Tag Archives: Norton AntiVirus

KL’s Airport Gets Infected

image

If there’s one place you hope you won’t get infected by a computer virus, it’s an airport.

It’s not just that the virus may fiddle with your departure times; it’s the wider possibility that the virus may have infected more sensitive parts of the airport: ticketing, say, or—heaven forbid—flight control.

Kuala Lumpur International Airport—Malaysia’s main international airport—was on Friday infected by the W32.Downadup worm, which exploits a vulnerability in Windows that Microsoft patched back in October. The worm, according to Symantec, does a number of things: it creates an HTTP server on the compromised computer, deletes restore points, downloads other files and then starts spreading itself to other computers.

image

Enlargement of the photo above. The notification says Symantec Antivirus has found the worm, but has not been able to clean or quarantine the file.

KL airport clearly isn’t keeping a tight rein on its security. The virus alert pictured above is at least 12 hours old and the vulnerability it exploits had been patched up a month before. Says Graham Cluley of UK-based security software company Sophos: “What’s disturbing to me is that over a month later, the airport hasn’t applied what was declared to be an extremely critical patch, and one which is being exploited by malware in the wild.”

What’s more worrying is that this isn’t the first time. It’s the first time I’ve noticed an infection on their departures/arrivals board, but one traveller spotted something similar a year and a half ago, with a Symantec Antivirus message popping up on one of the monitors. I saw a Symantec Antivirus message on one monitor that said it had “encountered a problem and needs to close”, suggesting that the worm had succeeded in disabling the airport’s own antivirus defences:

image

So how serious is all this? Cluley says: “Well, it’s obviously a nuisance to many people, and maybe could cause some disruption… but I think this is just the most “visible” sign of what may be a more widespread infection inside the airport. I would be more concerned if ticketing and other computer systems were affected by the same attack.”

He points to computer viruses affecting other airports in recent years: In 2003, Continental Airlines check-in desks were knocked out by the Slammer worm. A year later, Sasser was blamed for leaving 300,000 Australian commuters stranded, and BA flights were also delayed.

For me, the bottom line about airports and air travel is confidence. As a traveler I need to feel confident that the people deciding which planes I fly and when are on top of basic security issues. And that doesn’t mean just frisking me at the gate. It also means keeping the computer systems that run the airport safe. This is probably just sloppy computer habits but what if it wasn’t? What if it was a worm preparing for a much more targeted threat, aimed specifically at air traffic?

(I’ve asked KL International Airport and Symantec for comment.)

Is That a Virus on Your Phone or a New Business Model?

This week’s WSJ.com column (subscription only) is about mobile viruses — or the lack of them. First off I talked about CommWarrior, the virus any of you with a Symbian phone and Bluetooth switched on will have been pinged with anywhere in the world.

CommWarrior isn’t new: It has been around since March 2005. But this isn’t much comfort if you find yourself — as a lunch companion and I did — bombarded by a dozen attempts to infect our phones before the first course had arrived. So is CommWarrior just the thin end of a long wedge? Yes, if you listen to the Internet-security industry. “I can personally assure you that mobile threats are reality, and we have to start taking our mobile security seriously,” says Eric Everson, who admittedly has a stake in talking up the threat, given that he is founder of Atlanta-based MyMobiSafe, which offers cellphone antivirus protection at $4 a month.

But the security industry has been saying this for years about viruses — usually lumped together under the catchall “malware” — and, despite lots of scare stories, I couldn’t find any compelling evidence that they are actually causing us problems beyond those I experienced in the Italian restaurant.

For reasons of space quite a bit of material had to be dropped, so I’m adding it here for anyone who’s interested. Apologies to those sources who didn’t get their voices heard.

Symantec, F-Secure Security Labs and other antivirus companies call FlexiSPY a virus (though, strictly speaking, it’s a Trojan, meaning it must be installed by the user, who thinks the program does something harmless). “In terms of damaging the user, the most serious issue at the moment is commercial spyware applications such as FlexiSPY,” says Peter Harrison, of a new U.K.-based mobile-security company, UMU Ltd.

Not surprisingly, however, Mr. Raihan isn’t happy to have his product identified and removed by cellphone antivirus software, though he says his protests have fallen on deaf ears. “We are a godsend to them,” he says of the mobile antivirus companies. “They are fear-mongering as there is not a significant problem with viruses in the mobile space.”


A Patch in Time?

Further to my earlier post about what I felt was Symantec’s somewhat tardy and insubstantial public response to the discovery of a serious vulnerability in its own Antivirus software, I don’t feel much more at ease after an email exchange with their PR folk. First off, Symantec has, by midday in the Asian day, come up with a fix which can be downloaded here. “Symantec product and security teams,” the media statement says, “have worked around the clock since being notified of this issue to ensure its customers have the best protection available.”

That’s good. And quick. But not, I fear, good enough in PR terms. Why has Symantec worked around the clock to find a solution but not made the same effort to let interested people know of the problem in the first place? There’s been no press release on the web site, for example, only a media statement emailed to those journalists who enquire. When I asked Symantec’s PR about this, and requested a comment on my original post, all I got was a copy of the media statement and a link to the original security advisory. So I asked where I could find the “media statement” online, where customers, readers, users and the media could find it. Their response: “Symantec posts security advisories [here]. Please contact Symantec Public Relations for any information you need.”

Sorry, but I don’t think this is sufficient. Security advisories are for specialists. This is not a specialist problem. It’s a vulnerability that affects everyone who uses the software, and people need to know about it. (A Google search throws up more than 130 stories on the topic.) Symantec, I feel, needs to be upfront about the problem and blanket everyone with information, not bury it. Symantec occupies a hallowed position in the Internet world, since journalists, users and others turn to it for supposedly objective views on the state of Internet security. Symantec makes the most of this position, straddling telling us about the problem and selling us the solution for it.

Perhaps I’m overstating things here, but I feel Symantec has let us down. I need to know that if I’m entrusting Symantec with defending my valuable data and office network, it’s going to tell me if there’s a problem with that defence. It’s no good hiding behind the line, as Symantec PR does in its response to my email, that “There are no exploits of this vulnerability. Symantec strongly recommends customers to follow best practices and apply the patches as soon as they become available from Symantec.” First off, what that really means is that there are no known exploits. I don’t see how Symantec can be 100% sure of this. One has to assume that if there’s a hole in your defensive wall, someone is going to see it. Especially if it’s been publicised. Now the world has known there is a problem with Symantec’s software since Thursday. It’s now Monday. I’m assuming the bad guys too read these websites and news agencies.

So while the argument that you should throw all your effort into plugging the hole and then telling your customers you’ve built a plug might work if the vulnerability wasn’t publicised, this wasn’t the case. It was splashed all over the shop. Symantec’s position on this process is “that we are responsible for disclosing product vulnerabilities to our customers, but in general, no vulnerability should be announced until we have developed and thoroughly tested a patch and made it available to licensed customers.” (For a list of all Symantec product vulnerabilities, look here.) This clearly wasn’t going to happen here, because the vulnerability was already made public, for better or worse. And the process of “disclosing product vulnerabilities to our customers” seems to be somewhat weak here; if the vulnerability is an obscure one, perhaps an advisory might work. But more people than just a sysadmin needed to know what was happening and yet no one, unless they really looked on Symantec’s site, was any the wiser. Still aren’t, actually, since no press release is available.

Some lessons in here. Sometimes just keeping readers, journalists, bloggers, customers in the loop helps, even when it’s bad news.

Symantec’s Hole

I am starting to be a bit concerned about the future of blogs, but there’s no question a blog is the best way to get information out to people quickly, especially if it’s about the Internet, technology or tech-related stuff. It needn’t be a blog, but it needs to share the blog’s most powerful features – speed, ease of use, ease of discovery – and to be deliverable by the best mechanism we’ve come across so far: RSS.

Case in point: Symantec, one of the world’s biggest makers of antivirus software, are red-faced after eEye Digital Security revealed on Thursday that it had found a software vulnerability inside Symantec’s Anti-Virus Corporate Edition 10.0. As darkreading says, the vulnerability requires no user intervention and could be used to create a worm. This is an important event, and Symantec need to let their customers, and people in general, know about this as soon as possible. So why is the company’s website making no reference to the exploit, except for a “Symantec Client Security and Symantec AntiVirus Elevation of Privilege”, which cannot mean anything to anybody except the smallest circles (an Elevation of Privilege is, according to Microsoft, “the process by which a user obtains a higher level of privilege than that for which he has been authorized. A malicious user may use elevation of privilege as a means to compromise or destroy a system, or to access unauthorized information.”)

No mention in the heading of a vulnerability, or a problem with the very software that is used by a lot of people. Unless you really know what you’re looking for, the advisory doesn’t really shed much light on the issue. Nor does Symantec’s main website: While the main page includes a link to the advisory under its Recent News tab on the left of the page, with the less than informative “AntiVirus Notice: Norton Customers Not Affected; Advisory for Corporate Customers”, I could find no press release two days after the vulnerability had been found and been acknowledged by Symantec. The latest Symantec news release is from Wednesday, the day before the vulnerability was found, and there’s nothing there I can find that relates in any way to the issue at hand. This despite there definitely being a statement out there, because eWeek quote a statement from a Symantec spokesman sent to the magazine.

I’m requesting a comment from Symantec to see what they say about this. Apologies if I’ve missed something here, but my feeling is that Symantec need to be very upfront about this kind of thing — a vulnerability in a piece of software its customers rely on to keep out the bad stuff — and to inform readers, journalists, users and investors in a faster, more open and more informative way than they have done so far. A blog would be the perfect place to start.

Is Antivirus Software Still Up To The Job?

How often do antivirus manufacturers admit that their products are not really up to the challenge anymore?

The only folks I know who do this are those from Trend Micro. I interviewed Steve Chang, its founder, a couple of years back, and he made it clear that antivirus software can’t keep everything out. But it doesn’t always come across quite as frankly as it should. This BusinessWorld piece today, an interview with Ah Sin Ang, Trend Micro Incorporated’s regional marketing manager for South Asia, asks the important question: is there yet no antivirus software that can protect us from phishing?

Ang’s reply could be more thorough, but it’s probably more honest than some of Trend Micro’s competitors: If you are aware that banks don’t send you these types of emails, you’ll be protected. That’s why Trend Micro emphasizes public education.

He also makes the valid point that ‘antivirus’ is not a particularly useful term anymore: Although anti-virus is a general term for Internet security, we like an antivirus software to clarify what that software means – does it include protection against Trojans, spyware, adware and hackers? Does it block unhealthy sites? Once you get infected, there may be a lot of pop-ups featuring pornographic and gambling sites. A good integrated software must also allow filtering. When you filter, it must also be able to filter spam and phishing.

I think the bottom line is that antivirus software is not doing what its customers think it’s doing. Most of us can’t tell the difference between a worm and a Trojan, and tend to assume that antivirus software will also protect us if we click on something in an email that takes us to an infected site. This is no longer true, if it ever was. Instead, the software gives us a false sense of security. Would we be better off not having it, and instead educating ourselves about threats?

Korgo Spreads Its Wings

Seems like the big anti-virus boys are waking up to Korgo, the ‘phishing worm’ that F-Secure was warning about a few days ago.

Symantec have just issued an advisory upgrading W32.Korgo.F, a new variant of the worm, from a Level 2 to a Level 3 threat. As Symantec says, W32.Korgo.F is a worm that attempts to propagate by exploiting a Microsoft Windows vulnerability publicly announced on April 13, 2004, the LSASS Buffer Overrun Vulnerability. This vulnerability allows a hacker, in the words of Symantec, “to execute malicious code on a vulnerable system, resulting in full system compromise.”

But what I don’t understand is why Symantec don’t indicate the real threat behind this worm: that it steals passwords. Nor is there any mention of the keylogging properties of Korgo (sometimes called Padobot or Lsabot) on Sophos or McAfee (which has found a seventh variant, but measures all the threats as low). Even a more detailed explanation on Virusdesk doesn’t refer to the keylogging capability. Why is that?

F-Secure point out that “this latest worm makes it possible to gain access to secure passwords and other valuable information, such as credit card numbers. Banking information is especially vulnerable as this is essentially a keylogging virus.” I can’t see Symantec mentioning this key bit of information, which as UK-based Netcraft points out “represents an alarming advance in phishing, as it forgoes the need to trick the end user into divulging details.”

End users: Symantec recommends that users update their antivirus definitions and configure their firewalls to block ports 113 and 3067.

More On MyDoom, And Why

It’s not my intention for loosewire to become a realtime virus news service, but this is a special case, so here’s more on MyDoom/Novarg, the worm that I’ve reported on before.

Doom, it seems, is being prepared for the SCO Group, a company that sells Unix software and has been the focus of several Internet attacks, apparently in response to its legal claims that Linux contains software that violates its intellectual property.

Symantec have just upgraded the W32.Novarg.A@mm (also known as W32.Mydoom@mm) from a Level 3 to a Level 4 threat (5 is the highest) based on how fast the threat is spreading, the potential damage and the threat distribution. Like MX Logic it is comparing the worm to Sobig.F@mm — discovered on August 13, 2003 — in terms of the number of folk submitting it: more than 960 in 9 hours.

Here’s some more information on what it may do to you if you’re infected:

  • the worm copies itself to the system folder as taskmon.exe and listens to all TCP ports in the range 3127 to 3198, allowing hackers to potentially send additional files to be executed by your computer;
  • it propagates by sending itself to addresses found in files with the extensions: .htm, .sht, .php, .asp, .dbx, .tbb, .adb, .pl, .wab, and .txt;
  • (and here’s the sting) it will also attempt to perform a denial-of-service attack between Feb. 1 and Feb. 12, 2004 against www.sco.com. The worm creates 64 threads that send HTTP “GET” requests to the SCO site.
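A defender-side check built from the indicators in the list above (the dropped file name and the backdoor port range), written as an added example that is not from the original post or from Symantec: it correlates `netstat -ano` output with `tasklist` output to flag listeners in the MyDoom port range and the process that owns them. The netstat and tasklist lines are constructed samples, not real captures; the port range and file name are those the post describes.

```python
from typing import Dict, List, Tuple

# Indicators from the description above: the worm drops taskmon.exe and
# listens on TCP ports 3127-3198 so further files can be pushed to the host.
BACKDOOR_PORTS = range(3127, 3199)  # 3127..3198 inclusive
DROPPED_FILE = "taskmon.exe"

# Constructed sample output in the style of `netstat -ano` (not a real capture).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING       1720
  TCP    0.0.0.0:3128           0.0.0.0:0              LISTENING       1720
  TCP    192.168.1.10:1056      203.0.113.5:80         ESTABLISHED     2204
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample output in the style of `tasklist` (not a real capture).
SAMPLE_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
svchost.exe                    884 Console                    0      4,120 K
taskmon.exe                   1720 Console                    0      2,340 K
iexplore.exe                  2204 Console                    0     18,560 K
"""

def parse_netstat(text: str) -> List[Tuple[int, int]]:
    """Return (port, pid) for every TCP socket in LISTENING state."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        # TCP rows have five columns; UDP rows carry no State column and are skipped.
        if len(parts) == 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            port = int(parts[1].rsplit(":", 1)[1])
            listeners.append((port, int(parts[4])))
    return listeners

def parse_tasklist(text: str) -> Dict[int, str]:
    """Map PID -> lower-cased image name, skipping header and separator rows."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].isdigit():
            procs[int(parts[1])] = parts[0].lower()
    return procs

def find_mydoom_indicators(netstat_text: str, tasklist_text: str) -> List[dict]:
    """Correlate listeners in the backdoor port range with the process that owns them."""
    procs = parse_tasklist(tasklist_text)
    findings = []
    for port, pid in parse_netstat(netstat_text):
        if port not in BACKDOOR_PORTS:
            continue
        image = procs.get(pid, "<unknown>")
        # The dropped file name owning a port in the range is the strongest signal;
        # any other image listening there still deserves a look.
        severity = "high" if image == DROPPED_FILE else "medium"
        findings.append({"port": port, "pid": pid, "image": image, "severity": severity})
    return findings

if __name__ == "__main__":
    for f in find_mydoom_indicators(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print(f"[{f['severity']}] TCP {f['port']} open by PID {f['pid']} ({f['image']})")
```

On a live machine, feed the functions the real output of `netstat -ano` and `tasklist` instead of the constructed samples; a legitimate service on a port in this range will show up at "medium" and needs a manual look rather than automatic action.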

One aspect to this that worries me: I’ve noticed it’s not possible (unless I’m missing something) to increase the frequency of automatic virus library updates with Norton Antivirus. In my view updates should be done every day: For example, anyone not updating their software in the last few hours will be vulnerable. Yet how many people do that? I’ve noticed my automatic update seems to do so once a week, if I’m lucky. There must be a better way of doing this simple task: How about using Norton’s own Level alert ladder, which could be routinely checked remotely by users’ computers? If there’s a dangerous virus in the wild, the software updates; if not, it sticks to its normal schedule. How about it?

Zone Labs Snapped Up – Firewalls R Us?

My favourite firewall, Zone Alarm, is being bought by another firewall maker, Check Point Software Technologies [CNet News.com].

It looks to me as if there’s quite significant consolidation within the security software industry, not just from the point of view of big guys buying the smaller guys, but of companies trying to create products that offer an all-round ‘security solution’. Symantec have long peddled this type of idea, but their 2004 embodiments have increased the coverage to include cutting out spam, spyware and even pop-ups. With Check Point focusing on server-side software it makes sense that they grab Zone Labs, whose strength is software for desktops and notebooks.

Expect to see software companies trying to push more integrated software that offers this kind of overall solution to corporates and to ISPs. It obviously makes sense for companies to farm out these kinds of problems — viruses, spam, any kind of disrupting influence on their networks — to a single vendor, and Internet Service Providers will doubtless see a market to sell something similar to the individual user, keeping such rubbish out of their inbox and away from other subscribers.

My only worry is that such ‘packaged solutions’ may not offer the best individual component: Just because a company makes all the products you need, doesn’t mean they’re all great. I use Norton Antivirus but stick with Zone Alarm because it tells me more about what’s going on.

News: Norton Chips In

I should have known, given the whole virus thing is big business, that if one company announces a new product, its rival down the street isn’t likely to stay silent. Hot on the heels (or maybe before, who knows) of McAfee’s upgrade to its VirusScan, Symantec Corp. announced Norton AntiVirus 2004, although tellingly it’s not ‘widely available’ until early September. (Not trying to muddy McAfee’s launch, are we lads?)

Norton AntiVirus 2004 takes a slightly different approach to the growing threat of worms, rather than viruses (worms jump aboard without the user doing anything like loading a file, while viruses depend on the user actually doing something). Norton AntiVirus 2004 will include scans for programs on the user’s computer that can be used with malicious intent to compromise the security of a system, spy on the user’s private data, or track users’ online behavior. AntiVirus will identify and block these threats at the point of entry to the system, detecting the threats during scans of email and instant message attachments, or during scheduled or on-demand system scans. This seems a little different to McAfee, although on the surface this all doesn’t sound that new. I’ll take a closer look and get back to you.

Norton AntiVirus 2004 and Norton AntiVirus 2004 Professional will be available for an estimated retail price of US$49.95 and US$69.95.