Ethical malware argument raises eyebrows

Written by Dan Blacharski on December 16, 2009 – 6:10 pm

The issue of “ethical malware” has raised its ugly head this week in the blogosphere, sparking heated discussions and soapbox speeches everywhere. As reported this week in LinuxInsider, a lengthy Slashdot discussion was sparked when a participant wrote, “I was fed up with the general consensus that Linux is oh-so-secure and has no malware. After a week of work, I finished a package of malware for Unix/Linux. Its whole purpose is to help white-hat hackers point out that a Linux system can be turned into a botnet client by simply downloading BOINC and attaching it to a user account to help scientific projects.”

The writer, Johannes, is of course correct. Unix/Linux can indeed be vulnerable to malware. We must remember that absolutely no operating system is completely bulletproof. We may like its features, it may have good security, and the OS may be perceived as being “cool”, but it’s not magic. Like any other OS, it’s just lines of code. Armchair computer users that aren’t in the industry may have the incorrect notion of absolute security, but nobody in the business can seriously make that claim with a straight face.

The larger question that is raging on the Slashdot discussion thread is whether Johannes was within his rights to release malware on Linux for the purpose of illustrating his point.

Most people would agree that malware is a scourge on society, and in most cases is illegal. But Johannes’ malware wasn’t malicious, so was he within the scope of ethical computing to release it? On one hand, the logic is indisputable: by releasing the malware, he was able to highlight a flaw in the OS. And especially when an OS is developed the way Linux is, it’s very likely that any flaw that is brought to public knowledge will be repaired soon enough.

On the other hand, there is naturally a window of vulnerability between when the flaw is made public and when it is fixed, giving the real evil-doers a short but realistic opportunity to exploit it. Would we think it okay, for example, if somebody broke into a bank vault one evening but didn’t take the money, just to show the bank that it could be done? I don’t think there would be any debate about it; the perpetrator would go straight to prison. “White-hat” hacking of this nature may have good intentions, but the writer is taking a risk here that an aggressive prosecutor may decide to pursue the matter in court.


Malware Threats from Unexpected Sources: Trojans Embedded in Streaming Video Links

Written by Lee Clemmer on September 14, 2009 – 4:57 pm

Sometimes spam, viruses, and other malware filtering at your email gateway isn’t enough. It’s important to keep your host anti-virus signatures up to date, and if you don’t have anti-virus protection at your firewall or on your network at the Internet gateway you should seriously consider it.

Here’s why these items are critical. Some recent malware attacks have used malware embedded in video and audio streams as the delivery mechanism. They gain an initial foothold, so to speak, by getting a link in front of your users in a spam email. If your spam filter doesn’t block the message, a link in the email appears to be a video or audio link, but in fact the destination contains a trojan embedded in the content stream.

This method of attack isn’t exactly new. For example, the ZLOB Trojan began making the rounds in 2005 and gained traction in 2006. Some attacks with it simply involved downloading other viruses or malware. With a video link, however, users whose ActiveX controls are set to download codecs automatically, and who have poor virus protection, would automatically download the trojan and become infected.


Breakthrough encryption technology discovered

Written by Dan Blacharski on July 3, 2009 – 12:26 pm

We can all generally agree that encryption is good, and that implementing regularly updated anti-malware software is also good. But the two have never been compatible. The only way that encrypted email traffic can be scanned for malware is to decrypt it before scanning, then re-encrypt it afterwards before sending it on the rest of its journey to the email server. It’s certainly possible to do so, but it’s tricky and introduces delay. So why can’t we just scan the encrypted email traffic for viruses?

As reported in Forbes this week, an IBM researcher has made some progress towards solving that dilemma. Although there is no current commercial implementation of the solution, the researcher, Craig Gentry, has effectively set the wheels in motion. Gentry has solved the problem of fully homomorphic encryption, which allows the anti-malware analysis, as well as other processes, to be performed directly on encrypted data, without having to decrypt it first. No software is currently able to do that, and in reality, it may be several years before it is commercially available–but it’s nonetheless a big breakthrough in security.
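To make the idea of computing on encrypted data concrete, here is an added example that is not code from the original post and has nothing to do with Gentry's construction: it implements the Paillier cryptosystem, which is only *additively* homomorphic (you can add encrypted numbers, and multiply them by a plaintext constant, but not run arbitrary programs on them as a fully homomorphic scheme would). The primes `P` and `Q` are tiny constructed demo values; real deployments use primes of 1024 bits or more. The scenario in `demo()` is likewise constructed: three scanners each report an encrypted indicator count for a message, and the gateway totals them without ever seeing the individual counts.

```python
from math import gcd
import secrets

# Constructed demo primes; far too small for real use.
P, Q = 65537, 65539


def keygen(p=P, q=Q):
    """Paillier key generation with the common choice g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lambda = lcm(p-1, q-1)
    g = n + 1
    n2 = n * n
    # L(x) = (x - 1) / n ; with g = n + 1, L(g^lambda mod n^2) == lambda mod n
    l_val = (pow(g, lam, n2) - 1) // n
    mu = pow(l_val, -1, n)                          # modular inverse (Python 3.8+)
    return (n, g), (lam, mu)


def encrypt(pub, m):
    """c = g^m * r^n mod n^2 with a fresh random blinding factor r."""
    n, g = pub
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c):
    """m = L(c^lambda mod n^2) * mu mod n."""
    n, _ = pub
    lam, mu = priv
    n2 = n * n
    return ((pow(c, lam, n2) - 1) // n * mu) % n


def add_encrypted(pub, c1, c2):
    """Multiplying ciphertexts adds the plaintexts: Enc(a) * Enc(b) = Enc(a + b)."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def scale_encrypted(pub, c, k):
    """Raising a ciphertext to k multiplies the plaintext by k: Enc(a)^k = Enc(k * a)."""
    n, _ = pub
    return pow(c, k, n * n)


def demo():
    """Constructed scenario: sum three scanners' encrypted indicator counts.

    Returns (decrypted total, decrypted 4 * third count) == (8, 20).
    """
    pub, priv = keygen()
    counts = [3, 0, 5]                       # constructed per-scanner counts
    cts = [encrypt(pub, v) for v in counts]
    total_ct = cts[0]
    for c in cts[1:]:
        total_ct = add_encrypted(pub, total_ct, c)   # gateway never decrypts the parts
    scaled_ct = scale_encrypted(pub, cts[2], 4)
    return decrypt(pub, priv, total_ct), decrypt(pub, priv, scaled_ct)


if __name__ == "__main__":
    print(demo())
```

The point of the example is the last function: every arithmetic step in `demo()` happens on ciphertexts, and only the key holder learns the result. The gap between this and what the post describes is exactly Gentry's contribution: an anti-malware scan needs comparisons and branching, not just addition, and that requires a fully homomorphic scheme.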


Microsoft issues anti-malware changes to Windows 7

Written by Dan Blacharski on May 4, 2009 – 9:23 am

Microsoft is changing the AutoPlay feature of Windows 7 so that AutoRun is no longer enabled for USB devices. The change was necessary, since some malware (including Conficker) uses the AutoRun feature to spread. Malware isn’t just an email-borne problem any more; malware writers recognize that email security has been improving overall, and are looking for new attack vectors. Removable media, such as USB devices, make a perfect attack vector for them.

Although Conficker is the most well-known piece of malware that uses the default AutoRun settings to propagate itself, others have also used this feature in the past and continue to do so now. Spreading malware via USB devices started to become prevalent last year.

There will no doubt be some outcry about Windows 7 hampering usability, but the move makes sense. With this update, the AutoRun task will continue to work for removable media such as CDs and DVDs, but it will not be enabled for other devices, such as USB drives. In addition to being incorporated in Windows 7, the change will also be reflected in future updates of Vista and XP.


April 1st – A good day to leave the computer off

Written by Dan Blacharski on March 17, 2009 – 4:26 pm

April Fool’s Day has always been a favorite of Internet “pranksters”, hackers and disseminators of online evil. Reports are floating around that the Conficker worm’s latest variant will become active on April 1. Conficker is designed to spread itself and grow a massive botnet, and the latest version, W32.Downadup.C, will strengthen the purposes of the worm’s creators. This latest version deactivates security processes on the victim’s PC, preventing some security products from running. It also prevents computers from connecting to some security Web sites. Security software commonly “phones home” to update blacklists and other up-to-date anti-malware information. The latest version also generates thousands of domain names, which are used by the zombified PCs to check in for further instructions.
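The "thousands of domain names" behaviour described above leaves a distinctive trace in DNS logs: an infected host resolves many algorithmically generated names, most of which do not exist yet, so the resolver answers NXDOMAIN. The following is an added example, not code from the post and not Conficker's actual domain generation algorithm; it is a generic detection heuristic that flags clients whose NXDOMAIN volume and name randomness (Shannon entropy of the second-level label) both exceed a threshold. The log format and all sample lines are constructed for the example, and the thresholds are starting points to tune against your own resolver's baseline.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed resolver log: "<timestamp> <client> <query name> <rcode>".
# 10.0.0.9 mimics a DGA-driven host; 10.0.0.7 has a single typo; 10.0.0.5 is clean.
SAMPLE_LOG = """\
2009-03-17T10:00:01 10.0.0.5 www.example.com NOERROR
2009-03-17T10:00:02 10.0.0.5 mail.example.com NOERROR
2009-03-17T10:00:03 10.0.0.9 qxmvhtqyb.ws NXDOMAIN
2009-03-17T10:00:03 10.0.0.9 ztlopkwdau.info NXDOMAIN
2009-03-17T10:00:04 10.0.0.9 bxqrvmzkcj.cc NXDOMAIN
2009-03-17T10:00:04 10.0.0.9 hwnqzdlyt.biz NXDOMAIN
2009-03-17T10:00:05 10.0.0.9 pkvzjqmrcx.net NXDOMAIN
2009-03-17T10:00:05 10.0.0.9 update.example.org NOERROR
2009-03-17T10:00:06 10.0.0.7 intranet.example.com NOERROR
2009-03-17T10:00:07 10.0.0.7 typo-exmaple.com NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def shannon_entropy(s):
    """Bits of entropy per character; random strings score higher than dictionary words."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Yield (client, query name, rcode) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _ts, client, qname, rcode = m.groups()
        yield client, qname.lower().rstrip("."), rcode


def registrable_label(qname):
    """Label immediately left of the TLD (naive: no public-suffix list, an assumption)."""
    labels = qname.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def client_stats(text):
    """Per-client query count, NXDOMAIN count and entropies of the failed names."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "entropies": []})
    for client, qname, rcode in parse_log(text):
        s = stats[client]
        s["queries"] += 1
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1
            s["entropies"].append(shannon_entropy(registrable_label(qname)))
    return stats


def flag_dga_clients(text, min_nxdomain=5, min_mean_entropy=3.0):
    """Clients with at least min_nxdomain failures whose failed names look random."""
    flagged = []
    for client, s in client_stats(text).items():
        if s["nxdomain"] < min_nxdomain:
            continue                      # a few typos are normal
        mean_entropy = sum(s["entropies"]) / len(s["entropies"])
        if mean_entropy >= min_mean_entropy:
            flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    for client, s in client_stats(SAMPLE_LOG).items():
        print(client, s["queries"], "queries,", s["nxdomain"], "NXDOMAIN")
    print("suspected DGA clients:", flag_dga_clients(SAMPLE_LOG))
```

Requiring both signals matters: a user who mistypes a host name produces NXDOMAIN answers, and a legitimate CDN host name can have high entropy, but only a domain-generation loop produces many random-looking failures from one client in a short window. In practice you would also key on a time window and correlate the flagged client with the blocked connections to security vendor sites that the post mentions.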


Knowing when it’s the Real McCoy

Written by Dan Blacharski on January 7, 2009 – 2:52 pm

The most annoying pieces of malware are the fake security programs which pop up on your screen, informing you that they have detected malicious files on your computer. The program, which often disguises itself to look like part of the Microsoft operating system, is very persistent. If I get one of these on my screen and try to press the “cancel” button, it won’t cancel. Usually the only way to dismiss the popup is to click on the “X” button in the upper-right hand corner of the box, or go directly to the Task Manager with “Control-Alt-Delete” and end it there. The little devils do everything they can to stay on the screen, even though I know very well they are not who they claim to be.

These fake security programs usually do very little, if anything, to protect your security, and are designed to take your money, steal your personal information, or implant malware or adware onto your computer. In some cases, devious bad guys infect computers with popups and adware and, in the same infection, implant the bogus security popup as well, to make it seem all the more needed. Don’t fall for it!


Mine’s a Mac; Mine’s a PC – both need anti virus

Written by Dan Blacharski on December 5, 2008 – 3:44 pm

Let me make one thing clear. There is a perception that the Apple Mac cannot have malware. This is incorrect.

Apple Computer posted a note on its support site late last month, and removed it this week, which encouraged people to use anti-virus software. The presence of the note has caused much consternation among the media, the blogosphere and the Apple faithful, the latter of which have long proclaimed that Apple does not need anti-virus software. The notice read, “Apple encourages the widespread use of multiple antivirus utilities so that virus programmers have more than one application to circumvent, thus making the whole virus writing process more difficult.”
