Vobfus malware steals 25,000 student social security numbers

Salem State University in Massachusetts issued a data breach warning to faculty and students on March 11. The warning informed them that information for over 25,000 persons, including social security numbers, had been breached. The breach was caused when malware, identified as Vobfus, infected the university's human resources database.

Malware is often seen as a nuisance or a productivity inhibitor, but an infected computer can pose a much greater risk to an organization and should not be overlooked. Malware gets behind the organization's perimeter and can act with the credentials of legitimate users, including administrators. Just because a system is behind a firewall or in a demilitarized zone does not mean it is safe; threats from the inside are just as virulent as those from the outside. Malware has been the cause of a number of recent data breaches at supermarkets, banking institutions and retailers.

Antivirus software is essential, but it is only the first step in protecting against malware. New malware and revised versions of existing malware are continually being released, and antivirus signatures will miss some of it, potentially even the most dangerous samples. Understand what normal traffic looks like on your network so that abnormalities can be quickly identified. Take notifications from users about suspicious activity seriously, and consider implementing technologies that use behavior-based scans to detect viruses and intrusions. Lastly, know what to do and who to call if there is a data breach.

POS vulnerabilities via Dexter malware

Security researchers have identified a new malware called Dexter that specifically targets Point of Sale (POS) systems such as cash registers and scanning stations to obtain credit card numbers.  As of December 12, 2012, Dexter had infected systems in 40 different countries with the majority of infected systems residing in North America and the United Kingdom.  The malware infected machines a few months ago, just in time to steal data from many of the holiday shoppers.

Dexter steals credit card data by recording downloaded files from the POS device and retrieving information from memory. More specifically, it looks for Track 1 or Track 2 data, which is read by most POS devices and contains the account holder name, account number and security code for a credit card. The malware stores the data and sends it in batches every five minutes to the malware operator, who can then use it to make fraudulent purchases or clone credit cards.

Malware researchers are still trying to determine how Dexter is infecting POS systems, but POS owners are not defenseless. They can protect themselves from the malware by using devices that encrypt the credit card data from the point at which the card is scanned through the processing stage, in what is known as Point-to-Point Encryption (P2PE). P2PE encrypts the data before it is placed in memory, and Dexter is currently unable to decrypt the data, so P2PE effectively stops Dexter from harvesting credit card numbers on the POS device.
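As an added example (not part of the original post), the Python below is the kind of check a PCI assessor or data-loss-prevention tool runs over a memory dump or file: it looks for clear-text Track 1 and Track 2 records, the data Dexter harvests, and keeps only those whose account number passes the Luhn check. The sample buffers are constructed, the card number is the well-known test number 4111111111111111, and the P2PE buffer is an opaque stand-in for ciphertext, which is why it yields no hits.

```python
import re
from dataclasses import dataclass
from typing import List

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")


@dataclass(frozen=True)
class TrackHit:
    track: int
    pan_masked: str   # first six and last four digits only, never the full PAN
    name: str         # Track 1 only; Track 2 carries no name
    expiry: str       # YYMM exactly as encoded on the card


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation; filters out random digit runs in a dump."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes) -> List[TrackHit]:
    """Return every Luhn-valid track record found in a memory dump or file."""
    hits: List[TrackHit] = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(TrackHit(1, mask_pan(pan), m.group(2).decode(), m.group(3).decode()))
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(TrackHit(2, mask_pan(pan), "", m.group(2).decode()))
    return hits


# Constructed sample: a slice of POS process memory holding one swipe in clear text.
# The PAN is the standard test number 4111111111111111, not a real account.
CLEARTEXT_DUMP = (
    b"\x00\x00OK\x00%B4111111111111111^DOE/JOHN^25121011000000000?\x00"
    b";4111111111111111=25121011000000000?\x00\x00"
    b";4111111111111112=2512101?\x00"   # bad check digit: ignored by the scanner
)
# Constructed stand-in for what a P2PE terminal hands to the POS: opaque ciphertext only.
P2PE_DUMP = b"\x00\x00OK\x00\x9f\x27\xc1\x5a\x03\xe8\x77\x1b\xd4\x40\x8a\x2c\x66\xf0\x19\x3d\x00"

if __name__ == "__main__":
    for label, dump in (("clear text", CLEARTEXT_DUMP), ("P2PE", P2PE_DUMP)):
        print(label, find_track_data(dump))
```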

Eradicate the Bots in the Belfry

At the upcoming Information Security Summit, I will be presenting on the topic, “Eradicate the Bots in the Belfry.” Bots are used for a variety of malicious activities, including sending spam and conducting DDoS (Distributed Denial of Service) attacks such as those recently in the news. Your network is probably hosting bots right now. A recent study showed that 40 percent of computers have one or more pieces of malware on them, and this malware could be attacking other companies or disclosing important company or customer data.

So how can you immunize your business against this threat? First, obtain a baseline of the activity on business computers so that unusual activity can be identified. Set up monitoring and metrics that alert you to unusual activity, and create an incident response plan to handle infections and data breaches. Attend the summit for more information on how to protect your business and others.
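Both the Vobfus post above and this one recommend learning what normal traffic looks like so that unusual activity stands out. As an added example (not the author's code), the Python below applies two such checks to a constructed outbound-connection log: it flags destinations a host never contacted during its baseline period, and it flags host/destination pairs whose connection timing is near-constant, the fixed-interval check-in typical of a bot or of malware that reports to its operator on a schedule. The hosts, addresses, log lines and baseline are all constructed.

```python
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed outbound-connection log (not from a real network):
# timestamp, source host, destination, bytes sent.
SAMPLE_LOG = """\
2012-03-11T09:00:00 hr-db-01 10.0.5.20:445 1200
2012-03-11T09:00:03 hr-db-01 203.0.113.7:443 2048
2012-03-11T09:02:10 ws-17 10.0.5.20:445 880
2012-03-11T09:05:04 hr-db-01 203.0.113.7:443 2100
2012-03-11T09:10:02 hr-db-01 203.0.113.7:443 1990
2012-03-11T09:15:05 hr-db-01 203.0.113.7:443 2300
2012-03-11T09:20:03 hr-db-01 203.0.113.7:443 2010
2012-03-11T09:31:44 ws-17 198.51.100.9:80 15000
2012-03-11T09:47:03 ws-17 198.51.100.9:80 3200
2012-03-11T10:12:19 ws-17 198.51.100.9:80 27000
"""

# Baseline learned from a known-clean period: destinations each host normally contacts (constructed).
BASELINE: Dict[str, Set[str]] = {
    "hr-db-01": {"10.0.5.20:445"},
    "ws-17": {"10.0.5.20:445", "198.51.100.9:80"},
}

Row = Tuple[datetime, str, str, int]


def parse_log(text: str) -> List[Row]:
    rows: List[Row] = []
    for line in text.splitlines():
        ts, src, dst, nbytes = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return rows


def new_destinations(rows: List[Row], baseline: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Destinations a host contacted that were absent from its baseline."""
    unusual: Dict[str, Set[str]] = defaultdict(set)
    for _, src, dst, _ in rows:
        if dst not in baseline.get(src, set()):
            unusual[src].add(dst)
    return dict(unusual)


def find_beacons(rows: List[Row], min_conns: int = 5, max_cv: float = 0.2) -> Dict[Tuple[str, str], int]:
    """Source/destination pairs whose connection intervals are near-constant.

    Human-driven traffic has irregular gaps; a scheduled check-in has a low
    coefficient of variation (stdev / mean). Returns the mean interval in seconds.
    """
    stamps: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for ts, src, dst, _ in rows:
        stamps[(src, dst)].append(ts)
    beacons: Dict[Tuple[str, str], int] = {}
    for pair, times in stamps.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            beacons[pair] = round(mean)
    return beacons


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("new destinations:", new_destinations(rows, BASELINE))
    print("beacons:", find_beacons(rows))
```

In the sample, hr-db-01 contacts an address outside its baseline every 300 seconds, which both checks surface; the browsing from ws-17 is irregular and stays within its baseline, so it is not reported.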

Risks of cloud adoption and what it means for you

Public clouds have been greatly promoted as an approach for organizations to reduce information technology (IT) costs and increase technology flexibility and scalability.  Cloud computing allows smaller organizations to employ IT services that would previously have been too expensive to implement due to high up-front infrastructure costs.  Companies can implement IT solutions faster in a public cloud because they do not have to spend time creating and configuring the technology environment.   Larger organizations, already familiar with remote computing operations, gain flexibility and scalability by utilizing cloud services or implementing private clouds to consolidate IT resources.

A public cloud, sometimes known as Infrastructure as a Service (IaaS), provides computing resources such as processing power, memory and storage to clients in the form of a virtual machine. The details of the infrastructure hosting this virtual machine may be a "black box" to the customer, similar to the Internet. When you sign up for Internet access, you are provided with a line and bandwidth, but you do not know how that service is provided to you, what route your data may take, and so forth. Similarly, when renting public cloud space, you are provided with a virtual machine, but you do not know the specifics of what is involved in providing it to you.

It may be difficult and somewhat unsettling to give one organization control over data and systems that are critical to another organization's success. Nonetheless, there is constant pressure to reduce IT costs by moving to public cloud services while still exercising due diligence in selecting a secure and reliable cloud provider. With large companies like Microsoft and Amazon entering the public cloud marketplace, many major companies have felt more comfortable moving to the cloud.

However, the security of the public cloud is still passionately debated. Recently, concerns about public cloud security arose with the release of findings from an investigation into four cloud service providers: Amazon, Gigenet, Rackspace and VPS. The findings have focused attention on the following issues.

Intra-server security and vulnerabilities

Cloud computing offers customers computing resources, generally in the form of virtual machines, for rent at lower cost than the organization would incur by hosting the servers in-house. Companies can achieve considerable savings through economies of scale. The rented computing resources are just a portion of the available resources hosted by the provider, as much of the infrastructure is shared between the provider's clients. This model presents potential security risks to cloud computing clients if the rented space is not adequately separated from that of other customers. Inadequate separation could give an attacker who has compromised one client in the cloud access to other clients. Attackers could also rent space in the cloud and use it as a base for attacks on neighboring clients.

Location concerns

Another risk of sharing cloud space is that the actions of one client on a public cloud can indirectly affect fellow users: if a server that hosts multiple clients is blacklisted, all of them become unavailable because of the actions of one. Added to this potential problem are concerns about where the servers are actually located geographically. Laws differ greatly from one country to another, and the cloud network may be subject to the laws of more than one jurisdiction. There may be limitations on whether data can or should cross international boundaries, and contract terms may be less enforceable in another country.

Data backups, restoration, and portability

Backup procedures may also present challenges to businesses moving their IT infrastructure to a public cloud. Backup sets, rotations and off-site storage are all managed by the cloud provider, so it becomes important to understand how the backups work, how reliable the service is, and how long restores are expected to take. Recovery time is extremely important when essential data is missing from a production system. It is also important to understand whether backup sets can be moved to another provider or to in-house operations if the contract with the cloud provider is terminated. Backup operations are often conducted across many clients at once, so it may not be possible to extract historical backup data for a specific client from the cloud.

The report found intra-server vulnerabilities: data on other clients' storage was accessible through shared disks and networks. The study was able to access other clients' virtual disk drives, which should have been inaccessible, as well as data from other client systems on the network. These providers did not adequately secure the storage and networking resources offered to their clients, leaving them open to a data breach or attack. The virtual machines were housed on systems running outdated hypervisor software that was vulnerable to attack.

Evaluating a Public Cloud Provider

When evaluating a public cloud provider, the following security questions can be used to determine whether a potential vendor has the essential cloud security measures in place.

  • How soon are patches applied to hypervisors after they are released?
  • How often are vulnerability scans initiated on cloud equipment? What is the average vulnerability remediation time frame?
  • Are systems periodically audited? What were the results of the last audit report?
  • Is an intrusion prevention system in place?
  • Has an incident response plan been created and are response team members familiar with incident response procedures?
  • Are access requests to resources logged and monitored?
  • How are viruses and malware prevented?
  • Is server hardening performed on virtual servers before being issued to customers?
  • Are firewalls implemented between customers?
  • Is hard drive encryption available?
  • With which security standards, such as ISO 27000, PCI or HIPAA, does the potential vendor comply?
  • What data recovery procedures are in place for client systems and what is the recovery time objective?
  • What method is provided for client management of servers? How is access to the management interface authenticated and controlled?

In addition to the above questions, consider running a security audit on the virtual node before using it, to verify that the answers to those questions hold up in practice. The selection of a cloud provider should be based on the security parameters that are provided and the implementation of the necessary security controls. The recent study demonstrated that security cannot be assumed even when large, reputable companies are involved. Therefore, it is important to confirm that a cloud provider has these security controls in place by asking questions such as the ones in this article.

For further reading

Assessing Cloud Node Security White Paper


The Bot stops here: Removing the BotNet threat | Public and Higher Education Sector Security Summit

Academia is a potential breeding ground for botnets, but don't despair. Take back your network. This presentation examines the botnet life cycle and the history of botnets, leading into techniques for detecting and disrupting botnets in your network. It was presented at the 2012 Public and Higher Education Sector Security Summit. This summit features a full day of talks, presentations, and workshops dedicated to information technology and IT security professionals serving in this economically and socially important sector. We will also present a vendor trade show featuring technology and consulting solution providers. All attendees and vendors are invited to attend an evening reception at the end of the Summit.

This year's theme is "IT Means Business in Government and Higher Education" and will include sessions on IT, IT Security, IT Business Management, Compliance, and Legal issues. The Summit will take place Wednesday, April 25, 2012 at LaCentre in Westlake, Ohio. LaCentre is located at 25777 Detroit Road, between Canterbury and Columbia Roads. The facility is easily accessible from Interstate 90.


Malware security awareness primer

We have worked hard to educate users of the need for computer hygiene, using anti-spyware, multiple browsers, data backups, and antivirus programs. Unfortunately, users are getting fooled into installing fake antivirus programs through clever pop-ups that work off the fear users have of viruses. These programs install themselves and trick users into paying for bogus services or they gather private information on user activities and send it off to spammers and thieves.

These malicious antivirus programs are extremely common. Google has identified over 11 thousand sites distributing fake antivirus code.

It is important to take the next step and teach users how to differentiate between legitimate programs and fakes. Your company probably has a standard antivirus program that is used on all machines. Users should be made aware that this program will protect them from viruses and that they have no need of other programs.

Unfortunately, even clicking no or what appears to be a close button on a pop-up can result in the program being installed. Users need to be taught how to close out of windows properly to avoid activating the malicious code they contain. One method is to press [Alt] + F4 to close the current window. If that does not work, pressing [ctrl] + [alt] + [esc] in Windows or [option] + [apple] + [esc] in MacOS will open the task manager/force quit applications window where Internet Explorer (iexplore.exe), Firefox (firefox.exe), or Safari can be closed.

Once a fake antivirus program is installed, it will appear to scan the hard drive. It will tell you it has identified viruses and then clean them but it does nothing of the sort. Usually users will notice a performance decrease. They may also find that their browser has been hijacked or they will begin to see many pop-ups and advertisements on their screen. Users should be made aware of what follows the installation of a fake antivirus program so that IT can resolve the situation. The sooner IT knows of it the better because these programs continue to do their dirty work even to the point of filling up a hard drive or making a computer completely unusable.

Spyware can also generate fake antivirus alerts. Make sure that anti-malware programs are up to date and that they scan programs in memory and programs on the hard drive and removable drives as soon as they are added. Corporate applications usually have the ability to report back to a central monitoring station when a workstation is infected with a virus or a malicious application. Train your administrators to make use of such consoles and to stay on top of any infections. When a machine is infected and not treated, it is not long before it turns into an epidemic.

Take the time to educate your users because it will save them a lot of grief and your IT staff a lot of time cleaning machines. Stay up to date on the latest fake programs and consider creating a security portal where your users can get information on fake programs and other security tips.


To get you started, Microsoft has compiled a list of 114 fake antivirus programs. See http://www.microsoft.com/downloads/en/details.aspx?FamilyID=037f3771-330e-4457-a52c-5b085dc0a4cd&displaylang=en for details.

For further reading

Threat of Fake Antivirus Software Grows

Protect Yourself from Fake Anti-Virus Software

Security awareness for mobile apps

Smartphones are replacing traditional phones. These handheld devices offer users more than just the ability to make calls; smartphones such as the iPhone, Google Android, or BlackBerry let owners browse the Internet, check email, and run applications. In many ways, the modern smartphone is a merger of the computer and the phone into one small, pocket-sized device delivering information to you anytime, anywhere. But what else is your smartphone up to? With all its similarities to the PC, the smartphone also shares one of the PC's less desirable attributes: malware.

All three vendors, Google, Apple, and RIM, maintain a directory of applications, or apps, allowing developers to publish applications to a directory for downloading. Some of those applications contained malicious code allowing phones to be converted into "zombies" for launching attacks or giving attackers access to data on smartphones such as contacts, emails, attachments, browsing history, or passwords. Some applications made calls to 900 numbers or premium texting services that you could be billed for. Both Google and Apple have identified and removed malicious apps from their directory, and Google has implemented measures to remotely remove malicious apps from users' phones. However, even this fact is disturbing because it demonstrates that Google has backdoor access to the Android phone. This system, which today is used to remove malware, could one day be used to deploy it.

So you may be asking what you can do to protect yourself from smartphone malware. Here are some recommendations. First, download apps from trusted sites. The best controlled sites are those operated by Google, Apple, and RIM. These apps are reviewed prior to being added to their directory. It should be noted that Apple and RIM have a more stringent review process for apps published to their directory so Google Android users may have a little more difficulty finding malware free applications when using the directory. Directories are still not completely safe so users will need to exercise caution when downloading apps.

Second, you should be aware of the correct name of an application. If someone tells you to get the Facebook app, make sure you get the official application rather than Facebook Notifier or Facebook Express or some other variation. Next, make sure the spelling of the application is correct. Malicious apps masquerade as legitimate apps with a similar name. If you misspell Facebook as Facebok, an application may be available with that name, but it is probably malware.

Third, do not hack your phone or operating system. Many users are tempted to hack their phone by applying unauthorized firmware versions or making software modifications so that their phones will perform actions not intended by the manufacturer. Such modifications can disable vital security features of the device allowing malware to infect the machine or applications to perform unwanted actions on your phone.

Lastly, consider using anti-malware applications on your phone if you run lots of apps. iPhone users may have difficulty locating an anti-malware app for the iPhone because the iPhone OS does not allow applications to run in the background. Apple claims anti-malware applications are not needed in their operating system because of this and because all applications run in a sandbox where they are prohibited from interacting with other apps or with the system directly. However, similar techniques have been used with standard computer operating systems and such techniques have been circumvented.

To sum it up and answer the question posed at the beginning, "does one bad app spoil the bunch?", use your smartphone with caution. Download only the apps you need and download them from a trusted source. If you utilize many applications, consider anti-malware software for your phone, and do not hack your smartphone because doing so may disable security features of the phone. The threat of malicious apps on smartphones is real, but you can go a long way in protecting yourself by following these guidelines.
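The name checks in the second recommendation can be automated. As an added example that is not from the original post, the Python below compares a requested app name against a constructed allow-list of official names and reports whether it is the official app, a padded variant such as Facebook Notifier, or a misspelled look-alike such as Facebok; the allow-list is an assumption, and a real deployment would take it from the vendor's store listing.

```python
import re
from typing import Tuple

# Constructed allow-list of official app names (assumption; a real list would
# come from the vendor's own directory).
OFFICIAL_APPS = ("Facebook", "Twitter", "Gmail")


def normalize(name: str) -> str:
    """Lower-case and drop punctuation/spaces so 'Face-book' and 'facebook' compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (Wagner-Fischer, two rows)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_app(name: str) -> Tuple[str, str]:
    """Return (verdict, official name it resembles).

    official  - exact match with an allow-listed name
    variant   - official name plus extra words ("Facebook Notifier")
    lookalike - within a small edit distance ("Facebok")
    unknown   - resembles nothing on the list
    """
    norm = normalize(name)
    for official in OFFICIAL_APPS:
        onorm = normalize(official)
        if norm == onorm:
            return "official", official
        if onorm in norm:
            return "variant", official
        # Short names get a tighter threshold so unrelated words are not flagged.
        if edit_distance(norm, onorm) <= (2 if len(onorm) >= 8 else 1):
            return "lookalike", official
    return "unknown", ""


if __name__ == "__main__":
    for candidate in ("Facebook", "Facebook Notifier", "Facebok", "Weather Radar"):
        print(candidate, "->", classify_app(candidate))
```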

For more information

Google purges tainted apps from Android phones

5 ways to protect your Android phone from malware

Antivirus for Smartphones?

Antirootkit Rootkit

Rootkits, if you are not familiar with them, are programs that, when on a machine, place themselves in between the user and the operating system.  This program intercepts input and output from the system to you the user, concealing running processes, files and system data.  Log files and other processes used to show what is running and happening on a machine are also altered by the rootkit.  For example, when you request to see all files on the hard drive, that command is changed to "give me all files on the hard drive except those owned by the rootkit".  Rootkits can be very hard to detect but there are some programs that can detect them.  A bigger problem, however, is removing them.  Once a rootkit is installed on a machine, the usual removal method is formatting the machine.

I pondered this problem for a while and did not come up with a solution, only thoughts.  Here is one.  What if I detect a rootkit by placing rootkit-associated files on a system?  If the rootkit is installed, it should see its files and hide them from the user.  If my files magically disappear, I know that I have that specific rootkit on the system.  The next step would be to place rootkit files on the system that the rootkit would accept and take ownership of, but these files would be modified to undo what the rootkit does.  How would I undo the rootkit actions?  Well, once I figure out how the rootkit operates, I can counter it.  For research purposes, I would need to log the actions of the rootkit from this file I place on the system.  Think of it as if we are placing a trojan horse on our own machine that gives us a back door into the realm of the rootkit.

There is also the possibility of accessing the system remotely or accessing the drives of a system through a removable hard drive kit or forensics kit.  This would allow you to scan the data on the drive with a system that has not been compromised.  If this approach were successful, I could set up agents that act as a buddy system, scanning the nodes around them to ensure that they have not been compromised and rejecting communication from those that have been compromised.  The agent could be included in antivirus software or as yet another package.

More thoughts for you.  I welcome comments on them. 

Mac Viruses

Apple’s recent ads talk about how there are no viruses written for Mac. That statement is not entirely true. Viruses are released for Mac. In 2005, 143 viruses targeted Macintosh computers. Compare this with the 150,000 written for PCs and it does not sound bad, but the statement is still incorrect. By the way, if you want to view the new Macintosh ads, go here.