thewayne: (Cyranose)
There are various ways of stopping malware. Antivirus works by watching for strange behavior or by checking whether a program matches a known signature. The problem with signature matching is that it's very easy for a program to change its own code so that it no longer matches anything in the protection program's database. This is known as a polymorphic virus (self-changing). Some malware encrypts itself.

The worst is ransomware. This is malware THAT ENCRYPTS YOUR HARD DISK. In doing so, all of your files get encrypted, then a message pops up that says you will have to pay X number of bitcoins to get the decrypt key, and it will frequently have a deadline -- if you don't pay by the date, the decrypt key will be deleted and your files will be forever lost.

Some ransomware is written poorly, and some have been decrypted. Some security researchers have created web sites where you can upload an encrypted file and they can analyze the file and give you a key. But you can't count on that.

Backups are a form of protection, but some ransomware versions have sat silently and watched for a backup drive and encrypted it first. So your main recovery method might already have been compromised.

In other words, ransomware is a bitch.

But some security researchers have come up with a very interesting approach to fighting it. They don't try to match a signature because that's a losing game. What they do is watch file system activity. If they see files being encrypted, the program identifies the activity and stops the process cold. So you may lose a handful of files, but you won't lose everything.

Here's what I just saw on Slashdot:

Researchers Develop A Way To Stop Ransomware By Watching The Filesystem
Posted by BeauHD on Friday July 08, 2016 @06:50PM from the always-watching dept.

An anonymous reader quotes a report from Phys.Org:
Ransomware -- what hackers use to encrypt your computer files and demand money in exchange for freeing those contents -- is an exploding global problem with few solutions, but a team of University of Florida researchers says it has developed a way to stop it dead in its tracks. The answer, they say, lies not in keeping it out of a computer but rather in confronting it once it's there and, counterintuitively, actually letting it lock up a few files before clamping down on it. "Our system is more of an early-warning system. It doesn't prevent the ransomware from starting [...] it prevents the ransomware from completing its task [...] so you lose only a couple of pictures or a couple of documents rather than everything that's on your hard drive, and it relieves you of the burden of having to pay the ransom," said Nolen Scaife, a UF doctoral student and founding member of UF's Florida Institute for Cybersecurity Research. Scaife is part of the team that has come up with the ransomware solution, which it calls CryptoDrop.

"Antivirus software is successful at stopping them when it recognizes ransomware malware, but therein lies the problem," reports Phys.Org. "'These attacks are tailored and unique every time they get installed on someone's system,' Scaife said. 'Antivirus is really good at stopping things it's seen before [...] That's where our solution is better than traditional anti-viruses. If something that's benign starts to behave maliciously, then what we can do is take action against that based on what we see is happening to your data. So we can stop, for example, all of your pictures from being encrypted.' The results, they said, were impressive. 'We ran our detector against several hundred ransomware samples that were live,' Scaife said, 'and in those cases it detected 100 percent of those malware samples and it did so after only a median of 10 files were encrypted.'" The University of Florida uploaded a video briefly explaining its software.

Let's look at that second to last line again: it detected 100 percent of malware samples and did so after a median of 10 files were encrypted. So on average you'll lose fewer than that, but you are guaranteed to lose one or two files. And you may or may not have other copies of those files.

Still, QUITE impressive. It's not a released product and will need the security community at large to pound it and try to break it, but still, pretty cool.

Personally, if I were relying on Windows computers and concerned about this, I think I'd install Deep Freeze. It's a program we used at a university that creates a frozen copy of your operating system. You install the OS, update it, install the programs that you need, update them, then you freeze it. In order to update the OS or the programs, you have to unlock the system, do the updates, then freeze it again. It's not perfect, but it's darn good. It's VERY hard for a virus to infiltrate a system protected by Deep Freeze. Not impossible, but VERY difficult. Your user data files (word processing documents, spreadsheets, photos, music, etc.) are stored in a different area on the hard drive as they change regularly.

In Linux and some other systems you can install a program such as Tripwire that watches the operating system to see if any files change. It theoretically could detect the system becoming infected and could halt everything and not let it run until it's cleaned up.

But a lot of virus makers these days are pretty darn brilliant and tricky. The best thing you can do is to keep your computer updated, only install programs from trusted sources and web sites, and NEVER open attachments that you were not expecting or specifically requested. That means when your Aunt Ethel sends you that cute kitty video, you don't open it. It just ain't worth it.
thewayne: (Cyranose)
First, if you've upgraded to the latest iOS, v9, go to Settings/Cellular, and scroll all the way down. You'll see an option called Wi-Fi Assist. You'll probably want to turn it off. Last week I received a text that I was 3/4ths through my 10 gig monthly data plan, and I couldn't remember doing anything that could account for a huge spike in my plan usage. It was quite likely this option.

Obviously this only affects iPhone users and not iPad users, though it might if you have a cellular-enabled iPad.

The next is two bona fide malware packages for iPhones from China. It involves falling for porn banner ads that add a certificate manager that bypasses Apple's heretofore strong walled garden. The interesting thing about this particular exploit was that you didn't have to have jailbroken your phone for it to be vulnerable! Phones running iOS 8.3 or older are most vulnerable.

But that's just one of the two. And if you limit your porn viewing to browser-based sites, you're probably fine.

The second one is a lot more serious: some people found a way to hack the Xcode development system which is used to write most iOS programs. The issue is mainly Chinese: because of poor international internet speeds, lots of Chinese developers download the free Xcode development system from Chinese servers rather than from Apple direct, and those copies have been subverted.

Currently the tainted applications have been purged from the app store, and Apple is setting up more servers in China to better control the distribution of the Xcode system, which will improve things.

There was little that could be done to avoid this particular attack because the apps passed inspection by Apple and were allowed in to the app store. So the normal prohibition of only installing apps from trusted sources was subverted in a very clever way, and now defenses are being ramped up to prevent a similar exploit again.

But the perpetual problem is that it's not too difficult to defend against previous attacks. It's the next attack coming that's going to get through at least once.
thewayne: (Cyranose)
A computer contains a CPU, the central processing unit that handles all of the calculations needed to run the operating system and whatever software that you're running. Lots of computers these days also have GPUs, graphics processing units that handle the high-res graphics that lots of modern games require.

Well, the people who write malware have gotten a step up on security researchers by finding a way to hide malware inside a GPU. The problem is that no security tools are designed to look inside the operations of a GPU, so for the time being, until the security tools are updated to cope with this new type of threat, this problem is undetectable.

The thing that I find interesting is that people have been using GPUs for advanced computation for ages: Bitcoin mining, password attacks, etc. We've known how to program GPUs for non-graphics processing for years, so it seems obvious to me that malware authors would eventually figure out a way to leverage that to compromise the host computer.

I also find it interesting that they first threw their attack against Linux, rather than Windows. I wonder how long before it's in the Microsoft environment.
thewayne: (Cyranose)
Obviously computer viruses have matured in their attacks over the last 30-some years. It used to be that a virus could be examined and compared against a database of signatures to see if it would be allowed or not, but that's not enough these days. In the bad guy malware markets, they now have automated test servers that take your malware and bounce it against every anti-virus product out there, and if it hits any of them, it alters the code and encrypts it until it's undetectable. Once your malware passes this test, it is uploaded back on the bad guy's distribution server and they receive a text message saying that it's good to go out and play.

This works for a limited amount of time: as soon as someone knows they've been compromised, they can isolate the software and send it off to the A/V people for analysis and signature updating. Still, it might give the bad guys a day or so to run amok and possibly get some valuable information until the A/V software is updated, at which point the malware is re-processed and the cycle continues.

So basically the truism continues: The price of computer security is eternal vigilance. Anti-virus software is a good first-line defense; it will trap old malware and even newer malware where the obfuscator/encryptor didn't do a very good job. You just have to remain vigilant about opening attachments and careful about running software from untrusted sites. Regardless, you're still potentially vulnerable to zero-day exploits, not to mention the total lack of control over your information that's being held by other people.

It's an ugly world out there, you gotta stay on your toes, and you might still get compromised. I personally fell for a social engineering attack last week: got an email that Yahoo was doing an upgrade and you needed to change your password. I still mentally smack myself upside the head: I didn't look at the freakin' URL on the update page, and I kid you not, it was Bob's Plumbing. I can't believe I did that. I immediately changed it again to a different pattern than the one that I use for everything else. So even experienced people occasionally have bouts of the stupid.
thewayne: (Cyranose)
The system is known as badBIOS, and it can spread from an infected computer to a clean computer with no network connection via the infected computer's speakers and microphone. Basically it's a reversion to modem technology where digital data was sent using audio coding, only in this case it's using frequencies above human hearing (I hesitate to use the term ultrasonic) to transmit the infection.

Ruiu said he arrived at the theory about badBIOS's high-frequency networking capability after observing encrypted data packets being sent to and from an infected machine that had no obvious network connection with -- but was in close proximity to -- another badBIOS-infected computer. The packets were transmitted even when one of the machines had its Wi-Fi and Bluetooth cards removed. Ruiu also disconnected the machine's power cord to rule out the possibility it was receiving signals over the electrical connection. Even then, forensic tools showed the packets continued to flow over the airgapped machine. Then, when Ruiu removed the internal speaker and microphone connected to the airgapped machine, the packets suddenly stopped.

With the speakers and mic intact, Ruiu said, the isolated computer seemed to be using the high-frequency connection to maintain the integrity of the badBIOS infection as he worked to dismantle software components the malware relied on.

"The airgapped machine is acting like it's connected to the Internet," he said. "Most of the problems we were having is we were slightly disabling bits of the components of the system. It would not let us disable some things. Things kept getting fixed automatically as soon as we tried to break them. It was weird."

So now if you need an air-gapped machine, you need to yank the sound card and microphone. Oh: it can infect Windows, Mac, BSD, and Linux machines. And it's been around for about three years. The Ars Technica article is quite interesting, I recommend reading it.
thewayne: (Cyranose)
The software was sold to the Turkish government. An American woman, who is active in protesting a Turkish organization that runs charter schools in the USA and around the world, received a spearphish email that was crafted for her and appeared to be from a Harvard prof who is also active against this group. Well, they misspelled Harvard, so she didn't open it and forwarded it to a security group.

The security group created a honeypot, which I think is really amazing tech, and they started digging. The web site referenced had all sorts of malware hiding behind it, and the software in question is known to include silent remote-control software. The package pointed back to an American company that sold the software to Turkey; they deny any responsibility for how the software is used, naturally.

Turkey is a NATO country. Technically this could be interpreted as an ally spying on American citizens, not that we would EVER do something like that.
thewayne: (Cyranose)
The defense contractor arm of Boeing is going to make a highly secure smart phone, based on the Android platform.

"Earlier this week, it was revealed that aerospace firm Boeing was working on a high security mobile device for the various intelligence departments. This device will most likely be released later this year, and at a lower price point than other mobile phones targeted at the same communities. Typically, phones in this range cost about 15,000-20,000 per phone, and use custom hardware and software to get the job done. This phone will most likely use Android as its main operating system of choice, which lowers the cost per phone, since Boeing's developers don't have to write their own operating system from scratch."

$15-20k per unit. Yep, sounds like a defense contractor. Wasn't it just recently that the NSA announced that it was going to do a secure phone system based on Android? I'm sure their unit cost would be a bit lower.

I am curious, though, who would build this? Boeing is not an electronics manufacturer per se, they're certainly not a cell phone maker. If they intend this for covert use, they're going to have to buddy-up to someone like Nokia or Samsung or LG to make the phone look like a standard smart phone to allay suspicion, plus it can't really have a Boeing label on it, that'd be a bit of a giveaway.

Seems to me that it's a monumental waste of money if the NSA is already doing a similar project.

Ah, yes: March 8, NSA and German government encrypting Android phones:

Last month the results of the 'Honey Stick Project' were announced in which Symantec 'lost' several bugged smart phones to see what people do when they find one. The results pretty much confirm the worst of human nature.

"In order to get a look at what happens when a smartphone is lost, Symantec conducted an experiment, called the Honey Stick Project, where 50 fully-charged mobile devices were loaded with fake personal and corporate data and then dropped in publicly accessible spots in five different cities ...Tracking showed that 96-percent of the devices were accessed once found (PDF), and 70-percent of them were accessed for personal and business related applications and information. Less than half of the people who located the intentionally lost devices attempted to locate the owner. Interestingly enough, only two phones were left unaccounted for; the others were all found."

My aunt found a cell phone in a casino. The smart thing to do would be to give it to casino security; instead she took it home. Fortunately it still had a charge when she told me about it, and I found an address book entry for Dad and called it and found out his daughter had lost it. Conveniently she worked for FedEx in El Paso, so she called the Las Cruces office and I dropped it off there. I don't think I would poke into a discovered smart phone beyond trying to identify the owner and get it back to them, but human nature being what it is, who knows? This particular lost phone wasn't a smart phone, which reduces the temptation to pry into personal information. My phone does contain sensitive information, but the really sensitive info is in a password-protected encrypted system, so it's fairly safe. And there's no banking info on it, nor has it ever accessed my bank account, so that's safe.

Plus, it's an iPhone, so it's easy for me to remotely brick if I lose it, assuming the discoverer doesn't know how to pop the SIM chip.

And finally, Google's Android app store Play has been found to have lots of malware lurking inside in the form of apps that send expensive SMS messages without you knowing it.

"We've seen quite a few Android malware discoveries in the recent past, mostly on unofficial Android markets. There was a premium-rate SMS Trojan that not only sent costly SMS messages automatically, but also prevented users' carriers from notifying them of the new charges, a massive Android malware campaign that may be responsible for duping as many as 5 million users, and malware controlled via SMS. Ars Technica is now reporting another Android malware discovery made by McAfee researcher Carlos Castillo, this time on Google's official app market, Google Play, even after Google announced back in early February that it has started scanning Android apps for malware. Two weeks ago, a separate set of researchers found malicious extensions in the Google Chrome Web Store that could gain complete control of users' Facebook profiles. Quoting the article: 'The repeated discoveries of malware hosted on Google servers underscore the darker side of a market that allows anyone to submit apps with few questions asked. Whatever critics may say about Apple's App Store, which is significantly more selective about the titles it hosts, complaints about malware aren't one of them.'"

This would well and truly suck. I think that most of the freedoms that Android offers are great, but as it has been said, the price of freedom is eternal vigilance, and it's difficult for an end user to be vigilant about the software on their phone because most of us aren't programming experts capable of determining whether a program is safe or not.
thewayne: (Default)
The Air Force has a dedicated network security unit, and they found out about the virus problem by reading Wired's Danger Room.

Why do I think that someone's career, or several someones' careers, just hit a stone wall?
thewayne: (Default)
It's not often that a news story gets an LOL out of me. Supposedly the network is air-gapped, meaning no direct connection to the internet, but other supposedly air-gapped networks run by the Department of Defense occasionally get hit by malware. One possible source might be infected USB memory sticks; it's hard to say. This particular malware is a key-logger. It's debatable how much value the information it could capture would have, since these are such specialized systems; it's not like they're typing in banking passwords. It's also debatable whether the malware is capable of transmitting the data to whoever wrote it.

The amusing thing is that a quote in the article says "we keep cleaning it and it keeps coming back", which means there's a computer on their network that they can't clean that keeps reinfecting their cleaned computers, most likely a high-ranking officer who won't give them access.

It hasn't interfered with any missions, but I'm sure it's quite an annoyance for their IT crew.
thewayne: (Default)
They've been available for Windows platforms for several years now, so it was kind of inevitable that one would eventually be made for OS-X. It basically makes it easy for griefers to make trojans, presumably for botnet and similar things. It runs on Windows but has the option of generating binaries for OS-X. And here's some more joy: "The kit is being sold under the name Weyland-Yutani BOT and it is the first of its kind to hit the Mac OS platform. Basically it's a GUI point & click interface to create payloads that are script kiddie friendly.

Apparently, a dedicated iPad and Linux release are under preparation as well. The Weyland-Yutani BOT supports web injects and form grabbing in Firefox; however both Chrome and Safari will soon follow. The webinjects templates are identical to the ones used in Zeus and Spyeye."

There's also some fake Mac antivirus stuff going around:

At this point, the danger is if you open and run the payload, so once again, smarts is what will mostly keep you safe.
thewayne: (Default)
A combination of poisoning search engine results and malicious payloads, so needless to say, be careful what you click on online.
thewayne: (Default)
This latest one pops up a Microsoft-looking Windows 7 page on your computer and claims to have locked your Windows license key. Calls to the number to unlock it are routed internationally, you're put on hold, and you rack up a substantial phone bill. F-Secure found that 1351236 will unlock the system, but no guarantees. Your best bet is probably an OS reinstall.

Another thing mentioned in the article is an encryption ransomware scam if you happen to catch a vicious piece of nastiness called GPCode:

"GPcode creates a randomly generated 256-bit AES key on each infected system, which it uses to encrypt a number of files including all .doc, .rtf, Excel and PDF files.

It in turn encrypts the AES key using the fraudsters' public RSA key and saves only the encrypted version to the infected system. Consequently, the only way of restoring the system is to use the fraudsters' secret key. The encryption technique used is almost uncrackable and reverse engineering the malware is also fruitless. As Kaspersky's Nicolas Brulez notes in his analysis of GPcode, the only hope is a recent backup. Users who decide to play the blackmailers' game and pay up run the risk of losing their money and still not being able to access their data."

So, like voting in Chicago, back up early and often!
thewayne: (Accio Brain)
"When you are dealing with rootkits and some advanced spyware programs, the only solution is to rebuild from scratch. In some cases, there really is no way to recover without nuking the systems from orbit," Mike Danseglio, program manager in the Security Solutions group at Microsoft, said in a presentation at the InfoSec World conference here."

We use a program at the university called Deep Freeze. It locks the computer so that every time the computer is rebooted, it is effectively instantly wiped out and reloaded. Virus hits you? Reboot. Malware making popups? Reboot. All gone, all clean.

The downside is that you can't do system updates without unfreezing your machine. I spent probably five hours over spring break updating computer labs: unfreeze machine, apply updates, refreeze. We also use a rather nifty feature in the computer lab: all of the machines turn themselves off at 10:30pm.

Their more advanced versions offer a lot more features. Basically, when you run this, your C: is read-only. Anything written to it goes away. So you have to be absolutely sure that your data is written to another drive or to a network area.

Page generated Sep. 22nd, 2017 01:19 pm
Powered by Dreamwidth Studios