4th quarter 2010

BUSINESSES UNDER ATTACK

How to protect your company
from cybercriminals

DESPERATE JAILBREAKERS
Is it actually safe to jailbreak an iPhone?

THE ENEMY AT THE GATE

Rogue AV’s are rapidly becoming one of the biggest threat to users

ARTIFICIAL INTELLIGENCE IN THE REALMS OF IT SECURITY

Autonomous systems that treat infections

EXPERTS
COMMENT
WEAK LINKS: Changes in the methods and targets of the cybercriminals’ attacks
www.av-school.com www.av-school.ru www.av-school.pl
 SECUREVIEW

Contents A word from the Editor

News
Breakthroughs and trends
in the IT security industry
Report
Black Hat USA 2010:
News and trends from
Black Hat USA 2010
Top Story
Businesses under attack:
Everything you should know
about corporate threats
Analytics
Desperate Jailbreakers:
Recent smartphone
security issues
The enemy at the gate:
Rogue antivirus
programs on the rise
Technology
Artificial Intelligence
in the realms of IT security:
Cyber Helper – an autonomous
system that treats infections
Under control: Analyzing
application activities
Forecasts
Weak links: Changes in
the methods and targets of
the cybercriminals’ attacks
Interview
Keeping pace with viruses:
Current malware sample
processing techniques
with Nikita Shvetsov
Dear Readers,
I am sure that the majority of you reading this
work for a company of one sort or another. Ten
4-9 to one your company has its own Internet site,
communicates with its clients and partners over
email, and possibly even uses Instant Messaging
too. Often, many of you will take some work home
with you, burning the midnight oil on yet another
important document. Just the thought of working
without a computer and the Internet, or not being
10-11 able to complete an urgent job at home when you
need to, would seem utterly strange for a lot of Editor-in-Chief
people these days. Alexander Ivanyuk
So where is this all leading you may ask? Well,
working in an office, you can’t have failed to notice
that there is a security solution installed on your
12-17 computer. A similar solution should be installed
on your company’s servers where their office is
located. If that it is not the case, then it is very
unfortunate indeed, but let’s put that dismal
scenario aside for now and move on.
Antivirus, or more complex security package
18-21 installed by your company’s systems administrators
are designed to protect your computer from attack
by criminals, but…are you sure that your company
has a complex security policy in place? If the system
22-25 administrator does not regularly install updates for
the operating systems and any third-party software
installed on the users’ computers, there can be no
guarantee that a determined cybercriminal won’t
find an unpatched vulnerability in the system and
use it to their advantage.
Are you sure that your smartphone, which you
rely on for daily business communications, or the
26-29 notebook that you or your boss are working on at
home or in the office are protected from such a banal
thing as loss? After all, if the notebook that you lost
30-31 or had stolen at the airport ended up in the hands of
specialist crooks, all of your confidential information
would be right there in front of them. At least, that
would be the case if your device didn’t happen to
have a suitable encryption solution installed and a
complex login and password security program.
32-33 However, let’s not get ahead of ourselves for
the moment. Just read this issue’s Top Story and
consider carefully whether you have closed all of
the loopholes through which a cybercriminal might
attack your company, and while we are talking
about threats, do you and your colleagues know
enough about rogue antivirus programs and how
they can penetrate your computer?
34
See you next issue!
Alexander Ivanyuk

SECUREVIEW Magazine Editor-in-Chief: Alexander Ivanyuk
4TH Quarter 2010 Editor: Darya Skilyazhneva
Design: Svetlana Shatalova,
Roman Mironov
Production Assistants:
Rano Kravchenko
Editorial matters: editorial@secureviewmag.com
http:// www.secureviewmag.com
© 1997 - 2010 Kaspersky Lab ZAO.
All Rights Reserved. Industry-leading Antivirus Software
The opinion of the Editor may not necessarily agree with
that of the author.
SECUREVIEW Magazine can be
freely distributed in the form of the
original, unmodified PDF document.
Distribution of any modified versions
of SECUREVIEW Magazine content
is strictly prohibited without explicit
permission from the editor.
Reprinting is prohibited unless with
the consent of the editorial staff.

Vulnerabilities
Deanonymizing
anonymizers
Research by the I.N.R.I.A (The
French National Institute for
Research into Computer Science
and Control) has shown that
there are serious vulnerabilities
in the BitTorrent peer-to-peer
protocol. The vulnerabilities
allow BitTorrent users to be
spied on. An attacker might
be able to deanonymize a user
even behind an anonymizing
network such as Tor.
Tor operates on the basis
of the construction of chains of
proxies, as well as multilayered
traffic encryption. The researchers
propose three methods of attack
to deanonymize BitTorrent
users on Tor.
The first method of attack
consists of inspecting the
payload of some of the
BitTorrent control messages
and searching for the public
IP address of the user. In
particular, the announcement
messages that a client sends to
the tracker in order to collect a
list of peers distributing content,
and the extended handshake.
Messages sent by some
clients immediately after
the application handshake
occasionally contain the public
IP address of the user.
The second method of attack
consists of rewriting the list of
peers returned by the tracker in
order to include the IP address
of a controlled peer. As the user
will then connect directly to the
Source: http://arxiv.org/PS_cache/arxiv/pdf/1004/1004.1267v1.pdf
|
4 SECUREVIEW 4th quarter 2010
News
peer controlled by the attacker,
the latter can deanonymize the
user by inspecting the IP header.
Whereas this hijacking attack
is accurate, it only works when
the user relies on Tor alone
to connect to the tracker.
The third and final method of
attack consists of exploiting
the DHT (Distributed Hash
Table) to search for the public
IP address of a user. Indeed,
whereas Tor does not support
UDP, BitTorrent’s DHT uses
UDP for transport and when
a BitTorrent client fails to
contact the DHT using its Tor
interface; it reverts to its public
interface, hence publishing its
public IP address in the DHT.
As the content identifier and
the port number of a client
transit through the exit node,
and port numbers are uniformly
distributed, an attacker can
use this information to identify
a BitTorrent user in the DHT. This
DHT attack is very accurate and
works even when the peer uses
Tor to connect to other peers.
Using the hijacking and
DHT attacks, researchers
deanonymized and profiled close
to 9,000 public IP addresses
of BitTorrent users on Tor.
In particular, they have exploited
the multiplexing of streams from
different applications into the
same circuit to profile the web
browsing habits of the BitTorrent
users on Tor.
Encryption
Random numbers
certified by Bell’s theorem
Researchers have devised
a new kind of random number
generator for encrypted
communications and other uses
that is cryptographically secure,
inherently private and certified
random by the laws of physics.
Although the events around
us can seem arbitrary, none of
them is genuinely random in
the sense that they could not
be predicted given sufficient
knowledge. Indeed, true
randomness is almost impossible
to come by. That situation is
a source of persistent concern
to cryptographers who need
to encrypt valuable data and
messages employing a long string
of random numbers that form
a key to encode and decode the
message. For practical purposes,
encoders typically employ
various mathematical algorithms
called “pseudo-random number
generators” to approximate the
ideal. However, they can never
be completely certain that
the system is invulnerable to
adversaries or that a seemingly
random sequence is not, in fact,
predictable in some manner.
Now though, Stefano Pironio and
Serge Massar from the Université
Libre de Bruxelles (ULB), in
partnership with European and
American quantum information
scientists, have demonstrated
a method for producing
a certifiably random string of
numbers based on the principles
Source: www.physorg.com/pdf190468321.pdf
of quantum physics. Their solution
relies on a discovery made by
physicist John Bell in 1964:
two objects can be in an exotic
condition called “entanglement”
in which their states become
so utterly interdependent that
if a measurement is performed
to determine a property of one,
the corresponding property of the
other is instantly determined as
well, even if the two objects are
separated by large distances.
Bell showed mathematically
that if the objects were not
entangled, their correlations
would have to be smaller than
a certain value, expressed
as an “inequality.” If they
were entangled, however,
the correlation rate could
be higher, “violating” the
inequality. “The important
point is that the violation of
a Bell inequality is possible
only if we are measuring
genuine quantum systems”,
says Pironio. “Therefore if
we verify a Bell inequality
violation between isolated
systems, we can be sure that
our device has produced true
randomness independently of
any experimental imperfection
or technical detail. But to build
something concrete out of
this initial intuition, we had to
quantify how much randomness
is actually produced and
whether it is secure in
a cryptographic setting.”
www.secureviewmag.com

Cryptography
Laser key
Dr. Jacob Scheuer from
Tel Aviv University has
developed a unique
optical system of secret
cryptographic key
distribution. The researcher
claimed that his system is
potentially uncrackable.
antivirus Testing
The Rise of the Rogue AV Testers
Recently, I was sitting around
with a number of colleagues
from Kaspersky Lab, discussing
everybody’s favorite subject:
the state of AV testing these
days. During the chat,
somebody brought up the
name of a new, obscure testing
organization in the Far East.
Nobody else had ever heard
of them and so my colleague,
Aleks Gostev, jokingly called
them a “rogue Andreas Marx”.
It then occurred to us that
some of these new testing labs
that have recently appeared
mimic the tactics of Rogue AV
products. What exactly do I
mean? Well, as we know the
rogue AV business model is
based on selling a false sense
of security; we professionals
know it is fake, but the victims
don’t. People buy a Rogue AV
program hoping that it will solve
their security problems, but at
best the products do nothing
and at worst, they install
additional malware.
Rogue AV testers are somehow
similar in behavior. In their
case, the business model is no
longer based on a false sense
of security, but instead, on a
false sense of insecurity. So,
how do they operate? Well, it
seems to start with a number
of tests which look legitimate
and mimic real world conditions.
Then, the tests slowly become
more ‘complicated’ and security
products do worse and worse.
Sometimes, the product that
did best in the previous test
suddenly becomes the worst
www.secureviewmag.com
Transmitting binary lock-
and-key information in
the form of light pulses,
his device ensures that a
shared key code can be
unlocked by the sender and
receiver and absolutely
nobody else. Dr. Scheuer has
found a way to secure the
transmitted ones and zeros
using light and lasers. “The
trick,” says Dr. Scheuer, “is
for those at either end of
in the group. In other cases, all
products fail miserably. Finally,
the main idea emerges: that
all security products are bad
and utterly useless. Hence,
the false sense of insecurity
is promoted through the tests:
you are insecure, your money
was misspent – beware! Going
further, the rogue AV testers
use various techniques such as
not disclosing product names
in published test results and
attempting to sell these results
for serious amounts of money.
Here are some of the
characteristics we identified as
being specific to rogue AV testers
and can help you to spot them:
1. They are not affiliated
with any serious testing
organization, such as AMTSO.
Sometimes, the Rogue AV
testers could also show fake
affiliations or even falsely
display (say) the AMTSO logo
on their website, in order to
remove suspicion and doubt.
2. They publish free public
reports, but charge money for
the ‘full’ reports. In general,
the public reports should look
as bad as possible for all the
tested products, to maximize
the profits from selling the
full reports.
3. The public reports are full of
charts that look complicated
and intelligent, but sometimes
reveal amusing mistakes.
4. They claim all AV (or security)
products are useless. This is
the foundation stone of any
business based on the ‘false
sense of insecurity’.
News
the fiber optic link to send
different laser signals they
can distinguish between,
but which look identical to
an eavesdropper.”
“Rather than developing
the lock or the key, we’ve
developed a system which
acts as a type of key bearer,”
the researcher explains.
Source: http://www.sciencedaily.com/releases/2010/03/100323121834.htm
The experts comment
5. They charge for samples and
methodologies, usually very
large sums of money, to make
sure the flawed methodology
and samples cannot be
reviewed externally.
Reputable testers will make
samples and methodologies
freely available to the developers
of the products that they test, Costin Raiu
and instead, charge for the is the Director
rights to publish the results in of Kaspersky Lab’s
magazines or for the permission
to use the results in marketing
Global Research
materials. Charging money for & Analysis Team
samples is a clear indication that
something wrong is going on.
There are other characteristics,
but I think everybody has got
the point by now.
Just like the explosion in Rogue
AV products, making them one
of the most profitable crimeware
categories, I suspect Rogue AV
testers will follow and in the
process, they will also become
an extremely profitable category.
Of course, the worst thing is
that they will provide a strong,
negative value to the entire IT
security industry.
So, if you are trying to compare
security solutions, I recommend
sticking to established testing
organizations such as Virus
Bulletin, AV-TEST.ORG and AV-
COMPARATIVES or reputable
magazines with a good history
behind them. If in doubt, ask for
AMTSO affiliations and finally, do
not forget about the list of hints
that can help you to spot Rogue
AV testing behavior.
Do not become a victim of the
Rogue AV testers!
4th quarter 2010 SECUREVIEW |5
 News

Social Networks

Fundamental privacy limits

of recommendations
A group of researchers have
demonstrated the fundamental
limits of privacy in social
networks with personalized
recommendations. The
recommendations cannot
be made without disclosing
sensitive links between users.
Facebook recommends
new contacts based on
the pattern of connections
between existing users, whilst
Amazon recommends books
and other products based on
purchase histories and Netflix
recommends movies based on
historical ratings. To be sure,
these sites produce helpful
results for users that in turn
can dramatically increase sales
for the merchant, but they can
also compromise privacy.
For example, a social network
recommendation might reveal
that one person has been in
email contact with another, or
that an individual has bought
a certain product or watched
a specific film. It may even be
a breach of privacy to discover
that your friend doesn’t trust
your judgment in books.
Today, researchers say
that privacy breaches are
inevitable when networks
are exploited in this way. In
fact, they’ve worked out a
fundamental limit to the level
of privacy that is possible
when social networks are
mined for recommendations.
The scientists’ approach is
to consider a general graph
consisting of various nodes
and the links between them.
This may be a network in
which the nodes are books,
say, and a link between
two nodes represents the
purchase of one book by the
Amazon recommends books and other products based on purchase histories
owner of another. The team that the website makes such
considers all these links to a recommendation both with
be private information. Then the private purchase decision
researchers consider an in question and without it.
attacker who wants to work The question they then ask is to
out the existence of a link in what extent recommendations
the graph from a particular can be made while preserving
recommendation. So given this privacy differential.
the knowledge that people It turns out that there
who bought book X also is a tradeoff between
bought book Y, is it possible to the accuracy of the
determine a purchase decision recommendation and the
made by a specific individual? privacy of the network.
To do this, scientists define So a loss of privacy is
the privacy differential as inevitable for a good
the ratio of the likelihoods recommendation engine.
Source: http://www.technologyreview.com/blog/arxiv/25146/

Online Services Threats

to temporarily suspend offering Google Web History

Hijacking Google services

search suggestions from pages over secure protocol
Search History in addition to HTTPs only.

An international research based on inferences received Source: http://arxiv.org/PS_cache/arxiv/pdf/1003/1003.3242v3.pdf

team has demonstrated the
possibility of hijacking Google
services and reconstructing
users’ search histories.
Firstly, with the exception
of a few services that can
only be accessed over HTTPs
(e.g. Gmail), researchers found
that many Google services
are still vulnerable to simple
session hijacking.
Next they presented the
Historiographer, a novel
attack that reconstructs
the web search histories of
Google users, i.e. Google’s
Web History, even though
such a service is supposedly
protected from session
hijacking by a stricter
access control policy. The
Historiographer implements a
reconstruction technique that
rebuilds the search history
from the personalized
suggestions fed to it by the
Google search engine. The
attack was based on the fact
that Google’s users receive
personalized suggestions for
their search queries based on
previously searched keywords.
The researchers showed that
almost one third of monitored
users were signed in to their
Google accounts, and of
those, half had their Web
History enabled, thus leaving
themselves vulnerable to this
type of attack.
The attacks demonstrated
are general and highlight
concerns about the privacy
of mixed architectures using
both secure and insecure
connections. The research
data was sent to Google and
the company has decided

|
6 SECUREVIEW 4th quarter 2010 www.secureviewmag.com
 News

Quantum Computations
in one direction but hard

Uncounterfeitable
in the opposite direction.
Multiplication is the famous
example. It’s easy to multiply

currency two numbers together to get

A new scheme for making
quantum money could lead to cash
that cannot be counterfeited.
Just like ordinary cash,
quantum cash would be
exchanged in lieu of goods.
It would be sent and received
over the Internet without the
need to involve third parties
such as banks and credit card
companies. That would make
transactions anonymous and
difficult to trace, unlike today’s
online transactions which
always leave an electronic
paper trail. That’s one big
advantage over today’s money.
Another is that quantum states
cannot be copied, so quantum
cash cannot be forged.
But quantum cash must have
another property: anybody
needs to be able to check that
the money is authentic. That
turns out to be hard because
the measurement of quantum
states tends to destroy them.
It’s like testing regular dollar bills
by seeing whether they burn.
But there is a way around this
based on the ideas behind
public-key encryption. The idea
here is to find a mathematical
process that is easy to do
a third but hard to start with
the third number and work
out which two factors created
it. The question for quantum
money gurus is whether a
similarly asymmetric process
will provide similar security
assurances for quantum cash.
A research group led by The purported security of the
Edward Farhi has developed proposed quantum money
secure quantum cash based scheme is based on the
on a new kind of asymmetry. assumption that given two
The scientists took their different looking but equivalent
inspiration from knot theory, knots, it is difficult to explicitly
a branch of topology that find a transformation that turns
deals with knots and links. one into the other.
Source: http://www.technologyreview.com/blog/arxiv/25135/

Encryption
maintains a high bit rate at all transmission of very long

Record in quantum
times and requires no manual secret keys – the same
set-up or adjustment. length as the data itself. For
Significantly, the this reason it has only been

key bit rate breakthrough will enable

Toshiba Research Europe’s
Cambridge lab has announced
an important breakthrough in
quantum encryption.
The researchers have
succeeded in demonstrating
the continuous operation
of quantum key distribution
with a secure bit rate
exceeding 1 megabit per
second over 50 km of fiber
for the first time. Averaged
over a 24 hour period, this
is 100–1000 times higher
than anything reported
previously for a 50 km link.
It was achieved using two
innovations: a novel light
detector for high bit rates
and a feedback system which
the everyday use of “one-
time pad” encryption, a
method that is, in theory,
perfectly secret. Although
ultra-secure, the application
of one-time pad encryption
has been restricted in the
past as it requires the
Source: http://www.toshiba-europe.com/research/crl/qig/Press2010-04-19-
qcbreakthrough.html
used for short messages
in situations requiring very
high security, for example
by the military and security
services. The achieved
bit rate breakthrough will
extend the application of this
ultra-secure communication
method for everyday use.

Visualizing
the malicious web
Researcher Stephan
Chenette has released
a Firefox plug-in called
FireShark designed to build
visual diagrams of criminal
connections as well as
schemes for the malicious
distribution of code. The
plug-in allows the capturing
of web traffic from a browser,
the logging of events and the
downloading of content to disk
for post-processing analysis.
The software has the
potential to become a very
powerful forensics and
antimalware tool.
The plugin can be
downloaded free of charge
from the author’s site.
For example, FireShark makes it easy
to see compromised legitimate sites
Source: http://www.fireshark.org/ redirecting users to malicious domains

www.secureviewmag.com 4th quarter 2010 SECUREVIEW |7


Wireless Security
Securing RFID
Egyptian researchers have
proposed a mutual authentication
protocol that prevents attacks on
low-cost RFID tags.
RFID systems are vulnerable
to a broad range of malicious
attacks ranging from passive
eavesdropping to active
interference. Unlike in wired
networks where computing
systems typically have
both centralized and host-
based defenses such as
firewalls, attacks against
RFID networks can target
decentralized parts of the
system infrastructure, since
RFID readers and RFID tags
operate in an inherently
Encryption
What web programming language
is the most secure?
Security-conscious organizations
evaluate a large number of
developmental technologies for
building websites. The question
often asked is, “What is the
most secure programming
language or development
framework available?”
WhiteHat Security has issued a
report which highlights the answer.
The report’s Top-10
key findings are:
• Empirically, programming
languages/frameworks do
not have similar security
postures when deployed
in the field. They are shown
to have moderately different
vulnerabilities, with different
frequencies of occurrence,
which are fixed in different
amounts of time.
• The size of a web application’s
attack surface alone does
not necessarily correlate
to the volume and type of
issues identified. For example
Microsoft’s .NET and Apache
Struts, with near-average
attack surfaces, turned
in the two lowest historical
vulnerability averages.
|
8 SECUREVIEW 4th quarter 2010
News
unstable and potentially
noisy environment.
RFID tags may pose a
considerable security and privacy
risk to the organizations and
individuals using them. Since
a typical tag provides its ID to
any reader and the returned ID
is always the same, an attacker
can easily hack the system
by reading a tag’s data and
duplicating it in the form of bogus
tags. Unprotected tags may be
vulnerable to eavesdropping,
location privacy, spoofing, or
denial of service attacks.
Low-cost RFID tags like
Electronic Product Codes (EPC)
are poised to become the most
• Perl had the highest average
number of vulnerabilities
found historically by a wide
margin, at 44.8 per website
and also the largest number
currently at 11.8.
• Struts edged out
Microsoft’s. NET for the
lowest average number of
currently open vulnerabilities
per website at 5.5 versus 6.2.
• C old Fusion had the second
highest average number of
vulnerabilities per website
historically at 34.4, but has
the lowest likelihood of having
a single serious unresolved
vulnerability if currently
managed under WhiteHat
Sentinel (54%). Closely
following was Microsoft ASP
Classic, which at 57% beat
its successor Microsoft .NET
by a single point.
• Perl, Cold Fusion, JSP, and
PHP websites were the
most likely to have at least
one serious vulnerability,
at roughly 80% of the time.
The other languages /
frameworks were only within
ten percentage points.
pervasive devices in history.
There are already billions of
RFID tags on the market being
used for applications like supply-
chain management, inventory
monitoring, access control
and payment systems. When
designing a really lightweight
authentication protocol for
low cost RFID tags, a number
of challenges arise due to the
extremely limited computational,
storage and communication
abilities of such devices.
The scientists have proposed
modifications to the Gossamer
mutual authentication protocol
used by the tags. The proposed
protocol prevents passive
attacks, as active attacks are
discounted when designing a
protocol to meet the RFID tags’
Source: http://airccse.org/journal/nsa/0410ijnsa3.pdf
•A mong websites containing
URLs with Microsoft’s. NET
extensions, 36% of
their vulnerabilities had
Microsoft ASP Classic
extensions. Conversely, 11%
of the vulnerabilities
on ASP websites had
Microsoft’s .NET extensions.
• 37% of Cold Fusion
websites had SQL Injection
vulnerabilities, the highest
of all measured, while Struts
and JSP had the lowest with
14% and 15%.
Source: http://www.whitehatsec.com/home/resource/stats.html
requirements. The analysis of
the protocol shows that the
added modifications increase the
security level of Gossamer and
prevent eavesdropping on public
messages between reader and
tag. However, the modifications
do not affect the computational,
storage or communication
cost of Gossamer.
• At an average of 44 days, SQL
Injection vulnerabilities were
fixed the fastest on Microsoft
ASP Classic websites, just
ahead of Perl (PL) at 45 days.
• 79% of “Urgent” Severity SQL
Injection vulnerabilities were
fixed on Struts websites,
the most of the field. This is
followed by Microsoft’s .NET
at 71%, Perl at 71% and the
remainder between 58% and
70% Apercent.
The report is based on data
from 1,659 websites
www.secureviewmag.com

Cyber Security
Investigating global
cyber espionage
An international team
of researchers has published
a report about global cyber
espionage systems titled
“Shadows in the Cloud”.
The report contains the results of
their investigations into a complex
cyber espionage ecosystem that
as the authors say, “Systematically
compromised government,
business, academic and other
computer network systems in
India, the offices of the Dalai
Lama, the United Nations and
several other countries”. The report
also contains an analysis of data
Security Threats
Protecting hypervisors
One of the major threats to
virtualization and cloud computing
is malicious software that enables
computer viruses or other malware
that have compromised one
customer’s system to spread to
the underlying hypervisor, and
ultimately, to the systems of other
customers. In short, a key concern
is that one cloud computing
customer could download a virus –
such as one that steals user data –
and then spread that virus to the
systems of all the other customers.
“If this sort of attack is feasible,
it undermines consumer
Technology
Better remote entrusting
Researchers are proposing
a paradigm-shifting solution
to trusted computing that
offers better security and
authentication. The European RE-
TRUST project (http://re-trust.dit.
unitn.it/) promotes a technology
that ensures remote, real-time
entrusting on an untrusted
machine via the network.
Remote entrusting provides
continuous entrustment for the
execution of a software component
www.secureviewmag.com
stolen from politically sensitive
targets and recovered during the
course of the investigation.
The report analyzes the malware
ecosystem employed by the
Shadows’ attackers, which
leveraged multiple redundant
cloud computing systems, social
networking platforms and free
web hosting services.
The following is a summary
of the report’s main findings:
• T he cyber espionage
network is complex
• T he theft of classified and
sensitive documents is rife
confidence in cloud computing
since consumers couldn’t trust
that their information would
remain confidential,” said Xuxian
Jiang, Assistant Professor of
Computer Science at North
Carolina State University.
For instance, in Blue Pill attacks,
as demonstrated by Polish security
researcher Joanna Rutkowska,
a rootkit bypasses the digital
signature protection for kernel
mode drivers and intercepts the
operating system calls.
But Jiang and his Ph.D. student
Zhi Wang have now developed
by a remote machine, even though
the software component is running
within an untrusted environment.
The proposed technology provides
both software-only and hardware-
assisted remote entrusting.
Whereas hardware-assisted
entrusting requires a special
chip either on the computer’s
motherboard or inserted into
a USB drive, RE-TRUST uses
logical components on an
untrusted machine to enable
News
Concentrations of non-unique IP addresses of compromised hosts (from the report
“Shadows in the Cloud”)
• T here is evidence of
collateral compromise
• T he command-and-control
infrastructure leverages
Source: http://Shadows-in-the-Cloud.net
a piece of software called
HyperSafe that leverages existing
hardware features to secure
hypervisors against such attacks.
“We can guarantee the integrity
of the underlying hypervisor
by protecting it from being
compromised by any malware
downloaded by an individual user,”
Jiang says. “By doing so, we can
ensure the hypervisor’s isolation.”
For malware to affect a
hypervisor, it typically needs
to run its own code in the
hypervisor. HyperSafe utilizes two
components to prevent that from
happening. First, the HyperSafe
program “has a technique
Source: http://www.scientificcomputing.com/news-HPC-New-Security-for-
Virtualization-Cloud-Computing-050310.aspx
a remote entrusting component
to authenticate – via the network –
the untrusted machine’s operation
during runtime. This means it
Source: http://www.sciencedaily.com/releases/2010/04/100413131939.htm
Entrusting by remote software authentication during execution
cloud-based social
media services
• T here are links to the
Chinese hacking community
called ‘non-bypassable memory
lockdown’, which explicitly and
reliably bars the introduction
of new code by anyone other than
the hypervisor administrator,” Jiang
says. “This also prevents attempts
to modify existing hypervisor code
by external users.”
Secondly, HyperSafe uses
a technique called ‘restricted
pointer indexing’. This technique
“initially characterizes the
hypervisor’s normal behavior and
then prevents any deviation from
that profile,” Jiang says. “Only
the hypervisor administrators
themselves can introduce changes
to the hypervisor code.”
ensures that the software is
running properly and that the code
integrity is maintained, thus almost
completely guaranteeing security.
4th quarter 2010 SECUREVIEW |9
 Report | Black Hat USA 2010

Las Vegas –
The Security Researchers’ Oasis
Each year, the entire security industry waits for the Black Hat Briefings in
the sweltering Las Vegas desert. This year was no different, with more
than 6,000 people interested in security gathered from all over the world
at Caesars Palace, Las Vegas, Nevada – the place where the conference is
traditionally held. From private companies and government agencies through
to security researchers, system administrators and law enforcement officers -
everybody was there. “Security researchers from all over the world come to
Black Hat to identify security threats and work collectively to create solutions.
The Black Hat community is one of the greatest assets we have for defending
the safety and security of the Internet,” said Jeff Moss, founder of Black Hat.

Article by Black Hat is the place where IT and computer
Stefan Tanase security happens. Now in its 13th year, researchers’
latest findings are published during presentations
spread over 11 conference tracks and two days.
The two opening keynotes this year were delivered
by Jane Holl Lute, the current Deputy Secretary of
Homeland Security, and Michael Vincent Hayden,
former Director of both the National Security Agency
and the Central Intelligence Agency. This doesn’t
come as a surprise, especially after Jeff Moss, the
founder of the Black Hat and DEF CON conferences
was sworn in to the Homeland Security Advisory
Council of the Barack Obama administration.
This year’s event featured more than 200 speakers
discussing their latest research around essential
security topics ranging from infrastructure, reverse-

Stefan is a Senior Security

Researcher for Kaspersky
Lab. He specializes in web
application security, web-based
threats and malware 2.0. Stefan
is involved in several innovative
research projects, ranging
from malware databases or
honeypots, to web crawlers
which continuously scan
the Internet to identify and
neutralize the latest threats.
As a member of the Global
Research and Analysis Team,
Stefan publishes analyses
of hot information security
topics on threatpost.com and
securelist.com, the Kaspersky
Lab information and education
portals on viruses, hackers
and spam. Stefan is also
frequently invited to speak at
major international security
conferences such as Virus
Bulletin, RSA and AVAR. Caesars Palace – the place to be for Black Hat

|
10 SECUREVIEW 4th quarter 2010 www.secureviewmag.com

Barnaby Jack shows how jackpotting works on vulnerable ATMs
engineering, malware +, fingerprinting
and exploitation, to the latest topics in IT
technology - cloud/virtualization and cyber
war and peace.
Jackpotting ATMs
One of the most highly anticipated talks
at Black Hat USA 2010 was delivered by
Barnaby Jack, Director of Research at
IOActive Labs. Barnaby discussed two types
of attacks against automated teller machines
(ATMs) running Windows CE: the first one was
a physical attack using a master key which
can be purchased on the Internet and a USB
stick to overwrite the machine’s firmware with
a custom-built rootkit; the second one was a
remote attack exploiting a vulnerability in the
ATMs remote administration authentication
mechanism which allowed the attacker to
remotely rewrite the firmware.
The talk itself was eye-opening and
disappointing at the same time. It was
amazing to see the depth that Barnaby
had achieved when reverse-engineering
the ATMs and building a custom software
tool called ‘Dillinger’ to overwrite the
machine’s operating system, take complete
control of the ATM and send commands
which remotely instructed the ATM to start
dispensing cash. Incidentally, ‘Dillinger’ is
named after the famous bank robber. The
disappointing part from an avid researcher’s
point of view was that he only focused on
Windows CE-based ATMs, an old operating
system which is not widely used in other
regions of the world.
For instance, the two attacks that
Barnaby demonstrated, the physical and
the remote attack, would not be possible in
most European countries, but it’s a whole
different story in the United States.
All in all, seeing such progress being made
in ATM security research definitely makes
you think twice about using ATMs, especially
www.secureviewmag.com
Black Hat USA 2010 |
when traveling. In fact, with the amount of
skimming going on anyway, why not avoid
using ATMs altogether?
The Client-Side
Boogaloo
Nicholas Percoco and Jibran Ilyas,
Members of Trustwave’s SpiderLabs team,
presented Malware Freak Show 2010, a talk
that extended their initial Malware Freak
Show presentation delivered at DEFCON
17 in 2009. This year’s talk explored four of
the most interesting new pieces of malware
that were obtained during more than 200
investigations they conducted in 2009.
An interesting fact which emerged as a
result of combining intelligence from cases
they were both involved in was that attackers
spend an average of 156 days exploring a
victim network before getting caught. This is
an alarmingly high number which confirms how
low the general level of security awareness
and education is among businesses.
The presentation included the anatomy
of a successful malware attack, a profile
on each sample and victim and a live
demonstration of each piece of malware
discussed: a memory rootkit, a Windows
credentials stealer, a network sniffer rootkit
and a targeted attack malware program that
uploads documents to an FTP server.
Tracking Cyber Spies
and Digital Criminals
Greg Hoglund, who literally wrote the
book on Windows rootkits, presented some
techniques to track down the origins of
malware samples. Malware attribution,
which is defined by Greg as “Finding the
humans behind the malware,” aims to know
more about the people who create malicious
files. This type of information can be very
useful during forensic investigations.
His basic premise is that software is not
easy to write and programmers adhere to
the “if it ain’t broke, don’t fix it” principle.
Once a programmer has written a piece
of code which works, they are not going to
rewrite it, but instead will most likely reuse it
at every opportunity.
Each cybercriminal or cybercrime group
normally reuses the code that they create.
To prove this, Greg performed a case study
on a Chinese RAT (Remote Administration
Tool) called ‘gh0st RAT’. He showed the
audience how he discovered that malware
samples from 2010 are still using code from
Report
2005 – making it possible to link five-year-
old samples together. These techniques are
very developer-specific.
In his conclusion, Greg called on the security
community to understand that generally it
is better to focus on identifying the authors
behind the malware than the malware itself.
Attacking
Phone Privacy
Cryptography researcher Karsten Nohl
presented vulnerabilities, tricks and ideas
which he used to successfully crack A5/1, the
encryption system used to protect GSM calls.
One of the biggest breakthroughs that helped
him with his research was the fact that
some GSM packets, the keep-alive ones, are
predictable in the stream of different packets.
The fix for this vulnerability was released
two years ago, but none of the GSM networks
have implemented the patch yet, even though
the patch is rather simple.
It is much easier to intercept the part of
the call that is coming from the tower to the
mobile phone, rather than the one going from
the mobile phone to the tower. This is due
to the fact that mobile phones dynamically
adjust the output power of their signal to
save battery power and can be on the move
in areas surrounded by buildings, while the
towers are transmitting high power signals,
are stationary and are located in high areas.
So, the majority of GSM networks
nowadays are quite unsafe. They are either
using very insecure encryption, or in countries
like China and India, none at all. A mitigation
technique to this threat would be to switch
your phone to UMTS-only mode, although not
every phone supports this and 3G coverage is
not available in remote areas.
Until Next Year
There were many other interesting
presentations, as you can see from the Black
Hat online archive: http://www.blackhat.com/
html/bh-us-10/bh-us-10-archives.html.
As usually happens when thousands of
security researchers gather in the same
place, there were several incidents that
made this year’s Black Hat very memorable –
for example, the live stream got hacked
by a security researcher at Mozilla who
responsibly disclosed the vulnerabilities
found to the third party company which was
providing the streaming service.
This and other things make attending
Black Hat a thrill and a challenge at the
same time. RE
4th quarter 2010 SECUREVIEW | 11

Businesses under attack
Article by
Joerg Geiger
Chief Technology Expert
at Kaspersky Lab
Joerg Geiger has 11
years experience in
IT-Journalism. Having
completed his Diploma in
Computer Science, Joerg
worked as a Senior Editor
for a number of different
printed and online
magazines. For the last
3 years, Joerg has been
a freelance contributor
to German newspapers,
websites and various IT
companies and specializes
in operating systems, IT-
Security and mobile IT.
|
12 SECUREVIEW 4th quarter 2010
Top story | Corporate threats
Modern companies cannot survive without information and computer
technologies. IT has become an inseparable part of any commercial
venture, state-run enterprise or worldwide business system.
However, IT has also developed into a potent source of problems
and threats which companies must face. With the help of malware,
hackers are able to steal confidential information from computers
which in turn can lead to damaged commercial reputations, the
collapse of business deals and the infringement of intellectual
property rights. Under the control of hackers, corporate computer
networks can spread spam and malware, not only locally, but to
the computers of trusted clients and partners as well. Software
and hardware failures lead to unwanted downtime, the interruption
of important business processes and the loss of working time
by personnel. This is only a small part of the modern corporate
threatscape which we will look at in more detail within this article.
Today’s computers store and process all carrying criminal responsibility, and where
types of official information; they generate applicable, the withdrawal of state-issued and
business activity reports, they perform other licenses.
economic analyses and undertake planning The incentive to hack corporate networks
and they are used for technical modeling and grows as commercial information becomes
design. Companies advertise their products more and more valuable and as business
via the Internet and communicate with society processes are automated. The tendency is
in general using computers. Goods are for business IT to not only develop automated
readily bought and sold through the medium management and recording systems, but
of electronic trading and Internet shops. In technological processes as well – IT is already
the course of everyday business activity, a major player not only in accountancy,
computers and smartphones have become an warehousing and HR, but in manufacturing
indispensable communications tool for workers, and production as well. Today it is completely
clients and company managers alike. The unacceptable to leave corporate IT systems
burgeoning capabilities of today’s IT equipment under-protected, or worse still, unprotected. A
mean that companies can now benefit from a
whole new world of commercial possibilities.
Such companies rely heavily on stable IT
infrastructure to maintain their business
processes and competitive advantage.
As mentioned previously, the presence of
financial or confidential information attracts
the shadier elements of society who wish
to nefariously grab a slice of the pie for
themselves, and in addition, it should be
remembered that companies can and do suffer
enormous losses due to the availability of
confidential information to insiders. Serious
security incidents can incur punishment by
the state – in most countries, violation of The Internet has long since been used for the majority of corporate
security standards is a prosecutable offence financial transactions
www.secureviewmag.com
 Corporate threats | Top story

• To disable a company’s IT Methods of attack

Cybercriminals do not have to attack a whole organization
to get their hands on financial or confidential information.
It is much simpler to carry out an attack by targeting an
individual victim in an administration or HR department
where the level of computer literacy is usually fairly low
company’s IT infrastructure must include
reliable and comprehensive protection
against computer threats.
Goals and tasks
infrastructure with a view to
extorting money from that company
for returning its IT infrastructure to
operational condition. Additionally,
a hacker may want to do damage to
a company’s reputation or interrupt
their business processes by the use
of DDOS attacks
• To use the IT resources of one
company for the purpose of attacking
other companies
Those who order hacking attacks
are usually dishonest competitors,
financial fraudsters or people involved
in industrial espionage. For example, it
may be that on the day that a company
is due to launch a new product, hackers
acting behalf of a competitor take
down that company’s website, thereby
depriving the company of a lot of
potential customers who would have
otherwise visited it. Another common
example is a competitor acquiring
detailed information concerning an
important business deal from a rival
company’s computer system and the
deal subsequently being undermined.
Then there is always the scenario in
which financial information is stolen by
an insider in order to initiate an illegal
transaction. In the most dangerous
cases, vital social infrastructure can
be put out of operation if the company
responsible for maintaining it becomes
the subject of a hacker’s attack.
How do cybercriminals gain access to
corporate information? What vectors
of attack do they choose? First of all,
the particular attributes of corporate
networks play right into the hands of
the cybercriminals, such networks are
typically: large-scale, distributed across
geographical sub-divisions, hierarchic in
composition with heterogeneity of the
component parts, carrying high levels
of traffic and supporting a significant
number of users.
Networks belonging to large
enterprises with geographically diverse
subdivisions have equipment located
in different towns and sometimes even
different countries, as well as hundreds
of kilometers of communications cables.
All this makes it very difficult to prevent
unauthorized network access or the
interception of confidential information
transmitted over the network. An
attacker can surreptitiously connect to
some part of the network and secretly
monitor the channel traffic without
alerting anyone to their presence, or
masquerade as an authorized user
and send requests for information and
messages in the name of a legitimate
user. Hacking can occur on both private
and publicly accessible sections of a
network – usually the Internet. In such a
case, the cybercriminal does not need to

It is interesting to note that malware

specifically designed to target
corporate information systems does not
exist. The tools of the hackers’ trade
remain the same regardless of whether
the target is a private individual or a
company, the only real difference is
the scale of damage, so companies
have to pay particular attention to
their own protective measures. The
cybercriminals are far more interested
in attacking companies than private
individuals as the potential rewards
from such attacks are considerably
higher. It is very rare indeed for a
hacker or virus writer to work for
nothing. Usually when they feel the
need to put their professional abilities
to the test they try to ensure that their
efforts are duly remunerated.
Hackers that attack companies
generally do so for the following reasons:
• To steal confidential information,
including financial, with a view to
profiting from its usage or resale,
for example, databases belonging to A hacker does not usually need direct access to the target computer within an organization: these days attacks are
financial organizations carried out remotely via the Internet

www.secureviewmag.com 4th quarter 2010 SECUREVIEW | 13

 Top story | Corporate threats
The Structure of a typical corporate network is usually much more complex than the one displayed in the picture
be physically near the hacked channel,
using hackers tools and methods
available on the Internet it is possible to
hack a network remotely.
Probably the most popular method
for infecting computers is via the
use of programs called Trojans which
infiltrate a target machine through
malware links in spam, instant
messaging, drive-by downloads and the
exploitation of vulnerabilities in different
software applications.
Of all of the abovementioned methods
of infection, it is the vulnerabilities
in software that is one of the biggest
problems within the corporate
environment. Large corporate networks
are made up of a huge number of
component parts: workstations, servers,
laptops, smartphones, all of which
may operate under the control of a
different operating system. The situation
gets even more complex when the
functional diversity of the component
parts of a large corporate network
are factored in also; the hardware will
service different subdivisions, perform
different tasks and differ from unit
|
14 SECUREVIEW 4th quarter 2010
to unit, not to mention that it is often
produced by different manufacturers.
It is almost impossible to keep track
of all the programs installed on all of
the systems and devices mentioned.
IT administrators need to constantly
update programs and install patches
for the entire system’s resources, but it
is a complex task, made more difficult
by the fact that an administrator may
have to wait a significant amount
time for a much-needed patch
while the manufacturer creates and
distributes it. As a result, a corporate
network can remain susceptible to
attack by cybercriminals who can
exploit a vulnerability, for example, by
installing malware in an old version
of Adobe Reader, with ensuing dire
consequences for the computers on
the corporate network. In such a case,
even technical specialists may suspect
nothing if they do not keep themselves
up to date regarding the latest detected
vulnerabilities in application-
dependent software.
Another loophole used by the
criminals is the multiplicity of staff and
the resulting multiplicity of computer
network users and access points. The
larger the numbers of end-users and
nodes, the more chance there is of
an accidental oversight in security
procedures or an intentional violation
of security policy. It is more difficult
for the administrators to determine
users’ loyalties, especially as users
could typically be both staff members
and for instance, clients. Therefore it is
more difficult to control them – today,
simple methods of recording user
information are no longer suitable, more
complex methods like authentication,
authorization and auditing are required.
Modern corporate IT systems need to
be able to do much more than just allow
or disallow a user access to something,
they need to have the flexibility to
provide degrees of access, taking into
consideration factors such as - time,
group membership, editing rights etc.
Nowadays a corporate user has a wider
range of services available to them;
very often they have Internet access,
which is awash with malware, a mobile
connection which has become unsafe
and remote access from home which
makes it difficult for the employer to
check whether passwords to access the
corporate servers are stored in a secure
manner. Unfortunately, companies
rarely do have all-encompassing security
policies in place, thus the cybercriminals
continue to actively abuse the situation
and commit targeted attacks.
Education
One of the keys to successfully
minimizing corporate attacks is to
educate staff on a constant basis,
and not just technical staff, but
administrative staff too. It is more
often than not the latter group who
are responsible for the large numbers
of successful attacks carried out
using social engineering techniques.
Obviously, when a user has no real
knowledge of the basic rules of
computer security there can be no
guarantee that hackers won’t be able to
enter the corporate network; regardless
of whether or not a highly qualified
administrator has implemented the most
stringent security settings.
Teach your staff not to react to
emails and IM messages of a dubious
nature, which may well contain
malicious hyperlinks in the body of the
message. Explain to them that a letter
or SMS message from a friend can be
www.secureviewmag.com

If the use of portable storage media is not strictly
managed, then the protection of confidential information
can be forgotten
compromised and that it is always better
to think twice and check before clicking
on any messages received. Remind
your staff again and again that “There
is no such thing as a free lunch”; banks
and social networks will never ask you
about your login or password simply
because they have problems with their
infrastructure, or their database of
users is being updated. It is imperative
to teach your staff to think twice and
remain cautious.
Modules allowing the centralized management of corporate network protection are present in every major business IT security solution
www.secureviewmag.com
Corporate threats |
Complexity
So, what can be done within the
framework of corporate security to
prevent the criminals from gaining
the upper hand? The most important
thing is to understand that protection
of the corporate network needs to be
complex and multilayered. Before the
design and installation of a secure
network can take place it is necessary
to consider all of the possible threats to
the integrity and confidentiality of the
information that it will contain, as well
as to think about how the network could
be penetrated, for example, via external
media and software vulnerabilities. The
measures taken to counter any threats
must be complex and should include
organizational and technical methods.
Organizational means of protection
should include a set of company
procedures and a structured approach
to working with documentation and
information. A company’s management
Top story
has to clearly understand what
information is considered confidential,
which staff can have access to such
information and how to arrange a system
so that a breach of those access rules
cannot occur.
Technical means of protection
can include all kinds of equipment
for nullifying electromagnetic
radiation and avoiding electronic
eavesdropping, access control
mechanisms, encryption systems,
antivirus programs, firewalls, etc.
One should remember that within the
realms of complex technical procedures,
it is very important to restrict the use
of external media such as flash drives
and portable hard disks; it is also
recommended that the possibility of
recording data to CD-ROMs is removed
or otherwise controlled. This is
achievable through technical means, for
example, by closing ports at the BIOS
level to which an ordinary user would
not have access. Additionally, most
corporate antivirus solutions have inbuilt
4th quarter 2010 SECUREVIEW | 15
 Top story | Corporate threats
functionality that provides control over
USB and other peripheral ports. Those
staff members whose work regularly
entails the use of portable storage
media must be provided with, and made
to use, an automatic encryption system
that will protect any information stored
on it in the event of the theft or loss
of the media.
Other similarly important measures,
which are quite often overlooked by
companies, include the protection
of wireless access points and data
transmission channels. If you have
protected the whole infrastructure, but left
your WiFi networks without WEP encryption
and not implemented a monthly password
changing policy, then you have protected
nothing. Generally speaking, the use of
WiFi inside a company should be as limited
as possible. It is necessary to regulate
the distance that the signal can travel
by adjusting the radiated power of the
transmitter, provide users with temporary
passwords, define which WiFi networks
guests can connect to and limit access to
internal resources, etc.
Centrality
Protection of a corporate network is a
round-the-clock, yearlong process and
should embrace the entire information
lifecycle - from its arrival at the company
through to its destruction, loss of value
or downgraded level of confidentiality.
Reliable protection means real time
control over all the important events and
occurrences that may influence security.
It is very important to implement the
centralized management of a security
system. This approach allows the
speedy acquisition of a complete
picture of network events from a single
access point and provides a centralized
approach to the resolution of tasks; it is
a method for checking and effectively
resisting generic threats. At the same
time, the application of different security
policies across the various subdivisions,
as well as an individualized approach
to the resolution of tasks should not be
excluded. The centralized management
of network security via a single interface
has the advantage that system
administrators do not have to spend a
lot of time familiarizing themselves with
several different security solutions.
Modern corporate antivirus solutions
offer companies precisely this level
of control. As a rule, such solutions
will contain some sort of centralized
management system that allows
|
16 SECUREVIEW 4th quarter 2010
adjustment of the many different
security-related software modules that
control; the antivirus system setting,
the setting up of individual and group
application parameters, access to
different resources, database updates
and the continuous monitoring of the
network status and dynamic response in
the event of critical situations.
Sufficiency
Any security system has to be
sufficiently robust. This means that it
should provide the maximum level of
protection, availability and resiliency.
To do this, a security system must have
a reserve of hardware and software to
cope in situations where a component of
one or the other type fails. Additionally,
the system has to employ effective
technologies that can cope with existing
threats and are able to combat new
attacks thanks to imbedded ‘extra’
capabilities such as heuristics and
enhanced signature detection processes.
Heuristics analyzers, as well as script
emulators and file execution emulators,
are used when a program sample is
not present in antivirus databases and
allows program execution to be emulated
inside an isolated, virtual environment.
This is absolutely safe and allows all of
the program’s actions to be analyzed in
advance, so that its potential to cause
harm can be estimated with a high
probability prior to real world execution.
In this way, new threats are being
detected before they become known to
virus analysts and their signatures can
be included into antivirus databases
It is necessary to encrypt not only the data that the phone contains, but also the data stored on any accompanying
memory card in the event that important information is stored on that too
accordingly. Taking care to ensure that a
system is sufficiently robust prolongs its
usefulness as a means of defense.
Reasonable balance
It is always the case that a reasonable
balance needs to be struck between the
capabilities of a security system and its level
of resource-intensity. The more options
and functions a solution has, the more
computer, human and other resources that
are consumed. This is unacceptable for a
corporate network as it will generally have
high enough working loads already - it must
simultaneously serve a large number of
users, search vast databases, transmit big
volumes of traffic and do all of the above
precisely and quickly. Manufacturers
of antivirus products pay a great deal of
attention to the balance between productivity
and protection of systems. For this reason
there are parameters that can be set to run
system scans only at times when nobody
is working on a computer, i.e., when a
computer is locked or its screensaver is on.
This allows, for example, a deep heuristic
analysis to take place during an antivirus
scan without interference to the work of the
staff. Additionally, modern antivirus products
include technologies that can significantly
increase the operating speed of an antivirus
application through always-on protection and
on-demand scanning. Speed is also gained
by excluding the multiple checking of files that
have been scanned already, provided that
this does not pose a threat of infection. By
complimenting each other, such technologies
can greatly reduce the time and resource-
intensity required for the antivirus scanning of
different objects, files and operating systems.
www.secureviewmag.com
 Corporate threats | Top story

Expert Comments
Flexibility synchronized with computers, and if a user opens
a malware link on their telephone, there is a real
chance of transferring that virus to the corporate Nikolay Grebennikov
A security system should also be flexible and network during the process of synchronizing mail Chief Technology Officer at
scalable, in other words it should be adaptable or calendar items with the networked computer. Kaspersky Lab
to a wide range of tasks, working conditions Whilst on the subject of smartphones, it is
and quantitative characteristics of a corporate worth comparing them to portable information
network. Today’s computer networks can expand, storage devices – all messages and mail
contract and change their configuration very correspondence, as well as the contents of
quickly. Threats are also changing with alarming flash memory and memory cards which are
rapidity and security system should be ready for used for the additional storage of information
it. To meet this requirement, high quality security should be compulsorily encrypted. Only then
solutions need the means to update practically it is possible to guarantee the integrity of the
all of their program components - for example, stored information in the event of the loss of a
malware protection solutions should update not device. When choosing a protective solution for
only their antivirus signature databases, but mobile devices, close attention should be paid
also their malware behavior pattern recognition to ensuring that it has the capability to block a
capabilities and their own operating algorithms. lost smartphone, even if the SIM card is changed
by a thief. Otherwise the criminal will be able to
Kaspersky Lab’s
drop off the radars of those seeking to retrieve
Interactivity the device, and having removed the SIM card
products for corporate
users are complex
from the phone, will be able to do anything solutions for heterogenic,
they wish with the phone and the valuable distributed networks and
Another important requirement is interactivity. information it contains. that is very important at
The security system has to be able to interact Also, it is worth remembering that when a the present time. Our
solutions for Windows,
with an experienced user, system and network company uses machines with different operating Linux, Mac, Novell
administrator. It has to provide a user with sufficient systems, all of them should be protected, as if NetWare and mobile
information upon which to base operational only one of the systems is secure, it means none operating systems
decisions and be able to warn a user about of them are safe. If an administrator thinks that are simple to install
potential errors. It is preferable that the system’s there are not many viruses for the Mac OS X out and use. Kaspersky
settings and security modules are understandable there so the risk to the company is negligible Lab’s solutions provide
protection for all types
to a layman who has no specific knowledge in and therefore it is not critical to protect of network nodes –
the field of information security. This allows Macintoshes - they would be absolutely wrong. from mobile devices
corporations to quickly train their own specialists It is through just such an open gate to the world to servers. They can
and means that medium and small business can of Windows computers that the most harmful control all incoming and
have a protected system without the need to employ malware threats may come, for example, by way outgoing data flows, from
security administrators or even IT specialists. In of a malware link which becomes active once email and Internet traffic
to internal network
order to do this, antivirus solution developers pay inside a Microsoft environment. Another route interactions and they
increased attention to their product interfaces, is the Trojan program which automatically copies also provide powerful
trying to make it as simple and straightforward itself to a flash memory card on a computer management tools too.
as possible. Special significance is given to the running under the Mac OS X and is later inserted All of Kaspersky
provision of notifications when the security of the into a different workstation running under Lab’s solutions
system is under threat. The system must inform an Windows management. include the Kaspersky
Administration Kit
administrator of what actions should be performed management console
in order to restore normal defensive levels. The which allows the
interface must also allow the administrator to Resume centralized organization
quickly jump between tasks such as virus scanning, and control of network
antivirus database updating, etc. protection for the whole
New threats and vulnerabilities in the world of company, integrating
all the different levels
computer security are growing as never before
Compatibility and there are no indications that the situation is
of protection into one
system. The solutions
going to improve any time soon. Nevertheless, provide scalability,
and heterogeneity if you as a company administrator or security notification of the
specialist provide proper protection on all status of the network’s
fronts, then there is a good chance that your antivirus protection,
control over the use of
Compatibility is a definitive requirement of company’s business will prosper. Educate your external devices, special
a security system – it must be able to fully staff about computer safety on a regular basis. security policies for
operate in a complex, heterogenic corporate Distributed security policies and access rights mobile users, support
network without any negative impact on the should be compulsory and provide protection for network access
other components. Any corporate antivirus solutions for all nodes on the network, from the control technologies and
system has to be able to function with a range gateways to the endpoints - and don’t omit the customized reporting,
allowing administrators
of different devices. Modern computer systems bosses smartphones or notebooks. Remember; to manage the system
can consist not only of workstation computers, economize just once on network protection and in an effective way
file servers and mail servers, but notebooks and it is possible that the whole of the company’s via a straightforward
smartphones too. Smartphones are commonly business could be lost as a result. RE interface.

www.secureviewmag.com 4th quarter 2010 SECUREVIEW | 17

 Analytics | Smartphone Security

Desperate Jailbreakers
It was late July, and Apple was still reeling from an uncharacteristic
backlash by the media and its typically adoring customer base over
a design flaw in the antenna of its much-vaunted new iPhone 4.0
that effectively wiped out wireless reception for many users.
Then, at the beginning of August, hackers published a remotely
exploitable security vulnerability in the device that left tens of
millions of iPhone users exposed to malicious drive-by downloads.

Article by The exploit, embedded in the website

Brian Krebs
Brian Krebs is editor of
krebsonsecurity.com, a
daily blog dedicated to
in-depth Internet security
news and investigation.
Until recently, Krebs
was a reporter for The
Washington Post, where
he covered Internet
security, cybercrime
and privacy issues for
the newspaper and the
website. Krebs got his
start in journalism at
The Post in 1995, and
has been writing about
computer security,
privacy and cybercrime
for more than a decade..
jailbreakme.com, was intended to provide
a simple way for iPhone and iPad users
to "jailbreak" their phones – a process
that allows the installation of third-party
applications that are not expressly approved
by Apple. Yet, security experts were instantly
drawn to the much darker potential for this
exploit to be abused to install malicious
programs on all of these devices – and not
just those belonging to jailbreakers.
The hackers who discovered the flaw soon
released a patch to block future attacks
against jailbreakers, and Apple issued an
official fix to protect regular iPhone users a
few days later. Still, the incident has thrown
a spotlight on the simmering, high-stakes
tension between security and usability in the
mobile computing market.
While technically speaking all jailbreaks
exploit security vulnerabilities or configuration
weaknesses in the underlying operating
system, nearly all previous jailbreak exploits
required the user to connect their iPhones
to his or her computer with a USB cable. If
you were lucky, the jailbreak would work;
otherwise, you might be the proud owner of a
very expensive paperweight.
All of that changed on 01 Aug, with the
debut of a powerful and highly reliable new
iPhone exploit embedded in jailbreakme.com,
which allowed iPhone users – even those on
the most recent 4.0 iOS – to jailbreak merely
by visiting the site with the iPhone's Safari web
browser and dragging the slider bar across the
device's touchscreen.
Instantly, the process of jailbreaking
became more akin to casual web surfing and
less like patching and praying. At the same
time, tens of millions of people were exposed
to a powerful, remote exploit that criminals
could use to install malware just by convincing
an iPhone or iPad user to browse a hacked or Now to unblock an iPhone, iPod touch or iPad, it’s enough just
malicious website. to visit a special website

|
18 SECUREVIEW 4th quarter 2010 www.secureviewmag.com

"My grandma doesn't know what
jailbreaking is and never had to worry
about what jailbreakers were up to
because if she wanted to jailbreak her
phone she had to plug it into a computer,
download some special tools, and then
it might work," said Charlie Miller, a
renowned iPhone hacker and researcher
with the Baltimore, Md. based firm
Independent Security Evaluators. "But
now, here was something that could
radically change your phone just by
visiting a webpage, all of a sudden
this meant instead of doing something
fun and friendly like jailbreaking the
phone, it could do something evil, where
grandma goes to some site and the
same vulnerability is used to download
code to the phone."
Patch wars
Four days after jailbreakme.com went
live, Apple announced it would soon
be releasing a patch it had developed
to protect users. Almost immediately,
jailbreaking advocates lit up Twitter.com
and other social media sites, warning
people not to download the Apple patch
because it would un-jailbreak those
devices, or possibly worse.
That advice struck some security
experts as a scary sign of things to
come. Mikko Hypponnen, Chief Research
Officer for Finnish computer security firm
F-Secure Corp., was among those who
publicly chastized the team for telling
people not to apply the patch.
"Imagine if this would have
happened with Microsoft Windows,
where someone creates a zero-day
exploit, doesn't report it to Microsoft,
then publishes the exploit, and when
Microsoft responds with a patch there
are thousands of people telling the
world not to patch it," Hypponen said.
"If they want to give that kind of advice
Looking at the Ikee.b source code, it’s easy to spot the default password ‘Alpine’ that opens the door for the malware to walk through
www.secureviewmag.com
Smartphone Security | Analytics
to people who have jailbroken their
phones, that's great. But now they've
made everyone vulnerable – because
these exploits are out there affecting
everyone – and even people who
haven't jailbroken their phones are
getting the advice not to upgrade, when
in fact they should."
Within days of releasing its exploit,
the crew responsible for creating the
web-based jailbreak –a group called
the iPhone Dev Team, along with a
developer known by the screen name
"Comex," - released "PDF Warner," a
tool that jailbreakers could install to
receive a warning if a website tried
to use the jailbreak flaw to install
malicious software.
The Dev Team even released its own
unofficial patch for those who had
jailbroken their phones, which went
further in protecting jailbroken users than
did the official patch from Apple, which
does nothing to fix the flaw in iPhone
devices older than iPhone 2.x versions.
Will Strafach, an independent software
developer from Connecticut who helped
test the exploit used on jailbreakme.
com, acknowledged that the unofficial
patch took a bit longer than expected,
and that it is still not installed by default
after people use jailbreakme.com. Still,
he noted that neither this exploit nor a
similar, remotely exploitable jailbreakme.
com exploit released back in November
2007 resulted in any malicious attacks.
"Not much detail will be released
about how the exploits work until after
Apple has issued their patch, so…there
has never to date been a malicious
payload I have seen for the two
jailbreakme.com exploits," Strafach said.
Strafach is technically correct. Then
again, the only real threats to emerge
against the iPhone have worked only
against jailbroken device, by exploiting
default settings left behind during
the jailbreaking process. In November
2009, the relatively harmless "Ikee
worm" spread rapidly among iPhone
users who had jailbroken their phones
but neglected to change the default
SSH password. The Ikee worm was
more an annoyance than a threat: It
"Rickrolled" less cautious jailbroken
iPhone users by changing the
wallpaper on their devices to a picture
of 80s pop singer Rick Astley.
But a second, less publicized
version of Ikee, introduced the first
known banking Trojan for the iPhone.
Unceremoniously dubbed "Ikee.b," the
worm modified the "hosts" file on the
iPhone – adding a single entry so that
anyone trying to visit the website of ING
Bank in the Netherlands (www.ing.nl)
with an infected iPhone was redirected
to a counterfeit ING website hosted
in Tokyo and designed to phish the
victim's online banking credentials.
That attack received little attention
in the news media, probably because
it affected such a miniscule subset of
iPhone users: Those in the Netherlands
who had insecure jailbroken iPhones
that they used for online banking.
What's more, Hypponen said, the fake
ING site was only online for a short time
before being taken down.
"The overall point is that the more
time passes, the more exploits like this
we will see for the iPhone and other
mobile platforms, and the more likely
we'll start to see moneymaking attacks
on mobile phones," he said.
Attack of
the killer apps?
Of course, security vulnerabiltiies
aren't the only way intruders can
break into mobile phones. Malicious
applications or "apps" designed for use
on smartphones can hide malicious
software, or turn from benign to
4th quarter 2010 SECUREVIEW | 19
 Analytics | Smartphone Security
The first harmful program for Android masquerades as a legitimate Movie Player
malicious via an update after a user
has already trusted and downloaded it
to their phone.
About the same time that jailbreakme.
com debuted this latest remote root
exploit for the iPhone, security experts
were unraveling the secrets of a
questionable app designed for Google's
Android phone users.
According to San Francisco-based
mobile security firm Lookout, the
app – an apparently innocent program
that offered free wallpapers and
was downloaded more than a million
times - collected users' phone numbers,
subscriber information and voicemail
numbers, and sent the information off to
a server in China.
Then, on 09 Aug, Kaspersky Lab said
it had discovered the first malicious
program for the Google Android platform:
A Trojan disguised as a media player
app that uses the victim's phone to send
expensive text messages to premium rate
numbers without the user's consent.
Unlike Apple's tightly controlled
App Store, the Google platform allows
developers to upload applications for other
users. Interestingly though, while the ability
to install unapproved apps is the main
reason people jailbreak their phones, not a
single malicious third-party app has been
reported for jailbroken iPhones.
Lookout co-founder John Hering
said the two models represent the
classic tug-of-war between security
and useability. But, he said, one isn't
necessarily more secure or better than
the other. Rather, the mobile providers
|
20 SECUREVIEW 4th quarter 2010
need to focus on reacting quickly when
problems are spotted.
"It's the classic balance of security
and openness at odds with one another,"
said Hering. "So far, both providers have
shown they have the ability to respond to
these incidents very quickly."
The jailbreakme.com vulnerability drew
an unusually speedy response from Apple,
which has long been criticized for taking
its time in fixing many security flaws. For
example, Apple maintains its own version
of Java and has been shown to lag up to
six months behind implementing the same
security updates that Sun/Oracle released
for versions of Java on other platforms.
The company has also been known
to fix bugs in its Safari web browser on
the Mac and yet leave those same bugs
unpatched on the iPhone for months at
a time (it's notable that the jailbreakme.
com exploit– which leveraged a
vulnerability in the way iPhones render
PDF documents – was used via Safari).
Apple's defenders say if the company
fails to rush out emergency patches
each week, it's probably in part because
the computing platform simply isn't
constantly under siege by cybercriminals -
unlike a certain dominant operating
system made by Microsoft.
Rich Mogull, a security analyst at
Phoenix-based Securosis, says Apple
is right to react differently to potent
threats against its mobile devices. Mogull
notes that Apple's mobile operating
system – which shares much of the same
code base as the OS that powers Mac
desktop and laptop computers - has the
potential to make an end-run around
the traditional flame-war inducing,
long-running debate: Whether Macs are
safer due to the way they are designed or
because there are fewer users relative to
the Windows PC community?
Indeed, with more than 100 million
Apple mobile devices sold so far, there
are now vastly more iPhone, iPad and
iTouch users than traditional Mac
users. In addition, consumers are
increasingly using their mobile phones
for a variety of sensitive transactions,
such as online banking, shopping and
confidential communications.
"Everyone talks about market share
questions, but we're not going to get
the answer to that question on general
purpose computers, we're going to get
the answer to that question from these
devices," Mogull said.
Looking forward
That answer may not come immediately.
For one thing, exploits like the one
stitched into jailbreakme.com don't grow
on trees. Strafach said the Dev-Team
and Comex stated that the exploit went
through three weeks of development and
a week of testing before going live.
The exploit was so difficult to find
and refine that it may be quite some
time before another remote jailbreak
flaw is found, Strafach said, although
he stressed that the Dev Team never
discusses ongoing research.
www.secureviewmag.com
 Smartphone Security | Analytics
"Yeah, I kind of agree is raises the bar for
jailbreaking in a way that may be difficult to
replicate”, Strafach said. "Comex really outdid
himself. Safari isn't an easy thing at all to exploit
because of the strong sandbox restrictions."
Also, vulnerabilities that allow remote
jailbreaking tend to be useful for far less time
than those that require tethering the phone
to the computer, as Apple patches them far
more quickly.
"Apple has a group of people called the Red
Team whose specific task it is to fix exploits
from jailbreaks, because as you have probably
seen, it gives them bad press when hackers
are running around with remote root exploits in
Apple's most iconic product”, Strafach said.
According to Mogull, “In recent weeks, some
antivirus firms have been making noises about
these new threats being an indicator that
Apple should open up its platform to traditional
desktop security vendors. But doing so would
be a mistake at this point, as so far at least, its
systems have been self-correcting.”
"Sure, if device makers don't do a good job
of keeping those platforms secure and locking
them down, then people may need to look at third
party stuff," Mogull said. "There's going to be less
margin for error if anything big starts to happen.
For example, if you can't make a phone call or
summon the emergency services because you
have a virus on your phone, I guarantee that will
get congressional hearings faster than your not
being able to browse porn because you have a
virus on your desktop." RE
To unlock an iPhone, one movement of the finger
is all that is required
www.secureviewmag.com
The topic of iPhone security, as well as that of
other Apple devices running the iOS operating
system (iPod Touch and iPad) is always
important. As one might expect, this topic
encompasses the eternal question of balance
between usability and security, an issue that
comes up time and time again. In many cases,
Apple has successfully managed to tread the
fine line between the two:
1. The huge popularity of iOS-based devices
all over the world proves this
2. In the 3 years since the first iPhone
appeared, only two malware programs have
been detected. However, even those two are
capable of operating only on devices that
have been exposed to ‘jailbreak’.
Apple’s model for the distribution of its
applications has proved itself many times
over: thousands of designers create
purchasable and free applications which
undergo extensive checks before ending up
in the Apple Store. Millions of people buy
and install these applications and everyone
is happy… aren’t they?
Well, it’s not possible to be 100% sure
of that just yet:
1. Malware applications disguised as
legitimate software have never appeared
in the Apple Store
2. The iOS operating system does not contain
any undetected critical vulnerabilities
Let’s look at both of those
statements in more detail.
Considering that as yet there is no indication
that malware applications have been detected
in Apple Store software, it appears that the
checking system for candidate programs to be
added to the catalogue is operating efficiently
enough. Without reliable information regarding
the checking process of new applications,
it is only possible to hypothesize about the
mechanisms involved. In any case, no
matter what the procedure, the possibility of
a mistake cannot be excluded, which in the
worst case, will lead to a piece of malware
entering the Apple Store. Given the fact that
users consider programs distributed via the
Apple Store to be trustworthy and harmless,
the potential for a virus epidemic is huge.
The second statement regarding the
iOS containing no undetected and thus
unpatched critical vulnerabilities is even
more questionable. Given the balance
of probabilities, it is fair to assume that it
must contain at least one. In the event that
such a vulnerability were detected by Apple
themselves, or by a person or company who
notifies Apple privately and without fuss,
a patch for the vulnerability would have
to be launched. However in such a case,
how quickly could the patch be developed
and distributed? Would not any delay in its
distribution result in word spreading publically
Expert Comments
Denis Maslennikov
Senior Malware Analyst,
Mobile Research Group Manager
about the vulnerability’s existence?
Now for the worst case scenario: imagine just
such a critical vulnerability being discovered
by criminals. If this happened; one can only
guess how it would be used. Of the fact that
criminals would try to make use of it one way or
another, there can be no doubt at all, especially
if the vulnerability was present in not just one
particular version of the operating system,
but all of them. Again we can only imagine the
consequences of a mass virus infection of
thousands of devices running on iOS.
We could continue talking about iOS and
other mobile platform security indefinitely.
These questions are of vital importance
today. Mobile devices such as smartphones,
regular mobiles and other “smart” devices
are being equipped with more and more
functionality. With their increased processing
capabilities, mobile devices have become
practically as powerful as the desktop
computers upon which we perform
numerous different tasks. Mobile devices are
a direct line to a user’s money and personal
data, and that is something that the criminals
simply can’t ignore. They are more than
ready to take advantage of a user’s lack of
knowledge about, or indifference to, mobile
security protection issues. That is why it is
not possible to pay too much attention to the
security issues surrounding smartphones
and other similar devices, which if ignored,
can lead to the direst of dire consequences.
If we were to talk specifically
about devices running iOS, then:
1. As mentioned previously, the possible
appearance of malware for jailbroken
smartphones cannot be excluded. How to
protect such devices against infection is
still very much an open question.
2. Again, as we have discussed already,
the possible appearance of unknown
critical vulnerabilities cannot be excluded
either. How can this threat be negated?
Only by prompt notification from the
manufacturer and the rapid development
and distribution of suitable updates.
4th quarter 2010 SECUREVIEW | 21
 Analytics | Rogue Antivirus Solutions

The enemy at the gate

“The FBI warned consumers today about an ongoing threat involving
pop-up security messages that appear while they are on the Internet.
The messages may contain a virus that could harm your computer,
be the cause of costly repairs, or even worse, lead to identity theft.
The messages contain scareware, or rogue antivirus software that
looks authentic… The FBI estimates scareware has cost victims
more than $150 million.” www.fbi.gov

Article by
Maciej Ziarek
Security Evangelist
at Kaspersky Lab
Maciej joined Kaspersky
Lab in 2008. Before
joining Kaspersky Lab,
Maciej wrote for Internet
websites and worked
at the Information
Centre of the Nicolaus
Copernicus University
in Torun, Poland, the
same university from
which he received his
Bachelor’s Degree
in Archival Science
and Documentation
Management.
Maciej is currently
studying Computer
Science at the Wyzsza
Szkola Informatyki
in Bydgoszcz, Poland.
His interests include
cryptography, wireless
network security and
social engineering.
An antivirus program is currently the basic
element of any security policy for fighting viruses
and other broadly recognised malicious applications.
It constitutes a user’s first line of defence against
increasingly sophisticated malware designed
to penetrate their systems. For years, antivirus
companies have built up their reputations, gaining
recognition and trust among their users. Despite this,
in the last few years we have encountered more and
more cybercriminal attacks based upon exploiting
that trust, as well as on human naivety, fear and lack
of knowledge. Rogue antivirus solutions, as per the
subject of my article, are becoming an increasing
plague not only for corporations, but also, and most
importantly, for users unaware of the threat.
What are rogue
antivirus solutions?
Rogue antivirus solutions are applications that
employ various methods to persuade a user that
their system is infected and the only way to remove
the threat is to buy an appropriate licence for
the application. One of the methods used is
to frequently display irritating, fictitious messages,
altering a start page or changing the wallpaper.
There are many reasons why cybercriminals prefer
this method. First of all, a user who is frightened
by frequently appearing messages about a threat
on their computer will be more inclined to pay
for a solution to the problem. Secondly, if a user
downloads an application of this type on their own
they will probably agree to the installation, which
makes it easier to get around security systems
such as the Windows UAC (User Account Control).
Thirdly, along with a rogue antivirus solution,
an attacker can install spyware, keyloggers and
other malware onto the victim’s disks. In this way,
the cybercriminal not only receives money for
a licence, but can later steal the victims’ data.
The application itself is very obtrusive, as every
now and then it floods a user with information
about new threats and the necessity of buying
a full version of the application to remove those
threats. Fearing data loss, a desperate user will
take a shortcut, believing that after purchasing the
application their system will not only be disinfected,
but the application will protect their system against
other threats too.
Why are such programs so successful? There are
many reasons, but the most important of all is social
engineering. The whole business is based upon
it. Social engineering is the art of manipulating a
human being, affecting them in such a way that they
become vulnerable to the suggestions of others.
Everything boils down to making a convincing
presentation of the facts, in this case an alleged
infection, and controlling a particular person for
personal gain. The outcome being that the victim is
persuaded to purchase an expensive licence.
At the beginning of the article I mentioned that
cybercriminals try to make their ’products’ appear
similar to those offered by legitimate antivirus
market giants. Naturally, this similarity begins and
ends with copying the graphical interface style
of a real program. There is no borrowing of any
useful features in copied applications. The aim
is to mislead users, to convince them that what they
have is a reputable program.
It is easy to see that the website of the antivirus
program called ‘Antivirus and Security’ was
modelled entirely on a Kaspersky Lab product.
The similarities include: the box, logo, colours,
and even the window of the installed program that
can be seen on the screen. Kaspersky Lab is not
the only company to be exploited in this way. The
same happens to Symantec, Avast, Avira, AVG
and McAfee. Though the cybercriminals make
their programs resemble products from these
companies, the name of the rogue antivirus solution
remains unchanged – ‘Antivirus and Security.
It is also worth noting that a similarity to known
brands is not the only way of convincing users to buy
a rogue antivirus solution. Other methods include:
• a table which purportedly allows a user to
compare the level of protection offered by
‘Antivirus & Security’ against solutions from

|
22 SECUREVIEW 4th quarter 2010 www.secureviewmag.com
 Rogue Antivirus Solutions | Analytics
Find three differences between these products and a real Kaspersky Anti-Virus box
other [legitimate] companies. Of course,
the table shows supposed shortfalls in
products from the legitimate companies
• a list of bogus awards to highlight the
exceptional characteristics of ‘A&V’
• confirming users’ fears about system
infections through such statements
as ‘System warnings are frequent’
or ‘Pop-ups interrupt web surfing.’It is
obvious that rogue antivirus solutions
display such warnings so that users will
react promptly to them
• the website is divided into several
sections such as: ‘Members’, ’Support’,
‘Download’ and ’Home’ to make them
appear more credible
Compromising
the system
Rogue antivirus programs may infect
a system in various ways. However, each
of them involves social engineering and the
manipulation of human beings. Fear often
turns out to be the best motivation for
people to act. It is usually fear that rogue
antivirus solutions exploit so successfully,
hence their alternative name – scareware.
Programs, plug-ins, codecs
The oldest method of infecting
computers with scareware is by
the use of Trojans. Once they have
infected a system, these Trojans then
download rogue antivirus programs.
To persuade users to download such a file
a cybercriminal spreads a link to websites
with interesting films or add-ons e.g. for
www.secureviewmag.com
a browser. After entering the website
it turns out that the film cannot be played
because the system lacks a certain codec
or the latest version of Flash Player has
not been installed. The same website then
suggests downloading a file which will solve
the problem. Naturally, this file is nothing
more than a malicious program.
The still widespread network worm Kido
(Conficker) is an example of such malware,
among whose many functions is the
downloading of rogue antivirus programs
which are supposed to help remove viruses
and Trojans. The user is informed about
threats which in reality do not exist and
of the necessity to pay for the program
to activate its full functionality.
Online antimalware scanners
This form of system infection is effective
in situations where a user suspects
that their computer has been infected
Rogue antivirus programs may infect a system in various ways
with a malicious program. When your
operating system becomes slow, looking
for files takes you longer than usual and
the processor’s activity is noticeably
high, you know something is wrong and
start to look for a solution. One of which
may be to scan your computer using an
online scanner to find out whether the
source of your problems is indeed a virus.
The Internet is full of websites offering disc
scanning, but unfortunately, some of them
deliberately show false results. They are
designed to persuade users to download the
cybercriminals’ own program which will then
‘solve the problem’.
As a result, once a user enters the
website the script is launched which
supposedly shows the progress of the
hard drive scanning process. This is
an obvious deception and has nothing
to do with your operating system (often
even the names of folders and partitions
differ from those that you have, which
should be the first warning signal).
To remove all infections you need to click
‘Erase Infected’, download the program and
then pay $49,99 for the full version. The
whole scanning process naturally takes
place in the browser window.
Search Engine Optimization (SEO)
Basically, this method of computer
infection is similar to the previous one,
it even uses similar mechanisms. However,
I think it is reasonable to treat them
separately. SEO is a system of positioning
websites in Internet search engines
according to appropriate key words. Thus,
it is quite often used to increase the
positioning of websites containing false
antivirus scanners, but not always. As we
see more and more often, cybercriminals
react very quickly to frequently searched
phrases. They create a website that is
related to popular questions and position
4th quarter 2010 SECUREVIEW | 23
 Analytics | Rogue Antivirus Solutions

Expert Comments
Costin Raiu
Director of the Global
Research & Analysis Team
at Kaspersky Lab
it in such a way that it appears on the first page
of search engine results. Visiting such a website
will end with either malware being downloaded,
or as in the example above, the false  scanning
of a hard drive.
Usually cybercriminals play upon hot news topics.
For example, after the plane crash with the Polish
president on board on 10 April, 2010, websites
quickly appeared which allegedly revealed unknown
details of the tragedy. Unfortunately, once the
site was entered information about the necessity
of scanning the user’s computer was displayed.

Attacks using ‘iframe’

A bogus YouTube website. A false message informs the user that it
One method that is particularly difficult for a is necessary to update their copy of Flash Player. Cybercriminals
Why are rogue AV user to detect is an attack using hidden iframes. often covertly insert malicious programs into a user’s system by
programs so effective? this method, any one of which may be a rogue antivirus solution
This can be achieved by adding the appropriate
“I think there are a number of code to a website:
different reasons for that, of which I
will name the three most important. <iframe src=www.sample.xyz width=1 height=1 depending on the functionality and the way of
First of all, the computers belonging style="visibility: hidden"></iframe> packing/compressing the binary files. Thus,
to people that do not use security Such an iframe will be invisible and the user will rogue antivirus programs may be contained in,
solutions soon become infected. be redirected to www.sample.xyz from which the among other examples, the following signatures:
When they realise that they have an downloading of a malicious program can be started. not-a-virus:FraudTool (this program is ascribed
infection, they then start searching A user is frequently unaware of what is going on. to the ‘not a virus’ category due to the lack of
for solutions and very often end up
on black SEO pages that promote The code can be injected after stealing the a malicious payload, apart from its attempts
RogueAV tools. Secondly, many login and FTP account on the computer of a to persuade users to pay money for a non-
of these RogueAV programs person responsible for a website’s content. functioning application), Trojan.Win32.RogueAV,
get delivered through zero day Trojan.Win32.FraudPack or Trojan-Downloader.
exploits, including from legitimate Win32.Agent.
websites that have been injected
with iframes or  otherwise similarly
Gloomy statistics The diagram refers to FraudTool signatures and
compromised. This is mainly shows the Top10 rogue antivirus programs. The data
because it’s almost impossible comes from the period March 2010 to mid-June
nowadays to keep up with all of There are many types of malicious programs 2010 and was generated by KSN (Kaspersky Security
the patches from all of the vendors designed to scare people into buying a licence Network). Due to the huge number of signatures it
without some kind of specialized for a worthless program. Their names may differ is difficult to tell for sure just by the name whether a
tool to help you. Finally, many
RogueAV programs get installed
by other malware, which originally
infected the system through social
engineering tricks. After all, the
human link is still one of the major
weaknesses in the security chain.
That is why the RogueAV model is
so highly successful. It is based on
the concept of selling something
which is not entirely illegal in every
country. Many users, once they
discover they’ve been deceived,
ask the bank for a reimbursement.
Still, many will not realize they’ve
been the victims of a fraud scheme
and take the blame themselves. For
this reason, I’m sure that RogueAV
programs are here to stay for a
while. I should also say that the
social engineering behind RogueAV
programs is pretty standard and is
based on two main concepts: fear
and reward. In all of these attacks,
the cybercriminals try to scare the
user into installing their products,
or promise rewards if he or she
does it. The number of variations
based on these two main concepts
is very high and new ideas appear
almost every day, however, I think
that in the future, the trends will
continue to gravitate towards fear
and reward.” A fake scanner based on Javascript looks quite genuine to an inexperienced user

|
24 SECUREVIEW 4th quarter 2010 www.secureviewmag.com
 Rogue Antivirus Solutions | Analytics
The KSN Top 10 rogue antivirus programs from March 2010 to mid-June 2010, Information courtesy of Kaspersky Lab
particular malicious program represents a
group of rogue antivirus solutions or not.
Based on the above data a diagram
was created showing which countries had
the largest number of FraudTool.Win32
infections up to June 2010. First
place goes to Vietnam with over
120,000 cases of infection. In total, there
were 266,090 victims of FraudTool.Win32
in all of the countries monitored.
The last graph shows the number
of malicious programs detected on
particular days for the period from March
to June. From mid-March, the number
of infections has systematically decreased.
In March, there were 192,000 infections
in total, in April 150,000, in May 135,000
and between 01 and 17 June 58,000
infections, which indicates that the number
of infections in June will probably be even
smaller than in May. However this fact
only proves that like everyone everywhere,
cybercriminals also like to take their
vacations in summer. As with other
malware distribution, scareware peaks
in spring, autumn and before New Year.
Summary
Rogue antivirus programs are quite
successful, which seems to be confirmed
by the fact that cybercriminals look
for new methods to entrap unwary
users. Cybercriminals are getting better
and better at making their products
similar to known security applications.
As a result, companies lose the trust
www.secureviewmag.com
of their customers, whilst the customers
themselves, quite apart from money, can
lose passwords and logins to bank and
email accounts, social networks, etc.
This means that the identity of the victim
is under threat. We can easily predict
what will happen next. With a new ID,
a cybercriminal can open a bank account
in somebody else’s name and use it with
impunity, as it is the victim that will be
responsible for the cybercriminal’s actions.
Microsoft as the biggest software vendor
is engaged in a campaign against this type
of fraud also. Its website informs visitors
how to remove an unwanted program and
how to tell the difference between a false
version of Windows Defender and the real one,
which is built into the Windows system. RE
The number of malicious programs detected on particular days for the period from March to June 2010
How to avoid these threats
Well, first of all you should have an
updated antivirus program installed
on your computer that regularly scans
the discs. If you want to download
security updates, do it only from known
and trusted websites or directly from
the website of a particular solution’s
manufacturer. If you enter a website
offering computer scanning, it is best
to close the window using the alt+F4
key combination, as clicking any place
in the window often brings the same
result – initiation of the downloading/
scanning system. The Windows
system never warns about infections
in an intrusive way (change of a start
page, wallpaper etc.). If new icons
or applications appear, you should
immediately scan the whole computer
using an antivirus program downloaded
from one of the mainstream computer
security providers’ websites and it is
also worth installing script blocking
add-ons for the browser.
Do not use the option of remembering
passwords to an FTP account (especially
important in the case of webmasters),
use automatic updating of the system
and programs installed on it. Also, work
via a user account with limited rights for
day-to-day tasks and enable UAC.
However, the most important thing
is to show common sense and not to
click on links thoughtlessly. Although
speed is an important element of
security as the reaction to threats
should be as quick as possible,
a user should think twice before
approving an operation or entering
a suspicious website.
4th quarter 2010 SECUREVIEW | 25
 Technology | Cyber Expert

Artificial Intelligence
in the realms of IT security
Is it possible to define human intelligence so precisely as to be able
to then simulate it with the aid of machines? That is still very much a
bone of contention among the scientific community. Developers who
are trying to create artificial intelligence use widely varying approaches.
Some of them believe that artificial neural networks are the way
forward, others the manipulation of the symbols. As things stand today,
no device containing artificial intelligence has successfully passed the
Turing test. The famous British computer scientist Alan Turing stated
that in order for a machine to be classed as truly intelligent in its own
right, a user should be completely unable to distinguish if they are
interacting with a machine or another human being. One potential
application of autonomous artificial intelligence is in the field of
computer virology and the provision of remote computer maintenance

Article by
Oleg Zaitsev
Chief Technology Expert
at Kaspersky Lab
Oleg joined Kaspersky Lab
in 2007 as a Developer
in the Complex Threat
Analysis Group. He was
promoted to Technology
Expert in November 2008
and is responsible for
carrying out research
into new detection and
disinfection technologies,
investigating and
disinfecting remote
systems and analyzing the
behavior of malware.
The main task facing artificial intelligence [AI]
researchers at present is to create an autonomous,
AI device fully capable of learning, making informed
decisions and modifying its own behavioral patterns
in response to external stimuli. It is possible to build
highly specialized bespoke systems; it is possible
to build more universal and complex AI, however,
such systems are always based upon experience
and knowledge provided by humans in the form of
behavioral examples, rules or algorithms.
Why is it so difficult to create autonomous artificial
intelligence? It is difficult because a machine does
not possess such human qualities as animated
thought, intuition, an ability to differentiate between
important and minor, and most importantly, it lacks
the thirst for new knowledge. All of these qualities
endow mankind with the ability to arrive at solutions
to problems, even when those problems are not
linear. In order to do proper work, AI currently
requires algorithms that have been predetermined
by humans. Nevertheless, attempts to reach the holy
grail of true AI are constantly being made and some
of them are showing signs of success.
Manual labor expenses
The process of malware detection and the
restoration of normal operating parameters
on a computer involve three main steps. That rule
applies regardless of whom or what undertakes
each step, be it a man or a machine. The first
step is the collection of objective data about the
computer under investigation and the programs it
is running. This is best achieved by the use of high-
speed, automated equipment capable of producing
machine-readable reports and operating without
human intervention.
The second step involves subjecting the collected
data to detailed scrutiny. For example, if a report
shows that a suspicious object has been detected,
that object must be quarantined and thoroughly
analyzed to determine its level of threat and a decision
taken regarding what further actions are required.
The third step is the actual procedure
of treating the problem, for which a special
scripting language can be used. This contains
the commands required for the removal of any
malware files and the restoration of the normal
operating parameters of the computer.
Generally speaking, just a few years ago steps
two and three were performed by analysts working
for IT security companies and experts on specialized
forums using almost no automation. However,
with an increase in the number of users becoming
malware victims and subsequently needing help,
this led to a number of problems, namely:
• When protocols and quarantine files are
being processed manually, a virus expert is

|
26 SECUREVIEW 4th quarter 2010 www.secureviewmag.com

1 General principles
Users' PC 2
5 System's AI
Cyber Helper
Subsystem 1
Subsystem N
4 Experts - analysts
3
System analyzers
System analyzer 1
System analyzer N
The Cyber Helper system’s general operation algorithm steps 1 to 6
faced with huge volumes of continually
changing information that needs to
be absorbed and fully understood,
a process which is never fast.
• A human being has natural
psychological and physiological
limits. Any specialist can get tired
or make a mistake; the more
complex the task, the higher the
chances are of making a mistake.
For example, an overburdened virus
expert may not notice a malware
program, or conversely, may delete
a legitimate application.
• The analysis of quarantined files is a
very time-consuming operation because
of the fact that the expert needs to
consider the unique features of each
sample – i.e., where and how it appeared
and what is suspect about it.
The abovementioned problems can only
be resolved by fully automating the analysis
and treatment of computer malware,
however, numerous attempts do this by
the use of different algorithms have so
When a request for treatment is made it is important to provide answers to all the questions concerning the system
www.secureviewmag.com
Cyber Expert | Technology
6
6 of time experiments in this field have
far yielded no positive results. The main
reason of this failure lies in the fact that
malware is constantly developing and
that every day, dozens of new malware
programs with ever more sophisticated
methods of imbedding and disguising
themselves appear on the Internet.
As a result, detection algorithms need
to be ultra-complex and worse still, become
outdated very rapidly and need to be
kept constantly up to date and debugged.
Another problem, of course, is that the
effectiveness of any algorithm is naturally
limited by the ability of its creators.
The utilization of expert systems
in virus ‘catching’ appears to be
a little more effective. Developers
of expert antivirus systems face similar
problems – the effectiveness of a
system depends upon the quality of
the rules and knowledge bases that
it uses. Additionally, these knowledge
bases have to be constantly updated
and once again that means spending out
on human resources.
of operation of the
Cyber Helper system
Despite the difficulties, over the course
led to some success – the Cyber Helper
system was created – a successful
attempt at getting nearer to employing
true autonomous AI in the battle against
malware. The majority of Cyber Helper’s
autonomous subsystems are able
to synchronize, exchange data and work
in unison with one another. Naturally
they contain some ‘hard’ algorithms and
rules like conventional programs do,
but for the most part they operate using
fuzzy logic and independently define their
own behavior as they go about solving
different tasks.
At the heart of the Cyber Helper system
is a utility called AVZ that was created by
the author in 2004. AVZ was especially
designed to automatically collect data
from suspect computers and malware
and store it in machine-readable form
for use by other subsystems. The utility
constructs reports of its examination
of a computer system in HTML format for
human consumption and XML for machine
analysis. From 2008 onwards, the core
AVZ program has been integrated into
Kaspersky Lab’s antivirus solutions.
The system’s operating algorithm
consists of six steps. During the first
step, the core AVZ program performs an
antivirus scan on the infected computer
and transfers the results it receives
in XML format to the other Cyber Helper
subsystems for analysis.
The system analyzer studies the
received protocol based on the enormous
volumes of data already available relating
to familiar malware programs, any
previously performed remedial actions
undertaken on similar cases, as well as
other factors besides. In this respect,
Cyber Helper resembles a living, working
human brain, which in order to be
productive must accumulate knowledge
about its surrounding environment;
especially during the period that it is
establishing itself. In order for children to
become fully developed it is vital that they
are continually aware of what is happening
in their world and that they can readily
communicate with other people. Here the
machine has the advantage over man as it
is able to store, extract and process much
larger volumes of information than people
can in a given time span.
4th quarter 2010 SECUREVIEW | 27
 Technology | Cyber Expert
An example of an instruction and script for treatment/quarantine written by the Cyber Helper system without any human participation
One more similarity between Cyber Helper
and human beings is that Cyber Helper
is able to independently and with almost
no prompting, undertake the process of
protocol analysis and constantly teach
itself in an ever-changing environment.
When it comes to self learning, the main
difficulties for Cyber Helper concern the
following three problems: mistakes made
by human experts that the machine
is not intuitive enough to resolve;
incompleteness and inconsistency of
program information and the multiple
refining of data and delays in data entry.
Let’s look at them in more detail.
Once a request has been formulated the system once again displays it to the operator so that the operator can check
that all of the input data is correct
|
28 SECUREVIEW 4th quarter 2010
The complexity
of realization
Experts processing protocols and
quarantine files can make mistakes
or perform actions that cannot be
logically explained from a machine’s
perspective. Here’s a typical example:
when a specialist sees an unknown file
in a protocol with the characteristics
of a malware program called
%System32%\ntos.exe, the specialist
deletes such a file without quarantining
it and analyzing it further based on
their experience and intuition. Thus
the details of the actions performed
by the specialists and how they arrive
at their conclusions cannot always be
transferred directly into something
that the machine can be taught. On
many occasions, incomplete and
contradictory treatment information
is encountered. For example, before
seeking the specialized assistance of
an expert, a user may have tried to
remedy his or her computer and deleted
only a part of a malware program –
restoring infected program files and
not cleaning the registry in the process.
Finally the third typical problem: during
the protocol analysis procedure, only
metadata from a suspect object is
available, whilst after analysis of the
quarantined file, only initial information
about the suspect objects is available.
Then the categorization of an object
takes place - the outcome being that it
either represents a malware program
or a ’clean’ program. Such information
is usually only available after repeated
refinement and some considerable
time, from minutes up to months even.
The defining process may take place
both externally in an analytical services
laboratory, as well as inside Cyber
Helper’s own subsystems.
Let’s look at a typical example: an
analyzer checks a file but finds nothing
dangerous in the file’s behavior and
passes this information on to Cyber
Helper. After a while the analyzer is
upgraded and repeats its analysis
of the suspect file that it examined
earlier, only this time it returns the
opposite verdict to that which it issued
previously. The same problem can
occur in relation to the conclusions
drawn by specialist virus analysts
for those programs with an arguable
classification, for example, programs
for remote management systems, or
utilities that cover a user’s tracks –
their classification may change from
one version to the next. The peculiarity
mentioned above – the volatility and
ambiguity of the analyzed programs’
parameters, has resulted in any
decisions taken by Cyber Helper being
based on more than fifty different
independent analyses. The priorities
in every type of research and the
significance of its results are constantly
changing, along with the process of self
learning for the intelligent system.
On the basis of information available
at the present time, the Cyber Helper
analyzer provides a number of
hypotheses with regard to which of
www.secureviewmag.com

The 911 services available on the VirusInfo website can be used by anyone who wants to
the objects present in a protocol may
constitute a threat and which can be
added to the database of ‘clean’ files.
On the basis of these hypotheses, AVZ
automatically writes scripts for the
quarantining of suspicious objects.
The script is then transferred to the
user’s machine for execution. (Step 2
of the Cyber Helper system’s general
operation algorithm).
At the stage at which the script is
written it may be that the intelligent
system has detected data that is clearly
nefarious. In this case, the script can
include the delete commands for
known malware programs or call for
special procedures to restore known
system damage. Such situations
happen quite often and are due to the
fact that Cyber Helper simultaneously
processes hundreds of requests; this
is typical in situations where several
users have suffered at the hands of
the same malware program and their
machines are requesting assistance.
Having received and analyzed the
required samples from one of the users’
machines, Cyber Helper is able to
provide other users with the treatment
scripts, omitting the quarantine stage
completely and thereby saving users’
time and data traffic. Objects received
from the user are analyzed under the
control of Cyber Helper and the results
enlarge the Cyber Helper knowledge
base regardless of the outcome. That
way the intelligent machine can check
any hypotheses arrived at in step 1
of the general operation algorithm,
consequently providing confirmation,
or otherwise, of the outcome.
www.secureviewmag.com
Cyber Expert | Technology
Cyber Helper’s
technical subsystems
Cyber Helper’s main subsystems are
autonomous entities that analyze program
files for content and behavior. Their
presence allows Cyber Helper to analyze
malware programs and teach itself
from the results of its endeavors. If the
analysis clearly confirms that an object
is malevolent, that object is passed to the
antivirus laboratory with a high priority
recommendation to include it into the
antivirus databases; a treatment script
is then written for the user (step 5 of the
general algorithm). It is important to note
that despite analyzing an object, Cyber
Helper cannot always make a categorical
decision regarding the nature of the
object. When such a situation occurs,
all of the initial data and results collected
are passed on to an expert for analysis
(Step 6). The expert will then provide
the required treatment solution. Cyber
Helper is not involved with the process,
but continues to study the received
quarantines and protocols, generating
reports for the expert and thereby freeing
them from the lion’s share of routine work.
At the same time, the AI systems’ ‘non-
intervention policy’ regarding the expert’s
work is not always applied; dozens of
cases are known in which the intelligent
machine has discovered mistakes in the
actions of humans by referring to the
experience it has accumulated and the
results of its own analysis of an object.
In such cases, the machine may start by
interrupting the analytical and decision-
making process and send a warning to
the expert before going on to block the
scripts that are to be sent to the user,
which from the machine’s perspective
could harm the user’s system. The
machine carries out much the same
control over its own actions. While the
treatment scripts are being developed,
another subsystem simultaneously
evaluates them, preventing any mistakes
that may occur. The simplest example
of such a mistake might be when
a malware program substitutes an
important system component. On the
one hand it is necessary to destroy the
malware program, while on the other;
to do so may result in irrecoverable
system damage.
These days, Cyber Helper is successfully
integrated into the http://virusinfo.info/
index.php?page=homeeng&langid=1
antivirus portal and forms the basis of
the experimental 911 system
http://virusinfo.info/911test/ .
In the ‘911 system’, Cyber Helper
communicates directly with the user:
requesting protocols, analyzing them,
writing scripts for the initial scan and
performing quarantine file analysis.
In accordance with the results of its
analysis, the machine is permitted to
carry out treatment of the infected
computer. Furthermore, Cyber Helper
assists the work of the experts by
finding and suppressing any dangerous
mistakes, carrying out initial analyses of
all the files placed in quarantine by the
experts and processing the quarantined
data before adding it to the database of
‘clean’ files. The technology behind Cyber
Helper and its principle of operation are
protected by Kaspersky Lab patents.
Conclusion
Modern malware programs act and
propagate extremely fast. In order
to respond immediately, the intelligent
processing of large volumes of non-
standard data is required. Artificial
intelligence is ideally suited to this task;
it can process data far in excess of the
speed of human thought. Cyber Helper
is one of only a handful of successful
attempts to get closer to the creation
of autonomous artificial intelligence. Like
an intelligent creature, Cyber Helper is able
to self learn and define its own actions
in an independent manner. Virus analysts
and intelligent machines complement one
another extremely well by working together
more effectively and providing users with
more reliable protection. RE
4th quarter 2010 SECUREVIEW | 29

Under control
Article by
Elmar Török
Elmar Török has been
working in the IT-Industry
since 1989. He became
an author and technical
journalist in 1993 while
studying electrical
engineering in Munich
and Kempten. Since then
he has written hundreds
of articles for just about
every major computer and
networking publication
in Germany. Elmar
specializes in IT-Security
and storage issues,
has a solid knowledge
of server-related topics
and knows his way
around virtualization.
He is the Editor-in-
Chief of the security
periodical “Infodienst
IT-Grundschutz” and
is involved in the final
acceptance process of
new material for the IT-
Grundschutz Catalogues
of the Federal Office for
Information Security.
|
30 SECUREVIEW 4th quarter 2010
Technology | Analysis of application activities
Security systems are constantly being perfected and if the traditional
signature-based technologies are only able to handle known threats,
the solutions for monitoring system events that have appeared
recently can detect threats and anomalous behavior in computer
systems that virus analysts are as yet completely unfamiliar with.
The traditional approach to malware protection
has always been to firstly analyze the specific
characteristics of each piece of malware,
create a database of such features that is as
comprehensive as possible and then to block
those programs that display any of the recorded
malware characteristics . The main drawback to
such signature-based methods is that they only
provide protection against known threats and
information about each threat has to be collected
separately. As a result, it is only possible to get
a very limited idea of what is going on with the
computer system as a whole, whereas to achieve
a good level of security it is necessary to have as
precise a picture as possible of the ever-changing
threatscape and system anomalies.
System monitoring: a
new level of protection
System monitors record every important change
to the system, including destructive changes, for
example, unwanted entries to the system registry
and unauthorized file modifications. Destructive
behavior is the most characteristic, precise and
identifying feature of malware and that is true for
both known and as yet unknown varieties, which is
why system monitoring is universal; it is effective
against any software that behaves as malware.
Once legitimate parameters and events have
been defined for a given system, it is possible
to detect everything that occurs outside these
limits, including unknown anomalies. In many
cases this approach is simpler than trying to
conceive of every type of threat in advance in
order to devise and implement suitable protective
strategies accordingly.
System monitoring is especially valuable if one
considers that new malware attacks and threats
are constantly being developed and perfected. For
example, it allows new threats and anomalies to
be detected that may be based on new methods of
penetrating a system and obfuscating malware.
System monitoring provides flexible protection. It
is possible to draw an analogy between whitelisting
and blacklisting software technologies. Blacklists
contain malware and destroy everything that is
not on the list, whilst whitelists contain legitimate
programs and allow only those programs on
the list to have access to the necessary system
resources. In both cases, reliable protection would
only be achieved if the lists were kept fully up-to-
date; which is an impossible task given the sheer
volume of new malware and legitimate programs
appearing daily. That is why the most reasonable
and flexible approach is to involve both types of
list: white and black.
What’s important is that system monitoring, if
implemented correctly, makes it possible to roll
back the activity of malicious programs and restore
the computer’s normal operating parameters.
Analysis of
system events
Dependable system monitoring capabilities
can be achieved by the integration of the system
monitoring software with a high quality, intellectual
system of threat analysis. It is not enough to
simply collect information about system events;
it is necessary to correctly define the sources of
such events, as well as their interconnections and
influences on the system’s security.
The monitoring system’s functionality must be
flexible and its methodology can differ depending
upon its aims. When threats are detected, a
comparison with known models of malware behavior
is used. When unknown anomalies are detected,
system events and statuses need to be analyzed as
a whole and deviations from the norm identified in
order to trigger an appropriate response.
To achieve full system protection using system
monitoring techniques, the monitoring software
has to be able to analyze events in real time in
order to be able to block and roll back destructive
actions immediately.
www.secureviewmag.com
 Analysis of application activities | Technology

Expert Comments

Nikolay Grebennikov
Chief Technology Officer at
Kaspersky Lab

Modern antivirus solutions

must include system
monitoring software.
Kaspersky Lab was one
of the first companies
to recognize the end
user benefits of this
A general overview of a typical application activity analysis system technology and introduced
it into Kaspersky Internet
Security2010. This has
Conclusion Using an analogy, the traditional signature- since been followed
by its integration into
based technologies can be compared with the the 2011versions
identification of criminals by their fingerprints, of Kaspersky Anti-
Modern threats are constantly mutating, but if the fingerprint database is not complete, Virus and Kaspersky
demanding new and more effective methods of then system monitoring can be employed Internet Security. In
protection against them. System event monitors and this is like establishing total control the 2011solutions, the
monitoring software is
meet these requirements by providing the over a protected territory and monitoring the
a separate module and
maximum amount of information about system situation so closely that criminals cannot help is known as ‘System
activities to analytical modules that can decide but be identified as soon as they set out to do Watcher’.
what, if any, response is needed. something nefarious. RE In Kaspersky Lab’s
solutions, System Watcher
monitors and records
information about the
creation and modification of
files, changes to the registry,
operating system calls
and the transfer of data to
and from the Internet. The
data collection process
is automatic and requires
no input from the user.
Most importantly, System
Watcher allows any potential
changes caused by malware
to be rolled back.
We have not only
implemented System
Watcher, but integrated
it with several analytical
modules. Based upon the
data that it collects, System
Watcher is able to make a
decision about the potential
malignancy of a program
using its ‘Behavior Stream
Signatures’ module. System
Watcher can also actively
exchange information with
the other modules used to
analyze program behavior
such as: the proactive
protection module, the
attack prevention system,
the antivirus engine and the
The latest version of Kaspersky Internet Security 2011 makes it possible to control the activities of applications Internet screen.

www.secureviewmag.com 4th quarter 2010 SECUREVIEW | 31

 forecasts | Changes in the methods and targets of attacks

Weak links Our forecasts regarding the development of threats usually look closely at
any new methods by which viruses proliferate, new platforms upon which
threats may appear and aspects of the cybercriminals existence from the
point of view of their income. However, the principle factor lying at the root
of the problem has always been, and will remain, the human factor.

Article by Right now, even cybercriminals without any

Aleks Gostev
Chief Security Expert
at Kaspersky Lab
Aleks led the Global Research
& Analysis Team from 2008,
before moving to his current
position as Chief Security
Expert with the team in
2010. Aleks specializes in
all aspects of information
security, including mobile
malware. His responsibilities
include the detection and
analysis of new malware.
Aleks’ research and analytical
articles are published both on
dedicated IT sites and in the
mass media.
the main threat
Currently however, the majority of cases of virus
infection occur while the user goes about their
business on the Internet. The now ubiquitous ‘drive-
by download’ virus technology has pushed the threat
up to new levels – despite the name, the user doesn’t
even have to actually download any files from the
Internet, but may at any time visit a malware site or
a legitimate site that has been compromised by an
exploit and end up with an infected computer as a
result. The exploitation of vulnerabilities has become
an even more effective means of proliferating viruses
than ’social engineering’ techniques – and that is
something that the information security industry has
still not got used to yet.
Many software development companies that
produce programs containing vulnerabilities
appear to struggle when it comes to restructuring
their processes — not just from the point of view of
reducing the number of vulnerabilities, but also in
how efficient they are at addressing the problem.
The situation whereby unpatched threats are
actively proliferating across the Internet is, quite
worryingly, starting to become the norm rather
than the exception.
As I sit here writing this article, I know of a
minimum of three critical vulnerabilities in popular
products that have, as yet, not been addressed by
their developers. It would not be a great surprise if
they remain unaddressed for some time after this
article is published.
The security aspects relating to the business of
the creation of other popular Internet resources,
primarily social networks, is equally woeful.
XSS- vulnerabilities are being detected in some
of the most popular resources with alarming
frequency, which adds yet another layer of threats
to the already sizeable problem being considered.
Thus the exploitation of vulnerabilities in
order to spread malware and steal information
is now extremely commonplace and not at all
the rarity that it once was.
proper knowledge of programming are able to use
ready-made ’exploit packs’ to distribute their Trojan
programs. This provides them with the ability to
reach a vastly bigger number of computers than
they could ever have hoped to reach through the
use of social engineering alone.
It has to be acknowledged that the danger
presented by software vulnerabilities is growing by
the day. Until recent times, the antivirus industry as
a whole has been reactive rather than proactive in
its approach to detecting exploits and /or informing
users about vulnerable applications on their
computers. Antivirus software companies are only
just taking the first steps towards the development of
multilayered protection systems to combat threats of
this type with the introduction of basic tools that can
identify and protect against such vulnerabilities.
Obviously this is not enough, but the process
of creating the required new technologies, their
development and their implementation is time
consuming. However, even if we are able to turn the
tide and make the exploitation of vulnerabilities as
rare an event as it was 10 years ago – the notorious
‘human factor’ will always remain.
Industrial espionage
The existence of multiple ‘zero-day’ vulnerabilities
opens up many new possibilities for the
cybercriminals, not least in the area of attacking
companies, research institutes and governmental
organizations. Whereas previously one of the main
problems experienced by these entities was the
human factor, usually involving insider action or
staff negligence, today’s threats mean that such
companies and organizations have had to completely
redefine their corporate protection strategies.
The most prolific example of the new type of
threat is the Stuxnet worm that was first detected
during the summer of 2010. Its target was to
gain access and information from the systems
that manage production of Siemens Simatic

|
32 SECUREVIEW 4th quarter 2010 www.secureviewmag.com
 Changes in the methods and targets of attacks |
WinCC and which work on the SCADA
platform. Apart its unusual functionality,
the worm exploited a zero-day vulnerability
in Windows for the purposes of self-
proliferation. This vulnerability was known
to the cybercriminals at least half a year
before security experts managed to detect
it, so we can only guess who has been
using it and for what purpose. What is
even more alarming is that a conflict of
interests between the cybercriminals and
governmental institutions can be expected
in the field of industrial espionage.
Previously, the scope of the cybercriminals
attacks was limited to harassing the
everyday user en masse and only rarely
did they carry out successful attacks on
financial organizations, payment systems
and online shops. Back then the criminals’
main aim was to gain access to user
accounts. However, during the course of
its evolution, the world of cybercriminality
performed a spiral maneuver which has
seen it return to the same point from which
it started, but on a new and higher level.
That starting point that we are talking
about here is the realization of the value
of information in today’s society. Often,
a successful attack on a company’s
infrastructure will net the cybercriminals a
far more significant profits than they would
otherwise receive through the mass viral
infection of home users’ computers.
The development of information processes
and the involvement in this sphere of new
areas of human activity leads to a situation
where information previously unavailable
to the remote attacker is now accessible
to them. At the same time, the range of
information that is of interest to the criminals
has become even wider. If in times gone by it
was financial information and users’ personal
data that was the target of the hacker, it is
now more often than not technical data and
research information they are after.
The approximate percentage ratio of virus infections
caused by the human factor (blue), compared to software
vulnerabilities (red) for the period 2000 -2005
www.secureviewmag.com
FORECASTS
ALTERNATIVE
METHODS OF ENTRY
As we have stated above, an attack via
a user’s web browser is the most common
method by which a threat will infiltrate a
computer. At the same time, however, it is
worth remembering that there are many other
ways to access a user’s system and those
other means are currently receiving a great
deal of attention from the cybercriminals and
are under constant development.
File sharing networks have become the
most rapidly growing threat from the point
of view of the distribution of malware.
To illustrate the level of the problem we
can look to the Mariposa botnet saga
whose authors and owners were arrested
in Spain and Slovenia just this summer.
According to information from the FBI
report, during the time of its existence
the botnet contained some 12 million
computers located across 190 countries
of the world. The main method by which
the botnet spread was P2P networks.
Christopher Davis, CEO of Defense
Intelligence, who first discovered the
Mariposa botnet, explains: “It would be
easier for me to provide a list of the Fortune
1000 companies that weren’t compromised,
rather than a long list of those who were.”
During the first half of 2010, practically
every noteworthy release of a pirated
version of a popular game or software
application contained a Trojan component
within it that was spread by the pirates’
distributive over file sharing networks.
In July, Microsoft announced that they had
detected several viruses in unlicensed
copies of the game Star Craft 2.
With the growth in the quality of protection
against browser attacks, the vector of entry
The approximate percentage ratio of virus infections
caused by the human factor (blue), compared to software
vulnerabilities (red) for the period 2009-2010
will doubtless be shifted more and more
strongly towards file sharing networks.
ANTIVIRUS CLOUDS
Practically all of the major antivirus
companies have started using in-the-cloud
technologies or are planning to use them in
the nearest future. Despite the undoubted
advantage with regard to the struggle
against attacks, in-the-cloud technologies
are themselves sure to be a prime target
for the cybercriminals.
The eternal conflict between virus and
antivirus has, up to the present moment,
been largely going on at the level of files
and processes on the end users’ machines.
Malware programs have been trying to
destroy the antivirus system by different
means or attempting to persuade the user
to switch it off themselves.
With the beginning of cloud- technology
detection and categorization, a new front has
opened up in this war. Malware programs,
or to be more precise – their authors, will
have to solve the problem of attacking the
cloud. Although technologically it is practically
impossible to destroy the cloud, direct mass
DDoS attacks aside, it is quite vulnerable
in terms of its own functionality - receiving,
processing and sending information to and
from the end users.
Problems within the very architecture
of the majority of antivirus clouds will be
actively used by the cybercriminals, and the
first examples of such actions can be seen
already. The most widespread and simple
method of disabling cloud technologies is to
block computer access to the cloud. More
complex methods include the substitution of
data –with the aim of ‘trashing’ the cloud with
false information, as well as modification of
the data received from the cloud.
Such ‘trashing’ is probably the most
dangerous threat. Blocking access to the
cloud or the modification of responses from
the cloud specifically affects only infected
users, but inputting false data into the cloud
will influence every single user. This would
bring with it not only an absence of detection,
but also to a more serious problem – false
positives, which would lead to a general
decline in the level of trust in cloud-based
technologies and to the necessity to revise or
alter their performance algorithms.
With the increase in the number of
antivirus technologies that operate using
in-the-cloud technologies, there will be a
constant quantified and qualified growth
in the number of attacks upon them from
malware programs on clients’ computers, and
additionally with the help of special services,
supported by the cybercriminals. RE
4th quarter 2010 SECUREVIEW | 33
 Interview | Malware processing

Keeping pace
with viruses
Creators of viruses obviously set out to make as much profit as possible
from their activities. To achieve it they distribute as many malware
programs as they can, hiding them from antivirus detectors with the
help of many tricks. Nikita Shvetsov, Kaspersky Lab’s Head of Antivirus
Research tells us how the virus analysts manage the processing of huge
numbers of these malware samples.

SV: Lately we have seen an enormous
growth in the quantity of malware.
What is it connected with – the
cybercriminals thirst for profit?
N: Let’s start from the fact that there is no
single system of counting these programs.
It‘s no secret that modern solutions are
developed along the lines of advanced
behavioral analyzers, and that the enhanced
behavioral template HEUR:Worm.32.Generic
blocks million of different files per day. So,
how to count this? Kaspersky Lab has long
since gone from abstract evaluation of the
volume of detected viruses to hard statistics
concerning virus infections and prevented
attacks. Such statistics are received online
from the users of our products. We operate
by knowing the amount of virus infections per
day and the amount of machines infected,
and can thus reliably track the spread of
any ongoing epidemics. In absolute figures,
it is the same millions of unique files, but
occurring on a daily basis. However, where
do so many files come from? Virology has
become heavily commercialized and the
field of systems programming, which a while
ago was interesting because of its nontrivial
approach, has now become a method of
income for the cybercriminals. Then, as in any
industry, there has been a transformation
from backstreet workshops to well organized
factories with the distinct separation of work.
Clients are generally unwilling to pay tens
of thousands of dollars for the creation of
a new version of a Trojan-based botnet. It
is much simpler to buy a package that has
been developed for you, and to buy it with
support, which means that if the package is
detected – you are simply provided with a
new one. This is a prime source of malware
file growth. As one of our colleagues says:
“everything that is new – is in fact something
old, neatly repackaged”.
Either the malware developers were very
lazy or the antivirus solutions manufacturers
have raised the speed at which they create
protective signatures, but the idea has
undergone further development.
Tools responsible for obfuscation are being
placed actually on the web server from where
the malware is downloaded. Each time a
user follows the malware link, the server
provides a new, unique file. This is called
server side polymorphism. Each time that
the link is used, a different file with identical
functionality is received. The development
projects of virus programs with open source
code of the Pinch & BlackEnergy variety also
played a significant role in the growth of
the number of detected program variants.
Anyone with no respect for the law can find
the initial texts of these programs, upgrade
them to suit their own purposes and begin
to distribute them.
SV: In connection with this, how has
the approach to malware processing
changed from the side of the
antivirus companies?
N: First of all, the incoming flow of malware
data has increased to such an extent that
we have encountered electrical supply
capacity issues regarding the connection of
new server equipment in our headquarters.
We receive hundreds of thousands of files
per day and to process them manually we
would need to retain more than 1,000 staff.
That is why the approach has changed
radically. Our aim is to minimize the flow
of files reaching our virus analysts. People
should be given the opportunity to do what
they enjoy doing – to think about and analyze
new samples, which cannot be dealt with by
automatic means. Routine work – that’s the
robots’ task. We even joke about our robots
fighting the robots from the other side. We
are also enhancing our regional capabilities.
For a start, we have opened the antivirus
laboratory in Beijing, and currently we are
opening another laboratory in Seattle, in the
USA. This allows Kaspersky Lab to cover all
the time zones, and possibly in the future,
to eliminate the need for our Moscow-based
virus analysts to have to do shift work.
SV: How do you receive new versions
of malware programs?
N: Of course, we have significantly changed
our approach to obtaining new malware
samples. Whilst before we received
suspicious files sent to us by users of our
products and other interested parties via
our newvirus@kaspersky.com email box,
now the emphasis is on proactively seeking
out malware files. Our robots are out there
crawling Internet pages, receiving and
‘reading’ spam and imitating users of IM
clients - they can even hold a conversation!
This is very engaging. Also, we readily share
information about detected threats with
our colleagues from other companies, and
they reciprocate.
SV: In the future, will it be possible to
completely automate the entire
process so that virus analysts will no
longer be needed?
N: Completely removing humans from
the process, particularly virus analysts,
is hugely unlikely. The quality of such an
automated system would seriously degrade
pretty quickly. It is more likely that the
virus analysts’ role will be to configure
different robots with the aim of adding to
their algorithms the means to combat new
vectors of attack. Even then, there is always
incomplete or contradicting data that a robot
is simply not able to handle, or false positives
which really only humans can deal with. RE

|
34 SECUREVIEW 4th quarter 2010 www.secureviewmag.com
www.securelist.com