Poll: Should We Teach Students How To Write Viruses?

Posted in Malicious Software, Polls by Dragan Pleskonjic @ Jul 18, 2009

More than two years ago I wrote a post on this blog with a question in its title: “Should We Teach Students How to Write Viruses?” That post outlines some reasons pro and contra and links to various Internet resources regarding this question.

Today I’ve added a new poll to this blog with this question. The goal of this poll is to see the opinion of this blog’s visitors regarding this very controversial issue. Before voting, it is recommended to read the previous post on this blog and visit the links mentioned in that post. Also, I recommend that you visit:

Your opinions are welcome. Thank you for voting.

Which Antivirus Software Do You Use?

Posted in Malicious Software, Polls, Security, Tools and Utilities by Dragan Pleskonjic @ Apr 21, 2009

There is a new poll on this blog. The question is “Which antivirus software do you use?” and the possible answers are:

  • Symantec
  • McAfee
  • Kaspersky
  • F-Secure
  • AVG
  • Avast
  • Trend Micro
  • NOD32
  • Other
  • None

Thank you for voting.

Conficker – Check to See If You Are Infected

Posted in Malicious Software, Threats, Vulnerabilities, Attacks by Dragan Pleskonjic @ Apr 8, 2009

Conficker, also known as Downup, Downandup, Conflicker, and Kido, is a computer worm that surfaced November 21st, 2008 with Conficker.A and targets the Microsoft Windows operating system. The worm exploits a known vulnerability (MS08-067) in the Windows Server service used by Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, and Windows 7 Beta.

For a simple check of whether you are infected, you can use the Conficker Eye Chart developed by the Conficker Working Group.

If you can see all six images in both rows of the top table on the Conficker Eye Chart, you are either not infected by Conficker, or you may be using a proxy server. In the latter case you will not be able to use this test to make an accurate determination, since Conficker will be unable to block you from viewing the AV/security sites.

What Adware Can Do?

Read this interview and you will probably be scared. It is an interview with Matt Knox, who talks about his early days designing and writing adware for Direct Revenue.

He says:

It would have been fairly trivial for me to go spelunking for people’s credit card information or whatever. I had four million nodes. I could have done it without anybody at the company even noticing.

and:

Eventually, instead of writing individual executables every time a worm came out, I would just write some Scheme code, put that up on the server, and then immediately all sorts of things would go dark. It amounted to a distributed code war on a 4-10 million-node network.

The question is: Who owns “your” computer?

Thanks to Aleck for pointing me to this scary interview.

Connected to Virus Writers?

Posted in Malicious Software, Polls by Dragan Pleskonjic @ Jan 19, 2009

The recent poll with the question “Will crisis in financial sector affect tech and security?” has expired.

The new question is related to long-lasting rumors that some security software companies are connected to virus writers and use them as helpers to increase revenues. In my opinion, this is hard to believe, but I would like you to give your opinion in the poll on this blog.

So, the question is: “Are software companies, which produce antivirus tools, connected to virus writers?”

The two simple answers are yes or no.

Thank you for your vote.

Is Windows Live Messenger a Trojan?

ZoneAlarm by Check Point, a firewall, antivirus and antispyware tool, is something I have used for quite some time on one of my computers. Today it offered an update to the new version 7.0.462.000. After installation, I started an antispyware scan, and it detected Windows Live Messenger and classified it as a Trojan with medium risk. ZoneAlarm recommended that I should “delete this application immediately because it constitutes security and privacy risks, and has no known usefulness”.

Here is a screenshot (censored for privacy reasons):

[Screenshot: Windows Live Messenger as Trojan]

ZoneAlarm offered options to quarantine, delete or ignore it. After I selected delete, it actually deleted Windows Live Messenger!

I reinstalled Messenger, scanned again for spyware, and the same situation repeated. So we can now say that Check Point firmly considers Windows Live Messenger a Trojan. Some people will say: Not too far from the truth, is it? :)

Hopefully Check Point and Microsoft will solve this in mutual talks and confirm Messenger as safe software.

Does an Expert Need Antivirus Software?

Posted in Malicious Software, Threats, Vulnerabilities, Attacks by Dragan Pleskonjic @ Sep 26, 2007

This is a very interesting question that Steve Riley talked about in a recent post on his blog (here). And of course, a number of people have asked him if he is recommending such a stance to other individuals or to organizations. Soon after that, Steve gave a more detailed explanation (here). More importantly, security decisions always involve tradeoffs. They also (should) involve an intimate understanding of what the users will be doing with their computers.

Malicious Software: Today’s Most Prevalent Threats

Posted in Malicious Software, Threats, Vulnerabilities, Attacks by Dragan Pleskonjic @ Sep 20, 2007

Mark Kanok from Symantec published an interesting post titled Detection and Remediation on the official Symantec blog. It contains updated definitions of some of today’s most prevalent threats:

  • Backdoors — A backdoor is an undocumented way of gaining access privileges to a program, typically for the intent of opening up further access or vulnerabilities.
  • Bots or Zombies — A computer that is under the control of a malicious hacker without the knowledge of the computer owner, and is typically used to execute various nefarious processes on a networked basis (e.g. denial of service attacks, spam, etc.)
  • Trojan Horse — A Trojan Horse is malicious software that masquerades as a legitimate or benign program, often exploiting the willingness of users to try “free” software.
  • Polymorphic Virus — A polymorphic virus is one that changes its binary pattern, or signature, every time it replicates and infects a new file in order to keep from being detected by signature-based antivirus programs.
  • Rootkit — A rootkit is a malicious program that is activated each time the system boots up, making it especially difficult to detect and remove. In some cases, rootkits are counted as Trojan Horses.
  • Drive-By Downloads — A drive-by download is a program that is automatically downloaded onto the computer without the user’s consent or knowledge. Drive-by downloads can be initiated simply by visiting a dangerous Web site or by viewing an HTML e-mail message.
  • Phishing — A phishing attack is a type of scam designed to lure a victim — typically via a cleverly written, legitimate-looking e-mail — to a false web site, which also tends to look legitimate. The victim’s personal or financial information is then compromised.

A/V Research on Detecting File Infections Was a Waste of Time?

Posted in Malicious Software, Security Research by Dragan Pleskonjic @ Aug 31, 2007

This is really interesting reading: invisiblethings’ blog: Tricky Tricks. Joanna Rutkowska says:

So, do I want to say that all those years of A/V research on detecting file infections was a waste of time? I’m afraid that is exactly what I want to say here. This is an example of how the security industry took a wrong path, the path that never could lead to an effective and elegant solution. This is an example of how people decided to employ tricks, instead of looking for generic, simple and robust solutions.

Security should not be built on tricks and hacks! Security should be built on simple and robust solutions. Oh, and we should always assume that the users are not stupid – building solutions to protect uneducated users will always fail.

Tourism Sites Suffer ‘Italian Job’ Web Attacks

Posted in Internet Security, Malicious Software by Dragan Pleskonjic @ Jun 19, 2007

Thousands of Italian tourism Websites have been hit by a virus that infects the computers of visitors, then slithers through them in search of confidential information.

The attack, known as The Italian Job, has hit over 4,500 websites on travel in Italy. So-called Trojan software is installed on the computers of people visiting the sites, taking over that computer and sending bank records and other data to a server believed to be located in Chicago.

Only those using out-of-date versions of Microsoft’s Internet Explorer are vulnerable to the attack. The attack was apparently launched using Russian software that runs at about $700. It is controlled remotely by its programmers, who can redirect the flow of information if the current server destination is shut down.

This attack was given the name HTML_IFRAME.CU, and you can read more about it on the Trend Micro website (here and here).
