Tag Archives: anti-virus software

Estonia Nets A Big Phish

The Register, quoting AP, says that an Estonian man suspected of plundering millions from hundreds of online bank accounts across Europe was arrested last week. AP reports that the unnamed 24-year-old allegedly used a sophisticated Trojan to monitor keystrokes on victims’ PCs and extract the banking passwords that let him plunder the accounts.

The unnamed Trojan was bulk-mailed to prospective victims in emails promising lucrative job offers from government institutions, banks and investment firms. In reality the emails linked to a web page hosting malicious code.

Jaan Priisalu, an IT risk manager at Hansabank, told AP the Trojan used in the scam was the most sophisticated he had ever seen. For a long time, AP says, it evaded anti-virus software, and it erased all traces of itself from hard drives once it had exhausted its usefulness.

Which, of course, raises the question: how many other Trojans are out there evading our defences? And does ‘evading anti-virus software’ mean the Trojan was never identified and added to the vendors’ signature libraries, or that a signature existed but the software still failed to catch it? Either way, it’s worrying.

Will Inspector Brown Save Us From The Phishers?

Combatting phishing ain’t easy. So how does a new weapon, Inspector Brown, mentioned in a comment to an earlier posting here on phishing, shape up?

Inspector Brown is a program that sits between you and your browser (IE only, I think, but the documentation is minimalist, to put it mildly) and warns you if a site you are visiting is a suspected phishing site: “The page you tried to access is a potential dangerous and fraudulent website,” you will be told. “You may be at risk for identity theft and financial loss if you continue with this website.” You can then choose to proceed or not.

Not a bad idea, but of course it relies entirely on the software knowing which sites are fraudulent, and this is where the system fails. The software checks a library of ‘known’ fraudulent websites maintained by Inspector Brown, much as anti-virus software checks an internal library of known virus signatures. Unfortunately there are several problems with this:

  • The list depends on users submitting fraudulent websites, raising the question: Why would a user who is smart enough to recognise a fraudulent website need Inspector Brown?
  • Phishing sites are notoriously short term. Some are up only for a few hours before they are taken down, often after already doing serious damage. In this sense combatting phishing by a library of known phishing sites is as flawed as anti-virus software maintaining libraries of viruses. Unless the libraries move very quickly to not only update themselves, but update users, such tools arrive too late to help users. Indeed, phishing is even less suited to this approach, because phishing sites are no longer active after a few hours, whereas old viruses may still be floating around the Internet months, even years, after their creation.
  • The list itself is short and suspect: it includes, for example, legitimate commercial websites like Vsong.com, a Shenzhen-based manufacturer of computer and mobile phone accessories, and zapthedingbat.com, the home of celebrated anti-phisher Sam Greenhalgh. I’m sure he would be amused to find he is, according to Inspector Brown, ‘a Known Fraud’. Another peculiarity in the list is Visualsoft-tech.com, the website of VisualSoft Technologies, ‘a leading software solutions and product development company catering to diverse industry segments’ based in Hyderabad. Inspector Brown’s library calls it a ‘Bad Company’. Lawsuits, anyone?

Lastly, we just don’t know enough about Inspector Brown and how it appraises websites to trust its judgement. In this regard the company has got to be more open about what it’s doing and how it does it. All we know from the website is that the program is the work of Inspector Brown Software, based in Scottsdale, Arizona. There’s no registration data to work with, no support pages, no help pages. That’s about it. Of course, they could argue it’s early days, but as it stands I think Inspector Brown, with its poor documentation, eccentric library of fraudulent sites and quirky interface, only adds to the noise instead of reducing it.
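The list-based check described above, as an added example in Python. This is not Inspector Brown’s code (its list format and matching rules are not documented anywhere the page points to); it is a checker built on the same idea, with a constructed blocklist of documentation-only hosts and constructed report times. It goes beyond the post in one respect: it normalises the URL before the lookup, because matching the raw string misses trivial disguises such as http://www.bank.example@192.0.2.10/, and it models the update lag the second bullet complains about.

```python
"""Blocklist-style phishing check, in the spirit of the Inspector Brown approach.

Added example: not Inspector Brown's code. The hosts, timestamps and update
intervals below are constructed for illustration.
"""
import ipaddress
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import urlsplit

UTC = timezone.utc

# Constructed blocklist: host -> time the site was reported to the list (UTC).
BLOCKLIST = {
    "secure-login.example": datetime(2004, 2, 1, 10, 0, tzinfo=UTC),
    "192.0.2.10": datetime(2004, 2, 1, 12, 30, tzinfo=UTC),
}


def normalize_host(url: str) -> Optional[str]:
    """Return the host a browser would actually connect to, or None.

    urlsplit discards any 'user@' prefix, so the old disguise
    http://www.bank.example@192.0.2.10/ resolves to 192.0.2.10, not the bank.
    Case and a trailing dot are ignored, as DNS ignores them.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return None
    host = parts.hostname  # already lower-cased; userinfo and port removed
    if not host:
        return None
    return host.rstrip(".")


def lookup(host: str, blocklist=BLOCKLIST,
           client_updated_at: Optional[datetime] = None) -> Optional[str]:
    """Return the blocklist entry matching host or a parent domain, else None.

    A client only knows entries that existed when it last fetched the list,
    so anything reported after client_updated_at is invisible to it.
    """
    try:
        ipaddress.ip_address(host)
        candidates = [host]                      # literal IP: exact match only
    except ValueError:
        labels = host.split(".")
        # host itself, then each parent domain, but never the bare TLD
        candidates = [".".join(labels[i:]) for i in range(len(labels) - 1)]
    for candidate in candidates:
        reported = blocklist.get(candidate)
        if reported is None:
            continue
        if client_updated_at is not None and reported > client_updated_at:
            continue                             # newer than the client's copy
        return candidate
    return None


def is_suspect(url: str, client_updated_at: Optional[datetime] = None) -> bool:
    """Verdict for a URL, optionally as seen by a client with a stale list."""
    host = normalize_host(url)
    return host is not None and lookup(host, client_updated_at=client_updated_at) is not None


def protected_before_takedown(reported_at: datetime, update_interval: timedelta,
                              taken_down_at: datetime) -> bool:
    """Worst case for a client that refreshed just before the report came in:
    it first carries the entry at reported_at + update_interval. True only if
    that is still before the phishing site disappears."""
    return reported_at + update_interval < taken_down_at


if __name__ == "__main__":
    for url in ("http://www.bank.example@192.0.2.10/login",
                "HTTP://SECURE-LOGIN.EXAMPLE./account",
                "https://www.bank.example/"):
        print(url, "->", is_suspect(url))
    reported = BLOCKLIST["192.0.2.10"]
    down = reported + timedelta(hours=4)   # constructed: site lived four more hours
    for hours in (1, 6):
        print(f"client updating every {hours}h protected:",
              protected_before_takedown(reported, timedelta(hours=hours), down))
```

The last function is the whole argument of the second bullet in three lines: with a four-hour site and a six-hour update cycle, the entry reaches the client after the site is gone, however accurate the list eventually is.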

Keeping Out The Worms

Can we really keep out worms?

An interesting piece from Information Security Magazine takes a look at a range of “antiworm” products which promise to contain worms by weeding out bad traffic. Among them: Mirage Networks, ForeScout, Check Point Software Technologies, Silicon Defense and IBM.

They use different approaches, the article says. Some watch for unanswered Address Resolution Protocol (ARP) requests, since a host asking for addresses that nothing answers is probably sweeping the network; some rely on anomaly detection; others automatically isolate compromised hosts. Others redirect worm traffic to a quarantined area to buy time to isolate the worm while keeping systems available. Others try to limit the spread of a virus by ‘throttling’ it, i.e. limiting the number of Internet connections an infected computer can open.
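Two of those techniques, unanswered ARP requests and connection throttling, as an added example in Python. It is not code from any of the products named, whose internals the article does not describe; the hosts, addresses and traffic it runs on are constructed, and the thresholds are hypothetical.

```python
"""Two antiworm techniques from the article, reduced to runnable form (added
example, not vendor code; all traffic below is constructed).

Part 1 flags hosts whose ARP requests go unanswered, i.e. a host probing
addresses nothing lives at. Part 2 is a connection throttle: connections to a
few recently used destinations pass freely, connections to new destinations
are admitted at a fixed rate and queued beyond that, and a queue that keeps
growing is the alarm.
"""
from collections import defaultdict, deque


def unanswered_arp_requests(events, timeout, now):
    """Per requesting host, count ARP requests older than `timeout` with no reply.
    events: (time, "request"|"reply", sender, target) tuples, any order."""
    pending = {}  # (requester, target) -> time of first request
    for t, kind, sender, target in sorted(events):
        if kind == "request":
            pending.setdefault((sender, target), t)
        elif kind == "reply":  # replier is the original target, answering the requester
            pending.pop((target, sender), None)
    counts = defaultdict(int)
    for (requester, _target), t in pending.items():
        if now - t >= timeout:
            counts[requester] += 1
    return dict(counts)


def arp_scanners(events, timeout=2.0, threshold=8, now=None):
    """Hosts with at least `threshold` timed-out ARP requests (thresholds hypothetical)."""
    if now is None:
        now = max(e[0] for e in events) + 2 * timeout  # let the last request time out
    counts = unanswered_arp_requests(events, timeout, now)
    return sorted(h for h, c in counts.items() if c >= threshold)


def constructed_arp_events():
    """Constructed traffic: one normal host, one host sweeping 20 addresses."""
    events = [
        (0.00, "request", "10.0.0.3", "10.0.0.1"),   # normal host asks for gateway
        (0.01, "reply",   "10.0.0.1", "10.0.0.3"),
        (0.50, "request", "10.0.0.3", "10.0.0.5"),   # ... and for a file server
        (0.51, "reply",   "10.0.0.5", "10.0.0.3"),
    ]
    for i in range(50, 70):                          # scanner sweeps .50-.69
        events.append((1.0 + 0.1 * (i - 50), "request", "10.0.0.7", f"10.0.0.{i}"))
    events += [(1.02, "reply", "10.0.0.50", "10.0.0.7"),   # only two exist
               (1.52, "reply", "10.0.0.55", "10.0.0.7")]
    return events


class ConnectionThrottle:
    """Per-host throttle on connections to *new* destinations."""

    def __init__(self, working_set_size=5, new_per_second=1.0, max_queue=10):
        self.working = deque(maxlen=working_set_size)  # recent destinations
        self.interval = 1.0 / new_per_second
        self.max_queue = max_queue
        self.queue = deque()
        self.next_slot = 0.0  # earliest time the next new destination may go

    def request(self, dst, t):
        """Return 'allowed', 'delayed' or 'alarm' for a connection attempt at time t."""
        self._release_due(t)
        if dst in self.working:
            return "allowed"
        if not self.queue and t >= self.next_slot:
            self._admit(dst, t)
            return "allowed"
        self.queue.append(dst)
        return "delayed" if len(self.queue) <= self.max_queue else "alarm"

    def _admit(self, dst, t):
        self.working.append(dst)  # oldest entry falls out when the set is full
        self.next_slot = max(t, self.next_slot) + self.interval

    def _release_due(self, t):
        while self.queue and t >= self.next_slot:
            self._admit(self.queue.popleft(), self.next_slot)


def simulate(throttle, attempts):
    """Run (time, destination) attempts through a throttle; return the verdicts."""
    return [throttle.request(dst, t) for t, dst in attempts]


def constructed_attempts():
    normal = [(float(t), ("a", "b", "c")[t % 3]) for t in range(12)]  # browsing 3 hosts
    worm = [(0.0, f"10.0.1.{i}") for i in range(50)]                  # 50 new hosts at once
    return normal, worm


if __name__ == "__main__":
    print("ARP scanners:", arp_scanners(constructed_arp_events()))
    normal, worm = constructed_attempts()
    print("normal traffic:", set(simulate(ConnectionThrottle(), normal)))
    verdicts = simulate(ConnectionThrottle(), worm)
    print("worm traffic:", {v: verdicts.count(v) for v in ("allowed", "delayed", "alarm")})
```

Neither technique needs to know what the worm does, which is the partial answer to the question the post ends on: they watch for behaviour no normal host exhibits (talking to empty addresses, opening dozens of new connections a second) rather than for a signature. The price is false positives on legitimate scanners and busy servers, which is why these products tune thresholds per host.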

Interesting article, but in the end we don’t know exactly what the next worm will do, so aren’t we back at square one, of always being wise after the event, like all anti-virus software? Or am I missing something?

Viruses And The Russian Connection

As feared, MyDoom seems to come from Russia. Or does it?

The Moscow Times quotes Kaspersky Labs as saying they used location-sensing software to trace the first e-mails infected with MyDoom back to addresses with Russian Internet providers. “It’s scary, but most serious viruses are written in Russia,” said Denis Zenkov, spokesman for Kaspersky, the country’s largest anti-virus software company.

This is not the first time. Russia has long produced virus writers: Dumaru, Mimail and Stawin may all have Russian origins.

But what has changed in the last year or so, it seems, is the commercialisation of Russian virus writing. These viruses are no longer the product of idle, alienated, out-of-work minds, but of folk working for professional spammers and scammers. Another Kaspersky expert, Alexander Gostiyev, is quoted by AFP as saying the creators of MyDoom were not aiming to disrupt Internet traffic but to use infected computers to distribute unsolicited junk mail. The attack “was very well planned and prepared, perhaps for several months, and at least 1,000 computers were infected in advance,” Gostiyev said. “The virus could be of use above all to criminal groups seeking to distribute spam,” he added.

Spam, however, may be the least of it. There’s not much money to be made from spam, whereas there is from theft. Stawin, for example, records keystrokes when infected victims access their bank accounts and sends the results to a Russian email address. British police are investigating the possibility that a wave of extortion attempts against gambling sites may come from Russia or Eastern Europe, according to Reuters. These attacks are related to the Super Bowl: sites that don’t pay up are brought down by a flood of traffic, a Distributed Denial of Service (DDoS) attack. A site dedicated to online betting recorded at least 20 sports betting sites that appeared to have been brought down over the weekend. With all the work that went into something like MyDoom, I can’t believe it’s only spam the creators are after.

Of course, this could all be a feint.

Agence France Presse quotes Kaspersky as saying “there is still a 20-percent chance that this was an attempt to mislead. Virus programmers from other countries could have registered an email address in Russia” as a ruse. And it’s not entirely clear what Kaspersky means by ‘location-sensing software’. This could mean more or less anything, and, as some folk have pointed out, the fact that Kaspersky is based in Russia makes it likely they will receive copies of the virus from Russian email addresses.

And it still leaves us with the fact that the virus was in part tooled to launch an attack on the website of SCO, a company that has riled the open-source community by claiming copyright over parts of the Linux operating system. The virus was designed to start attacking the site on February 1, and the site is presently down, apparently overwhelmed by traffic.

One final thing: there seems to be some confusion between the first and second MyDoom viruses. Variants often follow when folk get inspired by the success of a virus, but that doesn’t mean the same guy, or guys, wrote both. The presence of a note in English inside the second version of the virus (sync-1.01; andy; I’m just doing my job, nothing personal, sorry) appears to have confused some folk. The source, and purpose, of the first MyDoom remains a mystery.

Update: Sobig’s 9/11

Here’s some more evidence that the Sobig worms may be part of something more sinister: Central Command, a provider of PC anti-virus software and services, says the latest incarnation, Sobig.F, “is estimated to have infected millions of systems worldwide and may draw on them to be part of a cyber army focusing a digital assault against major online services”.
 
Here’s how it may work: when particular conditions are met, Worm/Sobig.F will attempt to download additional components of the attacker’s choice. The pre-configured conditions include checking whether the current day is Friday or Sunday and the time is between 19:00 (7PM) and 22:00 (10PM) UTC. When these conditions are met, the worm will attempt to retrieve further instructions, which may include downloading and executing a backdoor program. Backdoors can allow someone with malicious intent to gain full control of the infected computer.
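The trigger condition in working form, as an added example in Python (not code from Central Command or from the worm itself). It assumes the window runs from 19:00 inclusive to 22:00 exclusive UTC, which the advisory wording leaves open, and the dates it enumerates are constructed around the 10 September cut-off.

```python
"""Sobig.F's stated update window (Friday or Sunday, 19:00-22:00 UTC) as
checkable code. Added example: not Central Command's or the worm's code.
Assumption: the window is [19:00, 22:00) UTC; sample dates are constructed.
"""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
TRIGGER_WEEKDAYS = {4, 6}           # datetime.weekday(): Monday=0, Friday=4, Sunday=6
WINDOW_OPEN, WINDOW_CLOSE = 19, 22  # hours, UTC


def in_trigger_window(when: datetime) -> bool:
    """True if `when` falls inside the worm's update window.

    Only timezone-aware datetimes are accepted: a local 'Friday evening' can
    already be Saturday in UTC, which is exactly the mistake a naive value
    would hide.
    """
    if when.tzinfo is None or when.utcoffset() is None:
        raise ValueError("in_trigger_window needs a timezone-aware datetime")
    u = when.astimezone(UTC)
    return u.weekday() in TRIGGER_WEEKDAYS and WINDOW_OPEN <= u.hour < WINDOW_CLOSE


def trigger_windows(start: datetime, end: datetime):
    """All (open, close) UTC windows that overlap [start, end]."""
    s, e = start.astimezone(UTC), end.astimezone(UTC)
    day = s.replace(hour=0, minute=0, second=0, microsecond=0)
    windows = []
    while day <= e:
        if day.weekday() in TRIGGER_WEEKDAYS:
            opens, closes = day.replace(hour=WINDOW_OPEN), day.replace(hour=WINDOW_CLOSE)
            if closes > s and opens < e:
                windows.append((opens, closes))
        day += timedelta(days=1)
    return windows


if __name__ == "__main__":
    # constructed: from a Friday in late August 2003 to the worm's cut-off date
    start = datetime(2003, 8, 22, tzinfo=UTC)
    cutoff = datetime(2003, 9, 10, 23, 59, tzinfo=UTC)
    for opens, closes in trigger_windows(start, cutoff):
        print(opens.strftime("%a %Y-%m-%d %H:%M"), "to", closes.strftime("%H:%M UTC"))
    tokyo = timezone(timedelta(hours=9))
    # Saturday 04:30 in Tokyo is Friday 19:30 UTC: inside the window
    print(in_trigger_window(datetime(2003, 8, 23, 4, 30, tzinfo=tokyo)))
```

The reason for refusing naive datetimes is practical: a firewall or proxy log stamped in local time will put a Friday 19:30 UTC event on Saturday morning in Tokyo, and a detection rule that checks the local weekday will miss it. Convert to UTC first, then compare.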
 
“The virus author(s) of Sobig have developed a predictable pattern of releasing new variants soon after the current version de-activates itself,” said Steven Sundermeier, VP Products and Services at Central Command, Inc. “If the past repeats itself we could be looking at a newly constructed creation shortly after September 10th. A potential risk is that the massive army created by Worm/Sobig.F could be used to launch an all out attack on large Internet infrastructures, for example, by means of a Distributed Denial of Service attack (DDoS).”
 
This may come to nothing, as the LovSan worm’s planned attack on Microsoft did. But to make sure you’re safe, check that you haven’t got the Sobig worm aboard and, if you have, remove it.

Update: Manually Extracting Worms

Here are some tips for manually removing the Sobig.F worm, from Global Hauri, which sells something called ViRobot Expert to filter the unwanted emails generated by this virus (sorry, I haven’t tidied up the somewhat eccentric language):
 
 
To remove the virus, install anti-virus software and update to the latest definitions. Once the update is complete, scan the whole hard disk to remove the Sobig.F virus. It is also possible to remove the virus manually by searching for it on the system. Here are the steps to get rid of the critical file called ‘winppr32.exe’ from infected systems:

1.  Unplug your computer from the network.
2.  Boot the computer, hitting the F8 function key (above the numeric keys) until the boot options appear, then choose ‘Safe Mode’.
3.  Wait until the boot process has completed in Safe Mode.
4.  Open Task Manager by pressing Ctrl+Alt+Del together, and select the ‘Processes’ tab.
5.  Find and highlight ‘winppr32.exe’ on the Processes tab.
6.  To kill ‘winppr32.exe’, click the ‘End Process’ button at the bottom of the Processes tab.
7.  Go to ‘Start’ at the lower left corner of the Windows desktop and select ‘Search’ (it looks slightly different between NT, Windows 2000 and XP). Choose ‘All files and folders’, type ‘winppr32.exe’, and search the entire hard disk (if you have more than one hard disk, select them all).
8.  Delete every ‘winppr32.exe’ found in the search window.
9.  Reboot in normal mode and plug back into the network. (It will not reboot itself, since every ‘msblast.exe’ has been deleted.)
10. Install anti-virus software and update to the latest definitions.

News: Man Blames Trojan For Porn, Acquitted

Sophos reports that a British man has been cleared of storing child pornography on his computer after Trojans (malicious programs that let an outsider act on the machine without its owner’s knowledge) were found on it. The man had been arrested after 172 indecent pictures of children were found on his hard drive (the report doesn’t say how). A computer forensics consultant identified 11 Trojan horses on the man’s computer, capable of carrying out actions without the user’s knowledge or permission. The acquittal follows the case of another British man who was cleared in April under similar circumstances.
 
 
Seems, according to Sophos, that all these images could have been put there by someone remotely. Know anyone who might do that to you? “Some Trojan horses have the ability to take ‘remote control’ of your PC,” explains Graham Cluley, senior technology consultant at Sophos Anti-Virus. “A remote hacker can view what you are doing, take over your keyboard, steal information and even upload files to your computer if they wish. There can be no excuse for home users surfing the internet not to be running up-to-date anti-virus software and a personal firewall to keep their systems protected.”


Loose Wire: The State We Could Be in

By Jeremy Wagstaff
from the 28 March 2002 edition of the Far Eastern Economic Review, (c) 2003, Dow Jones & Company, Inc.

Voting in your underwear? Sounds an appealing proposition: the chance to exercise your constitutionally protected right without actually having to leave your home. You could be watching Frasier while working out which candidate you want to mess things up for you for the next three/four/25 years, based on criteria such as which one most closely resembles a Teletubby/Frasier’s brother Niles/your Aunt Maudlin.

Yes, the lure of Internet voting is coming around again. In May, soccer enthusiasts will be able to vote for their favourite players in the World Cup via a joint South Korean and Japanese project (mvp.worldcup2002.or.kr; the site is not fully functioning yet). This is just an on-line poll, of course, and doesn’t add much to the mix except to try to introduce a new social group (soccer fans) to the concept of on-line voting. Elsewhere, however, on-line voting is already kicking in: Some towns in Britain are undertaking pilot projects allowing voters to choose their local councillors via the Internet, or even via SMS, in borough elections in May.

I don’t want to be a killjoy, but this kind of thing gives me the heebie-jeebies. The arguments in favour of on-line voting make sense — faster counting, less human error, attracting younger, hipper voters with handphones and Internet connections in their hatbands, higher turnouts, you can vote in your underpants, etc., etc. — until you actually think about it. Computers, we’ve learned since we plugged one PC into another, are notoriously insecure. Viruses are now so sophisticated and prevalent that many security consultants advise their clients to update their anti-virus software every day. What are the chances of a voting system not being a juicy target for people writing these nasty little vermin programs?

Another argument wheeled out in favour of Internet voting is this: the Web is now managing billions of dollars of transactions successfully, so why can’t it handle voting? There’s a simple answer to this, as security consultant Bruce Schneier of Counterpane Internet Security (www.counterpane.com) explains: the whole point of voting is that it’s supposed to be anonymous, whereas any financial transaction has attached to it details of payer, payee and other important data. This makes it much, much harder to protect any voting system from fraud, much harder to detect any fraud and much harder to identify the guy conducting the fraud. What’s more, if there was evidence of fraud, what exactly do you do in an on-line vote? Revote? Reconduct part of the vote? Chances are that faith in the overall ballot has been seriously, if not fatally, undermined.

Some of these problems could be done away with via ATM-style machines that print out a record of the vote. That could then be used in any recount. But it’s still not enough: As on-line voting expert Rebecca Mercuri points out, there is no fully electronic system that can allow the voter to verify that the ballot cast exactly matches the vote he just made. Some nasty person could write code that makes the vote on the screen of a computer or ATM-machine printout different from that recorded. This may all sound slightly wacky to people living in fully functioning democracies. But (political point coming up, cover your eyes if you prefer) democracies can be bent to politicians’ wills, and one country’s voting system may be more robust than another’s.

Scary stuff. Florida may seem a long way away now, but the lesson from that particular episode must be that any kind of voting system that isn’t simple and confidence-inspiring gives everyone stomach ulcers. The charming notion that the more automation you allow into a system, the more error-free and tamper-proof it becomes, is deeply misguided. The more electronics and automation you allow into the system, the less of a role election monitors can play.

Internet voting, or something like it, may well be the future. I’d like to see it wheeled out for less mission-critical issues, like polling for whether to introduce traffic-calming measures in the town centre, or compulsory kneecapping for spitters, say. But so long as computers remain fragile, untamed beasts that we don’t quite understand, I’d counsel against subjecting democracy to their whim. Even if I am in my underpants.