<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://msmvps.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Security Manifest : COMMENTARY</title><link>http://msmvps.com/blogs/trafton/archive/tags/COMMENTARY/default.aspx</link><description>Tags: COMMENTARY</description><dc:language>en</dc:language><generator>CommunityServer 2008.5 SP2 (Build: 40407.4157)</generator><item><title>Highly Recommended Book</title><link>http://msmvps.com/blogs/trafton/archive/2005/03/07/37861.aspx</link><pubDate>Mon, 07 Mar 2005 22:04:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:37861</guid><dc:creator>trafton</dc:creator><slash:comments>20</slash:comments><description>&lt;P&gt;To anyone interested in computer viruses, their origins, and their functioning with an involved or better knowledge of computers, I would highly recommend legendary virus analyst Peter Szor's &lt;EM&gt;The Art of Computer Virus Research and Defense&lt;/EM&gt;. You can find it at &lt;A href="http://www.amazon.com/exec/obidos/tg/detail/-/0321304543/qid%3D1104307043/sr%3D1-1/ref%3Dsr%5F1%5F1/103-6652656-8893419?v=glance&amp;amp;s=books"&gt;Amazon.com&lt;/A&gt; for a scant $32.99, a price this in-depth, 744-page book is well worth. From the cover:&lt;/P&gt;
&lt;BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px"&gt;
&lt;P&gt;Symantec's chief antivirus researcher has written the definitive guide to contemporary virus threats, defense techniques, and analysis tools. Unlike most books on computer viruses, &lt;B&gt;&lt;I&gt;The Art of Computer Virus Research and Defense&lt;/I&gt;&lt;/B&gt; is a reference written strictly for white hats: IT and security professionals responsible for protecting their organizations against malware. Peter Szor systematically covers everything you need to know, including virus behavior and classification, protection strategies, antivirus and worm-blocking techniques, and much more. &lt;/P&gt;
&lt;P&gt;Szor presents the state-of-the-art in both malware and protection, providing the full technical detail that professionals need to handle increasingly complex attacks. Along the way, he provides extensive information on code metamorphism and other emerging techniques, so you can anticipate and prepare for future threats.&lt;/P&gt;
&lt;P&gt;Szor also offers the most thorough and practical primer on virus analysis ever published&amp;#8212;addressing everything from creating your own personal laboratory to automating the analysis process.&lt;/P&gt;&lt;/BLOCKQUOTE&gt;</description><category domain="http://msmvps.com/blogs/trafton/archive/tags/COMMENTARY/default.aspx">COMMENTARY</category></item><item><title>Worms and Instant Messaging</title><link>http://msmvps.com/blogs/trafton/archive/2005/03/06/37762.aspx</link><pubDate>Sun, 06 Mar 2005 23:32:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:37762</guid><dc:creator>trafton</dc:creator><slash:comments>10</slash:comments><description>&lt;P&gt;It has been nearly four years since the first worm to spread via an instant messaging program, the &lt;A href="http://us.mcafee.com/virusInfo/default.asp?id=description&amp;amp;virus_k=99077"&gt;Hello&lt;/A&gt; worm, appeared on the AOL Instant Messenger network. At that time, IM program worms were more of a curiosity. Despite a significant number of doomsday predictions from the media, few of these worms actually ended up becoming common. Those that made it in the field were typically quick burners, dropping off the radar in a few days when most worms last weeks. However, recent worms have proven that IM programs are a significant potential distribution area for new worms.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Instant Messengers vs. Email&lt;BR&gt;&lt;/STRONG&gt;One thing to consider when assessing the risk of instant messaging worms is that the target audience is different from that of email worms. Users of instant messaging programs are typically younger and much less likely to be corporate users. As IMing is generally more fast-paced than email, it is also more likely that users will accept files without much discretion. However, it is also easier to ask about a suspicious file via instant messenger than it is in email.&lt;/P&gt;
&lt;P&gt;With only a small range of major instant messengers out there, there is an opportunity to solve many of the&amp;nbsp;problems that have plagued email as an open standard. Together, AOL Instant Messenger, MSN Messenger, Yahoo Messenger, and ICQ make up the lion's share of the US IM market, with similar programs popular throughout the world (Asia is the home to many alternative IM programs). Three companies thus control almost all of the IM market (AIM and ICQ are both owned by AOL). These companies can enforce security standards and provide warnings, and have done so. However, it has been demonstrated that, despite warnings, users will gladly accept files if they do not understand what they are. Education is a major problem on the IM front.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Case study&lt;BR&gt;&lt;/STRONG&gt;On the morning of March 6, 2005, I received a report, from one of the infected users (who resides in Ohio), of a small outbreak of an&amp;nbsp;undocumented AOL Instant Messenger worm among roughly a dozen users belonging to a group interested in climatology&amp;nbsp;and Internet broadcasting. The worm (which I will refer to as Ostow here for the sake of simplicity) appeared to randomly set away mode. In the away message was a link to a .pif file on a remote Internet server (at this time, the file remains up) and a promise that the file contained &amp;#8220;beach photos.&amp;#8221;&lt;/P&gt;
&lt;P&gt;The user explained that he had opened the file, assuming that the .pif extension stood for &amp;#8220;something like Picture Image Format.&amp;#8221; Since the file was offsite, not sent via AOL Instant Messenger, there was no notification that the file being opened could be damaging other than the download notification in Internet Explorer. He opened the file and became infected with Ostow; subsequently, a number of other members of the community clicked on his away message and became infected. None realized that anything was wrong until the Ohioan user observed that his status was changing to away randomly.&lt;/P&gt;
&lt;P&gt;Eventually, &lt;A href="http://www.spychecker.com/program/hijackthis.html"&gt;&lt;EM&gt;HijackThis&lt;/EM&gt;&lt;/A&gt; was installed on an infected machine in Louisiana and a suspicious file masquerading as the &lt;EM&gt;BitDefender &lt;/EM&gt;antivirus program was discovered to contain what was detected as a &amp;#8220;variant W32/Spybot&amp;#8221; and a dropper from the web site, detected as a &amp;#8220;variant W32/SDBot.&amp;#8221; Despite several hits on Google that mentioned the AIM away message, it appeared that all detections were generic and&amp;nbsp;Ostow was not recognized specifically by antivirus programs (neither W32/Spybot nor W32/SDBot are described as AOL Instant Messenger worms). Manual removal instructions were created and followed by all infected users, and no infections have since been reported.&lt;/P&gt;
&lt;P&gt;This case is not exceptional except that it shows the confusion that can result from unknown worms spreading via AOL Instant Messenger. Without assistance from&amp;nbsp;knowledgeable users, the average person infected by a worm like Ostow could do nothing to fix their problem and likely would ignore the problem, allowing the worm to spread further. It also shows how a worm can spread among members who are linked as AOL Instant Messenger contacts.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Conclusion&lt;BR&gt;&lt;/STRONG&gt;With an increasing number of IM worms, and the recent medium risk rating received by &lt;A href="http://us.mcafee.com/virusInfo/default.asp?id=description&amp;amp;virus_k=131862"&gt;Bropia.P&lt;/A&gt;, increasing attention is deservedly being given to this growing threat area. With detection often spotty, and users who are less tech-savvy and less likely to submit discovered worms to antivirus companies, IM worms may soon become a top-tier vector for new threats in the upcoming months.&lt;/P&gt;</description><category domain="http://msmvps.com/blogs/trafton/archive/tags/VIRUSES/default.aspx">VIRUSES</category><category domain="http://msmvps.com/blogs/trafton/archive/tags/SECURITY/default.aspx">SECURITY</category><category domain="http://msmvps.com/blogs/trafton/archive/tags/COMMENTARY/default.aspx">COMMENTARY</category></item><item><title>A Look at Plexus</title><link>http://msmvps.com/blogs/trafton/archive/2004/06/03/7541.aspx</link><pubDate>Thu, 03 Jun 2004 21:07:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:7541</guid><dc:creator>trafton</dc:creator><slash:comments>1</slash:comments><description>&lt;h3&gt;Commentary on a Potential Major Problem&lt;/h3&gt;
&lt;p&gt;It is generally true that if a virus family does not produce a variant that spreads quickly within its first five manifestations, it will be a proverbial damp squib. Obviously, this isn't foolproof, but many don't realize how often a virus doesn't truly take off until a later variant. The first incarnation of Netsky was a minor event which took several months to even get a single report on the industry standard WildList. At first, it was believed to be confined to the labs of virus researchers for the most part. It wasn't until Netsky.B that the family took off - and did it ever.&lt;br /&gt;&lt;br /&gt;What we have now is the first manifestation of a virus based on the successful MyDoom (which needs no introduction) by the handle of Plexus. There are a huge number of interesting things to note here, any of which would probably have garnered it a mention here. The first is that the code is almost certainly based on MyDoom. Despite the recent rounding up of suspects in the Netsky case, the author(s) of MyDoom still remain at large. Could this be their latest incarnation? Perhaps. But that's definitely not the most interesting thing here.&lt;br /&gt;&lt;br /&gt;The most interesting thing would probably be that mass-mailing isn't all Plexus can do. It also spreads via the LSASS vulnerability exploited by Sasser. It certainly isn't the first, second, or even twentieth virus to do this, but it is the first (as far as I know) to also include mass-mailing ability. This could be a potential headache if the worm were released in the wild, as this would allow it to spread to two major cesspools of the Internet world - users who open every attachment they receive and users who never patch their systems.
For the users who still have not patched it, the worm also makes use of the RPC vulnerability from the Blaster days.&lt;br /&gt;&lt;br /&gt;Plexus also targets Kaspersky Antivirus, which the &lt;em&gt;&lt;a href="http://www.theregister.co.uk/2004/06/03/plexus_worm/"&gt;Register&lt;/a&gt; &lt;/em&gt;article makes sound like a big deal. Retroviral abilities in viruses are nothing new (in fact, they've been around since the '80s) and are considered nearly standard issue in today's mass-mailers. In fact, Plexus has a fairly simplistic mass-mailing capability for these days (Netsky has a huge number of variations), although MyDoom only had a small handful of formats too. These days, it is nearly impossible for a virus using just a single message format to cause an outbreak; that more or less went out with VBScript mass-mailers about three years ago.&lt;br /&gt;&lt;br /&gt;Is Plexus a threat? Probably not the “A” version, although an outbreak is still a possibility for the next 24 hours or so, and a minor outbreak could remain a possibility for at least a week. But so far nothing much has been reported of this in the field.
Of course, if it starts spreading rapidly or a new variant appears, it'll definitely be reported here.&lt;/p&gt;</description><category domain="http://msmvps.com/blogs/trafton/archive/tags/VIRUSES/default.aspx">VIRUSES</category><category domain="http://msmvps.com/blogs/trafton/archive/tags/COMMENTARY/default.aspx">COMMENTARY</category></item><item><title>Bits and Pieces</title><link>http://msmvps.com/blogs/trafton/archive/2004/05/16/6562.aspx</link><pubDate>Sun, 16 May 2004 18:18:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:6562</guid><dc:creator>trafton</dc:creator><slash:comments>1</slash:comments><description>&lt;h3&gt;&lt;font color="#0000ff"&gt;Commentary:&lt;/font&gt; The Antivirus Industry Reacts to Spyware, and Some Other Stuff, Too&lt;/h3&gt;
&lt;p&gt;In October 2002, an aggressive marketing scheme was hatched by a company known as FriendGreetings that would cause a mild uproar in the security field and force antivirus vendors to decide how they would handle the detection of spyware programs and gray area programs. FriendGreetings concocted a “greeting card” program that would mass-mail itself out to everyone in the infected user's address book. There was a EULA, but the truth was no one would ever even look through that. The question was, at that time, should it be detected? And, if it should be, as a worm or an “unwanted application” to avoid litigation issues?&lt;br /&gt;&lt;br /&gt;The level of bravery in detection varied vendor by vendor. SOFTWIN was the most straightforward, detecting it as a plain mass-mailer. Computer Associates, H+BEDV, MKS, Panda, Symantec, and Trend Micro designated it a worm out of the box. ESET and Network Associates both originally called it an unwanted application, but later detected it as HideMinimized, saying that this particular part of the program was a Trojan Horse. Frisk Software, GeCAD, and Sophos detected it as an unwanted application and still do. Kaspersky Labs detects it as a “flooder” for some reason. To this day, it appears that Dialogue Science, Grisoft, IKARUS, and VirusBuster do not detect it at all. I found the reaction to this interesting.&lt;br /&gt;&lt;br /&gt;Many years ago, in the early '90s, there was a large but fairly uninteresting family of kit-based viruses known as NuKE. One strain of NuKE even contained text stating that, as the virus was “copyrighted,” antivirus vendors could not legally add it to detection lists. Every single antivirus vendor detected it anyway. NuKE's kit was mainly used by people we would now call “script kiddies.” There was no legal basis for these threats.
And there was also little legal basis for any threats from FriendGreetings, a company so solid in its business practices that it used a Panamanian address, probably a fake one.&lt;br /&gt;&lt;br /&gt;I am happy to say that antivirus companies now commonly detect all sorts of spyware. There was a good degree of discussion about this around the same time that FriendGreetings came out, and the consensus was that detection should be disabled by default or not present at all. Nowadays, the worst spyware offenders are detected by mainstream antivirus products. It is good to see that the developers of antivirus programs have realized that having a corporate logo on a malicious program doesn't make it not malicious.&lt;br /&gt;&lt;br /&gt;On a similar note, it has been interesting to see the development of the anti-spyware industry. Small developers like PepiMK (&lt;em&gt;Spybot Search &amp;amp; Destroy&lt;/em&gt;) and Lavasoft (&lt;em&gt;Ad-Aware&lt;/em&gt;) still remain the top names in the game, despite giving their software out for free (PepiMK doesn't even have an enhanced pay version of &lt;em&gt;Spybot &lt;/em&gt;- all the money they receive is donations). Other small developers such as Webroot (&lt;em&gt;Spy Sweeper&lt;/em&gt;), Bazooka (&lt;em&gt;Adware and Spyware Scanner&lt;/em&gt;), and the Enigma Software Group (&lt;em&gt;SpyHunter&lt;/em&gt;) also frequently grace the Download.com Top 50. Many major players have tried to enter the anti-spyware field with pay products, with mixed results. Frequently, the “big guys” have received poor reviews for their products. The delay before major security companies entered the field puts them at a major disadvantage, facing free programs that are better than their pay offerings.
It will be interesting to see how this field develops over the next few years.&lt;/p&gt;</description><category domain="http://msmvps.com/blogs/trafton/archive/tags/COMMENTARY/default.aspx">COMMENTARY</category></item><item><title>The Love Bug Turns Four: A Look Back</title><link>http://msmvps.com/blogs/trafton/archive/2004/05/04/5892.aspx</link><pubDate>Tue, 04 May 2004 19:41:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:5892</guid><dc:creator>trafton</dc:creator><slash:comments>4</slash:comments><description>&lt;h3&gt;Commentary: Four Years Later, a Look at What Has Changed, and What Hasn't&lt;/h3&gt;
&lt;p&gt;I remember the day VBS/Loveletter appeared quite clearly. Although it technically debuted overnight on May 3rd, 2000 (depending on time zones), the morning of Tuesday, May 4th, 2000 will always be remembered as the day that changed computer viruses forever.&lt;br /&gt;&lt;br /&gt;I was ten years old at the time. I awoke at 8 A.M. that day and turned on the radio to NPR (National Public Radio). They were just finishing with a broadcast about an Internet worm. They concluded with something along the lines of “security experts do not consider it a high risk.” It was hard to tell. At that time, I read most of the write-ups posted for the various new threats on a collection of web sites, but was not extremely involved in the Internet security community. I tried to get online to various vendor web sites - McAfee, Symantec, and Trend Micro - but was out of luck. All of their servers were busy. In fact, the only page I could get was the front page of Trend Micro's site, which warned that they had declared a high risk alert for VBS_LOVELET.A.&lt;br /&gt;&lt;br /&gt;When I got to school, I tried to go to the vendors' sites, yet they were still down. At lunchtime, the school tech guy made an announcement that no computers were to be used because of the outbreak. This was funny, considering all computers in the school were iMacs or PowerMacs and could not be affected. During this time, the worm stormed through the world and has gone down in history as probably the most high-profile worm incident in the history of computing.&lt;br /&gt;&lt;br /&gt;Today is May 4th, 2004. It has been four years since the initial outbreak, and we are still dealing with worms similar to VBS/Loveletter.
Now, a quick look at what's changed, what hasn't, and what the virus climate will look like four years from now if we continue along this path.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;font color="#000000"&gt;&lt;font size="4"&gt;Predictions: The Good, the Bad, and the Wrong&lt;/font&gt;&lt;br /&gt;&lt;/font&gt;&lt;/strong&gt;&lt;font color="#000000"&gt;In the days following the VBS/Loveletter outbreak, many things were said that probably shouldn't have been, even considering the knowledge of that time. Many predictions were made on a factless basis. Hysteria was the public diet with respect to worms. Experts no one had ever heard of before suddenly appeared to make doomsday predictions, and then they vanished into the woodwork as quickly as they had appeared. Here's a look at some of the predictions made four years ago and their truth today.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Prediction: &lt;/strong&gt;VBScript worms will remain a major risk for most of computing.&lt;br /&gt;&lt;strong&gt;Outcome: &lt;/strong&gt;&lt;font color="#ff0000"&gt;&lt;strong&gt;False&lt;br /&gt;&lt;font color="#000000"&gt;The Truth: &lt;/font&gt;&lt;/strong&gt;&lt;/font&gt;&lt;/font&gt;&lt;font color="#000000"&gt;In April of 2003, seven VBScript-based viruses were on the WildList. Three of those viruses were on the main list. Of those three, only one - VBS/Freelinks - had more than one line of reports. By December 2000, 33 VBScript viruses were on the list, fifteen of which were on the main list, and four with more than one line of reports. This number fluctuated only slightly for the next two years. By mid 2001, the VBS/VBSWG family of kit-based worms added a number of its family members to the WildList ranks. After this, the number of VBScript-based worms began to decline as .vbs became an infamous extension. Today, 25 VBScript viruses are on the list, of which 11 are on the main list, and two have multiple lines of reports.
No new major VBScript virus has been discovered since VBS/Redlof in October 2002. The last even semi-major VBScript mass-mailer was VBS/VBSWG.AQ-mm in July 2002. VBScript worms are no longer considered a very significant threat in the field.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Prediction: &lt;/strong&gt;Mass-mailing worms will remain a major risk for most of computing.&lt;br /&gt;&lt;strong&gt;Outcome: &lt;font color="#008000"&gt;True&lt;/font&gt;&lt;/strong&gt;&lt;font color="#ff0000"&gt;&lt;strong&gt;&lt;br /&gt;&lt;font color="#000000"&gt;The Truth: &lt;/font&gt;&lt;/strong&gt;&lt;/font&gt;&lt;font color="#000000"&gt;VBS/Loveletter was the second time a mass-mailing worm had grabbed the public's attention, the first being W97M/Melissa. And, ever since, the number one type of worm has more or less reliably been the mass-mailer. Of the 56 worms that currently have two or more lines of WildList reports (14 or more reports), 45 have some sort of mailing ability, and all but two of those are mass-mailers.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Prediction: &lt;/strong&gt;VBS/Loveletter will always be the most successful worm of all time.&lt;br /&gt;&lt;strong&gt;Outcome: &lt;font color="#ff1493"&gt;(Arguably) &lt;/font&gt;&lt;font color="#ff0000"&gt;False&lt;/font&gt;&lt;/strong&gt;&lt;font color="#ff0000"&gt;&lt;strong&gt;&lt;br /&gt;&lt;font color="#000000"&gt;The Truth: &lt;/font&gt;&lt;/strong&gt;&lt;/font&gt;&lt;font color="#000000"&gt;In terms of spread, it is hard to dispute that VBS/Loveletter is NOT the most successful worm of all time. Any number of other worms - Blaster, MyDoom, Sobig.F - have easily trumped VBS/Loveletter in this category. Damage is another question. Fiscally, VBS/Loveletter definitely does not hold the world record. MyDoom does ($43.9 billion), followed by Sobig.F ($14.62 billion), Klez.H ($13.94 billion), and then Loveletter ($8.75 billion).
Another worm which would probably eclipse it, Blaster, has no statistics available, while the current Sasser outbreak will probably also break Loveletter's position. Damage cannot necessarily be calculated in billions, but of any of the worms on this list, VBS/Loveletter was certainly the most destructive. Still, it is unlikely that it caused the most damage.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Prediction: &lt;/strong&gt;The end of the world as we know it, or at least computing as we know it, is near.&lt;br /&gt;&lt;strong&gt;Outcome: &lt;font color="#ff0000"&gt;False&lt;/font&gt;&lt;/strong&gt;&lt;font color="#ff0000"&gt;&lt;strong&gt;&lt;br /&gt;&lt;font color="#000000"&gt;The Truth: &lt;/font&gt;&lt;/strong&gt;&lt;/font&gt;&lt;font color="#000000"&gt;Although they are a difficult and dynamic foe, computer security threats are NOT the end of the world - even the computing world. Developing technologies will continue to appear to protect against threats that seem to develop equally quickly. The average user will never become a victim of a security problem if they practice excellent security methods and keep up-to-date software and patches.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;font size="4"&gt;Did Loveletter Actually Mean Anything?&lt;br /&gt;&lt;/font&gt;&lt;/strong&gt;&lt;font color="#000000"&gt;The question still remains after these four years: Did Loveletter actually mean anything to the security world or the public at large?
This question is open to debate, but there are a few things that, it is hard to disagree, Loveletter changed forever, and a few that it did not.&lt;br /&gt;&lt;br /&gt;&lt;font size="4"&gt;&lt;strong&gt;What Loveletter Did Change&lt;br /&gt;&lt;/strong&gt;&lt;/font&gt;&lt;font size="3"&gt;&lt;/font&gt;&lt;strong&gt;The Public Perception of Viruses&lt;br /&gt;&lt;/strong&gt;&lt;/font&gt;Before VBS/Loveletter, the average person had little more knowledge of computer viruses than that they were bad, and in some cases that there was one named Melissa that did something a while ago that was also bad. After Loveletter, viruses became a common point of discussion, and fear - whether sensible or otherwise.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Public Awareness of Viruses&lt;br /&gt;&lt;/strong&gt;&lt;/font&gt;Although this is similar to the last entry, it is different enough to deserve its own category. Before Loveletter, many computer users would just click on anything they were sent, even if it had the subject “THERE IS A VIRUS ATTACHED DON'T OPEN IT.” In fact, many still do. However, this number is significantly lower thanks to media coverage of worms like Loveletter, which brings us to...&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Media Coverage of Viruses&lt;br /&gt;&lt;/strong&gt;&lt;/font&gt;The media had, before Loveletter, a superficial knowledge of worms much like the general public. Loveletter prompted them to at least bring in some experts, although much of it was still hype. This was somewhat negated by the sudden urge to report on every single worm that involved a celebrity or clever piece of social engineering. Reports continued, though, to use colorful terms such as “Killer Internet Trojan horse worm virus.”&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Outbreak Response and Management&lt;br /&gt;&lt;/strong&gt;&lt;/font&gt;Both antivirus companies and system administrators alike were faced with the problem of more prompt response to sudden outbreaks of new viruses.
No longer could detection files just be posted weekly; after Loveletter, it was down to the hour in a crucial attempt to squash the virus before it had spread so far that a detection release would help little.&lt;br /&gt;&lt;br /&gt;&lt;font size="4"&gt;&lt;strong&gt;What Loveletter Didn't Change&lt;br /&gt;&lt;/strong&gt;&lt;/font&gt;&lt;font size="3"&gt;&lt;/font&gt;&lt;strong&gt;The Technological Aspect of Viruses&lt;br /&gt;&lt;/strong&gt;&lt;/font&gt;VBS/Loveletter was not a very interesting worm as much as it was a lucky worm. The code and methods were old hat even at that point. The clever social engineering wasn't all &lt;em&gt;that &lt;/em&gt;clever even for the day. Making a detection file was more or less a piece of cake (although a few companies still managed to mess it up, such as the one who detected any instance of the filename “LOVE-LETTER-FOR-YOU.TXT.vbs” as the worm itself).&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;The World&lt;br /&gt;&lt;/strong&gt;Loveletter was a significant but not technologically-based outbreak. It showed how a simplistic email worm could spread globally, how fast, and how much damage it could do, but all of this would eventually have surfaced anyway. It was just a matter of time and luck.&lt;br /&gt;&lt;br /&gt;&lt;font size="4"&gt;&lt;strong&gt;The Uncertain Future&lt;br /&gt;&lt;/strong&gt;&lt;/font&gt;&lt;font size="3"&gt;&lt;/font&gt;Even four years later, we still deal with mass-mailing worms, and probably will still be doing so for a few years to come. What is the next wave of worms? It is futile to predict. New-age automatic worms like Blaster and Sasser have displayed some muscle, but their long-term spread is hindered by how easy they are to prevent. Spyware continues to grow as a threat, and the line between malicious software and intrusive software is blurring at an increasingly rapid rate.
The one thing that hasn't changed, though, since Loveletter's day and age is a good security strategy: an updated firewall, an updated antivirus program, a good configuration, and current Windows Update patches (maybe a spyware killer these days, too). And, of course, something that will be invaluable for computer security as long as it exists: common sense.&lt;/p&gt;</description><category domain="http://msmvps.com/blogs/trafton/archive/tags/VIRUSES/default.aspx">VIRUSES</category><category domain="http://msmvps.com/blogs/trafton/archive/tags/COMMENTARY/default.aspx">COMMENTARY</category></item><item><title>Google's Fall From Grace</title><link>http://msmvps.com/blogs/trafton/archive/2004/04/23/5417.aspx</link><pubDate>Fri, 23 Apr 2004 18:11:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:5417</guid><dc:creator>trafton</dc:creator><slash:comments>2</slash:comments><description>&lt;h3&gt;&lt;font color="#0000ff"&gt;Commentary:&lt;/font&gt; The Google Situation&lt;/h3&gt;
&lt;p&gt;Due to a lack of news today, there probably will not be any Daily Update unless a few more news stories are released that are worthy of inclusion. Because of this slow day, I decided that I might as well comment on a situation that has interested me as of late. Please note that this is an opinion, and any views here do not reflect those of Microsoft, the MVP program as a whole, etcetera, etcetera.&lt;br /&gt;&lt;br /&gt;For those of you who do not know, Google has recently experienced a fall from grace of sorts. The previously near-spotless reputation of the company has lately been marred by security concerns about an unreleased service, GMail (short for “Google Mail”). GMail, which has no official release date and probably won't be hurried up anytime soon, has turned Google into - in the words of BroadbandReports - “this month's whipping boy.” And it's true enough. The beloved search company has made some questionable announcements about security. After the initial raving about its one gigabyte (!!!) storage capacity and its chance of being an April Fools joke (information was released on April 1st - perhaps a successful marketing strategy for generating buzz), it became clear that the big news would be the security problems. Less than a week ago, a California Democrat in the senate filed a lawsuit to block GMail.&lt;br /&gt;&lt;br /&gt;The primary concern lately has been GMail's security. For advertising purposes, Google announced that GMail (currently being beta-tested) would mechanically read the user's message and then append a short text ad to the bottom based on the contents of the message. An email forward about caring for puppies, for instance, might have an ad for Petco at the bottom. At first glance, this isn't a major problem to many people. However, privacy advocates quickly came out saying there is little difference between a machine and a person reading it. The organizations argue that they are both a breach of privacy.
And, frankly, they probably are.&lt;br /&gt;&lt;br /&gt;I am not going to argue that it is impossible to be safe on the Internet, even though it is indeed impossible to be completely safe (of course, without shutting off the Internet or the computer). The best Joe Enduser can do is run an updated firewall and an updated antivirus program, and not do anything really stupid. The perception of Internet security is a false one. Every system has a hole, whether or not it is waiting to be uncovered. These are established facts, and in no way rationalize going about installing backdoor servers on your machine, since it will “inevitably happen anyway.” The sad fact is, most users that don't have firewalls will never be hacked. If you never open email attachments and keep your Windows patches up to date, there is a good chance that you will never find the need to utilize an antivirus program. But many machines do get infected, and many do get hacked. It is not an inevitability, although it is becoming more common; then again, neither is one's house burning down, but that is no reason not to have a fire alarm.&lt;br /&gt;&lt;br /&gt;By this logic, GMail is guilty of unnecessary privacy invasion, but most email providers are guilty of it, too. Services with junk mail folders have to read received emails to determine whether they are spam. This can be turned off, but most people do not turn it off. Although I obviously don't have real statistics on this, I'd assume 95 per cent of cases in which junk mail filtering is disabled are because legitimate mail was marked as spam. Email is simply &lt;em&gt;not &lt;/em&gt;a secure method of transferring information. GMail does make it less secure, but webmail is not the venue to transmit anything that would cause criminal or legal problems if it was leaked.&lt;br /&gt;&lt;br /&gt;The question is really one of subjectivity and preference.
Considering what sort of emails you are receiving (and, to a lesser extent, sending), would you be willing to risk a small chance of total data leakage in exchange for one gigabyte of storage space? And will those sending you email want to risk it? With twenty-two pieces of spyware installed on the average user's computer, it will be a long time before GMail is the biggest threat out there, but it still does show a mainstream movement toward less security. Google will recover, but will never have a spotless reputation again in the minds of some. A few years from now, though, it is doubtful that many will even remember the uproar over the service. Only time will tell.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Links: For&lt;br /&gt;&lt;/strong&gt;”&lt;a href="http://www.oreillynet.com/pub/wlg/4707"&gt;The Fuss About Gmail and Privacy: Nine Reasons Why It's Bogus&lt;/a&gt;” - &lt;em&gt;Tim O'Reilly&lt;/em&gt;. A well-done article, although the title is somewhat misleading. It is more about the benefits of GMail as a whole, although plenty of security topics are included.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Links: Against&lt;/strong&gt;&lt;br /&gt;”&lt;a href="http://www.google-watch.org/email.html"&gt;Gmail Privacy Alert&lt;/a&gt;” - &lt;em&gt;GoogleWatch&lt;/em&gt;. Although this site brings to mind those old “NETWORK SOLUTIONS IS A BAD COMPANY” pop-up ads with its irrelevant pictures, it still highlights some disturbing aspects of GMail.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Links: News Coverage&lt;br /&gt;&lt;/strong&gt;”&lt;a href="http://www.cnn.com/2004/TECH/internet/04/06/google.email/"&gt;Google's 'Gmail' Under Fire&lt;/a&gt;” - &lt;em&gt;CNN&lt;/em&gt;.
Excellent CNN coverage of the outcries from organizations against GMail.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Links: Other&lt;br /&gt;&lt;/strong&gt;”&lt;a href="http://starbulletin.com/2004/04/11/business/brandao.html"&gt;E-Mail Ads Can Read Between the Lines&lt;/a&gt;” - &lt;em&gt;Curt “Digital Slob” Brandao/Honolulu Star-Bulletin&lt;/em&gt;. A funny look at some of the more interesting possibilities of what Google's context-based ads could render.&lt;/p&gt;</description><category domain="http://msmvps.com/blogs/trafton/archive/tags/COMMENTARY/default.aspx">COMMENTARY</category></item></channel></rss>