Category: Symantec

July 14th, 2009

Does free antivirus offer a false feeling of security?

Posted by Dancho Danchev @ 2:08 am

Categories: Anti Virus, Botnets, Browsers, Hackers, Malware, Symantec

Tags: Antivirus, Antivirus Scanner, Viruses And Worms, Security, Dancho Danchev

Earlier this month, Symantec product manager David Hall dismissed free security software as an equal alternative to the paid versions, and described Microsoft’s free “Microsoft Security Essentials” as “a stripped down version of the OneCare product Microsoft pulled from retail shelves”.

Needless to say, such statements from a competing vendor often come as a direct frontal attack on the alternative solution; however, they also fuel the debate on whether or not free antivirus offers a false feeling of security.

The answer? Let the data, and a bit of common sense, speak for themselves.

Read the rest of this entry »

April 2nd, 2009

Eyeballing Conficker with eye-charts and maps

Posted by Ryan Naraine @ 11:29 am

Categories: Anti Virus, Arbitrary Code Execution, Botnets, Browsers, Complex Attacks, Data theft, Denial of Service (DoS), Exploit code, Locally Running Web Servers, Malware, Microsoft, Patch Watch, Responsible disclosure, Symantec, Viruses and Worms

Tags: Web, SecureWorks Inc., Malware, Web Site, Conficker, Cyberthreats, Spyware, Adware & Malware, Web Site Development, Viruses And Worms, Security

As expected, the April 1st activation date for the Conficker worm passed without much noise but, as Microsoft and others are explaining, the botnet associated with the worm is very much alive — and still potentially dangerous.

“[This threat] should remain a manageable cause for concern and it doesn’t go away after April 1,” says Microsoft’s Christopher Budd. The malware still lives on millions of Windows machines and could start calling home for instructions at any time.

Now that the crazy hype has died down (hopefully!), it’s important for end users to get reliable information on eyeballing the presence of Conficker on a machine and, if it’s found, disinfection instructions from a Web site that isn’t blocked by the malware.

Read the rest of this entry »
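The eye-chart trick the post refers to works because Conficker variants block an infected host from resolving or reaching security-vendor web sites: a page hosted elsewhere tries to load content from several such sites plus an unrelated control site, and a host that can reach the control but none of the vendor sites is suspect. The following is an added example of that decision logic, not code from the post, from Microsoft or from any of the eye-chart sites; the vendor list, the control host and the function names are assumptions chosen for illustration. The fetcher is injected so the logic runs offline against constructed results; `real_fetcher` is a standard-library fetch for actually trying it.

```python
"""Conficker-style 'eye chart' check (added example, not the original post's code)."""
from __future__ import annotations

import socket
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable

# Assumption: a representative set of security-vendor hosts an infected
# machine is expected to be unable to reach. Not the exact list any chart used.
VENDOR_SITES = (
    "www.symantec.com",
    "www.mcafee.com",
    "www.f-secure.com",
    "www.trendmicro.com",
    "www.sophos.com",
)
# A host the worm has no reason to block. If this fails, the machine is
# simply offline and the check is inconclusive rather than a detection.
CONTROL_SITE = "www.example.com"

Fetcher = Callable[[str], bool]  # True if the host could be reached at all


def eye_chart(fetch: Fetcher,
              vendor_sites: Iterable[str] = VENDOR_SITES,
              control: str = CONTROL_SITE) -> str:
    """Return 'clean', 'suspect', 'offline' or 'inconclusive'."""
    if not fetch(control):
        return "offline"
    results: Dict[str, bool] = {site: fetch(site) for site in vendor_sites}
    reached = sum(results.values())
    if reached == len(results):
        return "clean"
    if reached == 0:
        # Control loads, every vendor site fails: the pattern the chart looks for.
        return "suspect"
    # Partial failure: transient network trouble or a different blocklist.
    return "inconclusive"


def make_fake_fetcher(blocked: set[str], online: bool = True) -> Fetcher:
    """Constructed stand-in for a real fetch, so the check runs offline."""
    def fetch(host: str) -> bool:
        return online and host not in blocked
    return fetch


def real_fetcher(host: str, timeout: float = 5.0) -> bool:
    """Real check. The worm's block is at name resolution / connection level,
    so any HTTP answer from the server (even 4xx) counts as reachable."""
    try:
        with urllib.request.urlopen(f"http://{host}/", timeout=timeout):
            return True
    except urllib.error.HTTPError:
        return True
    except (urllib.error.URLError, socket.timeout, OSError):
        return False


if __name__ == "__main__":
    print(eye_chart(real_fetcher))
```

Note the caveat built into the result values: the check only says something when the control host loads. A corporate proxy or DNS filter that blocks the same vendor sites produces the same "suspect" answer, so it is a reason to run a proper scanner, not a diagnosis on its own.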

February 23rd, 2009

Brand spanking new Excel 0-day being exploited in the wild

Posted by Adam O'Donnell @ 6:47 pm

Categories: Arbitrary Code Execution, Malware, Microsoft, Symantec, Zero-day attacks

Tags: Brand, Vulnerability, Microsoft Excel 2007, Details, Microsoft Excel, Microsoft Office, Security, Office Suites, Software, Adam O'Donnell

Symantec is reporting that a new remote vulnerability has been discovered in Microsoft Excel 2007, and that this vulnerability is being exploited in the wild.
Read the rest of this entry »

December 15th, 2008

Firefox tops list of 12 most vulnerable apps

Posted by Ryan Naraine @ 10:41 am

Categories: Adobe, Anti Virus, Apple, Arbitrary Code Execution, Browsers, Firefox, Flash, Mozilla, Patch Watch, Responsible disclosure, Symantec, Vulnerability research, Zero-day attacks

Tags: Mozilla Firefox, Attacker, Vulnerability, JRE, Arbitrary Code Execution, Buffer-overflow, Security, Viruses And Worms, Ryan Naraine

Mozilla’s flagship Firefox browser has earned the dubious title of the most vulnerable software program running on the Windows platform.

According to application whitelisting vendor Bit9, Firefox topped the list of 12 widely deployed desktop applications that suffered through critical security vulnerabilities in 2008. These flaws exposed millions of Windows users to remote code execution attacks.

The other applications on the list are all well-known and range from browsers to media players, to VOIP chat and anti-virus software programs. Here’s Bit9’s dirty dozen:

Read the rest of this entry »

November 26th, 2008

Symantec puts value of underground transactions at $275M

Posted by Adam O'Donnell @ 12:30 am

Categories: Complex Attacks, Data theft, Phishing, Research, Spyware and Adware, Symantec

Tags: Symantec Corp., Security, Adam O'Donnell

Those of you looking for statistics to justify your security budgets for next year, look no further: Symantec has released their view of the underground economy as it has evolved over the past year.
Read the rest of this entry »

October 14th, 2008

Secunia: popular security suites failing to block exploits

Posted by Dancho Danchev @ 5:24 pm

Categories: Anti Virus, Arbitrary Code Execution, Botnets, Browsers, Exploit code, Hackers, Java, Kernel-level Exploits, Malware, McAfee, Microsoft, Passwords, Patch Watch, Pen testing, Research, Symantec, Vulnerability research

Tags: Secunia, Internet Security Suite, Comparative Review, Dancho Danchev

In a recently conducted comparative review, Danish security company Secunia tested the detection rate of 12 different Internet security suites against 300 exploits (144 malicious files and 156 malicious web pages) targeting popular end-user applications, and found that even the top performer in the test did poorly overall. Their conclusion:

“These results clearly show that the major security vendors do not focus on vulnerabilities. Instead, they have a much more traditional approach, which leaves their customers exposed to new malware exploiting vulnerabilities.

While we did expect a fairly poor performance in this field, we were quite surprised to learn that this area is more or less completely ignored by most security vendors. Some of the vendors have taken other measures to try to combat this problem. One is Kaspersky who has implemented a feature very similar to the Secunia PSI, which can scan a computer for installed programs and notify the user about missing security updates. BitDefender also offers a similar system, albeit this is more limited in scope than the one offered by Kaspersky and Secunia. We do, however, still consider it to be the responsibility of the security vendors to be able to identify threats exploiting vulnerabilities, since this is the only way the end user can learn about where, when, and how they are attacked when surfing the Internet.”

And while it’s tedious to scroll through the empty tables of the study, is Secunia’s report a frontal attack on the security software vendors’ inability to block exploits, or is it trying to emphasize that end users should make better informed purchasing decisions when relying on all-in-one security products?

Read the rest of this entry »

September 17th, 2008

Sarah Palin's Yahoo account hijacked, e-mails posted online

Posted by Ryan Naraine @ 10:40 am

Categories: Browsers, Data theft, Exploit code, Hackers, Passwords, Patch Watch, Pen testing, Privacy, Symantec, Web 2.0

Tags: e-Mail Account, Yahoo! Inc., Activist, Sarah Palin, E-mail, Online Communications, Ryan Naraine

On the heels of media reports that Republican vice presidential candidate Sarah Palin was using a private Yahoo e-mail account (gov.palin@yahoo.com) to conduct Alaska state business, hackers have broken into the account and posted evidence of the hijack on Wikileaks.

An activist group calling itself ‘anonymous’ claimed responsibility for the compromise and released screenshots, photographs and the e-mail addresses of several people close to Palin, including her husband Todd and assistant Ivy Frye.

Read the rest of this entry »

August 26th, 2008

Malware detected at the International Space Station

Posted by Dancho Danchev @ 2:37 pm

Categories: Anti Virus, Black Hat, Botnets, Hackers, Malware, Passwords, Patch Watch, Pen testing, Symantec, Viruses and Worms

Tags: Security, W32.Gammima.AG, NASA, International Space Station, Removable Media, Dancho Danchev

Malware is reaching new heights, travelling into space on removable media carrying the W32.Gammima.AG password-stealing worm to the International Space Station. According to SpaceRef.com:

“W32.Gammima.AG worm is a level 0 gaming virus intended to gather personal information. Virus was never a threat to any of the computers used for cmd and cntl and no adverse effect on ISS Ops. Theory is virus either in initial software load or possibly transferred from personal compact flash card. Working with Russians (and other partners) regarding ground procedures to protect flown equipment in the future. It was noted that most of the IP laptops and some of the payload laptops do NOT provide virus protection/detection software.”

Going through some of the daily reports from the ISS, it appears that the folks above us may in fact be doing more antivirus signature updates and scanning of arriving removable media than the average Internet user here on Earth. The trouble is, this approach only mitigates the risk of infection from known threats. How long before the ISS’s laptops start phoning back to a botnet command and control here on Earth, once they are infected with malware their AV scanner cannot detect?

Read the rest of this entry »
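The limitation the post points at, that scanning arriving media only catches what the signature set already knows, is easy to see in code. Below is an added example, not code from the post, from NASA or from any antivirus product: a minimal signature scanner that walks a "volume" and matches whole-file SHA-256 digests against a known-bad set, run over a constructed sample and a one-byte variant of it. The file names, the sample bytes and the function names are all assumptions made for the demonstration, and the sample is inert text padded with zeros, not real malware. Real scanners match byte patterns and heuristics rather than only whole-file hashes, but the same point holds for any signature an unseen variant does not trip.

```python
"""Signature scan of removable media and its blind spot (added example)."""
import hashlib
import tempfile
from pathlib import Path
from typing import List, Set, Tuple


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large images are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_volume(root: Path, signatures: Set[str]) -> List[Path]:
    """Return every file under root whose digest is in the known-bad set.
    This is the 'scan arriving media against current signatures' step."""
    return [p for p in sorted(root.rglob("*"))
            if p.is_file() and sha256_file(p) in signatures]


def demo() -> Tuple[List[str], bool]:
    """Populate a temporary 'flash card', scan it, and report
    (names flagged, whether the unseen variant was caught)."""
    # Constructed sample standing in for a known password stealer; inert bytes.
    known = b"constructed sample: gaming password stealer v1\n" + bytes(64)
    # A variant the signature database has never seen: a single byte differs.
    variant = known[:-1] + b"\x01"
    with tempfile.TemporaryDirectory() as tmp:
        vol = Path(tmp)
        (vol / "game_patch.exe").write_bytes(known)
        (vol / "game_patch_v2.exe").write_bytes(variant)
        (vol / "readme.txt").write_bytes(b"benign text\n")
        # The signature set only knows v1, as it would for any new variant.
        signatures = {hashlib.sha256(known).hexdigest()}
        flagged = sorted(p.name for p in scan_volume(vol, signatures))
    return flagged, "game_patch_v2.exe" in flagged


if __name__ == "__main__":
    names, variant_caught = demo()
    print("flagged:", names)
    print("variant caught:", variant_caught)
```

The scan does its job for the sample it knows and says nothing about the variant, which is why scanning media on arrival, however diligently, is a control against yesterday's threats; a laptop with no outbound filtering can still be recruited into a botnet by a sample the signature update has not yet covered.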

March 29th, 2008

Black Hat Europe, Day 2: The day that wasn't and Black Hat Europe, Day 3: Begin the presentations

Posted by Nathan McFeters @ 7:15 am

Categories: Black Hat, Black Hat Europe, Black Hat Federal, Exploit code, Hackers, Passwords, Pen testing, Responsible disclosure, Symantec, Vulnerability research, Wireless, Zero-day attacks, ~Special Series~

Tags: Black Hat, Antivirus, Buffer-overflow, Attack, Breese, Security, Viruses And Worms, Nathan McFeters

If you haven’t seen it yet, you can check out Day 1 of my coverage of Black Hat Europe 2008 here.  So, for those of you looking forward to a Black Hat Day 2 update with some more from the training sessions… I’m afraid it didn’t happen. I had intended to hook up with Adam Laurie for a discussion of his “Invisible Network, Invisible Risk” training course which is a focused wireless security class, but I just couldn’t make it happen as there was too much to do around Amsterdam, and seriously, I needed the day off. So for me, this was the Black Hat day that wasn’t, but I did get a chance to speak with Laurie late yesterday and will create an update to Day 2 later.

On to Day 3, and we’re into the presentations. I bounced back and forth between PDP’s talk on “Client-side Security” and Christopher Tarnovsky’s “Security Failures in Secure Devices“. I found both talks to be interesting with PDP’s talk more directly applying to the research that I’m involved in, and Tarnovsky’s talk more focused on something I have not looked into.

Tarnovsky discussed attacks against various semiconductors, which was quite interesting. He used hydrofluoric acid to eat away areas of the chips so that he could connect pins to the devices and begin reading the EEPROM (Electrically Erasable Programmable Read-Only Memory). While I didn’t find this particularly useful to myself, it was certainly an entertaining talk about the security of semiconductors.

As I said, PDP’s talk more directly related to research that I’m interested in and focused on a lot of the various attack vectors that PDP and his Gnucitizen group have been involved with throughout the last year. I’d recommend people take a look at his slides once they are posted, as his talk had a lot of good places to look for those involved in Web application assessments.

For the next round of talks, I attended Feng Xue’s (aka Sowhat) talk on “Attacking Anti-Virus Software“, which I found to be entertaining and completely what I expected. He started with some interesting thoughts on the use of AV and its role in the security arena:

  • Over 80% of people use Anti-Virus products
  • Most of those people believe that their Anti-Virus is a key component of protection

After this, “Sowhat” got into a discussion of what these flaws are and where to look:

So, as the talk got to flowing, “Sowhat” made it clear that he had a couple of 0-days that he was going to show us, but not release; however, when showing the demo, I think a few of us (David Weston, Rob Carter, and I) saw it as pretty clear what was happening and were a bit surprised as to the ease with which a little fuzzing could yield a bug on these highly critical applications.

After “Sowhat’s” talk I moved on to the “CrackStation” talk by Nick Breese, which turned out to be fairly interesting. Breese has taken advantage of the vector processing and multiple SPUs that have made the PS3 a very powerful gaming machine and used that to make it a very powerful password cracking machine. One of the key claims made that showed the huge upside of this setup was, “The current upper limit on Intel-based systems is 10-15 million cycles per second, but on the CrackStation, we can get up to 1.4 billion cycles per second.” There was no detailed mathematical proof of this number that I saw during the presentation, but the claim if true is astounding.

Day 3 wrapped up into a night out on the town with several good friends, Billy Rios, Nitesh Dhanjani, Rob Carter, David Weston and his girlfriend, and Tiller Beauchamp and his girlfriend; which unfortunately had to be cut short for Rob and me as we were speaking first thing in the morning the next day and had our talk trimmed from 70 minutes to 50 minutes.

Check back for more on Day 4 of Black Hat as well as my interview with Adam Laurie from Day 2.

-Nate

March 3rd, 2008

Whither anti-virus software?

Posted by Larry Dignan @ 7:30 am

Categories: Botnets, Exploit code, McAfee, Punditocracy, Symantec, Vulnerability research

Tags: Software, Antivirus, Viruses And Worms, Security, Larry Dignan

In the security industry it’s not hard to run into someone predicting the demise of the anti-virus industry. But the end game will take forever to play out.

The common argument: Anti-virus software can never keep up, is outdated and outgunned against rapidly evolving threats. Websense CEO Gene Hodges recently said as much: “Modern attackware is much better crafted and stealthy than viruses so developing an antivirus signature out of sample doesn’t work.”

His advice was to scrimp on anti-virus software and invest your budget money elsewhere.

The latest entry in this debate is the fact that venture capital is flowing into anti-bot software companies. Ryan Naraine argues that if you follow the money it’s clear that the anti-virus industry has issues.

Ryan notes that the investment into anti-bot startups “is an indictment of the anti-virus industry.” Andrew Jaquith, an analyst with the Yankee Group, backs up Ryan’s assertion: just as anti-spyware companies emerged, so will the anti-bot folks.

Here’s where the argument falls apart–or at least becomes more nuanced. The traditional anti-virus companies were among the first and used their advantage to build suites. While anti-virus software isn’t perfect, folks still need it. The big question is whether customers will pay for anti-virus protection. The short answer is no. But to the security giants like Symantec this point doesn’t matter. The game to Symantec and McAfee is to sell you a security suite–the components are irrelevant.

Bottom line: These anti-bot companies–Damballa, FireEye, Sana Security and NovaShield–will develop and then be quickly bought out by the traditional anti-virus giants. Anti-virus software may wither on the vine, but that traditional sell-people-a-suite model and the licensing revenue that goes with it is alive and well.

Larry Dignan is Editor in Chief of ZDNet and Editorial Director of ZDNet sister site TechRepublic.
