Space, the final frontier for Malware
By now, we are all aware that malware respects no boundaries. A reminder of this comes from NASA. They confirmed that laptops used on the International Space Station have been infected with a worm.
The malware in question here is W32.Gammima.AG. This is a worm that steals passwords for various online games. The worm spreads by copying itself onto removable media devices, e.g. USB sticks. A ‘number’ of laptops were found to have been infected, so the worm clearly did manage to be effective. The laptops were not being used for mission-critical purposes, but nevertheless, it is both worrying and embarrassing.
We have noted and cautioned before about worms spreading via USB storage devices. It harks back to the early days, prior to the ubiquitous presence of the internet, when malware was transmitted by physical means, most notably floppy disks. There is an interesting juxtaposition here: we see one of the most high-profile examples of technology being afflicted by one of the oldest infection methods in the book.
Beware of the ‘antivirus’
As we approach this time of year, many security vendors refresh their products. We are in the process of finishing the BETA of our Norton Antivirus 2009 and Norton Internet Security 2009 products and getting ready to release them to market. Many of our competitors have launched, or are launching, their new products. So, in turn, this starts people thinking about ‘new’ security products.
The last few days have seen reports of ‘malvertizements’ that ultimately lead to fraudulent products. Newsweek.com is one of several high-profile websites suspected of running rogue banner ads that try to trick visitors into installing fraudulent anti-malware programmes. This opens up an interesting dimension. People implicitly expect and trust that website owners have vetted the people who place ads on their sites. The website owners do, but incidents like this point out that they are not infallible and need to do more.
The trick of the bad guys pretending to be an anti-malware utility or antivirus product has been around for some time. However, in recent weeks we have seen a number of examples of this resurface. Symantec’s Security Response blog has written about this.
What we have observed is a combination of attack elements being used in concert. First, a spam email carrying a fake news story with an Olympic theme. The user is encouraged to click on a link, and the link in turn asks the user to download ‘get_flash_update.exe’ or ‘get_flash_codec.exe’. These files then deliver a number of variants, one of which is a fake antivirus product: ‘Antivirus XP 2008’.
A cursory glance would lead you to believe that it is legitimate: it is far from that. Once installed, ‘Antivirus XP 2008’ gives false reports on the security of the system, claiming it has multiple threats running. The software interrupts the user constantly with popup messages, balloon reminders and the like, asking the user to register in order to remediate the threats. The victim’s desktop background is changed to show a virus warning message. The goal of this threat is to get the victim to pay for what they think is a fully functional, legitimate security product, which of course it isn’t.
Now, you will think this blog to be pretty self-serving – guilty as charged! With many new (legitimate) antivirus products making their way onto the market, you need to be mindful. If you see something about some new product from someone you have not heard of, then do your homework: ensure they really are who they say they are.
A new front opens up in Georgia: Cyberspace
It would appear that the conflict between Georgia and Russia is not confined to the ‘real’ world. There are reports that another front has opened up: Cyberspace.
It would appear that a significant Distributed Denial of Service attack has been visited upon various Georgian Government sites and other Georgian internet servers. A variety of Government sites have been targeted: those of the Ministry of Foreign Affairs, the Ministry of Defense and the country’s president, Mikhail Saakashvili, have been blocked completely, or traffic to and from those sites’ servers has been redirected to servers actually located in Russia and Turkey.
The speculation is that the infamous Russian Business Network (RBN) is behind these attacks. The RBN is a notorious malware and criminal hosting network, although their actual involvement is yet to be proven.
There is a trend here. Going back to April 2007, we witnessed a DDoS on Estonia that took out parts of the internet infrastructure for some days. The attacks coincided with a dispute between Estonia and Russian nationalists about the relocation of WWII-era monuments.
I am sure that any country’s preparations for war now include plans and preparations for how it can protect and defend its internet infrastructure.
Be alert to the ‘CNN Alert’!
Many of you may have received a SPAM email with the subject line, “CNN Alerts: My Custom Alert”. This turned up in my personal email folder. It was a very authentic looking email. I thought it clever as, whilst I do not use the CNN site on a regular basis, I have used it now and again. The interesting thing about this SPAM was that it did have a link to a legitimate CNN story about the discovery of the World’s smallest snake. Clicking on this would have given the email that feel of credibility. The malicious link still exists in the e-mail but you must click the FULL STORY link to get there.
The ‘FULL STORY’ link leads to a botnet of compromised machines which host a page prompting the user to download an updated version of Video ActiveX Object. If agreed to, you’ll download ‘adobe_flash.exe’ which is detected by us here at Symantec as ‘Downloader’.
On your marks!
The Beijing Olympics start tomorrow. It is the world’s biggest sporting event of all time, and I am sure that it will not disappoint.
In its winning bid for the Olympics, Beijing outlined how it would harness the power of IT, and innovate around it, to bring the Games to new audiences. We will see a convergence of IT and media on a scale not seen before. Many of the big media companies and franchises have extensive plans to bring the Games to the ‘net in a big way. I know that many network administrators are bracing themselves for the impact of ‘streaming’ video of the Games – if they allow it on the corporate network. It will be interesting to see (or maybe not) what the strain will be on your ISP as well.
Where you have a mass audience connected to the ‘net, then in the shadows the ‘bad guys’ will be lurking. In the Symantec State of Spam report for August, we are already seeing spammers peddling their wares on the back of the Olympics. Symantec Security Response has already written up a blog on an attempted phishing attack purporting to sell tickets for the Games. The creators of the site went to great lengths to make it convincing, even using an SSL connection, believe it or not.
So, get on your marks, get set, and it is ‘Go’ for no doubt many Olympic-related spams, phishing attempts, links to websites showing funny/curious videos of events at the Games, etc. So, I say “Citius, Altius, Fortius” to all of my colleagues in the IT security industry, to keep you all safe and for you to enjoy the Games.
Farewell Neosploit?
The past couple of years have seen a dramatic rise in the sheer number of pieces of malware out there on the internet and, hence, in associated attacks. One of the contributory factors to the dramatic volume increase in attacks has been the arrival of ‘do-it-yourself’ infection kits. One of the most infamous of these is Neosploit, but there are many others such as Mpack, IcePack, Cyber Bot, Zunker, etc.
Neosploit allowed a budding ‘hacker’ to launch their own exploits and amass a sizable botnet. There were regular updates and even a user forum. However, the other day a posting appeared on a Russian website announcing that the authors of Neosploit were going to retire the product. The translation in effect announced:
“Unfortunately, supporting our product is no longer possible. We apologize for any inconvenience, but business is business since the amount of time spent on this project does not justify itself.
We tried hard to satisfy our clients’ needs during the last few months, but the support had to end at some point. We were 1.5 years with you and hope that this was a good time for your business.”
So, it seems that the authors of Neosploit just couldn’t make it work in a commercial sense. That got me thinking: why? Is it because coming up with new exploits is becoming more difficult, and hence more costly, for them? I do not see any particular evidence of this. There are other toolkits out there and many new exploits being developed on an ongoing basis.
Could it be that they are being ‘boxed in’ by better security? Well, to be fair on this one, we are finding many more exploits, so this may not be the case. Is it that the market dynamics of the ‘underground economy’ ultimately played against them? Well, like in every efficient market, there have been new entrants and competitors to Neosploit who could compete with them on product and price. Therein may well be the answer.
So, farewell Neosploit, but there are other exploit tool-kits out there and no doubt, new ones will make it onto the ‘market’.
You do not want this package
This month has seen a new twist on an old scam. There have been mass spam mailings with fake invoices. One version purports to inform you that you have a package from one of the best-known next-day-delivery companies that could not be delivered and was returned. There is a zip file attached; you are asked to download it, print it out and then collect your parcel from your local office.
When you download and unzip the file, the malware is copied onto the system, replacing a Windows file that manages explorer, the user interface and some other important processes. Additionally, it establishes a connection with a domain, which has been used on some occasions by banker Trojans. From this domain it will redirect the request to another domain in order to download a rootkit and a rogue antivirus.
So, you get a ‘package’ but not one you want nor expect!
Storms in July – who would have thought it?
So, even now, 17 months down the line, the ‘Storm Worm’ is still morphing and reinventing itself to keep itself alive and ‘out there’. The chronology of ‘Storm’ is interesting, as it shows just how the intersection of social engineering and news events allows the bad guys to continue to use and repurpose this attack. More on this in a future blog.
The tactic being used this time round is to hide the Storm malware within fake news stories about the FBI and Facebook. As usual, you are directed to a fake website, one hosted on an infected Storm web proxy. If you follow the lure and click the link you will end up with an executable named “fbi_facebook.exe”. This is the malware. The website you are sent to not only hosts the download, but also launches a set of browser exploits at you.
No ‘Summer of Love’ in San Francisco
San Francisco city officials are currently wrestling with a difficult issue: namely, they cannot access their FiberWAN network after a disgruntled system administrator deleted admin passwords. All administrators are locked out except for Terry Childs, the unhappy and now ex-employee, who is refusing to divulge his access codes.
He is now facing criminal charges and is due in court tomorrow. However, the stand-off continues, with Childs not prepared to disclose his passwords. Engineers from Cisco have been brought in to try to gain access. The Mayor of San Francisco has gone to pains to reassure people that the network is working fine, the only issue being that if it crashes there is no way to get into it and fix it.
All very unsatisfactory and embarrassing for the City of San Francisco. It brings into focus the need to be careful about who has admin rights to your network and about the background of the people you give access to. It turns out that Terry Childs has a past conviction for aggravated burglary.
There is a lesson in all of this for our own home networks. Our research shows that the majority of us use the default names and passwords that come with our routers at home. The bad guys know all of these default names and passwords. So, if you do not want to have your own version of what is happening in San Francisco, make sure you change your router name and password to something unique to you. Also be sure to change the default password on the router’s config/setup interface as well.
NAV and NIS 2009 Public BETA
We have released Public BETA versions of Norton AntiVirus and Norton Internet Security 2009. If you follow this link it will take you to the download page. We would really like people to download it and let us know what they think.
We plan some very bold things with our 2009 releases. We are aware that customers want security products that do not overwhelm their system resources. Our 2009 products provide strong protection whilst being light on system resources. We have implemented a new architecture for the 2009 products to reduce boot time, scan times, memory usage and install time.
There is a lot of new stuff, so go ahead and download it!