<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Steve Riley on Security : malware</title><link>http://blogs.technet.com/steriley/archive/tags/malware/default.aspx</link><description>Tags: malware</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>If you know the Conficker dude, we've got a prize for you</title><link>http://blogs.technet.com/steriley/archive/2009/02/13/if-you-know-the-conficker-dude-we-ve-got-a-prize-for-you.aspx</link><pubDate>Fri, 13 Feb 2009 20:39:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3201923</guid><dc:creator>Steve Riley</dc:creator><slash:comments>5</slash:comments><comments>http://blogs.technet.com/steriley/comments/3201923.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=3201923</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=3201923</wfw:comment><description>&lt;P&gt;Yesterday (12 February 2009)&amp;nbsp;Microsoft announced a partnership with technology industry leaders and academia to implement a coordinated, global response to the Conficker (aka Downadup) worm. Together with security researchers, Internet Corporation for Assigned Names and Numbers (ICANN) and operators within the Domain Name System, Microsoft coordinated a response designed to disable domains targeted by Conficker. Microsoft also announced a $250,000 reward for information that results in the arrest and conviction of those responsible for illegally launching the Conficker malicious code on the Internet. &lt;/P&gt;
&lt;P&gt;“As part of Microsoft’s ongoing security efforts, we constantly look for ways to use a diverse set of tools and develop methodologies to protect our customers,” said George Stathakopoulos, general manager of the Trustworthy Computing Group at Microsoft. “By combining our expertise with that of the broader community we can expand the boundaries of defense to better protect people worldwide.”&lt;/P&gt;
&lt;P&gt;As cyberthreats have rapidly evolved, a greater level of industry coordination and new tactics for communication and threat mitigation are required. To optimize the multiple initiatives being employed across the security industry and within academia, Microsoft helped unify these broad efforts to implement a community-based defense to disrupt the spread of Conficker. &lt;/P&gt;
&lt;P&gt;Along with Microsoft, organizations involved in this collaborative effort include ICANN, NeuStar, VeriSign, CNNIC, Afilias, Public Internet Registry, Global Domains International Inc., M1D Global, AOL, Symantec, F-Secure, ISC, researchers from Georgia Tech, the Shadowserver Foundation, Arbor Networks and Support Intelligence.&lt;/P&gt;
&lt;P&gt;“The best way to defeat potential botnets like Conficker/Downadup is by the security and Domain Name System communities working together,” said Greg Rattray, chief Internet security advisor at ICANN. “ICANN represents a community that’s all about coordinating those kinds of efforts to keep the Internet globally secure and stable.” &lt;/P&gt;
&lt;P&gt;“Microsoft’s approach combines technology innovation and effective cross-sector partnerships to help protect people from cybercriminals,” Stathakopoulos said. “We hope these efforts help to contain the threat posed by Conficker, as well as hold those who illegally launch malware accountable.” &lt;/P&gt;
&lt;P&gt;More information about how to protect yourself from Conficker can be found at &lt;A href="http://www.microsoft.com/conficker"&gt;http://www.microsoft.com/conficker&lt;/A&gt;. Customers interested in learning more about staying safe online can visit &lt;A href="http://www.microsoft.com/protect"&gt;http://www.microsoft.com/protect&lt;/A&gt;. &lt;/P&gt;
&lt;P&gt;Microsoft’s reward offer stems from the company’s recognition that the Conficker worm is a criminal attack. Microsoft wants to help the authorities catch the criminals responsible for it. Residents of any country are eligible for the reward, according to the laws of that country, because Internet viruses affect the Internet community worldwide. Individuals with information about the Conficker worm should contact their international law enforcement agencies.&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3201923" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/protection/default.aspx">protection</category><category domain="http://blogs.technet.com/steriley/archive/tags/patch+management/default.aspx">patch management</category><category domain="http://blogs.technet.com/steriley/archive/tags/malware/default.aspx">malware</category><category domain="http://blogs.technet.com/steriley/archive/tags/home+and+family+security/default.aspx">home and family security</category></item><item><title>Poll: do you use scheduled scans for malware?</title><link>http://blogs.technet.com/steriley/archive/2009/01/05/poll-do-you-use-scheduled-scans-for-malware.aspx</link><pubDate>Mon, 05 Jan 2009 23:03:59 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3176696</guid><dc:creator>Steve Riley</dc:creator><slash:comments>18</slash:comments><comments>http://blogs.technet.com/steriley/comments/3176696.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=3176696</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=3176696</wfw:comment><description>&lt;p&gt;An&amp;#160; interesting comment recently appeared on my &lt;a href="http://blogs.technet.com/steriley/archive/2007/09/22/antivirus-software-who-needs-it.aspx" target="_blank"&gt;older post&lt;/a&gt; about whether or not to use antimalware software. 
Peter van Dam wondered whether scheduled scans are really necessary, given that anti-malware products scan files as they enter (and sometimes exit) a computer.&lt;/p&gt;  &lt;p&gt;He raises a good point, and I’m curious what all of you think? Do you use scheduled scans? If so, why? If not, is it because you’ve decided the same as Peter?&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3176696" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/risk+mitigation/default.aspx">risk mitigation</category><category domain="http://blogs.technet.com/steriley/archive/tags/protection/default.aspx">protection</category><category domain="http://blogs.technet.com/steriley/archive/tags/malware/default.aspx">malware</category></item><item><title>Throw away your digital picture frames</title><link>http://blogs.technet.com/steriley/archive/2008/02/18/throw-away-your-digital-picture-frames.aspx</link><pubDate>Tue, 19 Feb 2008 06:36:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:2909038</guid><dc:creator>Steve Riley</dc:creator><slash:comments>4</slash:comments><comments>http://blogs.technet.com/steriley/comments/2909038.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=2909038</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=2909038</wfw:comment><description>&lt;P&gt;Surely time itself has warped and it's suddenly April 1st. Come on, if you read the following, wouldn't you first think it was a hoax, as did I?&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;A href="http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/02/15/BU47V0VOH.DTL" target=_blank mce_href="http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/02/15/BU47V0VOH.DTL"&gt;Virus from China, the gift that keeps on giving&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;An insidious computer virus recently discovered on digital photo frames has been identified as a powerful new Trojan Horse from China that collects passwords for online games -- and its designers might have larger targets in mind. 
&lt;P&gt;"It is a nasty worm that has a great deal of intelligence," said Brian Grayek, who heads product development at Computer Associates, a security vendor that analyzed the Trojan Horse... The authors of the new Trojan Horse are well-funded professionals whose malware has "specific designs to capture something and not leave traces," Grayek said. "This would be a nuclear bomb" of malware.&lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;P&gt;Mocmex is its name. Reportedly, it can evade hundreds of anti-malware and firewall products, including the Windows Firewall. I suspect that this succeeds only when users are logged in as administrators, so here's yet another reason to stop doing this altogether, as is the US Government with its new &lt;A href="http://fdcc.nist.gov/" target=_blank mce_href="http://fdcc.nist.gov/"&gt;Federal Desktop Core Configuration&lt;/A&gt; for Windows XP and Windows Vista.&lt;/P&gt;
&lt;P&gt;The virus actually propagates to just about any kind of removable USB storage device, jumping from various well-concealed hiding places on your PC whenever such a device is inserted. Picture frames are implicated because the virus apparently originated in the factory where the frames were built (in turn sold by Best Buy, Sam's Club, Target, and Costco, but now discontinued). Amazingly, according to the UK security firm Prevx, over 67,500 variants of this thing exist!&lt;/P&gt;
&lt;P&gt;Even more amazing:&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;[Mocmex] isn't the only piece of malware involved. Deborah Hale of Sans said the researchers also found four other, older Trojans on each frame, which may serve as markers for botnets -- networks of infected PCs that are remotely controlled by hackers. 
&lt;P&gt;There is W32.Rajump, which deposits the same piece of malware that infected some of Apple's video iPods during manufacturing in October 2006. It gathers IP addresses and port numbers from infected PCs and ships them out, according to Symantec. One destination is registered to a service in China that allows people to conceal their own IP addresses. 
&lt;P&gt;Then there is a generic Trojan; a Trojan that opens a back door on PCs and displays pop-up ads; and a Trojan that spreads itself through portable devices like Mocmex does.&lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;P&gt;More reasons to &lt;A href="http://blogs.technet.com/steriley/archive/2007/10/30/more-on-autorun.aspx" target=_blank mce_href="http://blogs.technet.com/steriley/archive/2007/10/30/more-on-autorun.aspx"&gt;disable Autorun&lt;/A&gt;, I suppose. Yet this isn't a cure-all: if you're logged in as administrator, the virus helpfully re-enables Autorun. Sheesh! If you own one of these frames, SANS suggests that you take it to a friend who has a Mac or Linux box and plug it in there. Yeah, that's good advice; there exist no viruses for these operating systems, correct? It's irrelevant which operating system you're using -- if you run with full privileges, you'll get 0wn3d soon enough.&lt;/P&gt;
&lt;P&gt;It's fascinating that the thing targets online games, although it could certainly harvest just about any private information stored on your PC. Mining online game accounts might be pretty profitable, you know. Consider the number of people who pay real money for virtual (=fake) stuff in World of Warcraft, Runescape, and whatever else. I suppose losing their passwords to picture frames might help such people regain a tenuous foothold on reality.&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=2909038" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/threats/default.aspx">threats</category><category domain="http://blogs.technet.com/steriley/archive/tags/protection/default.aspx">protection</category><category domain="http://blogs.technet.com/steriley/archive/tags/things+that+make+me+laugh/default.aspx">things that make me laugh</category><category domain="http://blogs.technet.com/steriley/archive/tags/things+that+make+me+worried/default.aspx">things that make me worried</category><category domain="http://blogs.technet.com/steriley/archive/tags/malware/default.aspx">malware</category><category domain="http://blogs.technet.com/steriley/archive/tags/home+and+family+security/default.aspx">home and family security</category></item><item><title>More on Autorun</title><link>http://blogs.technet.com/steriley/archive/2007/10/30/more-on-autorun.aspx</link><pubDate>Wed, 31 Oct 2007 01:12:27 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:2290982</guid><dc:creator>Steve Riley</dc:creator><slash:comments>24</slash:comments><comments>http://blogs.technet.com/steriley/comments/2290982.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=2290982</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=2290982</wfw:comment><description>&lt;p&gt;Last month, in my post "&lt;a 
href="http://blogs.technet.com/steriley/archive/2007/09/22/autorun-good-for-you.aspx" target="_blank"&gt;Autorun: good for you?&lt;/a&gt;" I described why I believe you should disable Autorun on all computers in your organization. I also explained how you can do this for XP and Vista computers.&lt;/p&gt; &lt;p&gt;Well, it turns out that Windows will override this setting if you insert a USB drive that your computer has already seen. I received an email from Susan Bradley that links to an article on Nick Brown's blog, "&lt;a href="http://nick.brown.free.fr/blog/2007/10/memory-stick-worms.html" target="_blank"&gt;Memory stick worms&lt;/a&gt;." Nick mentions the MountPoints2 registry key, which keeps track of all USB drives your computer has ever seen. I'll admit, I didn't know this existed! I'm glad Nick wrote about it, though.&lt;/p&gt; &lt;p&gt;Nick also includes a little hack that effectively disables all files named "autorun.inf." Interesting, but something in me prefers to make Windows just plain forget about all the drives it's seen. So now I will amend my instructions. 
In addition to what I wrote earlier, you should also write a small script, and execute it through group policy, that deletes the following key:&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;When I searched for it in my registry, I also found a few others, so maybe you'd want something that would search through the registry and delete them all, although I don't know if such a tool exists -- I've never had a need to look for something like that.&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=2290982" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/risk+mitigation/default.aspx">risk mitigation</category><category domain="http://blogs.technet.com/steriley/archive/tags/threats/default.aspx">threats</category><category domain="http://blogs.technet.com/steriley/archive/tags/protection/default.aspx">protection</category><category domain="http://blogs.technet.com/steriley/archive/tags/malware/default.aspx">malware</category></item><item><title>More on the necessity of antivirus software</title><link>http://blogs.technet.com/steriley/archive/2007/09/25/more-on-the-necessity-of-antivirus-software.aspx</link><pubDate>Tue, 25 Sep 2007 20:53:47 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:2044065</guid><dc:creator>Steve Riley</dc:creator><slash:comments>14</slash:comments><comments>http://blogs.technet.com/steriley/comments/2044065.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=2044065</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=2044065</wfw:comment><description>&lt;p&gt;A few days ago, I wrote a &lt;a href="http://blogs.technet.com/steriley/archive/2007/09/22/antivirus-software-who-needs-it.aspx" target="_blank"&gt;brief post about my non-use of antivirus software&lt;/a&gt; 
&lt;em&gt;on my own computers.&lt;/em&gt; A number of people have asked me privately if I am recommending such a stance to other individuals or to organizations. Let me be perfectly clear: &lt;strong&gt;absolutely not.&lt;/strong&gt; For the vast majority of folks, the &lt;a href="http://www.microsoft.com/protect/computer/default.mspx" target="_blank"&gt;four important steps to protect your PC&lt;/a&gt; still hold:&lt;/p&gt; &lt;ol&gt; &lt;li&gt;Run the Windows Firewall&lt;/li&gt; &lt;li&gt;Keep Windows and your applications up-to-date&lt;/li&gt; &lt;li&gt;Use current antivirus software&lt;/li&gt; &lt;li&gt;Use current antispyware&lt;/li&gt;&lt;/ol&gt; &lt;p&gt;These are good recommendations for organizations, as well.&lt;/p&gt; &lt;p&gt;But as I've talked about many times in the past, security decisions always involve tradeoffs. They also (should) involve an intimate understanding of what the users will be doing with their computers. Fact is, most individuals who are not full-time security professionals often make mistakes when trying to decide whether something is legitimate -- witness the ongoing success of phishing and 419 scams. And organizations, unless they run highly locked-down environments, often can't know everything their users are doing.&lt;/p&gt; &lt;p&gt;As I said in the previous post, anti-malware is not useless. It is a necessary element in your suite of defensive technologies to help keep the bad guys at bay. In my post I'm simply explaining a personal tradeoff I've made &lt;em&gt;on my own machines at home&lt;/em&gt;--that by not running as admin (which I didn't mention before), by using UAC, by relying on the firewall, and by training my family--I have made the decision not to use anti-malware.&lt;/p&gt; &lt;p&gt;So should you make the same tradeoff? Well, that depends. If you're asking me about your own use of your own personal computers at home, I can't answer that for you, you need to. 
Remember what I wrote: "I know what to click and what to skip, what to visit and what to avoid. I have control over what I choose to open, what I choose to load, and what I choose to run." Do you have similar self-control? :)&lt;/p&gt; &lt;p&gt;If you're the security administrator for an organization, you should &lt;em&gt;not&lt;/em&gt; make this tradeoff. Again, remember what I wrote about my own self-control; I doubt that anyone could make such a statement for everyone in their organization! Antimalware definitely belongs on machines where users can store or transfer files:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;client computers&lt;/li&gt; &lt;li&gt;email servers&lt;/li&gt; &lt;li&gt;file servers&lt;/li&gt; &lt;li&gt;SharePoint servers&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;The purpose of my earlier post was to spark a little discussion, to see what other opinions there might be. Some folks are doing the same thing I am, others always run anti-malware on every computer. Neither stance can be declared "right" or "wrong." It's simply a reflection that we all make tradeoffs, every day, when we decide how to manage and use our computers. And as I suspected, different folks make different tradeoffs, based on their own risk tolerance and experience. 
These are always good conversations to have.&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=2044065" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/security+policies/default.aspx">security policies</category><category domain="http://blogs.technet.com/steriley/archive/tags/risk+mitigation/default.aspx">risk mitigation</category><category domain="http://blogs.technet.com/steriley/archive/tags/protection/default.aspx">protection</category><category domain="http://blogs.technet.com/steriley/archive/tags/malware/default.aspx">malware</category></item><item><title>Autorun: good for you?</title><link>http://blogs.technet.com/steriley/archive/2007/09/22/autorun-good-for-you.aspx</link><pubDate>Sun, 23 Sep 2007 08:29:48 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:2023201</guid><dc:creator>Steve Riley</dc:creator><slash:comments>11</slash:comments><comments>http://blogs.technet.com/steriley/comments/2023201.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=2023201</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=2023201</wfw:comment><description>&lt;p&gt;Yes, if you're a five-year-old and you're tired of always asking mom or dad how to start the game on the CD. No need to know how! Just pick up the disc (a little peanut butter on your fingers helps with the grip), slide it in the drive, and wait for the game to start. Groovy!&lt;/p&gt; &lt;p&gt;&lt;strong&gt;No,&lt;/strong&gt; if you're a security administrator. Many people still aren't aware of the security risk that autorun raises. It isn't new anymore, but &lt;a href="http://www.darkreading.com/document.asp?doc_id=95556" target="_blank"&gt;DarkReading's Social engineering, the USB way&lt;/a&gt; is still the best story to make the point. 
Check it out.&lt;/p&gt; &lt;p&gt;I really can't think of any business reason for keeping this feature enabled. Please shut it off, domainwide, as soon as you can.&lt;/p&gt; &lt;hr&gt;  &lt;p&gt;In &lt;strong&gt;Windows Vista/Server 2008&lt;/strong&gt;, go here:&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;Computer Configuration | Administrative Templates | Windows Components | AutoPlay Policies&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;Enable the "Default behavior for AutoRun" policy and set the default to "Do not execute any autorun commands."&lt;/p&gt; &lt;p&gt;Enable the "Turn off Autoplay" policy and set it to "All drives."&lt;/p&gt; &lt;hr&gt;  &lt;p&gt;In &lt;strong&gt;Windows XP/Server 2003&lt;/strong&gt;, go here:&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;Computer Configuration | Administrative Templates | System&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;Enable the "Turn off Autoplay" policy and set it to "All drives."&lt;/p&gt; &lt;hr&gt;  &lt;p&gt;While this might be old news for many of my readers, disabling autorun still doesn't seem to be a common security mitigation. At a recent conference I was surprised at the number of folks who haven't considered the risks of leaving it enabled. Surely by now most of you have heard about how certain music CDs can &lt;a href="http://blogs.technet.com/markrussinovich/archive/2005/10/31/sony-rootkits-and-digital-rights-management-gone-too-far.aspx" target="_blank"&gt;spread rootkits&lt;/a&gt; in your network. Yeah, holding down the [Shift] key when inserting a CD-ROM or USB drive will bypass the autorun.inf file -- but do you really want to rely on individual users remembering this? Nope. 
Group policy is your security friend: put it to good use here and disable autorun right now.&lt;/p&gt; &lt;p&gt;(BTW, &lt;a href="http://www.f-secure.com/weblog/archives/archive-082007.html#00001263" target="_blank"&gt;Sony is up to their dirty old tricks again&lt;/a&gt;.)&lt;/p&gt; &lt;p&gt; &lt;hr&gt; &lt;/p&gt; &lt;p&gt;&lt;strong&gt;Updated, 22 September 2007. &lt;/strong&gt;Turns out there's a registry key that keeps track of all USB drives your computer has ever seen, and this key will override the Autorun settings if you insert a drive that your computer has seen before. So in addition to changing Autorun, you'll also need to delete this other key. Write a little script and call it from group policy. Here's the key to delete:&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;More details &lt;a href="http://blogs.technet.com/steriley/archive/2007/10/30/more-on-autorun.aspx" target="_blank"&gt;here&lt;/a&gt;.&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=2023201" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/risk+mitigation/default.aspx">risk mitigation</category><category domain="http://blogs.technet.com/steriley/archive/tags/threats/default.aspx">threats</category><category domain="http://blogs.technet.com/steriley/archive/tags/protection/default.aspx">protection</category><category domain="http://blogs.technet.com/steriley/archive/tags/malware/default.aspx">malware</category></item><item><title>Antivirus software -- who needs it?</title><link>http://blogs.technet.com/steriley/archive/2007/09/22/antivirus-software-who-needs-it.aspx</link><pubDate>Sun, 23 Sep 2007 07:14:44 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:2022590</guid><dc:creator>Steve 
Riley</dc:creator><slash:comments>22</slash:comments><comments>http://blogs.technet.com/steriley/comments/2022590.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=2022590</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=2022590</wfw:comment><description>&lt;p&gt;In the newsgroups a few weeks ago, someone asked about which anti-virus software is best for experts. This is a really curious question. I've been involved in computer security -- as a practitioner, a consultant, and an instructor/speaker -- for several years. I feel fairly confident in calling myself an expert. I don't run anti-malware on any of my own computers. Why not? It's simple: I know what to click and what to skip, what to visit and what to avoid. I have control over what I choose to open, what I choose to load, and what I choose to run. And yeah, before the question arises, every four months or so I run a scan, and I've never gotten infected with anything.  &lt;p&gt;Now don't think that I run totally naked (the other residents of my house probably would object, and I shudder to imagine how hot the laptop would feel &lt;em&gt;then,&lt;/em&gt; haha). Because there's no way to control what someone else might throw at my Ethernet port, I do run the Windows firewall. I also run with UAC enabled because I want IE's protected mode, but I configure the policy to elevate without prompting.  &lt;p&gt;Am I saying that anti-malware is useless? Absolutely not. In many instances, and for many people, it's still necessary. But we can't ignore the fact that malware is getting more sophisticated. Nor can we ignore the fact that, as I have this conversation with other security experts and similarly-minded folk, I often ask this question: "When's the last time your antivirus or antispyware detected anything?" 
Invariably, the answer is, "Never."&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=2022590" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/security+policies/default.aspx">security policies</category><category domain="http://blogs.technet.com/steriley/archive/tags/risk+mitigation/default.aspx">risk mitigation</category><category domain="http://blogs.technet.com/steriley/archive/tags/protection/default.aspx">protection</category><category domain="http://blogs.technet.com/steriley/archive/tags/malware/default.aspx">malware</category></item><item><title>Tell us about the junk email you receive</title><link>http://blogs.technet.com/steriley/archive/2006/12/20/tell-us-about-the-junk-email-you-receive.aspx</link><pubDate>Thu, 21 Dec 2006 02:53:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:564693</guid><dc:creator>Steve Riley</dc:creator><slash:comments>5</slash:comments><comments>http://blogs.technet.com/steriley/comments/564693.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=564693</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=564693</wfw:comment><description>&lt;P&gt;Another gem in the download center: an Outlook (2003/2007) &lt;A class="" href="http://www.microsoft.com/downloads/details.aspx?FamilyID=53541292-ce94-4c5b-9127-b7d56f11b619&amp;amp;DisplayLang=en" target=_blank mce_href="http://www.microsoft.com/downloads/details.aspx?FamilyID=53541292-ce94-4c5b-9127-b7d56f11b619&amp;amp;DisplayLang=en"&gt;add-in&lt;/A&gt; with which you can report junk email to FrontBridge.&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;A class="" href="http://www.microsoft.com/downloads/details.aspx?FamilyID=53541292-ce94-4c5b-9127-b7d56f11b619&amp;amp;DisplayLang=en" target=_blank mce_href="http://www.microsoft.com/downloads/details.aspx?FamilyID=53541292-ce94-4c5b-9127-b7d56f11b619&amp;amp;DisplayLang=en"&gt;Junk E-mail Reporting Tool 1.0 for Outlook&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;The Junk E-mail Reporting Tool submits e-mail to Microsoft when you explicitly choose to do so. If you receive a junk e-mail and want to report it to us for analysis, first select the e-mail in Outlook and then click the junk e-mail button on your tool bar. You will see a pop-up window asking whether you want to report the selected e-mail to Microsoft and its affiliates. When you click “Yes” to confirm that you’d like to report the selected e-mail as junk e-mail, the junk e-mail will be deleted from your Inbox and sent to FrontBridge, a Microsoft company, for analysis to help us improve the effectiveness of our junk e-mail filtering technologies.&lt;/P&gt;&lt;/BLOCKQUOTE&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=564693" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/spam/default.aspx">spam</category><category domain="http://blogs.technet.com/steriley/archive/tags/email/default.aspx">email</category><category domain="http://blogs.technet.com/steriley/archive/tags/malware/default.aspx">malware</category></item><item><title>iPods spread disease?</title><link>http://blogs.technet.com/steriley/archive/2006/10/17/ipods-spread-disease.aspx</link><pubDate>Wed, 18 Oct 2006 00:57:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:471189</guid><dc:creator>Steve Riley</dc:creator><slash:comments>9</slash:comments><comments>http://blogs.technet.com/steriley/comments/471189.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=471189</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=471189</wfw:comment><description>&lt;P&gt;Well well. Looks like a few new iPod owners are &lt;A class="" href="http://www.apple.com/support/windowsvirus/" target=_blank mce_href="http://www.apple.com/support/windowsvirus/"&gt;getting infected when they attach their players&lt;/A&gt; to their computers. 
I'll quote the first paragraph from Apple's web site:&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;We recently discovered that a small number - less than 1% - of the Video iPods available for purchase after September 12, 2006, left our contract manufacturer carrying the Windows RavMonE.exe virus. This known virus affects only Windows computers, and up to date anti-virus software which is included with most Windows computers should detect and remove it. So far we have seen less than 25 reports concerning this problem. The iPod nano, iPod shuffle and Mac OS X are not affected, and all Video iPods now shipping are virus free. As you might imagine, we are upset at Windows for not being more hardy against such viruses, and even more upset with ourselves for not catching it.&lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;P&gt;So Apple has a quality-control problem, and they blame it on Windows? They mention that decent AV software would catch the virus, but then they become oblivious to the irony that they themselves apparently don't run any?&lt;/P&gt;
&lt;P&gt;What's even&amp;nbsp;more&amp;nbsp;inaccurate in Apple's claim&amp;nbsp;is that the malware isn't an actual virus.&amp;nbsp;Rather than exploiting a&amp;nbsp;code vulnerability to spread, it relies instead on a common configuration vulnerability -- the gullibility of humans.&amp;nbsp;To encourage spreading, it creates an autorun.inf file, entices the user to execute the worm, and then looks for any mapped drives and drops itself on whatever it finds. I continue to maintain that autorun has no purpose on business computers and you should &lt;A class="" href="http://search.microsoft.com/results.aspx?mkt=en-US&amp;amp;setlang=en-US&amp;amp;q=disable+autorun" target=_blank mce_href="http://search.microsoft.com/results.aspx?mkt=en-US&amp;amp;setlang=en-US&amp;amp;q=disable+autorun"&gt;disable it at the domain level&lt;/A&gt;.&lt;/P&gt;
&lt;P&gt;Apparently, someone at Apple fell for the &lt;A class="" href="http://en.wikipedia.org/wiki/Dancing_pigs" target=_blank mce_href="http://en.wikipedia.org/wiki/Dancing_pigs"&gt;dancing pigs&lt;/A&gt; and subsequently infected&amp;nbsp;the equipment used in the manufacture of&amp;nbsp;certain iPods.&amp;nbsp;Ignoring their own problems, Apple finds it easier to blame Microsoft. That's right, blame is always preferable over responsibility.&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=471189" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/false+claims/default.aspx">false claims</category><category domain="http://blogs.technet.com/steriley/archive/tags/protection/default.aspx">protection</category><category domain="http://blogs.technet.com/steriley/archive/tags/things+that+make+me+angry/default.aspx">things that make me angry</category><category domain="http://blogs.technet.com/steriley/archive/tags/things+that+make+me+laugh/default.aspx">things that make me laugh</category><category domain="http://blogs.technet.com/steriley/archive/tags/malware/default.aspx">malware</category></item></channel></rss>