According to recently published lists, programs such as Mozilla Firefox and Adobe Photoshop have been added to the increasing number of vulnerable DLL applications that include Microsoft Word 2007, Microsoft Office Visio 2003, and Microsoft Office PowerPoint 2010. The DLL bugs, Microsoft says, are caused by applications passing an insufficiently qualified path when loading an external library. Of the 520 DLL exploits found by researchers at Acros Security, most were DLL file loading issues. The rest were due to insecure loading of executables such as exe. and .com files.

In a recent video post, CoreTrace’s Greg Valentine demonstrates how the base operating system is susceptible to the DLL hijack vulnerability, and how application whitelisting protects systems by blocking all attempts made by PowerPoint to execute corrupt DLL files.

With application developers still the ones responsible for fixing affected applications, one of the biggest challenges organizations face is knowing the number of applications that are potentially vulnerable to DLL bugs. On the other hand, networks protected by whitelisting solutions such as BOUNCER by CoreTrace aren’t hit with the extra time and resources needed to research and clean up applications impacted by malicious DLL files.

I just posted my new video on the DLL hijacking attack and how the exploit gets loaded and executed on a victim’s machine. Check out how the malicious DLL uploads on endpoint systems when end-users open up legitimate Powerpoint files:

The video demonstrates how the base operating system is susceptible to the DLL hijack vulnerability and how organizations using application whitelisting such as BOUNCER by CoreTrace are protected from this particular DLL attack. Through the BOUNCER interface, our customers see how our application whitelisting solution successfully blocks all attempts Powerpoint makes to run the corrupt DLL files.

Check it out and let me know what you think or if you have any questions.

Rather than continuing with the current approach of adding layer upon layer of security to defend endpoints against expected attacks, Jeff Green, senior vice president of McAfee Labs and product development, said the security industry needs to get more aggressive if it expects to get a leg up on the tens of thousands of malware variants that surface every day.

“The tools and techniques of cybercrime continue to grow in number and sophistication at alarming rates. The cybercriminals prosper as they never have before because they have very little reason to fear the consequences. Maybe this is because we have really never given them a reason to fear. This must change. We must adapt our industry at its core and at all levels. It is time to send the security industry on the offensive.”

This statement comes at a time when testing continues to reinforce how much cybercriminals still have the upper hand. A recent independent study by NSS Labs found that a majority of antivirus security software suites still fail to detect malware attacks on PCs, with average protective scores of 76% even when exploits have been publicly available for months, or in some cases, years. The report concluded:

“Based on market share, between 70 to 75 percent of the market is under protected. Keeping AV software up-to-date does not yield adequate protection against exploits, as evidence by coverage gaps for vulnerabilities several years old.”

Even with the security industry in such dire straits, we all know surrender is never an option. What security professionals need to do is re-evaluate their current approaches and implement more proactive strategies for combating cybercrime. Instead of waving a white flag, the industry needs to consider other options such as application whitelisting. At a time when organizations desperately need to stay one step ahead of hackers, whitelisting solutions such as BOUNCER by CoreTrace can prevent the execution of the growing number of malware attacks that continue to slip passed even the most trusted antivirus security software on the market.

In the article, “‘Viruses Are Winning’: Malware Threat Outpaces Antivirus Software,” not only has malware gotten stealthier, it’s multiplied in variety and volume at an unmanageable rate. According to Sean-Paul Correll, a threat researcher at Panda Security, in 2006 the growth in malware samples were doubling year-after-year. By 2009, that number jumped to 25 million new strains, more than the previous 20 years combined. Through July 2010, the number has grown to 46.6 million malware samples, nearly 100% growth over last year, with 5 months remaining.

While antivirus security companies have responded with new technologies to detect more sophisticated attacks, security experts such as Golden Richard III, a professor of computer science at the University of New Orleans, say antivirus software programmers are losing the battle.

“The viruses are winning because the defenses don’t work very well. It’s much harder to be on defense. And the offensive guys are really smart, they’ve got a lot of resources. It’s a bleak situation.”

Modern malware uses many different ways to conceal itself from the most advanced antivirus software, which only detects 40-70% of infections, said Danny Quist, a malware specialist at Offensive Computing, LLC. The most recent example is the latest incarnation of the Stuxnet worm, which uses techniques to evade antivirus detection and install itself on Windows systems to access SCADA environments. The good news for networks protected by CoreTrace’s BOUNCER application whitelisting solution, they don’t have to play the cat-and-mouse game with enhanced malware specifically designed to defeat virus scanners.

If you would like to read an independant view on our new version, BOUNCER 6.0, check out what Enterprise Management Associates (EMA had to say about the enhancements in their Impact Brief,“Taking Adaptive Application Whitelisting to the Next Level: CoreTrace Introduces BOUNCER 6.0.”

Targeted malware attacks are the new norm, not the exception

Stealthier, targeted cyber attacks aren’t exclusively going after high-tech giants anymore. Research presented at last month’s Black Hat Conference said advanced persistent attacks that have hit defense agencies and high-profiled corporations like Google are also becoming the norm with medium-sized businesses.

In two separate analyzed attacks, researchers Nicolas Percoco and Jibran Ilyas of TrustWave’s Spider Labs research group said the malware didn’t discriminate between the size of the organization. The primary goal of the attack was to avoid detection and maintain a presence on the intended networks.

“Targeted malware is the norm, not the exception,” said Percoco.

Research has found that advancements in malware and anti-forensic features allow remote attackers to stay on their victims’ networks an average 156 days before they are detected. By avoiding detection, more persistent threats enable hackers to dive deeper into a mission-critical applications to steal valuable intellectual property or sensitive financial data they can resell on the black market.

Cyber crime costs businesses each $3.8 million per year

A new report by the Ponemon Institute on the cost of cyber crime revealed that midsized and large U.S. organizations from different industries and government agencies are each paying $3.8 million per year to fight weekly cyber attacks, malicious code and rogue insiders. The annual cost, which represents the direct cost of dealing with the attacks (not the antivirus software used to protect their networks), was derived from varying business reports that ranged between $1 million to a whopping $52 million per year.

The study also found it took, on average, 14 days for an organization to respond to a successful cyber attack, which cost businesses $17,696 per day. According to the report, defense, energy and financial services companies experienced higher costs than organizations in retail, services and education.

No matter if you’re working in the public or private sector, Larry Ponemon, director of the Ponemon Institute, said the study shows the impact cyber crime continues to have on businesses and their bottom line.

“The eye-popping thing we found is a lot of organizations are very disorganized in even understanding the environments they’re dealing with.”

Study finds SCADA systems security “like a ticking time bomb”

While organizations that run SCADA systems claim their networks are secure because they’re not connected to the Internet, findings from an extensive nine-year analysis of more than 120 security assessments of systems that manage power plants, oil refineries, and other critical national infrastructure found the opposite to be true.

The study, conducted by Jonathan Pollet, founder and principal consultant of Red Tiger Security, found that critical infrastructure facilities across the U.S. have been operating with tens of thousands of security vulnerabilities, outdated operating systems, and unauthorized applications. According to the report, facilities unknowingly had computers crucial to the operations running everything from Windows 95 and other unauthorized software such as peer-to-peer applications to games and pornography that contained major vulnerabilities.

“It’s kind of like a ticking time bomb. I’m hoping the message that we’re giving here can open a few eyes.”

While most systems contained common errors and were vulnerable to SQL injections, cross-site scripting and denial-of-service attacks, Pollet found that deploying a patch could take up to a year on systems that couldn’t be taken offline or were too important to risk installing a patch because it would disrupt a critical process.

Unfortunately, system vulnerabilities like these are exactly what attackers use to write malicious code around. Take, for example, the newly surfaced Stuxnet malware, which targets utility companies and exploits a zero-day vulnerability in Windows to access the Siemens WinCC SCADA systems database. Advanced knowledge of system flaws are the key to creating worms that target control systems. You can bet the energy sector is keeping a close eye on this one, and doing everything they can to work with NERC, the U.S. Department of Energy, and others to develop strategies to protect their critical infrastructures.

Are cyber spies already in your system?

It may sound a little farfetched, but some security experts believe that an increasing number of organizations are under surveillance by foreign spybots that are spying on U.S. businesses to gain competitive advantages or exploit weaknesses in their systems. While it’s difficult for researchers to pin down the magnitude of these insidious threats, they’re enough to put security professionals on high alert. Mark Lobel, advisory principal at PricewaterhouseCoopers, said the quiet nature of electronic cyber espionage can be deceiving, particularly when they are undetected by the usual security tools.

“Because the whole point is for the espionage to be stealthy, there is truly no way to know the size and scope of the issue. In conversations with people in the industry, they are confident that it is a larger problem than most people recognize or understand.”

Gartner VP of research for computer security, Neil MacDonald, takes it one step further by maintaining that as many as 75% of enterprises have been or are being infected with undetected, financially driven, targeted attacks that evaded their traditional perimeter and host defenses.

While there’s no way to completely protect an organization against increasingly sophisticated attacks, one security strategy that many experts agree can reduce the impact of such attacks is to practice defense in depth. While most companies continue to remain blissful of electronic surveillance, MacDonald added that denial never works. Taking false comfort in antivirus software and network scans that show zero infections doesn’t mean that a system hasn’t already been compromised.

Thanks for reading this monthly recap of some of the top stories within our space. Please feel free to provide feedback on any of these important topics.