Monday, November 2nd, 2009
As I already mentioned briefly in a blog about our October Threat Trends Report, researchers Christopher and Samir came up with an interesting idea at the First International Workshop on Aggressive Alternative Computing and Security, held under the auspices of ESIEA Laval (École Supérieure d'Informatique, Electronique et Automatique).
They took a handful of scanners (including NOD32), installed them, then logged in as administrator and tried to disable them as fast as possible. It's nice to know that NOD32 turned out to be more resistant than most to tampering like this, whereas some products can be disabled by simply manipulating support files on disk. Frankly, though, if I were using the product that was disabled in two minutes rather than thirty-three, I probably wouldn't change products on the basis of this test. The sad fact is that if you have direct access to a machine with administrator rights, it's usually game over. Essentially, it's all about context.
As Pierre-Marc has suggested, this isn't a very meaningful measure of a product's effectiveness.
“Malware has to execute code to disable the AV. If a piece of malware is detected, it will never execute and thus the process of the antivirus is safe. Our proactive detection is our best defense against disabling of ESET’s program by malware.”
You might be reminded of the infamous “Race to Zero” contest at Defcon 16, which essentially told no-one anything new but generated much heated discussion among our readers (http://www.eset.com/threat-center/blog/?s=race+to+zero).
In fact, useful research often comes out of ESIEA, and at least this exercise was apparently carried out without using real malware (unless you have a very prejudiced view of the EICAR test file) or reverse engineering. As Aryeh Goretsky, ESET Distinguished Researcher, has suggested, we look forward to receiving more details, in order to see whether we can make use of them to strengthen the product. He also suggests that given the reliance in this exercise on physical access to systems, it would be quicker and easier to boot from removable media to carry out such an attack in the real world, and that strong passwords and disk encryption could be used to mitigate the risk.
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php
Securing Our eCity community initiative: http://www.securingourecity.org/
Posted in Aryeh Goretsky, David Harley, Pierre-Marc Bureau, Threat Report | No Comments »
Tuesday, October 6th, 2009
ESET released its Global Threat Report for the month of September, 2009, identifying the top ten threats seen during the month by ESET’s ThreatSense.Net™ cloud. You can view the report here and, as always, the complete collection is available here in the Threat Trends section of our web site. While the report identifies a number of different types of malware, in this article, I’d like to focus on the Conficker worm as well as the class of worms which spread via AutoRun.
Conficker
While the overall percentage of reports is on the decline, the Conficker worm (also known as Win32/Conficker, Downadup and Kido) continues to make its presence known throughout cyberspace, accounting for 10.75% of detections. This was actually a slight upswing from August’s 10.12%, but given that many businesses have employees on vacation during the summer, this is not unexpected, and it is still below the 12.58% seen in July. The Win32/Conficker worm spreads using several vectors, such as unpatched operating systems, vulnerable network shares and AutoRun on removable media such as USB flash drives. ESET detects the malicious AUTORUN.INF file used by the worm to spread separately from its Win32 portable executable file, and currently sees a ratio of about one AUTORUN.INF file to every 4.8 executable file detections of the worm.
While a substantial number of Conficker infestations are blocked at the removable media infection layer, there are still a large number of networks out there where the worm is spreading. While ESET’s software does detect and remove the Conficker worm, it is important to keep in mind that anti-malware is only one component of security, and that other steps need to be taken as well in order to keep a network clean:
- If you have not already done so, deploy Microsoft’s MS08-067 patch for the vulnerability initially used by the worm to infect systems. It is also a good idea to install the MS08-068 and MS09-001 patches as well.
- Disable AutoRun on removable media. More about this below.
- Use strong passwords. The Conficker worm contains a set of commonly-used passwords in order to make it easier for the worm to spread across network shares. A list is mentioned in this news article. For more information about choosing good passwords, see these three earlier ThreatBlog articles here, here and here. We also have a white paper on the subject.
Worms continue to spread quick as a flash
The AUTORUN.INF file, a technology originally envisioned a decade-and-a-half ago to simplify the deployment of content on CD-ROMs, continues to be a top vector for malware. ESET uses a variety of heuristic algorithms and generic signatures to detect both the AUTORUN.INF files which contain links to malware—detected as INF/Autorun and coming in at third place with 7.53% of detections—as well as the malware which creates them: Win32/Autorun, coming in at ninth place with 0.78%. Together, they account for 8.31% of detections seen in September, but it is important to keep in mind that other threats which spread via AUTORUN.INF files are first identified as specific threats such as Conficker, so the actual number of threats seen which make use of this technique is higher.
In order to block malware which spreads in this fashion, the option to use AutoRun on removable media needs to be disabled. This has been discussed earlier in ESET’s Threat blog here and here, and US-CERT, a federal agency responsible for securing the government’s computers, gives instructions here as well.
Microsoft’s forthcoming versions of Windows, Windows 7 for desktops and Windows Server 2008 R2 for servers, will implement this, and the change has been made available for older versions of Microsoft Windows, such as Windows XP, Vista, Server 2003 and Server 2008. For more information, including tools to apply the change, see this knowledgebase article on Microsoft’s web site.
As mentioned previously, anti-malware software is only part of the security equation. Removing this un-needed functionality from your PC instantly immunizes it against a technique used by nearly a fifth of malware out there. The tools and techniques used to disable AutoRun functionality can be applied in under a minute on a single PC and are easily scriptable so they can be employed in a managed computer environment with a minimum amount of effort. We strongly recommend doing this.
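One way to script the audit and the change described above, as an added example that is not ESET's or Microsoft's own tool: it reads the NoDriveTypeAutoRun policy value (the registry setting behind the AutoRun policy; the post does not name it) and, with -Remediate, sets it to 0xFF, which disables AutoRun for every drive type. It assumes an elevated PowerShell session and, for the optional patch check, that KB958644 is the update for MS08-067 (supplied here from general knowledge, not from the post).

```powershell
# Added example, not ESET's or Microsoft's code. Audits (and with -Remediate enforces)
# the AutoRun policy recommended in the post above, then checks for the MS08-067 patch.
# Assumptions: elevated PowerShell session; on Windows XP/2003/Vista/2008 the policy is
# honoured fully only after the Microsoft update the post links to is installed.
param(
    [switch]$Remediate   # report only unless this switch is given
)

# Machine-wide and per-user locations of the Explorer AutoRun policy.
$PolicyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
$DisableAllDriveTypes = 0xFF   # every drive-type bit set: no AutoRun anywhere
$RemovableDriveBit    = 0x04   # bit for DRIVE_REMOVABLE (USB flash drives etc.)

function Get-AutoRunPolicy {
    param([string]$Path)
    # Returns the NoDriveTypeAutoRun DWORD, or $null when the key or value is absent.
    if (-not (Test-Path -Path $Path)) { return $null }
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.NoDriveTypeAutoRun) { return $null }
    return [int]$props.NoDriveTypeAutoRun
}

function Test-RemovableAutoRunDisabled {
    param($Value)
    # AutoRun on removable media is off only when the removable-drive bit is set.
    if ($null -eq $Value) { return $false }
    return (([int]$Value -band $RemovableDriveBit) -ne 0)
}

function Set-AutoRunDisabled {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name 'NoDriveTypeAutoRun' -Value $DisableAllDriveTypes -Type DWord
}

foreach ($path in $PolicyPaths) {
    $current = Get-AutoRunPolicy -Path $path
    $shown = if ($null -eq $current) { '<not set>' } else { '0x{0:X2}' -f $current }
    if (Test-RemovableAutoRunDisabled -Value $current) {
        Write-Output "$path : NoDriveTypeAutoRun = $shown (removable-media AutoRun disabled)"
        continue
    }
    Write-Output "$path : NoDriveTypeAutoRun = $shown (removable-media AutoRun ENABLED)"
    if ($Remediate) {
        Set-AutoRunDisabled -Path $path
        Write-Output "  set to 0xFF; the change applies at the next logon"
    }
}

# Optional: confirm the MS08-067 patch is installed. KB958644 is the knowledge-base
# number for that bulletin as known to the author of this example; it is not on the page.
$patch = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue
if ($patch) {
    Write-Output "MS08-067 (KB958644) installed on $($patch.InstalledOn)"
} else {
    Write-Output "MS08-067 (KB958644) NOT found - patch this host (Get-HotFix lists OS updates only)"
}
```

Run it without arguments first to see the current state of both policy locations, then with -Remediate on hosts that report ENABLED; the same script can be pushed through whatever management tooling the environment already uses.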
Conclusion
As you can see, malware relies on a number of ways to spread, some of which are closed off by updating the operating system and others by replacing less secure behavior, chosen in less security-conscious times, with more modern secure settings.
We’ll discuss the threats we saw last month in further detail, as well as explain how to better defend yourself in a future blog article.
Regards,
Aryeh Goretsky MVP, ZCSE
Distinguished Researcher
Posted in Aryeh Goretsky, Conficker, ESET, General, Global Threat Report, INF/Autorun, MS08-067, News, PSW.OnLineGames, Threat Report, ThreatSense, Trojan, Trojan downloader, Win32/Agent, Windows, Worm, admin shares, anti-malware, autoinfect, autorun, botnet, browser security, confiker, downadup, exploit, kido, malware, open shares, patch, patch management, threat trends, top ten, virus | 8 Comments »
Thursday, October 1st, 2009
"Now may I suggest some of the things we must do if we are to make the American dream a reality. First, I think all of us must develop a world perspective if we are to survive. The American dream will not become a reality devoid of the larger dream of brotherhood and peace and goodwill. The world in which we live is a world of geographical oneness…" - Dr. Martin Luther King, from a speech delivered at Lincoln University, Pennsylvania, June 6, 1961
If Dr. King had still been alive today to see the wonders of the global connectivity of the Internet, he would probably consider the quoted portion of his speech as a "statement before its time."
Today, the global Internet penetration rate stands at approximately 24%. With a global population of 6.7 billion, that equates to roughly 1.6 billion users on the Internet across the globe. At the current penetration rate, cybercrime has become pervasive, pandemic and increasingly connected with other parts of the criminal ecosystem. It ranges from the theft of an individual’s identity to the complete disruption of a country’s Internet connectivity due to a massive distributed attack against its networking and computing resources.
With the remaining 5 billion users to connect to the Internet, there are significant challenges – one of which is cybercrime (via its many methods). There are technological preventative measures that help mitigate cybercrime attacks, but technology alone is not the answer.
The next one billion users on the Internet will not come from developed countries, but rather mostly from developing countries. Awareness, even simple levels of awareness, of various types of risks and cybercrime attacks can yield positive results. This is primarily due to the fact that the weakest link in the “security chain” is, correctly, always quoted as being the end user. The additional one billion users on the Internet will be considered “fresh targets” by the cybercriminals.
The target of cybercrime centers on information – the data that is electronically stored for retrieval and subsequent use. For instance, even with varying levels of per-capita income, the amount of money that stands to be lost to a cybercrime called “phishing” (one of the most common online attacks, in which a person is socially engineered into providing personally identifiable information to someone posing as a trusted source) has the potential to be quite significant due to the sheer number of unaware users at risk.
A real-world example of the scope of the threat: cybercrimes, like phishing and data breaches, are a scalable threat to the United States. These threats are so severe they are detailed as national security threats in the 2009 Annual Threat Assessment Intelligence Briefing to the Senate Intelligence Committee. This represents the scope of one cybercrime problem in a single country, whose users have had several years of exposure to the Internet. New Internet users will face the same difficulties – but from cybercriminals that also have years of experience and that have optimized their attack and evasion techniques.
Infrastructure build-out, deployment and subsequent end-user connectivity should be coupled with effective cybersecurity awareness training – in addition to application usage training. It is the ignorance of on-line risks that poses the greatest threat to the new generation of global Internet citizens. Coordinated global efforts in effective awareness training will transform these new Internet citizens from potential victims to increasingly aware, and less vulnerable, people as a whole.
Jeff Debrosse
Senior Research Director
Securing Our eCity community initiative: http://www.securingourecity.org/
Posted in General, Global Threat Report, Jeff Debrosse, Securing Our eCity, Social Engineering, Threat Report, Twitter, cybercrime, end-user security, ethics, exploit, facebook, fake anti-malware; fake software, identity theft, integrity, job scams, linkedin, malicious URLs, malicious links, money mule, password, password stealer, personal firewall, phish, phishing, recession, rogue antimalware, scams, social networking, society, training, user support, vulnerability | No Comments »
Thursday, July 2nd, 2009
We’ve just finished working on our monthly Threat Report. There aren’t many surprises in the top ten threats for June.
Conficker has taken over the "top spot", relegating INF/Autorun to second place. It’s difficult to say for sure what the significance is, given the relatively small percentage-point difference involved: minor fluctuations in proportions from month to month can be ascribed to factors other than overall upward or downward trends. ThreatSense.Net® doesn’t distinguish between sources: it simply reports when it detects a Conficker infection attempt over any vector (network shares, USB etc).
As we’ve pointed out previously, the real story with Conficker is less the actual malware than the number of people who still aren’t taking elementary precautions such as timely patching and disabling Autorun, properly securing network shares and so on. I would guess that right now, the continuing prominence of Conficker in the ratings is due to lots of machines, mainly home machines or botnetted business machines, that are never patched or properly protected by AV, often because the owner doesn’t bother with all that, or maybe sometimes because of a longstanding infection that’s blocking patches and updates and has never been noticed.
Rather more notable, perhaps, is the entry of Win32/TrojanDownloader.Bredolab.AA into the top ten at number 10. I feel like a DJ when I make a statement like that… (but where will I get one at this time of the afternoon?)
This is an example of a class of application that is intended to act as an intermediary to the infective process. This particular detection label is applied to a range of variants that commonly inject themselves into running processes and attempt to disable some security processes, while creating a registry key that ensures that the program is run at every system startup. It communicates with its command and control (C&C) server over HTTP. This malware has been associated with other malware activity such as Gumblar and Win32/Wigon.
The question is, what does this mean to you?
We’re seeing a great deal of this activity in combination with Flash (SWF) and Acrobat (PDF) exploits, so it’s more important than ever to keep up with Adobe updates and patches as well as Microsoft’s. (Nowadays it pays to keep an eye on new patches for any applications and utilities you use!) Having been somewhat negative about Adobe’s updating processes in the past, I really hope that Adobe’s new patching mechanisms, bringing them into line with Microsoft’s, will help to reduce the impact of these exploits in the longer term.
When a Trojan downloader is installed and active on a system, its main (or only) job is to download malware from a remote site, but it may make changes to the system such as those described above in order to increase its chances of doing so successfully. Other vendors describe different variant suffixes (.G, .HW etc.) as referring to this detection: however, because of the varying detection algorithms used by different vendors, it’s unlikely that there will be an exact match in all cases. Because of ESET’s heavy use of generic signatures and advanced heuristics, our detection label actually picks up many close variants and sub-variants.
As we’re halfway through the year, we’ve also provided a look back at the past few months, and hope you’ll find it useful or at least interesting.
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
Posted in General, Threat Report, ThreatSense | No Comments »
Thursday, February 5th, 2009
Here at ESET we have just released our Global ThreatTrends report for January 2009.
Not surprisingly, at the top of the list is a family of programs that exploit Microsoft’s longest unpatched vulnerability. That’s right: Autorun.inf is an evil “feature” that should have been patched out of existence a long time ago. Since it is so effective for malware, there are lots of threats that exploit it.
In the number two position we find a family of threats that steal passwords for online games. This is also pretty logical. There is a lot of money in the sale of “virtual” items and characters for real money.
In third place is the new kid on the block… the Conficker worm. Conficker is truly a tragedy as it is indicative of really poor security practices. Failure to patch your OS will leave you vulnerable to this worm. Autorun is another attack vector. If you disable autorun you take away another avenue of attack for Conficker and the most widespread threats we see. I’ll have a blog up in a day or two that will show you how to really kill autorun. It’s the patch that MS should have disclosed a long time ago. Administrative shares are another avenue of attack and weak passwords are still another security fault that Conficker exploits.
If you decrease the number of security holes you have, then your goalie, security software, faces fewer shots on goal. That is a basic defensive strategy. Prevention is always better than cure, and Conficker highlights that much more work is required in the prevention department.
You can read the whole report at http://www.eset.com/threat-center/threat_trends/Global_Threat_Trends_January_2009.pdf
Randy Abrams
Director of Technical Education
Posted in Conficker, Global Threat Report, Industry trends, PSW.OnLineGames, Randy Abrams, Threat Report, autorun, gamer, open shares, password, password stealer | No Comments »
Wednesday, January 21st, 2009
You may have noticed that I’ve been making a lot of references to this over the past few weeks. You can now download it here. Quite a few people have worked pretty hard to make this project happen, and I’d like to thank them now. I hope some of you will find it interesting and useful.
We’ve also been doing a little tidying of the white papers page, and there will be some additional material there in the near future, including papers on fake antimalware, the apparently late but unlamented Storm botnet, some of our recent conference papers on testing, malware naming, and user education, and an independent paper on spotting implementational errors in comparative tests that has also been referenced in the AMTSO document on The Fundamental Principles of Testing.
AMTSO (The Anti-Malware Testing Standards Organization) will be considering a number of additional documents next month, on a number of test-related topics, as well as the "terms of engagement" for the newly-appointed Reviews of Reviews board.
This board, on which ESET is represented, will implement one of the areas highlighted in the AMTSO preliminary charter: "Providing analysis and review of current and future testing of anti-malware and related products."
That’s a topic I certainly intend to come back to!
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
Posted in AMTSO, David Harley, Global Threat Report, Threat Report, ThreatSense, anti-malware, anti-malware comparative testing, malware, product testing, threat trends | 1 Comment »
Monday, January 19th, 2009
The top ten (twenty, twenty-five…) season doesn’t seem to have finished yet: the latest to cross my radar was something like seven ways of surviving the recession, which I’m sure is of interest to all of us, but not really in scope for this blog.
So here’s a snippet from our 2008 Global Threat Report, which is about to come out, and from which I’ve previously included some tasters here.
Our in-the-cloud threat-tracking system ThreatSense.Net® gives us a way of tracking detections of known threats over months or years (you may have noticed that I referred to it in a previous blog about Conficker/Downadup), so we looked at the top twenty threat detections reported between January and December 2008.
(See table 1 below)
As you’ll have noticed, there are quite a few very similar detections there such as INF/Autorun, INF/Autorun.gen, and Win32/Autorun.KS, or all the Online Games Password stealers, so we consolidated some of them into a single detection category, as we do for our monthly reports, and reduced the resulting detections to a top ten. (Sometimes, less is more.)
In fact, these detections could have been consolidated further – for instance, there’s an overlap between Pacex and gamer password stealers – but we think that the table above gives a pretty good impression of the underlying trends, which seems to us more useful than focusing on individual variants and sub-families.
The top ten trends are shown in table 2 below.
There’s much more information in the forthcoming report (I’ll link it here when it’s available), but here’s a brief summary of what this table tells us about trends over the past year.
- Gaming password stealers have the largest volume and percentage share over the whole year, even if we don’t include Pacex.gen detections. Gamers are a very popular target.
- Malware that uses the Windows Autorun facility as an infection vector (a very broad classification label) runs gaming trojans a close second. Autorun would be a good idea in a better world, but in the one we actually live in, it’s better for most people if it’s disabled.
- While the general classification of adware covers many distinct programs, the continuing presence of Win32/Toolbar.MyWebSearch and the many variants of the Virtumonde Trojan in the top ten give some idea of the size of the problem.
- The GetCodec downloader and associated threats continue to be a major presence. This testifies to the continued success of social engineering of the “click here and install this program so that you can view this highly desirable content” genus.
- Data theft through PC compromise is one of the most consistent aims of the malware author, as the Win32/Agent group of Trojans indicates.
- The continuing presence of advanced detections like INF/Autorun, Win32/Statik and Win32/Genetik in the top ten testifies to the continuing need for sophisticated heuristics to flag the presence of new malware that doesn’t resemble known malware closely enough to be identified using an existing family identifier.
Table 1: Top 20 Detections

| Malware Detection Name | Detections | % of total detections |
|---|---|---|
| Win32/PSW.OnLineGames.NMY | 22990746 | 6.69% |
| INF/Autorun.gen | 13827373 | 4.03% |
| INF/Autorun | 10593305 | 3.08% |
| Win32/Toolbar.MyWebSearch | 8921028 | 2.60% |
| Win32/Pacex.Gen | 8620971 | 2.51% |
| Win32/PSW.OnLineGames.NMP | 6713116 | 1.95% |
| WMA/TrojanDownloader.GetCodec.Gen | 5685400 | 1.66% |
| WMA/TrojanDownloader.Wimad.N | 5218889 | 1.52% |
| Win32/PSW.OnLineGames.NNU | 5096504 | 1.48% |
| Win32/Agent | 4859566 | 1.41% |
| Win32/Adware.Virtumonde | 4588952 | 1.34% |
| Win32/AutoRun.KS | 4087011 | 1.19% |
| Win32/Genetik | 3828021 | 1.11% |
| Win32/Qhost | 3717897 | 1.08% |
| Win32/Statik | 3244414 | 0.94% |
| Win32/TrojanDownloader.Murlo.NN | 3140400 | 0.91% |
| Win32/Agent.AJVG | 2900763 | 0.84% |
| Win32/HackAV.G | 2305628 | 0.67% |
| Win32/PSW.OnLineGames.ODJ | 2270310 | 0.66% |
| Win32/Patched.BU | 2254901 | 0.66% |
Table 2: Top Ten Trend Detections

| Malware Detection Name | Detections | % of total detections |
|---|---|---|
| Win32/PSW.OnLineGames | 37070676 | 10.78% |
| INF/Autorun | 28507689 | 8.30% |
| WMA/TrojanDownloader.GetCodec.Gen | 10904289 | 3.18% |
| Win32/Toolbar.MyWebSearch | 8921028 | 2.60% |
| Win32/Pacex.Gen | 8620971 | 2.51% |
| Win32/Agent | 7760329 | 2.25% |
| Win32/Adware.Virtumonde | 4588952 | 1.34% |
| Win32/Genetik | 3828021 | 1.11% |
| Win32/Qhost | 3717897 | 1.08% |
| Win32/Statik | 3244414 | 0.94% |
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
Posted in Conficker, David Harley, General, GetCodec, Global Threat Report, INF/Autorun, PSW.OnLineGames, Pacex, Security, Threat Report, ThreatSense, Virtumonde, Win32/Agent, active heuristics, adware, anti-malware, autorun, cloud computing, codec, downadup, gamer, heuristic analysis, heuristics, in-the-cloud, malware, password stealer, threat trends, top ten | 4 Comments »
Monday, January 5th, 2009
If sensitive information is stored on your hard drive (and if you don’t have -something- worth protecting on your system, you’re probably not reading this blog…), protect it with encryption.
Furthermore, when you copy or move data elsewhere, it’s usually at least as important to protect/encrypt it when it’s on removable media, or transferred electronically. Even if the target storage device is secure from malware or hacking, you also need to be aware of other dangers such as physical risks, transit risks, business-related risks such as an escrow site going out of business and so on.
Consider (seriously!) regularly backing up your data to a separate disk (as a bare minimum) and, where possible, a remote site or facility. Sounds extreme? Think about it.
You can’t rely on backing up to another partition on the same disk as the original: if the disk dies, the chances are that all partitions will be lost.
You can’t rely on backing up to another disk on the same system. If the system is stolen, or there’s a fire, for instance, then in the immortal words of Tom Lehrer they’ll "all go together". In the latter instance, the chances are that you’ll lose your thumb drives, CD-RWs and so on as well.
And if you’re working in a corporate environment, you might want to avoid doing what one site I know of did, and back up data to a server, but forget to back up the server itself.
I’m sure I don’t need to remind you to take care of your passwords as well, do I?
David Harley BA CISSP FBCS CITP
Posted in General, Global Threat Report, Security, Threat Report, anti-malware, confidentiality, cryptanalysis, decryption, encryption, malware, password, privacy, top ten | No Comments »
Thursday, January 1st, 2009
Log on to your computer with an account that doesn’t have “Administrator” privileges, to reduce the likelihood and severity of damage from self-installing malware. Multi-user operating systems (and nowadays, few operating systems assume that a machine will be used by a single user at a single level of privilege) allow you to create an account for everyday use that gives you fewer privileges than are available to an administrator.
Most competent system administrators are familiar with (and adhere to) this “principle of least privilege” – simplistically, the more privileges you have as a user, the more damage you can do – and use a privileged account only when they need it to perform a specific task. Following their lead will give an extra layer of protection. However, as always, you shouldn’t think of this as any sort of Magic Bullet. Apart from the fact that there is no Magic Bullet, some modern operating systems have somewhat diluted the least privilege model, making it rather easy for a user with little knowledge of the security implications of administrative privilege to use it inappropriately, exposing the system to threat.
Posted in David Harley, Global Threat Report, Security, Threat Report, anti-malware, malware, top ten | No Comments »
Wednesday, December 31st, 2008
Here’s the second instalment of the "ten ways to dodge cyberbullets" that I promised you.
Keep applications and operating system components up-to-date with automated updates and patches, and by regularly reviewing the vendors’ product update sections on their web sites.
This point is particularly relevant right now, given the escalating volumes of Conficker that we’re seeing currently. Win32/Conficker is a network worm that propagates by exploiting a recently-discovered vulnerability in the Windows operating system (MS08-067). The vulnerability is present in the RPC subsystem and can be exploited remotely by an attacker, without valid user credentials. As we mention in our Threat Report for November, Conficker tries to download additional malware likely to be connected with adware (typically the FakeAlert and Wigon families); it avoids infecting Ukrainian PCs. In addition, it shuts down the Windows firewall and starts an HTTP server on a random port.
Sometimes, it seems that the whole world assumes that the only vendor that suffers from vulnerabilities in its operating system and other software is Microsoft. To see how misleading claims like this can be, check out the weekly “Consensus Security Vulnerability Alert” published by SANS (see http://portal.sans.org), which summarizes some of the most important vulnerabilities and exploits identified in the preceding week. Even during a week that includes “Patch Tuesday”, you’ll typically find that problems are flagged with a frightening number of applications from other vendors. Certainly, any system administrator should consider making use of this resource.
While ESET has effective detection for Conficker, it’s important for end users to ensure that their systems are updated with the Microsoft patch, which has been available since the end of October, so as to avoid other threats using the same vulnerability. Information on the vulnerability itself is available here.
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
Posted in Conficker, General, Global Threat Report, MS08-067, Threat Report, ThreatSense, confiker, cybercrime, downadup, exploit, malware, patch, patch management, threat trends, top ten, vulnerability | No Comments »