DESPERATE JAILBREAKERS
Is it actually safe to jailbreak an iPhone?
EXPERTS
COMMENT
WEAK LINKS: Changes in the methods and targets of the cybercriminals’ attacks
SECUREVIEW
News
Breakthroughs and trends in the IT security industry 4-9
Report
Black Hat USA 2010: News and trends from Black Hat USA 2010 10-11
Top Story
Businesses under attack: Everything you should know about corporate threats 12-17
Analytics
Desperate Jailbreakers: Recent smartphone security issues 18-21
The enemy at the gate: Rogue antivirus programs on the rise 22-25
Technology
Artificial Intelligence in the realms of IT security: Cyber Helper – an autonomous system that treats infections 26-29
Under control: Analyzing application activities 30-31
Forecasts
Weak links: Changes in the methods and targets of the cybercriminals’ attacks 32-33
Interview
Keeping pace with viruses: Current malware sample processing techniques, with Nikita Shvetsov 34

Dear Readers,

I am sure that the majority of you reading this work for a company of one sort or another. Ten to one your company has its own Internet site, communicates with its clients and partners over email, and possibly even uses Instant Messaging too. Often, many of you will take some work home with you, burning the midnight oil on yet another important document. Just the thought of working without a computer and the Internet, or not being able to complete an urgent job at home when you need to, would seem utterly strange to a lot of people these days.

So where is this all leading, you may ask? Well, working in an office, you can’t have failed to notice that there is a security solution installed on your computer. A similar solution should be installed on your company’s servers where their office is located. If that is not the case, then it is very unfortunate indeed, but let’s put that dismal scenario aside for now and move on.

The antivirus, or more complex security package, installed by your company’s systems administrators is designed to protect your computer from attack by criminals, but… are you sure that your company has a comprehensive security policy in place? If the system administrator does not regularly install updates for the operating systems and any third-party software installed on the users’ computers, there can be no guarantee that a determined cybercriminal won’t find an unpatched vulnerability in the system and use it to their advantage.

Are you sure that your smartphone, which you rely on for daily business communications, or the notebook that you or your boss work on at home or in the office, are protected from such a banal thing as loss? After all, if the notebook that you lost or had stolen at the airport ended up in the hands of specialist crooks, all of your confidential information would be right there in front of them. At least, that would be the case if your device didn’t happen to have a suitable encryption solution installed and a strong login and password security program.

However, let’s not get ahead of ourselves for the moment. Just read this issue’s Top Story and consider carefully whether you have closed all of the loopholes through which a cybercriminal might attack your company, and while we are talking about threats, do you and your colleagues know enough about rogue antivirus programs and how they can penetrate your computer?

See you next issue!

Alexander Ivanyuk
Editor-in-Chief
SECUREVIEW Magazine, 4th Quarter 2010
Editor-in-Chief: Alexander Ivanyuk
Editor: Darya Skilyazhneva
Design: Svetlana Shatalova, Roman Mironov
Production Assistants: Rano Kravchenko
Editorial matters: editorial@secureviewmag.com
http://www.secureviewmag.com
© 1997 - 2010 Kaspersky Lab ZAO. All Rights Reserved. Industry-leading Antivirus Software.
The opinion of the Editor may not necessarily agree with that of the author.
SECUREVIEW Magazine can be freely distributed in the form of the original, unmodified PDF document. Distribution of any modified versions of SECUREVIEW Magazine content is strictly prohibited without explicit permission from the editor. Reprinting is prohibited unless with the consent of the editorial staff.
News
Vulnerabilities Encryption
Source: www.physorg.com/pdf190468321.pdf
Cryptography
Laser key

Dr. Jacob Scheuer from Tel Aviv University has developed a unique optical system of secret cryptographic key distribution. The researcher claimed that his system is potentially uncrackable.

Transmitting binary lock-and-key information in the form of light pulses, his device ensures that a shared key code can be unlocked by the sender and receiver and absolutely nobody else. Dr. Scheuer has found a way to secure the transmitted ones and zeros using light and lasers. “The trick,” says Dr. Scheuer, “is for those at either end of the fiber optic link to send different laser signals they can distinguish between, but which look identical to an eavesdropper.” “Rather than developing the lock or the key, we’ve developed a system which acts as a type of key bearer,” the researcher explains.

Source: http://www.sciencedaily.com/releases/2010/03/100323121834.htm
Social Networks
Quantum Computations
Uncounterfeitable
...in one direction but hard in the opposite direction. Multiplication is the famous example. It’s easy to multiply...

Encryption
Record in quantum
...maintains a high bit rate at all times and requires no manual set-up or adjustment. Significantly, the...
...transmission of very long secret keys – the same length as the data itself. For this reason it has only been...
Visualizing
the malicious web
Researcher Stephan Chenette has released a Firefox plug-in called FireShark designed to build visual diagrams of criminal connections as well as schemes for the malicious distribution of code. The plug-in allows the capturing of web traffic from a browser, the logging of events and the downloading of content to disk for post-processing analysis. The software has the potential to become a very powerful forensics and antimalware tool. The plugin can be downloaded free of charge from the author’s site.

For example, FireShark makes it easy to see compromised legitimate sites redirecting users to malicious domains

Source: http://www.fireshark.org/
Wireless Security
Securing RFID

Egyptian researchers have proposed a mutual authentication protocol that prevents attacks on low-cost RFID tags.

RFID systems are vulnerable to a broad range of malicious attacks ranging from passive eavesdropping to active interference. Unlike in wired networks where computing systems typically have both centralized and host-based defenses such as firewalls, attacks against RFID networks can target decentralized parts of the system infrastructure, since RFID readers and RFID tags operate in an inherently unstable and potentially noisy environment.

RFID tags may pose a considerable security and privacy risk to the organizations and individuals using them. Since a typical tag provides its ID to any reader and the returned ID is always the same, an attacker can easily hack the system by reading a tag’s data and duplicating it in the form of bogus tags. Unprotected tags may be vulnerable to eavesdropping, location privacy, spoofing, or denial of service attacks.

Low-cost RFID tags like Electronic Product Codes (EPC) are poised to become the most pervasive devices in history. There are already billions of RFID tags on the market being used for applications like supply-chain management, inventory monitoring, access control and payment systems. When designing a really lightweight authentication protocol for low cost RFID tags, a number of challenges arise due to the extremely limited computational, storage and communication abilities of such devices.

The scientists have proposed modifications to the Gossamer mutual authentication protocol used by the tags. The proposed protocol prevents passive attacks, as active attacks are discounted when designing a protocol to meet the RFID tags’ requirements. The analysis of the protocol shows that the added modifications increase the security level of Gossamer and prevent eavesdropping on public messages between reader and tag. However, the modifications do not affect the computational, storage or communication cost of Gossamer.

Source: http://airccse.org/journal/nsa/0410ijnsa3.pdf
Cyber Security
Investigating global
cyber espionage
An international team of researchers has published a report about global cyber espionage systems titled “Shadows in the Cloud”. The report contains the results of their investigations into a complex cyber espionage ecosystem that, as the authors say, “systematically compromised government, business, academic and other computer network systems in India, the offices of the Dalai Lama, the United Nations and several other countries”. The report also contains an analysis of data stolen from politically sensitive targets and recovered during the course of the investigation.

The report analyzes the malware ecosystem employed by the Shadows’ attackers, which leveraged multiple redundant cloud computing systems, social networking platforms and free web hosting services.

The following is a summary of the report’s main findings:
• The cyber espionage network is complex
• The theft of classified and sensitive documents is rife
• There is evidence of collateral compromise
• The command-and-control infrastructure leverages cloud-based social media services
• There are links to the Chinese hacking community

Concentrations of non-unique IP addresses of compromised hosts (from the report “Shadows in the Cloud”)

Source: http://Shadows-in-the-Cloud.net
Security Threats
...a piece of software called ‘non-bypassable memory...

Technology
...a remote entrusting component ensures that the software is...
Las Vegas –
The Security Researchers’ Oasis
Each year, the entire security industry waits for the Black Hat Briefings in
the sweltering Las Vegas desert. This year was no different, with more
than 6,000 people interested in security gathered from all over the world
at Caesars Palace, Las Vegas, Nevada – the place where the conference is
traditionally held. From private companies and government agencies through
to security researchers, system administrators and law enforcement officers -
everybody was there. “Security researchers from all over the world come to
Black Hat to identify security threats and work collectively to create solutions.
The Black Hat community is one of the greatest assets we have for defending
the safety and security of the Internet,” said Jeff Moss, founder of Black Hat.
Article by Stefan Tanase

Black Hat is the place where IT and computer security happens. Now in its 13th year, researchers’ latest findings are published during presentations spread over 11 conference tracks and two days. The two opening keynotes this year were delivered by Jane Holl Lute, the current Deputy Secretary of Homeland Security, and Michael Vincent Hayden, former Director of both the National Security Agency and the Central Intelligence Agency. This doesn’t come as a surprise, especially after Jeff Moss, the founder of the Black Hat and DEF CON conferences, was sworn in to the Homeland Security Advisory Council of the Barack Obama administration.

This year’s event featured more than 200 speakers discussing their latest research around essential security topics ranging from infrastructure, reverse-engineering, malware, fingerprinting and exploitation, to the latest topics in IT technology - cloud/virtualization and cyber war and peace.

Jackpotting ATMs

One of the most highly anticipated talks at Black Hat USA 2010 was delivered by Barnaby Jack, Director of Research at IOActive Labs. Barnaby discussed two types of attacks against automated teller machines (ATMs) running Windows CE: the first one was a physical attack using a master key which can be purchased on the Internet and a USB stick to overwrite the machine’s firmware with a custom-built rootkit; the second one was a remote attack exploiting a vulnerability in the ATM’s remote administration authentication mechanism which allowed the attacker to remotely rewrite the firmware.

The talk itself was eye-opening and disappointing at the same time. It was amazing to see the depth that Barnaby had achieved when reverse-engineering the ATMs and building a custom software tool called ‘Dillinger’ to overwrite the machine’s operating system, take complete control of the ATM and send commands which remotely instructed the ATM to start dispensing cash. Incidentally, ‘Dillinger’ is named after the famous bank robber. The disappointing part from an avid researcher’s point of view was that he only focused on Windows CE-based ATMs, an old operating system which is not widely used in other regions of the world. For instance, the two attacks that Barnaby demonstrated, the physical and the remote attack, would not be possible in most European countries, but it’s a whole different story in the United States.

All in all, seeing such progress being made in ATM security research definitely makes you think twice about using ATMs, especially when traveling. In fact, with the amount of skimming going on anyway, why not avoid using ATMs altogether?

Barnaby Jack shows how jackpotting works on vulnerable ATMs

The Client-Side Boogaloo

Nicholas Percoco and Jibran Ilyas, members of Trustwave’s SpiderLabs team, presented Malware Freak Show 2010, a talk that extended their initial Malware Freak Show presentation delivered at DEFCON 17 in 2009. This year’s talk explored four of the most interesting new pieces of malware that were obtained during more than 200 investigations they conducted in 2009. An interesting fact which emerged as a result of combining intelligence from cases they were both involved in was that attackers spend an average of 156 days exploring a victim network before getting caught. This is an alarmingly high number which confirms how low the general level of security awareness and education is among businesses.

The presentation included the anatomy of a successful malware attack, a profile on each sample and victim and a live demonstration of each piece of malware discussed: a memory rootkit, a Windows credentials stealer, a network sniffer rootkit and a targeted attack malware program that uploads documents to an FTP server.

Tracking Cyber Spies and Digital Criminals

Greg Hoglund, who literally wrote the book on Windows rootkits, presented some techniques to track down the origins of malware samples. Malware attribution, which is defined by Greg as “Finding the humans behind the malware,” aims to know more about the people who create malicious files. This type of information can be very useful during forensic investigations.

His basic premise is that software is not easy to write and programmers adhere to the “if it ain’t broke, don’t fix it” principle. Once a programmer has written a piece of code which works, they are not going to rewrite it, but instead will most likely reuse it at every opportunity. Each cybercriminal or cybercrime group normally reuses the code that they create. To prove this, Greg performed a case study on a Chinese RAT (Remote Administration Tool) called ‘gh0st RAT’. He showed the audience how he discovered that malware samples from 2010 are still using code from 2005 – making it possible to link five-year-old samples together. These techniques are very developer-specific.

In his conclusion, Greg called on the security community to understand that generally it is better to focus on identifying the authors behind the malware than the malware itself.

Attacking Phone Privacy

Cryptography researcher Karsten Nohl presented vulnerabilities, tricks and ideas which he used to successfully crack A5/1, the encryption system used to protect GSM calls. One of the biggest breakthroughs that helped him with his research was the fact that some GSM packets, the keep-alive ones, are predictable in the stream of different packets. The fix for this vulnerability was released two years ago, but none of the GSM networks have implemented the patch yet, even though the patch is rather simple.

It is much easier to intercept the part of the call that is coming from the tower to the mobile phone, rather than the one going from the mobile phone to the tower. This is due to the fact that mobile phones dynamically adjust the output power of their signal to save battery power and can be on the move in areas surrounded by buildings, while the towers are transmitting high power signals, are stationary and are located in high areas.

So, the majority of GSM networks nowadays are quite unsafe. They are either using very insecure encryption, or in countries like China and India, none at all. A mitigation technique to this threat would be to switch your phone to UMTS-only mode, although not every phone supports this and 3G coverage is not available in remote areas.

Until Next Year

There were many other interesting presentations, as you can see from the Black Hat online archive: http://www.blackhat.com/html/bh-us-10/bh-us-10-archives.html. As usually happens when thousands of security researchers gather in the same place, there were several incidents that made this year’s Black Hat very memorable – for example, the live stream got hacked by a security researcher at Mozilla who responsibly disclosed the vulnerabilities found to the third party company which was providing the streaming service.

This and other things make attending Black Hat a thrill and a challenge at the same time. RE
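Hoglund's attribution premise in the report above, that authors keep reusing working code so a 2010 sample can carry routines from a 2005 one, can be checked mechanically on raw bytes. The following is an added example and not code from the magazine, from the talk or from any vendor: it finds byte runs shared between sample blobs by seed-and-extend over fixed-length byte windows, turns each run into a fingerprint and links every sample that carries the same fragment. The sample names, the 36-byte routine and the surrounding padding are all constructed for the illustration and are not real malware.

```python
"""Linking samples through reused code fragments (added illustration)."""
import hashlib
from typing import Dict, List, Set, Tuple

# Constructed: a 36-byte "routine" that several samples happen to share.
SHARED_ROUTINE = bytes.fromhex(
    "5589e583ec10c745fc000000008b45fc83c0018945fc817dfcff00000076ee"
    "8b45fcc9c3"
)

# Constructed samples: different padding and strings, same routine inside.
# "unrelated" is a monotonically increasing byte ramp and shares nothing.
SAMPLES: Dict[str, bytes] = {
    "sample_2005": b"\x00" * 16 + SHARED_ROUTINE + b"log.txt\x00" + b"\x01" * 20,
    "sample_2010": b"\x90" * 24 + SHARED_ROUTINE + b"ftp.example\x00" + b"\x02" * 20,
    "sample_2010_b": b"\x41" * 10 + SHARED_ROUTINE + b"\x42" * 30,
    "unrelated": bytes(range(7, 107)),
}


def shingles(data: bytes, n: int = 8) -> Set[bytes]:
    """All overlapping n-byte windows of data."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: bytes, b: bytes, n: int = 8) -> float:
    """Jaccard similarity of the two samples' shingle sets (0.0 .. 1.0)."""
    sa, sb = shingles(a, n), shingles(b, n)
    union = sa | sb
    return len(sa & sb) / len(union) if union else 0.0


def shared_runs(a: bytes, b: bytes, n: int = 8,
                min_len: int = 16) -> List[Tuple[int, int, int]]:
    """Maximal byte runs of at least min_len bytes present in both a and b.

    Each result is (offset_in_a, offset_in_b, length). An n-byte window of b
    that also occurs in a is a seed; the seed is extended to the right while
    the bytes keep matching, and every seed position covered by the run is
    recorded so the same run is not reported again from a later seed.
    """
    index: Dict[bytes, List[int]] = {}
    for i in range(len(a) - n + 1):
        index.setdefault(a[i:i + n], []).append(i)
    covered: Set[Tuple[int, int]] = set()
    runs: List[Tuple[int, int, int]] = []
    for j in range(len(b) - n + 1):
        for i in index.get(b[j:j + n], []):
            if (i, j) in covered:
                continue
            k = n
            while i + k < len(a) and j + k < len(b) and a[i + k] == b[j + k]:
                k += 1
            covered.update((i + d, j + d) for d in range(k - n + 1))
            if k >= min_len:
                runs.append((i, j, k))
    return runs


def fingerprint(chunk: bytes) -> str:
    """Stable identifier for a reused code fragment."""
    return hashlib.sha256(chunk).hexdigest()[:16]


def link_samples(samples: Dict[str, bytes],
                 min_len: int = 16) -> Dict[str, List[str]]:
    """Map each shared-run fingerprint to the names of samples containing it.

    Runs are found pairwise; a fragment that recurs across samples written
    years apart is the developer-specific trace attribution is built on.
    """
    links: Dict[str, Set[str]] = {}
    names = sorted(samples)
    for x in range(len(names)):
        for y in range(x + 1, len(names)):
            a, b = samples[names[x]], samples[names[y]]
            for i, _j, k in shared_runs(a, b, min_len=min_len):
                fp = fingerprint(a[i:i + k])
                links.setdefault(fp, set()).update((names[x], names[y]))
    return {fp: sorted(ns) for fp, ns in links.items()}


if __name__ == "__main__":
    sim = jaccard(SAMPLES["sample_2005"], SAMPLES["sample_2010"])
    print(f"shingle similarity 2005 vs 2010: {sim:.3f}")
    for fp, names in link_samples(SAMPLES).items():
        print(f"fragment {fp} shared by {', '.join(names)}")
```

Whole-file similarity stays low because padding and strings differ, while the run search still recovers the exact reused routine; on real samples the same fragment fingerprints can be kept as a catalogue and matched against new files.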
Article by Joerg Geiger, Chief Technology Expert at Kaspersky Lab

Joerg Geiger has 11 years’ experience in IT journalism. Having completed his Diploma in Computer Science, Joerg worked as a Senior Editor for a number of different printed and online magazines. For the last 3 years, Joerg has been a freelance contributor to German newspapers, websites and various IT companies and specializes in operating systems, IT security and mobile IT.

Today’s computers store and process all types of official information; they generate business activity reports, they perform economic analyses and undertake planning and they are used for technical modeling and design. Companies advertise their products via the Internet and communicate with society in general using computers. Goods are readily bought and sold through the medium of electronic trading and Internet shops. In the course of everyday business activity, computers and smartphones have become an indispensable communications tool for workers, clients and company managers alike. The burgeoning capabilities of today’s IT equipment mean that companies can now benefit from a whole new world of commercial possibilities. Such companies rely heavily on stable IT infrastructure to maintain their business processes and competitive advantage.

As mentioned previously, the presence of financial or confidential information attracts the shadier elements of society who wish to nefariously grab a slice of the pie for themselves, and in addition, it should be remembered that companies can and do suffer enormous losses due to the availability of confidential information to insiders. Serious security incidents can incur punishment by the state – in most countries, violation of security standards is a prosecutable offence carrying criminal responsibility, and where applicable, the withdrawal of state-issued and other licenses.

The incentive to hack corporate networks grows as commercial information becomes more and more valuable and as business processes are automated. The tendency is for business IT to not only develop automated management and recording systems, but technological processes as well – IT is already a major player not only in accountancy, warehousing and HR, but in manufacturing and production as well. Today it is completely unacceptable to leave corporate IT systems under-protected, or worse still, unprotected. A...

The Internet has long since been used for the majority of corporate financial transactions
Corporate threats | Top story
Modules allowing the centralized management of corporate network protection are present in every major business IT security solution
...functionality that provides control over USB and other peripheral ports. Those staff members whose work regularly entails the use of portable storage media must be provided with, and made to use, an automatic encryption system that will protect any information stored on it in the event of the theft or loss of the media.

Other similarly important measures, which are quite often overlooked by companies, include the protection of wireless access points and data transmission channels. If you have protected the whole infrastructure, but left your WiFi networks without WEP encryption and not implemented a monthly password changing policy, then you have protected nothing. Generally speaking, the use of WiFi inside a company should be as limited as possible. It is necessary to regulate the distance that the signal can travel by adjusting the radiated power of the transmitter, provide users with temporary passwords, define which WiFi networks guests can connect to and limit access to internal resources, etc.

Centrality

Protection of a corporate network is a round-the-clock, year-round process and should embrace the entire information lifecycle - from its arrival at the company through to its destruction, loss of value or downgraded level of confidentiality. Reliable protection means real-time control over all the important events and occurrences that may influence security. It is very important to implement the centralized management of a security system. This approach allows the speedy acquisition of a complete picture of network events from a single access point and provides a centralized approach to the resolution of tasks; it is a method for checking and effectively resisting generic threats. At the same time, the application of different security policies across the various subdivisions, as well as an individualized approach to the resolution of tasks, should not be excluded. The centralized management of network security via a single interface has the advantage that system administrators do not have to spend a lot of time familiarizing themselves with several different security solutions. Modern corporate antivirus solutions offer companies precisely this level of control. As a rule, such solutions will contain some sort of centralized management system that allows adjustment of the many different security-related software modules that control: the antivirus system settings, the setting up of individual and group application parameters, access to different resources, database updates and the continuous monitoring of the network status and dynamic response in the event of critical situations.

Sufficiency

Any security system has to be sufficiently robust. This means that it should provide the maximum level of protection, availability and resiliency. To do this, a security system must have a reserve of hardware and software to cope in situations where a component of one or the other type fails. Additionally, the system has to employ effective technologies that can cope with existing threats and are able to combat new attacks thanks to embedded ‘extra’ capabilities such as heuristics and enhanced signature detection processes. Heuristic analyzers, as well as script emulators and file execution emulators, are used when a program sample is not present in antivirus databases and allow program execution to be emulated inside an isolated, virtual environment. This is absolutely safe and allows all of the program’s actions to be analyzed in advance, so that its potential to cause harm can be estimated with a high probability prior to real world execution. In this way, new threats are detected before they become known to virus analysts and their signatures can be included in antivirus databases accordingly. Taking care to ensure that a system is sufficiently robust prolongs its usefulness as a means of defense.

Reasonable balance

It is always the case that a reasonable balance needs to be struck between the capabilities of a security system and its level of resource-intensity. The more options and functions a solution has, the more computer, human and other resources are consumed. This is unacceptable for a corporate network as it will generally have high enough working loads already - it must simultaneously serve a large number of users, search vast databases, transmit big volumes of traffic and do all of the above precisely and quickly. Manufacturers of antivirus products pay a great deal of attention to the balance between productivity and protection of systems. For this reason there are parameters that can be set to run system scans only at times when nobody is working on a computer, i.e., when a computer is locked or its screensaver is on. This allows, for example, a deep heuristic analysis to take place during an antivirus scan without interference to the work of the staff. Additionally, modern antivirus products include technologies that can significantly increase the operating speed of an antivirus application through always-on protection and on-demand scanning. Speed is also gained by excluding the multiple checking of files that have been scanned already, provided that this does not pose a threat of infection. By complementing each other, such technologies can greatly reduce the time and resource-intensity required for the antivirus scanning of different objects, files and operating systems.

It is necessary to encrypt not only the data that the phone contains, but also the data stored on any accompanying memory card in the event that important information is stored on that too
Flexibility

A security system should also be flexible and scalable, in other words it should be adaptable to a wide range of tasks, working conditions and quantitative characteristics of a corporate network. Today’s computer networks can expand, contract and change their configuration very quickly. Threats are also changing with alarming rapidity and a security system should be ready for it. To meet this requirement, high quality security solutions need the means to update practically all of their program components - for example, malware protection solutions should update not only their antivirus signature databases, but also their malware behavior pattern recognition capabilities and their own operating algorithms.

Interactivity

Another important requirement is interactivity. The security system has to be able to interact with an experienced user, system and network administrator. It has to provide a user with sufficient information upon which to base operational decisions and be able to warn a user about potential errors. It is preferable that the system’s settings and security modules are understandable to a layman who has no specific knowledge in the field of information security. This allows corporations to quickly train their own specialists and means that medium and small businesses can have a protected system without the need to employ security administrators or even IT specialists. In order to do this, antivirus solution developers pay increased attention to their product interfaces, trying to make them as simple and straightforward as possible. Special significance is given to the provision of notifications when the security of the system is under threat. The system must inform an administrator of what actions should be performed in order to restore normal defensive levels. The interface must also allow the administrator to quickly jump between tasks such as virus scanning, antivirus database updating, etc.

Compatibility and heterogeneity

Compatibility is a definitive requirement of a security system – it must be able to fully operate in a complex, heterogenic corporate network without any negative impact on the other components. Any corporate antivirus system has to be able to function with a range of different devices. Modern computer systems can consist not only of workstation computers, file servers and mail servers, but notebooks and smartphones too. Smartphones are commonly synchronized with computers, and if a user opens a malware link on their telephone, there is a real chance of transferring that virus to the corporate network during the process of synchronizing mail or calendar items with the networked computer.

Whilst on the subject of smartphones, it is worth comparing them to portable information storage devices – all messages and mail correspondence, as well as the contents of flash memory and memory cards which are used for the additional storage of information, should be compulsorily encrypted. Only then is it possible to guarantee the integrity of the stored information in the event of the loss of a device. When choosing a protective solution for mobile devices, close attention should be paid to ensuring that it has the capability to block a lost smartphone, even if the SIM card is changed by a thief. Otherwise the criminal will be able to drop off the radars of those seeking to retrieve the device, and having removed the SIM card from the phone, will be able to do anything they wish with the phone and the valuable information it contains.

Also, it is worth remembering that when a company uses machines with different operating systems, all of them should be protected, as if only one of the systems is secure, it means none of them are safe. If an administrator thinks that there are not many viruses for Mac OS X out there, so the risk to the company is negligible and therefore it is not critical to protect Macintoshes - they would be absolutely wrong. It is through just such an open gate to the world of Windows computers that the most harmful malware threats may come, for example, by way of a malware link which becomes active once inside a Microsoft environment. Another route is the Trojan program which automatically copies itself to a flash memory card on a computer running under Mac OS X and is later inserted into a different workstation running under Windows management.

Resume

New threats and vulnerabilities in the world of computer security are growing as never before and there are no indications that the situation is going to improve any time soon. Nevertheless, if you as a company administrator or security specialist provide proper protection on all fronts, then there is a good chance that your company’s business will prosper. Educate your staff about computer safety on a regular basis. Distributed security policies and access rights should be compulsory and provide protection solutions for all nodes on the network, from the gateways to the endpoints - and don’t omit the bosses’ smartphones or notebooks. Remember: economize just once on network protection and it is possible that the whole of the company’s business could be lost as a result. RE

Expert Comments

Nikolay Grebennikov, Chief Technology Officer at Kaspersky Lab

Kaspersky Lab’s products for corporate users are complex solutions for heterogenic, distributed networks and that is very important at the present time. Our solutions for Windows, Linux, Mac, Novell NetWare and mobile operating systems are simple to install and use. Kaspersky Lab’s solutions provide protection for all types of network nodes – from mobile devices to servers. They can control all incoming and outgoing data flows, from email and Internet traffic to internal network interactions, and they also provide powerful management tools too. All of Kaspersky Lab’s solutions include the Kaspersky Administration Kit management console which allows the centralized organization and control of network protection for the whole company, integrating all the different levels of protection into one system. The solutions provide scalability, notification of the status of the network’s antivirus protection, control over the use of external devices, special security policies for mobile users, support for network access control technologies and customized reporting, allowing administrators to manage the system in an effective way via a straightforward interface.
Desperate Jailbreakers

It was late July, and Apple was still reeling from an uncharacteristic backlash by the media and its typically adoring customer base over a design flaw in the antenna of its much-vaunted new iPhone 4.0 that effectively wiped out wireless reception for many users. Then, at the beginning of August, hackers published a remotely exploitable security vulnerability in the device that left tens of millions of iPhone users exposed to malicious drive-by downloads.

18 SECUREVIEW 4th quarter 2010 www.secureviewmag.com
Smartphone Security | Analytics
"My grandma doesn't know what jailbreaking is and never had to worry about what jailbreakers were up to because if she wanted to jailbreak her phone she had to plug it into a computer, download some special tools, and then it might work," said Charlie Miller, a renowned iPhone hacker and researcher with the Baltimore, Md.-based firm Independent Security Evaluators. "But now, here was something that could radically change your phone just by visiting a webpage, all of a sudden this meant instead of doing something fun and friendly like jailbreaking the phone, it could do something evil, where grandma goes to some site and the same vulnerability is used to download code to the phone."

Patch wars

Four days after jailbreakme.com went live, Apple announced it would soon be releasing a patch it had developed to protect users. Almost immediately, jailbreaking advocates lit up Twitter.com and other social media sites, warning people not to download the Apple patch because it would un-jailbreak those devices, or possibly worse.

That advice struck some security experts as a scary sign of things to come. Mikko Hypponen, Chief Research Officer for Finnish computer security firm F-Secure Corp., was among those who publicly chastised the team for telling people not to apply the patch.

"Imagine if this would have happened with Microsoft Windows, where someone creates a zero-day exploit, doesn't report it to Microsoft, then publishes the exploit, and when Microsoft responds with a patch there are thousands of people telling the world not to patch it," Hypponen said. "If they want to give that kind of advice to people who have jailbroken their phones, that's great. But now they've made everyone vulnerable – because these exploits are out there affecting everyone – and even people who haven't jailbroken their phones are getting the advice not to upgrade, when in fact they should."

Within days of releasing its exploit, the crew responsible for creating the web-based jailbreak – a group called the iPhone Dev Team, along with a developer known by the screen name "Comex" – released "PDF Warner," a tool that jailbreakers could install to receive a warning if a website tried to use the jailbreak flaw to install malicious software.

The Dev Team even released its own unofficial patch for those who had jailbroken their phones, which went further in protecting jailbroken users than did the official patch from Apple, which does nothing to fix the flaw in iPhone devices older than iPhone 2.x versions.

Will Strafach, an independent software developer from Connecticut who helped test the exploit used on jailbreakme.com, acknowledged that the unofficial patch took a bit longer than expected, and that it is still not installed by default after people use jailbreakme.com. Still, he noted that neither this exploit nor a similar, remotely exploitable jailbreakme.com exploit released back in November 2007 resulted in any malicious attacks.

"Not much detail will be released about how the exploits work until after Apple has issued their patch, so…there has never to date been a malicious payload I have seen for the two jailbreakme.com exploits," Strafach said.

Strafach is technically correct. Then again, the only real threats to emerge against the iPhone have worked only against jailbroken devices, by exploiting the default settings left behind during the jailbreaking process. In November 2009, the relatively harmless "Ikee worm" spread rapidly among iPhone users who had jailbroken their phones but neglected to change the default SSH password. The Ikee worm was more an annoyance than a threat: It "Rickrolled" less cautious jailbroken iPhone users by changing the wallpaper on their devices to a picture of 80s pop singer Rick Astley.

But a second, less publicized version of Ikee introduced the first known banking Trojan for the iPhone. Unceremoniously dubbed "Ikee.b," the worm modified the "hosts" file on the iPhone – adding a single entry so that anyone trying to visit the website of ING Bank in the Netherlands (www.ing.nl) with an infected iPhone was redirected to a counterfeit ING website hosted in Tokyo and designed to phish the victim's online banking credentials.

That attack received little attention in the news media, probably because it affected such a minuscule subset of iPhone users: Those in the Netherlands who had insecure jailbroken iPhones that they used for online banking. What's more, Hypponen said, the fake ING site was only online for a short time before being taken down.

"The overall point is that the more time passes, the more exploits like this we will see for the iPhone and other mobile platforms, and the more likely we'll start to see moneymaking attacks on mobile phones," he said.

[Figure caption: Looking at the Ikee.b source code, it’s easy to spot the default password ‘Alpine’ that opens the door for the malware to walk through]
[Figure caption: The first harmful program for Android masquerades as a legitimate Movie Player]

Attack of the killer apps?

Of course, security vulnerabilities aren't the only way intruders can break into mobile phones. Malicious applications or "apps" designed for use on smartphones can hide malicious software, or turn from benign to
malicious via an update after a user has already trusted and downloaded it to their phone.

About the same time that jailbreakme.com debuted this latest remote root exploit for the iPhone, security experts were unraveling the secrets of a questionable app designed for Google's Android phone users.

According to San Francisco-based mobile security firm Lookout, the app – an apparently innocent program that offered free wallpapers and was downloaded more than a million times – collected users' phone numbers, subscriber information and voicemail numbers, and sent the information off to a server in China.

Then, on 09 Aug, Kaspersky Lab said it had discovered the first malicious program for the Google Android platform: A Trojan disguised as a media player app that uses the victim's phone to send expensive text messages to premium rate numbers without the user's consent.

Unlike Apple's tightly controlled App Store, the Google platform allows developers to upload applications for other users. Interestingly though, while the ability to install unapproved apps is the main reason people jailbreak their phones, not a single malicious third-party app has been reported for jailbroken iPhones.

Lookout co-founder John Hering said the two models represent the classic tug-of-war between security and usability. But, he said, one isn't necessarily more secure or better than the other. Rather, the mobile providers need to focus on reacting quickly when problems are spotted.

"It's the classic balance of security and openness at odds with one another," said Hering. "So far, both providers have shown they have the ability to respond to these incidents very quickly."

The jailbreakme.com vulnerability drew an unusually speedy response from Apple, which has long been criticized for taking its time in fixing many security flaws. For example, Apple maintains its own version of Java and has been shown to lag up to six months behind implementing the same security updates that Sun/Oracle released for versions of Java on other platforms.

The company has also been known to fix bugs in its Safari web browser on the Mac and yet leave those same bugs unpatched on the iPhone for months at a time (it's notable that the jailbreakme.com exploit – which leveraged a vulnerability in the way iPhones render PDF documents – was used via Safari).

Apple's defenders say if the company fails to rush out emergency patches each week, it's probably in part because the computing platform simply isn't constantly under siege by cybercriminals – unlike a certain dominant operating system made by Microsoft.

Rich Mogull, a security analyst at Phoenix-based Securosis, says Apple is right to react differently to potent threats against its mobile devices. Mogull notes that Apple's mobile operating system – which shares much of the same code base as the OS that powers Mac desktop and laptop computers – has the potential to make an end-run around the traditional flame-war inducing, long-running debate: Whether Macs are safer due to the way they are designed or because there are fewer users relative to the Windows PC community?

Indeed, with more than 100 million Apple mobile devices sold so far, there are now vastly more iPhone, iPad and iTouch users than traditional Mac users. In addition, consumers are increasingly using their mobile phones for a variety of sensitive transactions, such as online banking, shopping and confidential communications.

"Everyone talks about market share questions, but we're not going to get the answer to that question on general purpose computers, we're going to get the answer to that question from these devices," Mogull said.

Looking forward

That answer may not come immediately. For one thing, exploits like the one stitched into jailbreakme.com don't grow on trees. Strafach said the Dev-Team and Comex stated that the exploit went through three weeks of development and a week of testing before going live.

The exploit was so difficult to find and refine that it may be quite some time before another remote jailbreak flaw is found, Strafach said, although he stressed that the Dev Team never discusses ongoing research.
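The Ikee.b hosts-file redirection described earlier in this article is a tampering pattern a defender can check for directly. The following is an added example, not code from the article or from any of the companies it quotes: it parses hosts-file text, ignores the ordinary loopback mappings, and flags any hostname that has been pinned to a remote address, plus any watched domain (here the article's www.ing.nl) that appears at all, since a bank's name should never be resolved from a local file. The sample file contents, the 203.0.113.7 address and the ing.nl watch list are constructed for the example; on a Unix-like system, a jailbroken iPhone included, the file to feed in is /etc/hosts.

```python
"""Hosts-file hijack check.

Added example; not code from the article or from any company it quotes.
The sample hosts contents are constructed: 203.0.113.7 is a documentation
address, www.ing.nl is the domain the article says Ikee.b redirected.
"""
import ipaddress
import re
from typing import Iterable, List, NamedTuple


class HostsEntry(NamedTuple):
    line_no: int
    address: str
    names: List[str]


class Finding(NamedTuple):
    line_no: int
    hostname: str
    address: str
    reason: str


# Names an operating system itself maps to loopback; these are expected.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


def parse_hosts(text: str) -> List[HostsEntry]:
    """Split hosts-file text into (address, names) entries; skip blanks and comments."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        fields = re.split(r"\s+", line) if line else []
        if len(fields) >= 2:
            entries.append(HostsEntry(line_no, fields[0], fields[1:]))
    return entries


def is_local_address(address: str) -> bool:
    """True for loopback, unspecified (0.0.0.0 sinkholes) and link-local addresses."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False                               # not an IP at all: treat as suspect
    return ip.is_loopback or ip.is_unspecified or ip.is_link_local


def find_hijacks(text: str, watched_domains: Iterable[str] = ()) -> List[Finding]:
    """Flag hostnames pinned to remote addresses, and any watched domain at all."""
    watched = tuple(d.lower().lstrip(".") for d in watched_domains)
    findings = []
    for entry in parse_hosts(text):
        local = is_local_address(entry.address)
        for name in entry.names:
            lname = name.lower()
            if local and lname in LOCAL_NAMES:
                continue                           # ordinary loopback mapping
            if any(lname == d or lname.endswith("." + d) for d in watched):
                findings.append(Finding(entry.line_no, name, entry.address,
                                        "watched domain pinned in hosts file"))
            elif not local:
                findings.append(Finding(entry.line_no, name, entry.address,
                                        "hostname pinned to a remote address"))
    return findings


# Constructed sample; a real check would read /etc/hosts instead.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
0.0.0.0         ads.example.test            # sinkhole-style entry, expected
203.0.113.7     www.ing.nl                  # the kind of entry Ikee.b added
"""

if __name__ == "__main__":
    for f in find_hijacks(SAMPLE_HOSTS, watched_domains=["ing.nl"]):
        print(f"line {f.line_no}: {f.hostname} -> {f.address} ({f.reason})")
```

The sinkhole entry (0.0.0.0) passes because blocklist-style hosts files are common and harmless; only a name that resolves somewhere reachable, or a watched domain in any form, is reported. Run against the sample, the single finding is line 5, www.ing.nl pinned to 203.0.113.7.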
"Yeah, I kind of agree it raises the bar for jailbreaking in a way that may be difficult to replicate," Strafach said. "Comex really outdid himself. Safari isn't an easy thing at all to exploit because of the strong sandbox restrictions."

Also, vulnerabilities that allow remote jailbreaking tend to be useful for far less time than those that require tethering the phone to the computer, as Apple patches them far more quickly.

"Apple has a group of people called the Red Team whose specific task it is to fix exploits from jailbreaks, because as you have probably seen, it gives them bad press when hackers are running around with remote root exploits in Apple's most iconic product," Strafach said.

According to Mogull, "In recent weeks, some antivirus firms have been making noises about these new threats being an indicator that Apple should open up its platform to traditional desktop security vendors. But doing so would be a mistake at this point, as so far at least, its systems have been self-correcting."

"Sure, if device makers don't do a good job of keeping those platforms secure and locking them down, then people may need to look at third party stuff," Mogull said. "There's going to be less margin for error if anything big starts to happen. For example, if you can't make a phone call or summon the emergency services because you have a virus on your phone, I guarantee that will get congressional hearings faster than your not being able to browse porn because you have a virus on your desktop." RE

[Photo caption: To unlock an iPhone, one movement of the finger is all that is required]

Expert Comments

Denis Maslennikov
Senior Malware Analyst, Mobile Research Group Manager

The topic of iPhone security, as well as that of other Apple devices running the iOS operating system (iPod Touch and iPad), is always important. As one might expect, this topic encompasses the eternal question of balance between usability and security, an issue that comes up time and time again. In many cases, Apple has successfully managed to tread the fine line between the two:
1. The huge popularity of iOS-based devices all over the world proves this
2. In the 3 years since the first iPhone appeared, only two malware programs have been detected. However, even those two are capable of operating only on devices that have been exposed to ‘jailbreak’.

Apple’s model for the distribution of its applications has proved itself many times over: thousands of designers create purchasable and free applications which undergo extensive checks before ending up in the Apple Store. Millions of people buy and install these applications and everyone is happy… aren’t they?

Well, it’s not possible to be 100% sure of that just yet:
1. Malware applications disguised as legitimate software have never appeared in the Apple Store
2. The iOS operating system does not contain any undetected critical vulnerabilities

Let’s look at both of those statements in more detail.

Considering that as yet there is no indication that malware applications have been detected in Apple Store software, it appears that the checking system for candidate programs to be added to the catalogue is operating efficiently enough. Without reliable information regarding the checking process of new applications, it is only possible to hypothesize about the mechanisms involved. In any case, no matter what the procedure, the possibility of a mistake cannot be excluded, which in the worst case will lead to a piece of malware entering the Apple Store. Given the fact that users consider programs distributed via the Apple Store to be trustworthy and harmless, the potential for a virus epidemic is huge.

The second statement regarding iOS containing no undetected and thus unpatched critical vulnerabilities is even more questionable. Given the balance of probabilities, it is fair to assume that it must contain at least one. In the event that such a vulnerability were detected by Apple themselves, or by a person or company who notifies Apple privately and without fuss, a patch for the vulnerability would have to be launched. However in such a case, how quickly could the patch be developed and distributed? Would not any delay in its distribution result in word spreading publicly about the vulnerability’s existence?

Now for the worst case scenario: imagine just such a critical vulnerability being discovered by criminals. If this happened, one can only guess how it would be used. Of the fact that criminals would try to make use of it one way or another, there can be no doubt at all, especially if the vulnerability was present in not just one particular version of the operating system, but all of them. Again we can only imagine the consequences of a mass virus infection of thousands of devices running on iOS.

We could continue talking about iOS and other mobile platform security indefinitely. These questions are of vital importance today. Mobile devices such as smartphones, regular mobiles and other “smart” devices are being equipped with more and more functionality. With their increased processing capabilities, mobile devices have become practically as powerful as the desktop computers upon which we perform numerous different tasks. Mobile devices are a direct line to a user’s money and personal data, and that is something that the criminals simply can’t ignore. They are more than ready to take advantage of a user’s lack of knowledge about, or indifference to, mobile security protection issues. That is why it is not possible to pay too much attention to the security issues surrounding smartphones and other similar devices, which if ignored can lead to the direst of dire consequences.

If we were to talk specifically about devices running iOS, then:
1. As mentioned previously, the possible appearance of malware for jailbroken smartphones cannot be excluded. How to protect such devices against infection is still very much an open question.
2. Again, as we have discussed already, the possible appearance of unknown critical vulnerabilities cannot be excluded either. How can this threat be negated? Only by prompt notification from the manufacturer and the rapid development and distribution of suitable updates.
Article by Maciej Ziarek, Security Evangelist at Kaspersky Lab

Maciej joined Kaspersky Lab in 2008. Before joining Kaspersky Lab, Maciej wrote for Internet websites and worked at the Information Centre of the Nicolaus Copernicus University in Torun, Poland, the same university from which he received his Bachelor’s Degree in Archival Science and Documentation Management. Maciej is currently studying Computer Science at the Wyzsza Szkola Informatyki in Bydgoszcz, Poland. His interests include cryptography, wireless network security and social engineering.

An antivirus program is currently the basic element of any security policy for fighting viruses and other broadly recognised malicious applications. It constitutes a user’s first line of defence against increasingly sophisticated malware designed to penetrate their systems. For years, antivirus companies have built up their reputations, gaining recognition and trust among their users. Despite this, in the last few years we have encountered more and more cybercriminal attacks based upon exploiting that trust, as well as on human naivety, fear and lack of knowledge. Rogue antivirus solutions, the subject of my article, are becoming an increasing plague not only for corporations, but also, and most importantly, for users unaware of the threat.

What are rogue antivirus solutions?

Rogue antivirus solutions are applications that employ various methods to persuade a user that their system is infected and the only way to remove the threat is to buy an appropriate licence for the application. One of the methods used is to frequently display irritating, fictitious messages, altering a start page or changing the wallpaper.

There are many reasons why cybercriminals prefer this method. First of all, a user who is frightened by frequently appearing messages about a threat on their computer will be more inclined to pay for a solution to the problem. Secondly, if a user downloads an application of this type on their own they will probably agree to the installation, which makes it easier to get around security systems such as the Windows UAC (User Account Control). Thirdly, along with a rogue antivirus solution, an attacker can install spyware, keyloggers and other malware onto the victim’s disks. In this way, the cybercriminal not only receives money for a licence, but can later steal the victims’ data.

The application itself is very obtrusive, as every now and then it floods a user with information about new threats and the necessity of buying a full version of the application to remove those threats. Fearing data loss, a desperate user will take a shortcut, believing that after purchasing the application their system will not only be disinfected, but the application will protect their system against other threats too.

Why are such programs so successful? There are many reasons, but the most important of all is social engineering. The whole business is based upon it. Social engineering is the art of manipulating a human being, affecting them in such a way that they become vulnerable to the suggestions of others. Everything boils down to making a convincing presentation of the facts, in this case an alleged infection, and controlling a particular person for personal gain. The outcome is that the victim is persuaded to purchase an expensive licence.

At the beginning of the article I mentioned that cybercriminals try to make their ’products’ appear similar to those offered by legitimate antivirus market giants. Naturally, this similarity begins and ends with copying the graphical interface style of a real program. There is no borrowing of any useful features in copied applications. The aim is to mislead users, to convince them that what they have is a reputable program.

It is easy to see that the website of the antivirus program called ‘Antivirus and Security’ was modelled entirely on a Kaspersky Lab product. The similarities include: the box, logo, colours, and even the window of the installed program that can be seen on the screen. Kaspersky Lab is not the only company to be exploited in this way. The same happens to Symantec, Avast, Avira, AVG and McAfee. Though the cybercriminals make their programs resemble products from these companies, the name of the rogue antivirus solution remains unchanged – ‘Antivirus and Security’.

It is also worth noting that a similarity to known brands is not the only way of convincing users to buy a rogue antivirus solution. Other methods include:
• a table which purportedly allows a user to compare the level of protection offered by ‘Antivirus & Security’ against solutions from
Rogue Antivirus Solutions | Analytics
Expert Comments

Costin Raiu
Director of the Global Research & Analysis Team at Kaspersky Lab

it in such a way that it appears on the first page of search engine results. Visiting such a website will end with either malware being downloaded, or as in the example above, the false scanning of a hard drive.

Usually cybercriminals play upon hot news topics. For example, after the plane crash with the Polish president on board on 10 April, 2010, websites quickly appeared which allegedly revealed unknown details of the tragedy. Unfortunately, once the site was entered, information about the necessity of scanning the user’s computer was displayed.
Summary

Artificial Intelligence in the realms of IT security

Is it possible to define human intelligence so precisely as to be able to then simulate it with the aid of machines? That is still very much a bone of contention among the scientific community. Developers who are trying to create artificial intelligence use widely varying approaches. Some of them believe that artificial neural networks are the way forward, others the manipulation of symbols. As things stand today, no device containing artificial intelligence has successfully passed the Turing test. The famous British computer scientist Alan Turing stated that in order for a machine to be classed as truly intelligent in its own right, a user should be completely unable to distinguish if they are interacting with a machine or another human being. One potential application of autonomous artificial intelligence is in the field of computer virology and the provision of remote computer maintenance.

Article by Oleg Zaitsev, Chief Technology Expert at Kaspersky Lab

Oleg joined Kaspersky Lab in 2007 as a Developer in the Complex Threat Analysis Group. He was promoted to Technology Expert in November 2008 and is responsible for carrying out research into new detection and disinfection technologies, investigating and disinfecting remote systems and analyzing the behavior of malware.

The main task facing artificial intelligence [AI] researchers at present is to create an autonomous AI device fully capable of learning, making informed decisions and modifying its own behavioral patterns in response to external stimuli. It is possible to build highly specialized bespoke systems; it is possible to build more universal and complex AI; however, such systems are always based upon experience and knowledge provided by humans in the form of behavioral examples, rules or algorithms.

Why is it so difficult to create autonomous artificial intelligence? It is difficult because a machine does not possess such human qualities as animated thought, intuition, an ability to differentiate between important and minor, and most importantly, it lacks the thirst for new knowledge. All of these qualities endow mankind with the ability to arrive at solutions to problems, even when those problems are not linear. In order to do proper work, AI currently requires algorithms that have been predetermined by humans. Nevertheless, attempts to reach the holy grail of true AI are constantly being made and some of them are showing signs of success.

Manual labor expenses

The process of malware detection and the restoration of normal operating parameters on a computer involve three main steps. That rule applies regardless of whom or what undertakes each step, be it a man or a machine. The first step is the collection of objective data about the computer under investigation and the programs it is running. This is best achieved by the use of high-speed, automated equipment capable of producing machine-readable reports and operating without human intervention.

The second step involves subjecting the collected data to detailed scrutiny. For example, if a report shows that a suspicious object has been detected, that object must be quarantined and thoroughly analyzed to determine its level of threat and a decision taken regarding what further actions are required.

The third step is the actual procedure of treating the problem, for which a special scripting language can be used. This contains the commands required for the removal of any malware files and the restoration of the normal operating parameters of the computer.

Generally speaking, just a few years ago steps two and three were performed by analysts working for IT security companies and experts on specialized forums using almost no automation. However, with an increase in the number of users becoming malware victims and subsequently needing help, this led to a number of problems, namely:
• When protocols and quarantine files are being processed manually, a virus expert is
Cyber Expert | Technology
[Figure: General principles of operation of the Cyber Helper system. Numbered elements: Users' PC, Cyber Helper, Subsystem 1 to Subsystem N, System's AI, Experts - analysts.]
Under control

Security systems are constantly being perfected and, if the traditional signature-based technologies are only able to handle known threats, the solutions for monitoring system events that have appeared recently can detect threats and anomalous behavior in computer systems that virus analysts are as yet completely unfamiliar with.

Article by Elmar Török

Elmar Török has been working in the IT industry since 1989. He became an author and technical journalist in 1993 while studying electrical engineering in Munich and Kempten. Since then he has written hundreds of articles for just about every major computer and networking publication in Germany. Elmar specializes in IT security and storage issues, has a solid knowledge of server-related topics and knows his way around virtualization. He is the Editor-in-Chief of the security periodical “Infodienst IT-Grundschutz” and is involved in the final acceptance process of new material for the IT-Grundschutz Catalogues of the Federal Office for Information Security.

The traditional approach to malware protection has always been to firstly analyze the specific characteristics of each piece of malware, create a database of such features that is as comprehensive as possible and then to block those programs that display any of the recorded malware characteristics. The main drawback to such signature-based methods is that they only provide protection against known threats and information about each threat has to be collected separately. As a result, it is only possible to get a very limited idea of what is going on with the computer system as a whole, whereas to achieve a good level of security it is necessary to have as precise a picture as possible of the ever-changing threatscape and system anomalies.

System monitoring: a new level of protection

System monitors record every important change to the system, including destructive changes, for example, unwanted entries to the system registry and unauthorized file modifications. Destructive behavior is the most characteristic, precise and identifying feature of malware and that is true for both known and as yet unknown varieties, which is why system monitoring is universal; it is effective against any software that behaves as malware.

Once legitimate parameters and events have been defined for a given system, it is possible to detect everything that occurs outside these limits, including unknown anomalies. In many cases this approach is simpler than trying to conceive of every type of threat in advance in order to devise and implement suitable protective strategies accordingly.

System monitoring is especially valuable if one considers that new malware attacks and threats are constantly being developed and perfected. For example, it allows new threats and anomalies to be detected that may be based on new methods of penetrating a system and obfuscating malware.

System monitoring provides flexible protection. It is possible to draw an analogy between whitelisting and blacklisting software technologies. Blacklists contain malware and destroy everything that is on the list, whilst whitelists contain legitimate programs and allow only those programs on the list to have access to the necessary system resources. In both cases, reliable protection would only be achieved if the lists were kept fully up-to-date, which is an impossible task given the sheer volume of new malware and legitimate programs appearing daily. That is why the most reasonable and flexible approach is to involve both types of list: white and black.

What’s important is that system monitoring, if implemented correctly, makes it possible to roll back the activity of malicious programs and restore the computer’s normal operating parameters.

Analysis of system events

Dependable system monitoring capabilities can be achieved by the integration of the system monitoring software with a high quality, intellectual system of threat analysis. It is not enough to simply collect information about system events; it is necessary to correctly define the sources of such events, as well as their interconnections and influences on the system’s security.

The monitoring system’s functionality must be flexible and its methodology can differ depending upon its aims. When threats are detected, a comparison with known models of malware behavior is used. When unknown anomalies are detected, system events and statuses need to be analyzed as a whole and deviations from the norm identified in order to trigger an appropriate response.

To achieve full system protection using system monitoring techniques, the monitoring software has to be able to analyze events in real time in order to be able to block and roll back destructive actions immediately.
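To make the whitelist/blacklist combination and the rollback capability described in the two sections above concrete, here is an added example; it is not code from the article or from any product it names. It replays a constructed stream of system events through a small monitor: changes by whitelisted programs are applied, changes matching known-bad behaviour models (persistence via the Run key, hosts-file tampering, disabling Task Manager) are blocked outright, and everything else from unknown programs is applied but journalled, so that a program which accumulates enough anomalous changes has all of them rolled back. The process names, file paths and event stream are constructed; the Run key and hosts-file locations are the real well-known Windows ones.

```python
"""Minimal event-driven system monitor: whitelist, blacklist and rollback.

Added example; not code from the article or from any product it names.
Every process name, path and event below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Event:
    process: str                      # image name of the acting process
    action: str                       # "write_file", "delete_file" or "set_registry"
    target: str                       # file path or registry value
    new_value: Optional[str] = None   # content after the change (None = removed)
    old_value: Optional[str] = None   # filled in by the monitor, used for rollback


# Programs whose changes are trusted without further analysis (constructed).
WHITELIST = {"explorer.exe", "svchost.exe", "updater.exe"}

# Known-bad behaviour models: persistence via the Run key, hosts-file
# tampering, disabling Task Manager. Matching is a case-insensitive
# substring test on the target, so both HKCU and HKLM Run keys match.
BLACKLIST_PATTERNS: List[Tuple[str, str]] = [
    ("set_registry", r"\Software\Microsoft\Windows\CurrentVersion\Run"),
    ("write_file", r"\drivers\etc\hosts"),
    ("set_registry", r"\Policies\System\DisableTaskMgr"),
]

# An unknown program with this many journalled changes is treated as
# anomalous and rolled back in full.
ANOMALY_THRESHOLD = 2


class Monitor:
    def __init__(self, initial_state: Dict[str, str]):
        self.state: Dict[str, Optional[str]] = dict(initial_state)  # simulated disk/registry
        self.journal: Dict[str, List[Event]] = {}                   # undo log per process

    def _matches_blacklist(self, ev: Event) -> bool:
        return any(ev.action == action and pattern.lower() in ev.target.lower()
                   for action, pattern in BLACKLIST_PATTERNS)

    def _apply(self, ev: Event) -> None:
        ev.old_value = self.state.get(ev.target)            # remember for rollback
        self.state[ev.target] = None if ev.action == "delete_file" else ev.new_value

    def handle(self, ev: Event) -> str:
        """Apply one event and return 'allowed', 'blocked' or 'flagged'."""
        if ev.process in WHITELIST:
            self._apply(ev)
            return "allowed"
        if self._matches_blacklist(ev):
            return "blocked"                                # known-bad model: never applied
        self._apply(ev)                                     # unknown: apply, but journal it
        self.journal.setdefault(ev.process, []).append(ev)
        return "flagged"

    def rollback(self, process: str) -> int:
        """Undo every journalled change of a process, newest first; return the count."""
        undone = 0
        for ev in reversed(self.journal.pop(process, [])):
            self.state[ev.target] = ev.old_value
            undone += 1
        return undone

    def run(self, events: List[Event]):
        """Process a stream, then roll back any process over the anomaly threshold."""
        decisions = [(ev.process, ev.action, ev.target, self.handle(ev)) for ev in events]
        rolled_back = {proc: self.rollback(proc)
                       for proc, evs in list(self.journal.items())
                       if len(evs) >= ANOMALY_THRESHOLD}
        return decisions, rolled_back


def demo():
    """Replay a constructed event stream; returns (monitor, decisions, rolled_back)."""
    monitor = Monitor({
        r"C:\Users\u\Documents\report.docx": "original",
        r"C:\Users\u\Documents\backup.zip": "zip-bytes",
    })
    events = [
        Event("updater.exe", "write_file", r"C:\Program Files\App\app.exe", "v2"),
        Event("dropper.exe", "set_registry",
              r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc", r"C:\Users\u\svc.exe"),
        Event("dropper.exe", "write_file", r"C:\Users\u\Documents\report.docx", "<encrypted>"),
        Event("dropper.exe", "delete_file", r"C:\Users\u\Documents\backup.zip"),
        Event("notepad.exe", "write_file", r"C:\Users\u\notes.txt", "todo"),
    ]
    return (monitor,) + monitor.run(events)


if __name__ == "__main__":
    mon, decisions, rolled_back = demo()
    for proc, action, target, verdict in decisions:
        print(f"{verdict:8} {proc:12} {action:13} {target}")
    print("rolled back:", rolled_back)
```

In the replay, the whitelisted updater is allowed, the dropper's Run-key persistence is blocked by the blacklist before it is applied, its two destructive file changes are journalled and then undone once it crosses the threshold, and the single unknown write by notepad.exe stays in place as a flagged but tolerated anomaly. The journal of old values is what makes the rollback possible; a real monitor would have to capture those values at the moment of the change, as this one does in `_apply`.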
Analysis of application activities | Technology
Expert Comments
Nikolay Grebennikov
Chief Technology Officer at
Kaspersky Lab
Weak links

Our forecasts regarding the development of threats usually look closely at any new methods by which viruses proliferate, new platforms upon which threats may appear and aspects of the cybercriminals’ existence from the point of view of their income. However, the principal factor lying at the root of the problem has always been, and will remain, the human factor.
Changes in the methods and targets of attacks | FORECASTS
WinCC and which work on the SCADA platform. Apart from its unusual functionality, the worm exploited a zero-day vulnerability in Windows for the purposes of self-proliferation. This vulnerability was known to the cybercriminals at least half a year before security experts managed to detect it, so we can only guess who has been using it and for what purpose. What is even more alarming is that a conflict of interests between the cybercriminals and governmental institutions can be expected in the field of industrial espionage.

Previously, the scope of the cybercriminals’ attacks was limited to harassing the everyday user en masse, and only rarely did they carry out successful attacks on financial organizations, payment systems and online shops. Back then the criminals’ main aim was to gain access to user accounts. However, during the course of its evolution, the world of cybercriminality performed a spiral maneuver which has seen it return to the same point from which it started, but on a new and higher level. That starting point is the realization of the value of information in today’s society. Often, a successful attack on a company’s infrastructure will net the cybercriminals far more significant profits than they would otherwise receive through the mass viral infection of home users’ computers.

The development of information processes and the involvement in this sphere of new areas of human activity leads to a situation where information previously unavailable to the remote attacker is now accessible to them. At the same time, the range of information that is of interest to the criminals has become even wider. If in times gone by it was financial information and users’ personal data that were the target of the hacker, it is now more often than not technical data and research information they are after.

ALTERNATIVE METHODS OF ENTRY

As we have stated above, an attack via a user’s web browser is the most common method by which a threat will infiltrate a computer. At the same time, however, it is worth remembering that there are many other ways to access a user’s system, and those other means are currently receiving a great deal of attention from the cybercriminals and are under constant development.

File sharing networks have become the most rapidly growing threat from the point of view of the distribution of malware. To illustrate the level of the problem we can look to the Mariposa botnet saga, whose authors and owners were arrested in Spain and Slovenia just this summer. According to information from the FBI report, during the time of its existence the botnet contained some 12 million computers located across 190 countries of the world. The main method by which the botnet spread was P2P networks. Christopher Davis, CEO of Defense Intelligence, who first discovered the Mariposa botnet, explains: “It would be easier for me to provide a list of the Fortune 1000 companies that weren’t compromised, rather than a long list of those who were.”

During the first half of 2010, practically every noteworthy release of a pirated version of a popular game or software application contained a Trojan component within it that was spread by the pirates’ distribution over file sharing networks. In July, Microsoft announced that they had detected several viruses in unlicensed copies of the game StarCraft 2.

With the growth in the quality of protection against browser attacks, the vector of entry will doubtless be shifted more and more strongly towards file sharing networks.

ANTIVIRUS CLOUDS

Practically all of the major antivirus companies have started using in-the-cloud technologies or are planning to use them in the near future. Despite the undoubted advantage with regard to the struggle against attacks, in-the-cloud technologies are themselves sure to be a prime target for the cybercriminals.

The eternal conflict between virus and antivirus has, up to the present moment, been largely going on at the level of files and processes on the end users’ machines. Malware programs have been trying to destroy the antivirus system by different means or attempting to persuade the user to switch it off themselves.

With the beginning of cloud-technology detection and categorization, a new front has opened up in this war. Malware programs, or to be more precise their authors, will have to solve the problem of attacking the cloud. Although technologically it is practically impossible to destroy the cloud, direct mass DDoS attacks aside, it is quite vulnerable in terms of its own functionality: receiving, processing and sending information to and from the end users.

Problems within the very architecture of the majority of antivirus clouds will be actively used by the cybercriminals, and the first examples of such actions can be seen already. The most widespread and simple method of disabling cloud technologies is to block computer access to the cloud. More complex methods include the substitution of data, with the aim of ‘trashing’ the cloud with false information, as well as modification of the data received from the cloud.

Such ‘trashing’ is probably the most dangerous threat. Blocking access to the cloud or the modification of responses from the cloud affects only infected users, but inputting false data into the cloud will influence every single user. This would bring with it not only an absence of detection, but also a more serious problem: false positives, which would lead to a general decline in the level of trust in cloud-based technologies and to the necessity to revise or alter their performance algorithms.

With the increase in the number of antivirus technologies that operate using in-the-cloud technologies, there will be constant quantitative and qualitative growth in the number of attacks upon them from malware programs on clients’ computers, and additionally with the help of special services supported by the cybercriminals.

[Figure: The approximate percentage ratio of virus infections caused by the human factor (blue), compared to software vulnerabilities (red), for the period 2000-2005]
[Figure: The approximate percentage ratio of virus infections caused by the human factor (blue), compared to software vulnerabilities (red), for the period 2009-2010]
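The three attack classes the forecast names for antivirus clouds (blocking access, ‘trashing’ the cloud with false data, and modifying the data received from it) each have a standard mitigation at the design level. The following Python example, added for this edition and not taken from any vendor's cloud, models a toy reputation service and its endpoint client to show one mitigation per class: verdicts carry an authenticator, so a response altered in transit is detected rather than trusted; an unreachable cloud produces an alert and a "no-verdict" result instead of a silent "clean"; and a verdict only changes when a quorum of distinct reporting sources agree, each holding a single vote per file, so one flooding source cannot flip it. The key, the hashes, the source names and the quorum size are constructed; a real service would use an asymmetric signature, since a shared HMAC key on the client could itself be extracted.

```python
import hashlib
import hmac
import json

# Constructed key. It stands in for the signing key of a real service, which
# would use an asymmetric signature so that the verification key held on the
# client cannot be used to forge verdicts.
KEY = b"constructed-demo-key"

class CloudService:
    """Toy reputation cloud: collects verdict reports and answers queries."""
    QUORUM = 3   # distinct sources that must agree before a verdict is issued

    def __init__(self):
        self.reports = {}      # file_hash -> {source_id: verdict}
        self.reachable = True  # flipped to False to model blocked access

    def submit(self, file_hash, source_id, verdict):
        # One vote per source per hash: repeated reports overwrite, they do
        # not accumulate, so a single flooding source cannot reach quorum.
        self.reports.setdefault(file_hash, {})[source_id] = verdict

    def verdict(self, file_hash):
        votes = list(self.reports.get(file_hash, {}).values())
        for label in ("malicious", "clean"):
            if votes.count(label) >= self.QUORUM:
                return label
        return "unknown"

    def query(self, file_hash):
        """Return (body, tag): the verdict plus an authenticator over it."""
        if not self.reachable:
            raise ConnectionError("cloud unreachable")
        body = json.dumps({"hash": file_hash, "verdict": self.verdict(file_hash)})
        tag = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
        return body, tag

class TamperedPath(CloudService):
    """Models modification of the response in transit: body altered, tag not."""
    def query(self, file_hash):
        body, tag = super().query(file_hash)
        return body.replace("malicious", "clean"), tag

class Client:
    """Endpoint side: verifies every response and never treats silence as clean."""
    def __init__(self, cloud):
        self.cloud = cloud
        self.alerts = []   # (reason, file_hash) events raised for the local engine

    def check(self, file_hash):
        try:
            body, tag = self.cloud.query(file_hash)
        except ConnectionError:
            self.alerts.append(("cloud-blocked", file_hash))
            return "no-verdict"
        expected = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            self.alerts.append(("cloud-response-tampered", file_hash))
            return "no-verdict"
        data = json.loads(body)
        if data["hash"] != file_hash:
            # an authentic verdict for a different file, replayed
            self.alerts.append(("cloud-response-mismatch", file_hash))
            return "no-verdict"
        return data["verdict"]

def demo():
    """Constructed scenario covering flooding, honest quorum and blocked access."""
    cloud, h = CloudService(), "a1" * 32          # constructed sample hash
    client = Client(cloud)
    for _ in range(1000):                         # one source floods 'clean' reports
        cloud.submit(h, "src-attacker", "clean")
    flooded = client.check(h)                     # still "unknown": one vote
    for src in ("sensor-a", "sensor-b", "sensor-c"):
        cloud.submit(h, src, "malicious")
    agreed = client.check(h)                      # "malicious": quorum reached
    cloud.reachable = False
    blocked = client.check(h)                     # "no-verdict" and an alert
    return flooded, agreed, blocked, client.alerts

if __name__ == "__main__":
    print(demo())
```

The quorum rule only raises the cost of trashing: an attacker who controls enough distinct, accepted sources still gets a false verdict into the cloud, which is why the forecast treats trashing as the most dangerous of the three. Source identity and rate limits at submission time, and a human review path for verdicts that flip, are the usual complements to the vote count.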
Keeping pace with viruses

Creators of viruses obviously set out to make as much profit as possible from their activities. To achieve this, they distribute as many malware programs as they can, hiding them from antivirus detectors with the help of many tricks. Nikita Shvetsov, Kaspersky Lab’s Head of Antivirus Research, tells us how the virus analysts manage the processing of huge numbers of these malware samples.
SV: Lately we have seen an enormous growth in the quantity of malware. What is it connected with – the cybercriminals’ thirst for profit?

N: Let’s start from the fact that there is no single system of counting these programs. It’s no secret that modern solutions are developed along the lines of advanced behavioral analyzers, and that the enhanced behavioral template HEUR:Worm.32.Generic blocks millions of different files per day. So, how to count this? Kaspersky Lab has long since gone from abstract evaluation of the volume of detected viruses to hard statistics concerning virus infections and prevented attacks. Such statistics are received online from the users of our products. We operate by knowing the amount of virus infections per day and the amount of machines infected, and can thus reliably track the spread of any ongoing epidemics. In absolute figures, it is the same millions of unique files, but occurring on a daily basis. However, where do so many files come from? Virology has become heavily commercialized and the field of systems programming, which a while ago was interesting because of its nontrivial approach, has now become a method of income for the cybercriminals. Then, as in any industry, there has been a transformation from backstreet workshops to well organized factories with the distinct separation of work. Clients are generally unwilling to pay tens of thousands of dollars for the creation of a new version of a Trojan-based botnet. It is much simpler to buy a package that has been developed for you, and to buy it with support, which means that if the package is detected – you are simply provided with a new one. This is a prime source of malware file growth. As one of our colleagues says: “everything that is new – is in fact something old, neatly repackaged”. Either the malware developers were very lazy or the antivirus solutions manufacturers have raised the speed at which they create protective signatures, but the idea has undergone further development.

Tools responsible for obfuscation are being placed actually on the web server from where the malware is downloaded. Each time a user follows the malware link, the server provides a new, unique file. This is called server side polymorphism. Each time that the link is used, a different file with identical functionality is received. The development projects of virus programs with open source code of the Pinch & BlackEnergy variety also played a significant role in the growth of the number of detected program variants. Anyone with no respect for the law can find the initial texts of these programs, upgrade them to suit their own purposes and begin to distribute them.

SV: In connection with this, how has the approach to malware processing changed from the side of the antivirus companies?

N: First of all, the incoming flow of malware data has increased to such an extent that we have encountered electrical supply capacity issues regarding the connection of new server equipment in our headquarters. We receive hundreds of thousands of files per day and to process them manually we would need to retain more than 1,000 staff. That is why the approach has changed radically. Our aim is to minimize the flow of files reaching our virus analysts. People should be given the opportunity to do what they enjoy doing – to think about and analyze new samples, which cannot be dealt with by automatic means. Routine work – that’s the robots’ task. We even joke about our robots fighting the robots from the other side. We are also enhancing our regional capabilities. For a start, we have opened the antivirus laboratory in Beijing, and currently we are opening another laboratory in Seattle, in the USA. This allows Kaspersky Lab to cover all the time zones, and possibly in the future, to eliminate the need for our Moscow-based virus analysts to have to do shift work.

SV: How do you receive new versions of malware programs?

N: Of course, we have significantly changed our approach to obtaining new malware samples. Whilst before we received suspicious files sent to us by users of our products and other interested parties via our newvirus@kaspersky.com email box, now the emphasis is on proactively seeking out malware files. Our robots are out there crawling Internet pages, receiving and ‘reading’ spam and imitating users of IM clients - they can even hold a conversation! This is very engaging. Also, we readily share information about detected threats with our colleagues from other companies, and they reciprocate.

SV: In the future, will it be possible to completely automate the entire process so that virus analysts will no longer be needed?

N: Completely removing humans from the process, particularly virus analysts, is hugely unlikely. The quality of such an automated system would seriously degrade pretty quickly. It is more likely that the virus analysts’ role will be to configure different robots with the aim of adding to their algorithms the means to combat new vectors of attack. Even then, there is always incomplete or contradicting data that a robot is simply not able to handle, or false positives which really only humans can deal with.
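The interview makes three points that fit together in a triage pipeline: a per-download unique file (server side polymorphism) makes file hashes useless for counting, behavioral templates count what the files actually do, and the robots' job is to keep routine samples away from analysts while contradicting or low-confidence cases still reach a human. The following Python example, added for this edition and not Kaspersky Lab's own pipeline, shows that routing on a constructed batch of samples: exact duplicates collapse by content hash, the remaining files cluster by a fingerprint of their sandbox behaviors, each cluster gets one decision from constructed behavior templates, and clusters with a template hit plus a conflicting signal (a trusted signer, two templates, or disagreement within the cluster) go to the analyst queue. The templates, signer list, sample bytes and behavior names are all constructed; the HEUR names the interview mentions are not reproduced.

```python
import hashlib
from collections import defaultdict

# Constructed behaviour templates: a sample whose sandbox behaviours include
# all of a template's behaviours matches it. Illustrative names only.
TEMPLATES = {
    "worm-generic": {"copy-self-to-removable", "write-autorun"},
    "banker-generic": {"hook-browser", "post-credentials"},
}
TRUSTED_SIGNERS = {"Example Vendor Ltd"}   # constructed

def fingerprint(behaviours):
    """Identity by behaviour: byte-different variants with identical
    functionality (server-side polymorphism) share one fingerprint."""
    return hashlib.sha256("|".join(sorted(behaviours)).encode()).hexdigest()[:16]

def robot_verdict(sample):
    """('robot', verdict) when the automation can decide alone, otherwise
    ('analyst', reason) for the human queue."""
    hits = [name for name, t in TEMPLATES.items() if t <= sample["behaviours"]]
    signed = sample["signer"] in TRUSTED_SIGNERS
    if len(hits) > 1:
        return ("analyst", "conflicting templates: " + ", ".join(hits))
    if hits and signed:
        return ("analyst", "trusted signer with %s behaviour: possible false positive" % hits[0])
    if hits:
        return ("robot", hits[0])
    if signed and not sample["behaviours"]:
        return ("robot", "clean")
    return ("analyst", "no template match and no trusted signer")

def triage(samples):
    # 1. exact duplicates collapse by content hash
    by_hash = {hashlib.sha256(s["data"]).hexdigest(): s for s in samples}
    # 2. remaining files cluster by behaviour fingerprint
    clusters = defaultdict(list)
    for h, s in by_hash.items():
        clusters[fingerprint(s["behaviours"])].append(h)
    # 3. one decision per cluster; disagreement inside a cluster goes to a human
    robot, analyst = {}, {}
    for fp, hashes in clusters.items():
        decisions = {robot_verdict(by_hash[h]) for h in hashes}
        if len(decisions) > 1:
            analyst[fp] = ("contradicting verdicts within one behaviour cluster", hashes)
            continue
        route, detail = decisions.pop()
        (robot if route == "robot" else analyst)[fp] = (detail, hashes)
    return {"unique_files": len(by_hash), "clusters": len(clusters),
            "robot": robot, "analyst": analyst}

# Constructed sample batch, as a submission-plus-sandbox pipeline might produce.
WORM = {"copy-self-to-removable", "write-autorun"}
SAMPLES = [
    # three byte-different downloads of one worm: server-side polymorphism
    {"data": b"MZ\x00worm-variant-1", "behaviours": WORM, "signer": None},
    {"data": b"MZ\x00worm-variant-2", "behaviours": WORM, "signer": None},
    {"data": b"MZ\x00worm-variant-3", "behaviours": WORM, "signer": None},
    # the same installer submitted twice by two users
    {"data": b"MZ\x00setup", "behaviours": set(), "signer": "Example Vendor Ltd"},
    {"data": b"MZ\x00setup", "behaviours": set(), "signer": "Example Vendor Ltd"},
    # signed password manager that hooks the browser: template hit vs. trusted signer
    {"data": b"MZ\x00pwmgr", "behaviours": {"hook-browser", "post-credentials"},
     "signer": "Example Vendor Ltd"},
    # unsigned file with behaviour no template covers
    {"data": b"MZ\x00misc", "behaviours": {"read-registry"}, "signer": None},
]

if __name__ == "__main__":
    result = triage(SAMPLES)
    print(result["unique_files"], "unique files in", result["clusters"], "clusters;",
          len(result["robot"]), "handled by robots,", len(result["analyst"]), "to analysts")
```

On the constructed batch, seven submissions become six unique files and four behaviour clusters; the three worm variants count as one detection rather than three, the robots settle two clusters, and the two that carry contradicting signals (a trusted signature over banker-like behaviour, and a file no template covers) are exactly the ones the interview says still need a person.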