<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>CoreTrace WhiteSpace&#187; CoreTrace WhiteSpace</title>
	<atom:link href="http://www.coretraceblogs.com/tag/antivirus/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.coretraceblogs.com</link>
	<description>The Application Whitelisting and Security Weblog</description>
	<lastBuildDate>Wed, 01 Sep 2010 15:46:53 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.1</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Protect your endpoint systems from stuxnet with CoreTrace BOUNCER</title>
		<link>http://www.coretraceblogs.com/2010-07/protect-your-endpoint-systems-from-stuxnet-with-coretrace-bouncer/</link>
		<comments>http://www.coretraceblogs.com/2010-07/protect-your-endpoint-systems-from-stuxnet-with-coretrace-bouncer/#comments</comments>
		<pubDate>Mon, 26 Jul 2010 19:04:11 +0000</pubDate>
		<dc:creator>Greg Valentine</dc:creator>
				<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[stuxnet]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=1943</guid>
		<description><![CDATA[I just posted a video walking through the stuxnet exploit and how it can impact endpoints simply by viewing the site and how a strong application whitelisting solution like BOUNCER stops this.

This attack is a good illustration of a vulnerability that affects all versions of Windows and was specifically targeting SCADA environments. More specifically it [...]]]></description>
			<content:encoded><![CDATA[<p>I just posted a video walking through the stuxnet exploit and how it can impact endpoints simply by viewing the site and how a strong application whitelisting solution like BOUNCER stops this.</p>
<p><object width="425" height="344"><param name="movie" value="http://www.youtube.com/v/X_TUwI8UKY4&amp;hl=en_US&amp;fs=1"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/X_TUwI8UKY4&amp;hl=en_US&amp;fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="344"></embed></object></p>
<p>This attack is a good illustration of a vulnerability that affects all versions of Windows and was specifically targeting SCADA environments. More specifically it affects any systems that use shortcuts.</p>
<p>While antivirus companies scramble for a fix to the latest threat of the day, it seems to make more sense to look for security solutions that defend against these sorts of attacks proactively.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2010-07/protect-your-endpoint-systems-from-stuxnet-with-coretrace-bouncer/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Top endpoint security stories for April 2010 &#8211; April sees cyber crime in full bloom</title>
		<link>http://www.coretraceblogs.com/2010-05/top-endpoint-security-stories-for-april-2010-april-sees-cyber-crime-in-full-bloom/</link>
		<comments>http://www.coretraceblogs.com/2010-05/top-endpoint-security-stories-for-april-2010-april-sees-cyber-crime-in-full-bloom/#comments</comments>
		<pubDate>Tue, 04 May 2010 16:31:30 +0000</pubDate>
		<dc:creator>Toney Jennings</dc:creator>
				<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[cyber crime]]></category>
		<category><![CDATA[drive-by attacks]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[security software]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=1633</guid>
		<description><![CDATA[April showers may bring May flowers, but the Internet also saw something else in full bloom &#8212; cyber crime. Computer systems around the globe experienced a variety of problems in April ranging from more fake antivirus software to malicious code that avoids detection from search engine Web crawlers. But none were as big as a [...]]]></description>
			<content:encoded><![CDATA[<p class="margin_bottom_2em">April showers may bring May flowers, but the Internet also saw something else in full bloom &#8212; cyber crime. Computer systems around the globe experienced a variety of problems in April ranging from more fake antivirus software to malicious code that avoids detection from search engine Web crawlers. But none were as big as a well-publicized faulty security update that crashed thousands of computers and became a public relations nightmare for one of the world&#8217;s top security software makers. Here were some of the top security stories from April 2010:<span id="more-1633"></span></p>
<h3>McAfee takes a big hit for faulty AV update</h3>
<p>One of the most talked about stories in April was the <a href="http://blogs.zdnet.com/Bott/?p=2003www.">faulty McAfee antivirus update that wreaked havoc on thousands of Windows systems across the world</a>. Instead of updating the security software, the faulty virus definitions removed a critical component in the Windows operating system, leaving affected systems running Windows XP Service Pack 3 (SP3) endlessly rebooting until tech support repaired the problem manually.</p>
<p class="margin_bottom_2em">While McAfee <a href="http://www.pcworld.com/article/194858/mcafees_mea_culpa_for_update_error.html">issued an apology for the impact that the faulty signature update may have caused individuals and organizations</a>, we will never know the full financial impact the debacle caused for McAfee&#8217;s worldwide customers, or the company, itself.</p>
<h3>Windows users hit by drive-by attacks</h3>
<p>Windows users were also on full alert with the discovery of a <a href="http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1509989,00.html">wave of drive-by attacks</a> that attempted to exploit a new Java zero-day vulnerability to serve up malware. The problem was with the Java Webstart Framework, a plug-in and ActiveX control distributed with the Java Deployment Toolkit. The vulnerability affects all versions of Windows, as well as Internet Explorer and Firefox. At the time the attacks were discovered, engineers at Sun Microsystems, which maintains Java, didn&#8217;t believe the issue was serious enough to warrant an immediate fix. However, the Google engineer who published the proof-of-concept code gave his reasoning for releasing it, along with several workarounds to apply until a patch was deployed:</p>
<blockquote class="margin_bottom_2em">
<p>&#8220;The simplicity with which this error can be discovered has convinced me that releasing this document is in the best interest of everyone except the vendor. Exploitation of this issue is not terribly exciting, but is potentially of high enough impact to merit explanation.&#8221;</p>
</blockquote>
<h3>Fake AV software found on Facebook application</h3>
<p>Because of their high volume of users and potential victims, <a href="http://www.pcworld.com/businesscenter/article/194008/malicious_facebook_ad_redirects_to_fake_antivirus_software.html">social networking sites such as Facebook are becoming prime targets for scammers</a>. In April, [a malicious advertisement was found within a Facebook application] that has more than 9 million monthly users. The bad Shockwave Flash ad redirected Facebook users to a Web site selling fake antivirus software.</p>
<p class="margin_bottom_2em">Unfortunately, this is part of an increasing trend of socially engineered attacks. According to a Panda Security report released last year, as many as 35 million computers worldwide get infected with fake antivirus programs each month.</p>
<h3>New Adobe Flash Player could change how online banks fight fraud</h3>
<p>A <a href="http://www.eweek.com/c/a/Security/Adobe-Flash-Player-Private-Browsing-May-Force-Change-in-Fraud-Fight-703551/">report from Gartner</a> highlighted how the reliance on Flash cookies as an authentication mechanism to identify legitimate users and block unauthorized or fraudulent access may need to change with the release of Adobe Flash Player 10.1, scheduled for release later this year.</p>
<p>The updated version&#8217;s &#8220;Private Browsing&#8221; feature will make it easier for users to clear Flash cookies after a Web session. While the feature may be good for privacy, it may force online banks and e-commerce businesses to find something else to rely on for their authentication process. Gartner analyst Avivah Litan said:</p>
<blockquote class="margin_bottom_2em">
<p>&#8220;In my opinion, this is a big deal in the fraud world. Many banks, card issuers and online retailers rely in part on device identification to successfully detect fraud. And in many of these cases, the device identification they use is based on Flash local storage.&#8221;</p>
</blockquote>
<h3>Hackers hiding from anti-malware search bots</h3>
<p>Computer criminals are <a href="http://krebsonsecurity.com/2010/04/hiding-from-anti-malware-search-bots/">hiding from anti-malware search bots</a> by blocking search engine Web crawlers from indexing legitimate Web pages that host hostile code. The attackers insert code into the hacked sites that is served to anyone visiting them except the anti-malware search bots run by Yahoo! and Google. When the search bots do find these sites, they append a warning to the hacked site&#8217;s listing in the search results and inform site owners about potential malware problems that need to be addressed.</p>
<p>While the search engineers are aware of and continually counteracting these types of techniques, Google engineer Niels Provos said the fight against these Web site hackers is a constant arms race:</p>
<blockquote>
<p>&#8220;This has been going on for some time. What happens is if a Web crawler comes along, [the attackers will configure the hacked site so that it] ends up showing [trending content] they get from news sites. This is to game the ranking of search content. But then if the visitor comes to one of these sites via a search engine, he ends up getting exploit code.&#8221;</p>
</blockquote>
<p>Thanks for taking the time to read this blog. Each week, I comment on the top stories from the security industry. I encourage your feedback and hope you come back soon.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2010-05/top-endpoint-security-stories-for-april-2010-april-sees-cyber-crime-in-full-bloom/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Guest Blog By GlobalSCAPE&#8217;s COO: Defending Cyberspace&#8230;</title>
		<link>http://www.coretraceblogs.com/2010-02/guest-blog-by-globalscapes-coo-defending-cyberspace/</link>
		<comments>http://www.coretraceblogs.com/2010-02/guest-blog-by-globalscapes-coo-defending-cyberspace/#comments</comments>
		<pubDate>Mon, 22 Feb 2010 19:05:30 +0000</pubDate>
		<dc:creator>Craig Robinson</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[application whitelisting]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[endpoint protection]]></category>
		<category><![CDATA[GlobalSCAPE]]></category>
		<category><![CDATA[proactive]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=1307</guid>
		<description><![CDATA[There is no question that cyberspace is a new frontline in traditional and untraditional conflict. Many nations and organizations have the ability, directly and by proxy, to target and attack critical infrastructure within the US and worldwide. The recent cyber attacks launched within China against Google and several other companies raised questions about the state [...]]]></description>
			<content:encoded><![CDATA[<p>There is no question that cyberspace is a new frontline in traditional and untraditional conflict. Many nations and organizations have the ability, directly and by proxy, to target and attack critical infrastructure within the US and worldwide. The recent <a href="http://blog.globalscape.com/2010/01/china-vs-google-the-policy-strategy-and-technology-perspective" target="_blank">cyber attacks launched within China against Google</a> and several other companies raised questions about the state of industry preparedness to help defend cyberspace.</p>
<p>The US government relies on commercial industry to safeguard the Internet, telecommunications, power, water, and other critical infrastructure that underpin our national economy. Elements of this infrastructure also directly support our ability to project military power worldwide.<span id="more-1307"></span></p>
<p>Industry works closely with the government to advance the ‘state of the possible’ in cyber defense. As a former CIO and military systems analyst, I have witnessed several generational cycles of defensive technology developments in the cyber arena. In the mid-90s, for example, system administrators configured firewalls (from standard computer systems) by hand, and reviewed log files (either manually or through then-clever application of scripts) to detect, characterize, assess, and potentially contain cyber intrusions. Today, automated intrusion prevention systems are available as commercial-off-the-shelf (COTS) products, integrated with firewalls and incident management solutions to allow very rapid detection and blocking of cyber attacks. This is just one example of how industry has worked closely with the government to deliver significant advances in cyber defense technologies.</p>
<p>Unfortunately, our cyber adversaries today have proven relentless and highly flexible in their endless pursuit of effective attacks (for an entertaining perspective on the topic, please read Toney Jennings&#8217; <a href="http://blog.globalscape.com/2010/02/caddyshack-the-defense-of-cyberspace-no-more-%e2%80%9cwack-a-mole%e2%80%9d/" target="_blank">&#8220;Caddyshack &#038; The Defense of Cyberspace: No More “Wack-a-Mole”&#8221;</a> post on GlobalSCAPE&#8217;s blog site). Those of us in the information security industry understand that the next major terrorist strike very well may come from the cyber domain or, at a minimum, include cyber attacks as part of a broader operation. From a traditional national security perspective, it is a near certainty that future adversaries will continue to develop their cyber attack capabilities. Such asymmetric warfare capabilities are increasingly attractive, given the overwhelming superiority of US forces in conventional, force-on-force combat.</p>
<p>As a result, GlobalSCAPE, our partners and many others in the industry are working tirelessly to deliver next-generation cyber defense capabilities and stay one step ahead of our adversaries. Our continued development in this area is a national imperative. We are excited by the prospects for transformational solutions like application whitelisting to allow more assured defense of the cyber frontier. We’ll be addressing a variety of cyber defense topics in future posts. Stay tuned!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2010-02/guest-blog-by-globalscapes-coo-defending-cyberspace/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Windows crashes linked to rootkits after problems with latest patch</title>
		<link>http://www.coretraceblogs.com/2010-02/windows-crashes-linked-to-rootkits-after-problems-with-latest-patch/</link>
		<comments>http://www.coretraceblogs.com/2010-02/windows-crashes-linked-to-rootkits-after-problems-with-latest-patch/#comments</comments>
		<pubDate>Wed, 17 Feb 2010 19:03:52 +0000</pubDate>
		<dc:creator>Toney Jennings</dc:creator>
				<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[endpoint protection]]></category>
		<category><![CDATA[patching]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=1297</guid>
		<description><![CDATA[Growing evidence suggests that a rootkit infection was *one* of the culprits behind last week&#8217;s Blue Screen of Death incident that caused countless Windows PCs to lock down after installing several Microsoft security patches.  While many follow-up articles have focused on the malware infection that caused the problem, including Robert Westervelt&#8217;s SearchSecurity.com article, &#8220;Windows [...]]]></description>
			<content:encoded><![CDATA[<p>Growing evidence suggests that a rootkit infection was *one* of the culprits behind last week&#8217;s Blue Screen of Death incident that caused countless Windows PCs to lock down after installing several Microsoft security patches.  While many follow-up articles have focused on the malware infection that caused the problem, including Robert Westervelt&#8217;s SearchSecurity.com article, <a href="http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1381423,00.html?track=sy160&#038;utm_source=feedburner&#038;utm_medium=feed&#038;utm_campaign=Feed%3A+techtarget%2FSearchsecurity%2FSecurityWire+%28SearchSecurity+%3A+Security+Wire+Daily+News%29" target="_blank">&#8220;Windows blue screen may be result of rootkit infection,&#8221;</a> from an endpoint security standpoint, most seem to be missing the point. And that point is even though malware may be causing this problem, rushed patching is a process that can always cause problems.<span id="more-1297"></span></p>
<p>As I mentioned in last week&#8217;s entry, <a href="http://www.coretraceblogs.com/2010-02/latest-microsoft-patch-illustrates-the-dilemma-and-dangers-of-fire-drill-patching/" target="_blank">&#8220;Latest Microsoft patch illustrates the dilemma and dangers of fire drill patching,&#8221;</a> relying on antivirus defenses to protect endpoints ties organizations to fire drill software patching. Reactive software application patching will never provide the level of protection today&#8217;s companies need to adequately protect their networks against harmful malware. As Mr. Westervelt goes on to write:</p>
<blockquote>
<p>Rootkits are fairly common. They are installed by attackers who first gain access to the machine by exploiting a vulnerability. Once inside, the rootkit is deployed giving the attacker the ability to mask intrusion and gain root or privileged access to the computer. It can also be a package of spyware programs that monitor traffic and record keystrokes. Antivirus vendors typically have trouble detecting rootkits.</p>
</blockquote>
<p>What these recent stories point out is that malware infections on these devices only highlight the fact that existing desktop security isn&#8217;t working properly. Why else are these companies regularly patching?  The desktop security paradigm of antivirus and patching simply isn&#8217;t working.</p>
<p>Unfortunately, what we&#8217;re seeing is that patching itself is also causing problems with their systems. Organizations are better off focusing on ways to effectively stop Web-malware and malicious code from deploying in the first place than aimlessly reacting to cyber criminals exploiting the known and unknown vulnerabilities within their network.  Playing catch up with more patches is not only a losing proposition for IT security professionals, it seems to be compounding the problem.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2010-02/windows-crashes-linked-to-rootkits-after-problems-with-latest-patch/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>The top 5 failures of antivirus</title>
		<link>http://www.coretraceblogs.com/2010-02/the-top-5-failures-of-antivirus/</link>
		<comments>http://www.coretraceblogs.com/2010-02/the-top-5-failures-of-antivirus/#comments</comments>
		<pubDate>Mon, 08 Feb 2010 15:43:59 +0000</pubDate>
		<dc:creator>Toney Jennings</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[blacklisting]]></category>
		<category><![CDATA[patching]]></category>
		<category><![CDATA[whitelisting]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=1240</guid>
		<description><![CDATA[I truly believe that 2010 is a turning point in endpoint security. The old antivirus model has reached the end of its practical usefulness and the disadvantages of an approach with a foundation of blacklisting far outweigh its benefits. Operation Aurora and the attacks against major online brands perfectly illustrate the failure of our old [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.coretraceblogs.com/2010-02/the-top-5-failures-of-antivirus/back-to-square-one-signpost/" rel="attachment wp-att-1253"><img src="http://www.coretraceblogs.com/wp-content/uploads/2010/02/iStock_failure_sign-303x201.jpg" alt="" title="The top 5 failures of antivirus" width="303" height="201" class="alignright size-medium wp-image-1253" /></a>I truly believe that 2010 is a turning point in endpoint security. The old antivirus model has reached the end of its practical usefulness and the disadvantages of an approach with a foundation of blacklisting far outweigh its benefits. Operation Aurora and the attacks against major online brands perfectly illustrate the failure of our old paradigm to protect endpoints.</p>
<p>Later this week, we are launching a fun (and funny) awareness campaign, called Planet Antivirus, highlighting the weaknesses of antivirus and focusing on the need to completely rethink our approach to how we defend endpoints. Today I am kicking this campaign off by highlighting the top five failures of antivirus technology:<span id="more-1240"></span></p>
<ul>
<li>
<p><strong>Antivirus is a performance hog</strong> &#8212; One of the most common complaints we hear about antivirus is its performance impact. This can weigh heavier on the minds of IT managers than its problems with catching new threats. A perfect example of this is a <a href="http://reviews.cnet.com/Labs/4520-6603_7-5020816-10.html" target="_blank">description from CNET Labs</a> on how they test antivirus:</p>
<blockquote>
<p>&#8220;Antivirus programs are designed to detect and intercept harmful files downloaded to your computer. In order to monitor incoming files, however, antivirus programs &#8212; like all applications &#8212; need to use system resources. The degree to which an antivirus program detrimentally affects a system&#8217;s performance varies from one application to another. CNET Labs tests three areas of antivirus application performance: how deep-file virus scanning impacts overall system performance, how quickly files can be scanned for viruses, and how system boot time is affected by the antivirus program. We also report on how effective the antivirus programs are at identifying viruses by citing the studies of established industry authorities.&#8221;</p>
</blockquote>
<p>It is telling that the majority of their test is concerned with how antivirus detrimentally impacts system performance. The effectiveness of the antivirus solution is almost an afterthought.</p>
</li>
<li>
<p><strong>Antivirus is an after-the-fact cleaner, and it doesn&#8217;t even do that well</strong> &#8212; The simple fact is that antivirus can&#8217;t protect you from getting infected. This is indisputable and has been empirically proven time and again. So why do we still use it? One reason people continue to use antivirus is that it is used to identify infections and to clean up the mess. Unfortunately it doesn&#8217;t even do that well. If you are infected by a particularly nasty piece of malware, many times the best option you have is to completely rebuild your system. There is a great post on this on the Cornell Information Technology site titled, <a href="http://www.cit.cornell.edu/security/respond/wipeclean.cfm" target="_blank">&#8220;Rebuilding Your System Is the Safest Road to Recovery after a Malware Attack,&#8221;</a> that does a good job of making this case:</p>
<blockquote>
<p>&#8220;<strong>Dangerous software hides from repair tools</strong>: The IT Security Office recommends formatting one&#8217;s hard drive followed by a complete software reinstallation in response to a system compromise. Modern malware relies on rootkits to hide itself from antivirus software and administrator analysis. Rootkits use a variety of techniques, such as executable encryption, alternate data streams, innocently-named files or registry keys, concealment in system restore points or patch clusters, or the use of portions of the disk not conventionally accessible to the operating system. These elaborate, and effective, concealment methods make it difficult or impossible to return a computer to a safe, functional state. Often removal of the malware can render the system nonfunctional. Worse yet, incomplete or ineffective removal means the attacker may regain control of the computer.</p>
<p>strong>Complete reinstallation is necessary: A reinstallation includes not only the operating system, but also application software. It is important to realize that any application software currently on the computer may be tainted by the attacker and only trusted original sources should be used for reinstallation.&#8221;</p>
</blockquote>
</li>
<li>
<p><strong>Antivirus was designed to address a different threat</strong> &#8212; Despite the addition of heuristics and behavioral models to detect variants of malware, the fact remains that blacklisting is the foundation of antivirus and it was designed to address a different threat than today&#8217;s malware. Antivirus originated to protect against propagating threats. These threats either propagated through the sharing of disks and files by individual users or were self-propagating worms that identified weaknesses in networked computers and subsequently infected vulnerable systems. Blacklisting in this model was feasible and effective because it was easy both to collect samples of the malware and to protect against a limited set of threats.</p>
<p>Today&#8217;s threats are different. Today, online crime hinges on the combination of social engineering and vulnerability exploitation that allows the attacker to place a custom piece of malware on the targeted system. This is a much harder problem to solve by blacklisting. The attacks can be customized for uniquely targeted online businesses or groups of businesses with software that would elude even the most sophisticated antivirus solution. My main concern if I was Google or any of the other companies targeted in Operation Aurora wouldn&#8217;t be what data they stole from me, but what malware they left behind to use at another time. Most likely they will have to resort to reinstalling those systems as I mentioned in the previous point.</p>
</li>
<li>
<p><strong>Antivirus updates are too frequent and can cause problems</strong> &#8212; In order to keep up with the exploding world of malware most antivirus applications issue updates at a very regular interval. This can be as frequently as an update a day in some cases. The problem with this is not only does it require regular distribution of these updates to all endpoints with its corresponding performance impact, but the frequency of updates also means that problems from the updates are more likely to occur. The result of a decrease in reliability of signature updates means that many organizations try to test updates before they roll out the new signatures. This simply isn&#8217;t practical. The frequency of signature updates means that testing won&#8217;t work or even be completed before the next update arrives. Organizations either need to revert to a less frequent update schedule to allow testing, potentially extending the time they are exposed to a new threat, or they need to simply trust that the update files from their antivirus company won&#8217;t cause problems. Neither of these options is optimal.</p>
</li>
<li>
<p><strong>Relying on antivirus ties companies to fire drill software patching</strong> &#8212; The side effect of relying on antivirus to protect endpoints is that companies are now tied to reactive software application patching as well. Because we can&#8217;t trust our antivirus software to protect the endpoint, we also must remain constantly aware and vigilant about identifying and fixing vulnerabilities in our applications on the endpoint. The resulting combination of rushed patches and signatures is a significant drain on the human resources of an organization.</p>
</li>
</ul>
<p>2010 needs to be the year that we begin a healthy discussion of completely re-evaluating the approaches we use to protect our endpoints.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2010-02/the-top-5-failures-of-antivirus/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
