Microsoft Out of Band Patch Released – Patch Now!

Microsoft released two out of band patches today. MS09-034 resolves an issue that crept up as a zero-day threat just before Patch Tuesday a few weeks back. And apparently in trying to fix that vulnerability either 1) a light bulb went off somewhere or 2) someone showed them the light, because the bonus patch was MS09-035 affecting a component of Visual Studio products, the Active Template Library (ATL). These are absolutely critical vulnerabilities, potentially worse than Conficker/Downadup and MS08-067.

Why are these so dangerous? MS09-034 was a zero-day release, meaning it was being exploited in the wild before the vulnerability had been disclosed publicly. How dangerous a zero-day is depends on the availability and ease of the exploit. In this case, it’s a critical vulnerability. I’d rush to get it out on any system that hits the web. But MS09-035 has potentially far-reaching implications. I’m still searching out information, but there are already indications that the ATL vulnerability may affect a fair number of third-party applications. In other words, the ripple effect of this one may last a long time.

Virus Detected?

If you’re running antivirus software and you see the dreaded virus detection notice, take heed and be paranoid. Many drive-by infections will throw a host of exploits at a possible victim in their attempts to optimize the ratio of “visitors” to successful infections. With malware variants, polymorphism and obfuscation, antivirus is only going to go so far in its ability to detect and prevent, and typically that’s not far enough.

So next time your antivirus software tells you a virus was detected, consider it a warning, not a notification. There’s a good chance something malicious has landed on your machine and your antivirus is clueless to the fact. If antivirus detects one infection and misses another it’s a tie.

And in the attacker/victim game of life, tie goes to the attacker.

April Fool’s… Is the Joke on Us?

Conficker, aka Downadup, is a worm that grew to prominence thanks to the vulnerability patched in MS08-067 last October. It’s getting widespread popularity in the media these days and deservedly so; a large botnet is always a source of concern and I wish the media paid more attention to the risks/dangers of malware and the people/organizations behind the criminal activity. But all this April 1st talk…is it hype? I’ve had at least a dozen people ask me, “are you ready for April 1st?” Um…yes.

Yes, Conficker is going to “do something” on April 1st. But if anyone in the mainstream media were to stop and think or at the least ask an insightful question instead of latching on to the latest doom and gloom theme of the day and driving it over the cliff, they might be telling a different story than the one you’re hearing from the various media outlets.

For starters, I recommend F-Secure’s wonderful Questions and Answers: Conficker and April 1st. In a nutshell, computers infected with Conficker.C (a variant of the original worm) are going to “update” themselves. All we know is that it’s going to up the ante from phoning home to a batch of 250 domains a day to 500 out of 50,000 a day, making it much harder to disrupt the phone home communications (which is how infections like this get their updates and commands for actions to perform). But since that’s all we know, that leaves a lot of room for conjecture and imagination.

So let’s think rationally for a minute. The people/organization behind Conficker are VERY sophisticated, highly proficient and professional. We aren’t dealing with a couple of kids with a grudge here. The landscape has changed, but mass media doesn’t seem to realize it. The business models that cybercriminals apply these days are in line with modern corporate structures. There are boards of directors, hiring managers, developers and sales. What do they sell? Why, that would be access to your infected PC. Once infected by a bot, your computer is there to do the attacker/owner’s bidding. If they need processing power to crack a password, they can use your PC. If they want to launch other attacks, they can use your computer. If they are bored and want to watch you on your webcam, they can. More and more these days, botnet rentals have become yet another business model.

Imagine you have a business. You have 2 million customers but if anyone finds out who your customers are you’ll risk losing their business. On April 1st you can sign those customers up to a contract extension. Why would you risk doing anything that would cause you to lose those customers?

I’m not buying it. The press wants you to think all hell is going to break loose because it sells papers. But there’s nothing about this worm that indicates its creators are stupid. Why, on April 1st, when they are deploying an update that is going to ensure their botnet stays strong for months to come, would they risk losing it all at the same time? It doesn’t add up. Yes, there are stupid criminals. But these criminals are smarter than the mainstream media.

The effect of the media’s attention is dangerous and misplaced. Cybercriminals are already taking note of the attention, offering new FakeAV/Rogue malware that poses as Conficker removal tools. But even worse, they’re creating a “boy who cried wolf” scenario. What will the media be saying about Conficker if it just does its updating on April 1st and slips quietly back into cyberspace? I guarantee you there will be more than one news anchor piping up with a comment about how it obviously wasn’t as big a deal as they thought and shrugging it off. Gee, thanks. You just made my job that much harder by lowering the guard.

Cybersecurity isn’t a one-off story every 6 months to a year to fill a news quota or aid a slow news day or to fulfill a producer’s zeal for a doomsday shocker. Accessing the Internet is like walking in a really bad neighborhood at 2 a.m. It’s risky and potentially dangerous; caution, awareness and knowledge are your defenses. That pocket knife in your pocket (aka antivirus software) might help you, but chances are it won’t.

So do us a favor, mainstream media. Use your powers to do good. Keep awareness and understanding of cybercrime on your radar and treat it regularly and consistently. “The sky is falling” stories only breed skepticism and doubt among users in a world where letting your guard down for one minute can have a far wider impact than most users would ever expect.

Conficker may do more than just update on April 1st, but I’ll be surprised if it does. I just hope the media doesn’t do more harm than good in their treatment of the results.

Width-In-Defense

Depth in defense is always a priority in securing an environment. For the novice, the notion is that the more layers of defense you have in place, the more likely you’ll be able to detect the bad guys and their malicious code. The typical analogy is that of a fortified castle. From the outside in, a deep and wide moat surrounds the outer wall, with a drawbridge and/or portcullis to control and limit access. The inner walls provide an additional layer of protection for the castle, with additional barriers in place around the keep. And let’s not forget the men and women who strategize and defend their home. Firewalls, intrusion prevention devices, web gateways, and endpoint protection act as similar layers in the depth-in-defense model. It’s a good model, and if designed, managed and monitored properly it will serve as a well-fortified defense system.

What concerns me is less the depth model and more how it’s constructed. I saw a prediction a year or so ago from an executive at one of the big security vendors that within 5 years there would be roughly 5 vendors who owned just about every security-based solution available. The trend continues in that direction. From a marketing standpoint, great for them. They can wrap them all up nicely in a bundle and say they are the single-source solution to all your security problems. But is that great for us, the end user?

Sure, the solutions they offer for the varying layers differ. A web security gateway isn’t an endpoint or antivirus client. But if the same company provides you that web gateway and the antivirus, do you gain anything running their antivirus on the web gateway? Mixing vendors, bringing in different ways of performing a similar function, is critical if you want to provide the best defense. Antivirus solutions vary greatly in their methodology and detection capabilities. They almost all use some level of signature-based detection, which is inherently weak in an age of malicious code that can polymorph or obfuscate by the second. The more layers of various antivirus solutions you can place between the attackers and your hosts, the more likely you’ll be able to stop the malicious code.

Revisiting the castle analogy, those outer walls by the moat seem like a good place for archers. The drawbridge/portcullis probably would benefit more from foot soldiers and hot oil vats above the entryway. Cavalry to stampede through the narrow lanes as attackers draw near to the inner keep, and your best and finest swordsmen and archers defending the castle proper.

Depth is critical, but depth plus width is where you’ll truly improve your chances of defense. You may have to suffer with different front-end management systems for the varying solutions but, honestly, most times you’re going to be better off isolating the administration of the varying layers as opposed to dealing with an all-in-one solution that in reality is a jumbled mess to manage. The majority of monitoring concerns can be handled with some basic alerting, event correlation or security information management.

So next time a vendor tells you they have the answer to all your security needs, think width-in-defense before you sign up for their suite of solutions.

Fake A/V Scamware Revisited

Following up on my post from yesterday, if you’re interested in IPS or web filter URL paths, a majority of the fake a/v paths have been consistent:

  • /2009/download/trial/InstallAV*
  • /download/av_2009glof.exe
  • /download/av_360glof.exe
  • /promo/download/trial/InstallAV*
  • /spygd08/install.php

Blocking these or blocking executable downloads from URLs including these paths won’t stop them all but they will certainly help.
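As an added example (not code from the original post), here is a small Python matcher that applies the path list above to proxy log lines: it blocks any URL whose path contains one of the known fake a/v paths (the trailing * is treated as a wildcard) and flags any other .exe download for review. The log format and the hostnames in the sample lines are constructed for the example.

```python
import re
from fnmatch import translate
from urllib.parse import urlsplit

# URL paths from the post; '*' is a glob wildcard (InstallAV*).
FAKE_AV_PATHS = [
    "/2009/download/trial/InstallAV*",
    "/download/av_2009glof.exe",
    "/download/av_360glof.exe",
    "/promo/download/trial/InstallAV*",
    "/spygd08/install.php",
]

# fnmatch.translate() turns each glob into a regex that must match through the end
# of the path; re.search lets the known path appear anywhere in a longer path.
_PATTERNS = [re.compile(translate(p), re.IGNORECASE) for p in FAKE_AV_PATHS]


def classify_url(url):
    """'block' if the path contains a known fake a/v path, 'review' for any
    other .exe download, otherwise 'allow'. Query strings are ignored."""
    path = urlsplit(url).path
    if any(pat.search(path) for pat in _PATTERNS):
        return "block"
    if path.lower().endswith(".exe"):
        return "review"
    return "allow"


# Constructed proxy log lines (hypothetical format: ts client method url status).
SAMPLE_LOG = """\
1234567890.123 10.0.0.5 GET http://scanner.example.invalid/promo/download/trial/InstallAV_77.exe 200
1234567891.456 10.0.0.7 GET http://dl.example.invalid/download/av_2009glof.exe 200
1234567892.789 10.0.0.9 GET http://update.example.invalid/updates/setup.exe 200
1234567893.000 10.0.0.9 GET http://www.example.invalid/index.html 200
"""


def scan_log(text):
    """Return [(client, url, verdict)] for every line whose verdict is not 'allow'."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines rather than failing the whole scan
        client, url = fields[1], fields[3]
        verdict = classify_url(url)
        if verdict != "allow":
            hits.append((client, url, verdict))
    return hits


if __name__ == "__main__":
    for client, url, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:6} {client} {url}")
```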

Fake A/V Scamware

I’ve been tracking the rash of fake A/V scamware since last fall and while most of these are probably out of commission, the list below provides a glimpse into the creative (or lack thereof) domain names that are popping up daily. I’ve not had a chance to cross-reference this list with Dancho Danchev’s, but may try if the campaign keeps building steam. I’ve typically been submitting 3-10 copies of the malicious executables a day to Virustotal with disappointing results (3/38 vendors catching them typically). So not only are the domains shifting just enough to inhibit prevention, the payload is as well.

If you’re unfamiliar with the scam, good on you. Typically, you’d be surfing the web and get a pop-up stating that your machine is infected. The browser would then display a page that looks eerily similar to Windows “My Computer” being scanned for infections and infections being detected. The tip off here is that all of this occurs within the browser…so being a little observant would go a long way to keeping your machine clean. If you follow the social engineering attempt, you’ll download an executable which, when run, will install the fake A/V software. It will then make your life a living hell telling you your machine is infected and it must be cleaned…which will require you to register the software. Paying into the scam will not get your machine clean and since you’re providing credit card information to do so, it’s potentially going to cost you a lot more than the $40 or $50 they want initially.

If you see any activity like this while surfing the web, Alt-F4 (close active window shortcut in Windows) is your best friend.

The last numbers I saw were from Panda Security via The Register and estimated it to be a $15 million/month campaign, and that was in August 2008. From the traffic I see, the malicious domains serving the infection have not slowed down since then.

Palin Hack Advice

No, I’m not giving her advice on how to be a political hack…she’s getting lots of that already.

You’ve probably heard by now how Sarah Palin’s Yahoo! mail account was accessed by a 20-year-old from Memphis. Basically, the attacker used the password reset feature, which prompts you to answer several personally identifiable questions, such as “Where did you meet your spouse?” Being a governor only made that type of information all too easy to find.

Interestingly enough, the Grand Jury in Chattanooga convened on the matter today. I stumbled across this on the ISC Handler’s Diary page and had to share the advice.

Just because you’re presented with a “process” that looks and feels secure, doesn’t mean it is. It’s not just the 1s and 0s that are vulnerable; vulnerabilities start with the user at the keyboard. An uneducated user is almost guaranteed to be attacked. In this case, a seemingly “secure” solution of personal questions provides the user with a choice: secure my information or risk it all. Provide an accurate answer and just about anyone who has some level of personal knowledge (social networking sites anyone?) about you has discovered a vulnerability and can attack at will. Provide a false answer and you increase your odds of protection drastically.

Holey DNS!

It’s been a while since I posted, but that doesn’t mean I’ve not been busy. Trends have been all over the map lately. It would take me weeks to catch the site up with everything that has been going on since my last post, so I’ll try to fill in pieces as I can going forward.

That said, for now:

PATCH DNS NOW! There are rumblings of a potentially disastrous DNS cache poisoning vulnerability. We won’t know just how bad this is until Dan Kaminsky gives his presentation Aug. 7th. If it’s a nasty one but the impact is negligible, then credit Kaminsky, CERT, Microsoft and the other vendors involved for the way the disclosure has been handled and the patch release coordinated. Time will tell…

Spring patching

April is a good month to take some time to get up to date on your patching. There was a healthy dose of Black Tuesday Microsoft patches (Microsoft/SANS) and a Flash exploit that was a prize winner in a recent hacking contest was patched. There have also been recent updates to Quicktime (patch details), a bunch of Adobe products, and browsers other than Internet Explorer (Firefox/Opera/Safari). So free up some time this month and take a few minutes to review installed applications and make sure you’re up-to-date!