Is Windows Live Messenger a Trojan?

ZoneAlarm by Check Point (firewall, antivirus and antispyware) is a tool I have used for quite some time on one of my computers. Today it offered an update to the new version 7.0.462.000. After installing it and starting an antispyware scan, it detected Windows Live Messenger and classified it as a Trojan with medium risk. ZoneAlarm recommended that I should “delete this application immediately because it constitutes security and privacy risks, and has no known usefulness”.

Here is a screen shot (censored for privacy reasons):

[Screen shot: Windows Live Messenger detected as a Trojan]

ZoneAlarm offered the options to quarantine, delete or ignore it. After I selected delete, it actually deleted Windows Live Messenger!

I reinstalled Messenger, scanned again for spyware and the same thing happened again. So we can now say that Check Point firmly considers Windows Live Messenger a Trojan. Some people will say: not too far from the truth, is it? :)

Hopefully Check Point and Microsoft will resolve this in mutual talks and confirm Messenger as safe software.


Does an Expert Need Antivirus Software?

Posted in Malicious Software, Threats, Vulnerabilities, Attacks by Dragan Pleskonjic @ Sep 26, 2007

This is a very interesting question that Steve Riley discussed in a recent post on his blog (here). Of course, a number of people asked him whether he was recommending such a stance to other individuals or to organizations, and shortly afterwards Steve gave a more detailed explanation (here). More important is that security decisions always involve tradeoffs. They also (should) involve an intimate understanding of what the users will be doing with their computers.


Malicious Software: Today’s Most Prevalent Threats

Posted in Malicious Software, Threats, Vulnerabilities, Attacks by Dragan Pleskonjic @ Sep 20, 2007

Mark Kanok from Symantec published an interesting post titled Detection and Remediation on the official Symantec blog. It contains updated definitions of some of today’s most prevalent threats:

  • Backdoors — A backdoor is an undocumented way of gaining access privileges to a program, typically for the intent of opening up further access or vulnerabilities.
  • Bots or Zombies — A computer that is under the control of a malicious hacker without the knowledge of the computer owner, and is typically used to execute various nefarious processes in a networked basis (e.g. denial of service attacks, spam, etc.)
  • Trojan Horse — A Trojan Horse is malicious software that masquerades as a legitimate or benign program, often exploiting the willingness of users to try “free” software.
  • Polymorphic Virus — A polymorphic virus is one that changes its binary pattern, or signature, every time it replicates and infects a new file, in order to keep from being detected by signature-based antivirus programs.
  • Rootkit — A rootkit is a malicious program that is activated each time the system boots up, making it especially difficult to detect and remove. In some cases, rootkits are counted as Trojan Horses.
  • Drive-By Downloads — A drive-by download is a program that is automatically downloaded onto the computer without the user’s consent or knowledge. Drive-by downloads can be initiated simply by visiting a dangerous Web site or by viewing an HTML e-mail message.
  • Phishing — A phishing attack is a type of scam designed to lure a victim — typically via a cleverly written, legitimate-looking e-mail — to a false web site, which also tends to look legitimate. The victim’s personal or financial information is then compromised.

A/V Research on Detecting File Infections Was a Waste of Time?

Posted in Malicious Software, Security Research by Dragan Pleskonjic @ Aug 31, 2007

This is really interesting reading on the invisiblethings blog: Tricky Tricks. Joanna Rutkowska says:

So, do I want to say that all those years of A/V research on detecting file infections was a waste of time? I’m afraid that is exactly what I want to say here. This is an example of how the security industry took a wrong path, the path that never could lead to an effective and elegant solution. This is an example of how people decided to employ tricks, instead of looking for generic, simple and robust solutions.

Security should not be built on tricks and hacks! Security should be built on simple and robust solutions. Oh, and we should always assume that the users are not stupid – building solutions to protect uneducated users will always fail.


Tourism Sites Suffer ‘Italian Job’ Web Attacks

Posted in Internet Security, Malicious Software by Dragan Pleskonjic @ Jun 19, 2007

Thousands of Italian tourism websites have been hit by a virus that infects the computers of visitors, then slithers through them in search of confidential information.

The attack, known as The Italian Job, has hit over 4,500 websites on travel in Italy. So-called Trojan software is installed on the computers of people visiting the sites, taking over that computer and sending bank records and other data to a server believed to be located in Chicago.

Only those using out-of-date versions of Microsoft’s Internet Explorer are vulnerable to the attack. The attack was apparently launched using Russian software that runs at about $700. It is controlled remotely by its programmers, who can redirect the flow of information if the current server destination is shut down.

This attack was given the name HTML_IFRAME.CU, and you can read more about it on the Trend Micro website (here and here).
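The detection name HTML_IFRAME.CU suggests that the compromised tourism sites were serving visitors an injected iframe. Below is an added example, not code from the post or from Trend Micro, of what a site owner can run over their own HTML to spot such injections. It assumes the injected code takes the form of an iframe that loads from a foreign host, has near-zero dimensions, or is hidden with CSS; the page content and the host names in it are constructed placeholders, not the sites or servers involved in the attack.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            # HTMLParser gives attribute values as None for bare attributes
            self.iframes.append({k: (v or "") for k, v in attrs})


def _size(value):
    """Parse a width/height attribute such as "0", "1px" or "100%"; None if not a plain number."""
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    return int(v) if v.isdigit() else None


def find_suspicious_iframes(html, site_host):
    """Flag iframes that load from another host, are near-zero sized, or are hidden with CSS.

    site_host is the host name the page is legitimately served from; anything else is foreign.
    """
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        reasons = []
        src = attrs.get("src", "")
        host = urlparse(src).hostname  # None for relative URLs, which stay on the same host
        if host and host.lower() != site_host.lower():
            reasons.append(f"external source host {host}")
        width, height = _size(attrs.get("width", "")), _size(attrs.get("height", ""))
        if (width is not None and width <= 1) or (height is not None and height <= 1):
            reasons.append("near-zero size")
        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed sample page (hosts are placeholders, not real sites): one legitimate
# booking iframe on the site's own host and one injected, hidden, foreign iframe.
SAMPLE_PAGE = """<html><body>
<h1>Hotel Example - book your stay</h1>
<iframe src="http://www.hotel.example/booking" width="600" height="400"></iframe>
<p>Welcome to our hotel on the coast.</p>
<iframe src="http://injected-host.example/page.html" width="0" height="0"
        style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_PAGE, "www.hotel.example"):
        print(finding["src"], "->", ", ".join(finding["reasons"]))
```

Each reason on its own can have a legitimate cause (analytics iframes are often tiny, CDN-hosted widgets are foreign), so the scanner reports reasons rather than deciding for you; an iframe that collects all three is the one to look at first, and comparing the live page against a known-good copy from version control is the quickest way to confirm an injection.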


Should We Teach Students How To Write Viruses?

Posted in Education and Training, Malicious Software by Dragan Pleskonjic @ Jun 12, 2007

Over two years ago, George Ledin wrote an essay in Communications of the ACM in which he advocated teaching worms and viruses to computer science majors. He stated in that essay:

Computer science students should learn to recognize, analyze, disable, and remove malware. To do so, they must study currently circulating viruses and worms, and program their own. Programming is to computer science what field training is to police work and clinical experience is to surgery. Reading a book is not enough. Why does industry hire convicted hackers as security consultants? Because we have failed to educate our majors.

This spring semester, George Ledin Jr. taught the course at Sonoma State University. He created a class that taught students how to design and execute malicious programs that can take over a computer, steal information, or cause the computer to erase vital information and need a complete overhaul. Ledin believes that teaching students how to write computer viruses will give them a better understanding of how malicious programs are made and the knowledge needed to create better defenses. The controversial class, which SSU officials call the first of its kind in the nation, has drawn heavy criticism from members of the computing community. Three security software development companies sent SSU hostile letters, according to Ledin, and have pledged not to hire SSU graduates. That threat did not stop 15 students from signing up for the course. To prevent any malware created during the course from endangering any computers on the Internet, all work was done in an isolated lab disconnected from the network. Ledin acknowledged that there is a danger that some student might maliciously release a virus, but like with other academic fields that deal with dangerous and controversial material, teachers must rely on the students’ ethics. To help reinforce those ethics, SSU assistant professor of philosophy John Sullins was added to the course as a second instructor, and continuously reminded students of the potential consequences. Ledin developed the idea for this class after writing an editorial emphasizing the need for better education on malware for an ACM publication. Ledin said that despite the criticism he plans to teach the course again. “There is a perception that this is a taboo topic and shouldn’t be taught,” Ledin said. “But if we are going to develop better security, we need to know how these programs work.”

It received a lot of press coverage. Here are some articles:

Bruce Schneier commented on this:

No one wrote a virus for a class project. No new malware got into the wild. No new breed of supervillain graduated.

Teaching this stuff is just plain smart.

One of the comments on this course was:

I believe that anyone who criticizes Ledin should meditate on whether the action of forbidding virus lessons could lead to a more secure computer world. This story reminds me of something that I experienced in my childhood. I was a teenager, and I was supposed to have a lecture on human reproduction, but a group of parents came to my school to complain about the subject and the school representatives decided to eliminate the subject from the program. That was a similar situation: did those parents educate their children with strong morals? Would the companies who disagree with the classes hire students with stronger ethics and morals because they couldn’t learn how to program a virus at the university? Do they know there are a lot of documents on how to do that? Are they trying to cover the sky with their hands?
Besides, the advantage of learning something with the guidance of someone with expertise is of real value. Should the academic members have the knowledge? Yes, they should!

So, should we teach students how to write viruses?

This will probably cause many discussions in the future. But I think it will end with the recommendation that we should teach students about viruses and worms, but also give them good advice and ethical guidance in this area, as medical doctors get on human viruses.


How to Install a Content Filtering and Virus Checking Proxy

Posted in Internet Security, Malicious Software by Dragan Pleskonjic @ May 14, 2007

Commercial filters are often expensive, especially when used on a large number of computers, as would be the case in a school computer lab or in small or medium companies with computer networks. In contrast, open source filters are generally freely available for download. In addition, since commercial filters are proprietary, in many cases the system administrator does not have the opportunity to modify or even view the lists of blocked sites.

The article consists of two parts and I can recommend reading it. Here is part 1 and part 2.


Some Security Utilities Can Kill Performance

Posted in Malicious Software, Security, Tools and Utilities by Dragan Pleskonjic @ Mar 3, 2007

Be careful when choosing the antivirus, antispyware and software firewall tools that you will use. They can significantly slow down the performance of your Windows system, including but not limited to boot time, application start-up and file I/O delays. I used Symantec Norton Antivirus for a long period of time. More than that: I can say that I have liked Symantec since Peter Norton’s times and the famous DOS Norton Utilities, and that guided me later to choose Norton Antivirus and not any other. I was reluctant and turned down much advice from colleagues to change to other antivirus software. But as boot time and the performance of opening files and applications were significantly degraded, I started to seriously consider other solutions. A colleague spotted this article and it finally prompted me to give up on Symantec Norton Antivirus, and I have now bought NOD32. It was a real improvement in the performance of my system. Adieu Symantec Norton Antivirus, welcome NOD32!


Happy New Year Virus

Posted in Malicious Software by Dragan Pleskonjic @ Jan 1, 2007

Just a quick note and warning on New Year’s night: a new virus is spreading on the Internet. It carries the file postcard.exe or greetingcard.exe (and variants), masked as a greeting card sent to you by someone. Be careful when opening attachments with names similar to, but not limited to:

  • postcard.exe
  • Postcard.exe
  • greeting card.exe
  • Greeting Card.exe
  • greeting postcard.exe
  • Greeting Postcard.exe

This virus is currently being spammed in e-mails with the subject “Happy New Year” and a couple of similar ones:

  • Annual Fun Forecast!
  • Baby New Year!
  • Best Wishes For A Happy New Year!
  • Fun 2007!
  • Fun Filled New Year!
  • Happiness And Continued Success!
  • Happiness And Success!
  • Happiness In Everything!
  • Happy 2007!
  • Happy New Year!
  • Happy Times And Happy Memories!
  • May Your Dreams Come True!
  • New Hopes And New Beginnings!
  • New Year… Happy Year!
  • Promises Of Happy Times!
  • Raising A Toast To Happy Times!
  • Scale Greater Heights!
  • Sparkling Happiness And Good Times!
  • Warm New Year Hug!
  • Warmest Wishes For New Year!
  • Welcome 2007!
  • Wish You Smiles And Good Cheer!
  • Wishing You Happiness!
  • Wishing You Happy New Year!

According to reports, the virus has started to mutate.
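The two lists above (lure attachment names and lure subjects) are exactly what a mail gateway rule is built from. Below is an added example, not code from the post, of a small Python classifier that parses a message, normalises the attachment name (case and spacing vary between the variants listed), and combines the name and subject lists into a verdict. Because the post says the names are “similar but not limited to” those listed, the example goes one step beyond it and also flags any executable attachment for review; that generic rule, the verdict thresholds, and the sample messages it builds (constructed, with placeholder addresses and a dummy payload) are all assumptions of this example.

```python
import email
from email import policy
from email.message import EmailMessage

# Lure attachment names and subjects taken from the post, normalised to lower case
# and single spaces. The executable-extension rule is an assumption that goes beyond
# the post's list, so that unlisted variants still get a second look.
LURE_ATTACHMENTS = {"postcard.exe", "greeting card.exe", "greeting postcard.exe"}
LURE_SUBJECTS = {
    "happy new year!", "happy 2007!", "welcome 2007!", "fun 2007!",
    "baby new year!", "warm new year hug!", "wishing you happy new year!",
    "best wishes for a happy new year!", "fun filled new year!",
}
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com")


def normalise(text):
    """Lower-case and collapse whitespace so "Greeting  Postcard.EXE" matches the list."""
    return " ".join(text.lower().split())


def classify_message(raw):
    """Return a verdict ("block", "review" or "pass") and the reasons for a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = normalise(str(msg["Subject"] or ""))
    reasons = []
    subject_hit = subject in LURE_SUBJECTS
    if subject_hit:
        reasons.append(f"subject matches known lure: {subject!r}")
    known_name = executable = False
    for part in msg.iter_attachments():
        name = normalise(part.get_filename() or "")
        if name in LURE_ATTACHMENTS:
            known_name = True
            reasons.append(f"attachment name matches known lure: {name!r}")
        elif name.endswith(EXECUTABLE_EXTENSIONS):
            executable = True
            reasons.append(f"executable attachment: {name!r}")
    # A known lure name, or an executable arriving under a known lure subject, is blocked;
    # any other executable attachment is queued for review.
    if known_name or (executable and subject_hit):
        verdict = "block"
    elif executable:
        verdict = "review"
    else:
        verdict = "pass"
    return {"verdict": verdict, "reasons": reasons}


def build_sample(subject, attachment_name, payload=b"constructed dummy payload, not a program"):
    """Build a constructed test message (not a captured sample) with a single attachment."""
    m = EmailMessage()
    m["From"] = "greetings@sender.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content("Someone has sent you a greeting card. Open the attachment to view it.")
    m.add_attachment(payload, maintype="application", subtype="octet-stream",
                     filename=attachment_name)
    return m.as_bytes()


if __name__ == "__main__":
    for subj, name in [("Happy New Year!", "Greeting Postcard.exe"),
                       ("Meeting notes", "update.exe"),
                       ("Meeting notes", "notes.pdf")]:
        print(subj, "/", name, "->", classify_message(build_sample(subj, name)))
```

Name and subject lists age quickly once a virus starts to mutate, which is why the generic executable rule carries the weight after the first day; matching on the attachment's actual content type or a hash of the payload would be the next step, but the post gives neither, so the example stays with what it lists.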


The Panda Software Virus Yearbook 2006

Posted in Malicious Software by Dragan Pleskonjic @ Dec 24, 2006

As it does every year, Panda Software is publishing its annual list of those malicious codes which, although they may not have caused serious epidemics, have stood out in one way or another. Read the report here.
