Posts Tagged ‘viruses’
Malware Threats from Unexpected Sources: Trojans Embedded in Streaming Video Links
Written by Lee Clemmer on September 14, 2009 – 4:57 pm
Sometimes spam, virus, and other malware filtering at your email gateway isn’t enough. It’s important to keep your host anti-virus signatures up to date, and if you don’t have anti-virus protection at your firewall or on your network at the Internet gateway, you should seriously consider it.
Here’s why these items are critical. Some recent malware attacks have used video and audio streams as the delivery mechanism for malware. They gain an initial foothold, so to speak, by getting a link in front of your users in a spam email. If your spam filter doesn’t block the message, a link in the email appears to lead to a video or audio clip, but in fact the destination serves a trojan embedded in the content stream.
This method of attack isn’t exactly new. For example, the ZLOB Trojan began making the rounds in 2005 and gained traction in 2006. Some attacks using it simply downloaded other viruses or malware. Delivered through a video link, however, to users whose ActiveX controls are set to download codecs automatically, it means that those users with poor virus protection would automatically download the virus and become infected.
Google’s claim on Chrome security is nonsense
Written by Dan Blacharski on July 15, 2009 – 3:22 pm
Last week, Google announced its new Chrome operating system amidst fanfare and excitement throughout the blogosphere. The new operating system is an open-source, Linux-based OS initially targeted at netbooks. I’ve not looked at the Chrome OS up close, and I have no reason to doubt the veracity of their claims of elegance and simplicity, but there’s one claim that Google is making that deserves a response. According to Google’s announcement, they are “completely redesigning the underlying security architecture of the OS so that users don’t have to deal with viruses, malware and security updates.”
Absolute nonsense. The announcement was written by Google’s Engineering Director, but it sounds more like it was written by their Marketing Director. No security expert in his or her right mind would claim that any operating system, open source or otherwise, is completely bullet-proof and immune to malware. It’s just not gonna happen. We’ve heard the same claim from Apple for years, but the fact is, the Mac is not immune to malware any more than a Chrome system, or for that matter, a Windows system. There are fewer Mac intrusions, but it is certainly possible to penetrate one, and it is certainly possible for a hacker to create a Mac virus. There are more Windows machines, so opportunistic hackers simply realize that there is more economic incentive to attack those instead. The same principle applies to Chrome. How many people, in reality, will roll out the Chrome OS over the next few months? In the big picture, it’s likely to be a fraction of a percent of all PC users. As a result, the greatest protection afforded users of Chrome OS will be security through obscurity. Hackers just won’t be paying attention to it.
Beyond that, it’s simply impossible to create a foolproof operating system that is immune to all viruses. It is possible to make an OS more secure, and it’s done all the time. Some hardware firewall devices run on “hardened” OS platforms that are exceedingly difficult to penetrate. But to make one that is absolutely secure? Foolproof, and user-friendly to boot? Impossible. For one thing, malware writers are constantly at work, constantly innovating, and constantly looking for new vulnerabilities that weren’t considered by the OS’s engineers. That’s why patches and security updates are a good thing–because it’s not possible to consider absolutely every possible vulnerability at the get-go. For Chrome to say that users “won’t have to deal with” security updates frankly is a frightening thought. Nuisance though they may be, security updates are what keep us a step ahead of the bad guys.
FBI cyber guy says Conficker media attention is “distracting”
Written by Dan Blacharski on April 29, 2009 – 3:29 pm
The FBI’s head of cyber security, Shawn Henry, said last week that Conficker media hype is distracting people from other threats. Henry is only half right in his comments, which he made in a speech at the RSA security conference in San Francisco.
Henry correctly pointed out that there are many other cyber threats out there that also deserve attention, and some of the threats may be bigger than Conficker. Henry praised the idea of public awareness, but said he wanted to see more coverage of the “entire threat vector.”
Conficker became big news for several reasons: it was the biggest botnet to come along in years, and it operated differently from other botnets. Much of the media attention also came from the April 1 deadline, which was supposed to be the “launch date.” Nothing much happened on April 1 (except for a few April Fools jokes), and so what’s happening now is that we’re seeing a sort of “anti-hype” in some circles that is now downplaying Conficker. This is a dangerous thing. The April 1 deadline was obviously either a ruse, or the perpetrators decided to delay the launch date because of the media attention. Conficker is still with us, and reports are out that it is now coming to life, fulfilling its promise to transform millions of victims’ PCs into spam-spewing robots.
Was Conficker a “false alarm”? Obviously not. The worst is yet to come–and the media attention served the purpose of getting more people to update their systems and install relevant patches. And there’s very little doubt that Conficker has had a monetary impact already. According to the Cyber Secure Institute, it has already consumed “an extraordinary amount of time and energy.” A Cyber Secure Institute blog entry noted that because there was no major event on April 1, “numerous commentators are now downplaying the significance of the worm. This view is misguided.”
The Cyber Secure Institute also discusses the overall financial impact of the worm in terms of wasted resources and time–and extrapolating from its previous studies of the average costs of other attacks, the institute estimates the total economic cost of Conficker to be as high as $9.1 billion.
Avoiding Conficker/Downadup worm
Written by Dan Blacharski on January 21, 2009 – 4:40 pm
The Downadup worm, referred to in some reports as “Conficker”, at last report from the SANS Institute, has infected over a million PCs within a 24-hour period, for a total to date of 3.5 million infections. The worm takes advantage of a flaw in the Windows Server service used by all versions of Windows, which was corrected in a patch released last October–so the good news is, if you keep up with patches like you’re supposed to, you don’t have anything to worry about. And the latest version of Microsoft’s Malicious Software Removal Tool was released on January 13, and this one will detect the worm and remove it. Unfortunately, according to reports, nearly a third of all Windows systems are unpatched, and this has led to the incredibly high number of infections. This is why I enable the auto-update feature, because I know that if it were left up to me to manually install patches, I, like most people, wouldn’t do it. Manual patch updates would get put into the same “around-to-it” bucket as organizing my desk, cleaning out the garage, and patching up all those little nail holes in the plaster.
The worm reportedly brute-forces administrator passwords on local networks, and it spreads to removable devices and network shares.
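A defender-side illustration of the password-guessing behaviour described above, added here and not part of the original post: the script flags hosts whose failed-logon events arrive in bursts, which is the trace a worm guessing administrator passwords leaves in the Windows Security log, and notes when a successful logon follows the burst. The pipe-separated line layout and the hostnames are constructed for the example; the event ids are the real Windows ones (4625 failed logon, 4624 successful logon), and the threshold and window are assumed values to be tuned per environment.

```python
"""Flag hosts that generate bursts of failed logons, the pattern a
password-guessing worm leaves in Windows Security logs.

Added example, not from the original post. The log lines below are
constructed; the "timestamp|event_id|source_host|target_account" layout
is an assumption for the example, not a real export format."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one burst from WKS-17, then a success; WKS-03 is
# an ordinary user mistyping a password twice, half an hour apart.
SAMPLE_LOG = """\
2009-01-20 09:00:01|4625|WKS-17|Administrator
2009-01-20 09:00:02|4625|WKS-17|Administrator
2009-01-20 09:00:02|4625|WKS-17|Administrator
2009-01-20 09:00:03|4625|WKS-17|Administrator
2009-01-20 09:00:03|4625|WKS-17|Administrator
2009-01-20 09:00:04|4625|WKS-17|Administrator
2009-01-20 09:00:05|4624|WKS-17|Administrator
2009-01-20 09:00:10|4625|WKS-03|jsmith
2009-01-20 09:30:00|4625|WKS-03|jsmith
2009-01-20 09:35:00|4624|WKS-03|jsmith
"""

FAILED_LOGON = "4625"   # Windows Security event id: an account failed to log on
SUCCESS_LOGON = "4624"  # Windows Security event id: an account was successfully logged on


def parse_line(line):
    """Split one constructed log line into (timestamp, event_id, host, account)."""
    ts, event_id, host, account = line.split("|")
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), event_id, host, account


def find_guessing_hosts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {host: {"failures": n, "success_after": bool}} for every host
    that produced at least `threshold` failed logons inside any sliding
    `window`. "failures" is the largest burst seen; "success_after" records
    whether a successful logon from that host followed the burst, which is
    the case a responder should look at first because the guessing worked."""
    recent = defaultdict(deque)  # host -> timestamps of failures in the window
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, host, _account = parse_line(line)
        if event_id == FAILED_LOGON:
            q = recent[host]
            q.append(ts)
            while q and ts - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                entry = flagged.setdefault(host, {"failures": 0, "success_after": False})
                entry["failures"] = max(entry["failures"], len(q))
        elif event_id == SUCCESS_LOGON and host in flagged:
            flagged[host]["success_after"] = True
    return flagged


if __name__ == "__main__":
    for host, info in find_guessing_hosts(SAMPLE_LOG).items():
        print(f"{host}: {info['failures']} failed logons in a minute, "
              f"success afterwards: {info['success_after']}")
```

With the sample data only WKS-17 is reported: six failures inside one minute followed by a success, while WKS-03's two failures half an hour apart fall outside the window and stay quiet.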
Polymorphic Companion Viruses Back in Vogue
Written by Mike Rede on December 10, 2008 – 11:40 am
Polymorphic Companion Viruses appear to be making a comeback. Last November it was announced that a polymorphic companion virus was making the rounds on Windows CE/Mobile phones.
The virus is interesting because it employs two different attack methods: encryption and a companion attack. What makes it polymorphic is its ability to re-write itself in order to avoid detection.
When a virus spreads using the companion attack method, it disguises itself as a normal executable file that already exists on your platform. The virus executes when it is invoked as a normal program by an unsuspecting user, script or other program. This malevolent approach has been around since the DOS days. Because it is encrypted, the malevolent piece of software can go undetected by many anti-virus programs.
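The classic DOS-era companion trick relies on the command interpreter's search order: when a bare program name is typed, a .COM file is resolved before an .EXE of the same name, and an .EXE before a .BAT, so a planted file with the right name and extension runs instead of the real program. The scanner below is an added example, not code from the original post: it lists every base name in a directory that exists under more than one executable extension and reports which one would actually run. The sample directory it builds in a temp folder (editor.exe, a shadowing editor.com, and setup.exe) is constructed for the illustration.

```python
"""Scan a directory for companion-file collisions: a second executable that
shares a program's base name and is resolved first by the DOS/cmd search
order (.COM before .EXE before .BAT).

Added example, not from the original post. The search order is standard
COMMAND.COM/cmd.exe behaviour; the sample directory layout is constructed."""
import os
import tempfile
from collections import defaultdict

# Order in which a bare program name is resolved on the command line.
SEARCH_ORDER = [".com", ".exe", ".bat"]


def find_companions(directory):
    """Return a sorted list of (base_name, [extensions]) for every base name
    present under more than one executable extension. Extensions are listed
    in resolution order, so exts[0] is the file that would actually run."""
    by_base = defaultdict(set)
    for name in os.listdir(directory):
        base, ext = os.path.splitext(name)
        ext = ext.lower()
        if ext in SEARCH_ORDER and os.path.isfile(os.path.join(directory, name)):
            by_base[base.lower()].add(ext)
    collisions = []
    for base, exts in by_base.items():
        if len(exts) > 1:
            ordered = [e for e in SEARCH_ORDER if e in exts]
            collisions.append((base, ordered))
    return sorted(collisions)


def build_sample_dir():
    """Constructed layout: a legitimate editor.exe, an editor.com planted
    beside it that would shadow it, and an untouched setup.exe."""
    directory = tempfile.mkdtemp()
    for fname, payload in [("editor.exe", b"legit"),
                           ("editor.com", b"companion"),
                           ("setup.exe", b"legit")]:
        with open(os.path.join(directory, fname), "wb") as f:
            f.write(payload)
    return directory


if __name__ == "__main__":
    sample = build_sample_dir()
    for base, exts in find_companions(sample):
        print(f"{base}: {exts[0]} runs instead of {', '.join(exts[1:])}")
```

Run over the sample directory it reports one collision, editor resolved to .com ahead of .exe; a periodic run over program directories, compared against a known-good listing, is a cheap way to catch this class of companion file regardless of how the payload itself is encrypted or rewritten.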
Mine’s a Mac; Mine’s a PC – both need anti virus
Written by Dan Blacharski on December 5, 2008 – 3:44 pm
Let me make one thing clear. There is a perception that the Apple Mac cannot have malware. This is incorrect.
Apple Computer posted a note on its support site late last month encouraging people to use anti-virus software, and removed it this week. The presence of the note has caused much consternation among the media, the blogosphere and the Apple faithful, the latter of which have long proclaimed that Apple does not need anti-virus software. The notice read, “Apple encourages the widespread use of multiple antivirus utilities so that virus programmers have more than one application to circumvent, thus making the whole virus writing process more difficult.”