malware


I miss the interaction that I used to have on Twitter. Now that the only way I can get it during the day is via my phone it is much harder to follow and participate in the conversations. Recently I’ve been trying to do a little more but with limited success. Then last night I posted a query looking for stats regarding malware infections on fully patched systems w/ up to date AV signatures. Man did I land a big one. Josh Corman (@joshcorman) of the 451 Group apparently was hovering about 10 feet deep next to the ole oak tree that fell in the lake last year. As soon as the lure hit the water he had it and was off and running. We ended up having a pretty decent conversation about this and he gave me some good stuff for a report I’m working on.

Then today I posted the following question on Twitter:

What is your definition of a zero day?

It had barely hit the Twitterverse before Josh was off and running with it again. We ended up trading a few DMs and it went so well that I posted the question again and this time it landed in a school of largemouth bass. They were all over it like white on rice. I’ve included them below for you to see. Most of them were keepers but a couple were too puny to keep so I threw them back.

Why did I do this and why do I think it’s important? I did it because of a conversation I was in at work. There was a little disagreement on exactly what a Zero Day was and I wanted to get the input of those who follow me on Twitter. They are men and women who know security from many different angles and I wanted to see what kind of similarities and differences I would run into from different perspectives. I also was hoping to spur conversation. Conversation is key to making security work in the big picture. That’s why I find so much value in participating in Twitter. I love how Security Professionals have latched on to Twitter and use it as a venue to have good solid conversations.

I’ve added a few thoughts of my own under some of the tweets. So feel free to read along and if you want to join in please do. Tweet me @andywillingham, email me andy dot itguy at yahoo dot com, leave a comment on this post, or blog it on your blog.


lonervamp

@andywillingham I also don’t really use the term outside other sec geeks. It’s otherwise always "unpatched vuln. exploit in wild."

The term has a good FUD factor for Senior Management


lonervamp

@andywillingham I *do* get how some define 0day with the key phrase "previously unknown," however. Either by vendor or public/defender.


Wim Remes

@andywillingham release of working exploit code for an unpatched vuln, optionally with a side of narcissistic wanking.


lonervamp

@andywillingham my POV is of defense or even attacker. I don’t much care if the vendor knows. I’m still at risk as if they didn’t.


lonervamp

@andywillingham 0day: a vuln without a patch or official fix. So even if known, it’s 0day to me until official response.

It’s hard to patch what doesn’t have a patch


bug_bear Tim

@andywillingham Media Hype for an unpatched vulnerability being exploited.

If it wasn’t for the media the term “Zero Day” probably wouldn’t have caught on.


WeldPond Chris Wysopal

@joshcorman @andywillingham AV industry calls 0 day malware "custom".

Sounds like “The Spin Zone” to me


joshcorman Joshua Corman

.@andywillingham I "love" how we think Vuln 0day is sexier. Since AV is so reactive isn’t most malware ~technically~ 0day?

At least most new malware. Even if a patch is out, if it’s not deployed it’s not doing much good.

timdafoe Tim Dafoe

@joshcorman @andywillingham Must it truly be "actively exploited"? What about an unused working exploit being held in reserve?


wikidsystems Nick Owen

RT @andywillingham: No one else has an opinion on what a zero day is? < the conference day when the press release goes out?

There is a lot of truth in Nick’s statement.

armorguy Martin Fisher

@andywillingham Zero Day??? Hmm… Wasn’t that Elvis Costello’s second album? Or was that CCRs? I forget… 

This is one of those that I mentioned being puny. :)

negativeindex Donald Rudder

@andywillingham sorry. Vulnerability being exploited but not disclosed to the wider security / user / vendor community.


pjvela PJ Velasco

@andywillingham I would say a zero day is the announcement of a formally unpublished exploit that makes use of an unpublished vulnerability

This is where some start to split hairs. We have an exploit and a vuln, but the exploit may not be in the wild.

JoelEsler Joel Esler

@andywillingham a vulnerability previously undisclosed and in use. Without it being in use, it’s just a disclosure.

I like Joel’s thoughts about the difference between in use and disclosure.


pauldotcom Paul Asadoorian

@andywillingham The day before 1


joshcorman Joshua Corman

RT @andywillingham: What is your definition of a zero day? <- Active exploitation of a previously unknown/unpublished Vulnerability

I ran across this post about a real life, in the trenches story of one man’s battle with Conficker and thought you might find it interesting. Let me know what you think.

I’ve always wanted to title a post using “haz” but never haz had a good reason to in the past. Like that really matters. But now I do have a good reason. I wanted to point you to a post by Byron Acohido on the proliferation of banking trojans. I met Byron while I was in Spain for the Security Blogger Summit. Many of you already know of Byron via his writing at USA Today and his book “Zero Day Threat”. He has an independent security blog that he is blogging on more and more.

This write-up covers a brief history of banking trojans, how they work and what you can do to protect yourself. As usual Byron does a great job of explaining a subject on a level that all can understand. It is a good article to point your friends and family to when they look at you with dazed eyes and head cocked to one side.

I’ve gotten a bit of feedback on my post "Will Malware Kill the Internet" and I want to clarify a few things.

  • I don’t really think that malware will kill the internet. As Kurt Wismer put it "malware profiteers need the internet"
  • I won’t quit using the internet. I can assure you that my usage will most likely increase, not decrease. Just today I joined Twitter.
  • I may quit using the Internet for financial dealings. Things such as online banking, stocks, etc…
  • For online purchases I’ll probably start using one time use credit card numbers.

I do have fears that things will continue to get more dangerous to the average user. I’m not an average user. I’m very careful but as the bad guys get smarter and better at what they do it makes it more difficult for even the most careful of us.

There was a question posted to the Security Catalyst Community forums earlier asking about our thoughts on the MBR (Master Boot Record) malware that is circulating again. I’ve mentioned several times in the past that the Internet scares me since it is so easy to drop malware on your computer. The fact that it is now getting more common for Owned sites to be Pwned makes it even worse. On top of that, security companies and malware researchers are saying that malware increased by between 500% and 1000%.

What chance do we have? I hate to sound so "doom and gloom" but you almost hate to think what things will be like this time next year. I’ve gotten used to not writing checks and doing all of my banking online. Yet, I hate to think of what would happen if my computer was infected by a site that was serving up malware unknowingly. I may have to go back to writing checks.

I’m not normally negative about such things, but this has me worried. Also, not being one to point out a problem w/o offering up solutions, I will repeat what all of you probably know. Here are a few things that you can do to reduce the chance of getting malware on your system when surfing the Internet.

  1. Don’t use your computer logged in with privileges any higher than "User".
  2. Don’t click on links from emails or IMs unless you are 100% sure that they are valid and safe.
  3. When possible, type the address in yourself.
  4. Verify links before clicking on them by making sure that they take you where they say they are going to take you. You can do this by putting your mouse over them and checking the browser status bar, or by looking at the page source.
  5. Be very wary of shortened links that are created with things such as TinyURL.
  6. Use Firefox or another alternative browser instead of Internet Explorer.
  7. If offered by your browser community, use things such as NoScript and an ad blocker.
  8. Stay off of web sites that are known for serving up malware (porn, gambling, hacker sites, etc.).

There are lots of other things that you can and should be doing to keep yourself safe. These are just the basics. If you are not aware of what else you can do then I highly recommend that you search for ways to secure your PC or email me and I’ll give a more detailed list.

The F-Secure Blog has a good post on where to look for malware launch points on Windows boxes. They looked at thousands of samples of malware to see where they were hiding themselves in the registry to ensure that they were launched when the machine is rebooted. They have a nice graph and a list of the top 10 registry keys to look in to see if you are unknowingly infected.
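As an added example (my own script, not code from the F-Secure post or from this blog), here is a PowerShell triage pass over the autostart registry keys that malware most often uses to survive a reboot. The key list is general knowledge rather than F-Secure’s top 10 (which the post does not reproduce, so extend the list from theirs), and the "suspicious directory" heuristic is an assumption of mine.

```powershell
# Added example: walk common Windows autostart keys and flag entries that look out of place.
# Key list is a general-knowledge set (assumed), not F-Secure's top 10; add theirs as needed.
$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'   # only Shell and Userinit matter here
)
# Assumed heuristic: legitimate autostart entries rarely launch from user-writable locations.
$SuspiciousDirs = @('\AppData\Local\Temp\', '\Windows\Temp\', '\Downloads\', '\Users\Public\')

function Get-AutostartExe([string]$Command) {
    # Extract the executable from a command line: a quoted path, or the first token.
    $expanded = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($expanded -match '^"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($expanded -split '\s+')[0].TrimEnd(',') }   # Userinit ends with a comma
    if ($exe -notmatch '[\\/]') {                              # bare name such as explorer.exe: resolve via PATH
        $cmd = Get-Command $exe -ErrorAction SilentlyContinue
        if ($cmd) { $exe = $cmd.Source }
    }
    return $exe
}

foreach ($key in $AutostartKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }               # PowerShell's own metadata properties
        if ($key -like '*Winlogon' -and $prop.Name -notin 'Shell', 'Userinit') { continue }
        $exe   = Get-AutostartExe ([string]$prop.Value)
        $flags = @()
        if ($SuspiciousDirs | Where-Object { $exe -like "*$_*" }) { $flags += 'user-writable dir' }
        if (-not (Test-Path -LiteralPath $exe)) { $flags += 'binary not found' }
        elseif ((Get-AuthenticodeSignature -FilePath $exe).Status -ne 'Valid') { $flags += 'unsigned or bad signature' }
        # Entries that launch via rundll32/regsvr32 pass the signature check; review their arguments by hand.
        [PSCustomObject]@{ Key = $key; Name = $prop.Name; Command = $prop.Value; Flags = ($flags -join ', ') }
    }
}
```

Pipe the output to `Format-Table -AutoSize` or `Where-Object Flags` to see only the flagged entries; an empty Flags column is not proof of a clean box, only that nothing tripped these checks.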

I ran across this article this morning. The author and some people he interviewed seem to have been under the impression that corporate networks were almost immune to bots and similar malware. At first I thought “how naive” but then I remembered that I used to think that also. That is until I thought about all the different attack vectors that a network is susceptible to.

Years ago, when malware was sparse, a firewall and AV software was all many companies (even large ones w/ big budgets) needed and used. Viruses popped up from time to time when someone took a floppy disk home, got it infected and then used it at work. Then email started being used more frequently to spread them, but they were mostly limited to doing little “real” damage and could be contained fairly easily. The malware writers got smarter and the advent of the Internet as a critical tool of business for both home and business use raised the stakes.

Now a corporate network can be secure at the perimeter, secure at the end point (as secure as is reasonably possible) and secure on the wire, yet still be open to attack from many points. Machines can get infected and the protections in place are often totally in the dark that anything has happened. You can get infected by doing things you shouldn’t be doing and you can get infected by doing things that aren’t inherently dangerous (browsing a legitimate site that has been compromised). The corporate network may be adequately secured to prevent this (at least we like to think so) but your home network, the coffee shop, the book store and other open wi-fi hot spots are ripe for the picking. These are the places where many users get infected and then they often bring the infection back to the office.

I’d dare to say that most corporate networks are not equipped to notice this unless something really unusual happens to trigger an IDS/IPS or they happen to stumble across it. Michael at mcwresearch gives us a great example of this. I also tell a story here of a time when I “stumbled” across something at a client site.

This is what is so scary about today’s malware. It’s easier than ever to get infected and harder than ever to be detected. That’s why it’s so important that security professionals continue to work diligently in all areas to protect their little corner of the network and Internet. Everyone from the Security Researcher down to the desktop guy is important in the fight. No one is better than anyone else and no one is more important than anyone else. We all have to work together if we ever hope to win this battle.

I ran across this today. It’s something that we as bloggers, and especially those who read blogs, need to be aware of. Apparently if a blogger gets infected with this malware it will insert a link to a malicious site when a new blog post is created. If the reader visits that site then they will be infected with this variant of the Storm Worm Trojan.

Remember these immortal words from the Hill Street Blues character Sgt. Phil Esterhaus: “Let’s be careful out there”.

Noticebored.com has released the March issue of their newsletter, which focuses on gaining a better understanding of malware. It contains info on how malware works and some remediation steps to prevent infection and remove it (if possible).

As the primary IT guy and security guru for my company I have lots to worry about. I don’t worry about my data circuits, my servers (too much), my routers or firewalls (unless I need support for my Barracuda). I don’t worry about most of these things.

What I do worry about is security. What “evil” is lurking out there trying to ruin my day and get at my data. I worry about viruses, worms, trojans, rootkits and keystroke loggers. I worry about remote users who are at Wi-Fi hotspots while I’m waiting on the vendor to fix a driver vulnerability. I worry about someone sniffing my wireless and getting on it and thus gaining access to my network. I worry about who it was that left FTP open on my firewall all weekend (since no one remembers doing it). I worry about home users using their laptop from home to connect to the VPN while “hitching a ride” on their neighbor’s unsecured wireless. I worry about all the IM traffic that crosses my network (especially the user who practices IM sex). I worry about the users who have USB thumb drives and iPods connected to their machine. I worry about the users who have local admin rights on their machine because some program that they use requires it. I worry about spammers and phishers and users who click on links and attachments.

That’s enough to drive any security nut even nuttier. That was how my IT life was, but luckily it has been and is changing. It’s still not perfect. The tools are slowly getting put in place to reduce or eliminate these things and hopefully make my life easier. But until then I worry…

More woes of small shop IT and our struggle to make it through the day.
