Complete Zeus source code available on underground forums

In May, a security researcher discovered that the complete source code for the advanced Zeus banking Trojan was leaked on the Internet. With the malware kit freely available to download from underground forums, cyber criminals interested in developing their own Zeus botnets can potentially launch attacks designed to steal money from legitimate online bank accounts, said Peter Kruse, a security researcher with CSIS.

“We can hereby confirm that the complete Zeus/Zbot source code is freely available for inspection, inspiration or perhaps to be compiled and used in future attacks.”

According to Tim van der Horst, a malware researcher at Blue Coat Systems, this lowers the bar for any cyber criminals to access high-quality malware and create Zeus copy-cat attacks. The fact that even inexperienced criminals could get their hands on the infamous banking code could also result in the distribution of more targeted Zeus attacks and variants across the Web.

Microsoft says one in 14 downloads is malicious

Today, downloading any new software, even from a friend, can potentially put your system at risk. That’s according to Microsoft, who reported in May that one in every 14 downloads is malware. The rise in malicious software has been spearheaded by more ambitious and creative hackers who continue to come up with more social engineering tactics, said Jeb Haber, program manager lead for Internet Explorer’s SmartScreen.

“You’re just seeing an explosion in direct attacks on users with social engineering. We were really surprised by the volumes. The volumes have been crazy.”

The range of social engineering attacks can vary from email messages that appear to be from a friend asking to download a video to fake antivirus warnings that look like they are coming from the operating system. Being tricked to download such programs infects the user’s machine with a malicious code. With social engineering threats on the rise, organizations and users alike need to continue educating themselves about new and evolving social engineering tactics designed to sneak bad code onto computers.

Private and public sector team up to educate SMBs on cybercrime

With an astounding 74% of small- to medium-sized businesses having experienced cybercrime over the past year, the Federal Communications Commission (FCC) announced plans to dedicate a portion of its website to educate SMBs about cybercrime, and what they can do to avoid becoming victims of evolving threats.

The effort is part of a collaboration between the FCC, the U.S. Chamber of Commerce and Symantec to provide the latest information and security tips on how small businesses can combat cybercrime.

According to the article, “Cybercrime Affects All Businesses, FCC Warns,” approximately 40% of SMBs have lost confidential data and were penalized with direct financial costs as a result of cyber attacks. The FCC also said the average cost per criminal incident against SMBs climbed to a record $188,242 in 2010.

Online businesses hit with steady climb in new malware

Last month, GFI Software reported that an average of 73,000 fresh e-threats were released each day in the month of April, accounting for a 26% increase in new malware over April 2010. Along with a steady rise in scareware and fake antivirus scams was a uninterrupted stream of Trojans that accounted for over 20% of all malicious programs found.

One of the things malware authors continue to focus on is prominent worldwide events. Black-Hat Search Engine Optimizations attacks are poisoned search engine results that exploit high-profiled events like the Royal Wedding and the Osama bin-Laden assassination to dupe users into clicking on bogus websites. This can result in malicious code being injected on a system.

These types of malware attacks can go beyond individual machines. For example, if a system is connected to a corporate network, the malicious code can be launched on a larger network, putting corporate data and other systems at risk. For organizations trying to protect their networks from such vulnerabilities, stopping the payload is key. Proactive fraud preventative techniques such as application whitelisting stops targeted malware by preventing the execution of any unauthorized application from running on a machine, no matter what criminal method a hacker uses to deliver the malicious code.

I appreciate you reading this month’s recap security blog. Be sure to regularly stop by to read and provide your thoughts on the important stories that impact the security industry.

While companies can educate and train end-users to be more mindful of dangerous phishing and social engineering attacks, the truth of the matter is people are people, and they are going to make mistakes. According to the InfoWorld article, “Report: End-user ignorance at Epsilon let hackers steal customer data,” in this particular case, a mistake made by one end-user in an email-based phishing attack effected many others simply because the user was connected to a larger network that stored millions of customer email addresses of big-name companies including Chase, Citi, Walgreens, Target, Disney Vacations, Fry’s and Eddie Bauer, to name a few.

Once the user opened a bogus email link, they unintentionally downloaded three malware programs that disabled their machine’s antivirus software, ran a Trojan keylogger for stealing passwords, and gave hackers remote administration rights to the infected machine.

With new malware up 26% in 2011 compared to the first quarter of last year, a recent study by PandaLabs found that targeted Trojans account for approximately 70% of all new malware attacks. While it is recommended that organizations keep end-users up to date of evolving online threats, for all intents and purposes, it won’t stop hackers from successfully exploiting their networks.

Because of the human factor, security professionals know you can’t restrict what websites people go to or what emails they download. User behavior is simply out of their control. Along with other safeguards like encryption and segregated networks, the primary objective should be stopping the payload that enters via user actions. By blocking malicious software from executing on a machine, no matter how it got there, organizations can stop targeted cyber attacks from penetrating their networks, which is where the trouble begins. This is where CoreTrace’s Bouncer application whitelisting solution stops any unauthorized applications from exploiting a network without having to unrealistically control end-user behavior.

RSA a mixed blend of cyber security approaches… and the cloud

This year’s RSA Security Conference covered everything from the more vicious attacks to the best ways to prevent them. Because today’s cyber criminals are highly motivated to take whatever they want, Bret Hartman, CTO of EMC’s RSA security devision, said in order to protect their networks from an array of attacks, organizations need to develop a next-generation cyber security solution that encompasses key elements around governance, risk management and compliance policies, with virtualization underlying tomorrow’s security approaches.

When it comes to cloud adoption, Art Coviello, executive chairman of EMC’s RSA security division, said meeting the demands of the cloud requires deploying more flexible, dynamic security.

“Achieving this means building security into virtualized components and, by extension, distributing security throughout the cloud. Also, automation will be absolutely essential in enabling security and compliance to work at the speed and scale of the cloud. Policies, regulations, and best practices will be codified into security management systems and enforced automatically, reducing the need for intervention by IT staff–a problem that’s getting away from us today.”

Because virtualization and the cloud have the power to dramatically change security in the future, our Bouncer application whitelisting solution, which uses CoreTrace’s Software Intelligence (CSI) cloud-based service of known good and bad applications, helps organizations working in the cloud to identify and block malware and other unauthorized applications with a high level of flexible application management and control.

Night Dragon attacks a threat to power grid security

They get up, go to work, and come home like the rest of us. The only difference is while at work they’re hacking and social engineering oil, gas and petrochemical companies and their executives to steal highly sensitive information and intellectual property. That’s who McAfee suggests, in a report released in February, is likely behind the infamous Night Dragon operation.

In the article, ‘Night Dragon’ attacks from China strike energy companies,” the security software vendor said there is strong evidence — from the hacking tools to the computer IP addresses — that the coordinated cyber attacks targeting energy companies could be the work of Chinese hackers, otherwise referred to in the report as “company men”, that work regular 9 to 5 jobs.

With more coordinated campaigns like Night Dragon targeting the energy industry, unsettling reports like the recent U.S. Department of Energy audit of power grid security claim there’s still plenty of work to be done. The DOE found that cyber security standards that don’t always include security controls combined with a reluctance of power plants to identify critical assets is creating challenges for risk-based security approaches.

Hackers co-opting trusted websites to launch attacks

In the past, cyber criminals spent a lot of time using free domains to create fake websites that looked legit. As these sites became known for hosting questionable content, criminals have now begun hacking and compromising legitimate sites with outstanding security reputations to launch attacks.

In the 2010 Web Security Report released in February, Blue Coat Systems found cyber criminals are taking the time to co-opt trusted sites to host malware and other malicious content.
According to the article, “Cyber-Criminals Co-Opting Trusted Sites into Attack Infrastructure: Report,” evidence of this strategy took place last October when a Kaspersky Labs‘ software download page redirected visitors to a fake antivirus software. Even though a site has an excellent security reputation rating, the report warned that relying on a reputation defense could leave users susceptible to attacks.

As Mac OS X gains market share, so does Mac malware

As more and more security experts warn that cybercrime is turning away from targeting traditional Windows-based PCs and focusing on emerging platforms like tablet computers and mobile platforms, Sophos researchers have discovered a new Trojan horse online that is written exclusively for the Mac.

In the article, “Hacker writes easy-to-use Mac Trojan,” Sophos said the BlackHole RAT (Remote Access Trojan) program, which can be found on online hacking forums, may still be in beta mode. However, if someone were to figure out how to get it installed in a Mac computer, it would give the criminals remote control of the compromised machine.

As Mac OS X continues to gain market share on Windows, Chet Wisniewski, a researcher with Sophos, says cyber criminals are taking note. He’s also come across another Mac Trojan, HellRTS, which is circulating on file-sharing websites for pirated Mac software. Either way you look at it, with more Mac malware popping up and enterprises scaling beyond Windows, the ability to protect all network endpoints across all major platforms is becoming essential to any endpoint security strategy.

I appreciate you checking in and reading our top endpoint security stories for February.

Following the worldwide outbreak, Symantec, along with other antivirus companies, issued recommendations to help companies mitigate the threat and stop it from spreading. Instead of installing specific defenses to help further protect their networks, they recommended disabling network sharing, local network access and Internet access for infected computers, as well as blocking all outbound traffic to domains and IP addresses involved in the attack.

Really? Shut everything down? These recommendations sound more like a full-scale retreat than an effective defense against an easily preventable worm. Application whitelisting solutions such as BOUNCER by CoreTrace stop all malicious code execution to eliminate threats such as last week’s mass-mailing email, driveby downloads, and even DLL hijackings.

For security professionals, incidents like “Here you have” are staunch reminders that companies need to continually re-evaluate their existing security strategies to ensure their defenses aren’t disabled by inventive viruses or any malware variants — whether they’re new or an old nemesis with new tricks.

Historically, legislation has proven to be woefully inadequate in preparing the U.S. for cyberwar. Why? Because there are no consequences. Until there are repercussions or someone is going to lose their job for not being secure, this will continue to be problematic. This is where the government is missing the boat. Trying to legislate cyber security without holding organizations accountable seems to be the crux of the problem.

Unfortunately, our friend and newly appointed U.S. Cyber Security Czar, Howard Schmidt, is in a tough spot. With no budget or real authority to levy consequences, there’s not going to be much change. Although many believe the government can and should be leading the way to improve the nation’s cyber defenses, Mr. Schmidt believes the best defense remains in the hands of the private sector.

It all comes down to holding people accountable. Without repercussions, there’s no incentive for companies to spend money to get out of the status quo in terms of what security best practices are, and start thinking in a more proactive manner.

It’s only when people’s jobs are on the line that things truly get done. Only then will we start to move beyond our reactive mindset and get ahead of the problem by implementing proactive solutions such as application whitelisting that adequately prepare ourselves for cyberwar.