proactive
protection module, the
attack prevention system,
the antivirus engine and the
Internet screen.
Nikolay Grebennikov
Chief Technology Officer at
Kaspersky Lab
Expert Comments
A general overview of a typical application activity analysis system
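As an added illustration of the monitoring-and-rollback idea the comment describes (editor's example code for this page, not Kaspersky Lab's System Watcher or any of its internals): a toy watcher that journals every file and registry change per process, matches each process's event stream against an ordered behaviour signature, and rolls that process's changes back once the stream matches. The event kinds, the signature, the paths and the sample event stream are all constructed for the example.

```python
"""Toy system-event monitor in the spirit of the 'System Watcher' description
above.  Added illustration written for this page, not Kaspersky Lab code: the
event model, the behaviour signature and the sample event stream are all
constructed for the example."""
from dataclasses import dataclass


@dataclass
class Event:
    pid: int
    kind: str       # "file_write", "registry_set" or "net_connect"
    target: str     # file path, registry value path or remote address
    data: str = ""  # new file content / registry value (unused for net_connect)


# A behaviour-stream signature: an ordered list of (event kind, predicate).
# Every step must be satisfied, in order, by events of a single process.
# Constructed for the example; it stands in for a 'dropper that persists via
# the Run key and then phones home' pattern.
DROPPER_AUTOSTART = [
    ("file_write", lambda e: e.target.lower().endswith(".exe")
                             and "\\temp\\" in e.target.lower()),
    ("registry_set", lambda e: "\\currentversion\\run\\" in e.target.lower()),
    ("net_connect", lambda e: True),
]


class SystemWatcher:
    """Records per-process event streams, journals the pre-image of every file
    and registry change so it can be rolled back, and matches streams against
    a signature."""

    def __init__(self, files, registry):
        self.files = files        # simulated file system: path -> content
        self.registry = registry  # simulated registry: value path -> data
        self.streams = {}         # pid -> [Event, ...]
        self.journal = {}         # pid -> [(kind, target, previous), ...]

    def record(self, ev, signature=DROPPER_AUTOSTART):
        """Apply one event to the simulated system and report whether the
        process's stream now matches the signature."""
        self.streams.setdefault(ev.pid, []).append(ev)
        if ev.kind in ("file_write", "registry_set"):
            store = self.files if ev.kind == "file_write" else self.registry
            # Journal the previous value (None = did not exist) before changing it.
            self.journal.setdefault(ev.pid, []).append(
                (ev.kind, ev.target, store.get(ev.target)))
            store[ev.target] = ev.data
        return self.matches(ev.pid, signature)

    def matches(self, pid, signature):
        step = 0
        for ev in self.streams.get(pid, []):
            kind, predicate = signature[step]
            if ev.kind == kind and predicate(ev):
                step += 1
                if step == len(signature):
                    return True
        return False

    def rollback(self, pid):
        """Undo every journaled change of the process, newest first."""
        for kind, target, previous in reversed(self.journal.pop(pid, [])):
            store = self.files if kind == "file_write" else self.registry
            if previous is None:
                store.pop(target, None)
            else:
                store[target] = previous


# Constructed sample event stream: pid 777 is a legitimate editor saving a
# document, pid 1234 behaves like a dropper.  Paths and addresses are made up.
SAMPLE_EVENTS = [
    Event(777, "file_write", "C:\\Users\\alice\\notes.txt", "draft v2"),
    Event(1234, "file_write", "C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe", "MZ..."),
    Event(1234, "registry_set",
          "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc",
          "C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe"),
    Event(777, "net_connect", "203.0.113.10:443"),
    Event(1234, "net_connect", "198.51.100.7:8080"),
]


def run_simulation(events=SAMPLE_EVENTS):
    """Feed the stream to the watcher; roll back any process that matches."""
    watcher = SystemWatcher(files={"C:\\Users\\alice\\notes.txt": "draft v1"},
                            registry={})
    detected = []
    for ev in events:
        if watcher.record(ev) and ev.pid not in detected:
            detected.append(ev.pid)
            watcher.rollback(ev.pid)
    return {"detected": detected,
            "files": dict(watcher.files),
            "registry": dict(watcher.registry)}


if __name__ == "__main__":
    print(run_simulation())
```

The benign editor's save survives because the journal is kept per process and only the matching process is rolled back; the signature fires only on the third step, which is why the journal has to be written before the verdict is known.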
Forecasts | Changes in the methods and targets of attacks
Weak links
Our forecasts regarding the development of threats usually look closely at any new methods by which viruses proliferate, new platforms upon which threats may appear and aspects of the cybercriminals’ existence from the point of view of their income. However, the principal factor lying at the root of the problem has always been, and will remain, the human factor.
Article by Aleks Gostev, Chief Security Expert at Kaspersky Lab
Aleks led the Global Research & Analysis Team from 2008, before moving to his current position as Chief Security Expert with the team in 2010. Aleks specializes in all aspects of information security, including mobile malware. His responsibilities include the detection and analysis of new malware. Aleks’ research and analytical articles are published both on dedicated IT sites and in the mass media.
the main threat
Currently, however, the majority of virus infections occur while the user goes about their business on the Internet. The now ubiquitous ‘drive-by download’ technology has pushed the threat up to new levels: despite the name, the user doesn’t have to download any files from the Internet at all, but may at any time visit a malware site, or a legitimate site that has been compromised by an exploit, and end up with an infected computer as a result. The exploitation of vulnerabilities has become an even more effective means of proliferating viruses than ‘social engineering’ techniques, and that is something the information security industry has still not got used to.
Many software development companies that produce programs containing vulnerabilities appear to struggle when it comes to restructuring their processes, not just from the point of view of reducing the number of vulnerabilities, but also in how efficiently they address the problem. The situation whereby threats targeting unpatched vulnerabilities are actively proliferating across the Internet is, quite worryingly, starting to become the norm rather than the exception.
As I sit here writing this article, I know of a minimum of three critical vulnerabilities in popular products that have, as yet, not been addressed by their developers. It would not be a great surprise if they remain unaddressed for some time after this article is published.
The security aspects relating to the business of creating other popular Internet resources, primarily social networks, are equally woeful. XSS vulnerabilities are being detected in some of the most popular resources with alarming frequency, which adds yet another layer of threats to the already sizeable problem under consideration. Thus the exploitation of vulnerabilities in order to spread malware and steal information is now extremely commonplace and not at all the rarity that it once was.
Right now, even cybercriminals without any proper knowledge of programming are able to use ready-made ‘exploit packs’ to distribute their Trojan programs. This gives them the ability to reach a vastly greater number of computers than they could ever have hoped to reach through social engineering alone.
It has to be acknowledged that the danger presented by software vulnerabilities is growing by the day. Until recently, the antivirus industry as a whole has been reactive rather than proactive in its approach to detecting exploits and/or informing users about vulnerable applications on their computers. Antivirus software companies are only just taking the first steps towards the development of multilayered protection systems to combat threats of this type, with the introduction of basic tools that can identify and protect against such vulnerabilities. Obviously this is not enough, but the process of creating the required new technologies, developing them and implementing them is time consuming. However, even if we are able to turn the tide and make the exploitation of vulnerabilities as rare an event as it was 10 years ago, the notorious ‘human factor’ will always remain.
Industrial espionage
The existence of multiple ‘zero-day’ vulnerabilities opens up many new possibilities for the cybercriminals, not least in the area of attacking companies, research institutes and governmental organizations. Whereas previously one of the main problems experienced by these entities was the human factor, usually involving insider action or staff negligence, today’s threats mean that such companies and organizations have had to completely redefine their corporate protection strategies.
The most prominent example of the new type of threat is the Stuxnet worm, which was first detected during the summer of 2010. Its aim was to gain access to, and information from, the production management systems built on Siemens Simatic WinCC, which work on the SCADA
platform. Apart from its unusual functionality, the worm exploited a zero-day vulnerability in Windows for the purposes of self-propagation. This vulnerability was known to the cybercriminals at least half a year before security experts managed to detect it, so we can only guess who has been using it and for what purpose. What is even more alarming is that a conflict of interests between the cybercriminals and governmental institutions can be expected in the field of industrial espionage.
Previously, the scope of the cybercriminals’ attacks was limited to harassing everyday users en masse, and only rarely did they carry out successful attacks on financial organizations, payment systems and online shops. Back then the criminals’ main aim was to gain access to user accounts. However, during the course of its evolution, the world of cybercriminality has performed a spiral manoeuvre which has seen it return to the same point from which it started, but on a new and higher level. That starting point is the realization of the value of information in today’s society. Often, a successful attack on a company’s infrastructure will net the cybercriminals far more significant profits than they would otherwise receive through the mass viral infection of home users’ computers.
The development of information processes, and the involvement of new areas of human activity in this sphere, leads to a situation where information previously unavailable to the remote attacker is now accessible to them. At the same time, the range of information that is of interest to the criminals has become even wider. If in times gone by it was financial information and users’ personal data that was the target of the hacker, it is now more often than not technical data and research information that they are after.
Alternative methods of entry
As we have stated above, an attack via a user’s web browser is the most common method by which a threat will infiltrate a computer. At the same time, however, it is worth remembering that there are many other ways to access a user’s system, and those other means are currently receiving a great deal of attention from the cybercriminals and are under constant development.
File sharing networks have become the most rapidly growing threat from the point of view of the distribution of malware. To illustrate the scale of the problem we can look to the Mariposa botnet saga, whose authors and owners were arrested in Spain and Slovenia just this summer. According to information from the FBI report, during the time of its existence the botnet contained some 12 million computers located across 190 countries of the world. The main method by which the botnet spread was P2P networks. Christopher Davis, CEO of Defense Intelligence, who first discovered the Mariposa botnet, explains: “It would be easier for me to provide a list of the Fortune 1000 companies that weren’t compromised, rather than a long list of those who were.”
During the first half of 2010, practically every noteworthy release of a pirated version of a popular game or software application contained a Trojan component that was spread with the pirates’ distribution over file sharing networks. In July, Microsoft announced that they had detected several viruses in unlicensed copies of the game StarCraft 2. With the growth in the quality of protection against browser attacks, the vector of entry will doubtless shift more and more strongly towards file sharing networks.
Antivirus clouds
Practically all of the major antivirus companies have started using in-the-cloud technologies or are planning to use them in the near future. Despite the undoubted advantage with regard to the struggle against attacks, in-the-cloud technologies are themselves sure to be a prime target for the cybercriminals.
The eternal conflict between virus and antivirus has, up to the present moment, largely been going on at the level of files and processes on the end users’ machines. Malware programs have been trying to destroy the antivirus system by different means, or attempting to persuade the user to switch it off themselves.
With the beginning of cloud-based detection and categorization, a new front has opened up in this war. Malware programs, or to be more precise their authors, will have to solve the problem of attacking the cloud. Although it is technologically practically impossible to destroy the cloud, direct mass DDoS attacks aside, it is quite vulnerable in terms of its own functionality: receiving, processing and sending information to and from the end users.
Problems within the very architecture of the majority of antivirus clouds will be actively used by the cybercriminals, and the first examples of such actions can be seen already. The most widespread and simple method of disabling cloud technologies is to block the computer’s access to the cloud. More complex methods include the substitution of data, with the aim of ‘trashing’ the cloud with false information, as well as the modification of the data received from the cloud.
Such ‘trashing’ is probably the most dangerous threat. Blocking access to the cloud or modifying responses from the cloud affects only the infected users, but feeding false data into the cloud will influence every single user. This would bring with it not only an absence of detection, but also a more serious problem: false positives, which would lead to a general decline in the level of trust in cloud-based technologies and to the necessity to revise or alter their algorithms.
With the increase in the number of antivirus technologies that operate using in-the-cloud technologies, there will be constant quantitative and qualitative growth in the number of attacks upon them, both from malware programs on clients’ computers and, additionally, with the help of special services supported by the cybercriminals.
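To make the three attack classes concrete from the defender's side, here is an added example (written for this page, not the design of any vendor's cloud) of a toy verdict protocol: the cloud signs its verdicts so a modified response is detected, the client treats an unreachable or tampered cloud as a reason to fall back to its local verdict rather than assume 'clean', and a verdict is only formed from distinct reputable reporters, so a flood of false reports from fresh clients does not 'trash' the result. The key, client identifiers, file hash and reputation values are placeholders.

```python
"""Toy model of the antivirus-cloud exchange, hardened against the three attack
classes the article names: blocked access, poisoned submissions ('trashing')
and modified responses.  Added illustration for this page, not any vendor's
design; the key, client ids and file hashes are placeholders."""
import hashlib
import hmac
import json
from collections import defaultdict

# Assumption: a shared secret provisioned to the client at install time.  A real
# deployment would use public-key signatures so clients hold no signing secret.
CLOUD_KEY = b"placeholder-cloud-verdict-key"


def _canonical(verdict):
    return json.dumps(verdict, sort_keys=True, separators=(",", ":")).encode()


def sign_verdict(verdict, key=CLOUD_KEY):
    """Cloud side: bind a MAC to the verdict so the client can detect tampering."""
    return {"verdict": verdict,
            "mac": hmac.new(key, _canonical(verdict), hashlib.sha256).hexdigest()}


def verify_verdict(signed, key=CLOUD_KEY):
    """Client side: constant-time check of the MAC against the received body."""
    expected = hmac.new(key, _canonical(signed["verdict"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed.get("mac", ""))


class VerdictCloud:
    """Aggregates client reports per file hash.  A label becomes the verdict only
    when enough *distinct reputable* clients agree, so a flood of reports from
    fresh or low-reputation clients cannot flip it ('trashing' resistance)."""

    def __init__(self, min_reputable=3, reputable_threshold=0.5):
        self.reports = defaultdict(dict)             # file_hash -> {client_id: label}
        self.reputation = defaultdict(lambda: 0.01)  # unknown clients count for little
        self.min_reputable = min_reputable
        self.reputable_threshold = reputable_threshold

    def set_reputation(self, client_id, value):
        self.reputation[client_id] = max(0.0, min(1.0, value))

    def submit(self, client_id, file_hash, label):
        # One vote per client per file: resubmitting overwrites, it never accumulates.
        self.reports[file_hash][client_id] = label

    def verdict(self, file_hash):
        reputable = defaultdict(int)  # label -> distinct reputable reporters
        weight = defaultdict(float)   # label -> reputation-weighted support
        for client_id, label in self.reports[file_hash].items():
            rep = self.reputation[client_id]
            weight[label] += rep
            if rep >= self.reputable_threshold:
                reputable[label] += 1
        candidates = [lab for lab in weight if reputable[lab] >= self.min_reputable]
        label = max(candidates, key=lambda lab: weight[lab]) if candidates else "unknown"
        return sign_verdict({"hash": file_hash, "label": label})


def client_decision(signed, local_label):
    """Client policy: a missing or tampered cloud answer never silently becomes
    'clean'.  Fall back to the local engine's verdict and flag why."""
    if signed is None:
        return local_label, "cloud-unreachable"
    if not verify_verdict(signed):
        return local_label, "cloud-response-tampered"
    return signed["verdict"]["label"], "cloud-ok"


def run_scenarios():
    """Constructed scenarios; every id and hash below is made up."""
    cloud = VerdictCloud()
    sample = "sha256:placeholder-sample-hash"
    for cid in ("trusted-1", "trusted-2", "trusted-3"):
        cloud.set_reputation(cid, 0.9)
        cloud.submit(cid, sample, "malicious")
    honest = client_decision(cloud.verdict(sample), "suspicious")
    # Attack 2: 500 fresh clients try to 'trash' the cloud with a false 'clean'.
    for i in range(500):
        cloud.submit(f"bot-{i}", sample, "clean")
    after_flood = client_decision(cloud.verdict(sample), "suspicious")
    # Attack 3: the response is modified in transit to read 'clean'.
    tampered = cloud.verdict(sample)
    tampered["verdict"]["label"] = "clean"
    modified = client_decision(tampered, "suspicious")
    # Attack 1: access to the cloud is blocked; nothing comes back.
    blocked = client_decision(None, "suspicious")
    return {"honest": honest, "after_flood": after_flood,
            "modified": modified, "blocked": blocked}


if __name__ == "__main__":
    print(run_scenarios())
```

The design choice worth noting is that raw vote counts never decide anything: the flood of 500 'clean' reports carries more total weight than the three trusted reporters, but it contributes no reputable reporter, so it cannot even become a candidate label.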
[Figure: The approximate percentage ratio of virus infections caused by the human factor (blue), compared to software vulnerabilities (red), for the period 2000-2005]
[Figure: The approximate percentage ratio of virus infections caused by the human factor (blue), compared to software vulnerabilities (red), for the period 2009-2010]
Interview | Malware processing
Keeping pace with viruses
Creators of viruses obviously set out to make as much profit as possible from their activities. To achieve this they distribute as many malware programs as they can, hiding them from antivirus detectors with the help of many tricks. Nikita Shvetsov, Kaspersky Lab’s Head of Antivirus Research, tells us how the virus analysts manage the processing of huge numbers of these malware samples.
SV: Lately we have seen an enormous growth in the quantity of malware. What is it connected with – the cybercriminals’ thirst for profit?
N: Let’s start from the fact that there is no single system of counting these programs. It’s no secret that modern solutions are developed along the lines of advanced behavioral analyzers, and that the enhanced behavioral template HEUR:Worm.32.Generic blocks millions of different files per day. So, how to count this? Kaspersky Lab has long since gone from abstract evaluation of the volume of detected viruses to hard statistics concerning virus infections and prevented attacks. Such statistics are received online from the users of our products. We operate by knowing the amount of virus infections per day and the amount of machines infected, and can thus reliably track the spread of any ongoing epidemics. In absolute figures, it is the same millions of unique files, but occurring on a daily basis. However, where do so many files come from? Virology has become heavily commercialized and the field of systems programming, which a while ago was interesting because of its nontrivial approach, has now become a method of income for the cybercriminals. Then, as in any industry, there has been a transformation from backstreet workshops to well organized factories with the distinct separation of work. Clients are generally unwilling to pay tens of thousands of dollars for the creation of a new version of a Trojan-based botnet. It is much simpler to buy a package that has been developed for you, and to buy it with support, which means that if the package is detected – you are simply provided with a new one. This is a prime source of malware file growth. As one of our colleagues says: “everything that is new – is in fact something old, neatly repackaged”.
Either the malware developers were very lazy or the antivirus solutions manufacturers have raised the speed at which they create protective signatures, but the idea has undergone further development. Tools responsible for obfuscation are being placed actually on the web server from where the malware is downloaded. Each time a user follows the malware link, the server provides a new, unique file. This is called server-side polymorphism. Each time that the link is used, a different file with identical functionality is received. The development projects of virus programs with open source code of the Pinch/BlackEnergy variety also played a significant role in the growth of the number of detected program variants. Anyone with no respect for the law can find the initial texts of these programs, upgrade them to suit their own purposes and begin to distribute them.
SV: In connection with this, how has the approach to malware processing changed from the side of the antivirus companies?
N: First of all, the incoming flow of malware data has increased to such an extent that we have encountered electrical supply capacity issues regarding the connection of new server equipment in our headquarters. We receive hundreds of thousands of files per day and to process them manually we would need to retain more than 1,000 staff. That is why the approach has changed radically. Our aim is to minimize the flow of files reaching our virus analysts. People should be given the opportunity to do what they enjoy doing – to think about and analyze new samples, which cannot be dealt with by automatic means. Routine work – that’s the robots’ task. We even joke about our robots fighting the robots from the other side. We are also enhancing our regional capabilities. For a start, we have opened the antivirus laboratory in Beijing, and currently we are opening another laboratory in Seattle, in the USA. This allows Kaspersky Lab to cover all the time zones, and possibly in the future, to eliminate the need for our Moscow-based virus analysts to have to do shift work.
SV: How do you receive new versions of malware programs?
N: Of course, we have significantly changed our approach to obtaining new malware samples. Whilst before we received suspicious files sent to us by users of our products and other interested parties via our newvirus@kaspersky.com email box, now the emphasis is on proactively seeking out malware files. Our robots are out there crawling Internet pages, receiving and ‘reading’ spam and imitating users of IM clients – they can even hold a conversation! This is very engaging. Also, we readily share information about detected threats with our colleagues from other companies, and they reciprocate.
SV: In the future, will it be possible to completely automate the entire process so that virus analysts will no longer be needed?
N: Completely removing humans from the process, particularly virus analysts, is hugely unlikely. The quality of such an automated system would seriously degrade pretty quickly. It is more likely that the virus analysts’ role will be to configure different robots with the aim of adding to their algorithms the means to combat new vectors of attack. Even then, there is always incomplete or contradicting data that a robot is simply not able to handle, or false positives which really only humans can deal with.
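As an added example of the server-side polymorphism problem the interview describes, seen from the analyst's side (editor's code for this page, not Kaspersky Lab's tooling): two constructed 'downloads' share an unchanged core wrapped in different junk, so their SHA-256 hashes differ, yet a winnowing fingerprint over byte k-grams still scores them as near-identical while an unrelated file scores near zero. Winnowing is a general similarity technique not mentioned on the page; the samples are pseudo-random blobs built inline and stand in for real binaries.

```python
"""Why exact hashes fail against server-side polymorphism, and one way variants
can still be clustered.  Added illustration for this page, not Kaspersky Lab
tooling: it uses winnowing (Schleimer, Wilkerson and Aiken, 2003) over byte
k-grams, and the 'samples' are constructed pseudo-random blobs sharing an
unchanged core wrapped in different junk, which is what a server-side
polymorphic download looks like to a hash-based scanner."""
import hashlib
import random


def kgram_hashes(data: bytes, k: int = 8):
    """32-bit hash of every k-byte window of the input."""
    return [int.from_bytes(hashlib.blake2b(data[i:i + k], digest_size=4).digest(), "big")
            for i in range(len(data) - k + 1)]


def winnow(hashes, w: int = 4):
    """Winnowing: keep the minimum of every window of w consecutive k-gram
    hashes.  Two inputs sharing any substring of length >= w + k - 1 bytes are
    then guaranteed to share at least one selected hash, while the fingerprint
    is only about 2/(w+1) the size of the full k-gram list."""
    return {min(hashes[i:i + w]) for i in range(len(hashes) - w + 1)}


def fingerprint(data: bytes, k: int = 8, w: int = 4):
    return winnow(kgram_hashes(data, k), w)


def jaccard(a: set, b: set) -> float:
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def _blob(seed: int, n: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for binary content."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed samples: the same 2000-byte 'functional core' delivered twice with
# different junk around it, plus an unrelated file of similar size.
CORE = _blob(1, 2000)
VARIANT_A = _blob(2, 150) + CORE + _blob(3, 100)
VARIANT_B = _blob(4, 120) + CORE + _blob(5, 200)
UNRELATED = _blob(6, 2200)


def compare_samples():
    fp_a, fp_b, fp_u = fingerprint(VARIANT_A), fingerprint(VARIANT_B), fingerprint(UNRELATED)
    return {
        # Exact hashes: every download is a 'new' file to a hash-based scanner.
        "sha256_match": hashlib.sha256(VARIANT_A).digest() == hashlib.sha256(VARIANT_B).digest(),
        # Similarity fingerprints: the shared core dominates both fingerprints.
        "variant_similarity": jaccard(fp_a, fp_b),
        "unrelated_similarity": jaccard(fp_a, fp_u),
    }


if __name__ == "__main__":
    for name, value in compare_samples().items():
        print(f"{name}: {value}")
```

The fingerprint is what lets an automated pipeline route the hundred-thousandth repackaging of a known family to a robot rather than to an analyst; the junk the server adds changes only the selected hashes at the boundaries, so the Jaccard score stays high however many times the link is fetched.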
Secureview 4 - 2010
www.securelist.com

More Related Content

PDF
Hacking 10 2010
DOC
14 cyber threats
PPTX
APT 28 :Cyber Espionage and the Russian Government?
PPTX
Blogging today
PDF
Threat report h1_2013
PDF
Threats of Computer System and its Prevention
PPT
Ia 124 1621324160 ia_124_lecture_02
PDF
Artificial Intelligence powered malware - A Smart virus
Hacking 10 2010
14 cyber threats
APT 28 :Cyber Espionage and the Russian Government?
Blogging today
Threat report h1_2013
Threats of Computer System and its Prevention
Ia 124 1621324160 ia_124_lecture_02
Artificial Intelligence powered malware - A Smart virus

What's hot (20)

PDF
Facebook
PPTX
Introduction to Hacking
PPSX
Hacker !
PDF
IRJET - Detecting Spiteful Accounts in Social Network
PDF
Android malware
PDF
Android malware
PPTX
Social engineering
PPTX
Cyber Security Seminar Day 2
PPTX
Cyber attack
PPTX
Hackers 22
PDF
Top Positive and Negative Impacts of AI & ML on Cybersecurity
PDF
Social engineering
PPSX
Hacker !
PDF
Developer’s silence raises concern about surespot encrypted messenger
DOCX
trojon horse Seminar report
PPTX
Data security concepts chapter 2
PDF
Survey on Computer Worms
PDF
Commercial Cyber Crime - Social Networks Malware
DOCX
Developer’s silence raises concern about surespot encrypted messenger
Facebook
Introduction to Hacking
Hacker !
IRJET - Detecting Spiteful Accounts in Social Network
Android malware
Android malware
Social engineering
Cyber Security Seminar Day 2
Cyber attack
Hackers 22
Top Positive and Negative Impacts of AI & ML on Cybersecurity
Social engineering
Hacker !
Developer’s silence raises concern about surespot encrypted messenger
trojon horse Seminar report
Data security concepts chapter 2
Survey on Computer Worms
Commercial Cyber Crime - Social Networks Malware
Developer’s silence raises concern about surespot encrypted messenger
Ad

Similar to Secureview 4 - 2010 (20)

DOCX
THE INTERNET OF THINGS PRIVACY AND SECURITYA Master ThesisSub.docx
PDF
Security News bytes October 2013
PDF
Meet the potnet - AboutAndroid | Malware Analysis Report
PDF
Cyber Malware Programs And The Internet
PDF
PDF
One of the most destructive botnets can now spread to nearby Wi-Fi networks
PDF
Insight Brief: Security Analytics to Identify the 12 Indicators of Compromise
PDF
Spyware
PDF
Honeypots for Network Security
PPTX
Information-Security-Lecture-6.pptx
PDF
Sophos security-threat-report-2014-na
PDF
10940 img sytr12_mobile_malware
PDF
Secureview 2q 2011
PDF
Pocket virus threat
PDF
Client Honeypot Based Drive by Download Exploit Detection and their Categoriz...
DOCX
HinDroid
PPTX
FNC Corporate Protect
PPTX
03.fnc corporate protect workshop new
PDF
X-ware: a proof of concept malware utilizing artificial intelligence
PDF
File000145
THE INTERNET OF THINGS PRIVACY AND SECURITYA Master ThesisSub.docx
Security News bytes October 2013
Meet the potnet - AboutAndroid | Malware Analysis Report
Cyber Malware Programs And The Internet
One of the most destructive botnets can now spread to nearby Wi-Fi networks
Insight Brief: Security Analytics to Identify the 12 Indicators of Compromise
Spyware
Honeypots for Network Security
Information-Security-Lecture-6.pptx
Sophos security-threat-report-2014-na
10940 img sytr12_mobile_malware
Secureview 2q 2011
Pocket virus threat
Client Honeypot Based Drive by Download Exploit Detection and their Categoriz...
HinDroid
FNC Corporate Protect
03.fnc corporate protect workshop new
X-ware: a proof of concept malware utilizing artificial intelligence
File000145
Ad

More from Felipe Prado (20)

PDF
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
PDF
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
PDF
DEF CON 24 - Tamas Szakaly - help i got ants
PDF
DEF CON 24 - Ladar Levison - compelled decryption
PDF
DEF CON 24 - Clarence Chio - machine duping 101
PDF
DEF CON 24 - Chris Rock - how to overthrow a government
PDF
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
PDF
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
PDF
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
PDF
DEF CON 24 - Gorenc Sands - hacker machine interface
PDF
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
PDF
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
PDF
DEF CON 24 - Rich Mogull - pragmatic cloud security
PDF
DEF CON 24 - Grant Bugher - Bypassing captive portals
PDF
DEF CON 24 - Patrick Wardle - 99 problems little snitch
PDF
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
PDF
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
PDF
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
PDF
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
PDF
DEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Antonio Joseph - fuzzing android devices

Recently uploaded (20)

PDF
1 - Historical Antecedents, Social Consideration.pdf
PDF
Hybrid horned lizard optimization algorithm-aquila optimizer for DC motor
PDF
sustainability-14-14877-v2.pddhzftheheeeee
PDF
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
PPTX
Final SEM Unit 1 for mit wpu at pune .pptx
PDF
Assigned Numbers - 2025 - Bluetooth® Document
PPTX
Chapter 5: Probability Theory and Statistics
PDF
CloudStack 4.21: First Look Webinar slides
PDF
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
PPT
What is a Computer? Input Devices /output devices
PDF
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
PPT
Module 1.ppt Iot fundamentals and Architecture
PDF
DP Operators-handbook-extract for the Mautical Institute
PDF
A contest of sentiment analysis: k-nearest neighbor versus neural network
PDF
TrustArc Webinar - Click, Consent, Trust: Winning the Privacy Game
PDF
Unlock new opportunities with location data.pdf
PDF
STKI Israel Market Study 2025 version august
DOCX
search engine optimization ppt fir known well about this
PPTX
Benefits of Physical activity for teenagers.pptx
PDF
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
1 - Historical Antecedents, Social Consideration.pdf
Hybrid horned lizard optimization algorithm-aquila optimizer for DC motor
sustainability-14-14877-v2.pddhzftheheeeee
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
Final SEM Unit 1 for mit wpu at pune .pptx
Assigned Numbers - 2025 - Bluetooth® Document
Chapter 5: Probability Theory and Statistics
CloudStack 4.21: First Look Webinar slides
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
What is a Computer? Input Devices /output devices
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
Module 1.ppt Iot fundamentals and Architecture
DP Operators-handbook-extract for the Mautical Institute
A contest of sentiment analysis: k-nearest neighbor versus neural network
TrustArc Webinar - Click, Consent, Trust: Winning the Privacy Game
Unlock new opportunities with location data.pdf
STKI Israel Market Study 2025 version august
search engine optimization ppt fir known well about this
Benefits of Physical activity for teenagers.pptx
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf

Secureview 4 - 2010

  • 1. 4th quarter 2010 WEAK LINKS: Changes in the methods and targets of the cybercriminals’ attacks DESPERATE JAILBREAKERS Is it actually safe to jailbreak an iPhone? THE ENEMY AT THE GATE Rogue AVs are rapidly becoming one of the biggest threats to users ARTIFICIAL INTELLIGENCE IN THE REALM OF IT SECURITY Autonomous systems that treat infections THE EXPERT COMMENT BUSINESSES UNDER ATTACK How to protect your company from cybercriminals
  • 3. Contents News Breakthroughs and trends in the IT security industry 4-9 Report Black Hat USA 2010: News and trends from Black Hat USA 2010 10-11 Top Story Businesses under attack: Everything you should know about corporate threats 12-17 Analytics Desperate Jailbreakers: Recent smartphone security issues 18-21 The enemy at the gate: Rogue antivirus programs on the rise 22-25 Technology Artificial Intelligence in the realm of IT security: Cyber Helper – an autonomous system that treats infections 26-29 Under control: Analyzing application activities 30-31 Forecasts Weak links: Changes in the methods and targets of the cybercriminals’ attacks 32-33 Interview Keeping pace with viruses: Current malware sample processing techniques with Nikita Shvetsov 34 A word from the Editor Dear Readers, I am sure that the majority of you reading this work for a company of one sort or another. Ten to one your company has its own Internet site, communicates with its clients and partners over email, and possibly even uses Instant Messaging too. Often, many of you will take some work home with you, burning the midnight oil on yet another important document. Just the thought of working without a computer and the Internet, or not being able to complete an urgent job at home when you need to, would seem utterly strange for a lot of people these days. So where is this all leading you may ask? Well, working in an office, you can’t have failed to notice that there is a security solution installed on your computer. A similar solution should be installed on your company’s servers where their office is located. If that it is not the case, then it is very unfortunate indeed, but let’s put that dismal scenario aside for now and move on. Antivirus, or more complex security package installed by your company’s systems administrators are designed to protect your computer from attack by criminals, but…are you sure that your company has a complex security policy in place? 
If the system administrator does not regularly install updates for the operating systems and any third-party software installed on the users’ computers, there can be no guarantee that a determined cybercriminal won’t find an unpatched vulnerability in the system and use it to their advantage. Are you sure that your smartphone, which you rely on for daily business communications, or the notebook that you or your boss are working on at home or in the office are protected from such a banal thing as loss? After all, if the notebook that you lost or had stolen at the airport ended up in the hands of specialist crooks, all of your confidential information would be right there in front of them. At least, that would be the case if your device didn’t happen to have a suitable encryption solution installed and a complex login and password security program. However, let’s not get ahead of ourselves for the moment. Just read this issue’s Top Story and consider carefully whether you have closed all of the loopholes through which a cybercriminal might attack your company, and while we are talking about threats, do you and your colleagues know enough about rogue antivirus programs and how they can penetrate your computer? See you next issue! Alexander Ivanyuk Editor-in-Chief Alexander Ivanyuk SECUREVIEW SECUREVIEW Magazine 4TH Quarter 2010 Editor-in-Chief: Alexander Ivanyuk Editor: Darya Skilyazhneva Design: Svetlana Shatalova, Roman Mironov Production Assistants: Rano Kravchenko Editorial matters: editorial@secureviewmag.com http:// www.secureviewmag.com © 1997 - 2010 Kaspersky Lab ZAO. All Rights Reserved. Industry-leading Antivirus Software The opinion of the Editor may not necessarily agree with that of the author. SECUREVIEW Magazine can be freely distributed in the form of the original, unmodified PDF document. Distribution of any modified versions of SECUREVIEW Magazine content is strictly prohibited without explicit permission from the editor. 
Reprinting is prohibited unless with the consent of the editorial staff.
News

Vulnerabilities

Deanonymizing anonymizers

Research by INRIA (the French National Institute for Research into Computer Science and Control) has shown that there are serious vulnerabilities in the BitTorrent peer-to-peer protocol. The vulnerabilities allow BitTorrent users to be spied on: an attacker might be able to deanonymize a user even behind an anonymizing network such as Tor. Tor operates on the basis of the construction of chains of proxies, as well as multilayered traffic encryption. The researchers propose three methods of attack to deanonymize BitTorrent users on Tor.

The first method of attack consists of inspecting the payload of some of the BitTorrent control messages and searching for the public IP address of the user. In particular, the announcement messages that a client sends to the tracker in order to collect a list of peers distributing content, and the extended handshake messages sent by some clients immediately after the application handshake, occasionally contain the public IP address of the user.

The second method of attack consists of rewriting the list of peers returned by the tracker in order to include the IP address of a controlled peer. As the user will then connect directly to the peer controlled by the attacker, the latter can deanonymize the user by inspecting the IP header. While this hijacking attack is accurate, it only works when the user relies on Tor alone to connect to the tracker.

The third and final method of attack consists of exploiting the DHT (Distributed Hash Table) to search for the public IP address of a user. Whereas Tor does not support UDP, BitTorrent’s DHT uses UDP for transport, and when a BitTorrent client fails to contact the DHT using its Tor interface, it reverts to its public interface, hence publishing its public IP address in the DHT. As the content identifier and the port number of a client transit through the exit node, and port numbers are uniformly distributed, an attacker can use this information to identify a BitTorrent user in the DHT. This DHT attack is very accurate and works even when the peer uses Tor to connect to other peers.

Using the hijacking and DHT attacks, the researchers deanonymized and profiled close to 9,000 public IP addresses of BitTorrent users on Tor. In particular, they exploited the multiplexing of streams from different applications into the same circuit to profile the web browsing habits of the BitTorrent users on Tor.

Source: http://arxiv.org/PS_cache/arxiv/pdf/1004/1004.1267v1.pdf

Encryption

Random numbers certified by Bell’s theorem

Researchers have devised a new kind of random number generator for encrypted communications and other uses that is cryptographically secure, inherently private and certified random by the laws of physics. Although the events around us can seem arbitrary, none of them is genuinely random in the sense that they could not be predicted given sufficient knowledge. Indeed, true randomness is almost impossible to come by. That situation is a source of persistent concern to cryptographers who need to encrypt valuable data and messages employing a long string of random numbers that form a key to encode and decode the message. For practical purposes, encoders typically employ various mathematical algorithms called “pseudo-random number generators” to approximate the ideal. However, they can never be completely certain that the system is invulnerable to adversaries or that a seemingly random sequence is not, in fact, predictable in some manner. Now though, Stefano Pironio and Serge Massar from the Université Libre de Bruxelles (ULB), in partnership with European and American quantum information scientists, have demonstrated a method for producing a certifiably random string of numbers based on the principles of quantum physics.

Their solution relies on a discovery made by physicist John Bell in 1964: two objects can be in an exotic condition called “entanglement” in which their states become so utterly interdependent that if a measurement is performed to determine a property of one, the corresponding property of the other is instantly determined as well, even if the two objects are separated by large distances. Bell showed mathematically that if the objects were not entangled, their correlations would have to be smaller than a certain value, expressed as an “inequality.” If they were entangled, however, the correlation rate could be higher, “violating” the inequality. “The important point is that the violation of a Bell inequality is possible only if we are measuring genuine quantum systems”, says Pironio. “Therefore if we verify a Bell inequality violation between isolated systems, we can be sure that our device has produced true randomness independently of any experimental imperfection or technical detail. But to build something concrete out of this initial intuition, we had to quantify how much randomness is actually produced and whether it is secure in a cryptographic setting.”

Source: www.physorg.com/pdf190468321.pdf
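To make the inequality concrete, here is an added Python example (my code, not the researchers’) that brute-forces the local bound of the CHSH form of Bell’s inequality, evaluates the quantum singlet correlations at the angles that maximise the violation, and applies the per-pair min-entropy bound f(I) = 1 - log2(1 + sqrt(2 - I²/4)) that Pironio et al. derive for an observed CHSH value I. The CHSH expression, the singlet correlation E(a, b) = -cos(theta_a - theta_b) and the angles are textbook values; the entropy formula is taken from the paper this item reports on, not from this page.

```python
import itertools
import math

# CHSH form of Bell's inequality. Alice picks setting a in {0, 1}, Bob picks
# b in {0, 1}; each measurement yields +1 or -1. With E(a, b) the correlation
# (expected product of the two outcomes) for a pair of settings,
#     S = E(0,0) + E(0,1) + E(1,0) - E(1,1)
# Any local model (no entanglement) satisfies |S| <= 2; quantum mechanics
# allows |S| up to 2*sqrt(2).


def chsh_value(correlator):
    """correlator(a, b) -> E(a, b) in [-1, 1]; returns the CHSH combination S."""
    return correlator(0, 0) + correlator(0, 1) + correlator(1, 0) - correlator(1, 1)


def max_local_chsh():
    """Brute-force the local bound.

    A deterministic local strategy fixes Alice's outcome for each of her two
    settings and Bob's outcome for each of his, independently of the other
    side. Probabilistic mixtures of such strategies cannot beat the best
    deterministic one, so the maximum over these 16 assignments is the bound.
    """
    best = 0
    for alice in itertools.product((-1, 1), repeat=2):      # outcomes for a = 0, 1
        for bob in itertools.product((-1, 1), repeat=2):    # outcomes for b = 0, 1
            s = chsh_value(lambda a, b: alice[a] * bob[b])
            best = max(best, abs(s))
    return best


def singlet_correlator(alice_angles, bob_angles):
    """Quantum prediction for two spin-1/2 particles in the singlet state:
    E(a, b) = -cos(theta_a - theta_b) for measurement angles theta (radians)."""
    return lambda a, b: -math.cos(alice_angles[a] - bob_angles[b])


def quantum_chsh():
    """|S| for the singlet at the angles that maximise the violation:
    Alice measures at 0 and pi/2, Bob at pi/4 and -pi/4."""
    corr = singlet_correlator((0.0, math.pi / 2), (math.pi / 4, -math.pi / 4))
    return abs(chsh_value(corr))


def violates_bell(s, tolerance=1e-9):
    """True when the observed |S| exceeds what any local model can produce."""
    return abs(s) > max_local_chsh() + tolerance


def min_entropy_per_pair(s):
    """Lower bound on the min-entropy (bits) certified per measured pair as a
    function of the observed CHSH value I = |S| (bound from Pironio et al.,
    2010, not from this page):
        f(I) = 1 - log2(1 + sqrt(2 - I^2 / 4)).
    Gives 0 bits at the local bound I = 2 and 1 bit at I = 2*sqrt(2)."""
    i = abs(s)
    if i <= 2:
        return 0.0
    # max(...) guards against a tiny negative from floating-point error at 2*sqrt(2)
    return 1 - math.log2(1 + math.sqrt(max(0.0, 2 - i * i / 4)))


if __name__ == "__main__":
    local = max_local_chsh()
    quantum = quantum_chsh()
    print(f"local bound |S| = {local}, singlet |S| = {quantum:.4f}")
    print(f"violation: {violates_bell(quantum)}, certified randomness: "
          f"{min_entropy_per_pair(quantum):.3f} bits per pair")
```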
Cryptography

Laser key

Dr. Jacob Scheuer from Tel Aviv University has developed a unique optical system for secret cryptographic key distribution. The researcher claimed that his system is potentially uncrackable. Transmitting binary lock-and-key information in the form of light pulses, his device ensures that a shared key code can be unlocked by the sender and receiver and absolutely nobody else. Dr. Scheuer has found a way to secure the transmitted ones and zeros using light and lasers. “The trick,” says Dr. Scheuer, “is for those at either end of the fiber optic link to send different laser signals they can distinguish between, but which look identical to an eavesdropper.” “Rather than developing the lock or the key, we’ve developed a system which acts as a type of key bearer,” the researcher explains.

Source: http://www.sciencedaily.com/releases/2010/03/100323121834.htm

Antivirus Testing | The experts comment

The Rise of the Rogue AV Testers

Recently, I was sitting around with a number of colleagues from Kaspersky Lab, discussing everybody’s favorite subject: the state of AV testing these days. During the chat, somebody brought up the name of a new, obscure testing organization in the Far East. Nobody else had ever heard of them and so my colleague, Aleks Gostev, jokingly called them a “rogue Andreas Marx”. It then occurred to us that some of these new testing labs that have recently appeared mimic the tactics of Rogue AV products. What exactly do I mean? Well, as we know the rogue AV business model is based on selling a false sense of security; we professionals know it is fake, but the victims don’t. People buy a Rogue AV program hoping that it will solve their security problems, but at best the products do nothing and at worst, they install additional malware. Rogue AV testers are somehow similar in behavior. In their case, the business model is no longer based on a false sense of security, but instead, on a false sense of insecurity. So, how do they operate?

Well, it seems to start with a number of tests which look legitimate and mimic real world conditions. Then, the tests slowly become more ‘complicated’ and security products do worse and worse. Sometimes, the product that did best in the previous test suddenly becomes the worst in the group. In other cases, all products fail miserably. Finally, the main idea emerges: that all security products are bad and utterly useless. Hence, the false sense of insecurity is promoted through the tests: you are insecure, your money was misspent – beware! Going further, the rogue AV testers use various techniques such as not disclosing product names in published test results and attempting to sell these results for serious amounts of money. Here are some of the characteristics we identified as being specific to rogue AV testers and can help you to spot them:

1. They are not affiliated with any serious testing organization, such as AMTSO. Sometimes, the Rogue AV testers could also show fake affiliations or even falsely display (say) the AMTSO logo on their website, in order to remove suspicion and doubt.
2. They publish free public reports, but charge money for the ‘full’ reports. In general, the public reports should look as bad as possible for all the tested products, to maximize the profits from selling the full reports.
3. The public reports are full of charts that look complicated and intelligent, but sometimes reveal amusing mistakes.
4. They claim all AV (or security) products are useless. This is the foundation stone of any business based on the ‘false sense of insecurity’.
5. They charge for samples and methodologies, usually very large sums of money, to make sure the flawed methodology and samples cannot be reviewed externally. Reputable testers will make samples and methodologies freely available to the developers of the products that they test, and instead, charge for the rights to publish the results in magazines or for the permission to use the results in marketing materials. Charging money for samples is a clear indication that something wrong is going on.

There are other characteristics, but I think everybody has got the point by now. Just like the explosion in Rogue AV products, making them one of the most profitable crimeware categories, I suspect Rogue AV testers will follow and in the process, they will also become an extremely profitable category. Of course, the worst thing is that they will provide a strong, negative value to the entire IT security industry. So, if you are trying to compare security solutions, I recommend sticking to established testing organizations such as Virus Bulletin, AV-TEST.ORG and AV-COMPARATIVES or reputable magazines with a good history behind them. If in doubt, ask for AMTSO affiliations and finally, do not forget about the list of hints that can help you to spot Rogue AV testing behavior. Do not become a victim of the Rogue AV testers!

Costin Raiu is the Director of Kaspersky Lab’s Global Research and Analysis Team
Social Networks

Fundamental privacy limits of recommendations

A group of researchers have demonstrated the fundamental limits of privacy in social networks with personalized recommendations. The recommendations cannot be made without disclosing sensitive links between users. Facebook recommends new contacts based on the pattern of connections between existing users, whilst Amazon recommends books and other products based on purchase histories and Netflix recommends movies based on historical ratings. To be sure, these sites produce helpful results for users that in turn can dramatically increase sales for the merchant, but they can also compromise privacy. For example, a social network recommendation might reveal that one person has been in email contact with another, or that an individual has bought a certain product or watched a specific film. It may even be a breach of privacy to discover that your friend doesn’t trust your judgment in books. Today, researchers say that privacy breaches are inevitable when networks are exploited in this way. In fact, they’ve worked out a fundamental limit to the level of privacy that is possible when social networks are mined for recommendations.

The scientists’ approach is to consider a general graph consisting of various nodes and the links between them. This may be a network in which the nodes are books, say, and a link between two nodes represents the purchase of one book by the owner of another. The team considers all these links to be private information. Then the researchers consider an attacker who wants to work out the existence of a link in the graph from a particular recommendation. So given the knowledge that people who bought book X also bought book Y, is it possible to determine a purchase decision made by a specific individual? To answer this, the scientists define the privacy differential as the ratio of the likelihoods that the website makes such a recommendation with the private purchase decision in question and without it. The question they then ask is to what extent recommendations can be made while preserving this privacy differential. It turns out that there is a tradeoff between the accuracy of the recommendation and the privacy of the network. So a loss of privacy is inevitable for a good recommendation engine.

Image caption: Amazon recommends books and other products based on purchase histories

Source: http://www.technologyreview.com/blog/arxiv/25146/

Online Services Threats

Hijacking Google services

An international research team has demonstrated the possibility of hijacking Google services and reconstructing users’ search histories. Firstly, with the exception of a few services that can only be accessed over HTTPS (e.g. Gmail), the researchers found that many Google services are still vulnerable to simple session hijacking. Next they presented the Historiographer, a novel attack that reconstructs the web search histories of Google users, i.e. Google’s Web History, even though such a service is supposedly protected from session hijacking by a stricter access control policy. The Historiographer implements a reconstruction technique that rebuilds the search history based on inferences drawn from the personalized suggestions returned by the Google search engine. The attack is based on the fact that Google’s users receive personalized suggestions for their search queries based on previously searched keywords. The researchers showed that almost one third of monitored users were signed in to their Google accounts, and of those, half had their Web History enabled, thus leaving themselves vulnerable to this type of attack. The attacks demonstrated are general and highlight concerns about the privacy of mixed architectures using both secure and insecure connections.

The research data was sent to Google and the company decided to temporarily suspend search suggestions from Search History, in addition to offering Google Web History pages over HTTPS only.

Source: http://arxiv.org/PS_cache/arxiv/pdf/1003/1003.3242v3.pdf
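The privacy differential from the recommendations item above, worked through as an added Python example (my code, not the researchers’): a constructed purchase graph, a randomized “buyers of X also bought…” recommender with a privacy parameter epsilon, and the likelihood ratio of one recommendation with and without a single private purchase link. The graph, the exponential-mechanism weighting exp(epsilon * count / 2) and the accuracy measure are my assumptions, not taken from the paper.

```python
import math
from collections import Counter

# Constructed purchase graph (my sample data, not from the paper): user -> set
# of books bought. Each (user, book) pair is one private link in the graph.
PURCHASES = {
    "u1": {"X", "Y"},
    "u2": {"X", "Y"},
    "u3": {"X", "Y"},
    "u4": {"X", "Z"},
    "u5": {"X", "W"},
    "u6": {"Y"},
}


def all_items(purchases):
    return sorted({book for books in purchases.values() for book in books})


def co_purchase_counts(purchases, item):
    """How many users bought `item` together with each other book."""
    counts = Counter()
    for books in purchases.values():
        if item in books:
            for other in books - {item}:
                counts[other] += 1
    return counts


def recommendation_distribution(purchases, item, epsilon, candidates=None):
    """Probability of recommending each candidate book to a buyer of `item`.

    Exponential mechanism (my choice of recommender): P(c) is proportional to
    exp(epsilon * count(item, c) / 2). Adding or removing one purchase link
    changes any single count by at most 1, which is what bounds the ratio
    computed in privacy_differential(). epsilon -> infinity recovers a plain
    "people who bought X also bought Y"; epsilon = 0 recommends uniformly.
    """
    counts = co_purchase_counts(purchases, item)
    if candidates is None:
        candidates = [c for c in all_items(purchases) if c != item]
    weights = {c: math.exp(epsilon * counts[c] / 2) for c in candidates}
    total = sum(weights.values())
    return {c: w / total for c, w in weights.items()}


def without_link(purchases, user, book):
    """Copy of the graph with one private purchase link removed."""
    copy = {u: set(books) for u, books in purchases.items()}
    copy[user].discard(book)
    return copy


def privacy_differential(purchases, user, book, query_item, recommended, epsilon):
    """Ratio of the likelihood that `recommended` is suggested to a buyer of
    `query_item` with the private link (user, book) present versus absent.
    Candidates are fixed from the original graph so that removing a user's
    only purchase of a book does not change the candidate set."""
    candidates = [c for c in all_items(purchases) if c != query_item]
    with_link = recommendation_distribution(purchases, query_item, epsilon, candidates)
    no_link = recommendation_distribution(
        without_link(purchases, user, book), query_item, epsilon, candidates)
    return with_link[recommended] / no_link[recommended]


def accuracy(purchases, query_item, epsilon):
    """Probability that the most co-purchased book is the one recommended."""
    counts = co_purchase_counts(purchases, query_item)
    dist = recommendation_distribution(purchases, query_item, epsilon)
    best = max(dist, key=lambda c: counts[c])
    return dist[best]


if __name__ == "__main__":
    # u1's purchase of Y is the private link an attacker would like to infer
    # from the recommendation "buyers of X also bought Y".
    for eps in (0.1, 1.0, 4.0):
        ratio = privacy_differential(PURCHASES, "u1", "Y", "X", "Y", eps)
        print(f"epsilon={eps:<4} accuracy={accuracy(PURCHASES, 'X', eps):.3f} "
              f"privacy differential={ratio:.3f} (bound e^eps={math.exp(eps):.3f})")
```

Lowering epsilon pushes the differential towards 1 (the link becomes invisible) while the accuracy falls towards the uniform 1/3, which is the tradeoff the item describes.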
Visualizing the malicious web

Researcher Stephan Chenette has released a Firefox plug-in called FireShark designed to build visual diagrams of criminal connections as well as schemes for the malicious distribution of code. The plug-in allows the capturing of web traffic from a browser, the logging of events and the downloading of content to disk for post-processing analysis. The software has the potential to become a very powerful forensics and antimalware tool. The plugin can be downloaded free of charge from the author’s site.

Image caption: For example, FireShark makes it easy to see compromised legitimate sites redirecting users to malicious domains

Source: http://www.fireshark.org/

Encryption

Record in quantum key bit rate

Toshiba Research Europe’s Cambridge lab has announced an important breakthrough in quantum encryption. The researchers have succeeded in demonstrating the continuous operation of quantum key distribution with a secure bit rate exceeding 1 megabit per second over 50 km of fiber for the first time. Averaged over a 24 hour period, this is 100–1000 times higher than anything reported previously for a 50 km link. It was achieved using two innovations: a novel light detector for high bit rates and a feedback system which maintains a high bit rate at all times and requires no manual set-up or adjustment. Significantly, the breakthrough will enable the everyday use of “one-time pad” encryption, a method that is, in theory, perfectly secret. Although ultra-secure, the application of one-time pad encryption has been restricted in the past as it requires the transmission of very long secret keys – the same length as the data itself. For this reason it has only been used for short messages in situations requiring very high security, for example by the military and security services. The achieved bit rate breakthrough will extend the application of this ultra-secure communication method for everyday use.

Source: http://www.toshiba-europe.com/research/crl/qig/Press2010-04-19-qcbreakthrough.html

Quantum Computations

Uncounterfeitable currency

A new scheme for making quantum money could lead to cash that cannot be counterfeited. Just like ordinary cash, quantum cash would be exchanged in lieu of goods. It would be sent and received over the Internet without the need to involve third parties such as banks and credit card companies. That would make transactions anonymous and difficult to trace, unlike today’s online transactions which always leave an electronic paper trail. That’s one big advantage over today’s money. Another is that quantum states cannot be copied, so quantum cash cannot be forged. But quantum cash must have another property: anybody needs to be able to check that the money is authentic. That turns out to be hard because the measurement of quantum states tends to destroy them. It’s like testing regular dollar bills by seeing whether they burn. But there is a way around this based on the ideas behind public-key encryption. The idea here is to find a mathematical process that is easy to do in one direction but hard in the opposite direction. Multiplication is the famous example. It’s easy to multiply two numbers together to get a third but hard to start with the third number and work out which two factors created it. The question for quantum money gurus is whether a similarly asymmetric process will provide similar security assurances for quantum cash. A research group led by Edward Farhi has developed secure quantum cash based on a new kind of asymmetry. The scientists took their inspiration from knot theory, a branch of topology that deals with knots and links. The purported security of the proposed quantum money scheme is based on the assumption that given two different looking but equivalent knots, it is difficult to explicitly find a transformation that turns one into the other.

Source: http://www.technologyreview.com/blog/arxiv/25135/
Wireless Security

Securing RFID

Egyptian researchers have proposed a mutual authentication protocol that prevents attacks on low-cost RFID tags. RFID systems are vulnerable to a broad range of malicious attacks ranging from passive eavesdropping to active interference. Unlike in wired networks, where computing systems typically have both centralized and host-based defenses such as firewalls, attacks against RFID networks can target decentralized parts of the system infrastructure, since RFID readers and RFID tags operate in an inherently unstable and potentially noisy environment. RFID tags may pose a considerable security and privacy risk to the organizations and individuals using them. Since a typical tag provides its ID to any reader and the returned ID is always the same, an attacker can easily hack the system by reading a tag’s data and duplicating it in the form of bogus tags. Unprotected tags may be vulnerable to eavesdropping, location-privacy, spoofing or denial-of-service attacks. Low-cost RFID tags like Electronic Product Codes (EPC) are poised to become the most pervasive devices in history. There are already billions of RFID tags on the market being used for applications like supply-chain management, inventory monitoring, access control and payment systems. When designing a really lightweight authentication protocol for low-cost RFID tags, a number of challenges arise due to the extremely limited computational, storage and communication abilities of such devices. The scientists have proposed modifications to the Gossamer mutual authentication protocol used by the tags. The proposed protocol prevents passive attacks, as active attacks are discounted when designing a protocol to meet the RFID tags’ requirements. The analysis of the protocol shows that the added modifications increase the security level of Gossamer and prevent eavesdropping on public messages between reader and tag. However, the modifications do not affect the computational, storage or communication cost of Gossamer.

Source: http://airccse.org/journal/nsa/0410ijnsa3.pdf

What web programming language is the most secure?

Security-conscious organizations evaluate a large number of developmental technologies for building websites. The question often asked is, “What is the most secure programming language or development framework available?” WhiteHat Security has issued a report which highlights the answer. The report’s Top-10 key findings are:

• Empirically, programming languages/frameworks do not have similar security postures when deployed in the field. They are shown to have moderately different vulnerabilities, with different frequencies of occurrence, which are fixed in different amounts of time.
• The size of a web application’s attack surface alone does not necessarily correlate to the volume and type of issues identified. For example, Microsoft’s .NET and Apache Struts, with near-average attack surfaces, turned in the two lowest historical vulnerability averages.
• Perl had the highest average number of vulnerabilities found historically by a wide margin, at 44.8 per website, and also the largest number currently at 11.8.
• Struts edged out Microsoft’s .NET for the lowest average number of currently open vulnerabilities per website at 5.5 versus 6.2.
• Cold Fusion had the second highest average number of vulnerabilities per website historically at 34.4, but has the lowest likelihood of having a single serious unresolved vulnerability if currently managed under WhiteHat Sentinel (54%). Closely following was Microsoft ASP Classic, which at 57% beat its successor Microsoft .NET by a single point.
• Perl, Cold Fusion, JSP, and PHP websites were the most likely to have at least one serious vulnerability, at roughly 80% of the time. The other languages/frameworks were only within ten percentage points.
• Among websites containing URLs with Microsoft’s .NET extensions, 36% of their vulnerabilities had Microsoft ASP Classic extensions. Conversely, 11% of the vulnerabilities on ASP websites had Microsoft’s .NET extensions.
• 37% of Cold Fusion websites had SQL Injection vulnerabilities, the highest of all measured, while Struts and JSP had the lowest with 14% and 15%.
• At an average of 44 days, SQL Injection vulnerabilities were fixed the fastest on Microsoft ASP Classic websites, just ahead of Perl (PL) at 45 days.
• 79% of “Urgent” Severity SQL Injection vulnerabilities were fixed on Struts websites, the most of the field. This is followed by Microsoft’s .NET at 71%, Perl at 71% and the remainder between 58% and 70%.

The report is based on data from 1,659 websites.

Source: http://www.whitehatsec.com/home/resource/stats.html
Security Threats

Protecting hypervisors

One of the major threats to virtualization and cloud computing is malicious software that enables computer viruses or other malware that have compromised one customer’s system to spread to the underlying hypervisor, and ultimately, to the systems of other customers. In short, a key concern is that one cloud computing customer could download a virus – such as one that steals user data – and then spread that virus to the systems of all the other customers. “If this sort of attack is feasible, it undermines consumer confidence in cloud computing since consumers couldn’t trust that their information would remain confidential,” said Xuxian Jiang, Assistant Professor of Computer Science at North Carolina State University. For instance, in Blue Pill attacks, as demonstrated by Polish security researcher Joanna Rutkowska, a rootkit bypasses the digital signature protection for kernel mode drivers and intercepts the operating system calls. But Jiang and his Ph.D. student Zhi Wang have now developed a piece of software called HyperSafe that leverages existing hardware features to secure hypervisors against such attacks. “We can guarantee the integrity of the underlying hypervisor by protecting it from being compromised by any malware downloaded by an individual user,” Jiang says. “By doing so, we can ensure the hypervisor’s isolation.” For malware to affect a hypervisor, it typically needs to run its own code in the hypervisor. HyperSafe utilizes two components to prevent that from happening. First, the HyperSafe program “has a technique called ‘non-bypassable memory lockdown’, which explicitly and reliably bars the introduction of new code by anyone other than the hypervisor administrator,” Jiang says. “This also prevents attempts to modify existing hypervisor code by external users.” Secondly, HyperSafe uses a technique called ‘restricted pointer indexing’. This technique “initially characterizes the hypervisor’s normal behavior and then prevents any deviation from that profile,” Jiang says. “Only the hypervisor administrators themselves can introduce changes to the hypervisor code.”

Source: http://www.scientificcomputing.com/news-HPC-New-Security-for-Virtualization-Cloud-Computing-050310.aspx

Cyber Security

Investigating global cyber espionage

An international team of researchers has published a report about global cyber espionage systems titled “Shadows in the Cloud”. The report contains the results of their investigations into a complex cyber espionage ecosystem that, as the authors say, “Systematically compromised government, business, academic and other computer network systems in India, the offices of the Dalai Lama, the United Nations and several other countries”. The report also contains an analysis of data stolen from politically sensitive targets and recovered during the course of the investigation. The report analyzes the malware ecosystem employed by the Shadows’ attackers, which leveraged multiple redundant cloud computing systems, social networking platforms and free web hosting services. The following is a summary of the report’s main findings:

• The cyber espionage network is complex
• The theft of classified and sensitive documents is rife
• There is evidence of collateral compromise
• The command-and-control infrastructure leverages cloud-based social media services
• There are links to the Chinese hacking community

Image caption: Concentrations of non-unique IP addresses of compromised hosts (from the report “Shadows in the Cloud”)

Source: http://Shadows-in-the-Cloud.net

Technology

Better remote entrusting

Researchers are proposing a paradigm-shifting solution to trusted computing that offers better security and authentication. The European RE-TRUST project (http://re-trust.dit.unitn.it/) promotes a technology that ensures remote, real-time entrusting on an untrusted machine via the network. Remote entrusting provides continuous entrustment for the execution of a software component by a remote machine, even though the software component is running within an untrusted environment. The proposed technology provides both software-only and hardware-assisted remote entrusting. Whereas hardware-assisted entrusting requires a special chip either on the computer’s motherboard or inserted into a USB drive, RE-TRUST uses logical components on an untrusted machine to enable a remote entrusting component to authenticate – via the network – the untrusted machine’s operation during runtime. This means it ensures that the software is running properly and that the code integrity is maintained, thus almost completely guaranteeing security.

Image caption: Entrusting by remote software authentication during execution

Source: http://www.sciencedaily.com/releases/2010/04/100413131939.htm
Report | Black Hat USA 2010

Las Vegas – The Security Researchers’ Oasis

Article by Stefan Tanase

Stefan is a Senior Security Researcher for Kaspersky Lab. He specializes in web application security, web-based threats and malware 2.0. Stefan is involved in several innovative research projects, ranging from malware databases or honeypots, to web crawlers which continuously scan the Internet to identify and neutralize the latest threats. As a member of the Global Research and Analysis Team, Stefan publishes analyses of hot information security topics on threatpost.com and securelist.com, the Kaspersky Lab information and education portals on viruses, hackers and spam. Stefan is also frequently invited to speak at major international security conferences such as Virus Bulletin, RSA and AVAR.

Each year, the entire security industry waits for the Black Hat Briefings in the sweltering Las Vegas desert. This year was no different, with more than 6,000 people interested in security gathered from all over the world at Caesars Palace, Las Vegas, Nevada – the place where the conference is traditionally held. From private companies and government agencies through to security researchers, system administrators and law enforcement officers, everybody was there. “Security researchers from all over the world come to Black Hat to identify security threats and work collectively to create solutions. The Black Hat community is one of the greatest assets we have for defending the safety and security of the Internet,” said Jeff Moss, founder of Black Hat.

Image caption: Caesars Palace – the place to be for Black Hat

Black Hat is the place where IT and computer security happens. Now in its 13th year, the conference presents researchers’ latest findings in presentations spread over 11 conference tracks and two days. The two opening keynotes this year were delivered by Jane Holl Lute, the current Deputy Secretary of Homeland Security, and Michael Vincent Hayden, former Director of both the National Security Agency and the Central Intelligence Agency. This doesn’t come as a surprise, especially after Jeff Moss, the founder of the Black Hat and DEF CON conferences, was sworn in to the Homeland Security Advisory Council of the Barack Obama administration. This year’s event featured more than 200 speakers discussing their latest research around essential security topics ranging from infrastructure, reverse-engineering, malware, fingerprinting and exploitation, to the latest topics in IT technology - cloud/virtualization and cyber war and peace.

Jackpotting ATMs

One of the most highly anticipated talks at Black Hat USA 2010 was delivered by Barnaby Jack, Director of Research at IOActive Labs. Barnaby discussed two types of attacks against automated teller machines (ATMs) running Windows CE: the first one was a physical attack using a master key which can be purchased on the Internet and a USB stick to overwrite the machine’s firmware with a custom-built rootkit; the second one was a remote attack exploiting a vulnerability in the ATM’s remote administration authentication mechanism which allowed the attacker to remotely rewrite the firmware. The talk itself was eye-opening and disappointing at the same time. It was amazing to see the depth that Barnaby had achieved when reverse-engineering the ATMs and building a custom software tool called ‘Dillinger’ to overwrite the machine’s operating system, take complete control of the ATM and send commands which remotely instructed the ATM to start dispensing cash. Incidentally, ‘Dillinger’ is named after the famous bank robber. The disappointing part from an avid researcher’s point of view was that he only focused on Windows CE-based ATMs, an old operating system which is not widely used in other regions of the world. For instance, the two attacks that Barnaby demonstrated, the physical and the remote attack, would not be possible in most European countries, but it’s a whole different story in the United States. All in all, seeing such progress being made in ATM security research definitely makes you think twice about using ATMs, especially when traveling. In fact, with the amount of skimming going on anyway, why not avoid using ATMs altogether?
The Client-Side Boogaloo Nicholas Percoco and Jibran Ilyas, Members of Trustwave’s SpiderLabs team, presented Malware Freak Show 2010, a talk that extended their initial Malware Freak Show presentation delivered at DEFCON 17 in 2009. This year’s talk explored four of the most interesting new pieces of malware that were obtained during more than 200 investigations they conducted in 2009. An interesting fact which emerged as a result of combining intelligence from cases they were both involved in was that attackers spend an average of 156 days exploring a victim network before getting caught. This is an alarmingly high number which confirms how low the general level of security awareness and education is among businesses. The presentation included the anatomy of a successful malware attack, a profile on each sample and victim and a live demonstration of each piece of malware discussed: a memory rootkit, a Windows credentials stealer, a network sniffer rootkit and a targeted attack malware program that uploads documents to an FTP server. Tracking Cyber Spies and Digital Criminals Greg Hoglund, who literally wrote the book on Windows rootkits, presented some techniques to track down the origins of malware samples. Malware attribution, which is defined by Greg as “Finding the humans behind the malware,” aims to know more about the people who create malicious files. This type of information can be very useful during forensic investigations. His basic premise is that software is not easy to write and programmers adhere to the “if it ain’t broke, don’t fix it” principle. Once a programmer has written a piece of code which works, they are not going to rewrite it, but instead will most likely reuse it at every opportunity. Each cybercriminal or cybercrime group normally reuses the code that they create. To prove this, Greg performed a case study on a Chinese RAT (Remote Administration Tool) called ‘gh0st RAT’. 
He showed the audience how he discovered that malware samples from 2010 are still using code from 2005 – making it possible to link five-year-old samples together. These techniques are very developer-specific. In his conclusion, Greg called on the security community to understand that it is generally better to focus on identifying the authors behind the malware than on the malware itself.

Attacking Phone Privacy

Cryptography researcher Karsten Nohl presented vulnerabilities, tricks and ideas which he used to successfully crack A5/1, the encryption system used to protect GSM calls. One of the biggest breakthroughs that helped him with his research was the fact that some GSM packets, the keep-alive ones, are predictable within the stream of different packets. The fix for this vulnerability was released two years ago, but none of the GSM networks have implemented the patch yet, even though the patch is rather simple. It is much easier to intercept the part of the call that is coming from the tower to the mobile phone than the part going from the mobile phone to the tower. This is because mobile phones dynamically adjust the output power of their signal to save battery power and can be on the move in areas surrounded by buildings, while the towers transmit high-power signals, are stationary and are located in high places. So, the majority of GSM networks nowadays are quite unsafe. They are either using very insecure encryption or, in countries like China and India, none at all. A mitigation technique for this threat would be to switch your phone to UMTS-only mode, although not every phone supports this and 3G coverage is not available in remote areas.

Until Next Year

There were many other interesting presentations, as you can see from the Black Hat online archive: http://www.blackhat.com/html/bh-us-10/bh-us-10-archives.html
As usually happens when thousands of security researchers gather in the same place, there were several incidents that made this year’s Black Hat very memorable – for example, the live stream got hacked by a security researcher at Mozilla, who responsibly disclosed the vulnerabilities found to the third-party company which was providing the streaming service. This and other things make attending Black Hat a thrill and a challenge at the same time.

[Photo: Barnaby Jack shows how jackpotting works on vulnerable ATMs]
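The code-reuse attribution idea from Greg Hoglund’s talk above can be shown in a few lines of Python. This is an added example, not code from the talk or from any analysis tool: it measures how much two "samples" overlap at the byte level using Jaccard similarity over 4-byte n-grams, which is one simple way to notice that a 2010 build still carries a routine first seen in 2005. The samples, the reused routine and the 0.3 link threshold are all constructed for the demonstration; real attribution work compares disassembled function bodies rather than raw bytes, and every link it proposes still has to be confirmed by an analyst.

```python
"""Linking malware samples by reused code fragments (added example).

Illustrates the attribution premise from the talk: a routine a developer
wrote once and reused ties samples written years apart together. The
"compiled code" below is constructed pseudo-random bytes, not real malware.
"""
import random
from itertools import combinations


def byte_ngrams(data: bytes, n: int = 4) -> set:
    """All overlapping n-byte windows of data, as a set."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: set, b: set) -> float:
    """Jaccard similarity |a & b| / |a | b|; two empty sets count as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def similarity(sample_a: bytes, sample_b: bytes, n: int = 4) -> float:
    """Fraction of n-grams two samples share (1.0 means identical content)."""
    return jaccard(byte_ngrams(sample_a, n), byte_ngrams(sample_b, n))


def shared_fragment_count(sample_a: bytes, sample_b: bytes, n: int = 4) -> int:
    """Number of distinct n-grams present in both samples (how much is reused)."""
    return len(byte_ngrams(sample_a, n) & byte_ngrams(sample_b, n))


def link_samples(samples: dict, threshold: float = 0.3, n: int = 4) -> list:
    """Return (name_a, name_b, score) for every pair scoring at or above
    threshold, most similar first. Each link is a candidate for "same
    developer or same code base" that an analyst then has to confirm."""
    links = []
    for (name_a, data_a), (name_b, data_b) in combinations(samples.items(), 2):
        score = similarity(data_a, data_b, n)
        if score >= threshold:
            links.append((name_a, name_b, score))
    return sorted(links, key=lambda link: link[2], reverse=True)


def _fake_code(seed: int, length: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for compiled code (constructed)."""
    return random.Random(seed).randbytes(length)


# Constructed corpus: a 48-byte "routine" first seen in the 2005 sample is
# carried over unchanged into a 2010 build whose remaining code is new.
# A third sample is unrelated and shares nothing with either.
REUSED_ROUTINE = _fake_code(2005, 48)
SAMPLES = {
    "rat_2005": _fake_code(11, 16) + REUSED_ROUTINE + _fake_code(12, 16),
    "rat_2010": _fake_code(21, 16) + REUSED_ROUTINE + _fake_code(22, 16),
    "unrelated": _fake_code(31, 80),
}

if __name__ == "__main__":
    for name_a, name_b, score in link_samples(SAMPLES):
        shared = shared_fragment_count(SAMPLES[name_a], SAMPLES[name_b])
        print(f"{name_a} <-> {name_b}: similarity {score:.2f}, {shared} shared 4-grams")
```

With these inputs the 2005 and 2010 samples score roughly 0.4 (the 45 n-grams of the shared routine against about 109 distinct n-grams in the union), while the unrelated sample scores 0 against both. The threshold is the analyst’s choice: too low and compiler boilerplate links everything, too high and a partially rewritten routine is missed.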
Businesses under attack

Article by Joerg Geiger
Chief Technology Expert at Kaspersky Lab

Joerg Geiger has 11 years’ experience in IT journalism. Having completed his Diploma in Computer Science, Joerg worked as a Senior Editor for a number of different printed and online magazines. For the last 3 years, Joerg has been a freelance contributor to German newspapers, websites and various IT companies and specializes in operating systems, IT security and mobile IT.

Modern companies cannot survive without information and computer technologies. IT has become an inseparable part of any commercial venture, state-run enterprise or worldwide business system. However, IT has also developed into a potent source of problems and threats which companies must face. With the help of malware, hackers are able to steal confidential information from computers, which in turn can lead to damaged commercial reputations, the collapse of business deals and the infringement of intellectual property rights. Under the control of hackers, corporate computer networks can spread spam and malware, not only locally, but to the computers of trusted clients and partners as well. Software and hardware failures lead to unwanted downtime, the interruption of important business processes and the loss of working time by personnel. This is only a small part of the modern corporate threatscape, which we will look at in more detail within this article.

Today’s computers store and process all types of official information; they generate business activity reports, they perform economic analyses and undertake planning, and they are used for technical modeling and design. Companies advertise their products via the Internet and communicate with society in general using computers. Goods are readily bought and sold through the medium of electronic trading and Internet shops. In the course of everyday business activity, computers and smartphones have become an indispensable communications tool for workers, clients and company managers alike. The burgeoning capabilities of today’s IT equipment mean that companies can now benefit from a whole new world of commercial possibilities. Such companies rely heavily on stable IT infrastructure to maintain their business processes and competitive advantage.

As mentioned previously, the presence of financial or confidential information attracts the shadier elements of society, who wish to nefariously grab a slice of the pie for themselves; in addition, it should be remembered that companies can and do suffer enormous losses due to the availability of confidential information to insiders. Serious security incidents can incur punishment by the state – in most countries, violation of security standards is a prosecutable offence carrying criminal responsibility and, where applicable, the withdrawal of state-issued and other licenses.

The incentive to hack corporate networks grows as commercial information becomes more and more valuable and as business processes are automated. The tendency is for business IT to develop not only automated management and recording systems, but technological processes as well – IT is already a major player not only in accountancy, warehousing and HR, but in manufacturing and production too. Today it is completely unacceptable to leave corporate IT systems under-protected, or worse still, unprotected. A company’s IT infrastructure must include reliable and comprehensive protection against computer threats.

[Photo: The Internet has long since been used for the majority of corporate financial transactions]

Goals and tasks

It is interesting to note that malware specifically designed to target corporate information systems does not exist. The tools of the hackers’ trade remain the same regardless of whether the target is a private individual or a company; the only real difference is the scale of damage, so companies have to pay particular attention to their own protective measures. The cybercriminals are far more interested in attacking companies than private individuals, as the potential rewards from such attacks are considerably higher. It is very rare indeed for a hacker or virus writer to work for nothing. Usually, when they feel the need to put their professional abilities to the test, they try to ensure that their efforts are duly remunerated. Hackers that attack companies generally do so for the following reasons:

• To steal confidential information, including financial information, with a view to profiting from its usage or resale, for example, databases belonging to financial organizations
• To disable a company’s IT infrastructure with a view to extorting money from that company for returning its IT infrastructure to operational condition. Additionally, a hacker may want to damage a company’s reputation or interrupt its business processes by the use of DDoS attacks
• To use the IT resources of one company for the purpose of attacking other companies

Those who order hacking attacks are usually dishonest competitors, financial fraudsters or people involved in industrial espionage. For example, it may be that on the day that a company is due to launch a new product, hackers acting on behalf of a competitor take down that company’s website, thereby depriving the company of a lot of potential customers who would otherwise have visited it.
Another common example is a competitor acquiring detailed information concerning an important business deal from a rival company’s computer system, and the deal subsequently being undermined. Then there is always the scenario in which financial information is stolen by an insider in order to initiate an illegal transaction. In the most dangerous cases, vital social infrastructure can be put out of operation if the company responsible for maintaining it becomes the subject of a hacker’s attack.

Methods of attack

How do cybercriminals gain access to corporate information? What vectors of attack do they choose? First of all, the particular attributes of corporate networks play right into the hands of the cybercriminals. Such networks are typically large-scale, distributed across geographical sub-divisions, hierarchical in composition with heterogeneous component parts, carrying high levels of traffic and supporting a significant number of users. Networks belonging to large enterprises with geographically diverse subdivisions have equipment located in different towns and sometimes even different countries, as well as hundreds of kilometers of communications cables. All this makes it very difficult to prevent unauthorized network access or the interception of confidential information transmitted over the network. An attacker can surreptitiously connect to some part of the network and secretly monitor the channel traffic without alerting anyone to their presence, or masquerade as an authorized user and send requests for information and messages in the name of a legitimate user. Hacking can occur on both private and publicly accessible sections of a network – usually the Internet. In such a case, the cybercriminal does not need to be physically near the hacked channel; using hacking tools and methods available on the Internet it is possible to hack a network remotely.

Cybercriminals do not have to attack a whole organization to get their hands on financial or confidential information. It is much simpler to carry out an attack by targeting an individual victim in an administration or HR department, where the level of computer literacy is usually fairly low.

A hacker does not usually need direct access to the target computer within an organization: these days attacks are carried out remotely via the Internet.

Probably the most popular method for infecting computers is via the use of programs called Trojans, which infiltrate a target machine through malware links in spam, instant messaging, drive-by downloads and the exploitation of vulnerabilities in different software applications. Of all the abovementioned methods of infection, it is vulnerabilities in software that are one of the biggest problems within the corporate environment. Large corporate networks are made up of a huge number of component parts: workstations, servers, laptops, smartphones, all of which may operate under the control of a different operating system. The situation gets even more complex when the functional diversity of the component parts of a large corporate network is factored in; the hardware will service different subdivisions, perform different tasks and differ from unit to unit, not to mention that it is often produced by different manufacturers. It is almost impossible to keep track of all the programs installed on all of the systems and devices mentioned. IT administrators need to constantly update programs and install patches for the entire system’s resources, but it is a complex task, made more difficult by the fact that an administrator may have to wait a significant amount of time for a much-needed patch while the manufacturer creates and distributes it. As a result, a corporate network can remain susceptible to attack by cybercriminals who can exploit a vulnerability, for example, by installing malware via an old version of Adobe Reader, with ensuing dire consequences for the computers on the corporate network.
In such a case, even technical specialists may suspect nothing if they do not keep themselves up to date regarding the latest detected vulnerabilities in application-dependent software.

Another loophole used by the criminals is the multiplicity of staff and the resulting multiplicity of computer network users and access points. The larger the number of end-users and nodes, the more chance there is of an accidental oversight in security procedures or an intentional violation of security policy. It is more difficult for the administrators to determine users’ loyalties, especially as users could typically be both staff members and, for instance, clients. Therefore it is more difficult to control them – today, simple methods of recording user information are no longer suitable; more complex methods like authentication, authorization and auditing are required. Modern corporate IT systems need to be able to do much more than just allow or disallow a user access to something; they need the flexibility to provide degrees of access, taking into consideration factors such as time, group membership, editing rights, etc. Nowadays a corporate user has a wider range of services available to them: very often they have Internet access, which is awash with malware, a mobile connection, which has become unsafe, and remote access from home, which makes it difficult for the employer to check whether passwords for accessing the corporate servers are stored in a secure manner. Unfortunately, companies rarely have all-encompassing security policies in place, so the cybercriminals continue to actively abuse the situation and commit targeted attacks.

Education

One of the keys to successfully minimizing corporate attacks is to educate staff on a constant basis, and not just technical staff, but administrative staff too. It is more often than not the latter group who are responsible for the large numbers of successful attacks carried out using social engineering techniques.
Obviously, when a user has no real knowledge of the basic rules of computer security there can be no guarantee that hackers won’t be able to enter the corporate network, regardless of whether or not a highly qualified administrator has implemented the most stringent security settings. Teach your staff not to react to emails and IM messages of a dubious nature, which may well contain malicious hyperlinks in the body of the message. Explain to them that a letter or SMS message from a friend can be compromised and that it is always better to think twice and check before clicking on anything in the messages received. Remind your staff again and again that “there is no such thing as a free lunch”; banks and social networks will never ask you for your login or password simply because they have problems with their infrastructure or their database of users is being updated. It is imperative to teach your staff to think twice and remain cautious.

[Figure: The structure of a typical corporate network is usually much more complex than the one displayed in the picture]

Complexity

So, what can be done within the framework of corporate security to prevent the criminals from gaining the upper hand? The most important thing is to understand that protection of the corporate network needs to be complex and multilayered. Before the design and installation of a secure network can take place it is necessary to consider all of the possible threats to the integrity and confidentiality of the information that it will contain, as well as to think about how the network could be penetrated, for example, via external media and software vulnerabilities. The measures taken to counter any threats must be complex and should include organizational and technical methods. Organizational means of protection should include a set of company procedures and a structured approach to working with documentation and information. A company’s management has to clearly understand what information is considered confidential, which staff can have access to such information and how to arrange a system so that a breach of those access rules cannot occur. Technical means of protection can include all kinds of equipment for nullifying electromagnetic radiation and avoiding electronic eavesdropping, access control mechanisms, encryption systems, antivirus programs, firewalls, etc.
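The authentication, authorization and auditing requirement set out under Methods of attack above, together with the access control mechanisms just listed, can be made concrete in a small policy engine. The following Python is an added example, not part of the article or of any product: it authenticates a user against a salted password hash, authorizes the request by group membership, the action requested and the time of day, and records every decision in an audit trail. The users, groups, resources and rules are constructed for the demonstration.

```python
"""Authentication, authorization and audit for a corporate resource (added example).

The policy below is constructed: HR may read and edit the payroll database in
office hours, finance may only read it, and nobody gets anything at night.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, FrozenSet, List, Tuple

PBKDF2_ROUNDS = 100_000


@dataclass(frozen=True)
class Rule:
    """Members of `group` may perform `actions` on `resource` between start and end."""
    group: str
    resource: str
    actions: FrozenSet[str]
    start: time
    end: time


class AccessController:
    def __init__(self) -> None:
        # name -> (salt, password hash, groups); the password itself is never stored
        self._users: Dict[str, Tuple[bytes, bytes, FrozenSet[str]]] = {}
        self._rules: List[Rule] = []
        self.audit_log: List[dict] = []

    # --- authentication: who is asking? -------------------------------------
    def add_user(self, name: str, password: str, groups) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[name] = (salt, digest, frozenset(groups))

    def authenticate(self, name: str, password: str) -> bool:
        record = self._users.get(name)
        if record is None:
            return False
        salt, digest, _ = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)   # constant-time comparison

    # --- authorization: is this user allowed to do this, now? -----------------
    def add_rule(self, rule: Rule) -> None:
        self._rules.append(rule)

    def _decide(self, name: str, resource: str, action: str, now: datetime) -> Tuple[bool, str]:
        groups = self._users[name][2]
        candidates = [r for r in self._rules if r.group in groups and r.resource == resource]
        if not candidates:
            return False, "no rule grants this group access to the resource"
        permitting = [r for r in candidates if action in r.actions]
        if not permitting:
            return False, "action not permitted for this group"
        if any(r.start <= now.time() < r.end for r in permitting):
            return True, "allowed"
        return False, "outside permitted hours"

    # --- the three together: every request leaves an audit record -------------
    def request(self, name: str, password: str, resource: str, action: str,
                now: datetime) -> Tuple[bool, str]:
        if not self.authenticate(name, password):
            allowed, reason = False, "authentication failed"
        else:
            allowed, reason = self._decide(name, resource, action, now)
        self.audit_log.append({"time": now.isoformat(), "user": name, "resource": resource,
                               "action": action, "allowed": allowed, "reason": reason})
        return allowed, reason


def build_demo_controller() -> AccessController:
    """Constructed users and rules for the demonstration (hypothetical names)."""
    ac = AccessController()
    ac.add_user("alice", "correct horse battery", ["hr"])
    ac.add_user("bob", "s3cret-finance", ["finance"])
    ac.add_rule(Rule("hr", "payroll-db", frozenset({"read", "edit"}), time(8, 0), time(18, 0)))
    ac.add_rule(Rule("finance", "payroll-db", frozenset({"read"}), time(8, 0), time(18, 0)))
    return ac


if __name__ == "__main__":
    ac = build_demo_controller()
    office_hours = datetime(2010, 10, 5, 10, 30)
    late_night = datetime(2010, 10, 5, 22, 0)
    ac.request("alice", "correct horse battery", "payroll-db", "edit", office_hours)
    ac.request("alice", "correct horse battery", "payroll-db", "edit", late_night)
    ac.request("bob", "s3cret-finance", "payroll-db", "edit", office_hours)
    ac.request("mallory", "guess", "payroll-db", "read", office_hours)
    for entry in ac.audit_log:
        print(entry)
```

The reason strings distinguish a missing rule from a forbidden action and from an out-of-hours request, which is what an auditor reading the trail needs; a deployment would persist the trail somewhere the requesting user cannot modify, and the "user unknown" and "wrong password" cases deliberately produce the same answer so that the log does not confirm which account names exist to whoever is probing.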
One should remember that within the realm of complex technical procedures it is very important to restrict the use of external media such as flash drives and portable hard disks; it is also recommended that the possibility of recording data to CD-ROMs is removed or otherwise controlled. This is achievable through technical means, for example, by closing ports at the BIOS level, to which an ordinary user would not have access. Additionally, most corporate antivirus solutions have inbuilt functionality that provides control over USB and other peripheral ports. Those staff members whose work regularly entails the use of portable storage media must be provided with, and made to use, an automatic encryption system that will protect any information stored on it in the event of the theft or loss of the media.

If the use of portable storage media is not strictly managed, then the protection of confidential information can be forgotten.

[Photo: Modules allowing the centralized management of corporate network protection are present in every major business IT security solution]

Other similarly important measures, which are quite often overlooked by companies, include the protection of wireless access points and data transmission channels. If you have protected the whole infrastructure, but left your WiFi networks without WEP encryption and not implemented a monthly password changing policy, then you have protected nothing. Generally speaking, the use of WiFi inside a company should be as limited as possible. It is necessary to regulate the distance that the signal can travel by adjusting the radiated power of the transmitter, provide users with temporary passwords, define which WiFi networks guests can connect to, limit access to internal resources, etc.

Centrality

Protection of a corporate network is a round-the-clock, year-round process and should embrace the entire information lifecycle - from its arrival at the company through to its destruction, loss of value or downgraded level of confidentiality. Reliable protection means real-time control over all the important events and occurrences that may influence security. It is very important to implement the centralized management of a security system. This approach allows the speedy acquisition of a complete picture of network events from a single access point and provides a centralized approach to the resolution of tasks; it is a method for checking and effectively resisting generic threats. At the same time, the application of different security policies across the various subdivisions, as well as an individualized approach to the resolution of tasks, should not be excluded.
The centralized management of network security via a single interface has the advantage that system administrators do not have to spend a lot of time familiarizing themselves with several different security solutions. Modern corporate antivirus solutions offer companies precisely this level of control. As a rule, such solutions contain some sort of centralized management system that allows adjustment of the many different security-related software modules: the antivirus system settings, the setting up of individual and group application parameters, access to different resources, database updates and the continuous monitoring of the network status, with a dynamic response in the event of critical situations.

Sufficiency

Any security system has to be sufficiently robust. This means that it should provide the maximum level of protection, availability and resiliency. To do this, a security system must have a reserve of hardware and software to cope in situations where a component of one or the other type fails. Additionally, the system has to employ effective technologies that can cope with existing threats and are able to combat new attacks thanks to embedded ‘extra’ capabilities such as heuristics and enhanced signature detection processes. Heuristic analyzers, as well as script emulators and file execution emulators, are used when a program sample is not present in antivirus databases; they allow program execution to be emulated inside an isolated, virtual environment. This is absolutely safe and allows all of the program’s actions to be analyzed in advance, so that its potential to cause harm can be estimated with a high probability prior to real-world execution. In this way, new threats are detected before they become known to virus analysts and their signatures can be included in antivirus databases accordingly. Taking care to ensure that a system is sufficiently robust prolongs its usefulness as a means of defense.
Reasonable balance

It is always the case that a reasonable balance needs to be struck between the capabilities of a security system and its level of resource-intensity. The more options and functions a solution has, the more computer, human and other resources are consumed. This is unacceptable for a corporate network, as it will generally have high enough working loads already - it must simultaneously serve a large number of users, search vast databases, transmit big volumes of traffic and do all of the above precisely and quickly. Manufacturers of antivirus products pay a great deal of attention to the balance between productivity and protection of systems. For this reason there are parameters that can be set to run system scans only at times when nobody is working on a computer, i.e., when a computer is locked or its screensaver is on. This allows, for example, a deep heuristic analysis to take place during an antivirus scan without interfering with the work of the staff. Additionally, modern antivirus products include technologies that can significantly increase the operating speed of an antivirus application in both always-on protection and on-demand scanning. Speed is also gained by not re-checking files that have already been scanned, provided that this does not pose a threat of infection. By complementing each other, such technologies can greatly reduce the time and resource-intensity required for the antivirus scanning of different objects, files and operating systems.

[Photo: It is necessary to encrypt not only the data that the phone contains, but also the data stored on any accompanying memory card in the event that important information is stored on that too]
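The last point above, skipping files that have already been scanned as long as that cannot let an infection through, comes down to how the scan cache is keyed. The following Python is an added example, not code from any vendor’s product: a cache that remembers only clean verdicts, keyed on the file’s content hash and the signature database version, so a file is rescanned whenever its bytes change or the database is updated, and an infected verdict is never served from the cache. The toy signature engine, its two database versions and the sample files are constructed.

```python
"""Skipping repeat scans of unchanged files without skipping real threats (added example).

The "engine" is a toy substring matcher over constructed byte patterns; a real
engine is far more expensive, which is exactly why the cache is worth having.
"""
import hashlib
from typing import Callable, Dict, Tuple

# Constructed signature databases: version 2 adds a pattern version 1 did not know.
TOY_SIGNATURES = {
    1: [b"BADCODE-V1"],
    2: [b"BADCODE-V1", b"BADCODE-V2"],
}


def make_engine(db_version: int) -> Callable[[bytes], str]:
    """Return a scan function bound to one signature database version."""
    patterns = TOY_SIGNATURES[db_version]

    def scan(data: bytes) -> str:
        return "infected" if any(p in data for p in patterns) else "clean"

    return scan


class ScanCache:
    """Caches clean verdicts only; anything infected always goes through the engine."""

    def __init__(self, db_version: int) -> None:
        self.db_version = db_version
        self._engine = make_engine(db_version)
        # path -> (sha256 of content, database version the clean verdict came from)
        self._clean: Dict[str, Tuple[str, int]] = {}
        self.engine_scans = 0   # how often the expensive engine actually ran

    def update_database(self, new_version: int) -> None:
        """A new database makes every cached verdict stale. Entries are not
        deleted here; they simply stop matching because the version is part
        of the cache key, so each file is rescanned the next time it is seen."""
        self.db_version = new_version
        self._engine = make_engine(new_version)

    def scan(self, path: str, data: bytes) -> Tuple[str, bool]:
        """Return (verdict, served_from_cache)."""
        digest = hashlib.sha256(data).hexdigest()
        if self._clean.get(path) == (digest, self.db_version):
            return "clean", True          # same bytes, same database: nothing new to learn
        verdict = self._engine(data)
        self.engine_scans += 1
        if verdict == "clean":
            self._clean[path] = (digest, self.db_version)
        else:
            self._clean.pop(path, None)   # never remember a file as clean once it is not
        return verdict, False


if __name__ == "__main__":
    cache = ScanCache(db_version=1)
    # Constructed files; the third carries a pattern only database version 2 knows.
    files = {
        "report.doc": b"quarterly figures",
        "tool.exe": b"header BADCODE-V1 trailer",
        "macro.xls": b"cells BADCODE-V2 cells",
    }
    for path, data in files.items():
        print(path, cache.scan(path, data))
    print("second pass:", [cache.scan(p, d) for p, d in files.items()])
    cache.update_database(2)
    print("after update:", [cache.scan(p, d) for p, d in files.items()])
    print("engine runs:", cache.engine_scans)
```

Keying on the content hash rather than on modification time is the conservative choice: a timestamp can be set back by whatever modified the file, but a file that hashes the same as before really is the file that was already scanned. The cost is one hash per lookup, which is still far cheaper than a full emulation of the file.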
Flexibility

A security system should also be flexible and scalable; in other words, it should be adaptable to a wide range of tasks, working conditions and quantitative characteristics of a corporate network. Today’s computer networks can expand, contract and change their configuration very quickly. Threats are also changing with alarming rapidity, and a security system should be ready for this. To meet this requirement, high-quality security solutions need the means to update practically all of their program components - for example, malware protection solutions should update not only their antivirus signature databases, but also their malware behavior pattern recognition capabilities and their own operating algorithms.

Interactivity

Another important requirement is interactivity. The security system has to be able to interact with an experienced user, system administrator and network administrator. It has to provide a user with sufficient information upon which to base operational decisions and be able to warn a user about potential errors. It is preferable that the system’s settings and security modules are understandable to a layman who has no specific knowledge in the field of information security. This allows corporations to quickly train their own specialists and means that medium and small businesses can have a protected system without the need to employ security administrators or even IT specialists. In order to do this, antivirus solution developers pay increased attention to their product interfaces, trying to make them as simple and straightforward as possible. Special significance is given to the provision of notifications when the security of the system is under threat. The system must inform an administrator of what actions should be performed in order to restore normal defensive levels.
The interface must also allow the administrator to quickly jump between tasks such as virus scanning, antivirus database updating, etc.

Compatibility and heterogeneity

Compatibility is a definitive requirement of a security system – it must be able to operate fully in a complex, heterogeneous corporate network without any negative impact on the other components. Any corporate antivirus system has to be able to function with a range of different devices. Modern computer systems can consist not only of workstation computers, file servers and mail servers, but notebooks and smartphones too. Smartphones are commonly synchronized with computers, and if a user opens a malware link on their telephone, there is a real chance of transferring that virus to the corporate network during the process of synchronizing mail or calendar items with the networked computer. While on the subject of smartphones, it is worth comparing them to portable information storage devices – all messages and mail correspondence, as well as the contents of flash memory and memory cards which are used for the additional storage of information, should be compulsorily encrypted. Only then is it possible to guarantee the integrity of the stored information in the event of the loss of a device. When choosing a protective solution for mobile devices, close attention should be paid to ensuring that it has the capability to block a lost smartphone, even if the SIM card is changed by a thief. Otherwise the criminal will be able to drop off the radar of those seeking to retrieve the device and, having removed the SIM card from the phone, will be able to do anything they wish with the phone and the valuable information it contains. Also, it is worth remembering that when a company uses machines with different operating systems, all of them should be protected, as if only one of the systems is secure, it means none of them are safe.
If an administrator thinks that there are not many viruses for Mac OS X out there, so the risk to the company is negligible and therefore it is not critical to protect Macintoshes, they would be absolutely wrong. It is through just such an open gate to the world of Windows computers that the most harmful malware threats may come, for example, by way of a malware link which becomes active once inside a Microsoft environment. Another route is a Trojan program which automatically copies itself to a flash memory card on a computer running Mac OS X; the card is later inserted into a different workstation running Windows.

Summary

New threats and vulnerabilities in the world of computer security are growing as never before and there are no indications that the situation is going to improve any time soon. Nevertheless, if you as a company administrator or security specialist provide proper protection on all fronts, then there is a good chance that your company’s business will prosper. Educate your staff about computer safety on a regular basis. Distributed security policies and access rights should be compulsory, and protection solutions should be provided for all nodes on the network, from the gateways to the endpoints - and don’t omit the bosses’ smartphones or notebooks. Remember: economize just once on network protection and it is possible that the whole of the company’s business could be lost as a result.

Expert Comments

Kaspersky Lab’s products for corporate users are complex solutions for heterogeneous, distributed networks, and that is very important at the present time. Our solutions for Windows, Linux, Mac, Novell NetWare and mobile operating systems are simple to install and use. Kaspersky Lab’s solutions provide protection for all types of network nodes – from mobile devices to servers. They can control all incoming and outgoing data flows, from email and Internet traffic to internal network interactions, and they also provide powerful management tools. All of Kaspersky Lab’s solutions include the Kaspersky Administration Kit management console, which allows the centralized organization and control of network protection for the whole company, integrating all the different levels of protection into one system. The solutions provide scalability, notification of the status of the network’s antivirus protection, control over the use of external devices, special security policies for mobile users, support for network access control technologies and customized reporting, allowing administrators to manage the system in an effective way via a straightforward interface.

Nikolay Grebennikov
Chief Technology Officer at Kaspersky Lab
Desperate Jailbreakers

Article by Brian Krebs

Brian Krebs is editor of krebsonsecurity.com, a daily blog dedicated to in-depth Internet security news and investigation. Until recently, Krebs was a reporter for The Washington Post, where he covered Internet security, cybercrime and privacy issues for the newspaper and the website. Krebs got his start in journalism at The Post in 1995, and has been writing about computer security, privacy and cybercrime for more than a decade.

It was late July, and Apple was still reeling from an uncharacteristic backlash by the media and its typically adoring customer base over a design flaw in the antenna of its much-vaunted new iPhone 4.0 that effectively wiped out wireless reception for many users. Then, at the beginning of August, hackers published a remotely exploitable security vulnerability in the device that left tens of millions of iPhone users exposed to malicious drive-by downloads.

The exploit, embedded in the website jailbreakme.com, was intended to provide a simple way for iPhone and iPad users to jailbreak their phones – a process that allows the installation of third-party applications that are not expressly approved by Apple. Yet security experts were instantly drawn to the much darker potential for this exploit to be abused to install malicious programs on all of these devices – and not just those belonging to jailbreakers. The hackers who discovered the flaw soon released a patch to block future attacks against jailbreakers, and Apple issued an official fix to protect regular iPhone users a few days later. Still, the incident has thrown a spotlight on the simmering, high-stakes tension between security and usability in the mobile computing market.

While technically speaking all jailbreaks exploit security vulnerabilities or configuration weaknesses in the underlying operating system, nearly all previous jailbreak exploits required users to connect their iPhones to a computer with a USB cable. If you were lucky, the jailbreak would work; otherwise, you might be the proud owner of a very expensive paperweight. All of that changed on 1 August, with the debut of a powerful and highly reliable new iPhone exploit embedded in jailbreakme.com, which allowed iPhone users – even those on the most recent 4.0 iOS – to jailbreak merely by visiting the site with the iPhone’s Safari web browser and dragging the slider bar across the device’s touchscreen. Instantly, the process of jailbreaking became more akin to casual web surfing and less like patching and praying. At the same time, tens of millions of people were exposed to a powerful, remote exploit that criminals could use to install malware just by convincing an iPhone or iPad user to browse a hacked or malicious website.

[Photo: Now, to unblock an iPhone, iPod touch or iPad, it’s enough just to visit a special website]
"My grandma doesn't know what jailbreaking is and never had to worry about what jailbreakers were up to, because if she wanted to jailbreak her phone she had to plug it into a computer, download some special tools, and then it might work," said Charlie Miller, a renowned iPhone hacker and researcher with the Baltimore, Md.-based firm Independent Security Evaluators. "But now, here was something that could radically change your phone just by visiting a webpage. All of a sudden this meant instead of doing something fun and friendly like jailbreaking the phone, it could do something evil, where grandma goes to some site and the same vulnerability is used to download code to the phone."

Patch wars

Four days after jailbreakme.com went live, Apple announced it would soon be releasing a patch it had developed to protect users. Almost immediately, jailbreaking advocates lit up Twitter.com and other social media sites, warning people not to download the Apple patch because it would un-jailbreak those devices, or possibly worse. That advice struck some security experts as a scary sign of things to come.

Mikko Hypponen, Chief Research Officer for Finnish computer security firm F-Secure Corp., was among those who publicly chastised the team for telling people not to apply the patch.

"Imagine if this would have happened with Microsoft Windows, where someone creates a zero-day exploit, doesn't report it to Microsoft, then publishes the exploit, and when Microsoft responds with a patch there are thousands of people telling the world not to patch it," Hypponen said. "If they want to give that kind of advice to people who have jailbroken their phones, that's great. But now they've made everyone vulnerable – because these exploits are out there affecting everyone – and even people who haven't jailbroken their phones are getting the advice not to upgrade, when in fact they should."
Within days of releasing its exploit, the crew responsible for creating the web-based jailbreak – a group called the iPhone Dev Team, along with a developer known by the screen name Comex – released PDF Warner, a tool that jailbreakers could install to receive a warning if a website tried to use the jailbreak flaw to install malicious software. The Dev Team even released its own unofficial patch for those who had jailbroken their phones, which went further in protecting jailbroken users than did the official patch from Apple, which does nothing to fix the flaw in iPhone devices older than the iPhone 2.x versions.

Will Strafach, an independent software developer from Connecticut who helped test the exploit used on jailbreakme.com, acknowledged that the unofficial patch took a bit longer than expected, and that it is still not installed by default after people use jailbreakme.com. Still, he noted that neither this exploit nor a similar, remotely exploitable jailbreakme.com exploit released back in November 2007 resulted in any malicious attacks.

"Not much detail will be released about how the exploits work until after Apple has issued their patch, so… there has never to date been a malicious payload I have seen for the two jailbreakme.com exploits," Strafach said.

Strafach is technically correct. Then again, the only real threats to emerge against the iPhone have worked only against jailbroken devices, by exploiting default settings left behind during the jailbreaking process. In November 2009, the relatively harmless Ikee worm spread rapidly among iPhone users who had jailbroken their phones but neglected to change the default SSH password. The Ikee worm was more an annoyance than a threat: it Rickrolled less cautious jailbroken iPhone users by changing the wallpaper on their devices to a picture of '80s pop singer Rick Astley. But a second, less publicized version of Ikee introduced the first known banking Trojan for the iPhone.
Unceremoniously dubbed Ikee.b, the worm modified the hosts file on the iPhone, adding a single entry so that anyone trying to visit the website of ING Bank in the Netherlands (www.ing.nl) with an infected iPhone was redirected to a counterfeit ING website hosted in Tokyo and designed to phish the victim's online banking credentials. That attack received little attention in the news media, probably because it affected such a minuscule subset of iPhone users: those in the Netherlands who had insecure jailbroken iPhones that they used for online banking. What's more, Hypponen said, the fake ING site was only online for a short time before being taken down.

"The overall point is that the more time passes, the more exploits like this we will see for the iPhone and other mobile platforms, and the more likely we'll start to see moneymaking attacks on mobile phones," he said.

Image caption: Looking at the Ikee.b source code, it's easy to spot the default password 'Alpine' that opens the door for the malware to walk through

Attack of the killer apps?

Of course, security vulnerabilities aren't the only way intruders can break into mobile phones. Malicious applications, or apps, designed for use on smartphones can hide malicious software, or turn from benign to malicious via an update after a user has already trusted and downloaded it to their phone.

About the same time that jailbreakme.com debuted this latest remote root exploit for the iPhone, security experts were unraveling the secrets of a questionable app designed for Google's Android phone users. According to San Francisco-based mobile security firm Lookout, the app – an apparently innocent program that offered free wallpapers and was downloaded more than a million times – collected users' phone numbers, subscriber information and voicemail numbers, and sent the information off to a server in China. Then, on 09 Aug, Kaspersky Lab said it had discovered the first malicious program for the Google Android platform: a Trojan disguised as a media player app that uses the victim's phone to send expensive text messages to premium rate numbers without the user's consent.

Unlike Apple's tightly controlled App Store, the Google platform allows developers to upload applications for other users. Interestingly though, while the ability to install unapproved apps is the main reason people jailbreak their phones, not a single malicious third-party app has been reported for jailbroken iPhones.

Lookout co-founder John Hering said the two models represent the classic tug-of-war between security and usability. But, he said, one isn't necessarily more secure or better than the other. Rather, the mobile providers need to focus on reacting quickly when problems are spotted.

"It's the classic balance of security and openness at odds with one another," said Hering. "So far, both providers have shown they have the ability to respond to these incidents very quickly."

The jailbreakme.com vulnerability drew an unusually speedy response from Apple, which has long been criticized for taking its time in fixing many security flaws.
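The Ikee.b hosts-file hijack described above lends itself to a simple defender-side check. The following Python script is an added example, not code from the article, from the worm or from anyone quoted here. It parses a hosts file the way a resolver reads it, flags watchlisted domains (such as www.ing.nl) that have been overridden at all and any non-local hostname mapped to a routable address, and produces a cleaned copy with the offending lines removed. The sample hosts text, the ad-blocking line and the 203.0.113.7 address are constructed for the example (203.0.113.0/24 is a documentation range).

```python
"""Audit a hosts file for entries that hijack named domains.

Added example (not code from the article or the Ikee.b worm): Ikee.b worked by
adding a single hosts-file line that pointed www.ing.nl at an attacker server.
Any hosts entry that maps a public hostname to an address outside the
loopback/unspecified ranges deserves a second look; a watchlisted domain
deserves one no matter what it points at.
"""
import ipaddress
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int      # 1-based line number in the hosts text
    ip: str
    hostname: str
    reason: str


# Names a normal hosts file may map to a non-loopback address (assumption for
# this example; extend for a given platform). Anything else mapped to a
# routable address is suspicious.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text: str):
    """Yield (line_no, ip, [hostnames]) for each effective hosts entry.

    Comments (after '#') and blank lines are skipped, as the resolver does.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        yield line_no, parts[0], [h.lower() for h in parts[1:]]


def audit_hosts(text: str, watchlist=()) -> List[Finding]:
    """Return suspicious hosts entries.

    An entry is flagged when a watchlisted hostname (e.g. a bank domain) is
    mapped at all, or when any non-local hostname is mapped to a routable
    address, which is exactly how Ikee.b redirected www.ing.nl.
    """
    watch = {w.lower() for w in watchlist}
    findings = []
    for line_no, ip_text, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            findings.append(Finding(line_no, ip_text, names[0], "unparseable address"))
            continue
        harmless = ip.is_loopback or ip.is_unspecified
        for name in names:
            if name in watch:
                findings.append(Finding(line_no, ip_text, name, "watchlisted domain overridden"))
            elif not harmless and name not in LOCAL_NAMES:
                findings.append(Finding(line_no, ip_text, name,
                                        "non-local name mapped to routable address"))
    return findings


def clean_hosts(text: str, findings: List[Finding]) -> str:
    """Return the hosts text with every flagged line removed (the 'treatment')."""
    bad = {f.line_no for f in findings}
    kept = [raw for i, raw in enumerate(text.splitlines(), start=1) if i not in bad]
    return "\n".join(kept) + "\n"


# Constructed sample: a jailbroken-iPhone style hosts file with one injected line.
SAMPLE_HOSTS = """\
# Host Database
127.0.0.1   localhost
255.255.255.255  broadcasthost
::1         localhost
0.0.0.0     ads.example   # constructed ad-blocking entry, harmless
203.0.113.7 www.ing.nl    # constructed: the kind of line Ikee.b added
"""

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS, watchlist=["www.ing.nl"]):
        print(f"line {f.line_no}: {f.ip} {f.hostname} -> {f.reason}")
```

Run against the sample, only the www.ing.nl line is reported; the ad-blocking entry mapped to 0.0.0.0 and the standard loopback lines pass. On a real device the same logic runs over the contents of /etc/hosts, and the cleaned copy is what a restoration step would write back.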
For example, Apple maintains its own version of Java and has been shown to lag up to six months behind in implementing the same security updates that Sun/Oracle released for versions of Java on other platforms. The company has also been known to fix bugs in its Safari web browser on the Mac and yet leave those same bugs unpatched on the iPhone for months at a time (it's notable that the jailbreakme.com exploit – which leveraged a vulnerability in the way iPhones render PDF documents – was delivered via Safari).

Apple's defenders say that if the company fails to rush out emergency patches each week, it's probably in part because the computing platform simply isn't constantly under siege by cybercriminals – unlike a certain dominant operating system made by Microsoft.

Rich Mogull, a security analyst at Phoenix-based Securosis, says Apple is right to react differently to potent threats against its mobile devices. Mogull notes that Apple's mobile operating system – which shares much of the same code base as the OS that powers Mac desktop and laptop computers – has the potential to make an end-run around the traditional flame-war-inducing, long-running debate: are Macs safer due to the way they are designed, or because there are fewer users relative to the Windows PC community? Indeed, with more than 100 million Apple mobile devices sold so far, there are now vastly more iPhone, iPad and iTouch users than traditional Mac users. In addition, consumers are increasingly using their mobile phones for a variety of sensitive transactions, such as online banking, shopping and confidential communications.

"Everyone talks about market share questions, but we're not going to get the answer to that question on general purpose computers; we're going to get the answer to that question from these devices," Mogull said.

Looking forward

That answer may not come immediately. For one thing, exploits like the one stitched into jailbreakme.com don't grow on trees.
Strafach said the Dev Team and Comex stated that the exploit went through three weeks of development and a week of testing before going live. The exploit was so difficult to find and refine that it may be quite some time before another remote jailbreak flaw is found, Strafach said, although he stressed that the Dev Team never discusses ongoing research.

Image caption: The first harmful program for Android masquerades as a legitimate Movie Player
Image caption: To unlock an iPhone, one movement of the finger is all that is required

"Yeah, I kind of agree it raises the bar for jailbreaking in a way that may be difficult to replicate," Strafach said. "Comex really outdid himself. Safari isn't an easy thing at all to exploit because of the strong sandbox restrictions."

Also, vulnerabilities that allow remote jailbreaking tend to be useful for far less time than those that require tethering the phone to the computer, as Apple patches them far more quickly.

"Apple has a group of people called the Red Team whose specific task it is to fix exploits from jailbreaks, because as you have probably seen, it gives them bad press when hackers are running around with remote root exploits in Apple's most iconic product," Strafach said.

According to Mogull, "In recent weeks, some antivirus firms have been making noises about these new threats being an indicator that Apple should open up its platform to traditional desktop security vendors. But doing so would be a mistake at this point, as so far at least, its systems have been self-correcting."

"Sure, if device makers don't do a good job of keeping those platforms secure and locking them down, then people may need to look at third party stuff," Mogull said. "There's going to be less margin for error if anything big starts to happen. For example, if you can't make a phone call or summon the emergency services because you have a virus on your phone, I guarantee that will get congressional hearings faster than your not being able to browse porn because you have a virus on your desktop."

Expert Comments

The topic of iPhone security, as well as that of other Apple devices running the iOS operating system (iPod Touch and iPad), is always important. As one might expect, this topic encompasses the eternal question of balance between usability and security, an issue that comes up time and time again.

In many cases, Apple has successfully managed to tread the fine line between the two:
1. The huge popularity of iOS-based devices all over the world proves this.
2. In the 3 years since the first iPhone appeared, only two malware programs have been detected. However, even those two are capable of operating only on devices that have been exposed to 'jailbreak'.

Apple's model for the distribution of its applications has proved itself many times over: thousands of designers create purchasable and free applications which undergo extensive checks before ending up in the Apple Store. Millions of people buy and install these applications and everyone is happy… aren't they? Well, it's not possible to be 100% sure of that just yet:
1. Malware applications disguised as legitimate software have never appeared in the Apple Store.
2. The iOS operating system does not contain any undetected critical vulnerabilities.

Let's look at both of those statements in more detail. Considering that as yet there is no indication that malware applications have been detected in Apple Store software, it appears that the checking system for candidate programs to be added to the catalogue is operating efficiently enough. Without reliable information regarding the checking process of new applications, it is only possible to hypothesize about the mechanisms involved. In any case, no matter what the procedure, the possibility of a mistake cannot be excluded, which in the worst case will lead to a piece of malware entering the Apple Store. Given the fact that users consider programs distributed via the Apple Store to be trustworthy and harmless, the potential for a virus epidemic is huge.

The second statement regarding the iOS containing no undetected and thus unpatched critical vulnerabilities is even more questionable. Given the balance of probabilities, it is fair to assume that it must contain at least one.

In the event that such a vulnerability were detected by Apple themselves, or by a person or company who notifies Apple privately and without fuss, a patch for the vulnerability would have to be launched. However, in such a case, how quickly could the patch be developed and distributed? Would not any delay in its distribution result in word spreading publicly about the vulnerability's existence?

Now for the worst case scenario: imagine just such a critical vulnerability being discovered by criminals. If this happened, one can only guess how it would be used. Of the fact that criminals would try to make use of it one way or another, there can be no doubt at all, especially if the vulnerability was present in not just one particular version of the operating system, but all of them. Again we can only imagine the consequences of a mass virus infection of thousands of devices running on iOS.

We could continue talking about iOS and other mobile platform security indefinitely. These questions are of vital importance today. Mobile devices such as smartphones, regular mobiles and other "smart" devices are being equipped with more and more functionality. With their increased processing capabilities, mobile devices have become practically as powerful as the desktop computers upon which we perform numerous different tasks. Mobile devices are a direct line to a user's money and personal data, and that is something that the criminals simply can't ignore. They are more than ready to take advantage of a user's lack of knowledge about, or indifference to, mobile security protection issues. That is why it is not possible to pay too much attention to the security issues surrounding smartphones and other similar devices, which if ignored, can lead to the direst of dire consequences.

If we were to talk specifically about devices running iOS, then:
1. As mentioned previously, the possible appearance of malware for jailbroken smartphones cannot be excluded. How to protect such devices against infection is still very much an open question.
2. Again, as we have discussed already, the possible appearance of unknown critical vulnerabilities cannot be excluded either. How can this threat be negated? Only by prompt notification from the manufacturer and the rapid development and distribution of suitable updates.

Denis Maslennikov
Senior Malware Analyst, Mobile Research Group Manager
The enemy at the gate

Article by Maciej Ziarek, Security Evangelist at Kaspersky Lab

Maciej joined Kaspersky Lab in 2008. Before joining Kaspersky Lab, Maciej wrote for Internet websites and worked at the Information Centre of the Nicolaus Copernicus University in Torun, Poland, the same university from which he received his Bachelor's Degree in Archival Science and Documentation Management. Maciej is currently studying Computer Science at the Wyzsza Szkola Informatyki in Bydgoszcz, Poland. His interests include cryptography, wireless network security and social engineering.

"The FBI warned consumers today about an ongoing threat involving pop-up security messages that appear while they are on the Internet. The messages may contain a virus that could harm your computer, be the cause of costly repairs, or even worse, lead to identity theft. The messages contain scareware, or rogue antivirus software that looks authentic… The FBI estimates scareware has cost victims more than $150 million." – www.fbi.gov

An antivirus program is currently the basic element of any security policy for fighting viruses and other broadly recognised malicious applications. It constitutes a user's first line of defence against increasingly sophisticated malware designed to penetrate their systems. For years, antivirus companies have built up their reputations, gaining recognition and trust among their users. Despite this, in the last few years we have encountered more and more cybercriminal attacks based upon exploiting that trust, as well as human naivety, fear and lack of knowledge. Rogue antivirus solutions, the subject of this article, are becoming an increasing plague not only for corporations, but also, and most importantly, for users unaware of the threat.

What are rogue antivirus solutions?

Rogue antivirus solutions are applications that employ various methods to persuade a user that their system is infected and that the only way to remove the threat is to buy an appropriate licence for the application. The methods used include frequently displaying irritating, fictitious messages, altering the browser's start page or changing the wallpaper.

There are many reasons why cybercriminals prefer this method. First of all, a user who is frightened by frequently appearing messages about a threat on their computer will be more inclined to pay for a solution to the problem. Secondly, if a user downloads an application of this type on their own they will probably agree to the installation, which makes it easier to get around security systems such as Windows UAC (User Account Control). Thirdly, along with a rogue antivirus solution, an attacker can install spyware, keyloggers and other malware onto the victim's disks. In this way, the cybercriminal not only receives money for a licence, but can later steal the victim's data.

The application itself is very obtrusive, as every now and then it floods the user with information about new threats and the necessity of buying the full version of the application to remove them. Fearing data loss, a desperate user will take a shortcut, believing that after purchasing the application their system will not only be disinfected, but that the application will protect their system against other threats too.

Why are such programs so successful? There are many reasons, but the most important of all is social engineering. The whole business is based upon it. Social engineering is the art of manipulating a human being, affecting them in such a way that they become vulnerable to the suggestions of others. Everything boils down to making a convincing presentation of the facts, in this case an alleged infection, and controlling a particular person for personal gain. The outcome is that the victim is persuaded to purchase an expensive licence.

At the beginning of the article I mentioned that cybercriminals try to make their 'products' appear similar to those offered by legitimate antivirus market giants. Naturally, this similarity begins and ends with copying the graphical interface style of a real program. There is no borrowing of any useful features in the copied applications. The aim is to mislead users, to convince them that what they have is a reputable program. It is easy to see that the website of the rogue antivirus program called 'Antivirus and Security' was modelled entirely on a Kaspersky Lab product. The similarities include the box, logo, colours, and even the window of the installed program that can be seen on the screen. Kaspersky Lab is not the only company to be exploited in this way. The same happens to Symantec, Avast, Avira, AVG and McAfee. Though the cybercriminals make their programs resemble products from these companies, the name of the rogue antivirus solution remains unchanged – 'Antivirus and Security'.

It is also worth noting that a similarity to known brands is not the only way of convincing users to buy a rogue antivirus solution. Other methods include:
• a table which purportedly allows a user to compare the level of protection offered by 'Antivirus Security' against solutions from other [legitimate] companies. Of course, the table shows supposed shortfalls in the products from the legitimate companies
• a list of bogus awards to highlight the exceptional characteristics of 'AV'
• confirming users' fears about system infections through such statements as 'System warnings are frequent' or 'Pop-ups interrupt web surfing'. It is obvious that rogue antivirus solutions display such warnings so that users will react promptly to them
• dividing the website into several sections such as 'Members', 'Support', 'Download' and 'Home' to make it appear more credible

Compromising the system

Rogue antivirus programs may infect a system in various ways. However, each of them involves social engineering and the manipulation of human beings. Fear often turns out to be the best motivation for people to act. It is usually fear that rogue antivirus solutions exploit so successfully, hence their alternative name – scareware.

Programs, plug-ins, codecs

The oldest method of infecting computers with scareware is by the use of Trojans. Once they have infected a system, these Trojans then download rogue antivirus programs. To persuade users to download such a file, a cybercriminal spreads a link to websites with interesting films or add-ons, e.g. for a browser. After entering the website, it turns out that the film cannot be played because the system lacks a certain codec or the latest version of Flash Player has not been installed. The same website then suggests downloading a file which will solve the problem. Naturally, this file is nothing more than a malicious program. The still widespread network worm Kido (Conficker) is an example of such malware, among whose many functions is the downloading of rogue antivirus programs which are supposed to help remove viruses and Trojans.
The user is informed about threats which in reality do not exist and of the necessity to pay for the program to activate its full functionality.

Online antimalware scanners

This form of system infection is effective in situations where a user suspects that their computer has been infected with a malicious program. When your operating system becomes slow, looking for files takes you longer than usual and the processor's activity is noticeably high, you know something is wrong and start to look for a solution. One option may be to scan your computer using an online scanner to find out whether the source of your problems is indeed a virus. The Internet is full of websites offering disc scanning, but unfortunately, some of them deliberately show false results. They are designed to persuade users to download the cybercriminals' own program, which will then 'solve the problem'. Once a user enters the website, a script is launched which supposedly shows the progress of a hard drive scan. This is an obvious deception and has nothing to do with your operating system (often even the names of folders and partitions differ from those that you have, which should be the first warning signal). To remove all the 'infections' you need to click 'Erase Infected', download the program and then pay $49.99 for the full version. The whole scanning process naturally takes place in the browser window.

Search Engine Optimization (SEO)

Basically, this method of computer infection is similar to the previous one; it even uses similar mechanisms. However, I think it is reasonable to treat them separately. SEO is a system of positioning websites in Internet search engines according to appropriate key words. Thus, it is quite often used to increase the positioning of websites containing false antivirus scanners, but not always. As we see more and more often, cybercriminals react very quickly to frequently searched phrases.
They create a website that is related to popular questions and position it in such a way that it appears on the first page of search engine results. Visiting such a website will end with either malware being downloaded or, as in the example above, the false scanning of a hard drive. Usually cybercriminals play upon hot news topics. For example, after the plane crash with the Polish president on board on 10 April 2010, websites quickly appeared which allegedly revealed unknown details of the tragedy. Unfortunately, once the site was entered, a message about the necessity of scanning the user's computer was displayed.

Image caption: Rogue antivirus programs may infect a system in various ways

Image caption: Find three differences between these products and a real Kaspersky Anti-Virus box

Attacks using 'iframe'

One method that is particularly difficult for a user to detect is an attack using hidden iframes. This can be achieved by adding the appropriate code to a website:

<iframe src="www.sample.xyz" width="1" height="1" style="visibility: hidden"></iframe>

Such an iframe will be invisible, and the user's browser will silently load content from www.sample.xyz, from which the downloading of a malicious program can be started. The user is frequently unaware of what is going on. The code can be injected after stealing the login and FTP account details from the computer of a person responsible for a website's content.

Gloomy statistics

There are many types of malicious programs designed to scare people into buying a licence for a worthless program. Their names may differ depending on the functionality and the way of packing/compressing the binary files. Thus, rogue antivirus programs may be covered by, among other examples, the following signatures: not-a-virus:FraudTool (this program is ascribed to the 'not a virus' category due to the lack of a malicious payload, apart from its attempts to persuade users to pay money for a non-functioning application), Trojan.Win32.RogueAV, Trojan.Win32.FraudPack or Trojan-Downloader.Win32.Agent. The diagram refers to FraudTool signatures and shows the Top 10 rogue antivirus programs.
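The hidden-iframe injection described under 'Attacks using iframe' is something a webmaster can scan their own pages for. The following Python script is an added example, not code from the article; it uses only the standard library's html.parser to collect every iframe in a page and reports the ones that show the tell-tale signs of the attack: a 1x1 or zero size, a style that hides the frame, or a frame pushed far off-screen. The sample page is constructed; www.sample.xyz is the placeholder name the article itself uses.

```python
"""Flag hidden iframes in a page, the injection technique described above.

Added example, not code from the article. The hiding-style patterns are an
assumption about what an injected frame typically looks like; a real scanner
would keep a longer list.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value is None for bare attributes
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _dimension(value: str):
    """Parse '1', '1px' or '0' into an int; None if not a plain pixel size."""
    m = re.fullmatch(r"\s*(\d+)(?:px)?\s*", value or "")
    return int(m.group(1)) if m else None


HIDING_STYLES = (
    r"visibility\s*:\s*hidden",
    r"display\s*:\s*none",
    r"(?:width|height)\s*:\s*0*1?px",      # width:0px / height:1px
    r"(?:left|top)\s*:\s*-\d{3,}px",        # pushed far off-screen
    r"opacity\s*:\s*0(?:\.0+)?(?:\s|;|$)",
)


def suspicious_reasons(attrs: Dict[str, str]) -> List[str]:
    """Return the reasons an iframe looks hidden; an empty list means it looks normal."""
    reasons = []
    w, h = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
    if (w is not None and w <= 1) or (h is not None and h <= 1):
        reasons.append(f"tiny size {attrs.get('width')}x{attrs.get('height')}")
    style = attrs.get("style", "").lower()
    for pattern in HIDING_STYLES:
        if re.search(pattern, style):
            reasons.append(f"hiding style matches /{pattern}/")
    return reasons


def find_hidden_iframes(html: str) -> List[Dict[str, object]]:
    """Scan a page and return every iframe that looks hidden, with its src and reasons."""
    collector = IframeCollector()
    collector.feed(html)
    hits = []
    for attrs in collector.iframes:
        reasons = suspicious_reasons(attrs)
        if reasons:
            hits.append({"src": attrs.get("src", ""), "reasons": reasons})
    return hits


# Constructed page: one legitimate embedded video frame and one injected frame.
SAMPLE_PAGE = """
<html><body>
<h1>Holiday photos</h1>
<iframe src="https://video.example/embed/42" width="640" height="360"></iframe>
<p>Thanks for visiting!</p>
<iframe src=www.sample.xyz width=1 height=1 style="visibility: hidden"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE_PAGE):
        print(hit["src"], "->", "; ".join(hit["reasons"]))
```

Only the second frame is reported, for both its size and its style. Running this over a site's pages after an FTP-credential compromise is a cheap way to spot injected frames, and the same parser can be pointed at fetched copies of third-party pages a site embeds.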
The data comes from the period March 2010 to mid-June 2010 and was generated by KSN (Kaspersky Security Network). Due to the huge number of signatures it is difficult to tell for sure just by the name whether a particular malicious program represents a group of rogue antivirus solutions or not.

Image caption: A fake scanner based on JavaScript looks quite genuine to an inexperienced user

Image caption: A bogus YouTube website. A false message informs the user that it is necessary to update their copy of Flash Player. Cybercriminals often covertly insert malicious programs into a user's system by this method, any one of which may be a rogue antivirus solution

Expert Comments

Costin Raiu, Director of the Global Research & Analysis Team at Kaspersky Lab

Why are rogue AV programs so effective?

"I think there are a number of different reasons for that, of which I will name the three most important. First of all, the computers belonging to people that do not use security solutions soon become infected. When they realise that they have an infection, they then start searching for solutions and very often end up on black SEO pages that promote Rogue AV tools. Secondly, many of these Rogue AV programs get delivered through zero day exploits, including from legitimate websites that have been injected with iframes or otherwise similarly compromised. This is mainly because it's almost impossible nowadays to keep up with all of the patches from all of the vendors without some kind of specialized tool to help you. Finally, many Rogue AV programs get installed by other malware, which originally infected the system through social engineering tricks. After all, the human link is still one of the major weaknesses in the security chain. That is why the Rogue AV model is so highly successful. It is based on the concept of selling something which is not entirely illegal in every country. Many users, once they discover they've been deceived, ask the bank for a reimbursement. Still, many will not realize they've been the victims of a fraud scheme and take the blame themselves. For this reason, I'm sure that Rogue AV programs are here to stay for a while. I should also say that the social engineering behind Rogue AV programs is pretty standard and is based on two main concepts: fear and reward. In all of these attacks, the cybercriminals try to scare the user into installing their products, or promise rewards if he or she does it. The number of variations based on these two main concepts is very high and new ideas appear almost every day; however, I think that in the future, the trends will continue to gravitate towards fear and reward."

Based on the above data a diagram was created showing which countries had the largest number of FraudTool.Win32 infections up to June 2010. First place goes to Vietnam with over 120,000 cases of infection. In total, there were 266,090 victims of FraudTool.Win32 in all of the countries monitored. The last graph shows the number of malicious programs detected on particular days for the period from March to June. From mid-March, the number of infections has systematically decreased. In March, there were 192,000 infections in total, in April 150,000, in May 135,000 and between 01 and 17 June 58,000 infections, which indicates that the number of infections in June will probably be even smaller than in May. However, this only suggests that, like everyone everywhere, cybercriminals also like to take their vacations in summer. As with other malware distribution, scareware peaks in spring, autumn and before New Year.

Summary

Rogue antivirus programs are quite successful, which seems to be confirmed by the fact that cybercriminals keep looking for new methods to entrap unwary users. Cybercriminals are getting better and better at making their products similar to known security applications. As a result, companies lose the trust of their customers, whilst the customers themselves, quite apart from money, can lose passwords and logins to bank and email accounts, social networks, etc. This means that the identity of the victim is under threat. We can easily predict what will happen next. With a new ID, a cybercriminal can open a bank account in somebody else's name and use it with impunity, as it is the victim that will be held responsible for the cybercriminal's actions. Microsoft, as the biggest software vendor, is also engaged in a campaign against this type of fraud.
Its website informs visitors how to remove an unwanted program and how to tell the difference between a false version of Windows Defender and the real one, which is built into the Windows system.

Image caption: The KSN Top 10 rogue antivirus programs from March 2010 to mid-June 2010. Information courtesy of Kaspersky Lab

Image caption: The number of malicious programs detected on particular days for the period from March to June 2010

How to avoid these threats

First of all, you should have an updated antivirus program installed on your computer that regularly scans the discs. If you want to download security updates, do it only from known and trusted websites or directly from the website of a particular solution's manufacturer. If you enter a website offering computer scanning, it is best to close the window using the Alt+F4 key combination, as clicking anywhere in the window often brings the same result – initiation of the download/scanning routine. The Windows system never warns about infections in an intrusive way (change of a start page, wallpaper etc.). If new icons or applications appear, you should immediately scan the whole computer using an antivirus program downloaded from one of the mainstream computer security providers' websites, and it is also worth installing script-blocking add-ons for the browser. Do not use the option of remembering passwords to an FTP account (especially important in the case of webmasters), and use automatic updating of the system and the programs installed on it. Also, work via a user account with limited rights for day-to-day tasks and enable UAC. However, the most important thing is to show common sense and not to click on links thoughtlessly. Although speed is an important element of security, as the reaction to threats should be as quick as possible, a user should think twice before approving an operation or entering a suspicious website.
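The 'Gloomy statistics' section above notes that rogue antivirus programs hide behind several detection names (not-a-virus:FraudTool, Trojan.Win32.RogueAV, Trojan.Win32.FraudPack, Trojan-Downloader.Win32.Agent) and that the name alone does not always settle whether a detection is a rogue AV. The following Python script is an added example, not code from the article or from Kaspersky Lab. It parses detection names using the structure visible in the article's own examples (an optional prefix before a colon, then dot-separated behaviour, platform and family, with an optional variant), classifies the rogue-AV ones and tallies them per family. The event list and the family keyword list are constructed for the example; the keyword list is an assumption, not a vendor's official taxonomy.

```python
"""Parse antivirus detection names and tally the rogue-AV related families.

Added example, not code from the article or from any vendor. The naming scheme
assumed here is the one the article's own examples show:
    [prefix:]Behaviour.Platform.Family[.variant]
Generic downloaders are deliberately not counted as rogue AV: the name says
nothing about what they fetch, which is the ambiguity the article points out.
"""
import re
from collections import Counter
from typing import NamedTuple, Optional


class Detection(NamedTuple):
    prefix: Optional[str]   # e.g. "not-a-virus" or "HEUR"; None when absent
    behaviour: str          # e.g. "Trojan", "FraudTool", "Trojan-Downloader"
    platform: str           # e.g. "Win32"
    family: str             # e.g. "RogueAV"
    variant: Optional[str]  # e.g. "a"; None when absent


_NAME_RE = re.compile(
    r"^(?:(?P<prefix>[A-Za-z0-9-]+):)?"        # optional "not-a-virus:" / "HEUR:"
    r"(?P<behaviour>[A-Za-z0-9-]+)\."
    r"(?P<platform>[A-Za-z0-9-]+)\."
    r"(?P<family>[A-Za-z0-9_-]+)"
    r"(?:\.(?P<variant>[A-Za-z0-9_-]+))?$"
)

# Behaviour classes and family keywords that mark a rogue AV in this example
# (assumed from the article's examples; a real triage list would be longer).
ROGUE_BEHAVIOURS = {"fraudtool"}
ROGUE_FAMILY_HINTS = ("rogueav", "fraudpack", "fakeav", "fraudtool")


def parse_detection(name: str) -> Optional[Detection]:
    """Split a detection name into its parts; None if it does not fit the scheme."""
    m = _NAME_RE.match(name.strip())
    if not m:
        return None
    return Detection(m["prefix"], m["behaviour"], m["platform"], m["family"], m["variant"])


def is_rogue_av(name: str) -> bool:
    """True when the behaviour class or the family name marks a rogue antivirus."""
    d = parse_detection(name)
    if d is None:
        return False
    fam = d.family.lower()
    return d.behaviour.lower() in ROGUE_BEHAVIOURS or any(h in fam for h in ROGUE_FAMILY_HINTS)


def rogue_av_top(names) -> Counter:
    """Count rogue-AV detections per family, ignoring the variant suffix."""
    counts = Counter()
    for n in names:
        if is_rogue_av(n):
            d = parse_detection(n)
            counts[f"{d.behaviour}.{d.platform}.{d.family}"] += 1
    return counts


# Constructed detection log, one name per event (sample data, not KSN figures).
SAMPLE_EVENTS = [
    "not-a-virus:FraudTool.Win32.XPAntivirus.abc",
    "not-a-virus:FraudTool.Win32.XPAntivirus.xyz",
    "Trojan.Win32.RogueAV.b",
    "Trojan.Win32.FraudPack.acq",
    "Trojan-Downloader.Win32.Agent.dbk",   # may fetch a rogue AV, but the name does not say
    "Trojan.Win32.RogueAV.c",
    "HEUR:Trojan.Win32.Generic",
    "garbage-name-without-structure",
]

if __name__ == "__main__":
    for family, count in rogue_av_top(SAMPLE_EVENTS).most_common():
        print(f"{count:3d}  {family}")
```

The tally groups variants under their family, which is how a chart like the KSN Top 10 in the article is built; the downloader and the heuristic generic detection are left out because nothing in their names identifies a rogue AV.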
Artificial Intelligence in the realm of IT security

Article by Oleg Zaitsev, Chief Technology Expert at Kaspersky Lab

Oleg joined Kaspersky Lab in 2007 as a Developer in the Complex Threat Analysis Group. He was promoted to Technology Expert in November 2008 and is responsible for carrying out research into new detection and disinfection technologies, investigating and disinfecting remote systems and analyzing the behavior of malware.

Is it possible to define human intelligence so precisely as to be able to then simulate it with the aid of machines? That is still very much a bone of contention among the scientific community. Developers who are trying to create artificial intelligence use widely varying approaches. Some of them believe that artificial neural networks are the way forward, others the manipulation of symbols. As things stand today, no device containing artificial intelligence has successfully passed the Turing test. The famous British computer scientist Alan Turing stated that in order for a machine to be classed as truly intelligent in its own right, a user should be completely unable to distinguish whether they are interacting with a machine or another human being. One potential application of autonomous artificial intelligence is in the field of computer virology and the provision of remote computer maintenance.

The main task facing artificial intelligence (AI) researchers at present is to create an autonomous AI device fully capable of learning, making informed decisions and modifying its own behavioral patterns in response to external stimuli. It is possible to build highly specialized bespoke systems, and it is possible to build more universal and complex AI; however, such systems are always based upon experience and knowledge provided by humans in the form of behavioral examples, rules or algorithms.

Why is it so difficult to create autonomous artificial intelligence? It is difficult because a machine does not possess such human qualities as animated thought, intuition, an ability to differentiate between the important and the minor and, most importantly, it lacks the thirst for new knowledge. All of these qualities endow mankind with the ability to arrive at solutions to problems, even when those problems are not linear. In order to do proper work, AI currently requires algorithms that have been predetermined by humans. Nevertheless, attempts to reach the holy grail of true AI are constantly being made and some of them are showing signs of success.

Manual labor expenses

The process of malware detection and the restoration of normal operating parameters on a computer involves three main steps. That rule applies regardless of whom or what undertakes each step, be it a man or a machine. The first step is the collection of objective data about the computer under investigation and the programs it is running. This is best achieved by the use of high-speed, automated equipment capable of producing machine-readable reports and operating without human intervention. The second step involves subjecting the collected data to detailed scrutiny. For example, if a report shows that a suspicious object has been detected, that object must be quarantined and thoroughly analyzed to determine its level of threat, and a decision taken regarding what further actions are required. The third step is the actual procedure of treating the problem, for which a special scripting language can be used. This contains the commands required for the removal of any malware files and the restoration of the normal operating parameters of the computer.

Generally speaking, just a few years ago steps two and three were performed by analysts working for IT security companies and experts on specialized forums using almost no automation. However, the increase in the number of users becoming malware victims and subsequently needing help led to a number of problems, namely:

• When protocols and quarantine files are being processed manually, a virus expert is faced with huge volumes of continually changing information that needs to be absorbed and fully understood, a process which is never fast.
• A human being has natural psychological and physiological limits. Any specialist can get tired or make a mistake; the more complex the task, the higher the chances are of making a mistake. For example, an overburdened virus expert may not notice a malware program, or conversely, may delete a legitimate application.
• The analysis of quarantined files is a very time-consuming operation because the expert needs to consider the unique features of each sample, i.e., where and how it appeared and what is suspect about it.

The abovementioned problems can only be resolved by fully automating the analysis and treatment of computer malware; however, numerous attempts to do this by the use of different algorithms have so far yielded no positive results. The main reason for this failure lies in the fact that malware is constantly developing and that every day, dozens of new malware programs with ever more sophisticated methods of embedding and disguising themselves appear on the Internet. As a result, detection algorithms need to be ultra-complex and, worse still, become outdated very rapidly and need to be kept constantly up to date and debugged. Another problem, of course, is that the effectiveness of any algorithm is naturally limited by the ability of its creators. The utilization of expert systems in virus ‘catching’ appears to be a little more effective. Developers of expert antivirus systems face similar problems: the effectiveness of a system depends upon the quality of the rules and knowledge bases that it uses. Additionally, these knowledge bases have to be constantly updated and, once again, that means spending on human resources.
General principles of operation of the Cyber Helper system

Despite the difficulties, experiments in this field have over time led to some success: the Cyber Helper system was created, a successful attempt at getting nearer to employing true autonomous AI in the battle against malware. The majority of Cyber Helper’s autonomous subsystems are able to synchronize, exchange data and work in unison with one another. Naturally they contain some ‘hard’ algorithms and rules like conventional programs do, but for the most part they operate using fuzzy logic and independently define their own behavior as they go about solving different tasks.

At the heart of the Cyber Helper system is a utility called AVZ that was created by the author in 2004. AVZ was especially designed to automatically collect data from suspect computers and malware and store it in machine-readable form for use by other subsystems. The utility constructs reports of its examination of a computer system in HTML format for human consumption and XML for machine analysis. From 2008 onwards, the core AVZ program has been integrated into Kaspersky Lab’s antivirus solutions.

The system’s operating algorithm consists of six steps. During the first step, the core AVZ program performs an antivirus scan on the infected computer and transfers the results it receives in XML format to the other Cyber Helper subsystems for analysis. The system analyzer studies the received protocol based on the enormous volumes of data already available relating to familiar malware programs, any previously performed remedial actions undertaken on similar cases, as well as other factors besides. In this respect, Cyber Helper resembles a living, working human brain, which in order to be productive must accumulate knowledge about its surrounding environment, especially during the period in which it is establishing itself. In order for children to become fully developed it is vital that they are continually aware of what is happening in their world and that they can readily communicate with other people. Here the machine has the advantage over man, as it is able to store, extract and process much larger volumes of information than people can in a given time span.

Figure: The Cyber Helper system’s general operation algorithm, steps 1 to 6 (users’ PC; system analyzers 1 to N; the system’s AI, Cyber Helper; experts and analysts).

Figure: When a request for treatment is made it is important to provide answers to all the questions concerning the system.
One more similarity between Cyber Helper and human beings is that Cyber Helper is able to independently, and with almost no prompting, undertake the process of protocol analysis and constantly teach itself in an ever-changing environment. When it comes to self-learning, the main difficulties for Cyber Helper concern the following three problems: mistakes made by human experts that the machine is not intuitive enough to resolve; incompleteness and inconsistency of program information; and the multiple refining of data and delays in data entry. Let’s look at them in more detail.

The complexity of realization

Experts processing protocols and quarantine files can make mistakes or perform actions that cannot be logically explained from a machine’s perspective. Here’s a typical example: when a specialist sees an unknown file in a protocol with the characteristics of a malware program, called %System32%ntos.exe, the specialist deletes such a file without quarantining it and analyzing it further, based on their experience and intuition. Thus the details of the actions performed by the specialists and how they arrive at their conclusions cannot always be transferred directly into something that the machine can be taught.

On many occasions, incomplete and contradictory treatment information is encountered. For example, before seeking the specialized assistance of an expert, a user may have tried to remedy his or her computer and deleted only a part of a malware program, restoring infected program files but not cleaning the registry in the process.

Finally, the third typical problem: during the protocol analysis procedure, only metadata from a suspect object is available, whilst after analysis of the quarantined file, only initial information about the suspect objects is available.
Then the categorization of an object takes place, the outcome being that it either represents a malware program or a ‘clean’ program. Such information is usually only available after repeated refinement and some considerable time, from minutes up to months even. The defining process may take place both externally in an analytical services laboratory, as well as inside Cyber Helper’s own subsystems. Let’s look at a typical example: an analyzer checks a file but finds nothing dangerous in the file’s behavior and passes this information on to Cyber Helper. After a while the analyzer is upgraded and repeats its analysis of the suspect file that it examined earlier, only this time it returns the opposite verdict to that which it issued previously. The same problem can occur in relation to the conclusions drawn by specialist virus analysts for those programs with an arguable classification, for example, programs for remote management systems, or utilities that cover a user’s tracks: their classification may change from one version to the next.

The peculiarity mentioned above, the volatility and ambiguity of the analyzed programs’ parameters, has resulted in any decisions taken by Cyber Helper being based on more than fifty different independent analyses. The priorities in every type of research and the significance of its results are constantly changing, along with the process of self-learning for the intelligent system. On the basis of information available at the present time, the Cyber Helper analyzer provides a number of hypotheses with regard to which of the objects present in a protocol may constitute a threat and which can be added to the database of ‘clean’ files. On the basis of these hypotheses, AVZ automatically writes scripts for the quarantining of suspicious objects. The script is then transferred to the user’s machine for execution (step 2 of the Cyber Helper system’s general operation algorithm).

Figure: Once a request has been formulated the system once again displays it to the operator so that the operator can check that all of the input data is correct.

Figure: An example of an instruction and script for treatment/quarantine written by the Cyber Helper system without any human participation.

At the stage at which the script is written it may be that the intelligent system has detected data that is clearly nefarious. In this case, the script can include the delete commands for known malware programs or call for special procedures to restore known system damage. Such situations happen quite often and are due to the fact that Cyber Helper simultaneously processes hundreds of requests; this is typical in situations where several users have suffered at the hands of the same malware program and their machines are requesting assistance. Having received and analyzed the required samples from one of the users’ machines, Cyber Helper is able to provide other users with the treatment scripts, omitting the quarantine stage completely and thereby saving users’ time and data traffic. Objects received from the user are analyzed under the control of Cyber Helper and the results enlarge the Cyber Helper knowledge base regardless of the outcome. That way the intelligent machine can check any hypotheses arrived at in step 1 of the general operation algorithm, consequently providing confirmation, or otherwise, of the outcome.

Cyber Helper’s technical subsystems

Cyber Helper’s main subsystems are autonomous entities that analyze program files for content and behavior. Their presence allows Cyber Helper to analyze malware programs and teach itself from the results of its endeavors.
If the analysis clearly confirms that an object is malevolent, that object is passed to the antivirus laboratory with a high-priority recommendation to include it in the antivirus databases; a treatment script is then written for the user (step 5 of the general algorithm). It is important to note that, despite analyzing an object, Cyber Helper cannot always make a categorical decision regarding the nature of the object. When such a situation occurs, all of the initial data and results collected are passed on to an expert for analysis (step 6). The expert will then provide the required treatment solution. Cyber Helper is not involved with the process, but continues to study the received quarantines and protocols, generating reports for the expert and thereby freeing them from the lion’s share of routine work.

At the same time, the AI system’s ‘non-intervention policy’ regarding the expert’s work is not always applied; dozens of cases are known in which the intelligent machine has discovered mistakes in the actions of humans by referring to the experience it has accumulated and the results of its own analysis of an object. In such cases, the machine may start by interrupting the analytical and decision-making process and send a warning to the expert before going on to block the scripts that are to be sent to the user, which from the machine’s perspective could harm the user’s system.

The machine carries out much the same control over its own actions. While the treatment scripts are being developed, another subsystem simultaneously evaluates them, preventing any mistakes that may occur. The simplest example of such a mistake might be when a malware program substitutes an important system component. On the one hand it is necessary to destroy the malware program, while on the other, to do so may result in irrecoverable system damage.
These days, Cyber Helper is successfully integrated into the http://virusinfo.info/index.php?page=homeenglangid=1 antivirus portal and forms the basis of the experimental 911 system (http://virusinfo.info/911test/). In the ‘911 system’, Cyber Helper communicates directly with the user: requesting protocols, analyzing them, writing scripts for the initial scan and performing quarantine file analysis. In accordance with the results of its analysis, the machine is permitted to carry out treatment of the infected computer. Furthermore, Cyber Helper assists the work of the experts by finding and suppressing any dangerous mistakes, carrying out initial analyses of all the files placed in quarantine by the experts and processing the quarantined data before adding it to the database of ‘clean’ files. The technology behind Cyber Helper and its principle of operation are protected by Kaspersky Lab patents.

Conclusion

Modern malware programs act and propagate extremely fast. In order to respond immediately, the intelligent processing of large volumes of non-standard data is required. Artificial intelligence is ideally suited to this task; it can process data far in excess of the speed of human thought. Cyber Helper is one of only a handful of successful attempts to get closer to the creation of autonomous artificial intelligence. Like an intelligent creature, Cyber Helper is able to self-learn and define its own actions in an independent manner. Virus analysts and intelligent machines complement one another extremely well, working together more effectively and providing users with more reliable protection.

Figure: The 911 services available on the VirusInfo website can be used by anyone who wants to
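As an added illustration (not Kaspersky Lab’s AVZ or Cyber Helper code), the following Python sketch models the decision flow described in this article: several independent analyzers score each object listed in a constructed AVZ-style XML protocol, the weighted combination becomes a hypothesis (malicious, clean or uncertain), a treatment script is written from the hypotheses, and a script-checking step refuses to delete a protected system component and hands that case to an expert instead. The XML format, the analyzers and their weights, the paths and the protected-component list are all assumptions made for the example.

```python
"""Toy model of a Cyber Helper-style decision pipeline.  Added illustration,
not Kaspersky Lab's AVZ/Cyber Helper code: the protocol format, the analyzers,
their weights and the protected-component list are constructed assumptions."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed AVZ-like XML protocol (the machine-readable output of step 1).
# Paths and attributes are invented; 'known' is the knowledge base's verdict.
PROTOCOL_XML = """<protocol>
  <object path="C:\\Windows\\System32\\ntos.exe" signed="no" autostart="yes" hidden="yes" known="none"/>
  <object path="C:\\Windows\\System32\\winlogon.exe" signed="no" autostart="yes" hidden="no" known="malware"/>
  <object path="C:\\Program Files\\Editor\\editor.exe" signed="yes" autostart="no" hidden="no" known="clean"/>
  <object path="C:\\Users\\u\\AppData\\update.exe" signed="no" autostart="no" hidden="no" known="none"/>
</protocol>"""

# Components a treatment script must never simply delete: removing them leaves
# the machine unbootable, so the case goes to an expert instead (hypothetical list).
PROTECTED = {"c:\\windows\\system32\\winlogon.exe", "c:\\windows\\system32\\ntdll.dll"}

MALICIOUS, CLEAN, UNCERTAIN = "malicious", "clean", "uncertain"

@dataclass
class Obj:
    path: str
    signed: bool
    autostart: bool
    hidden: bool
    known: str  # "clean", "malware" or "none"

def parse_protocol(xml_text):
    """Read the machine-readable protocol into Obj records."""
    root = ET.fromstring(xml_text)
    return [Obj(o.get("path"), o.get("signed") == "yes", o.get("autostart") == "yes",
                o.get("hidden") == "yes", o.get("known")) for o in root.iter("object")]

# Independent analyzers.  Each returns (score, weight): score in [-1, 1], negative
# meaning clean and positive malicious; weight says how much the verdict counts.
def analyzer_knowledge_base(o):
    return {"clean": (-1.0, 3.0), "malware": (1.0, 3.0)}.get(o.known, (0.0, 0.0))

def analyzer_heuristic(o):
    # Unsigned + autostart + hidden is a classic dropper profile.
    score = (0.4 if not o.signed else -0.2) + (0.3 if o.autostart else 0.0) + (0.5 if o.hidden else 0.0)
    return (max(-1.0, min(1.0, score)), 1.0)

def analyzer_location(o):
    # An unsigned file in System32 is either a system file or a dropper: weak evidence.
    return (0.2, 0.5) if "system32" in o.path.lower() and not o.signed else (0.0, 0.0)

ANALYZERS = [analyzer_knowledge_base, analyzer_heuristic, analyzer_location]

def hypothesis(o, threshold=0.6):
    """Weighted combination of the analyzers' verdicts.  Returns (verdict, score)."""
    results = [a(o) for a in ANALYZERS]
    total_w = sum(w for _, w in results)
    if total_w == 0:
        return UNCERTAIN, 0.0
    score = sum(s * w for s, w in results) / total_w
    if score >= threshold:
        return MALICIOUS, score
    if score <= -threshold:
        return CLEAN, score
    return UNCERTAIN, score

def plan_treatment(objects):
    """Write the treatment/quarantine script and list what goes to an expert.
    The script-checking step downgrades a delete of a protected component to a
    quarantine plus a warning, so an expert decides how to repair the system."""
    script, to_expert, warnings = [], [], []
    for o in objects:
        verdict, _ = hypothesis(o)
        if verdict == CLEAN:
            script.append(f"AddToCleanDB('{o.path}')")
        elif verdict == MALICIOUS and o.path.lower() in PROTECTED:
            warnings.append(f"refused DeleteFile on protected component {o.path}")
            script.append(f"QuarantineFile('{o.path}')")
            to_expert.append(o.path)
        elif verdict == MALICIOUS:
            script.append(f"DeleteFile('{o.path}')")
        else:  # uncertain: quarantine for analysis and let an expert decide
            script.append(f"QuarantineFile('{o.path}')")
            to_expert.append(o.path)
    return script, to_expert, warnings

if __name__ == "__main__":
    objs = parse_protocol(PROTOCOL_XML)
    for o in objs:
        print(f"{o.path}: {hypothesis(o)}")
    s, e, w = plan_treatment(objs)
    print("\n".join(s), "\nexpert:", e, "\nwarnings:", w)
```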
Under control

Security systems are constantly being perfected and, while the traditional signature-based technologies are only able to handle known threats, the solutions for monitoring system events that have appeared recently can detect threats and anomalous behavior in computer systems that virus analysts are as yet completely unfamiliar with.

Article by Elmar Török

Elmar Török has been working in the IT industry since 1989. He became an author and technical journalist in 1993 while studying electrical engineering in Munich and Kempten. Since then he has written hundreds of articles for just about every major computer and networking publication in Germany. Elmar specializes in IT security and storage issues, has a solid knowledge of server-related topics and knows his way around virtualization. He is the Editor-in-Chief of the security periodical “Infodienst IT-Grundschutz” and is involved in the final acceptance process of new material for the IT-Grundschutz Catalogues of the Federal Office for Information Security.

The traditional approach to malware protection has always been to firstly analyze the specific characteristics of each piece of malware, create a database of such features that is as comprehensive as possible and then block those programs that display any of the recorded malware characteristics. The main drawback of such signature-based methods is that they only provide protection against known threats, and information about each threat has to be collected separately. As a result, it is only possible to get a very limited idea of what is going on with the computer system as a whole, whereas to achieve a good level of security it is necessary to have as precise a picture as possible of the ever-changing threatscape and system anomalies.

System monitoring: a new level of protection

System monitors record every important change to the system, including destructive changes, for example, unwanted entries in the system registry and unauthorized file modifications. Destructive behavior is the most characteristic, precise and identifying feature of malware, and that is true for both known and as yet unknown varieties, which is why system monitoring is universal: it is effective against any software that behaves as malware. Once legitimate parameters and events have been defined for a given system, it is possible to detect everything that occurs outside these limits, including unknown anomalies. In many cases this approach is simpler than trying to conceive of every type of threat in advance in order to devise and implement suitable protective strategies accordingly. System monitoring is especially valuable if one considers that new malware attacks and threats are constantly being developed and perfected. For example, it allows new threats and anomalies to be detected that may be based on new methods of penetrating a system and obfuscating malware. System monitoring provides flexible protection.

It is possible to draw an analogy between whitelisting and blacklisting software technologies. Blacklists contain malware and destroy everything that is on the list, whilst whitelists contain legitimate programs and allow only those programs on the list to have access to the necessary system resources. In both cases, reliable protection would only be achieved if the lists were kept fully up-to-date, which is an impossible task given the sheer volume of new malware and legitimate programs appearing daily. That is why the most reasonable and flexible approach is to involve both types of list, white and black. What’s important is that system monitoring, if implemented correctly, makes it possible to roll back the activity of malicious programs and restore the computer’s normal operating parameters.

Analysis of system events

Dependable system monitoring capabilities can be achieved by integrating the system monitoring software with a high-quality, intelligent threat analysis system. It is not enough to simply collect information about system events; it is necessary to correctly define the sources of such events, as well as their interconnections and influence on the system’s security. The monitoring system’s functionality must be flexible, and its methodology can differ depending upon its aims. When threats are detected, a comparison with known models of malware behavior is used. When unknown anomalies are detected, system events and statuses need to be analyzed as a whole and deviations from the norm identified in order to trigger an appropriate response. To achieve full system protection using system monitoring techniques, the monitoring software has to be able to analyze events in real time in order to be able to block and roll back destructive actions immediately.
Conclusion

Modern threats are constantly mutating, demanding new and more effective methods of protection against them. System event monitors meet these requirements by providing the maximum amount of information about system activities to analytical modules that can decide what, if any, response is needed. Using an analogy, the traditional signature-based technologies can be compared with the identification of criminals by their fingerprints; but if the fingerprint database is not complete, then system monitoring can be employed, and this is like establishing total control over a protected territory and monitoring the situation so closely that criminals cannot help but be identified as soon as they set out to do something nefarious.

Figure: The latest version of Kaspersky Internet Security 2011 makes it possible to control the activities of applications.

Expert Comments

Modern antivirus solutions must include system monitoring software. Kaspersky Lab was one of the first companies to recognize the end-user benefits of this technology and introduced it into Kaspersky Internet Security 2010. This has since been followed by its integration into the 2011 versions of Kaspersky Anti-Virus and Kaspersky Internet Security. In the 2011 solutions, the monitoring software is a separate module and is known as ‘System Watcher’. In Kaspersky Lab’s solutions, System Watcher monitors and records information about the creation and modification of files, changes to the registry, operating system calls and the transfer of data to and from the Internet. The data collection process is automatic and requires no input from the user. Most importantly, System Watcher allows any potential changes caused by malware to be rolled back. We have not only implemented System Watcher, but integrated it with several analytical modules. Based upon the data that it collects, System Watcher is able to make a decision about the potential malignancy of a program using its ‘Behavior Stream Signatures’ module. System Watcher can also actively exchange information with the other modules used to analyze program behavior, such as the proactive protection module, the attack prevention system, the antivirus engine and the Internet screen.

Nikolay Grebennikov, Chief Technology Officer at Kaspersky Lab

Figure: A general overview of a typical application activity analysis system.
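As an added example, not System Watcher’s implementation or any Kaspersky Lab code, the following Python sketch shows the mechanics this article describes: a journal records each process’s file and registry changes together with their before-images, the event stream is matched against a constructed behavior-stream signature (drop an executable, register it for autostart, modify a system file, send data out), and once the signature completes every change made by the flagged process is rolled back while a legitimate process’s edits are left untouched. The event format, the signature, the paths and the sample event stream are all constructed assumptions.

```python
"""Toy model of a System Watcher-style event journal with behaviour-stream
signature matching and rollback.  Added illustration, not Kaspersky Lab's
implementation: the event format, the signature and the sample stream are
constructed for the example."""
from collections import defaultdict

class System:
    """Simulated machine state: file contents and registry values."""
    def __init__(self):
        self.files = {"C:\\Windows\\System32\\drivers\\etc\\hosts": "127.0.0.1 localhost\n",
                      "C:\\Users\\u\\report.docx": "draft 1"}
        self.registry = {}

# Constructed behaviour stream signature: these coarse event kinds must occur in
# this order within one process's stream; unrelated events may sit in between.
DROPPER_SIGNATURE = ("file_create_exe", "reg_autostart", "file_modify_system", "net_send")

def classify(ev):
    """Map a raw journal event to the coarse kind that signatures are written in."""
    kind, target = ev["kind"], ev["target"].lower()
    if kind == "file_create" and target.endswith(".exe"):
        return "file_create_exe"
    if kind == "reg_set" and "\\currentversion\\run\\" in target:
        return "reg_autostart"
    if kind == "file_modify" and target.startswith("c:\\windows\\"):
        return "file_modify_system"
    return kind

class Watcher:
    def __init__(self, system):
        self.sys = system
        self.journal = defaultdict(list)  # pid -> events, each with its before-image
        self.flagged = set()

    def record(self, pid, kind, target, new=None):
        """Apply the event to the system, journal what is needed to undo it and
        re-check the process against the signature.  Returns True once flagged."""
        ev = {"kind": kind, "target": target, "new": new, "old": None}
        if kind in ("file_create", "file_modify"):
            ev["old"] = self.sys.files.get(target)  # None if the file did not exist
            self.sys.files[target] = new
        elif kind == "reg_set":
            ev["old"] = self.sys.registry.get(target)
            self.sys.registry[target] = new
        self.journal[pid].append(ev)
        if self.matches(pid, DROPPER_SIGNATURE):
            self.flagged.add(pid)
        return pid in self.flagged

    def matches(self, pid, signature):
        """In-order subsequence match of the signature against the process stream."""
        i = 0
        for ev in self.journal[pid]:
            if i < len(signature) and classify(ev) == signature[i]:
                i += 1
        return i == len(signature)

    def rollback(self, pid):
        """Undo every journaled change of the process, newest first."""
        store = {"file_create": self.sys.files, "file_modify": self.sys.files,
                 "reg_set": self.sys.registry}
        for ev in reversed(self.journal[pid]):
            if ev["kind"] not in store:
                continue  # e.g. net_send: nothing on the machine to restore
            target_store, t = store[ev["kind"]], ev["target"]
            if ev["old"] is None:
                target_store.pop(t, None)  # did not exist before: remove it
            else:
                target_store[t] = ev["old"]
        self.journal[pid].clear()
        return True

def demo():
    """Legitimate editor (pid 100) and a constructed dropper (pid 200) side by side."""
    machine = System()
    w = Watcher(machine)
    w.record(100, "file_modify", "C:\\Users\\u\\report.docx", "draft 2")
    w.record(200, "file_create", "C:\\Temp\\svc.exe", "MZ...")  # constructed payload
    w.record(200, "reg_set",
             "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc", "C:\\Temp\\svc.exe")
    w.record(200, "file_modify",
             "C:\\Windows\\System32\\drivers\\etc\\hosts", "192.0.2.1 bank.example\n")
    if w.record(200, "net_send", "198.51.100.7:80", "..."):  # signature now complete
        w.rollback(200)
    return machine, w

if __name__ == "__main__":
    m, watcher = demo()
    print("flagged:", watcher.flagged)
    print("files:", m.files)
    print("registry:", m.registry)
```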
Weak links

Our forecasts regarding the development of threats usually look closely at any new methods by which viruses proliferate, new platforms upon which threats may appear and aspects of the cybercriminals’ existence from the point of view of their income. However, the principal factor lying at the root of the problem has always been, and will remain, the human factor.

Article by Aleks Gostev, Chief Security Expert at Kaspersky Lab

Aleks led the Global Research & Analysis Team from 2008, before moving to his current position as Chief Security Expert with the team in 2010. Aleks specializes in all aspects of information security, including mobile malware. His responsibilities include the detection and analysis of new malware. Aleks’ research and analytical articles are published both on dedicated IT sites and in the mass media.

The main threat

Currently, however, the majority of cases of virus infection occur while the user goes about their business on the Internet. The now ubiquitous ‘drive-by download’ virus technology has pushed the threat up to new levels: despite the name, the user doesn’t even have to actually download any files from the Internet, but may at any time visit a malware site, or a legitimate site that has been compromised by an exploit, and end up with an infected computer as a result. The exploitation of vulnerabilities has become an even more effective means of proliferating viruses than ‘social engineering’ techniques, and that is something that the information security industry has still not got used to. Many software development companies that produce programs containing vulnerabilities appear to struggle when it comes to restructuring their processes, not just from the point of view of reducing the number of vulnerabilities, but also in how efficient they are at addressing the problem. The situation whereby unpatched threats are actively proliferating across the Internet is, quite worryingly, starting to become the norm rather than the exception. As I sit here writing this article, I know of a minimum of three critical vulnerabilities in popular products that have, as yet, not been addressed by their developers. It would not be a great surprise if they remain unaddressed for some time after this article is published. The security aspects relating to the creation of other popular Internet resources, primarily social networks, are equally woeful. XSS vulnerabilities are being detected in some of the most popular resources with alarming frequency, which adds yet another layer of threats to the already sizeable problem being considered.

Thus the exploitation of vulnerabilities in order to spread malware and steal information is now extremely commonplace and not at all the rarity that it once was. Right now, even cybercriminals without any proper knowledge of programming are able to use ready-made ‘exploit packs’ to distribute their Trojan programs. This provides them with the ability to reach a vastly bigger number of computers than they could ever have hoped to reach through the use of social engineering alone. It has to be acknowledged that the danger presented by software vulnerabilities is growing by the day. Until recent times, the antivirus industry as a whole has been reactive rather than proactive in its approach to detecting exploits and/or informing users about vulnerable applications on their computers. Antivirus software companies are only just taking the first steps towards the development of multilayered protection systems to combat threats of this type, with the introduction of basic tools that can identify and protect against such vulnerabilities. Obviously this is not enough, but the process of creating the required new technologies, their development and their implementation is time consuming. However, even if we are able to turn the tide and make the exploitation of vulnerabilities as rare an event as it was 10 years ago, the notorious ‘human factor’ will always remain.

Industrial espionage

The existence of multiple ‘zero-day’ vulnerabilities opens up many new possibilities for the cybercriminals, not least in the area of attacking companies, research institutes and governmental organizations. Whereas previously one of the main problems experienced by these entities was the human factor, usually involving insider action or staff negligence, today’s threats mean that such companies and organizations have had to completely redefine their corporate protection strategies. The most prolific example of the new type of threat is the Stuxnet worm, which was first detected during the summer of 2010. Its target was to gain access to, and information from, the systems that manage production using Siemens Simatic WinCC and which work on the SCADA platform. Apart from its unusual functionality, the worm exploited a zero-day vulnerability in Windows for the purposes of self-proliferation. This vulnerability was known to the cybercriminals at least half a year before security experts managed to detect it, so we can only guess who has been using it and for what purpose.

What is even more alarming is that a conflict of interests between the cybercriminals and governmental institutions can be expected in the field of industrial espionage. Previously, the scope of the cybercriminals’ attacks was limited to harassing the everyday user en masse, and only rarely did they carry out successful attacks on financial organizations, payment systems and online shops. Back then the criminals’ main aim was to gain access to user accounts. However, during the course of its evolution, the world of cybercriminality performed a spiral maneuver which has seen it return to the same point from which it started, but on a new and higher level. The starting point that we are talking about here is the realization of the value of information in today’s society. Often, a successful attack on a company’s infrastructure will net the cybercriminals far more significant profits than they would otherwise receive through the mass viral infection of home users’ computers. The development of information processes and the involvement in this sphere of new areas of human activity leads to a situation where information previously unavailable to the remote attacker is now accessible to them. At the same time, the range of information that is of interest to the criminals has become even wider. If in times gone by it was financial information and users’ personal data that were the target of the hacker, it is now more often than not technical data and research information they are after.
Alternative methods of entry

As we stated above, an attack via a user’s web browser is the most common method by which a threat infiltrates a computer. At the same time, it is worth remembering that there are many other ways into a user’s system, and those other routes are currently receiving a great deal of attention from the cybercriminals and are under constant development.

File sharing networks have become the most rapidly growing channel for the distribution of malware. To illustrate the scale of the problem, consider the Mariposa botnet saga, whose authors and owners were arrested in Spain and Slovenia this summer. According to the FBI report, over its lifetime the botnet comprised some 12 million computers located across 190 countries. Its main method of propagation was P2P networks. Christopher Davis, CEO of Defense Intelligence, who first discovered the Mariposa botnet, explains: “It would be easier for me to provide a list of the Fortune 1000 companies that weren’t compromised, rather than a long list of those who were.”

During the first half of 2010, practically every noteworthy release of a pirated version of a popular game or software application contained a Trojan component, spread with the pirates’ distribution over file sharing networks. In July, Microsoft announced that they had detected several viruses in unlicensed copies of the game StarCraft II. As the quality of protection against browser attacks grows, the vector of entry will doubtless shift more and more towards file sharing networks.

Antivirus clouds

Practically all of the major antivirus companies have started using in-the-cloud technologies or are planning to use them in the near future.
Despite their undoubted advantages in the struggle against attacks, in-the-cloud technologies are themselves sure to become a prime target for the cybercriminals. Up to now the eternal conflict between virus and antivirus has largely been fought at the level of files and processes on end users’ machines: malware has tried to destroy the antivirus system by various means, or to persuade the user to switch it off themselves. With the arrival of cloud-based detection and categorization, a new front has opened in this war. Malware programs, or more precisely their authors, will have to solve the problem of attacking the cloud.

Although it is technically all but impossible to destroy the cloud (mass DDoS attacks aside), it is quite vulnerable in terms of its own functionality: receiving, processing and sending information to and from the end users. Problems in the very architecture of the majority of antivirus clouds will be actively exploited by the cybercriminals, and the first examples can be seen already. The most widespread and simplest method of disabling cloud technologies is to block the computer’s access to the cloud. More complex methods include the substitution of data, with the aim of ‘trashing’ the cloud with false information, and the modification of the data received from the cloud.

Such ‘trashing’ is probably the most dangerous threat. Blocking access to the cloud, or modifying responses from it, affects only the infected users, but feeding false data into the cloud influences every single user. This would bring with it not only an absence of detection but also a more serious problem: false positives, which would lead to a general decline in trust in cloud-based technologies and to the need to revise or alter their operating algorithms.
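The three attack classes just described (blocking the client’s access to the cloud, ‘trashing’ the cloud with false telemetry, and modifying the cloud’s responses) can be made concrete with a small simulation. The Python below is an added illustration written for this edit, not code from Kaspersky Lab or from the article; the toy reputation service, its quorum and per-client budget rules, the pinned HMAC key and the file hashes are all constructed for the example.

```python
import hashlib
import hmac
import json
from collections import defaultdict

# Assumed for the example: the client holds a pinned key for checking cloud
# responses. A real product would use a public key and a signature, not a
# shared HMAC secret living on every endpoint.
CLOUD_KEY = b"constructed-demo-key"


def file_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ReputationCloud:
    """Toy reputation cloud: verdicts are derived from client telemetry."""

    QUORUM = 3                  # distinct reporters needed before a file is called malicious
    MAX_REPORTS_PER_CLIENT = 5  # submission budget per reporter

    def __init__(self):
        self.malicious_votes = defaultdict(set)  # digest -> reporter ids
        self.report_count = defaultdict(int)     # reporter id -> submissions seen

    def submit(self, reporter_id: str, digest: str) -> bool:
        """Accept a 'this file is malicious' report. Returns False if rejected."""
        self.report_count[reporter_id] += 1
        if self.report_count[reporter_id] > self.MAX_REPORTS_PER_CLIENT:
            return False                          # rate limit: a noisy client is ignored
        self.malicious_votes[digest].add(reporter_id)
        return True

    def verdict(self, digest: str) -> str:
        votes = len(self.malicious_votes.get(digest, ()))
        return "malicious" if votes >= self.QUORUM else "unknown"

    def lookup(self, digest: str):
        """Signed response (body, tag); the tag lets the client detect tampering."""
        body = json.dumps({"hash": digest, "verdict": self.verdict(digest)},
                          sort_keys=True).encode()
        tag = hmac.new(CLOUD_KEY, body, hashlib.sha256).hexdigest()
        return body, tag


def client_decide(response, digest: str) -> str:
    """Client-side handling of the cloud answer for one file."""
    if response is None:
        return "unavailable"                      # attack 1: access to the cloud blocked
    body, tag = response
    expected = hmac.new(CLOUD_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return "tampered"                         # attack 3: response modified in transit
    data = json.loads(body)
    if data.get("hash") != digest:
        return "tampered"                         # a valid answer for another file replayed
    return data["verdict"]


def run_scenarios() -> dict:
    cloud = ReputationCloud()
    bad = file_hash(b"constructed malicious sample")
    clean = file_hash(b"constructed legitimate system file")
    results = {}

    # Honest telemetry from three distinct machines reaches the quorum.
    for machine in ("m1", "m2", "m3"):
        cloud.submit(machine, bad)
    results["honest"] = client_decide(cloud.lookup(bad), bad)

    # Attack 1: malware on the host blocks the client's access to the cloud.
    results["blocked"] = client_decide(None, bad)

    # Attack 2: one attacker-controlled client tries to 'trash' the cloud by
    # reporting a clean file as malicious, fifty times. Budget and quorum hold.
    accepted = sum(cloud.submit("attacker", clean) for _ in range(50))
    results["poison_accepted"] = accepted
    results["poison_verdict"] = cloud.verdict(clean)

    # Attack 2 from a botnet of distinct reporters: the quorum alone does not help.
    botnet = ReputationCloud()
    for bot in ("bot1", "bot2", "bot3"):
        botnet.submit(bot, clean)
    results["botnet_verdict"] = botnet.verdict(clean)

    # Attack 3: malware rewrites the verdict inside the cloud's response.
    body, tag = cloud.lookup(bad)
    forged = body.replace(b'"malicious"', b'"unknown"')
    results["tampered"] = client_decide((forged, tag), bad)

    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

Two things the simulation makes visible. A signed response plus an explicit ‘unavailable’ path (fall back to the local engine rather than treating silence as clean) covers the two attacks that only hit the infected machine. Poisoning is different: a quorum and a per-client budget stop one noisy client, but three forged reporters (the botnet_verdict scenario) walk straight past both, which is exactly why the article singles out ‘trashing’ as the most dangerous case and why a real service needs authenticated reporters, reporter reputation and offline corroboration before a verdict is allowed to flip.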
With the increase in the number of antivirus technologies that operate in the cloud, there will be constant growth, both quantitative and qualitative, in the attacks upon them, coming from malware on clients’ computers and also with the help of special services run by the cybercriminals.

Figure: The approximate percentage ratio of virus infections caused by the human factor (blue) compared to software vulnerabilities (red), for the period 2000-2005.
Figure: The approximate percentage ratio of virus infections caused by the human factor (blue) compared to software vulnerabilities (red), for the period 2009-2010.
Keeping pace with viruses
Current malware sample processing techniques, with Nikita Shvetsov

Interview | Malware processing

Creators of viruses obviously set out to make as much profit as possible from their activities. To achieve this they distribute as many malware programs as they can, hiding them from antivirus detectors with the help of many tricks. Nikita Shvetsov, Kaspersky Lab’s Head of Antivirus Research, tells us how the virus analysts manage the processing of huge numbers of these malware samples.

SV: Lately we have seen an enormous growth in the quantity of malware. What is it connected with – the cybercriminals’ thirst for profit?

N: Let’s start from the fact that there is no single system of counting these programs. It’s no secret that modern solutions are developed along the lines of advanced behavioral analyzers, and that the enhanced behavioral template HEUR:Worm.32.Generic blocks millions of different files per day. So, how do you count this? Kaspersky Lab has long since moved from abstract evaluation of the volume of detected viruses to hard statistics concerning virus infections and prevented attacks. Such statistics are received online from the users of our products. We operate by knowing the number of virus infections per day and the number of machines infected, and can thus reliably track the spread of any ongoing epidemics. In absolute figures, it is the same millions of unique files, but occurring on a daily basis.

However, where do so many files come from? Virology has become heavily commercialized, and the field of systems programming, which a while ago was interesting because of its nontrivial approach, has now become a source of income for the cybercriminals. Then, as in any industry, there has been a transformation from backstreet workshops to well-organized factories with a distinct division of labour. Clients are generally unwilling to pay tens of thousands of dollars for the creation of a new version of a Trojan-based botnet. It is much simpler to buy a package that has been developed for you, and to buy it with support, which means that if the package is detected, you are simply provided with a new one. This is a prime source of malware file growth. As one of our colleagues says: “everything that is new is in fact something old, neatly repackaged”.

Either the malware developers were very lazy or the antivirus manufacturers raised the speed at which they create protective signatures, but the idea has undergone further development. Tools responsible for obfuscation are now placed on the web server from which the malware is downloaded. Each time a user follows the malware link, the server provides a new, unique file. This is called server-side polymorphism: each time the link is used, a different file with identical functionality is received. Open-source malware development projects of the Pinch and BlackEnergy variety also played a significant role in the growth in the number of detected program variants. Anyone with no respect for the law can find the source code of these programs, upgrade it to suit their own purposes and begin to distribute it.

SV: In connection with this, how has the approach to malware processing changed on the side of the antivirus companies?

N: First of all, the incoming flow of malware data has increased to such an extent that we have encountered electrical supply capacity issues when connecting new server equipment at our headquarters. We receive hundreds of thousands of files per day, and to process them manually we would need to retain more than 1,000 staff. That is why the approach has changed radically. Our aim is to minimize the flow of files reaching our virus analysts. People should be given the opportunity to do what they enjoy doing: to think about and analyze new samples which cannot be dealt with by automatic means. Routine work is the robots’ task. We even joke about our robots fighting the robots from the other side. We are also enhancing our regional capabilities. For a start, we have opened an antivirus laboratory in Beijing, and currently we are opening another laboratory in Seattle, in the USA. This allows Kaspersky Lab to cover all the time zones and, possibly, in the future, to eliminate the need for our Moscow-based virus analysts to do shift work.

SV: How do you receive new versions of malware programs?

N: Of course, we have significantly changed our approach to obtaining new malware samples. Whereas before we received suspicious files sent to us by users of our products and other interested parties via our newvirus@kaspersky.com mailbox, now the emphasis is on proactively seeking out malware files. Our robots are out there crawling Internet pages, receiving and ‘reading’ spam and imitating users of IM clients; they can even hold a conversation! This is very engaging. Also, we readily share information about detected threats with our colleagues from other companies, and they reciprocate.

SV: In the future, will it be possible to completely automate the entire process so that virus analysts will no longer be needed?

N: Completely removing humans from the process, particularly virus analysts, is hugely unlikely. The quality of such an automated system would seriously degrade pretty quickly. It is more likely that the virus analysts’ role will be to configure different robots, with the aim of adding to their algorithms the means to combat new vectors of attack. Even then, there is always incomplete or contradictory data that a robot is simply not able to handle, or false positives which really only humans can deal with.
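As an added illustration of the server-side polymorphism Shvetsov describes, and of why counting unique files says little while one generic detection blocks millions of them, here is a toy model in Python. It is not Kaspersky Lab code and is not taken from the interview: the ‘payload’ is a harmless constructed string, the wrapper format (an invented ‘SSPM’ marker, a one-byte XOR key and a random junk block) stands in for a real obfuscation engine, and hash collisions among the generated samples are assumed not to occur.

```python
import hashlib
import os

# Constructed, harmless stand-in for a malicious payload (plain text, not malware).
PAYLOAD = b"constructed payload: contact C2, fetch plugin, add persistence"
MAGIC = b"SSPM"  # hypothetical marker of the toy wrapper format


def polymorphic_wrapper(payload: bytes) -> bytes:
    """Models one download from a server-side polymorphism engine: a fresh
    one-byte XOR key and fresh random junk, so the bytes served never repeat."""
    key = os.urandom(1)[0] | 1                     # odd key, never 0 (identity)
    junk = os.urandom(16 + os.urandom(1)[0] % 64)  # 16..79 bytes of junk
    encoded = bytes(b ^ key for b in payload)
    # layout: MAGIC | key | junk length | junk | payload length (2 bytes) | encoded payload
    return (MAGIC + bytes([key, len(junk)]) + junk
            + len(payload).to_bytes(2, "big") + encoded)


def unwrap(sample: bytes):
    """Static unpacker for the toy format. Returns the decoded payload, or None
    if the sample does not follow the format (for instance a clean, unrelated file)."""
    if not sample.startswith(MAGIC) or len(sample) < 8:
        return None
    key, junk_len = sample[4], sample[5]
    pos = 6 + junk_len
    if len(sample) < pos + 2:
        return None
    plen = int.from_bytes(sample[pos:pos + 2], "big")
    body = sample[pos + 2:pos + 2 + plen]
    if len(body) != plen:
        return None
    return bytes(b ^ key for b in body)


# The signature is taken on the invariant part, i.e. what the wrapper hides.
PAYLOAD_SIGNATURE = hashlib.sha256(PAYLOAD).hexdigest()


def generic_detect(sample: bytes) -> bool:
    """'Generic' verdict: unwrap first, then match the invariant payload."""
    inner = unwrap(sample)
    return inner is not None and hashlib.sha256(inner).hexdigest() == PAYLOAD_SIGNATURE


def compare_detectors(n: int = 1000) -> dict:
    """Serve n downloads and compare a whole-file hash signature with the generic one."""
    samples = [polymorphic_wrapper(PAYLOAD) for _ in range(n)]
    digests = [hashlib.sha256(s).hexdigest() for s in samples]
    known = {digests[0]}                            # hash signature from the first sample seen
    return {
        "samples": n,
        "unique_hashes": len(set(digests)),
        "hash_signature_hits": sum(d in known for d in digests[1:]),
        "generic_hits": sum(generic_detect(s) for s in samples),
        "clean_file_flagged": generic_detect(b"constructed clean file contents"),
    }


if __name__ == "__main__":
    print(compare_detectors())
```

Every download is a new unique hash, so a whole-file signature taken from the first sample matches none of the others, while the single generic rule that understands the wrapper catches all of them and leaves an unrelated file alone. This is the arithmetic behind the interview: the count of ‘unique files’ is set by the attacker’s server, not by the number of distinct threats, which is why infection statistics and generic behavioral templates are the meaningful measure.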