Posts Tagged ‘trojan’
Mal-Ads Still Being Pushed Through Ad Servers!
You may remember my earlier post: On Botnets, Lie and Corporate BullS#&t, or perhaps you saw the New Trend in Trend post where I discussed the fact that not only were mal-ads being served up through the ad servers, but that my Trend Micro was actually blocking them!
Well, alas and alack, this weekend there were some interesting developments along these lines.
I’ve been in a bit of a funk lately and took the weekend off to play my online games and catch up on some personal reading. I have this tendency to leave my MySpace Mafia Wars* open in one tab, while I go look at other sites so I can wait until my 3 hours are up to collect on my Cuba Business! Those of you who play Mafia Wars know what I’m talking about! (GRIN)
Anyway, I had Mafia Wars open on one tab and then opened Tarot.com on the other so I could read my horoscope and find the SuperKC for the day. (Don’t ask! But if you’re interested: Click here for a FREE Tarot Reading**) I walked away from the computer to grab a cup of coffee or something, and when I returned, my Tarot page was switched to the following:
Now, you might say, Debbie, how do you know it’s tarot.com that delivered the malware? Glad you asked that! Because other people were reporting the same in the forums!
I also tried for several hours to reproduce the behavior as I was running my screen capture program and here’s what I discovered!
It’s very difficult – if not impossible – to catch this bugger in the act because of the way the many ads and ad programs they are running rotate. I was able to capture at least 11 different ad servers that were rotating on that site. Specifically:
- a367.yahoofs.com
- ads.lucidmedia.com
- ad.reduxmedia.com
- pixel.quantserve.com
- s7.addthis.com
- m1.2mdn.net
- doubleclick.net
- googleads
- ak.imgfarm.com
- clk.atdmt.com
- img.mediaplex.com
As I would refresh the page trying to get the mal-ad to show up again, these 11 ad servers (and more) would rotate on the page and also rotate the ads they were showing. Therefore, there are hundreds, if not millions of different possible ads that could show up at any given time on that site and individual pages!
I spent nearly 2 hours refreshing the various pages to no avail. I could not capture the mal-ad again.
But this clearly demonstrates how slick this method of pushing malware through the ad servers is!
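One way to see the rotation described above is to survey the third-party script, iframe and image sources across repeated page loads and flag any host that is not one of the ad networks you have already reviewed. This is an added example, not part of the original post or any tool it mentions; the three HTML snapshots are constructed, and the hostname free-av-scan.example stands in for an unreviewed host (the other hostnames come from the post’s list).

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample: three "refreshes" of the same page, each embedding a
# different rotation of third-party ad resources. Not captured traffic.
SNAPSHOTS = [
    '<script src="http://ad.doubleclick.net/adj/x.js"></script>'
    '<img src="http://pixel.quantserve.com/pixel/p.gif">'
    '<iframe src="http://ads.lucidmedia.com/show"></iframe>',
    '<script src="http://ad.reduxmedia.com/st/rotate.js"></script>'
    '<img src="http://img.mediaplex.com/banner.gif">'
    '<img src="/images/local-logo.gif">',
    '<script src="http://clk.atdmt.com/go/t.js"></script>'
    '<iframe src="http://free-av-scan.example/scan.html"></iframe>',
]

# Registrable domains of ad networks the site operator has reviewed (hypothetical
# allowlist); any third-party host outside these is reported for a closer look.
KNOWN_AD_DOMAINS = {
    "doubleclick.net", "quantserve.com", "lucidmedia.com",
    "reduxmedia.com", "mediaplex.com", "atdmt.com",
}

# Matches the src attribute of <script>, <iframe> and <img> tags.
TAG_RE = re.compile(r'<(?:script|iframe|img)\b[^>]*\bsrc=["\']([^"\']+)["\']', re.I)


def third_party_hosts(html, page_host):
    """Return the set of external hostnames a single page load pulls resources from."""
    hosts = set()
    for url in TAG_RE.findall(html):
        host = urlparse(url).hostname  # None for relative URLs such as /images/x.gif
        if host and host.lower() != page_host:
            hosts.add(host.lower())
    return hosts


def survey(snapshots, page_host):
    """Count, over many loads, how often each third-party host appeared."""
    seen = Counter()
    for html in snapshots:
        seen.update(third_party_hosts(html, page_host))
    return seen


def is_known(host, known_domains):
    """True if the host or any of its parent domains is on the allowlist."""
    parts = host.split(".")
    return any(".".join(parts[i:]) in known_domains for i in range(len(parts) - 1))


def flag_unknown(seen, known_domains):
    """Hosts that rotated through the page but match no reviewed ad network."""
    return sorted(h for h in seen if not is_known(h, known_domains))


if __name__ == "__main__":
    counts = survey(SNAPSHOTS, "tarot.com")
    for host, n in counts.most_common():
        print(f"{host:28s} seen in {n} of {len(SNAPSHOTS)} loads")
    print("unreviewed hosts:", flag_unknown(counts, KNOWN_AD_DOMAINS))
```

Against real pages you would feed it the saved HTML of many refreshes; because each load only shows one slice of the rotation, the flagged list grows with the number of loads surveyed.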
In case you do not remember, the anti-virus scanner is one of those Trojan downloaders – AKA Drive-by downloads – that are so hard to get rid of!
If you are using Firefox – make sure your options are set correctly to help avoid these drive-bys. The first setting is to adjust your Main tab to show the download and always ask you where to save it. This gives you the heads-up that the drive-by is trying to install, AND, you can then cancel it before it installs or saves itself to your temporary folder. IE saves a copy to your temp folder long before you ever get a pop-up notice that it even blocked it. By then, it’s too late!
See the section with the red line around it below to adjust yours as I have mine adjusted:
Also, allow Firefox to protect you by blocking known bad sites by altering your Security options as follows:
If you are still stupid enough – AND YES, I CALLED YOU STUPID – to be using Internet Explorer, and you get caught with this drive-by download, (because there are other sites still dishing it out!) then go to MalwareBytes.org and download their free tool to remove it. I am not an affiliate of this company, I don’t make any money off recommending their program to you, I just know that I’ve used it to remove these drive-bys from my clients’ machines. And to be honest, it’s the only thing I found that works!
Now, one final point of clarity, if this is the first time you’re reading about any of this information and you just now found our blog, then I do apologize for calling you stupid. You’re not. You are in fact very smart for finding us!
However, for the numerous readers that we have on a repeat basis, if you are still using IE after I’ve preached, and shown you how dangerous it is, then you fit the stupid category! Strong words, Yes. But I don’t know what else to do to get you to listen to me!
These problems perpetuate because you are not protecting yourself! You are not educating yourself! You owe it to every other Internet citizen to stop the insanity by making this kind of behavior unprofitable to the people who send this crap out!
Okay, I’ll get off my soapbox now. Enough said?
*Please feel free to add me as a friend if you play MySpace Mafia Wars!
**TIIM This is my affiliate link to tarot.com. I earn Karma Coins if you sign up.
CORRECTION ADDED 10/11/09 Addthis.com is not an ad server! Thank you Joel for setting the record straight and thank you for letting us know!
The 7 dirty secrets of the security industry
With Guest Author and Co-Instructor: Anthony Valente, CEO of Network Defense Solutions
I think I’m on either a debunking roll, or just out right rage against the machine! Either way, I’ve about had it with these big corporations spoon feeding you a line of crap.
I’m taking the gloves off.
The name of this post is actually the name of an InfoWorld Article published yesterday. But don’t bother clicking the link, I’m going to provide you with the 7 points and quotes as I go through each one.
1. Antivirus certification omissions. The dirtiest secret in the industry is that, while antivirus tools detect replicating malicious code like worms, they do not identify malcode such as nonreplicating Trojans. So, even though Trojans have been around since the beginning of malicious code, there is no accountability in antivirus certification tests. Today Trojans and other forms of nonreplicating malcode constitute 80% or more of the threats businesses are likely to face. Antivirus accountability metrics are simply no longer reflective of the true state of threat.
First of all, that is totally not true that the antivirus programs do not catch non-replicating trojans. I have had my TrendMicro, Norton, and other AV tools I’ve tested catch my test Trojans. Now, that may be through their heuristic capabilities, but it still does catch them!
I have no clue where this guy got his information, but I’d like to see what the AV vendors have to say about this one! To me, this is nothing more than fear-mongering.
Granted, there are a ton of things wrong with AV vendors and their products, but this claim is totally misleading.
Anthony’s Note: Don’t forget that you also have packers, and downloaders that many anti-virus applications / vendors don’t detect. I can prove this because Norton doesn’t detect the downloaders, and if my LPM attaches to a machine it can cripple Norton in record time. Norton is useless. NOD on the other hand can. I also have a few techniques which help with the assurance that a Trojan not be caught by an AV application.
2. There is no perimeter. If you still believe in the perimeter, you may as well believe in Santa Claus. That isn’t to say there is no perimeter. But we need to define what the perimeter is. The endpoint is the perimeter, the user is the perimeter. It’s more likely that the business process is the perimeter, or the information itself is the perimeter too. If you design your security controls with no base assumption of a perimeter, when you have one you are more secure. The mistake we tend to make is, if we put the controls at the perimeter, then we will be fine. For many threats, we couldn’t be more wrong.
Does anyone else see the contradiction here? First he says there is no perimeter and if you believe in one you may as well believe in Santa Claus. Then he says that isn’t to say there is no perimeter. Dude! Make up your mind! Enough said?
Anthony’s Note: Regardless of a perimeter defense and whether its existence is valid or invalid, security cannot be just thrown at a borderline defense solution and forgotten. People forget about middleware and security on the servers themselves. Just saying “we will filter conditions here” doesn’t necessitate security. The point is to layer. Each layer tightening its vices on security. If you have packets pass a borderline defense, and it’s up to middleware, it’s already too late to be worrying about security. There it’s not a worry that you’re insecure, it becomes a certainty.
3. Risk management threatens vendors. Risk management really helps an organization understand its business and its highest level of risk. However, your priorities don’t always map to what the vendors are selling. Vendors focus on individual issues so you will continue to buy their individual products. If you don’t have a clear picture of your risk priorities, vendors are more than happy to set them for you. Trusted security partners will provide options for assessing your risk posture and help you develop plans to make the most security impact for the least cost and complexity. Security needs to conform to and support your business priorities. Too often, vendors want your business to conform to their portfolio.
Does that go for you too Mr. principal security strategist for IBM Internet Security Systems? Whatcha selling?
I will agree that there are a lot of security vendors out there that will sell companies things they don’t need to make bucks on products they sell. But if everyone listened to me, we wouldn’t be having this discussion in the first place. *Yes, I know that was egotistical and out right rude. But like I said, I’m really fed up with all this misinformation going around. So indulge me!
But the problem is NOT with the vendors pal. It’s with the companies and the people who REFUSE to deal with the issue of security!
When our company ran our promo for our online security courses during our anniversary celebration, no one – not one person or company even inquired let alone purchased. In all of our discussions with folks on the issue of security, I heard excuse after excuse of why they didn’t want to take the time to learn about it.
They are too busy. They want someone else to worry about it for them.
And the usual question I get, “Is it really that bad?”
I’ve even given the courses away for free! Then I get a call from one of the people I offered the free course to, saying she got her third drive-by download! Has she taken the FREE course? NO! What does she do? Takes the computer to Best Buy and spends $100 bucks to get it reset.
If the companies and individuals would educate themselves about the BASICS of what they need to know regarding their security, then vendors wouldn’t be able to pull the wool over their eyes or sell them crap they don’t need.
Is it any wonder that we’ve had the Monster.com and Heartland breaches this week? I can give you a list a mile long of websites like theirs and commercial vendors that have vulnerabilities found by our researchers. (Right Anthony?) But do they want to hear? NO. Do they hire us to report on what we’ve found? NO.
I’m telling you what, I can make more money selling what we know to the hackers than I can get any money out of corporate tight wads! And I’m really beginning to wonder why I have a conscience about it at all anymore. But I digress.
The article goes on with the list to say:
4. There is more to risk than weak software. The lion’s share of the security market is focused on software vulnerabilities. But software represents only one of the three ways to be compromised, the other two being weak configurations and people. The latter is the largest uncovered area of risk. This is malicious code that doesn’t leverage a vulnerability but rather leverages the person. For example, downloading a dancing skeleton for ‘a spooky good time’ (this was a trick employed by Storm), social engineering, spear phishing, etc. While we still need to find vulnerabilities and patch them, we must understand that an organization is only as strong as its weakest link. And more attention needs to be paid in mitigating the other two ways beyond software.
Okay, I agree wholeheartedly with this one. And what solves this problem? EDUCATION! The one no one is buying!
5. Compliance threatens security. Compliance in and of itself is not a bad thing. But, compliance in and of itself does not equal security. At the very least it’s a resource and budget conflict, and it splits our focus. Compliance is supposed to raise the minimum standard of security, but it just gets us to do what we are required to do and nothing else.
Agreed. And it depends upon what kind of compliance you’re speaking about sir. Is it the government imposed security compliance?
Let’s look at HIPAA, shall we? Our health data is supposed to be kept private. I’ll challenge any freaking government official to go stand in a line at any pharmacy (and Wal-mart specifically, but they are not alone in this), and listen to the names being called out from the prescription counter. And I have to loudly verify my birth date and address. Privacy? Joke!
And don’t even get me started on the joke of PCI compliance in regards to credit cards.
Again, enough said.
6. Vendor blind spots allowed for Storm. Storm is being copied and improved. The Storm era of botnets is alive and well, nearly two years from when it first appeared. How is this possible? 1. Botnets thrive in the consumer world where there is little money for innovation, a fact Storm and its controllers know. They are making money off of everything from spam to pump-and-dump stock scams. 2. They eat antivirus for breakfast. A lot of the techniques and innovations used by Storm are not new; they are just being leveraged artfully against the blind spots of antivirus certifications and antivirus vendors. 3. Malcode does not need vulnerabilities. Most of the Storm recruitment drives have leveraged social engineering and play off of a holiday or sporting event.
EDUCATION, EDUCATION, EDUCATION
And again, the vendors don’t want to listen to folks like us. Our co-instructor was laughed at when he proposed that he had an exploit that would replace a well-known AV vendor’s ON button with a fake one that allowed his Trojan to operate in the background. They wouldn’t even listen!
Anthony’s Note: Attack works by writing api text to “OFF” to appear as “ON” and “ON” to appear as “OFF” confusing the consumers. However, this isn’t the only issue. It’s the fact that AV software sometimes doesn’t check to see if it’s visible when an attack is mitigated. Any application that knows the API handles can hide the window, and throw up a screenshot of the desktop. Eliminate the anti-virus (with no checking by the av apps – Norton was one of them!) and have the user completely blind for 3 seconds; while they interact with a screen that is a picture.
And if we know this is possible and can prove it, what do you think the hackers and malcode writers are doing?
And finally the article concludes with:
7. Security has grown well past “do it yourself.” Technology without strategy is chaos. The security market is often far too focused on the latest hot box or technology. The sheer volume of security products and the rate of change has super-saturated most organizations and exceeded their ability to keep up. Organizations realize only a fraction of the capabilities of their existing investments. Furthermore, the cost of the product is often a fraction of the cost of ownership. There was a time when you could “do it yourself.” But the simple days of Virus meets Antivirus are long gone. Highly effective organizations are embracing professional and managed security services to extend and augment their in-house expertise. By focusing your in-house expertise on what you know best — your business — scale comes from teaming with third-party expertise. This will be increasingly necessary in these tough economic times.
My only guess on this one is that IBM is selling some kind of managed service for security.
Look, I started this company a very long time ago, when there were only McAfee and Norton as major security vendors. I started teaching this stuff because McAfee let in a known virus that destroyed my entire business computer and database. This was before back-up capabilities! That’s when I learned how it happened, why it happened and how to prevent it, and that led to my teaching it to help others avoid the problems I experienced.
Anthony, our co-instructor is a Certified Ethical Hacker and CEO of Network Defense Solutions, a company founded on the same principles of protecting others.
We aren’t huge corporations with shareholders to worry about. We are just trying to make a decent living doing what we do. But it’s really hard to keep plugging away at it when we read garbage like this – touted as truth, and laughed at when we confront big corporations with their lack of security.
But let us use what we know to hack the SOB’s and prove it, and then we’re the bad guys! And when other bad guys figure it out and breach data or steal identities, oh well, it’s the cost of doing business.
Anthony’s Note: The problem with security, is it’s taught with the views of “Avoid doing this yourself.” Which in a way is reverse engineering for “g’head and do exactly the opposite!” And, this can have a great division on the lines of such a topic. If corporate America and this greedy government of ours would take their egotistical heads from out of their asses, they would see where security can be applied.
Showing home users the venues in such attacks and how easily they can be mitigated, leading up to what information can be divulged is a starting point. In addition to which, corporate America has the motto that “WE WANT THE FLASHING CISCO ROUTER WITH THE FANCY FIREWALL AND THE NIDS TO PROTECT THE NETWORK AND THE HIDS ALONG WITH THE AIDS TO PROTECT IF A BREACH IS DETECTED.” But, what really does happen? They see it, they feel it THEY KNOW the risks, however they’d rather fail to see them to put the extra few thousand back into their pockets in hopes of wooing over the secretary for one more night with a Louis Vuitton bag.
Demonstrating security risks and showing their impact to get people on the bandwagon is the best route. Telling someone not to touch the security stove is basically like saying “Shower with this gasoline and play with this match.” Even if the security landscape fell in price; remember one thing – you cannot escape the almighty dollar.
I think that Anthony is more jaded than I am and he’s a heck of a lot younger!
I guess my point is, read what you will but do so with a discerning eye. The recent presidential election called out some of the networks on their bias to one candidate or the other; you have to look at technology articles the same way. Who posted the article? What’s in it for them? And is what you are reading true?
Something to think about.
Be Wary of Obama E-mails!
Although this has been out since November of last year, with the upcoming inauguration of our new President, chances are quite good that there will be an increase in the spread of this virus-spreading e-mail.
According to snopes.com:
These email messages may appear to be from legitimate news sources, and will try to lure you into clicking on a link that will direct you to a malicious web site, or opening an infected video clip or attachment.
The enclosed video links direct recipients to a malicious web site that tries to trick users into downloading a file (Adobe_flash9.exe) purportedly offering an updated version of Adobe Flash but actually harboring password-stealing malware.
Remember, virus writers and malware pushers will capitalize on the “buzz” of the day, week, or month.
Don’t be fooled!