Andre Yee
Andre Yee's Security Insider
An open dialogue about security and compliance for the enterprise.


October 26, 2006
Dueling Malware

An interesting development in the realm of malware is the battle for exclusive control of the infected host. In recent years, we've seen how certain trojans and worms can eliminate competing malware even while infecting the host with their own malicious code. Here are a couple of examples -

The W32/Nachi worm would target hosts vulnerable to the W32/Lovesan (Blaster) worm. In the process, it would eliminate the Blaster worm and even go as far as to download the patch from the Microsoft site, closing the MS03-026 vulnerability against further infection. Later variants of Nachi, such as W32/Nachi.worm.b, would also eliminate competing viruses and worms.

Now Joe Stewart from SecureWorks writes about the Spamthru trojan, which serves up spam from an infected host. It appears that Spamthru does not play nice with other spamming trojans: it leverages a Kaspersky antivirus engine to eliminate other malware on the system while leaving its own in place. Here's how Joe describes what Spamthru does -

"SpamThru takes the game to a new level, actually using an antivirus engine against potential rivals. At startup, SpamThru requests and loads a DLL from the control server. This DLL in turn downloads a pirated copy of Kaspersky AntiVirus for WinGate from the control server into a concealed directory on the infected system. It patches the license signature check in-memory in the Kaspersky DLL in order to avoid having Kaspersky refuse to run due to an invalid or expired license. Ten minutes after the download of the DLL, it begins to scan the system for malware, skipping files which it detects are part of its own installation. Any other malware found on the system is then set up to be deleted by Windows at the next reboot."

Of course, Spamthru also does bad stuff like acting as a proxy for spammers, as well as serving up obfuscated spam that uses GIF randomization techniques.

This cannot be a good sign, when trojans, worms and spam/spyware engines have to compete with each other for hosts. Do you think we have a serious problem?

Posted by andreyee in Odds and Ends

October 25, 2006
Free Anti-Spyware Software

If there's anything that gets our attention, it may be a free offer of any kind. Microsoft has just released Windows Defender, a free anti-spyware program that had been in beta trials since early 2005, into general availability. Here's a brief description from the Microsoft website:

Windows Defender is a free program that helps protect your computer against pop-ups, slow performance, and security threats caused by spyware and other unwanted software.

It's available for download here.

Although not a surprise to other major security vendors like McAfee or Symantec, it must still be a troubling sign to them as Microsoft releases free products that compete with their revenue-generating anti-spyware products. It'll further commoditize anti-spyware technology, which is good news for consumers and businesses alike.

Posted by andreyee in Product Announcements

October 11, 2006
Symantec and McAfee Cry Foul on Vista Security

Microsoft has faced criticism over the years for security flaws in its products. In an effort to reclaim lost ground, Microsoft expects that Vista will be significantly more secure and less vulnerable than its predecessors. However, two of the largest security companies, Symantec and McAfee, are asserting that Microsoft is leveraging its dominant position in the operating system arena to create an unfair competitive advantage in the security space.

Both companies have taken a very public and aggressive stance in defending their core business. Part of the dispute arose from the limited access that was afforded to the Vista kernel. This will make Vista more secure, but it also has the potential effect of locking out other antivirus companies. Most of the debate is going on in Europe and will probably lead to a complaint filed with the European Union. McAfee even took out an ad in the Financial Times to stake out its position. Part of the ad reads as follows:

“Only one approach protecting us all: when it fails, it fails for 97 percent of the world’s desktops...”

Stay tuned, this fight is just getting started...

Posted by andreyee in Industry Trends

October 10, 2006
Google Blog Hacked.

Apparently, this past weekend, someone hacked into the Google Blog and posted a fake message about the discontinuation of the AdWords click-to-call test. No particular harm was done, but it highlights how, as online services like blogs, wikis, online auctions, etc. become more prominent, attacks will quickly follow.

Take heed Google, eBay, Yahoo...hackers are getting bored with Microsoft and coming your way.

Posted by andreyee in Alerts/Warnings

October 09, 2006
Bruce Schneier on The Future of Privacy

Bruce Schneier, CTO of Counterpane Internet Security and author of best-selling books such as Applied Cryptography and Beyond Fear, discusses security and privacy in a talk held at USC.

Here's the link to the audio. It's definitely worth checking out.

Posted by andreyee in Privacy/Information Theft

October 05, 2006
How to Select an IPS

Joel Snyder of Opus One has just published a paper entitled "Six Integral Steps to Selecting the Right IPS for Your Network". It's hosted on Juniper's site, but it's actually somewhat vendor neutral. Joel is a knowledgeable security consultant and a very good writer, which is a rare combination. I think this paper is quite insightful and offers practical advice on how to think through the selection process. Speaking as the CEO of NFR Security, a vendor in the IPS space, I think this paper is much needed in what must be a confusing market for buyers of IPS technology.

Joel offers some good solid advice. Here are his six steps:

Step 1: Why am I buying an IPS?
Step 2: Determine Security Parameters and Coverage
Step 3: Determine Your Performance Requirements
Step 4: Determine Form Factor Requirements
Step 5: Determine Security Management Requirements
Step 6: Evaluate an IPS

Here's what I liked about his paper in general:

First, Joel does a nice job of not naming names or endorsing any particular vendor. If this paper is to be objective and helpful, it needs to stick to that tenet, and it does. Second, it may seem like common sense, but many users don't understand how to systematically think through the evaluation/selection process, and this paper offers a very solid approach to doing so.

Also, he calls it like he sees it. I can't say I agree with every single thing he says (I'll get to that later), but he's generally knowledgeable and intellectually honest when he calls out the limitations of the Snort IDS embedded in these Unified Threat Management (UTM) boxes. Here's a sampling -

"...some firewalls have an 'IPS function' which was placed into the device simply to satisfy a checklist requirement as part of a UTM offering....these IPS features are based on some version of the Snort IDS engine..."

"Although Snort does a poor job as an IPS...this isn't the main reason why these embedded IPS functions in UTM firewalls should be avoided. The real problem with embedded Snort-based IPS in UTM devices lies with system management."

He goes on to explain how Snort's more than 6,000 rules can be a real challenge to manage in a UTM, which limits the ability to keep false positives at an acceptable level. Joel Snyder deserves credit for finally blowing the whistle on what UTM/embedded Snort implementations really deliver. It's not a real IPS solution and probably never will be...but if all you want is to mark a checklist, then I guess it's ok.

Other good points in his paper include his emphasis on how important management capability really is. If you're deploying more than 3-4 sensors, manageability of the system is critical to the decision process.

Here are a few points of disagreement, mostly minor but I thought I'd list them.

Near the top of the list of my concerns is his categorization of the "behavioral IPS". I'm not 100% certain of what he means by behavioral IPS but if he's talking about pure play netflow analysis/user pattern analysis vendors like Arbor Networks or Lancope, I'm not sure that those products qualify as IPSs under generally accepted definitions. Most experts believe that a requirement of an IPS is to run inline, hence possessing the ability to block in real time. I don't think most of what is classified as behavioral systems run inline. No slight intended to Arbor or Lancope since both are excellent products but my perception in speaking with several enterprise customers is that behavioral anomaly systems are viewed as niche, marginal and supplementary to an enterprise security architecture.

I also think his "hard categorization" of signature-based versus rate-based IPSs can be unintentionally misleading. The truth is that most IPSs offer some measure of multiple protection techniques. I know that NFR Security's Sentivist product uses a hybrid detection model that incorporates a mix of signature-based, protocol anomaly-based, rate-based and policy-based detection. However, he does qualify this by speaking about every product having a "sweet spot", which I agree with.

Overall, it's an excellent paper and a very worthy read. If you're shopping for an IPS, take some time to check it out.

Posted by andreyee in IPS/Firewall Technology

October 04, 2006
McAfee Acquires Citadel Security

Although not as big as other recent acquisitions, such as ISS by IBM or Network Intelligence by EMC, McAfee's acquisition of Citadel Security Software for $60M is more evidence of an M&A pickup and ongoing consolidation in the security space. It's also indicative of the need for pure-play security companies to get serious about leveraging acquisitions as a means of product line expansion and growth.

McAfee will add policy compliance and vulnerability remediation to its extensive portfolio of products, which includes the IntruShield IPS and its well-known antivirus offering. I think it's a good move for any large "pure play" security company like McAfee to bolster its position by increasing its product portfolio with best-of-breed technology.

In this regard, it's a solid tactical acquisition for McAfee.

Posted by andreyee in Industry Trends

October 03, 2006
Clickprinting - The End of Anonymity on the Web?

Surfing on the web has always provided the individual with the cloak of anonymity. To paraphrase a popular commercial - "whatever is done on the web, stays on the web"...until now.

There are a number of emerging technologies that threaten to render anonymous web surfing a thing of the past. Clickprinting is one such technology. In a recent article in The Guardian, clickprinting is described as "a unique pattern of web surfing behavior based on actions such as the number of pages viewed per session, the number of minutes spent on each page, the time or day of the week the page is visited, and so on".

Professor Balaji Padmanabhan (Wharton School at the University of Pennsylvania) and Professor Catherine Yang (Graduate School of Management at the University of California, Davis) assert that over a number of sessions, it is possible to distinguish patterns of web surfing that can uniquely identify a particular individual.

"Our main finding is that even trivial features in an internet session can distinguish users," Padmanabhan told the Wharton Review. "People do seem to have individual browsing behaviors." The duo found that anywhere from three to 16 sessions are needed to identify an individual's clickprint.

"The paper is really a proof of concept that behavior and minimal information can be used to identify users," says Yang. In one example, they found that from just seven aggregated sessions they could distinguish between two different surfers with a confidence of 86.7%. Given 51 sessions, the confidence level rose to 99.4%.

Why the interest in this technology? It is anticipated that clickprinting can help eCommerce companies reduce the probability of fraud by identifying inconsistent user behavior. The notion is that even if someone gained access to your login information, their behavior may give them away and hence alert the eCommerce company to a possible fraud in play. I'm not sure if it'll work that well in practice, but clickprinting is certainly worthy of note.
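To make the mechanism concrete, here is an added Python sketch of the idea the researchers describe. It is not code from the post or from the Padmanabhan/Yang paper, and its two "surfers", the three session features (pages per session, minutes per page, hour of day), the Gaussian profiles and the nearest-centroid classifier are all my constructed assumptions rather than the paper's method or data. What it shows is the effect quoted above: on any single session the two users overlap heavily, but averaging a handful of sessions drives identification accuracy toward certainty, which is exactly why aggregated behavior can both de-anonymize a visitor and flag an account being used by someone else.

```python
import random
import statistics

# Constructed synthetic "clickprint" profiles for two surfers (not real data).
# Each session yields (pages viewed, minutes per page, hour of day), drawn as
# Gaussians (mean, std). The per-feature overlap is deliberately large so that a
# single session is a weak identifier. Values are unclamped continuous samples.
USER_PROFILES = {
    "alice": ((8.0, 3.0), (1.5, 0.7), (14.0, 4.0)),
    "bob":   ((10.0, 3.0), (2.0, 0.7), (17.0, 4.0)),
}


def sample_session(rng, user):
    """Draw one session's feature vector for the given (constructed) user."""
    return tuple(rng.gauss(mu, sigma) for mu, sigma in USER_PROFILES[user])


def build_centroids(rng, n_train=30):
    """Learn a per-user centroid plus a pooled per-feature scale from labelled
    training sessions (the 'enrollment' phase of a behavioral profile)."""
    train = {u: [sample_session(rng, u) for _ in range(n_train)] for u in USER_PROFILES}
    centroids = {
        u: tuple(statistics.fmean(col) for col in zip(*sessions))
        for u, sessions in train.items()
    }
    pooled = [s for sessions in train.values() for s in sessions]
    scales = tuple(statistics.pstdev(col) for col in zip(*pooled))
    return centroids, scales


def aggregate(sessions):
    """Average the feature vectors of several sessions into one clickprint."""
    return tuple(statistics.fmean(col) for col in zip(*sessions))


def classify(features, centroids, scales):
    """Nearest-centroid decision in standardized (per-feature scaled) space."""
    def dist(centroid):
        return sum(((f - m) / s) ** 2 for f, m, s in zip(features, centroid, scales))
    return min(centroids, key=lambda u: dist(centroids[u]))


def identification_accuracy(k, trials=400, seed=2006):
    """Fraction of trials in which an aggregate of k fresh sessions is attributed
    to the right user. Seeded, so results are reproducible."""
    rng = random.Random(seed)
    centroids, scales = build_centroids(rng)
    users = list(USER_PROFILES)
    correct = 0
    for i in range(trials):
        truth = users[i % 2]  # alternate users so both are tested equally
        sessions = [sample_session(rng, truth) for _ in range(k)]
        if classify(aggregate(sessions), centroids, scales) == truth:
            correct += 1
    return correct / trials


if __name__ == "__main__":
    # Accuracy rises with the number of aggregated sessions, mirroring the
    # "three to 16 sessions" finding quoted in the post.
    for k in (1, 3, 7, 16):
        print(f"{k:2d} aggregated session(s): {identification_accuracy(k):.1%} correct")
```

The privacy lesson and the fraud-detection use are two sides of the same curve: a defender can raise the bar on account takeover by treating a low-confidence clickprint match as a step-up authentication trigger, while the same signal lets a site re-identify a visitor who never logged in. Nothing in the sketch needs cookies or IP addresses, only the aggregate timing and volume of a visitor's requests.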

Of course, the idea of fingerprinting anonymous surfers isn't anything new. At the Black Hat Briefings in Las Vegas, Dr. Neal Krawetz of Hacker Factor Solutions noted how gender, nationality and other attributes can be identified by non-classical forensic methods. This includes analysis of text posted on blogs, listservs and forums. Dr. Krawetz cautions that this approach is only 60-70% accurate, but it offers clues when you're tracking down a malicious hacker. If you're interested, you can check out his presentation here.

Posted by andreyee in Odds and Ends

October 02, 2006
Phishing Scams on the Rise

Phishing scams are on the rise, almost doubling in the first half of 2006 when compared to the last six months of 2005. According to a Symantec report released a week ago, the number of scams grew by 81% and increasingly targeted the "weakest link" - home users. To get an idea of how fast this problem is proliferating, note that the Anti-Phishing Working Group reported a while ago that from Nov 2004 to Nov 2005 the number of phishing attacks doubled. Now, if you believe the Symantec report, it has almost doubled again in a mere six months. You can download the entire report here from the Symantec website.

Many of the search sites and social networking sites are becoming launch points for a variety of phishing exploits. Google recently had one discovered and reported by Eric Farraro on his blog. Perhaps as hackers find attacking Microsoft platforms passé, they're moving on to the new technology giants on the landscape like eBay, MySpace and Google. Well, fame and fortune has its price...

Posted by andreyee in Privacy/Information Theft
