Showing posts with label malware. Show all posts

Tuesday, March 10, 2009

PIFTS


Something is rotten in the state of security.

Users of Symantec's Norton AV have been reporting instances of a file named PIFTS.exe trying to connect out to the Norton updates.

This wouldn't be news in and of itself, but it seems that Symantec doesn't want to discuss the issue. All questions regarding PIFTS are removed from the message board within minutes of being posted. Some users have been banned after attempting to repost.

Since they can't turn to Symantec for answers, many users have turned to the communal knowledge of the web. Unfortunately, the bad guys have also noticed the influx of searches for PIFTS.exe and some of the top results in Google are actually malicious, attempting to infect any visitors with rogue anti-virus Malware. DO NOT DOWNLOAD ANYTHING from those sites.

ThreatExpert has a breakdown of PIFTS and its attempt to phone home here.

VirusTotal shows no hits.

Brian Krebs @ The Washington Post is trying to get some answers.

SANS Internet Storm Center writes that they've been contacted by a Symantec employee who claimed ownership of the file and tried to make clear that it isn't intended to do any harm.

Nice of them to respond...

But won't they let people talk about it on the message boards?

Why the secrecy, Symantec?

**Update** (courtesy of Brian Krebs @ The Washington Post)

"David Cole, senior director of product management at Symantec, said the PIFTS file was part of a 'diagnostics patch' shipped to Norton customers on Monday evening. The purpose of the update, Cole said, was to help determine how many customers would need to be migrated to newer versions of its software as more Windows users upgrade to Windows 7."

As to why Symantec was deleting forums posts and banning users for mentioning PIFTS, Cole says, "hundreds of new users began registering on the forum, leaving inane and sometimes abusive comments."

This is a lame excuse. Though the forums do seem to have been hit by the 4chan crowd, the first people to ask questions were very polite and straightforward. They asked simple questions, like 'hey, how come part of your software wants to access the Internet?'

Not exactly ban-worthy behaviour.

A forum moderator could have simply (easily!) answered the question and closed the thread. Wouldn't that have saved everyone a lot of trouble?


Tuesday, March 3, 2009

Coin Toss



http://tinyurl.com/akvagb

Go. Read the article.

Anti-virus software vendors like to proclaim that their products achieve success rates in the 90%+ range. This is false and misleading.

It is inconceivable that end users (and many corporate entities) still believe that AV software is the catch all for security.

A 50% success rate is unacceptable. It is a coin toss - 50/50 chance - that your network is secure.

"The average delay in detection and remediation was 54 days."

54 days?! Two months?!

The bottom line here is that Malware created for non-commercial purposes simply does not exist anymore. It hasn't in over two years.

Modern Malware is specifically designed to operate quietly and unobtrusively for as long as possible. The bad guys are after our social insurance numbers, credit card numbers, bank account details, credit equity, customer lists, a jump on the quarterly earnings, our emails, online payment accounts, access to our social network of friends, ANYTHING they can get their hands on.

Think about it: the average delay in detection is 54 days. For almost two months the bad guys have access to your system.

This isn't like having your house robbed.

It's like having your house broken into and the robbers moving in and hiding in your closet for two months.

From home users to large corporate networks, we must - MUST - move beyond our tired notions of network security. The bad guys are always evolving, adapting their Malware to evade detection and improve levels of compromise. Why haven't the good guys evolved?

The numbers speak for themselves:

"About 3 to 5 percent of all systems in an enterprise are infected with bot-related malware -- even within organizations running up-to-date antimalware tools."

"Antivirus software immediately discovered only 53 percent of malware samples."

"Another 32 percent were found later on, and 15 percent were not detected at all."

Now you may be thinking that 15% doesn't sound like a lot, that maybe that's an acceptable level of risk. Consider this:

Security researchers around the world analyze anywhere from 20,000 to 30,000 pieces of Malware every day. Every day!

The Shadowserver Foundation has analyzed over 19 million Malware samples in the past 12 months alone.

15% of 19 million is a big number.

You really want to take that chance?


Sunday, November 30, 2008

The Enemy Within

Two weeks ago, users of AVG's virus scanner awoke to a nasty surprise: their supposed security software had been updated to identify the file named user32.dll as malicious. Those people most keen to protect their computer systems followed the instructions as directed and deleted the file - only to find that they were now stuck in an endless cycle of reboots.

User32.dll is a core Windows file, not, as AVG identified it, a Trojan Horse named PSW.Banker4.APSA or Generic9TBN. This is not the first time AVG has struggled with misidentifying Malware, nor is it the first time an Anti Virus company has recommended that users remove core Windows files.

In December of last year, Anti Virus company Kaspersky Labs decided that a Virus existed within Windows Explorer, the graphical user interface for Windows itself. Thankfully, Kaspersky managed to catch the error before the damage was too widespread; though, I imagine the employees at the UK enterprise that was affected would tell a different story.

Even Microsoft is guilty of such casual coding. In 2007, Microsoft's OneCare, an Anti Virus product, when used with Internet Explorer 7, was flagging Google's Gmail as a Virus. Even Microsoft's own products weren't safe, with OneCare regularly quarantining or deleting all of the email in a user's inbox.

AV companies tout their wares as the silver bullet for personal protection. You know this isn't true. I know this isn't true. So, why doesn't everybody else?

It was bad enough that the generic, non-technical computer user didn't know that his Anti Virus software was only protecting him from a small percentage of modern threats. Now we also have to let him in on the secret that his "protection" might sometimes do more harm than good.

Monday, September 8, 2008

Cyber Security Event for the Government of Canada and IT Industry

Dear Friends and Colleagues:

On behalf of the Canadian Internet Registration Authority (CIRA), I am pleased to invite you to attend a special Cyber Security meeting to be held at the Crown Plaza Ottawa, September 23, 2008.

Cyber Security is critical to ensuring the integrity of the network infrastructure of the federal government. This Cyber Security meeting offers an opportunity to discuss, share and learn what we can do and what we should do to respond to modern Cyber Security threats. It will comprise four sessions covering cyber-attacks, the evolution of modern malware, the latest updates on the Kaminsky DNS Vulnerability and Electronic Espionage. Is the Government of Canada well safeguarded against these threats?

Topics include:

Update on the Kaminsky DNS Vulnerability

Christopher Davis, CEO Defence Intelligence

The Evolution of the Threat: From Fun to Profit

Christopher Davis, CEO Defence Intelligence

Meaghan Molloy, Threat Analyst Defence Intelligence

Information Protection Capability Gap

Aron Feuer/Wayne Boone, Cygnos IT Security

Cyber-Attacks: Experiences From the Trenches

Bill Woodcock, Packet Clearing House

We are delighted to welcome Mr. Bill Woodcock to this meeting. Bill Woodcock is research director of Packet Clearing House, a non-profit research institute dedicated to understanding and supporting Internet traffic exchange technology, policy, and economics. Bill has operated national and international Internet service provision and content delivery networks since 1989, and currently spends most of his time building Internet exchanges in developing countries.

This is a meeting not to be missed!

This CIRA Cyber Security event is limited to 60 participants. We urge you to register!

Sincerely,

Norm Ritchie

Chief Information Officer
Canadian Internet Registration Authority (CIRA)