IT Security Blog

11 June 2009

Outlook Malware from Last Week Comes Back for a Visit


My apologies for being a bit light on posting this week.  I have been in Amsterdam for the 16th MAAWG Conference.  It's been a great conference with some outstanding presentations, but I am looking forward to being home tomorrow!

It looks like the Outlook Reconfiguration Malware from last week has returned for another round, this time claiming that other user mail clients are in need of reconfiguration.

This one is fairly interesting because it seems to be rather confused as to which mail client is supposed to be reconfigured.  Many of the samples that I have reviewed use different mail client names between the message subject and the body.  A couple of examples:

Message Subject: Microsoft Outlook Setup Notification
Message Body:

You have (6) message from Outlook Express.

Please re-configure your Microsoft Outlook again.

Download attached setup file and install.

Message Subject: TheBat Setup Notification
Message Body:

You have (9) message from Microsoft Outlook.

Please re-configure your TheBat again.

Download attached setup file and install.


Notice that between the message subject and the first and second sentence of the message it might tell you that you are receiving a setup notification for TheBat (a legitimate mail client frequently spoofed in spam), tell you that you have X messages from Microsoft Outlook, and tell you that you need to reconfigure TheBat again.  I am not sure if this is intentional or not (it is sloppy work on the part of the spammer if it is) or if it is just a piece of broken spamware.

These messages carry an attachment named client_update.zip with an MD5 checksum of a50838afddd97a744804bdb6b153b101. 

VirusTotal reports (as of the time of this writing) that only about 60% of the antivirus engines are detecting this malware, which is better than we typically see in the early stages of a new attack.  This supports the theory that the new malware is close enough to the one seen last week that the old signatures might still be catching it.
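The two inconsistencies called out above (a subject that names one mail client while the body names another, and a "setup notification" that carries a zip attachment) are easy to turn into a mail-gateway triage rule. The following is an added example and not code from the original post; the message builder, the sender addresses and the attachment bytes are constructed for the demonstration, while the attachment hash is the MD5 quoted in the post.

```python
import hashlib
import re
from email import policy
from email.message import EmailMessage

# Mail client names used in the lure (Thunderbird added as a clean control).
CLIENT_NAMES = ["Outlook Express", "Microsoft Outlook", "TheBat", "Thunderbird"]
# MD5 of client_update.zip as listed in the post above.
KNOWN_BAD_MD5 = frozenset({"a50838afddd97a744804bdb6b153b101"})
SETUP_RE = re.compile(r"\bsetup notification\b", re.IGNORECASE)


def md5_hex(data):
    """Hex MD5 of a byte string (used only to match the published sample hash)."""
    return hashlib.md5(data).hexdigest()


def clients_mentioned(text):
    """Set of CLIENT_NAMES that appear as whole phrases in text, case-insensitively."""
    return {name for name in CLIENT_NAMES
            if re.search(r"\b%s\b" % re.escape(name), text, re.IGNORECASE)}


def build_message(subject, body, attachment=None):
    """Construct a test message; attachment is an optional (filename, bytes) pair."""
    msg = EmailMessage(policy=policy.default)
    msg["Subject"] = subject
    msg["From"] = "noreply@example.invalid"  # constructed addresses
    msg["To"] = "user@example.invalid"
    msg.set_content(body)
    if attachment is not None:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="zip", filename=name)
    return msg


def triage(msg, bad_hashes=KNOWN_BAD_MD5):
    """Return the reasons a message matches the lure; an empty list means no match.

    Rule 1: the subject is a "Setup Notification" and the body names a mail
            client that the subject does not (the inconsistency noted above).
    Rule 2: such a notification carries a .zip attachment; if its MD5 is in
            bad_hashes, the known sample itself has been seen.
    """
    reasons = []
    subject = str(msg["Subject"] or "")
    if not SETUP_RE.search(subject):
        return reasons
    body_part = msg.get_body(preferencelist=("plain",))
    body_text = body_part.get_content() if body_part is not None else ""
    in_subject = clients_mentioned(subject)
    in_body = clients_mentioned(body_text)
    if in_body - in_subject:
        reasons.append("subject/body client mismatch: subject names %s, body names %s"
                       % (sorted(in_subject), sorted(in_body)))
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            reasons.append("zip attachment on a setup notification: " + name)
            digest = md5_hex(part.get_payload(decode=True))
            if digest in bad_hashes:
                reasons.append("attachment MD5 matches known sample: " + digest)
    return reasons


if __name__ == "__main__":
    sample = build_message(
        "Microsoft Outlook Setup Notification",
        "You have (6) message from Outlook Express.\n\n"
        "Please re-configure your Microsoft Outlook again.\n\n"
        "Download attached setup file and install.",
        ("client_update.zip", b"PK\x03\x04constructed-sample"))
    for reason in triage(sample):
        print(reason)
```

The mismatch rule is deliberately one-directional: a body that names a client the subject never mentioned is suspicious, but a subject that names a client the body omits is not. The hash rule only confirms the exact sample from the post; a respin with a repacked zip would slip past it, which is why the zip-on-notification rule sits in front of it.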

Either way, be on the lookout for this respin of last week's news. 

 
Posted by smasiello at 3:48 PM | Link | 0 comments
13 March 2009

The Great Browser Security Debate


I have been starting to feel like I have hardly been in the office over the past month.  After attending MAAWG in San Francisco for a week in mid-February I was in town for a week and a half before going on an extended vacation/business trip to Orlando for InfoSec World 2009 and some time visiting my wife's family.  I am finally back in town and expect to be so for about the next month until RSA rolls around in late April so expect to see regular blog updates rolling out again.

I wanted to take a few minutes to talk about something that has been bothering me lately.  It is something that I have been hearing more and more in passing conversation about browser security, in particular between Firefox and Internet Explorer.  Similar to the debates that have been raging for a few years now over the "security" of Apple's OS X (and previous versions) as compared to Microsoft Windows are the debates over whether Firefox is a more secure browser than Internet Explorer. 

Is it, really?  Or is it just a matter of perception? 

At the end of the day, the level of security of any application installed on our computers is a combination of the vendor's ability to release timely updates to address new security issues and the user's ability and willingness to install those updates.  The discussion about application security is completely irrelevant if users do not install the updates that the vendor provides. 

Take this recent analysis of the Conficker worm/botnet as an example.  According to the report, more than 90% of the users who got infected with Conficker got infected while using Internet Explorer 6, the default browser that comes with Windows XP.  Windows XP is also the OS that has the highest concentration of infected Conficker users, but that is to be expected as it is currently the most deployed Windows OS version.  What this tells me is that many users who are running Internet Explorer 6 are not keeping it up to date with updates and patches.  This is also somewhat to be expected because the largest concentration of infections is in countries like China, Brazil, Russia, and India, which also have some of the highest numbers of pirated copies of Windows in the world.  You could argue that this might not be the best example of browser security because Conficker exploits an OS-level vulnerability, but the reasoning is still sound: if you aren't applying OS patches you likely aren't patching your browser either.  If you aren't familiar with the "insecurity iceberg" report, I would recommend it.  It is a good read as it outlines browser and plugin usage across many different data cross-sections to illustrate that browser security is about more than just the browser.  It also covers the many plugins that are available such as Adobe Flash, Java, Apple QuickTime, and Adobe PDF Reader. 

So, to go back to my original question, is Firefox really more secure than Internet Explorer?  In addition to my previous argument about patching, I believe this also comes down to an issue of perception.  For example, Firefox releases security updates more frequently than Internet Explorer.  Does that make it more secure or less secure?  Additionally, Firefox has a "nagware" type of feature where it regularly throws popups at you when a new version is available, encouraging you to upgrade to the latest and greatest version of the browser.  This gives the user the impression that they are being kept safer.  Firefox also has an active community of developers creating plugins for Firefox that add security features on top of what the browser already provides.  Neither Firefox nor IE has any native protection against what is known as clickjacking.  With NoScript, a plugin available for Mozilla-based browsers like Firefox (et al.), clickjacking protection can be added.  IE currently has no protection available, although it is being planned for IE 8.  Another security threat that I have written about previously is the danger that can be introduced by URL abbreviation services like TinyURL and SnipURL.  Firefox has a plugin that lets users preview where these abbreviated URLs will really take them before they click the link.  URL abbreviation services are being used more and more by phishers and malware creators to trick users into clicking on legitimate-looking links that redirect them to malicious web sites.  So, there are security-related add-ons that users can plug into their browsers if they know which ones are good and actively maintained and where to look, but this functionality isn't native to the browser and leaves the user with yet more software to keep updated.

You could make analogies between the OS X and Windows debate here too.  Apple users claim they don't have the malware problem that Windows users have.  In sheer volume of released exploits, this is certainly true, however you are also dealing with a much smaller market share.  Is the reason that Firefox exploits haven't been more widely targeted that they just don't have the market share to support the effort on the part of cyber criminals? 

My point is that there are compelling arguments on both sides of the browser security debate, but at the end of the day the onus is still on the user to make sure their software (both browser and plugins!) is patched regularly, and that they are employing additional security measures like anti-virus and outbound-traffic-blocking firewalls to reduce their risk.  More online threats are moving to the browser every day, so having multiple layers of defenses in place at different points of the network remains your best method to minimize risk. 
Posted by smasiello at 1:00 PM | Link | 4 comments
26 January 2009

New Mac Trojan Variant


Following on the heels of last week's announcement of a trojan horse being installed as part of some pirated copies of iWork '09 for the Mac being distributed on peer-to-peer file sharing services comes another announcement that a trojan has also been identified in pirated versions of Adobe Photoshop CS4 for the Mac.

No word yet on whether the new Photoshop trojan was created by the same people who created the iWork trojan that was used to launch DDoS attacks. 

It is important to note that these trojans do not attempt to infect other computers; rather, they stay resident on the local machine.  Since the trojans run as root, it is possible that once one has been installed it could be used to affect other applications.  Since these trojans also have a phone-home component, they could (not confirmed) be used for information theft as well.

Trojans being distributed via applications shared through peer-to-peer file sharing services are nothing new in the PC world, but have recently been garnering more attention for Macs as Apple's computers have been gaining market share.  The Mac fallacy of invulnerability is being challenged more frequently now.  It looks like Apple has finally gained enough penetration into the computer market that cyber criminals are targeting them and their users with more regularity.  This is a trend that will certainly continue especially if you consider the number of Mac users who have resisted purchasing security software in the past.
Posted by smasiello at 11:25 AM | Link | 1 comment
31 December 2008

MD5 Collisions a Game Changer for SSL and AV Companies?


There has been quite a bit of press over the last day or two with respect to a design flaw with SSL that could allow an attacker to forge a security certificate such that it circumvents the built-in authentication methods within your browser.  This means that your browser could believe that a malicious, look-alike web site for your bank could authenticate to your browser as your real bank web site if this attack is carried out correctly.  See this story from CNET that has a graphical proof of concept example using Bank of America.

If you are not familiar with MD5, essentially it is a 128-bit hashing algorithm that is used by many security applications.  For example, an MD5 hash is commonly used as a checksum by system integrity validators (SIV) to ensure that key binaries on your system have not changed their default composition (if they have, this could indicate a trojan or rootkit has been installed on your system). 

MD5 checksums have been known for some time not to be completely secure, as they are typically expressed as a 32-bit hexadecimal number.  This means that there are only a finite number (2^128) of potential hash possibilities.  This has been considered good enough for many applications, but with the power of today's clustered computing environments (including botnets), the time it takes to generate a targeted MD5 collision has been greatly reduced.  According to the CNET article, performing the initial forgery proof of concept took about 2 weeks on a cluster of 200 PlayStation 3s.  This kind of computing power is infinitesimal compared to most botnets.  Quite a few articles on the web (do a Google search for "md5 collision example" and some will yield source code) already discuss how easy it is to create an MD5 collision. 

Web site forgeries are only one example of how MD5 collisions can be used to circumvent security technologies.  My friend Adam O'Donnell from Cloudmark points out in a Twitter update that an MD5 collision could also be used to make malicious software look legitimate.  Take our SIV example from earlier.  If a malicious version of a binary were created with the same MD5 checksum as its legitimate counterpart, your security checks might never identify that the original executable was modified if your PC were infected with some type of trojan or rootkit.  This could also force AV companies to rethink some of their own scanning methods.
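The SIV scenario from the two paragraphs above is the one place where a defender can close the gap without waiting for vendors: keep the baseline in a second, unbroken hash and treat "MD5 still matches but SHA-256 does not" as its own alarm instead of a pass. The following integrity checker is an added example, not code from the post or from any particular SIV product; the file paths and file contents are constructed byte strings standing in for binaries on disk, and the forged digest record in the usage at the bottom stands in for a real collision, which this example does not produce.

```python
import hashlib


def digests(data):
    """Both digests of a byte string; MD5 kept only for legacy baselines."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def build_baseline(files):
    """files: mapping path -> bytes. Returns path -> {'md5': ..., 'sha256': ...}."""
    return {path: digests(data) for path, data in files.items()}


def verify(baseline, current):
    """Compare digest records against the baseline.

    current: mapping path -> digest record (as produced by digests()).
    Returns path -> one of 'ok', 'modified', 'md5-collision-suspected',
    'missing', 'unexpected'.
    """
    report = {}
    for path, expected in baseline.items():
        actual = current.get(path)
        if actual is None:
            report[path] = "missing"
        elif actual == expected:
            report[path] = "ok"
        elif actual["md5"] == expected["md5"]:
            # Same 128-bit MD5, different SHA-256: exactly the case an
            # MD5-only checker would wave through as unchanged.
            report[path] = "md5-collision-suspected"
        else:
            report[path] = "modified"
    for path in current:
        if path not in baseline:
            report[path] = "unexpected"
    return report


def verify_files(baseline, files):
    """Convenience wrapper: hash the current file bytes, then verify."""
    return verify(baseline, {path: digests(data) for path, data in files.items()})


if __name__ == "__main__":
    # Constructed stand-ins for system binaries.
    files = {"bin/login": b"ELF-login-v1", "bin/ls": b"ELF-ls-v1"}
    baseline = build_baseline(files)
    print(verify_files(baseline, files))                      # all 'ok'
    tampered = dict(files, **{"bin/login": b"ELF-login-trojan"})
    print(verify_files(baseline, tampered)["bin/login"])      # 'modified'
    # A hypothetical colliding binary: same MD5 as the baseline, different SHA-256.
    forged = dict(baseline)
    forged["bin/login"] = {"md5": baseline["bin/login"]["md5"], "sha256": "0" * 64}
    print(verify(baseline, forged)["bin/login"])              # 'md5-collision-suspected'
```

The migration path this implies for an existing MD5-only baseline is to re-hash once with SHA-256 while the system is still trusted, then let the MD5 column stay only for comparison with older records; once every record carries a SHA-256, the MD5 branch can be dropped entirely.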

What all of this really highlights is that MD5 is no longer a "good enough" hashing algorithm (and in reality hasn't been for some time, but that hasn't stopped people from using it) if your intention is to create a hash that will be used as part of any kind of security/authentication system.  I agree with Paul Kocher's statements in the CNET article that this is certainly not one of the biggest security issues facing us right now.  Among all of the other application-based attacks that exist, though, this one could be potentially very dangerous because it is another of those we have discussed that do not require elaborate social engineering to be carried out effectively (at least for web site forgeries), as the redirection to a malicious site can be carried out at the network level. 

This is not one of those types of attacks that is likely to occur on a large scale against many widely used web sites (like the Bank of America proof of concept) as it would likely get sniffed out very quickly, but if used for smaller, more localized attacks could prove to be effective. 
Posted by smasiello at 8:30 AM | Link | 1 comment
02 December 2008

Apple Recommends Using Antivirus Software


It looks like Apple has finally changed their tune as it relates to using security software on their PCs and is now telling their users to make sure they have antivirus software installed.  See article here.

This move was inevitable.  At some point Macs would gain enough market share for them to become more of a target for hackers and cyber criminals.  Most security researchers have been saying that for a long time, and I applaud Apple for finally coming to that realization also, even though it really should have been said some time ago.  Now the Mac users who have long been saying that they don't need to worry about malware "because they run a Mac" really don't have a leg to stand on as even the manufacturer of their computer has come out and contradicted that claim.

From a timing perspective this announcement comes at a good time as well.  As IT managers are working on their 2009 budgets, this is now something that they need to include as another line item to allocate money for early in the year.  If your Mac does not already have some kind of antivirus software installed, the time is now to get it.  Apple's personal computer market share continues to increase which means its prevalence as a target will also continue to rise.  Don't be left holding the bag either as a personal Mac user or as a corporate user.  Macbots are coming.  iPhones and iPods will not be far behind.

*** UPDATE 12/2/2008 4:42pm MST ***  So it looks like I need to recant a little bit.  If you look at Apple Knowledge Base Article 4454, you notice the last updated date of December 2, 2008.  This article was originally published back on June 8, 2007.  Unfortunately, the existence of this article hasn't changed most Mac users' hubris about their invulnerability to malware, because the fact of the matter remains that many Mac users still don't use antivirus software on their machines.  The time is still now to change that.  A widespread Mac virus could be a devastating event!
Posted by smasiello at 8:43 AM | Link | 5 comments
27 August 2008

Keylogger Infects Laptops Used on Space Station


According to this story posted on Wired yesterday, a keylogger has been found on laptops being used in the space station.  The reported malware, W32.Gammima.AG (see here for description on Symantec's web site), has been around since August 2007 and steals passwords from a few (rather obscure here in the United States) online games.

You are thinking "So what?  What risk does an online game keylogger pose to a laptop on the space station?  Why should I care?"

As you know, we like to think bigger picture here.

Let's start with the obvious question of why the anti-virus software running on the laptop didn't immediately identify and stop a one-year-old virus.  I don't know about you, but that sends up lots of red flags to me!  This obviously begs the question of how long this keylogger has actually been resident on the laptop and whether there are other, yet undetected, rootkits and keyloggers on those machines.  Also, what other computers were potentially exposed to these infected machines that this virus could have propagated to?  What information has been exposed to theft or compromise, either from the laptops or from other exposed machines on the NASA network?  What was done with these laptops once the virus was detected?  Were they merely cleaned to the virus scanner's standards (which clearly aren't that high!) or was the computer completely taken out of commission so that it could be wiped to Department of Defense specifications and re-imaged before it was redeployed? 

Obviously there are a lot of unanswered questions in relation to this story, and of course NASA will never make the answers to those questions public, but this certainly calls into question the validity of the security measures employed by one of the most important programs of the 20th and 21st centuries.  Where else within the federal government does the potential for similar security breaches exist?  Are potential data leakages like this something that the Department of Homeland Security is focused on preventing?  If not, they should be!  Let's be sure we aren't aiding and abetting the bad guys by giving them the exact information we are looking to protect!

Posted by smasiello at 2:22 PM | Link | 1 comment
13 September 2007

Underestimating the Insider Threat

The Computer Security Institute's annual Computer Crime and Security Survey reports that insider attacks are now surpassing computer viruses as the most common cause of security incidents within organizations. It also says, however, that the losses incurred are not significant. The fact that insider threats have surpassed viruses in prevalence makes sense to me, but the argument that the damage is minimal does not. Companies have been fighting the virus wars for years now. Although insider espionage has been a potential issue for much longer than computer viruses, it has generally not received the same level of attention.

It is estimated that a little less than one third of all security incidents are the result of an insider, whether the incident was a result of malicious intent or an honest mistake. What is not accounted for here, however is the level of ease by which insiders can obtain potentially damaging company confidential information. Some users have access to it by default as a result of their position within an organization. Others gain access by finding security weaknesses within the company's infrastructure. Either way, I believe that the reason companies are saying that the resulting losses from the insider threat are not the biggest cost is because they don't know how to estimate the damage.

Do they know how much data was really altered/copied/deleted? Do they have a good idea as to how much that data is really worth? Are the values being underestimated because they don't want to lose face in their respective industries? Do they not want to give their competitors ammunition to use against them? Do they not want their customers to lose confidence in them as a provider of a good or a service?

I think all of those are valid points to consider, but the real question at the root of the entire issue is not "Will you have a security incident?", rather "When will you have a security incident?" and are you equipped to respond?

We generally spend so much time trying to make sure that the bad guys can't get in from the outside, but we need to also consider the possibility that they are already "in" and have been for quite some time.

Do not underestimate the insider threat and the ease by which they can cause damage to your organization. Chances are that someone who may cause either inadvertent or intentional data leakage/deletion already has access to the information they need....they don't have to break in or be sneaky to get it.

Posted by smasiello at 8:49 AM | Link | 1 comment
28 August 2007

New Storm Leverages Youtube

Another day, another Storm worm tactic.

This new tactic is leveraging YouTube links in an effort to get users to click and download malicious code. The link sent via email looks like a properly formatted YouTube URL, but actually points at a compromised web server. To avoid DNS, the link goes to a numerical IP address instead of a hostname, which also makes it easier to take down.

This is another example of pull based malware that we have been talking about more and more where the user has to go visit a web site (either by clicking a link or following instructions to go to a particular web site) in order to get infected as opposed to having the malware "pushed" to them via an email attachment.

This method of infection also forced the AV vendors to start incorporating URL-based blacklists into their products, so that malicious web sites can be proactively identified by the AV engine based on the web site address and not necessarily on the hosted content. This is a good move on their part, especially considering the increase (and expected continued prevalence) in server-side polymorphic viruses.
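The two signals this post describes, a link whose visible text looks like a YouTube URL while its real target is a bare IP address, and a target host that appears on a URL blacklist, can be checked on an HTML mail body before the user ever sees it. The following analyser is an added example and not code from the post or from any AV product; the sample mail body, the 203.0.113.10 address (from the TEST-NET-3 documentation range) and the blocklist contents are all constructed.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts that a YouTube-looking link is allowed to point at.
TRUSTED_SUFFIXES = ("youtube.com",)
# Stand-in for a URL blocklist of the kind the post describes (constructed entry).
BLOCKED_HOSTS = {"203.0.113.10"}

# Constructed mail body mimicking the lure: the first link shows a YouTube URL
# but points at an IP literal, the second is genuine, the third shows a YouTube
# hostname as text but targets an unrelated host.
SAMPLE_HTML = """<p>Dude, you have to see this!</p>
<a href="http://203.0.113.10/watch.php?v=constructed">http://www.youtube.com/watch?v=constructed</a><br>
<a href="https://www.youtube.com/watch?v=constructed">the real thing</a><br>
<a href="http://video-mirror.example/w/constructed">www.youtube.com/w/constructed</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in a document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host part of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def is_ip_literal(host):
    """True for a bare IPv4/IPv6 address, the pattern the post singles out."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def host_trusted(host):
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def analyse_links(html):
    """Return [(href, [reasons])] for links that look like the lure; clean links are omitted."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = host_of(href)
        reasons = []
        if is_ip_literal(target):
            reasons.append("target host is an IP literal: " + target)
        if target in BLOCKED_HOSTS:
            reasons.append("target host is on the URL blocklist: " + target)
        if "youtube.com" in text.lower() and not host_trusted(target):
            reasons.append("visible text claims youtube.com but target is " + (target or "(none)"))
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in analyse_links(SAMPLE_HTML):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

The text-versus-target check is what a blocklist alone cannot give you: it fires on the first day of a campaign, before the server has been reported, while the blocklist entry catches repeat use of an address already known to be compromised.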

Posted by smasiello at 9:51 AM | Link | 1 comment