It's Not A Con

The birth of the ‘zombie’ phone?

con — Mon, 13 Jul 2009 21:48:03 +0000

Symantec security response have noted and written on a SMS based worm that promises the recipient ‘sexy’ pictures. The malware is a variant of a threat originally identified as SymbOS.Exy. The threat works hard to stealth itself onto the ‘phone, and as such, has also a number of defence mechanisms to ensure that the threat continues to run.

The original SymbOS.Exy, was for the most part targeting mobile phone users in China. The new variant of the threat is now also being distributed in English. What this threat currently does is gather information from the ‘phone and send it to predetermined addresses in addition to spamming other phones via SMS. Given the ability of the threat to propagate effectively and also for it to ‘dial home’ for further instructions, it has led to some speculation as to whether this lays the foundation for the birth of the SMS Botnet?

Let the games begin!

con — Sun, 12 Jul 2009 23:28:37 +0000

As I flew back into London the other evening, from the window of the ‘plane, to my surprise and delight, I could see the outline of Olympic stadium. Preparations seem to be well in hand and on track, which is good news. ‘The Guardian’ also points out that preparations are also underway in the virtual world as criminal networks and cyber-criminals look to see how they can exploit the London games. The Olympics in Beijing clearly showed just how a global event, like the Olympics, can be alluring and lucrative to the cyber-criminal fraternity.

The UK law enforcement agencies are also turning their attention to this, with the Metropolitan police already having established a specialist team to examine the threat of electronic and internet attacks on the 2012 Olympic games. It would also appear that they have detected some ‘precursor’ activity, with companies being set up in what they believe are false names in anticipation of fraud and other types of criminal activity during the run-up to the Olympics.

A month of insights?

con — Tue, 07 Jul 2009 15:39:25 +0000

A group of security researchers have declared, that they will use the month of July to list, or is that ‘out’, security holes in Twitter. They justify it as an attempt to get Twitter to move more quickly to improve security. To be fair to Twitter, they do recognize the issue and have been active in closing any ‘holes’. At the same time, they as trying to hire into the company security developers, if postings on recruitment sites are to be believed.

When they created Twitter, I am far from sure that the founders could have predicted just how quickly and widely it would be used and adopted. It is therefore hard to foresee security issues given this context. The month of bugs is effective in bringing focus and coverage to the issue. As to whether it makes the application safer, this will depend on how quickly and effectively the ‘holes’ are attended to. Importantly, in the medium term we need to see how it influences the development and testing of future applications.

In the meantime, what does this mean for us as users of the service? Well, firstly it does remind us that we do need to be mindful of security. The bad guys follow the crowds and they are flocking to micro-blogging sites like Twitter. You need to ensure that your security product is updated (we are releasing a steady stream of definitions and updates that help mitigate the ‘holes’. Install Windows and other updates from the key application software providers. And be careful of the links sent to you in Twitter. The short-form URL’s bring with them convenience, but they can be equally convenient for the bad guys.

What Malware can teach Spam

con — Fri, 03 Jul 2009 13:43:13 +0000

The world of spam shows an ‘ebb and flow’ pattern. New techniques to evade spam filters arrive, drive an increase in spam, the anti-spam tools react to it and the level and effectiveness falls back to a ‘normal’. Google have been commenting that, maybe, the spammers are running out of new and original ideas. The second quarter of 2009 saw a substantial 53 per cent increase in average spam levels from the first quarter. However, Google said in a blog post that many of the new attacks were simple rehashes of attacks that occurred in the past.

We ourselves have noticed in the past few months the reemergence of some old tactics, notably image spam. There is nothing revelatory in the application of old techniques and their refurbishment and use in a new context. This is an area wherein spam and malware show similarities. In the world of malware, if an attack found itself to be successful, we would see it being reused or adapted to extend its usefulness. The ‘Storm’ trojan being a good recent example of this. Every other month, it seemed that there was a ‘new’ variant of it that kept it alive – over two years down the line it was still going. Even ‘Conficker’ morphed and changed over the months to help prolong itself. In terms of old techniques being reused, Conficker borrowed from the worms of the past, that made use of floppy-disks and reapplied this in the form of USB thumb drives. So, unfortunately, the world of spam looks to have borrowed some lessons from malware. Twenty years later, we are still fighting malware and fighting more of it than we could ever have imagined.

Norton 2010 - the BETA is here

con — Fri, 03 Jul 2009 10:41:18 +0000

I am delighted to let you know that we have released BETA versions of Norton AntiVirus 2010 and Norton Internet Security 2010. Without wanting to resort into the realms of hyperbole, the Norton 2010 products are not just another update to a well established security product. These products see us deploy an exciting and innovative new approach to security: namely reputation based security. As, and when, you encounter a file that is being downloaded onto your PC, we will be able to make a real-time assessment as to the safety or trustworthiness of that file. Trojan based downloads are the attack ‘du jour’ of the malware crowd, this represents a new approach that they have not encountered before. The link to the BETA is here. You can also track the development of the BETA testing and find out what other people think of the products by monitoring the Norton Forum. A quick summary of just some of the many new features in Norton 2010 are:

Performance enhancements
The 2010 products improve on the very high performance bar already set by the 2009 products. The Beta builds will be regularly updated, with later builds improving on performance and functionality.

Enhanced Norton Insight
Norton Insight is built on the Symantec Quorum backend intelligence technology first introduced in the 2009 products. In 2009 Norton Insight only quantified trustworthiness, in 2010 Norton Insight also provides information on prevalence, age, and runtime performance data.

Download Insight
Download Insight is a new line of defense against the introduction of untrusted applications on your system. Download Insight monitors new application or installer downloads, automatically analyzes and classifies the application using the Quorum technology, and provides you with a trust rating for the application before allowing the application or installer to execute.

Performance Monitoring
The system performance monitoring now also monitors system events such as application installations, and we monitor process performance. This information is graphed over time, to make it easier to determine if an application may be the cause of degraded performance.

Enhanced SONAR
SONAR behavioural protection technology was completely re-written for the 2010 products. SONAR now also utilises the Quorum backend intelligence technology to further improve detections and reduce false positives.

Power Savings
Power saving options are available that helps conserve battery power by only running non-critical when on AC power.

Silent Mode
The Silent Mode functionality was enhanced to include Quiet Mode on automatic detection of CD/DVD burning and media recording applications. Users can now also define their own applications that will trigger Quiet Mode.

Anti-Spam
The Anti Spam technology was completely re-written for the 2010 products. The Anti Spam engine is now using the world’s leading Symantec Brightmail technology. The engine is further enhanced to not only perform local scanning, but to also double check the results in real-time against the backend system, further increasing the effectiveness and reducing false positives.

Windows 7
Full support for Windows 7, including support for Teredo, Windows Mail, and Home Groups.

The bots at the heart of Spam

con — Tue, 30 Jun 2009 13:23:38 +0000

My colleagues, at MessageLabs, are reporting that 83% of all Spam messages are sent from botnet infected systems. It has long understood that one of many uses for botnets is for an infected PC to become a spam relay. The information from MessageLabs is interesting in that it provides data to finally start to size the issue. They also went onto identify the botnets that are responsible for the spam itself. The Cutwail botnet is by far and the biggest culprit, accounting for 45% of all botnet spam, with others like Mega-D, Xarvester, Donbot, Grum, and Rustock making up much of the difference.

One other interesting update, contained in the report from MessageLabs, was that Instant Messaging (IM) continues to carry an increasing number of embedded links, that in turn, then lead people to compromised web sites that are then hosting malware. At the end of 2008, MessageLabs Intelligence research indicated that 1 in 200 (0.50%) hyperlinks shared over public instant messaging (IM) applications were identified as malicious, i.e. the website harbored some form of malware designed to perform a drive-by attack on a vulnerable web browser or browser plug-in. In June, the same research was conducted again and highlighted that the threat has increased to 1 in 78 (1.28%) were linked to websites that hosted malicious content.

Better late than never

con — Fri, 26 Jun 2009 11:19:01 +0000

The UK Government, yesterday, announced their cyber security strategy, as part of a revamped all encompassing national security initiative. For many people it may have prompted the question, ‘I thought we would have already had this already?’ Well we did not, but it is all in hand now. The new cyber security minister (Yes, we do have one), Lord West commented that it is not that the UK has been left exposed to cyber threats from other countries to this point in time. He did go out of his way to reassure that the UK government has already faced down cyber attacks from foreign states such as Russia and China.

Two new bodies will be established in the coming months as part of the strategy. A dedicated Office of Cyber Security in the Cabinet Office will co-ordinate policy across government and look at the legal and ethical issues as well as the relations with other countries. The second body will be a new Cyber Security Operations Centre (CSOC) based at GCHQ. This will bring people together from across government and from outside to get a better handle on cyber security issues and work out how to better protect the country, providing advice and information about the risks

So there we have it. We have shiny new groups to go out and battle the national cyber threats - we wish them well!

Microsoft and free security

con — Tue, 23 Jun 2009 16:17:41 +0000

Today, Microsoft released a BETA of its ‘Morro’ free anti-virus product. They also announced the name for the product, hence forward, it will be called Microsoft Security Essentials.

Microsoft Security Essentials is a slightly modified and stripped down version of the OneCare product it pulled from the shelves recently. At a time when we face more threats online and our PCs are being deluged by malware, consumers don’t need less protection - they need more. Referring to Microsoft’s basic antivirus and antispyware product as an essential security solution could be misleading. Consumers need firewall protection, Web protection, antispam and identity safeguards – these are among the essentials when it comes to security, and you can only get them through a full Internet security suite provided by security experts.

The reality is that shareware and freeware vendors have been in the market for 20-plus years, it’s a crowded space and Microsoft is just joining the fray. In addition, early reviews of the beta are showing that it underperforms when compared to existing freeware products, and well below paid solutions such as Norton AntiVirus.

The Spy in your hand?

con — Tue, 09 Jun 2009 20:34:28 +0000

I came across an article in ‘Businesweek’ (June 15th, 2009) that caught my attention. It’s theme was that a new generation of user-friendly spy-phone software has become widely available in the past year or so. They note that more than 200 companies are selling spyware online, at prices as low as $50. What really was interesting was the estimation that 3% of mobiles in France and Germany are ‘tapped’ and that this rises to 5% in countries such as Italy and Greece. Now, it has to be admitted that the source of this estimate was a private-investigation outfit in Italy. That being said, James Atkinson a spy-phone expert at Granite Island Group, Massachusetts, puts the number of tapped phones at 3% in the US. I agree that all of this needs to be taken with a good pinch of salt; nonetheless it does get you thinking.

The current generation of spy-phone software has one major drawback and that is that you need to have access to the phone you want to tap to load the software onto it. That being said the Newsweek article goes onto outline that a new generation of mobile spyware that is being developed for law enforcement agencies will accompany a text message and automatically itself on the targets phone when the message is opened. The supposition being that the same technology could also make its way into the hands of criminals.

The article finishes off claiming that AV and security programs developed for computers require too much processing power, even for smartphones. At the end of the day, the spy-phone software is just software, just as is the security software that can detect it and mitigate the risk. So I do not sign up for their presumption that smartphones are exposed. We are seeing the evolution and deployment of security software for smartphones. There is a saying in our industry – ‘security through obscurity’. By and large, it can be seen to be a truism. At the moment, with smartphones this can also be seen. Given the number of mobile operating systems that are being used e.g. iPhone OS, Palm Web OS, Android, Windows Mobile, Symbian etc, it neatly segments the addressable market into smaller chunks that may diminish the attractiveness of any segment to the malware author. It may simply be a moment in time, but no doubt many would like it to hold for as long as possible. Thankfully, in term of actual numbers, the volume of malware for smartphones and applications such as spy-phone software is dwarfed by that created for the PC. However, it is one area that needs to be taken seriously and a careful eye kept on it.

The state of Spam and Phishing reports for May

con — Mon, 08 Jun 2009 10:40:53 +0000

I thought that you would be interested to learn that in addition to our monthly state of spam report, we have now added a monthly report on Phishing. In May we detected that 42% of phishing URLs were generated using phishing tool-kits. This shows just how prevalent the use of these kits is and how this is helping fuel the automation of these attacks.

Our state of Spam report for May, notes the reemergence of image spam during the month to some 6.5% of all spam (it did climb to 21.9% in one week). One consequence of this is that the average size of spam message has increased. Therefore, we have the annoyance that not only are there more spam emails (nearly 95% in May) and they are larger and take up even more valuable internet bandwidth. This link will take you to both reports.