April Fool’s… Is the Joke on Us?

Conficker, aka Downadup, is a worm that grew to prominence thanks to the vulnerability patched in MS08-067 last October. It’s getting widespread popularity in the media these days and deservedly so; a large botnet is always a source of concern and I wish the media paid more attention to the risks/dangers of malware and the people/organizations behind the criminal activity. But all this April 1st talk…is it hype? I’ve had at least a dozen people ask me, “are you ready for April 1st?” Um…yes.

Yes, Conficker is going to “do something” on April 1st. But if anyone in the mainstream media were to stop and think or at the least ask an insightful question instead of latching on to the latest doom and gloom theme of the day and driving it over the cliff, they might be telling a different story than the one you’re hearing from the various media outlets.

For starters, I recommend F-Secure’s wonderful Questions and Answers: Conficker and April 1st. In a nutshell, computers infected with Conficker.C (a variant of the original worm) are going to “update” themselves. All we know is that it’s going to up the ante from phoning home to a batch of 250 domains a day to 500 out of 50,000 a day, making it much harder to disrupt the phone home communications (which is how infections like this get their updates and commands for actions to perform). But since that’s all we know, that leaves a lot of room for conjecture and imagination.

So let’s think rationally for a minute. The people/organization behind Conficker are VERY sophisticated, highly proficient and professional. We aren’t dealing with a couple of kids with a grudge here. The landscape has changed, but mass media doesn’t seem to realize it. The business models that cybercriminals apply these days are in line with modern corporate structures. There are boards of directors, hiring managers, developers and sales. What do they sell? Why, that would be access to your infected PC. Once infected by a bot, your computer is there to do the attacker/owner’s bidding. If they need processing power to crack a password, they can use your PC. If they want to launch other attacks, they can use your computer. If they are bored and want to watch you on your webcam, they can. More and more these days, botnet rentals have become yet another business model.

Imagine you have a business. You have 2 million customers but if anyone finds out who your customers are you’ll risk losing their business. On April 1st you can sign those customers up to a contract extension. Why would you risk doing anything that would cause you to lose those customers?

I’m not buying it. The press wants you to think all hell is going to break loose because it sells papers. But there’s nothing about this worm that indicates its creators are stupid. Why, on April 1st, when they are deploying an update that is going to ensure their botnet stays strong for months to come, would they risk losing it all at the same time? It doesn’t add up. Yes, there are stupid criminals. But these criminals are smarter than the mainstream media.

The effect of the media’s attention is dangerous and misplaced. Cybercriminals are already taking note of the attention, offering new FakeAV/Rogue malware that poses as Conficker removal tools. But even worse, they’re creating a “boy who cried wolf” scenario. What will the media be saying about Conficker if it just does its updating on April 1st and slips quietly back into cyberspace? I guarantee you there will be more than one news anchor piping up with a comment about how it obviously wasn’t as big a deal as they thought and shrugging it off. Gee, thanks. You just made my job that much harder by lowering the guard.

Cybersecurity isn’t a one-off story every 6 months to a year to fill a news quota or aid a slow news day or to fulfill a producer’s zeal for a doomsday shocker. Accessing the Internet is like walking in a really bad neighborhood at 2 a.m. It’s risky and potentially dangerous; caution, awareness and knowledge are your defenses. That pocket knife in your pocket (aka antivirus software) might help you, but chances are it won’t.

So do us a favor, mainstream media. Use your powers to do good. Keep awareness and understanding of cybercrime on your radar and treat it regularly and consistently. “The sky is falling” stories only breed skepticism and doubt among users in a world where letting your guard down for one minute can have a far wider impact than most users would ever expect.

Conficker may do more than just update on April 1st, but I’ll be surprised if it does. I just hope the media doesn’t do more harm than good in their treatment of the results.


Depth in defense is always a priority in securing an environment. For the novice, the notion is that the more layers of defense you have in place, the more likely you’ll be able to detect the bad guys and their malicious code. The typical analogy is that of a fortified castle. From the outside in, a deep and wide moat surrounds the outer wall, with a drawbridge and/or portcullis to control and limit access. The inner walls provide an additional layer of protection for the castle, with additional barriers in place around the keep. And let’s not forget the men and women who strategize and defend their home. Firewalls, intrusion prevention devices, web gateways, and endpoint protection act as similar layers in the depth in defense model. It’s a good model and, if designed, managed and monitored properly, it will serve as a well-fortified defense system.

What concerns me is less the depth model and more how it’s constructed. I saw a prediction a year or so ago from an executive at one of the big security vendors that within 5 years there would be roughly 5 vendors owning just about every security-based solution available. The trend continues in that direction. From a marketing standpoint, great for them. They can wrap them all up nicely in a bundle and say they are the single-source solution to all your security problems. But is that great for us, the end user?

Sure, the solutions they offer for the varying layers differ. A web security gateway isn’t an endpoint or antivirus client. But if the same company provides you that web gateway and the antivirus, do you gain anything running their antivirus on the web gateway? Mixing vendors, bringing in different ways of performing a similar function, is critical if you want to provide the best defense. Antivirus solutions vary greatly in their methodology and detection capabilities. They almost all use some level of signature-based detection, which is inherently weak in an age of malicious code that can polymorph or obfuscate by the second. The more layers of various antivirus solutions you can place between the attackers and your hosts, the more likely you’ll be able to stop it.

Revisiting the castle analogy, those outer walls by the moat seem like a good place for archers. The drawbridge/portcullis probably would benefit more from foot soldiers and hot oil vats above the entryway. Cavalry to stampede through the narrow lanes as attackers draw near to the inner keep, and your best and finest swordsmen and archers defending the castle proper.

Depth is critical, but depth plus width is where you’ll truly improve your chances of defense. You may have to suffer with different front-end management systems for the varying solutions but, honestly, most times you’re going to be better off isolating the administration of the varying layers as opposed to dealing with an all-in-one solution that in reality is a jumbled mess to manage. The majority of monitoring concerns can be handled with some basic alerting, event correlation or security information management.

So next time a vendor tells you they have the answer to all your security needs, think width-in-defense before you sign up for their suite of solutions.

Fake A/V Scamware

I’ve been tracking the rash of fake A/V scamware since last fall and while most of these are probably out of commission, the list below provides a glimpse into the creative (or lack thereof) domain names that are popping up daily. I’ve not had a chance to cross-reference this list with Dancho Danchev’s, but may try if the campaign keeps building steam. I’ve typically been submitting 3-10 copies of the malicious executables a day to Virustotal with disappointing results (3/38 vendors catching them typically). So not only are the domains shifting just enough to inhibit prevention, the payload is as well.

If you’re unfamiliar with the scam, good on you. Typically, you’d be surfing the web and get a pop-up stating that your machine is infected. The browser would then display a page that looks eerily similar to Windows “My Computer” being scanned for infections and infections being detected. The tip off here is that all of this occurs within the browser…so being a little observant would go a long way to keeping your machine clean. If you follow the social engineering attempt, you’ll download an executable which, when run, will install the fake A/V software. It will then make your life a living hell telling you your machine is infected and it must be cleaned…which will require you to register the software. Paying into the scam will not get your machine clean and since you’re providing credit card information to do so, it’s potentially going to cost you a lot more than the $40 or $50 they want initially.

If you see any activity like this while surfing the web, Alt-F4 (close active window shortcut in Windows) is your best friend.

The last numbers I saw were from Panda Security via The Register and estimated it to be a $15 million/month campaign, and that was in August 2008. From the traffic I see, the malicious domains serving the infection have not slowed down since then.


“3D Screensaver” spam

Sunbelt Software has a good write-up on a recent spike in 3d screen saver spam. It’s a free screen saver that comes at a price. The malware has been tracked back to a re-emerging malware gang and is a gift that keeps on giving. Looks like Sunbelt is pursuing them hard, so kudos for their efforts. Always handle attachments and links in an e-mail message with extreme care. If you don’t know how to do that, check out page 12 of the US-CERT’s Common Sense Guide to Cyber Security for Small Businesses or any of the other links in the Resources > Awareness & Education section.

Firewire burns a hole through locked workstations

The Register, among others, reported the release of a tool that allows easy access to a locked workstation. The caveat is that it requires physical access to the Windows computer and is executed by connecting a Linux device to a Windows computer via firewire. The vulnerability has been documented since 2006, but only recently was a tool released to simplify the exploit. As El Reg notes, one wouldn’t think this would be that difficult to repair, but Microsoft has yet to address it. We can argue semantics over whether firewire or the Microsoft implementation of firewire is at fault, but that doesn’t do much for resolving the issue. Due to the need for physical access, I can’t deem this a critical vulnerability, but physical computer security is often as neglected as electronic computer security so it’s still worthy of note.

PayPal bug squashed, but is it dead?

CA has a nice writeup from last month (thanks for the tip Brian) on a jsp vulnerability recently toyed with on the PayPal site. It’s a fine example of good disclosure; identifying a vulnerability, reporting it effectively, receiving prompt resolution and then documenting how it works in an informed and easy to read way. It’s also a scary little hole. If a money changer like PayPal had it and didn’t know about it, chances are others are vulnerable too. Who built your web site and is it using jsp pages? I’ll keep my eyes peeled for any indicators as to how broad this vulnerability may be as I honestly am not sure exactly how utilized jsp pages are these days.

Mining google…

Cult of the Dead Cow (cDc, famous for the backdoor suite Back Orifice) enter the news again bringing attention this time to using Google as a tool for reconnaissance and assessment with the release of Gulag. While this hacking technique isn’t new – Google Hacking has been well documented by the likes of Johnny Long (http://johnny.ihackstuff.com) – the press is.

Some will be angry at a publicized release that simplifies a hacking technique and some will be pleased. Personally, I’m a little torn. I applaud the intent of such a tool; it draws attention to a serious security concern and provides another useful method of assessing your network. And let’s face it, the bad guys are using this method already, so giving people a tool that makes it easier to see what is already known to the attackers is a good thing.

If I get around to checking it out any time soon, I’ll post an update.

Hard disk encryption not so secure?

Well, well, well. It will be interesting to see whether businesses will be backing away from desktop encryption. While the hard work of the folks at Princeton University showed nothing is impenetrable, disk based encryption methods can still provide a level of security that surpasses unencrypted filesystems. There is no silver bullet nor is there a single solution that will solve security problems. The only approach is one that involves layered technologies.

A beginning…a prediction

SANS was all over this right after Christmas. I’m glad to see it getting a bit more press and must admit that Deborah Gage’s write-up lacks the confusion we typically see in the media reporting of incidents. (Although I guess the media confusion applies to all subject matter.) If an infection subverts your anti-virus, you’re pretty much guaranteed to be screwed. In this case, you’ve been infected by some attackers that were willing to take more risks than normal in launching the attack; physical access is my greatest fear.

In short, several brands of digital picture frames were purchased in big name stores bearing an unexpected gift (read trojan horse). Simply connecting one of these fine products to your Windows computer would pretty much guarantee you a rootkit. We’ve heard this song before with hard drives and USB drives. This time, according to the article, we’re relatively lucky that the infection is only a keylogger that attempts to steal user names and passwords for select online games…for now.

Between downloaders, self-patching and self-healing malware, I won’t be surprised to see additional functionality from these infections in the coming months. And even if we don’t, we’re still looking at a source of attack that further damages the trust relationship we as consumers have with manufacturers. Lead in children’s toys? Poison in dog food? As much as they think they can, governments can’t effectively regulate everything, and attack vectors like this remain open. We have further proof of the need for awareness and caution.

I’m inclined to think there is a well-organized group behind this attack. The attack method is shrewd. You avoid the unreliability of social engineering and spam and eliminate the variables and risk of luring someone to the infection. The attack is limited in that it will only initially infect consumers who purchase the tainted wares. The supply chain is fraught with opportunity to induce such an infection, from manufacturing to shipping/distribution to the reseller. But let’s imagine for a minute that the picture frame is wireless and displaying pictures of lattes and muffins at a Starbucks full of users enjoying the free wireless access. It starts to get a little scarier, doesn’t it?

So what better way to cap a new beginning than a prediction? In the not too distant future there is going to be another spate of attacks where the source of infection is a product tainted before it reaches the end-user and it will be a more malicious and effective attack than this one. Government will look to enforce some kind of regulation on any type of electronic device that interacts with another device and all the while we’ll be poisoning our animals and watching our kids chew on that shiny and colorful piece of lead.