ESET Threat Blog


Archive for the 'Aryeh Goretsky' Category

Tamper-Proof Anti-Malware


Monday, November 2nd, 2009

As I already mentioned briefly in a blog about our October Threat Trends Report, researchers Christopher and Samir came up with an interesting idea at the First International Workshop on Aggressive Alternative Computing and Security, held under the auspices of ESIEA Laval (École Supérieure d'Informatique, Electronique et Automatique).

They took a handful of scanners (including NOD32), installed them, then logged in as administrator and tried to disable them as fast as possible. It's nice to know that NOD32 turned out to be more resistant than most to tampering like this, whereas some products can be disabled simply by manipulating their support files on disk. Frankly, though, if I were using the product that was disabled in two minutes rather than thirty-three, I probably wouldn't change products on the basis of this test. The sad fact is that if an attacker has direct access to a machine with administrator rights, it's usually game over: the security software is running at the same privilege level as the adversary. Essentially, it's all about context.

As Pierre-Marc has pointed out, a test like this isn't a very meaningful measure of a product's effectiveness:

“Malware has to execute code to disable the AV. If a piece of malware is detected, it will never execute and thus the process of the antivirus is safe. Our proactive detection is our best defense against disabling of ESET’s program by malware.”

You might be reminded of the infamous “Race to Zero” contest at Defcon 16, which essentially told no-one anything new but generated much heated discussion among our readers (http://www.eset.com/threat-center/blog/?s=race+to+zero).

In fact, useful research often comes out of ESIEA, and at least this exercise was apparently carried out without using real malware (unless you have a very prejudiced view of the EICAR test file) or reverse engineering. As Aryeh Goretsky, ESET Distinguished Researcher, has suggested, we look forward to receiving more details, in order to see whether we can make use of them to strengthen the product. He also points out that, given this exercise's reliance on physical access to systems, it would be quicker and easier in the real world to boot from removable media to carry out such an attack, and that strong passwords and full-disk encryption could be used to mitigate that risk.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

September’s Global Threat Report


Tuesday, October 6th, 2009

ESET released its Global Threat Report for the month of September, 2009, identifying the top ten threats seen during the month by ESET’s ThreatSense.Net™ cloud.  You can view the report here and, as always, the complete collection is available here in the Threat Trends section of our web site.  While the report identifies a number of different types of malware, in this article, I’d like to focus on the Conficker worm as well as the class of worms which spread via AutoRun.

Conficker

While the overall percentage of reports is on the decline, the Conficker worm (also known as Win32/Conficker, Downadup and Kido) continues to make its presence known throughout cyberspace, accounting for 10.75% of detections.  This was actually a slight upswing from August’s 10.12%, but given that many businesses have employees on vacation during the summer, that is not unexpected, and it is still below the 12.58% seen in July.  The Win32/Conficker worm spreads using several vectors: exploiting unpatched operating systems, copying itself to network shares protected by weak passwords, and via AutoRun on removable media such as USB flash drives.  ESET detects the malicious AUTORUN.INF file used by the worm to spread separately from its Win32 portable executable file, and currently sees a ratio of about one AUTORUN.INF detection to every 4.8 detections of the worm’s executable.
 
While a substantial number of Conficker infestations are blocked at the removable-media layer, there are still a large number of networks out there where the worm is spreading.  While ESET’s software does detect and remove the Conficker worm, it is important to keep in mind that anti-malware is only one component of security, and that other steps need to be taken as well in order to keep a network clean:
  • If you have not already done so, deploy Microsoft’s MS08-067 patch for the Server service vulnerability initially used by the worm to infect systems.  It is also a good idea to install the SMB-related MS08-068 and MS09-001 patches as well.
  • Disable AutoRun on removable media.  More about this below.
  • Use strong passwords.  The Conficker worm carries a list of commonly-used passwords that it tries against administrative network shares in order to spread.  A list is mentioned in this news article.  For more information about choosing good passwords, see these three earlier ThreatBlog articles here, here and here.  We also have a white paper on the subject.
ESET classifies Conficker into several variants, depending upon their behavior and technology.  For more information on each classification, see the following ESET Virus Encyclopedia entries: Conficker.A, Conficker.AA, Conficker.AE, Conficker.AQ, Conficker.AR and Conficker.X.

Worms continue to spread quick as a flash

The AUTORUN.INF file, a technology originally envisioned a decade-and-a-half ago to simplify the deployment of content on CD-ROMs, continues to be a top vector for malware.  ESET uses a variety of heuristic algorithms and generic signatures to detect both the AUTORUN.INF files which contain links to malware (detected as INF/Autorun, coming in at third place with 7.53% of detections) and the malware which creates them (Win32/Autorun, in ninth place with 0.78%).  Together they account for 8.31% of detections seen in September, but keep in mind that other threats which spread via AUTORUN.INF files are identified first as specific threats such as Conficker, so the actual number of threats making use of this technique is higher.
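To make the "links to malware" idea concrete, here is an added triage script (not ESET's detection logic and not part of the original post) that parses an AUTORUN.INF file the way Windows does, looking only at key=value pairs inside the [autorun] section, and flags the directives a removable-media worm needs in order to get code executed: an open= or shellexecute= that launches an executable or a system host such as rundll32, a path into a folder Explorer normally hides, and an action=/icon= pair that imitates the built-in "Open folder to view files" entry. The sample file is constructed for this example and the heuristics are illustrative.

```powershell
# Added example (not ESET's code nor from the original post): parse an AUTORUN.INF
# file the way Windows does (only keys in the [autorun] section matter) and flag the
# directives removable-media worms use to get code executed. The heuristics are
# illustrative, not ESET's INF/Autorun signatures.
function Get-AutorunInfFindings {
    param([Parameter(Mandatory = $true)][string]$Content)

    $keys = @{}
    $inAutorun = $false
    foreach ($rawLine in ($Content -split "`r?`n")) {
        # Worms often pad the file with junk bytes and bogus lines; the Windows
        # parser ignores anything that is not a key=value in [autorun], so do the same.
        $line = ($rawLine -replace '[^\x20-\x7E]', '').Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $inAutorun = ($Matches[1] -eq 'autorun'); continue }
        if ($inAutorun -and $line -match '^([A-Za-z]+)\s*=\s*(.*)$') {
            $keys[$Matches[1].ToLower()] = $Matches[2].Trim()
        }
    }

    $findings = New-Object System.Collections.Generic.List[string]
    foreach ($k in 'open', 'shellexecute') {
        if (-not $keys.ContainsKey($k)) { continue }
        $v = $keys[$k]
        # Either a script/DLL host or a directly executable file type means code runs.
        if ($v -match '(?i)\b(rundll32|cmd|wscript|cscript|regsvr32|mshta)\b' -or
            $v -match '(?i)\.(exe|dll|scr|com|pif|bat|cmd|vbs|js)\b') {
            $findings.Add("$k= launches code: $v")
        }
        if ($v -match '(?i)(recycler|\$recycle\.bin|system volume information)') {
            $findings.Add("$k= points into a folder Explorer normally hides: $v")
        }
    }
    if ($keys['action'] -match '(?i)open folder to view files') {
        $findings.Add("action= mimics the built-in 'Open folder to view files' entry")
    }
    if ($keys['icon'] -match '(?i)shell32\.dll') {
        $findings.Add("icon= borrows a system folder icon so the fake entry looks genuine")
    }
    return $findings
}

# Constructed sample (not a real worm's file) in the style of the autorun.inf files
# that removable-media worms drop: a fake "open folder" entry that really runs a
# DLL via rundll32 from a hidden RECYCLER directory, padded with a junk comment line.
$sample = @'
[autorun]
;Bk3Xq9z
Action=Open folder to view files
Icon=%systemroot%\system32\shell32.dll,4
shellexecute=RUNDLL32.EXE .\RECYCLER\S-1-5-21-0000\payload.vmx,entry
UseAutoPlay=1
'@

$findings = @(Get-AutorunInfFindings -Content $sample)
if ($findings.Count -gt 0) {
    Write-Output 'Suspicious autorun.inf:'
    $findings | ForEach-Object { Write-Output " - $_" }
} else {
    Write-Output 'No code-launching directives found.'
}
```

Run against the sample, the script reports all four findings. A legitimate CD-ROM installer's autorun.inf will usually trigger the first check too (open=setup.exe is exactly what the mechanism was designed for), which is why this is a triage aid rather than a verdict, and why disabling AutoRun outright, as described below, is the more robust control.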
 
In order to block malware which spreads in this fashion, AutoRun on removable media needs to be disabled.  This has been discussed earlier in ESET’s Threat Blog here and here, and US-CERT, the federal organization responsible for securing the government’s computers, gives instructions here as well.
Microsoft’s forthcoming versions of Windows, Windows 7 for desktops and Windows Server 2008 R2 for servers, ship with this change, and it has been made available as an update for older versions of Microsoft Windows, such as Windows XP, Vista, Server 2003 and Server 2008.  For more information, including tools to apply the change, see this knowledgebase article on Microsoft’s web site.
 
As mentioned previously, anti-malware software is only part of the security equation.  Removing this unneeded functionality from your PC immunizes it against a technique used by nearly a fifth of the malware reported to us last month (Conficker plus the INF/Autorun and Win32/Autorun families).  The tools and techniques used to disable AutoRun can be applied in under a minute on a single PC and are easily scriptable, so they can be deployed across a managed environment with a minimum of effort.  We strongly recommend doing this.
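As an added worked example of the "easily scriptable" point (this is not Microsoft's tool and not from the original post), the script below applies the registry settings that disable AutoRun for every drive type and then reads them back to confirm the change took. It assumes an elevated PowerShell prompt, that NoDriveTypeAutoRun=0xFF sets the "no AutoRun" bit for all drive types, that HonorAutorunSetting only has an effect on systems where Microsoft's AutoRun update is installed, and that the IniFileMapping entry makes Windows look for Autorun.inf settings in a registry key that does not exist, so every Autorun.inf is treated as empty.

```powershell
# Added example (not from the original post or the Microsoft article it links to).
# Applies the registry settings that disable AutoRun on every drive type and then
# reads them back. Run from an elevated PowerShell prompt.
# Assumptions: NoDriveTypeAutoRun=0xFF sets the "no AutoRun" bit for all drive types;
# HonorAutorunSetting takes effect only on systems with Microsoft's AutoRun update
# installed; the IniFileMapping entry redirects Autorun.inf parsing to a registry key
# that does not exist, so any Autorun.inf is treated as empty.

$PolicyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
$IniMapKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'

function Set-AutorunDisabled {
    foreach ($key in $PolicyKeys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Bits: 0x04 removable, 0x08 fixed, 0x10 network, 0x20 CD/DVD, 0x40 RAM disk;
        # 0xFF sets every bit, including the unknown/reserved drive types.
        New-ItemProperty -Path $key -Name NoDriveTypeAutoRun -PropertyType DWord -Value 0xFF -Force | Out-Null
        New-ItemProperty -Path $key -Name HonorAutorunSetting -PropertyType DWord -Value 1 -Force | Out-Null
    }
    if (-not (Test-Path $IniMapKey)) { New-Item -Path $IniMapKey -Force | Out-Null }
    # Default value of the key: tells Windows to read Autorun.inf from a key that is absent.
    Set-ItemProperty -Path $IniMapKey -Name '(default)' -Value '@SYS:DoesNotExist'
}

function Test-AutorunDisabled {
    $ok = $true
    foreach ($key in $PolicyKeys) {
        $value = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if (($null -eq $value) -or (($value -band 0xFF) -ne 0xFF)) {
            Write-Warning "$key NoDriveTypeAutoRun is '$value', expected 0xFF"
            $ok = $false
        }
    }
    $map = (Get-ItemProperty -Path $IniMapKey -ErrorAction SilentlyContinue).'(default)'
    if ($map -ne '@SYS:DoesNotExist') {
        Write-Warning "Autorun.inf IniFileMapping is '$map', expected @SYS:DoesNotExist"
        $ok = $false
    }
    return $ok
}

Set-AutorunDisabled
if (Test-AutorunDisabled) { Write-Output 'AutoRun disabled for all drive types.' }
```

The HKLM policy value takes precedence over the HKCU one, so the per-user write is belt-and-braces for machines where users log on before the machine policy is applied. In a domain, the Group Policy setting "Turn off Autoplay" (Windows Components, AutoPlay Policies) writes the same NoDriveTypeAutoRun value under the HKLM policy key, so prefer a GPO over a logon script where one is available; the Test-AutorunDisabled function still serves as an independent check that the policy actually landed.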

Conclusion

As you can see, malware relies on a number of ways to spread.  Some of them are closed by updating the operating system; others by replacing less-secure default behavior, chosen in less security-conscious times, with modern secure settings.
 
We’ll discuss the threats we saw last month in further detail, as well as explain how to better defend yourself in a future blog article.
 
Regards,

Aryeh Goretsky MVP, ZCSE
Distinguished Researcher

Armor for Social Butterflies


Tuesday, September 8th, 2009

I was speaking with our friend David Perry at Trend Micro about the insecurity of social networking services and what steps users could take to strengthen their security online. In the course of our conversation, we came up with a list of simple steps you could take to better protect yourselves.

  • Be careful about whom you befriend. Many social networking services seem to be structured around an online popularity model, making prominent note of how many friends, links, nodes or other connections you have. This is definitely a smart move on their part, since it not only encourages you to spend more time on their site, but it also greatly reduces their marketing and customer acquisition costs, since you do the work for them. Think about whether or not you really need to add that person to your network before linking to them. While it may be fun to be a social butterfly in the real world, it might be better to be something of an armadillo online.
  • Think before you click. Do not take it for granted that URL shortening services like bit.ly and TinyURL are redirecting you to trustworthy web sites. URL shortening is great for micro-blogging services like Twitter; however, because you typically cannot see the destination URL beforehand, there is a certain amount of risk. Also, there is an issue as to what happens to shortened URLs over the life of the service. What happens if they get recycled or hijacked and re-pointed to a new malicious web site? Also, what happens if the business goes under and the domain name gets acquired by a malicious (or merely incompetent) organization? Twitter and Bit.Ly use Google’s Safe Browsing API to check for malicious sites, and TinyURL provides a Preview option which allows you to see the address of a web site before visiting it. While these are good security steps, they are not a replacement for protecting your computer with security software. For additional information, see the following ESET ThreatBlog articles: "Shorteners/Redirectors: short of ideas," "Compressed URLs & Twitter," "TinyURL: The Tiny Terror," and "TinyURL and Anti-Spyware Toolbar." 
  • It’s a matter of trust. Many social networking sites have APIs (application programming interfaces) that allow developers to create various add-ons, plugins, web applications and programs that connect with the service. Just because a social networking site has security and privacy policies does not necessarily mean that third-party tools have them as well, or that they take them as seriously. Know the difference between a social networking site and applications from other parties used to interact with it, and find out what policies each party has with respect to information you might enter, such as your username and password. 
  • Browse differently. Consider using a different web browser to visit social networking web sites. If you normally use the web browser provided by your operating system vendor, consider using one by an independent software provider. While these may not have the same features or look-and-feel as the web browser provided with your operating system, criminals are less likely to take the time to look for exploits in web browsers used by fewer people, and to target them as they do more popular web browsers. Cybercriminals nowadays are in search of a good ROI (return on investment) and it is much more profitable for them to look for holes in a web browser that can be found running on 70% of computers than it is to spend time probing the web browsers used by the remaining 30% of users.
  • Get unplugged. When visiting social networking sites, disable scripting, plugins, Java and Flash and only enable each feature as and when it is needed. Running your web browser in a sandbox or a virtual machine can provide an additional layer of protection as well. 
  • Truth is relative, and so are your relatives. Social networking sites often collect a wide variety of biographical information, not just to allow you to reset your password, but to allow people to find each other on their site. This kind of searchable information is a goldmine for identity fraudsters. So, think about the answers to questions you are being asked, and consider when it might be appropriate to lie a little. For example, the answers to questions about birthdays, mother’s maiden names, first pets and the like are commonly used to reset a password. Knowing or being able to find the answers to these types of questions easily makes it easier for someone to steal your identity, even if you aren’t an Alaskan governor running for the office of Vice-President.   If you use false answers, though, consider keeping a small notebook or stack of index cards near your computer to keep track of the data you enter into each social networking site should you ever need to reset your password. For more information about keeping your personally-identifiable information safe, see ESET ThreatBlog article "Honesty Is Not The Best Policy For Password Resets." Keep in mind also that if you aren’t sure of the identity of all your Twitter followers and Facebook buddies, telling the world that you’re on vacation for the next three weeks might be opening the door to a physical intruder. 
  • tRuSt_no_1. Use a strong and a different password for each social networking site. If you have a methodology for creating strong passwords, make sure it is complex and distinctive enough that the accidental disclosure of two or three passwords on social networking sites will not compromise all the others. Because passwords are such an integral part of the computing experience, we frequently discuss them. For additional information you can read the following ESET ThreatBlog articles: "Password Mythology," "Emotions Are Poor Passwords" and "%$^& is Fine for Cussing, But Not a Great Password" as well as ESET’s white paper on creating secure passwords, "Keeping Secrets."
  • Dial it up to 11. Many social networking sites offer different levels of privacy and security, and the default values are usually to allow others to see your information and contact or otherwise connect with you. While it may seem like overkill to increase the security so that only your peers and friends can see you and to approve all invitations to connect manually, it actually requires far less effort (and embarrassment) than having to de-louse your computer. And it saves you from having to apologize to all your online buddies about the message they received from your stolen credentials asking them visit web sites containing pictures of naked Hollywood starlets. Note: This may be less of an issue for you if you normally tell your friends to visit these types of web sites. 
  • Make friends with The Man. Many social networking sites have an official security web page, group or address that you can follow, join or otherwise befriend. Stay abreast of site-specific security issues by reading what they have to say.  Here are the privacy and security pages for several social networking sites: Digg, Facebook, Friendster, Hi5, MySpace, Orkut, StumbleUpon, Twitter and Xbox LIVE. Keep in mind, though, that the quality of such pages can be highly variable, as is the speed of response from each site. Sometimes, what is best for them commercially may not always be the best for your personal safety. 
  • Staying safer in the aether. If you regularly access social networking sites from a wireless connection make sure you have taken appropriate precautions to secure your computer. For more information, see the ESET ThreatBlog article, "Fly By Wireless." 
  • Advanced tip: Limiting access. More advanced users and network administrators might want to consider blocking access to social networking sites, or at least to the ancillary sites used by programs that interface with them by way of their APIs. This can be done in many ways, such as entries in the hosts file, using an RBL (real-time block list) in conjunction with your security software and/or gateway router, or even running a local caching DNS server on your network that answers for the blocked domains itself instead of resolving them.

Social networking sites are meant to be fun places where you can network and spend time online with your friends. However, the Internet is just like the real world when it comes to which neighborhoods you choose to spend time in. Keep aware of your surroundings and protect yourself appropriately. For further information about staying safe online, I would suggest, as a jumping off point, visiting Securing Our eCity, a public and private initiative in which ESET and other companies, organizations and agencies participate.

Regards,
 
Aryeh Goretsky MVP, ZCSE
Distinguished Researcher