Mouse Traps?

Wired reported on a blog entry by Netragard detailing a wonderfully clever social engineering attack that should open some eyes. I’m not sure it will, but it should. For the unaware, social engineering is the art of manipulating a person into doing something you want, in this case inserting a USB device into their work computer.

Fearing the awareness levels around USB flash drives and malware were too high, they opted for a different USB device…a mouse. Carefully disassembling the mouse, they added a mini USB hub to which they attached a mini flash drive. When the user plugs in the mouse, they get the added bonus of a free flash drive with malware. After reassembly, they repackaged the mouse and sent it on its way. Are you surprised that within three days of sending it to their target the malware phoned home?

It’s a truly brilliant attack and they are to be commended for their creative thinking. I would think with most targets this attack or a variant thereof (free printers anyone?) would have a 100% success rate. I’d also like to thank them for sharing the story. While it sounds like the stuff of spy movies, it’s real. And if good guys can think up these kinds of attacks you can bet the bad guys can too.

Which gets me thinking about risk. Does risk matter at all when the reality is you’re faced with attacks like this? Lesser attacks are just as effective, like targeted spear phishing. At what point does risk just become a way of measuring security through obscurity? Or is it there already? We already assume a lot of risk. Have we crossed a threshold?

It does confirm what I’m reading a lot of lately, especially from the likes of Richard Bejtlich of TaoSecurity and Mandiant CSO. The future of defense is a balance between prevention AND detection, trust AND distrust. The new model is not foreign to us. It’s the same castle and inner-keep concept. The difference is we’ve been lulled by security vendors into thinking we can prevent attacks while all along we watch virus detection rates fluctuate but never strike anywhere near 100%. In fact,’s most recent tests of “proactive on-demand detection” topped out at 61% back in May.

The key to defense is in knowing where your sensitive data lives and building your architecture around protecting that data. It’s your Fort Knox. Guard it, monitor it, trend it, know it. Inbound and outbound access should be locked down to required use only. This is your inner-keep. If it falls, game over.

That doesn’t mean your people milling around inside the castle’s walls get left for the vikings. But you can never know everyone and everything going on out there. Focus on what you need to protect, position it so it can be protected and closely monitored and defend the rest to the best of your abilities. But always, always watch the keep.

SMBs take heed as you’ll likely have greater agility in adapting this approach. If you have a server, a point of sale host and one or more daily operations hosts, do they all need to talk? Isolate the server and the point of sale host. Those machines that get used mostly for surfing the web for research, lookups or entertainment? Keep them away from your server and point of sale. And keep casual use away from sensitive systems.
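To make the segmentation advice above concrete, here is an added example (my own illustration, not code from the original post or from Netragard): a small flow-policy checker that encodes the inner-keep rule for the SMB layout just described. The server and the point-of-sale host may talk to each other and to one required update destination; nothing else reaches them, and casual-use hosts never do. It then runs constructed iptables-style log lines through the policy and reports the flows that should have been blocked. The address plan, the update destination (a TEST-NET placeholder) and the log format are all assumptions made for this example.

```python
"""Added example: check firewall log lines against an "inner keep" flow policy.
Hosts, addresses and the log line shape are assumptions for illustration."""
import ipaddress
import re
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport")

# Assumed address plan: the two sensitive hosts form the keep.
KEEP = {
    "server": ipaddress.ip_address("10.0.1.10"),
    "pos": ipaddress.ip_address("10.0.1.20"),
}
# The one outbound destination the keep is allowed to reach (placeholder, TEST-NET-3).
UPDATE_SERVER = ipaddress.ip_address("203.0.113.5")


def allowed(flow):
    """Return True if the flow is permitted by the keep policy."""
    keep_hosts = set(KEEP.values())
    if flow.src in keep_hosts and flow.dst in keep_hosts:
        return True                                   # server <-> point of sale
    if flow.src in keep_hosts:
        # Only the required egress: the update server over HTTPS.
        return flow.dst == UPDATE_SERVER and flow.dport == 443
    if flow.dst in keep_hosts:
        return False                                  # nothing else reaches the keep
    return True                                       # traffic outside the keep is out of scope here


LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+) .*?DPT=(\d+)")


def parse(line):
    """Parse an iptables-style log line into a Flow, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return Flow(ipaddress.ip_address(m.group(1)),
                ipaddress.ip_address(m.group(2)),
                int(m.group(3)))


def violations(lines):
    """Return the log lines whose flows the policy should have blocked."""
    out = []
    for line in lines:
        flow = parse(line)
        if flow and not allowed(flow):
            out.append(line)
    return out


# Constructed sample lines (not real captures).
SAMPLE = [
    "SRC=10.0.1.20 DST=10.0.1.10 PROTO=TCP DPT=1433",   # POS -> server: fine
    "SRC=10.0.1.10 DST=203.0.113.5 PROTO=TCP DPT=443",  # server -> update server: fine
    "SRC=10.0.2.15 DST=10.0.1.10 PROTO=TCP DPT=445",    # casual host -> server: violation
    "SRC=10.0.1.20 DST=198.51.100.9 PROTO=TCP DPT=80",  # POS -> random web host: violation
    "SRC=10.0.2.15 DST=198.51.100.9 PROTO=TCP DPT=80",  # casual host browsing: out of scope
]

if __name__ == "__main__":
    for line in violations(SAMPLE):
        print("POLICY VIOLATION:", line)
```

The same allowed() function doubles as the rule you would write into the firewall itself; running it over the logs afterwards is the "watch the keep" half, since a flow that shows up as a violation means either the rules drifted or something inside is trying to get out.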

If you don’t try to protect your company’s data, no one will.


I happened to catch a @TheHackerNews tweet that linked to an article at titled “Facebook Now Helping Governments Spy On And Arrest Peaceful Activists.” An interesting read and probably less conspiracy theory than truth. I thought it worthy to share on Facebook.

After pasting the URL ( and typing up a little comment, I was ready to unleash this gem of knowledge to my friends and family.

I hovered over the “Share” button for a moment, then clicked.


Huh? WTF FB?

Zuckerberg, you’re scaring me.

Tough Love, End Users

Next time you get infected, take a few minutes and learn from the experience.

You get infected and luckily your antivirus detects it and tells you as much in a nifty little pop up window. (In a majority of cases, that’s about the only way you’ll know you got infected or came in contact with malware.) What do you do? Do you thank your antivirus software and carry on? Do you wonder whether it caught everything? Or if it will come back? Do you get curious about how or why? Do you care?

I’ll answer the last question. You better. Your computer holds keys to your financial data, whether or not you’ve ever logged on to an online banking or financial site from it. It contains information about you that can be used fraudulently and to gain more information about you. It can also reveal information about your friends, family and co-workers, thanks to the boom in social networking. Carelessness puts not only you, but everyone you interact with online at risk.

If your computer gets 0wned (fully controlled by an attacker) the attacker has more control over your computer than you do, because they know how to use it in ways you likely haven’t imagined. For example, at work, you might not have access to personally identifiable information (PII), but your actions can lead to a compromised host and an internal launching point for deeper attacks that will. The PII could be exfiltrated without ever coming in contact with your computer. Scary, eh? Potentially very damaging to all involved too.

What can you do? Endpoint security software (firewalls, antivirus and IPS) can do a moderately effective job of protecting your host. In most cases, the fault of an infection isn’t that the security vendors “missed” it. They catch a lot and work hard at getting better and stopping more. Harder than you do, I bet. Eh? Computers have software and hardware that can help detect and prevent malicious attacks. What do you use?

From the keyboard to the chair is your responsibility. Be responsible! Educate yourself. Learn to defend yourself and identify attacks on you. As long as you aren’t willing to put in some effort to learn about how you can be attacked, how you can identify those attacks, and how you can avoid them in the future, you are the biggest unpatchable vulnerability affecting your computer.

If you still don’t care, then thanks for stopping by and may your fortunes be secure. If you do care, then let’s talk a little about attacks and defenses.

You’ve likely heard about phishing emails and spam containing malicious attachments or links. Some of these are very sophisticated and seem very trustworthy. Trust nothing when computing. Any email, attachment, or link you encounter via email or social networking should be considered untrustworthy until you’ve ascertained the source is valid and the source intended the information for you. Think about whether the person who posted that link on your Facebook profile is the type who would have validated the information. If there is even the slightest doubt about whether it’s secure, consider it insecure until you have verbally spoken with the sender and taken measures to identify if the link or file is malicious. (Virustotal allows you to submit potentially malicious files for scanning by more than 35 a/v vendors and gives you a good idea if the file is good or bad. They also have a URL scanner if you’re unsure about a link. Neither of these is a 100% assurance however, so you start to see how this is about reducing risk, not eliminating it.)

Sometimes even the wisest are fooled if the scam is good enough or they are caught with their guard down. And sometimes the completely innocent are victimized. Drive-by downloads take advantage of browsing-related vulnerabilities to exploit a computer without the user doing anything other than browsing to the wrong site at the wrong time. Malvertisements use social engineering to entice users to run a program, such as the Fake A/V attacks. And those of us who like Macs need to get over the false notion that Mac OS X is more secure. It’s binary code written by humans and potentially vulnerable to being exploited by humans. Macs are gaining popularity and with that will come attention and attacks.

A familiarity with what your programs are supposed to look like can help you identify anomalous behavior. Know what your antivirus alerts look like so when you see a fake one it’s obvious you’re being attacked. Patching is another solid defense. At the bare minimum always patch operating systems, browsers, and the Adobe products Flash, Shockwave, Reader and Acrobat as soon as patches become available…on all platforms.

I highly recommend Secunia PSI for Windows users. It’s free for home use and will monitor your computer for updates specific to your hardware and the software installed. It provides assistance with remediation as well, providing links to patches or details on how to close the gaps.

I bet you’d be hard pressed to find anyone who has used the Internet for more than a year who hasn’t run into something malicious, whether they are aware of it or not. People cling to guns for self-defense from an enemy they’ll likely never encounter. Yet they’ll pay no attention to a virus detection or the fact that their computer “might” be infected. I realize education and awareness aren’t as exciting as guns, but they’ll protect you from a whole lot more than a gun probably ever will.

Educate yourself.

IE Zero Day Coming Your Way

Symantec, and subsequently Microsoft, released information about a new zero day vulnerability in Internet Explorer being exploited in the wild. This first salvo was targeted and appears to have been contained with the malicious payload servers in Poland taken down, but exploit code is available. Which is more than can be said about the patch. Internet Explorer 6 and 7 are currently the most vulnerable.

Microsoft Out of Band Patch Released – Patch Now!

Microsoft released two out of band patches today. MS09-034 resolves an issue that crept up as a zero-day threat just before Patch Tuesday a few weeks back. And apparently in trying to fix that vulnerability either 1) a light bulb went off somewhere or 2) someone showed them the light, because the bonus patch was MS09-035 affecting a component of Visual Studio products, the Active Template Library (ATL). These are absolutely critical vulnerabilities, potentially worse than Conficker/Downadup and MS08-067.

Why are these so dangerous? MS09-034 was a zero-day release, meaning it was being exploited in the wild before the vulnerability had been disclosed publicly. Zero-days are dangerous depending on the availability and ease of exploit. In this case, it’s a critical vulnerability. I’d rush to get it out on any system that hits the web. But MS09-035 has potentially far reaching implications. I’m still searching out information, but there are already indications that the ATL vulnerability may affect a fair number of third-party applications. In other words, the ripple effect of this one may last a long time.

Virus Detected?

If you’re running antivirus software and you see the dreaded virus detection notice, take heed and be paranoid. Many drive-by infections will throw a host of exploits at a possible victim in their attempts to optimize the ratio of “visitors” and successful infections. With malware variants, polymorphism and obfuscation, antivirus is only going to go so far in its ability to detect and prevent and typically that’s not far enough.

So next time your antivirus software tells you a virus was detected, consider it a warning, not a notification. There’s a good chance something malicious has landed on your machine and your antivirus is clueless to the fact. If antivirus detects one infection and misses another it’s a tie.

And in the attacker/victim game of life, tie goes to the attacker.

April Fool’s… Is the Joke on Us?

Conficker, aka Downadup, is a worm that grew to prominence thanks to the vulnerability patched in MS08-067 last October. It’s getting widespread popularity in the media these days and deservedly so; a large botnet is always a source of concern and I wish the media paid more attention to the risks/dangers of malware and the people/organizations behind the criminal activity. But all this April 1st talk…is it hype? I’ve had at least a dozen people ask me, “are you ready for April 1st?” Um…yes.

Yes, Conficker is going to “do something” on April 1st. But if anyone in the mainstream media were to stop and think or at the least ask an insightful question instead of latching on to the latest doom and gloom theme of the day and driving it over the cliff, they might be telling a different story than the one you’re hearing from the various media outlets.

For starters, I recommend F-Secure’s wonderful Questions and Answers: Conficker and April 1st. In a nutshell, computers infected with Conficker.C (a variant of the original worm) are going to “update” themselves. All we know is that it’s going to up the ante from phoning home to a batch of 250 domains a day to 500 out of 50,000 a day, making it much harder to disrupt the phone home communications (which is how infections like this get their updates and commands for actions to perform). But since that’s all we know, that leaves a lot of room for conjecture and imagination.
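The jump from 250 to 500 daily domains is aimed at the people trying to sinkhole the phone-home traffic, but it leaves a mark a defender can watch for. An infected host that tries hundreds of generated names every day finds that most of them were never registered, so its resolver logs fill up with NXDOMAIN answers. The following is an added example of that detection idea (my own illustration, not from F-Secure’s Q&A or the original post): it reads constructed DNS query/response lines, counts distinct names answered NXDOMAIN per client per hour, and flags clients over a threshold. The log line shape, the client addresses, the names (all under the reserved .invalid TLD) and the threshold are assumptions for the example.

```python
"""Added example: flag clients with a burst of NXDOMAIN answers in one hour.
Log format, client addresses and threshold are assumptions for illustration."""
import re
from collections import defaultdict

# Assumed line shape: "<ISO timestamp> client <ip> query: <name> rcode: <RCODE>"
LINE_RE = re.compile(r"^(\S+) client (\S+) query: (\S+) rcode: (\w+)$")


def parse_dns_line(line):
    """Parse one log line into a dict, or None if it does not match the assumed shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, name, rcode = m.groups()
    return {"hour": ts[:13], "client": client, "name": name, "rcode": rcode}


def nxdomain_counts(lines):
    """Map (client, hour) -> number of distinct names that were answered NXDOMAIN."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_dns_line(line)
        if rec and rec["rcode"] == "NXDOMAIN":
            seen[(rec["client"], rec["hour"])].add(rec["name"])
    return {key: len(names) for key, names in seen.items()}


def flag_clients(lines, threshold=20):
    """Return clients whose distinct-NXDOMAIN count in any single hour meets the threshold."""
    counts = nxdomain_counts(lines)
    return sorted({client for (client, _hour), n in counts.items() if n >= threshold})


def build_sample():
    """Constructed log lines: one ordinary host and one host that looks like it is cycling names."""
    lines = [
        "2009-03-30T10:02:11 client 10.0.2.15 query: www.example.com. rcode: NOERROR",
        "2009-03-30T10:02:12 client 10.0.2.15 query: wwww.example.com. rcode: NXDOMAIN",
    ]
    # Suspect host: 30 distinct never-resolving names within one hour.
    for i in range(30):
        lines.append(
            f"2009-03-30T10:{i:02d}:00 client 10.0.2.40 query: host{i:03d}.invalid. rcode: NXDOMAIN"
        )
    return lines


SAMPLE = build_sample()

if __name__ == "__main__":
    for client in flag_clients(SAMPLE):
        print("possible phone-home name cycling from", client)
```

Counting distinct names rather than raw answers keeps a single mistyped hostname that gets retried from tripping the alert; the threshold is something you tune against your own resolver’s normal NXDOMAIN rate before trusting it.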

So let’s think rationally for a minute. The people/organization behind Conficker are VERY sophisticated, highly proficient and professional. We aren’t dealing with a couple kids with a grudge here. The landscape has changed, but mass media doesn’t seem to realize it. The business models that cybercriminals apply these days are in line with modern corporate structures. There are boards of directors, hiring managers, developers and sales. What do they sell? Why, that would be access to your infected PC. Once infected by a bot your computer is there to do the attacker/owner’s bidding. If they need processing power to crack a password, they can use your PC. If they want to launch other attacks, they can use your computer. If they are bored and want to watch you on your webcam, they can. More and more these days, botnet rentals have become yet another business model.

Imagine you have a business. You have 2 million customers but if anyone finds out who your customers are you’ll risk losing their business. On April 1st you can sign those customers up to a contract extension. Why would you risk doing anything that would cause you to lose those customers?

I’m not buying it. The press wants you to think all hell is going to break loose because it sells papers. But there’s nothing about this worm that indicates its creators are stupid. Why, on April 1st when they are deploying an update that is going to ensure their botnet stays strong for months to come, would they risk losing it all at the same time? It doesn’t add up. Yes, there are stupid criminals. But these criminals are smarter than the mainstream media.

The effect of the media’s attention is dangerous and misplaced. Cybercriminals are already taking note of the attention, offering new FakeAV/Rogue malware that pose as Conficker removal tools. But even worse, they’re creating a “boy who cried wolf scenario.” What will the media be saying about Conficker if it just does its updating on April 1st and slips quietly back into cyberspace? I guarantee you there will be more than one news anchor piping a comment about how it obviously wasn’t as big a deal as they thought and shrugging it off. Gee thanks. You just made my job that much harder by lowering the guard.

Cybersecurity isn’t a one-off story every 6 months to a year to fill a news quota or aid a slow news day or to fulfill a producer’s zeal for a doomsday shocker. Accessing the Internet is like walking in a really bad neighborhood at 2 a.m. It’s risky and potentially dangerous; caution, awareness and knowledge are your defenses. That pocket knife in your pocket (aka antivirus software) might help you, but chances are it won’t.

So do us a favor, mainstream media. Use your powers to do good. Keep awareness and understanding of cybercrime on your radar and treat it regularly and consistently. The sky is falling stories only breed skepticism and doubt among users in a world where letting your guard down for one minute can have far more reaching impact than most users would ever expect.

Conficker may do more than just update on April 1st, but I’ll be surprised if it does. I just hope the media doesn’t do more harm than good in their treatment of the results.

Fake A/V Scamware

I’ve been tracking the rash of fake A/V scamware since last fall and while most of these are probably out of commission, the list below provides a glimpse into the creative (or lack thereof) domain names that are popping up daily. I’ve not had a chance to cross-reference this list with Dancho Danchev’s, but may try if the campaign keeps building steam. I’ve typically been submitting 3-10 copies of the malicious executables a day to Virustotal with disappointing results (3/38 vendors catching them typically). So not only are the domains shifting just enough to inhibit prevention, the payload is as well.
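For anyone who wants to do the same kind of tracking (this applies equally to the Virustotal advice in the Tough Love post above), here is an added example of the hash-then-look-up routine, my own code and not something from the original post or from VirusTotal: it computes a sample’s SHA-256, optionally asks the VirusTotal API v3 for an existing report on that hash (GET /api/v3/files/{sha256} with the x-apikey header, so nothing is uploaded), and boils the report’s last_analysis_stats down to the “x/y vendors” ratio quoted above. The API key and the sample bytes are placeholders, the embedded report is constructed to reproduce the 3/38 figure from this post, and the verdict thresholds are my own assumption.

```python
"""Added example: hash a file, look up its VirusTotal report, summarise the detection ratio.
API key, sample bytes and verdict thresholds are placeholders/assumptions for illustration."""
import hashlib
import json
import urllib.request

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{}"
API_KEY = "REPLACE-WITH-YOUR-API-KEY"          # placeholder, not a real key
SAMPLE_BYTES = b"constructed example bytes, not malware"   # placeholder input


def sha256_of(data: bytes) -> str:
    """SHA-256 hex digest; the hash is what you look up, so the file never has to leave your machine."""
    return hashlib.sha256(data).hexdigest()


def fetch_report(sha256: str, api_key: str = API_KEY) -> dict:
    """Fetch an existing VT v3 report for a hash. Only called when you run this yourself."""
    req = urllib.request.Request(VT_FILE_URL.format(sha256), headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def detection_ratio(report: dict):
    """Return (detected, total) from last_analysis_stats.
    Engines that timed out or do not support the file type are left out of the total."""
    stats = report["data"]["attributes"]["last_analysis_stats"]
    detected = stats.get("malicious", 0) + stats.get("suspicious", 0)
    total = detected + stats.get("undetected", 0) + stats.get("harmless", 0)
    return detected, total


def verdict(report: dict, threshold: int = 3) -> str:
    """Turn the ratio into a working verdict. Thresholds are an assumption, not VT guidance."""
    detected, total = detection_ratio(report)
    if detected >= threshold:
        return f"likely malicious ({detected}/{total})"
    if detected > 0:
        return f"suspicious, low coverage, treat as untrusted ({detected}/{total})"
    return f"no detections, which is not proof of clean ({detected}/{total})"


# Constructed report shaped like a v3 response; reproduces the 3/38 ratio from the post.
SAMPLE_REPORT = {
    "data": {"attributes": {"last_analysis_stats": {
        "malicious": 3, "suspicious": 0, "undetected": 35, "harmless": 0, "timeout": 0}}}
}

if __name__ == "__main__":
    digest = sha256_of(SAMPLE_BYTES)
    print("sha256:", digest)
    print("verdict on constructed report:", verdict(SAMPLE_REPORT))
    # To query for real: print(verdict(fetch_report(digest, API_KEY)))
```

Looking up by hash first is the habit worth forming: it tells you whether a sample is already known without submitting a possibly sensitive file, and a 0/38 result on a never-seen hash is exactly the case the post warns about, where the absence of detections says nothing about the file being clean.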

If you’re unfamiliar with the scam, good on you. Typically, you’d be surfing the web and get a pop-up stating that your machine is infected. The browser would then display a page that looks eerily similar to Windows “My Computer” being scanned for infections and infections being detected. The tip off here is that all of this occurs within the browser…so being a little observant would go a long way to keeping your machine clean. If you follow the social engineering attempt, you’ll download an executable which, when run, will install the fake A/V software. It will then make your life a living hell telling you your machine is infected and it must be cleaned…which will require you to register the software. Paying into the scam will not get your machine clean and since you’re providing credit card information to do so, it’s potentially going to cost you a lot more than the $40 or $50 they want initially.

If you see any activity like this while surfing the web, Alt-F4 (close active window shortcut in Windows) is your best friend.

The last numbers I saw were from Panda Security via The Register and estimated it to be a $15 million/month campaign, and that was in August 2008. From the traffic I see, the malicious domains serving the infection have not slowed down since then.


Spring patching

April is a good month to take some time to get up to date on your patching. There was a healthy dose of Black Tuesday Microsoft patches (Microsoft/SANS) and a Flash exploit that was a prize winner in a recent hacking contest was patched. There have also been recent updates to Quicktime (patch details), a bunch of Adobe products, and browsers other than Internet Explorer (Firefox/Opera/Safari). So free up some time this month and take a few minutes to review installed applications and make sure you’re up-to-date!

“3D Screensaver” spam

Sunbelt Software has a good write-up on a recent spike in 3d screen saver spam. It’s a free screen saver that comes at a price. The malware has been tracked back to a re-emerging malware gang and is a gift that keeps on giving. Looks like Sunbelt is pursuing them hard, so kudos for their efforts. Always handle attachments and links in an e-mail message with extreme care. If you don’t know how to do that, check out page 12 of the US-CERT’s Common Sense Guide to Cyber Security for Small Businesses or any of the other links in the Resources > Awareness & Education section.