Malware infects 13 percent of North American home networks

Some 13 percent of home networks in North America are infected with malware, half of them with "serious" threats, according to a report released Wednesday by a cyber-security company.

However, that number is a one-percent decrease from the quarter that ended in June, according to Kindsight Security Labs, of Mountain View, California, in its third-quarter malware report [PDF].

Based on information gathered from service providers, Kindsight reported that 6.5 percent of the home network infections were high-level threats that could turn a home computer into a spam-spewing zombie on a botnet or compromise a computer owner's bank account.

ZeroAccess botnet

Some 2.2 million home networks worldwide are infected with malware controlled by the ZeroAccess botnet, the report estimated. In North America, one in every 125 home networks are infected with malicious software.

Map of the ZeroAccess botnet as it spreads across North America

"The ZeroAccess.net has grown significantly to become the most active botnet we've measured this year," Kevin McNamee, Kindsight security architect and director, said in a statement.

"Cyber criminals are primarily using it to take over victim computers and conduct click fraud," McNamee continued. "With ZeroAccess, they can mimic the human behavior of clicking online ads, resulting in millions of dollars of fraud."

Kindsight estimates that online advertisers lose $900,000 a day in fraud perpetrated by ZeroAccess.

Big money for evil-doers

Spam, add-click malware, banking Trojans, theft of identity information, and fake security software are big money makers for cybercriminals, the report noted.

The cyber-security vendor also reported that it saw a 165% increase in the number of Android malware samples during the period. Nevertheless, despite the growth in spyware apps and malware, there have been no major malware outbreaks, the report said.

"Aggressive Adware," some of it bordering on spyware, continues to be a problem in the Android market, according to Kindsight. It estimates that three percent of all mobile devices host some form of that software.

While security software aimed at removing aggressive adware from mobile devices has been introduced into the market, the report explained, it remains to be seen how effective it will be in mitigating the problem.

Similar efforts were made in the past to address spyware problems in the Windows world, but the Android environment is a horse of a different color. "One key difference between these ad-funded Android apps and the traditional Window’s variety is that the Android variety is being distributed from the Google Play App Store, which lends them considerable legitimacy," the report said.

Source: pcworld.com

Read More

Windows 7 malware infection rate soars in 2012

But 2009 OS still 2X-3X less likely to get hacked than 11-year-old XP

Windows 7's malware infection rate climbed by as much as 182% this year, Microsoft said today.

But even with that dramatic increase, Windows 7 remained two to three times less likely to fall to hacker attack than the aged Windows XP.

Data from Microsoft's newest twice-yearly security report showed that in the second quarter of 2012, Windows 7 was between 33% and 182% more likely to be infected by malware than in the second quarter of 2011.

The infection rate for Windows RTM, or "release to manufacturing," the original version launched in Oct. 2009, was 33% higher this year for the 32-bit edition (x86), 59% higher for the 64-bit (x64) OS.

Windows 7 Service Pack 1 (SP1) -- the upgrade that shipped in Feb. 2011 -- saw even larger infection increases: 172% for x86, 182% for x64.

Microsoft blamed several factors for the boost in successful malware attacks, including less savvy users.

"This may be caused in part by increasing acceptance and usage of the newest consumer version of Windows," said Microsoft in its latest Security Intelligence Report. "Early adopters are often technology enthusiasts who have a higher level of technical expertise than the mainstream computing population. As the Windows 7 install base has grown, new users are likely to possess a lower degree of security awareness than the early adopters and be less aware of safe online practices."

But other elements came into play, argued Tim Rains, director of Microsoft's Trustworthy Computing group.

"There are several factors at play here. In XP, for example, we've seen infection rates go up because of particular pieces of malware that are more effective on that platform," said Rains in an interview. "[And] in different places in the world, [users'] ability to keep Windows up to date varies greatly."

For the first time, Microsoft ranked the threats facing each version of Windows, bolstering Rains' assertion that some malware families are more successful against, or at least more often aimed at, specific Windows builds, and thus affect the infection rates.

But security researchers were more likely to pin the blame on Windows 7's popularity.

"Windows 7 has really been the first platform adopted by both enterprises and consumers, and that kind of adoption hasn't happened in quite some time for Microsoft," said Andrew Storms, director of security operations at nCircle Security. "Given the market movements, its likely that the attackers follow."

And Windows 7 is a more popular operating system this year: From June 2011 to June 2012, Windows 7's usage share grew 45%, according to statistics from metric firm Net Applications.

Microsoft collects infection data from several sources, including the Malicious Software Removal Tool (MSRT), a free utility it distributes to all Windows users each month that detects, then deletes selected malware. It then normalizes the data by comparing an equal number of computers for each edition of Windows.

The measurements are expressed as X per thousand: Windows XP SP3's infection rate, for instance, was 9.5 in the second quarter, or 9.5 XP SP3 machines out of every 1,000.

The x86 editions of Windows 7 RTM and SP1 came with higher infection rates than the x64 versions, and Windows 7 SP1 was less likely to be infected than RTM. Windows 7 RTM x86 had the highest rate, 5.3, while Windows 7 SP1 x64 had the lowest, just 3.1.

But even with that low rate, Windows 7 SP1 x64 had the dubious distinction of sporting the largest year-to-year increase because in the second quarter of 2011, its infection rate was an even lower 1.1.

Microsoft's numbers back up the belief that Windows 7 is a more secure OS than the still-present-in-large-numbers XP, and makes a good case for users of the latter to migrate to the former, a transition Microsoft and industryanalysts have long supported.

If history is any guide, Windows 7's infection rate will continue to climb as its market share does the same, and won't begin to decline until a successorreplaces it on a large number of PCs.

"There is probably no single technology feature set that can explain infection rates in either incline or decline," said Storms. "It has more to do with what the attackers want to attack. And as we have seen, attackers generally get what they want."

The 146-page Security Intelligence Report Volume 13 can be downloaded fromMicrosoft's website.

Source : computerworld.com/

Read More

Watchdog issues spam warning to real estate agent

Targets real estate sector.
The communications watchdog has issued a "formal warning" to Elders Real Estate Wollongong following an investigation that found the agency breached the Spam Act.

The Australian Communications and Media Authority said the real estate agent breached the Act by sending commercial electronic messages without an unsubscribe facility.

ACMA said it contacted "more than forty" head offices of real estate franchisors and companies last year to inform them of "key obligations" and "consequences of non-compliance" with anti-spam laws.

"This is the first enforcement measure taken against a real estate agent since an ACMA awareness campaign about unsolicited communications targeted at the real estate sector," said Chris Cheah, acting chairman of the ACMA.

Penalties of up to $1.1 million per day may be imposed by the Federal Court for repeat offenders of the Spam Act, ACMA said.

Read More

Curiosity drives Twitter "social virus"

If you were hanging out on Twitter today, you probably noticed a lot of very similar Tweets coming through, saying "Don't Click" followed by a shortened URL.

Many people, upon receiving that Tweet, immediately clicked the link, which took them to a page with a "Don't Click" button. And when they clicked on that button (assuming they were logged into Twitter in their web browser) they ended up posting a Tweet from their account. This Tweet repeated the original message: "Don't Click" followed by a shortened URL. Which all their Followers clicked. And so on.

The end result of this was huge numbers of "Don't Click" Tweets, a lot of puzzlement on the part of the Twitter community, and nothing more serious. This time at least.

The security community immediately got to work investigating the event and found that it was accomplished via clickjacking. Chris Shiflett has a done a great job of explaining the exploit, as has Sunlight Labs. This wasn't a case of using clever javascript or any scripting at all. It was just done with an IFrame, pulling the Twitter page into the "Don't Click" page and populating the Status Update box on the Twitter page. However the IFrame was rendered invisible via CSS. You thought you were clicking this "Don't Click" button on the page, but you were actually clicking the (now invisible) Update button on the embedded Twitter page. If that went over your head, the links above step through it much more clearly.

To their credit, the Twitter Engineers blocked the problem very quickly, and no real harm was done. But their fix isn't bulletproof, as Jeff Jones discovered.

In some ways, the most interesting part of this story was the way it was the "virus" was distributed. Apparently the very best way to get people to click on something is to label it "Don't Click"!

Read More

A New Internet Attack: Parking Tickets

Trojan-pushing parking tickets? Yes, really. The Internet Storm Center, which tracks Internet attacks and threats, documented a case in Grand Forks, North Dakota where someone put yellow fliers on cars that claimed to ticket a parking violation. The fliers named a Web site that purportedly had pictures of your supposed violation.

To see the pictures, according to additional commentary from the McAfee Avert Labs, the site instructs you to download a toolbar named PictureSearchToolbar.exe. Do so, and you end up with a Trojan. That Trojan, called Vundo by Symantec and McAfee and Monder by Kapsersky (according to a Threat Expert report linked by the ISC), displays false infection warning pop-ups that market a fake antivirus product called "Antivirus 360."

I knew that pushing rogue antivirus was becoming a more popular tactic for crooks, who get a cut of the purchase price via shady affiliate marketing deals, but I had no idea the potential profits could justify the time and expense of physically distributing fake parking tickets. Then again, maybe it doesn't: Many Internet crooks aren't exactly known for their excessive brain power.

The ISC post from Lenny Zeltser has more details on the discovery, including some digital sleuthing about the model of the camera used for pictures on the Web site. And keep an eye out for an upcoming PC World story that delves into rogue antivirus, including how to tell a harmless browser-based social engineering attempt from one that can indicate a malware infection like the one described here

Read More

Attachment spam – the latest trend

Spammers using common file formats as attachments for pump-and-dump scams

This white paper explains what makes spam such an unbearable problem and how spamming tactics are evolving daily to beat anti-spam software. In the space of two months, spammers have switched from image spam to using PDF, Excel and ZIP file attachments. By using these attachments to send images instead of embedding them in the body of the email message, spammers have taken the cat-and-mouse game with anti-spam software developers to a new level.

At one point or another – like the majority of computer users – you have received emails that promise business deals worth millions of pounds, that try to sell products to improve your appearance or that try to convince that it’s worth investing your money in a particular company or stock. Dealing with spam (unsolicited email that is not targeted at specific individuals), is one problem that all email users share in common. Research shows that between 65% and 90% of all email received is considered spam.
On an individual user basis, spam is annoying; it is a waste of time and often contains spyware, malware and even pornography. On a company-wide basis, the same threats apply however there is also the financial cost to manage spam that must be taken into consideration.

The evolution of spam

Until a while ago, spam was the domain of text- or html-based emails. For anonymous delivery, these messages traditionally relied on abusing open SMTP relays. When open SMTP relays became less common, spammers switched to proxy servers, dial-up services and more recently, hijacked computers. Spammers designed personalized template emails to deliver their messages and then made use of bulk mailing software for distribution.
To block spam, email service providers and companies often relied on keyword ‘detection’, and drew up a list of keywords that commonly appeared in most of the spam email. This list would often include keywords such as ‘viagra’ or ‘bank’. However, this method often blocked genuine email and adding more keywords simply resulted in more false positives which in turn blocked legitimate email. But spammers became smarter too, and they addressed keyword blocking by replacing keywords such as ‘viagra’ to ‘v1agra’.
Another attempt at blocking spam includes making use of blacklists that contain a list of IP addresses of known spammers or compromised hosts. However, these lists have to be constantly updated because spammers have learnt to counteract this by rapidly changing the origin of spam.

New trends: Dynamic Zombie botnets

Botnets can be defined as networks of compromised computers which can be controlled by a single master. The number of nodes (also known as zombies) of these botnets can run into millions and these machines make use of different software vulnerabilities to gain full access to the infected hosts and add it to their existing array of zombies. Computer hackers had long been using botnets to launch DoS (denial of service) attacks and distribute network hacking attacks. Computer criminals had also been using botnets for money-making schemes, such as stealing credit card information and scamming pay-per-click advertising companies.
Seeing huge potential in botnets, spammers started financing hackers to make use of zombie machines. Hackers were able to offer services such as renting of botnets for a few minutes or hours and collections of email recipients (spam lists). The anti-virus industry noticed correlations between the spam industry and botnets. Not only were malware writers allowing spammers to make use of their creations, but they were writing malicious code to specifically suit their needs. An unholy alliance had been created.

Image spam

By early 2006, most anti-spam vendors had added Bayesian filtering to their arsenal of spam blocking methods. The fight between spam and anti-spam looked like it was taking a positive turn. However, by the end of 2006, the nature of spam had totally shifted. Whereas spam had been mainly text based, this time spam started looking more graphic in nature. Spammers began making use of images to bypass text-based content filtering, simply by no longer using any text content. By making use of image spam, spammers were attacking the defenses of most anti-spam solutions; while the images displayed text messages to the end-users, the anti-spam software was only able to see pixels.
Some email anti-spam solutions decided to go with OCR (Optical Character Recognition) to turn the images into text that the software could then use. However, spammers took their images to the next level. In an approach usually applied to CAPTCHA (an anti-spam solution that is used on web forums), they started fuzzing (including noise and distortions) images to make it even harder for the machine to recognize text. Although it is possible for the machine to read this text, the process is very CPU intensive – especially when it is handling multitudes of images every few seconds. Read the full article: Attachment Spam- the latest trend

Read More

Hackers exploit Obama site to spread malware

My.BarackObama.com still serving up Trojan a week after being notified, says Websense
A social networking site operated by the 2008 Barack Obama presidential campaign is serving up malware to unwary visitors a full week after the tactic was reported, a security researcher said today.

My.BarackObama.com, still active after the innauguration last week of President Obama, is being used by hackers trying to dupe users into downloading a Trojan horse, said Dan Hubbard vice president of security research at Websense Inc.

My.BarackObama.com provides tools that enable visitors to join groups of Obama supporters, raise funds and create a personal blog hosted on the site. The criminals have set up bogus accounts and used them to create blogs. When a user reaches one of the fake blogs, a YouTube-like video window is displayed; clicking on that video frame takes the user to a malicious Web site packed with pornography.

If the user clicks to view the porn, a message pops up claiming a video codec must be downloaded and installed. The executable file is no codec, but rather a Trojan horse that hijacks the PC.

"The group behind this is one of those that's infecting people with fake antivirus software," said Hubbard, referring to so-called scareware programs that pose as security software but are actually useless. Until the victim pays for the worthless program -- prices range between $40 and $50 -- he or she is deluged with fake pop-up warnings.

The cybercrooks don't just try to grab people browsing through My.BarackObama.com, Hubbard added; rather, they are actively polluting search engines with the URLs of their bogus blog accounts in an attempt to take advantage of My.BarackObama.com's reputation and popularity.

Although Websense first uncovered the phony blogs a week ago, it has had no luck reaching someone responsible for the My.BarackObama.com site. "We've been constantly trying to reach them, and tried every possible angle, from e-mail to the site itself to the phone, but we haven't heard back," said Hubbard. "Obviously, they've been fairly busy."

Multiple bogus blogs on the site are still serving the Trojan, Hubbard confirmed today.

A call Monday by Computerworld to the contact phone number listed in the site's terms of service was not returned.

This is not the first time Obama's name has been used to spread malicious code. The weekend before his inauguration, sites claiming that Obama would refuse to take office infected users with the Waledec bot Trojan; last November, the day after Obama won the U.S. presidential election, hackers launched a major malware campaign based on a site that claimed to have final vote tallies.

Read More

Trojan hides in pirated copies of Apple's iWork '09

Malware hitchhikes on iWork installer, hijacks Macs, says security firm
Pirated copies of Apple Inc.'s new iWork '09 application suite that are now available on file-sharing sites contain a Trojan horse that hijacks Macs and leaves them open to further attack, a security company said yesterday.

The "iServices.a" Trojan hitchhikes on iWork '09's installer, said Intego, an Austin-based company that specializes in Mac security software. "The installer for the Trojan horse is launched as soon as a user begins the installation of iWork, following the installer's request of an administrator password," Intego said in a warning published Wednesday.

Once installed, the Trojan "phones home" to a malicious server to notify the hacker that the Mac has been compromised, and to await instructions. Intego did not spell out what second-stage actions the iServices.a Trojan takes but noted that they could include delivering additional malware to the hijacked machine.

Intego said that iWork '09 download traffic on file-sharing sites has been brisk, claiming that as of early Wednesday, 20,000 copies had been downloaded. "The risk of infection is serious, and users may face extremely serious consequences if their Macs are accessible to malicious users," the company's alert continued.

Users on Pirate Bay, a popular BitTorrent tracking site, confirmed that copies of iWork '09 harbored the Trojan. "I can confirm that this contains a iServices trojan," said a user identified as "Aklacat" in a comment appended to one iWork '09 listing on Pirate Bay. "Little Snitch also confirms this," said Aklacat, referring to a Mac-only personal firewall.

According to the dates assigned to Pirate Bay's iWork '09 BitTorrents, most copies were posted before Apple announced it had dropped a form of copy protection from retail copies of the suite. On Monday, Apple said that it was not including serial numbers with iWork '09, an antipiracy measure it had used to keep customers from copying earlier versions of the bundle.

Apple unveiled iWork '09 at Macworld Conference & Expo on Jan. 6 when it touted changes and additions to Pages, the suite's word processor, and Numbers, its spreadsheet application.

IWork '09 retails for $79. Apple also offers a free 30-day trial version that does require a serial number -- delivered via e-mail at the time of payment -- in order to run as a fully functional version.

Mac-only malware is such a relative rarity that Apple has publicly mocked Microsoft Corp. about the number of worms, viruses and Trojans that take aim at the Windows operating system. Late last year, in fact, when Apple revised an online recommendation that Mac users consider running antivirus software, the move drew lots of attention.

Read More

'Amazing' worm attack infects 9 million PCs

Biggest infection in years, says Finnish security firm.
Calling the scope of the attack "amazing," security researchers at F-Secure Corp. today said that 6.5 million Windows PCs have been infected by the "Downadup" worm in the last four days, and that nearly 9 million have been compromised in just over two weeks.

Early Friday, the Finnish firm revised its estimate of the number of computers that had fallen victim to the worm, and explained how it came to the figure. "The number of Downadup infections [is] skyrocketing," Toni Koivunen, an F-Secure researcher, said in an entry to the company's Security Lab blog. "From an estimated 2.4 million infected machines to over 8.9 million during the last four days. That's just amazing."

On Tuesday, Koivunen put the number of infected systems at 2.4 million, then updated the estimate Wednesday to 3.5 million, an increase of 1.1 million in just 24 hours.

"We haven't seen outbreaks of this scale in many years," said Mikko Hypponen, chief research officer at F-Secure, in an e-mail reply to questions. "[It] reminds me of the old Loveletter/Melissa/Sasser/Blaster cases size-wise," he added, ticking off some of history's biggest malware attacks.

Downadup -- which also goes by the name "Conficker" -- exploits a bug in the Windows Server service used by Windows 2000, XP, Vista, Server 2003 and Server 2008. Although Microsoft fixed the flaw with one of its rare "out of cycle" updates in late October, about a third of all PCs have not yet been patched, according to Qualys Inc., another security company. Those PCs are the ones being hijacked by the worm.

In his Friday blog post, F-Secure's Koivunen also provided some background on the company's estimate, in part because some people had expressed disbelief in the number. According to Koivunen, F-Secure came to its 8.9 million-machine estimate by spying on the worm's communication with hacker-controlled servers.

Once it's gotten onto a PC, Downadup generates a list of possible domains, selects one, then uses that URL to reach a malicious server from which it downloads additional malware to install on the hijacked computer. F-Secure, however, has registered some of those domains, and has been able to monitor traffic through those URLs.

By examining logs of connection attempts to the domains, F-Secure discovered several hundred thousand different IP addresses -- over 350,000 as of today -- as well as a counter embedded in each that spells out the number of additional PCs that the infected machine has compromised.

"So this number tells us how many other computers this machine has exploited since it was last restarted," explained Koivunen. A sample log provided by F-Secure showed 12 Downadup-infected PCs, which collectively had infected 186 additional systems. Just one of the originally infected computers successfully attacked 116 other machines.

"We wrote a program that parses the logs, extracting the highest value for the IP/User-Agent pairs ... then added together to get our figures," said Koivunen. "As you can see now, they are very conservative."

Earlier this week, the already-high number of Downadup infections prompted Microsoft to add detection for the worm to its Malicious Software Removal Tool (MSRT), the anti-malware utility that the company updates and redistributes each month to Windows machines. Microsoft released the latest edition of the MSRT with anti-Downadup capabilities last Tuesday.

Like other security researchers, those from Microsoft have put some of the blame on users slow to patch their PCs. "Either Security Update MS08-067 was not installed at all or was not installed on all the computers," a pair of security researchers who work at Microsoft said Tuesday.

Microsoft has recommended that Windows users install the emergency update, then run the January edition of the MSRT to scrub the worm from compromised computers.

Read More

1 in 3 Windows PCs vulnerable to worm attack

And open-source exploit code made hacker's job easier.
The worm that has infected several million Windows PCs is causing havoc because nearly a third of all systems remain unpatched 80 days after Microsoft Corp. rolled out an emergency fix, a security expert said today.

Based on scans of several hundred thousand customer-owned Windows PCs, Qualys Inc. concluded that about 30% of the machines have not yet been patched with the "out of cycle" fix Microsoft provided Oct. 23 as security update MS08-067.

"The unpatched numbers went down significantly around the 30-day mark," said Wolfgang Kandek, Qualys' chief technology officer, "when less than 50% were unpatched. After that, it went down a little slower. As of yesterday, 30% of the machines are unpatched."

With nearly a third of all Windows systems still vulnerable, it's no surprise that the "Downadup" worm has been able to score such a success, Kandek said. "These slow [corporate] patch cycles are simply not acceptable," he said. "They lead directly to these high-infection rates."

The Downadup worm, called "Conficker" by some researchers, surged dramatically this week and has infected an estimated 3.5 million PCs so far, according to Finnish security company F-Secure Corp. The worm exploits a bug in the Windows Server service used in Windows 2000, XP, Vista, Server 2003 and Server 2008.

Microsoft issued a patch in late October after confirming reports of in-the-wild attacks, most of them against machines in Asia.

On Tuesday, Microsoft laid at least some of the blame for the worm's success at the feet of Windows users. "Either Security Update MS08-067 was not installed at all or was not installed on all the computers," said Cristian Craioveanu and Ziv Mador, researchers at Microsoft's Malware Protection Center, in a Tuesday blog post.

Kandek agreed with them. "This shows that a three-month patch cycle, which some companies use, is unacceptable," he said.

In related news, a researcher at McAfee Inc. today said that the author of Downadup/Conficker worm took a shortcut when crafting the malware by grabbing functional exploit code from Metasploit, the open-source penetration testing framework.

"By using the exploit from the Metasploit module as the code base, a virus/worm programmer only needs to implement functions for automatic downloading and spreading," said Xiao Chen, a McAfee security researcher, in an entry to the company's blog. "We believe that this can be accomplished by an average programmer who understands the basics of exploitation and has decent programming skills.

"It's obvious that worm writers are abusing open-source tools to their advantage to make their work easier," Chen added.

Microsoft has recommended that Windows users install the October update, then run the January edition of the Malicious Software Removal Tool to clean up compromised computers.

"Patch faster," urged Kandek from Qualys.

Read More

Pentagon recalls USB sticks over virus fears

The Pentagon has banned the use of portable USB drives after fears that they are being used to propagate viruses.

No official statement has been released, but internal emails have shown that the Pentagon wants to recall all USB sticks distributed to employees. Warnings emerged last week of a major outbreak of malware targeting USB drives.

"For most organisations, completely banning USB Flash drives would restrict the productivity and efficiency of end users," said Jason Holloway, sales manager for Northern Europe at portable storage firm SanDisk.

"USB drives are productivity enhancing, but the risk of malware infection must be stopped with layers of security, such as hardware-based USB encryption and password protection, and virus scanning on the drive itself."

While refusing to confirm or deny the recall, Pentagon spokesman Bryan Whitman acknowledged the global spread of USB malware.

"This is not solely a department problem, this is not solely a government problem," he told Associated Press.

Virus propagation via USB stick is a throwback to the first virus techniques in which floppy discs were used to carry the code. But for an organisation like the Pentagon to take such a drastic step, the spread of the code must be wider than usual.

Copyright © 2008 vnunet.com

Read More

NetWitness releases free version of security software

NetWitness, a vendor of networking threat-analysis software, is offering a free version of its NetWitness Investigator package by download, the company said Monday.
NetWitness Investigator is different from most other network-scanning software in that it uses forensic tools to examine applications and changes on content on the network, as well as attacks coming from outside the network, said Amit Yoran, NetWitness' chairman and CEO. The software package gives users detailed analyses of malicious activity on their networks.

NetWitness Investigator is designed to address gaps in other cybersecurity products, he said. It can help users identify cybersecurity problems, insider attacks, and sophisticated outsider attacks, and it can help with IT audits and antifraud investigations, the company said.

The company, which split off from ManTech in 2006, has customers in the U.S. government and the financial industry, according to NetWitness, based in Herndon, Va.

NetWitness Investigator doesn't rely on a list of known threats to protect users from cybersecurity threats, said Yoran, former director of the National Cyber Security Division of the U.S. Department of Homeland Security. Instead, it looks for changes on the network and alerts users of possible problems
Sophisticated criminals and attackers sponsored by nations aren't going to use commonly known methods to attack their victims, Yoran said. "They're going to be using something a little more complex

Users of many cybersecurity products "are still unable to see a lot of the right information" about their networks, he added. Companies can be lulled into a false sense of security when they're using standard cybersecurity products, Yoran said.

Yoran hopes the free version will drive customers to the company's other products and services, and he sees the free download as a way to expose potential users to a new type of network monitoring, he said.

"We thought this was the right thing to do to contribute back to the community," he said.

The free version of Investigator is fully functional and ready for users to run on their networks. The free license allows up to 25 simultaneous users with a data capture of up to 1GB.

It also contains the major features of the Investigator Enterprise version, available for purchase. NetWitness has a YouTube demo page for Investigator, and the download is available on the NetWitness site.

The enterprise version of the software comes with Linux-based network appliances and is capable of remote network monitoring. The enterprise package of products includes Informer, an automated reporting engine, and Decoder, a data recording package.

Read More

New worm exploits critical Windows bug

A worm that exploits the bug Microsoft patched in an emergency update 11 days ago is actively attacking systems, several security companies and researchers said Monday.

The worm, which Symantec Corp. labeled " Wecorl " but was dubbed "MS08-067.g" by Kaspersky Lab and Microsoft itself, likely originated in China, said Kevin Haley, a director with Symantec's security response team. "It may have come out of China," said Haley, who added that it appeared to target Chinese language versions of Windows 2000.

Haley confirmed that the worm is both different from the information-stealing Trojan horse that prompted Microsoft to issue the out-of-cycle patch on Oct. 23, and circulating in the wild.

Other researchers echoed Symantec's take that the worm installs multiple components on victimized PCs, including a Trojan downloader and rootkit code to mask it from security software. Helsinki-based F-Secure Corp ., for example, identified the former as "Trojan-Dropper.Win32.Agent.yhi" and the rootkit bits as "Rootkit.Win32.KernelBot.dg."

According to Haley, if the worm manages to infect a Windows PC, it also tries to attack all the machines on the same subnet. "If it can get behind the [fire]wall, then it can infect other systems," Haley said.

"That circumvents the firewall mitigation that Microsoft noted," said Andrew Storms, director of security operations at nCircle Network Security Inc. "Enterprises typically have laptops configured to be location aware so when they're on the company network, parts of the firewall are disabled, or port 139 is allowed from known IP addresses."

In the security bulletin it released two weeks ago, Microsoft said that "standard default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter."

Within days of the emergency patch , hackers had published working attack code on the Internet.

F-Secure said that the just-released worm is based on the exploit code that had been posted online last week. nCircle's Storms agreed that's likely.

Symantec rated the worm as a "Very Low" threat, although it maintained its ThreatCon, an all-around indicator of Internet security, at "2" because Microsoft issued an emergency patch. "It doesn't appear to be very widespread, although that could change, of course," said Haley.

As counter-intuitive as it sounds, Storms said that the appearance of a worm is actually a good thing. "Evidence that we're finding and detecting it means we're in a better situation than we were earlier," he argued. "If it had gone undetected and unfound [it would have meant] that enterprises didn't have any defense-in-depth. But because we're finding it, that means we have signatures for it."

Storms urged users who had not installed the MS08-067 update to do so immediately. "The worm may not have many legs, but you should get ahead of the game and deploy now," he said.

Read More

Anti-malware testing standard proposed

Symantec, McAfee, F-Secure and Kaspersky are among the names who have pledged support for the project, which boasts a list of more than 40 security vendors and media groups as part of the Anti-Malware Testing Standards Organisation.

The new system would provide guidelines as to how a test should be conducted, including the types of malware used, method of analysis, and accurate support for a conclusion. The guidelines also outline procedures for studying and disclosing new malware samples.

Many security vendors and experts have suggested that an updated standard for testing be established in recent years. Current security tests, such as the VB100 system, have been criticized for their testing procedures and what some say is an inability to accurately access certain types of anti-malware programs.

The group hopes that its outlines will allow both security firms and independent testing groups to research the effectiveness of anti-malware software with better accuracy and a built-in neutrality.

"While there have been many great security software reviews in the past, many poor reviews have confused or misled people," commented McAfee senior vice president Jeff Green.

"This is a significant milestone that should skew the balance towards fair and scientific testing, providing users with a true viewpoint on the security protection vendors provide."

Copyright © 2008 vnunet.com

Read More