RAM Scraping – new attack vector

02. January 2010 · Comments Off on RAM Scraping – new attack vector · Categories: Malware · Tags: , ,

RAM Scraping is a new type of malware being tracked by the security forensics team at Verizon Business. Good article describing it here.

RAM Scraping attacks were first seen targeting Point-of-Sales terminals as a way to get credit card information. However, as users increase the use of password managers to mitigate the risks of phishing and keyloggers, I can see RAM Scraping attacks increasing in popularity.

Good guys bring down a botnet. Or did they?

31. December 2009 · Comments Off on Good guys bring down a botnet. Or did they? · Categories: Botnets, Malware, Network Security

Earlier this week PC World reported that a security researcher at FireEye took down a major botnet, Mega-D. However, LonerVamp weighed in with a more objective analysis of what FireEye accomplished.

Koobface launches new Christmas message attack on Facebook

06. December 2009 · Comments Off on Koobface launches new Christmas message attack on Facebook · Categories: Application Security, Botnets, IT Security 2.0, Malware, Network Security, Next Generation Firewalls, Risk Management, Security Policy, User Activity Monitoring · Tags: , ,

Symantec's Hon Lau, senior security response manager, is reporting that the Koobface worm/botnet began a new attack using fake Christmas messages to lure Facebook users to download the Koobface malware.

This again shows the flexibility of the command and control function of the Koobface botnet. I previously wrote about Koobface creating new Facebook accounts to lure users to fake Facebook (or YouTube) pages.

These Facebook malware issues are a serious security risk for enterprises. While simply blocking Facebook altogether may seem like the right policy, it may not be for two reasons: 1) No access to Facebook could become a morale problem for a segment of your employees, and 2) Employees may be using Facebook to engage customers in sales/marketing activities.

Network security technology must be able to detect Facebook usage and block threats while allowing productive activity.

Koobface botnet creates fake Facebook accounts to lure you to fake Facebook or YouTube page

22. November 2009 · Comments Off on Koobface botnet creates fake Facebook accounts to lure you to fake Facebook or YouTube page · Categories: Botnets, IT Security 2.0, Malware, Network Security, Next Generation Firewalls, Risk Management, Security Policy · Tags: , ,

TrendMicro's Malware Blog posted information about a new method of luring Facebook users to a fake Facebook or Youtube page to infect the user with the Koobface malware agent. 

The Koobface botnet has pushed out a new component that automates the following routines:

  • Registering a Facebook account
  • Confirming an email address in Gmail to activate the registered Facebook account
  • Joining random Facebook groups
  • Adding Facebook friends
  • Posting messages to Facebook friends’ walls

Overall, this new component behaves like a regular Internet user that starts to connect with friends in Facebook. All Facebook accounts registered by this component are comparable to a regular account made by a human. 

Here is yet another example of the risks associated with allowing Facebook to be used within the enterprise. However simply blocking Facebook may not be an option either because (1) it's demotivating to young employees used to accessing Facebook, or (2) it's a good marketing/sales tool you want to take advantage of.

Your network security solution, for example a next generation firewall, must enable you to implement fine grained policy control and threat prevention for social network sites like Facebook.

Evil Maid attack shows that laptop hard drive encryption not the silver bullet

26. October 2009 · Comments Off on Evil Maid attack shows that laptop hard drive encryption not the silver bullet · Categories: Breaches, Malware, Risk Management · Tags: , , , ,

As important as laptop hard drive encryption is, it's not the silver bullet for protecting confidential data on laptops. Bruce Schneier described Joanna Rutkowska's "evil maid" attack against a disk encryption product. This type of attack would probably work against any disk encryption product because disk encryption does not defend against an attack where the attacker gets access to your encryption key.

As usual, risk management is about understanding the threat which you are trying to mitigate. Disk encryption does solve the stolen laptop problem. But if an attacker can get access to your laptop multiple times without your realizing it, the evil maid attack can defeat disk encryption.

PGP, a disk encryption vendor, discusses the limitations of disk encryption and as well as other defenses available to protect against evil maid and other attacks.

Bruce Schneier notes that two-factor authentication will defeat the evil maid attack. BTW, don't leave your token in the hotel room for the evil maid to find. 🙂

Phishing emails have become more convincing

21. October 2009 · Comments Off on Phishing emails have become more convincing · Categories: Botnets, Funds Transfer Fraud, Malware, Social Engineering · Tags: , , ,

The "quality" of phishing emails continues to improve. In other words, the attackers continue to make their phishing emails seem legitimate and thus trick more people into taking the emails' suggested actions. An article in Dark Reading this week discusses research done by F-Secure about new, more convincing, phishing attacks generated by the Zbot botnet which attempts to infect victims with the Zeus trojan. I wrote about how the Zeus trojan is used as a keylogger to steal banking credentials which enable funds transfer fraud

While one might have considered the Dark Reading article a public relations piece for F-Secure, its validity was increased for me by Rich Mogull at Securosis who wrote about  "the first phishig email I almost fell for," i.e. one of these Zbot phishing emails.

If a security person like Rich Mogull, who has the requisite security "paranoia DNA" can almost be fooled, then the phishing attackers are indeed improving their social engineering craft.

URLZone – Funds Transfer Fraud innovation accelerates

04. October 2009 · Comments Off on URLZone – Funds Transfer Fraud innovation accelerates · Categories: Botnets, Breaches, Funds Transfer Fraud, Innovation, Malware · Tags: , , ,

Web security firm, Finjan, published a report (Issue 2, 2009) this week on a more advanced funds transfer fraud trojan called URLZone. It basically follows the now well understood process I blogged about previously, where:

  1. Cybercriminals infect Web sites using, for example, Cross Site Scripting.
  2. Web site visitors are infected with a trojan, in this case URLZone.
  3. The trojan is used to collect bank credentials.
  4. Cybercrirminals transfer money from the victims to mules.
  5. The money is transferred from the mules to the cybercriminals.

URLZone is a more advanced trojan because of the level of automation of the funds transfer fraud  (direct quotes from the Finjan report):

  • It hides its fraudulent transaction(s) in the report screen of the compromised account.
  • Its C&C [Command and Control] server sends instructions over HTTP about the amount to be stolen and where the stolen money should be deposited.
  • It logs and reports on other web accounts (e.g., Facebook, PayPal, Gmail) and banks from other countries.

In the past, the trojan was merely a keylogger that sent credentials back to the cybercriminal. These exploits were mostly against small businesses and schools where relatively large amounts of money could be stolen. But the URLZone trojan has much more sophisticated command and control which enables a much higher volume of transactions. Finjan reports 6,400 victims in 22 days losing 300,000 Euros. So far all the victims have been in Germany.

Popular social news site infected with XSS exploit

30. September 2009 · Comments Off on Popular social news site infected with XSS exploit · Categories: Application Security, Breaches, Malware, Secure Browsing · Tags: , , ,

The popular social news site Reddit was breached with an XSS exploit. Of course, the article does not indicate what, if any, protection methods Reddit was using to prevent this most popular of web site exploits. I wonder how they would do if an auditor showed up tomorrow using CSIS's Twenty Critical Cyber Security Controls (I previously posted) as a reference.

All enterprises have infected hosts controlled by botnets

28. September 2009 · Comments Off on All enterprises have infected hosts controlled by botnets · Categories: Botnets, Breaches, Compliance, Malware · Tags:

If you think your organization is free of botnet controlled hosts (aka zombies), it's only because you don't have the right detection tools! For example, Damballa, a botnet detection company claims that every organization it has tested was infected. And the number of infected hosts is rising – from 5% to 7% last year to 7% to 9% this year.

In one sense, this is a shocking number, i.e. almost 10% of the hosts in your network are controlled by botnets. On the other hand, not so much because I have yet to find an enterprise with hosts not running non-compliant or non-monitored software. 

Another interesting finding from Damballa's research is the proliferation of small, customized botnets. Here is a quote from the Dark Reading article:

"The bad guys are also finding that deploying a
small botnet inside a targeted organization is a more efficient way of
stealing information than deploying a traditional exploit on a specific
machine. And [Damballa VP of Research Gunter] Ollmann says many of the smaller botnets appear to have
more knowledge of the targeted organization as well. "They are very
strongly associated with a lot of insider knowledge…and we see a lot
of hands-on command and control with these small botnets," he says.

There are several advanced security tools that can be easily deployed in a couple of days that will pinpoint non-compliant and non-monitored software and network communications.

End point security software misses malware, proof that defense-in-depth is a must

25. September 2009 · Comments Off on End point security software misses malware, proof that defense-in-depth is a must · Categories: Malware, Security Information and Event Management (SIEM), Web 2.0 Network Firewalls, Web Application Firewalls · Tags: , , , , , ,

NSS Labs the well-respected UK-based security product research and testing service, just published the results of its consumer anti-malware test. The most popular products, Symantec and McAfee, both came it at only 82%. Therefore you cannot rely on this single security control to protect you against malware. A layered, defense-in-depth strategy is a must.

While all organizations are different, complementary technologies include Secure Web Gateways, Intrusion Prevention, Data Leak Prevention, or an advanced firewall that performs all of these functions,  and possibly a Security Information and Event Management System. If you are running web applications, you will also need a Web Application Firewall. I wrote about this in my post about the 20 Top Security Controls.

The top vendor was Trend Micro with a 96% success rate when you combine the 91% caught at download time and the 5.5% caught at execution time. I also read about this report in an article at Dark Reading written by Tim Wilson. However, Tim said Trend Micro only blocked 70% of the malware. I am not sure where he got his number.

« Older articles
Newer articles »