ESET Threat Blog

Archive for the 'AVIEN' Category

PleaseRobMe


Thursday, February 18th, 2010

We seem to have pointed out rather often recently that giving away lots of information on Facebook, Twitter and other social network sites isn't a good idea.

PleaseRobMe claims, somewhat amusingly, to be a resource for burglars, saving them the trouble of searching through Twitter and Foursquare for information on whose house is currently unoccupied. In fact, what it's doing is scooping the info from Twitter et al.

More (with links) at http://avien.net/blog/?p=442.

David Harley CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter:
http://twitter.com/esetresearch http://twitter.com/ESETblog
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Also blogging at:
http://smallbluegreenblog.wordpress.com/
http://avien.net/blog
http://blogs.securiteam.com
http://blog.isc2.org/
http://macvirus.com/

Millennium Falcon: Crash & Burn Revisited


Wednesday, January 6th, 2010

I originally posted this on the AVIEN blog site at http://avien.net/blog/?p=286, but in view of the increasing volume of "Y2.10k" date-related bug reports, I'll re-post it here with an updated list. (Thanks to Mikko Hypponen for posting a couple of links I hadn't seen.)

Windows Mobile/SMS bug (Welcome to 2016!)
http://www.theregister.co.uk/2010/01/05/windows_mobe_bug/

http://www.wmexperts.com/y2016-sms-bug

Bank Bugs:
http://www.theregister.co.uk/2010/01/04/bank_queensland/

http://www.msnbc.msn.com/id/34706092/ns/technology_and_science-security/?ocid=twitter

Symantec bug
http://www.theregister.co.uk/2010/01/05/symantec_y2k10_bug/
http://www.symantec.com/connect/forums/official-status-sepm-definitions-stay-31-12-2009-last-updated-04-jan-2010

Spamassassin FP bug:
http://www.spamresource.com/2010/01/spamassassin-2010-bug.html

SAP bug: "SAP have detected a problem in the spool area which affects all customers in the world regardless of the SAP release and any support package level."
http://www.basissap.com/2010/01/sap-spool-issue-affects-all-releases/
http://service.sap.com/sap/support/notes/1422843

It's not really that surprising that we're seeing more date-related bugs than at the start of the Millennium: this is a more-or-less accidental cluster of somewhat similar bugs, as far as I can see. It’s certainly not an industry-wide issue that was foreseen years in advance and therefore attracted serious proactive research and remediation.

In fact, if there’s a lesson here, it’s one for the people who dismiss the entire Y2K remediation issue as hype and wasted resources. Well, there was a great deal of hype around at that time (did anyone actually see a Y2K virus?), and a number of consultants made money out of advising IT people on the ground to do what they were already doing.

However, given the (short-term) impact of this handful of unanticipated (but fairly easily fixed) bugs, I think it’s reasonable to assume that if system administrators and support technicians all over the globe hadn’t done that proactive remediative work, the first weeks of the new millennium would have been a lot more dramatic.

Like Ross Anderson (http://www.cl.cam.ac.uk/~rja14/Papers/y2k.pdf), I doubt if the sky would have fallen if that work hadn't been done, but some of the consequent issues would have been harder and more expensive to fix reactively.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence


AVIEN blog: Absolute Elsewhere


Saturday, November 14th, 2009

Strangely enough, I'm actually encouraged to contribute to other blog pages, perhaps in the hope that I'll stop cluttering this page with rubbish about iPhones.

Today I've finally remembered that I'm supposed to contribute regularly to the AVIEN blog page at http://avien.net/blog/. You might find these a little lighter in tone than I tend to be here, but still security-related (AVIEN is the Anti-Virus Information Exchange Network):

Lawyers in Love: http://avien.net/blog/?p=35

Now we are 60-something: http://avien.net/blog/?p=40

(Grannyx is a version of Linux safe enough for your Granny to use: it's a bit hypothetical at the moment but Alan Solomon has been advocating it for years.)

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence


AVIEN and Testing


Tuesday, October 6th, 2009

Some readers will be aware of my long-standing connection with the Anti-Virus Information Exchange Network (AVIEN) at http://www.avien.net (I hold the title of Chief Operations Officer there). AVIEN has now instigated a member’s blog at http://www.avien.net/blog, and I’ve put up a couple of blogs today on testing to help kick it off (Andrew Lee, my former colleague at ESET, is also doing some blogging there).

Testing, Testing (yes, Andrew and I did use that as the title of an ESET conference paper!) asks whether an anti-malware testing organization can claim that its testing is "open and transparent" (i.e. in accordance with principle three of the AMTSO fundamental principles of testing document) if that information is only made available for a fee to the company that makes a tested product, and whether making such a charge before the test really qualifies as "vendor independent". (These are issues that are likely to come up for heated discussion at the AMTSO Workshop in Prague next month.)

Blog Reviews points to some resources addressing the FTC's (Federal Trade Commission) attempt to make bloggers who review products (not just AV products, of course) more accountable by making them declare financial interest/bias. This is, of course, an example of AMTSO's principle two in action: it deals with bias, financial incentives and so on.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence


AMTSO Anticipations


Tuesday, September 15th, 2009

One of the more interesting things to happen to me in the past few months – well, that I’m going to talk about in public – is that I was elected to the Board of Directors of AMTSO (The Anti-Malware Testing Standards Organization). Interesting and scary: the first couple of months have seen me at three face-to-face meetings (fortunately for me, two of them were one after the other at the same venue in the UK), and my conference calls and email volumes have definitely escalated.

But that’s OK. If you’ve been following my blogs over the past 18 months or so, or seen any of my presentations on testing, you’ll have noticed that I’m pretty enthusiastic about AMTSO and its aims: I believe that it’s the best chance we have right now of closing the enormous gap between the unrealistic assumptions, expectations and methodologies adopted by so many testers, and the realities of the threatscape and the security technologies that this industry currently works with. I’m well aware that many people are cynical about the purity of intent of anti-malware companies, but there are some of us who believe that fairer testing would benefit the better security vendors as well as their customers.

Right now I’m trying to catch up with the papers that have been circulated following the last member’s meeting in Budapest a few months ago, in preparation for the next meeting, which takes place in Prague next month (hard on the heels of next week’s Virus Bulletin conference in Geneva).

I expect a lot of exciting stuff to find its way onto the agenda: there are quite a few more papers on their way through the compiling/editing/approval process, some on such controversial topics as malware creation.

ACME AV

I also expect some lively discussion around the topics discussed at the strategy meeting at the end of August, where the Board of Directors and the Advisory Board met. The Advisory Board is a group of respected individuals who are well acquainted with the malware field, but not aligned with the industry: as there are quite a few security vendors participating as members, the AB's impartial advice is invaluable in helping to correct any tendency to focus on the interests of the security and testing industries at the expense of the wider community.

There’s been a lot of interest in the Review Analysis Board in recent months, and one of the topics likely to be discussed in depth is the possibility of streamlining that process and supplementing it with other measures of compliance with AMTSO testing principles. That may lead to some heated debate, but I think it’s a necessary discussion: AMTSO compliance, whatever you (or I) may understand by that term, is something that a lot of people are anxious to see.

If you're affiliated with a company that's already a member, maybe I'll see you in Prague. If you're not, but you're going to be in Geneva for VB 2009, you may find Righard Zwienenberg's AMTSO presentation on Thursday 24th of interest. Either way, I hope to see some of you at one event or the other, or both. I'm more than happy to talk about ESET, AMTSO, AVIEN or anything else. :-D Though not necessarily officially…

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence


Fake Antimalware – Old Dogs, New Tricks


Sunday, September 6th, 2009

(1)

Websense, our neighbour in San Diego, has reported a fake anti-malware scam centred on Labor Day social engineering. The scam uses malicious SEO (Search Engine Optimization) techniques, sometimes referred to as index hijacking or SEO poisoning, to misdirect potential victims. When the victim uses Google to search for Labor Day sales (apparently these are very popular in the US), the bad guys use SEO poisoning to ensure that some of the highest ranking hits are actually malicious URLs that redirect the victim to a site "warning" him that his machine is infected and offering "free but fake" anti-virus software. According to Websense, AOL and ASK.com have been affected by similar SEO poisoning.

(We have a paper on our white papers page on the topic of fake anti-malware, written by Cristian Borghello, one of my colleagues in ESET Latin America. This describes how "free" anti-malware can turn out to be pretty expensive.)

There's nothing particularly new about SEO poisoning, of course: my colleague on the AMTSO Board of Directors, Igor Muttik, wrote a comprehensive chapter for the AVIEN Malware Defense Guide* on web attacks that includes a section on index hijacking. Similarly, malware frequently uses social engineering based on public holidays to lure its victims – remember the Waledac 4th of July spam, which we and Websense, among others, also flagged? – as well as other attention-grabbing topics such as the Athens fires. Nevertheless, it's well worth reiterating that this kind of social engineering isn't restricted to spamming out malicious attachments or links. You may trust Google's good intentions, but that doesn't mean that every link that turns up in a Google search is going to be trustworthy.

Like legitimate concerns who make money out of their web presence, the bad guys also like to take steps to ensure that their "business" is top of the heap in web searches.

(2)

Sophos have also brought our attention to a slightly novel wrinkle currently employed by fake AV distributors. In this case, it's a fake AV product which doesn't just tell you that you're infected by imaginary malware, but tells you which files are "spyware". We have seen instances where a system is deliberately attacked in order to sell the "solution": for instance, part of the pitch for one type of fake file recovery software was to encrypt some of the victim's files and flag them as "corrupted", so that the fake software can "repair" them. Fortunately, this isn't quite the same: the Trojan isn't actually creating malware on the victim's machine: it's simply creating garbage files and flagging them as malicious. However, they can't execute and are easily removed (you certainly don't need to buy the fake AV to remove them).

You may wonder what’s to stop these guys generating real malware. Well, not much: there’s nothing to stop one malicious program generating another, which a third (the fake security software) claims to detect and remove. The reason that we don’t see this more often may simply be that the authors of fake AV are constantly trying to blur the distinction between fake security software and the real thing. This has at least two advantages for them:

  • It makes it more difficult (obviously) for a potential victim to spot a rogue product
  • By trying to make real security products look bad, they increase the take-up of their own badware.

So they may be holding back from generating real malware in contexts where it will make it harder for them to claim in court, for example, that the fake scanner is legitimate security software.

However, that doesn't mean that some criminal genius won't decide that it makes sense to write the malware and the "anti-malware" at the same time. In fact, there are precedents for this that go back to the 1990s: indeed, I once declined to participate in a book project that was intended to teach the art of antivirus development by describing how to write specific viruses, and then describing how to write detection routines.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

*Dr. Igor G. Muttik, "A Tangled Web", in "The AVIEN Malware Defense Guide for the Enterprise", ed. Harley, Syngress 2007.


Turkish Delight


Saturday, August 22nd, 2009

So, back in harness. I’ve been away for a couple of weeks: not on holiday as such, though I did take some days out, but concentrating on writing: it didn’t hurt that I didn’t have a full-strength internet connection to distract me, though.

Before I left, I was interviewed by a Turkish security site. It was an interesting experience in that when I get interviewed by the press it’s usually about something fairly specific, whereas this was more of an "opinion piece". Anyway, I assumed that most of you probably wouldn’t want to go and read it in Turkish, but some of you might find it interesting in English. Well, maybe not.

There were only half a dozen questions, but my answers were uncharacteristically verbose, so I’ll split them across a couple of blogs.

Question (1): Are we afraid of surfing on the Internet?

I don't know, but we probably should be. I wouldn't really want to see everyone so terrified of the hackers and bogeymen that they won't make use of all the possibilities for business and social networking that the Internet offers, but we should at least have a healthy respect for the risks that Internet browsing entails.

I wouldn't want to turn everyone with an internet connection into a security geek, either, but we (all of us who pride ourselves on being proficient computer users, not just the security industry) haven't done a good job of conveying to the wider community a sense of what they should and shouldn't do in order to stay (reasonably) safe. In fact, that's an important point: if you know that there's no such thing as safe browsing, you have a choice.

  • You can throw your hands up in the air and say "I’m never going to use the web because it’s too dangerous"
  • Or you can stop thinking about risk elimination and start thinking about risk management. Not in terms of a big corporate exercise in PRINCE project management, conforming with ISO standards, and lengthy risk analysis procedures, but just common sense.
    • "Is it sensible to do my online banking at a hotspot in a city park?"
    • "Should I let someone else use my PC when I’m logged on as an administrator?"
    • "Why is my bank sending me email about a problem with my account addressed to ‘Dear valued customer’ instead of using my name?"

Question (2): What are your opinions about IT Security?

As Gandhi is supposed to have said about Western civilization, I think it would be a good idea.

Well, of course, we have all the security we can handle, but it's compromised by a fog of misinformation and mythology, half-understood concepts promoted by the media, politicians and so on: it's no wonder so many people just look at all the conflicting advice and say "I can't be bothered with all this. I'm just going to click on this icon…"

There's a famous tripartite data security model: Confidentiality, Integrity, Availability. Of course, all three are vital, certainly to a business or to an individual who uses online services to run his finances. But if you lose Availability, your system has failed, irrespective of whether it's the Wily Hacker, your ISP, or your director of IT who's stopped you accessing your own data.

Question (3): What advice can you offer about gaining experience in Personal Security?

"How do I get to Carnegie Hall?" "Practice…"

At any rate, practice is one way of getting experience in personal security. For many people in my generation and earlier (I had my first email accounts before there was such a thing as the world wide web), it was almost the only option: you learned by experience, and if you were very lucky, you learned quickly enough not to jeopardize your own online health or that of your family, friends and workmates. Of course, there were (mostly academic) training opportunities around. As the web started to come together and the Internet ceased to be an academics' playground as people noticed and seized commercial opportunities, we began to see a lot more commercial training, of highly variable quality.

Actually, as a specialist in anti-malware, my perspective is probably particularly jaundiced. There's never been much training from within the anti-malware industry (and what there is is nearly all vendor-centric). Unfortunately, there's not much security training from outside the industry from people who are really knowledgeable about malware management. Some SANS training looks up to the mark though, even though the SANS publicity machine can be pretty AV.

So at what level of experience are you thinking of here in terms of your audience?

  1. Experienced enough to surf reasonably safely in their spare time?
  2. Enough to carry out their daily IT-oriented work safely?
  3. Enough to be a security professional?

For categories one and two, there are sites that carry reasonably good information for the non-technical reader. The Anti-Phishing Working Group has good resources at http://education.apwg.org/ with information on phishing, money laundering and so on.

ESET is heavily involved with a community project called Securing Our eCity that provides some impartial resources, and we have some white papers, conference papers and so on, on our own web site at http://www.eset.com/download/whitepapers.php, most of which are also non-partisan. Many other vendors have similar resources and most of them now cast their nets far wider than antivirus. SANS (www.sans.org) has an enormous range of resources as well as a range of security-related courses, certifications and so on that is a good starting point for some more professional career paths.

However, the term security professional covers an awful lot of ground. It took me about 12 pages of the AVIEN Guide to cover just the main training opportunities for someone with an anti-malware/IDS systems leaning, so I'm not going to be able to do the topic justice in an email.

Actually, I can't do justice to any of these areas here. I have done massive lists of useful URLs in the past, but the last one I made public was in 2007: I probably need to update and republish it.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
