IT security, vulnerabilities, bugs, fixes, flaws, RSA conference and Infosec.
A blog from V3.co.uk


Malware writers exploit Gmail outage

Opportunistic malware writers tried to use the Gmail outage yesterday to distribute malicious files, according to security vendor Trend Micro.

In a blog posting, the firm said that it noticed that searches for the term "Gmail down" brought up a Google Groups page of the same name riddled with links to malicious files.

"The link Really young good looking teenager-547b4.html redirects to two different URLs," wrote Trend Micro's JM Hipolito. "First, the URL hxxp:// {BLOCKED}worldx.com/software/f352d5ac52/10410/1/Setup.exe prompts the download of a file detected as TROJ_PROXY.AEI. Trend Micro Researcher Loucif Kharouni reported that TROJ_PROXY.AEI drops two files: a BAT file and a DLL file. The BAT file is used to load the DLL file, which in turn modifies the registry entries related to proxy server settings. This causes the results of user queries to be redirected to remote sites mostly related to advertising."

Another link - The Dark Knight torrent.zip - displays a pop-up message stating "Virus Activated," then deletes certain files critical to the loading of Windows. After doing so, another pop-up message is displayed, this time stating "Computer Over. Virus=Very Yes", then the computer shuts down after ten seconds, and will no longer be bootable, he added.

The Google Groups page has now been deleted and was only up for about 25 minutes, according to Trend, but the incident shows yet again just how opportunistic malware writers are: always on the look-out for any situation they can exploit to infect user machines.

February 25, 2009

Home Office silent on international co-operation

The government has again defended its decision to award new powers to the police and MI5, allowing them to hack into personal computers without a warrant, but appeared less confident about what to do with malware attacks committed from outside the country.

vnunet.com was given exclusive access to the letter of response given by Home Office minister Vernon Coaker to a series of questions posed, through his MP, by Simon Heron, analyst with security vendor Network Box. The response also covers the issue of a potential centralised government database of communications records.

Heron's letter asked the Home Office to explain what it was doing to ensure that any centralised database run by private businesses wouldn't end up in the wrong hands, and that police hacking powers would not be abused. Coaker responded by re-emphasising that comms data would not include the content of calls, and that suggestions of a privately-run database are just "press speculation on the options that will be discussed in a consultation paper". "Depending on the outcome of the consultation, we will then look at options for maintaining our communications data capabilities," he wrote. No explicit ruling-out of such a plan, then.

Coaker also defended the new police hacking powers which were widely reported in January, saying that "authorisation [normally from a chief constable] must be necessary and proportionate for the prevention and detection of serious crime and that what the action seeks to achieve cannot be achieved by other means". All cases must be notified to an independent oversight body - the Office of Surveillance Commissioners, he added.

All of which is not particularly surprising and is couched in typically woolly political prose. But when asked by Heron, "I am also very keen to know about the international actions the government is taking to curb the increasing deluge of malware that businesses and individuals have to deal with which imposes a huge expense on the UK economy", the response was rather less than satisfactory.

Coaker explained the recent changes to the Computer Misuse Act, bringing us closer to the European Cybercrime Convention, the government's backing of Get Safe Online, and even the "commercial interest" that "access service providers" have in ensuring no malware gets onto their systems. And that's it. No information on any work being done by the UK to seek agreements with other countries which might help to arrest the flow of malware into the UK. Nothing about any international work beyond the Convention on Cybercrime, for example.

If the government's policy, as it seems to be, is to trundle towards a European convention, and let the security vendors and ISPs battle it out with the cyber criminals, then we're in for a pretty tough time. Without international action to take down the malicious sites, arrest the spread of botnets and leave no hiding place for the online criminals, the UK will continue to bear the brunt of many of the attacks.

February 21, 2009

Kaspersky ups the ante

Fresh from a rather embarrassing hack of its US portal, Russian security vendor Kaspersky had a more positive announcement to make today. The firm has patented new technology which it says will help it to detect and remove all malicious programs.

The new technology was developed by Mikhail Pavlyushchik and granted Patent No. 7472420 by the US Patent and Trademark Office on December 30, 2008. But more interestingly, what makes it different? It works by logging all system events that may indicate virus activity, for example modification of an executable or of a record in the system registry. When a malicious process or file is detected, a module that analyses the preceding events is launched, which allows the source and the time of an infection to be determined, according to Kaspersky.

"The system then analyses all child events related to the source event, which makes it possible to detect all malicious programs involved in the incident, including those that were previously unknown," the firm explained. This is particularly useful because online criminals now typically use a Trojan to get a foothold on a user's machine and then have that same Trojan download a whole host of other malware from the internet, much of it without known signatures, so traditional signature-based AV can't detect it. Tracing the chain of events outwards from the original dropper is meant to catch the lot regardless.

The new technology also removes or quarantines malicious code, interrupts malicious processes, and restores the system files from a trusted backup, said Kaspersky. And, helpfully, it can then send on any useful info about detected malware to other AV vendors to help them speed response times.
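The approach Kaspersky describes, as a runnable toy. This is an added example, not Kaspersky's code or the patent's implementation: the event format, the node naming, and the allowlist of trusted image paths are all assumptions, and the event log is constructed to mirror the dropper-plus-BAT-plus-DLL chain from the Gmail post above. Given a detection (here the DLL), it walks the causal graph backwards to the earliest event that produced an untrusted object, then forwards to every file, process and registry value derived from it, and turns that into the terminate/quarantine/restore plan the post lists.

```python
"""Infection-chain reconstruction from a system event log (added example).
Not Kaspersky's or the patent's code: event format, node naming and the
trusted-image allowlist are assumptions; LOG is constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    ts: int       # position in the log, used as the timestamp
    actor: str    # acting process: "proc:<pid>:<image path>"
    action: str   # "spawn" | "write_file" | "load" | "reg_set"
    target: str   # object acted on: "proc:...", "file:..." or "reg:..."

def proc_node(pid, image): return f"proc:{pid}:{image}"
def file_node(path): return f"file:{path}"
def reg_node(key): return f"reg:{key}"

BROWSER, EXPLORER = r"C:\Program Files\Browser\browser.exe", r"C:\Windows\explorer.exe"
CMD, RUNDLL = r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\rundll32.exe"
DROPPER = r"C:\Temp\Setup.exe"
PROXY_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer"
TRUSTED_IMAGES = {BROWSER, EXPLORER, CMD, RUNDLL}  # assumed; a real product checks signatures

def is_trusted(node):
    kind, _, rest = node.partition(":")
    if kind == "file":
        return rest in TRUSTED_IMAGES
    if kind == "proc":
        return rest.split(":", 1)[1] in TRUSTED_IMAGES
    return False  # registry values are data, never a trusted object

def build_graph(log):
    """Causal edges u -> v ("u gave rise to v") and the event behind each."""
    children, parents, edge_event = defaultdict(set), defaultdict(set), {}
    for e in log:
        if e.action == "spawn":    # a child comes from its parent and from its image file
            edges = [(e.actor, e.target), (file_node(e.target.split(":", 2)[2]), e.target)]
        elif e.action == "load":   # code from a loaded DLL/script now runs inside the process
            edges = [(e.target, e.actor)]
        else:                      # write_file / reg_set: the process produces the object
            edges = [(e.actor, e.target)]
        for u, v in edges:
            children[u].add(v)
            parents[v].add(u)
            edge_event.setdefault((u, v), e)
    return children, parents, edge_event

def closure(start, adj):
    """All nodes reachable from start along adj (start itself excluded)."""
    seen, stack = set(), [start]
    while stack:
        for m in adj.get(stack.pop(), ()):
            if m not in seen:
                seen.add(m)
                stack.append(m)
    return seen

def find_source(detected, parents, edge_event):
    """Earliest event in the detected object's ancestry that produced an
    untrusted object: the entry point, and hence the time of infection."""
    lineage = closure(detected, parents) | {detected}
    candidates = [edge_event[(u, v)] for v in lineage if not is_trusted(v)
                  for u in parents.get(v, ())]
    return min(candidates, key=lambda e: e.ts) if candidates else None

def infection_set(source, children):
    """Everything derived from the source object, whether or not it has a signature."""
    nodes = closure(source.target, children) | {source.target}
    return {k: sorted(n for n in nodes if n.startswith(k + ":")) for k in ("file", "proc", "reg")}

def analyse(log, detected):
    children, parents, edge_event = build_graph(log)
    source = find_source(detected, parents, edge_event)
    return source, (infection_set(source, children) if source else None)

def remediation_plan(infected, registry_backup):
    """The response steps the post lists: terminate, quarantine, restore from backup."""
    return ([("terminate", p) for p in infected["proc"]]
            + [("quarantine", f) for f in infected["file"]]
            + [("restore", k, registry_backup.get(k[4:])) for k in infected["reg"]])  # None: no backup, delete

# Constructed log: the browser fetches Setup.exe, which drops a BAT and a DLL; cmd.exe runs the
# BAT, which has rundll32 load the DLL, and the DLL rewrites the proxy setting. Explorer is noise.
LOG = [
    Event(0, proc_node(100, EXPLORER), "spawn", proc_node(200, BROWSER)),
    Event(1, proc_node(200, BROWSER), "write_file", file_node(DROPPER)),
    Event(2, proc_node(200, BROWSER), "spawn", proc_node(300, DROPPER)),
    Event(3, proc_node(300, DROPPER), "write_file", file_node(r"C:\Temp\run.bat")),
    Event(4, proc_node(300, DROPPER), "write_file", file_node(r"C:\Temp\proxy.dll")),
    Event(5, proc_node(300, DROPPER), "spawn", proc_node(301, CMD)),
    Event(6, proc_node(301, CMD), "load", file_node(r"C:\Temp\run.bat")),
    Event(7, proc_node(301, CMD), "spawn", proc_node(302, RUNDLL)),
    Event(8, proc_node(302, RUNDLL), "load", file_node(r"C:\Temp\proxy.dll")),
    Event(9, proc_node(302, RUNDLL), "reg_set", reg_node(PROXY_KEY)),
    Event(10, proc_node(100, EXPLORER), "write_file", file_node(r"C:\Users\me\notes.txt")),
]

if __name__ == "__main__":
    source, infected = analyse(LOG, file_node(r"C:\Temp\proxy.dll"))  # detection fires on the DLL
    print("source:", source)
    for step in remediation_plan(infected, {PROXY_KEY: ""}):
        print(step)
```

Two things the toy glosses over that a real implementation can't: process identity (pids are reused, so nodes need a start time or a GUID as well), and trust (an allowlist keyed on image path is exactly what a dropper defeats by running its payload inside cmd.exe or rundll32.exe, which is why the walk treats those as tainted instances to terminate rather than trusted objects to stop at).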

Nice to hear the AV vendors have enough engineers to keep innovating, especially after chief executive Eugene Kaspersky's predictions last year that the financial crisis would lead some to the dark side. Kaspersky in particular prides itself on the ingenuity and expertise of its engineers and the quality of its products, but they're going to need all the ingenuity they can get if they're to even keep pace with a well-funded, well-resourced and highly motivated criminal community.

February 20, 2009

Enisa gives birth to a monster

The EU's security task force, Enisa (European Network and Information Security Agency) has just released a new 600-page document, designed to provide an overview of the 'state of the art' in network and information security (NIS) in each of the 27 European member states.

Now, some of the more cynical readers of this blog may be thinking 'so what?', and to be honest, a 600-page document designed to categorise and map all of the major NIS stakeholders and their mutual relations in each member state is probably not going to set the pulse racing.

Enisa, which was set up in 2004 and has been operational since 2005, has sometimes come in for a bit of criticism in security circles for being too bureaucratic, not reactive enough and generally a little ineffectual. Yet it has undertaken some important research in the past and, a bit like the EU itself, it likes to think of itself as more of a coordinator, an overseer and a bringer together of disparate groups.

So what of the Country Reports document? Well, it found that NIS institutions vary substantially from country to country, with the most important actors for implementing NIS policies being governmental organisations. No prizes for guessing that, although it is interesting to hear what the European agency has to say, objectively, about the UK.

We are highly developed in our e-government services and household broadband usage, according to the report, and we come top when it comes to percentage of online buyers, but the percentage of our population with internet skills is alarmingly low; in ninth place behind countries like Hungary.

And now the interesting bit. What then follows in the report is a flow chart of mind-boggling complexity, attempting to show the interrelationships between all the key stakeholders in the sphere of NIS.

The Home Office, the Information Commissioner's Office, the Serious Organised Crime Agency (SOCA), the Department for Business Enterprise and Regulatory Reform (BERR), the Information Assurance Policy and Program Board (IAPPB), the Chief Information Officer Council, the Communications-Electronics Security Group (CESG) and the United Kingdom Computer Emergency Response Team (UK-CERT) are all mentioned.

Surely there's no clearer sign of our overly bureaucratic approach to network and information security than this. We're often thought of as a European leader in terms of the maturity of our security market, but some serious thought has to go into streamlining and consolidating such bodies if the UK is to truly hold itself up as an example to others.

February 14, 2009

Kaspersky gets hacked

Ouch, there's never anything more embarrassing for an IT security vendor than finding vulnerabilities in its own software, or having its own databases hacked. Well, the PR team at Russian anti-malware firm Kaspersky Lab must have had plenty to think about over the weekend, after it emerged that the firm's US portal was hacked.

Now the official line from Kaspersky is that a vulnerability was detected on a "subsection of the usa.kaspersky.com domain" and that the site was only vulnerable for a "very brief period"; well, it was eliminated within 30 minutes of detection, anyway, which is not quite the same thing, since the hole was open from whenever it was introduced until somebody noticed. The firm also maintains that the vulnerability wasn't critical and no data was compromised.

The hacker, a chap named Unu, posted details of his SQL injection attack on the HackersBlog site.

"Kaspersky is one of the leading companies in the security and antivirus market. It seems as though they are not able to secure their own databases," Unu wrote in a posting on the site.

"Seems incredible but unfortunately, it's true. Alter one of the parameters and you have access to everything: users, activation codes, lists of bugs, admins, shop, etc."

If he had happened to have more malicious intent, he could have gained full access to the back-end database containing customer details, user account numbers, activation codes and so on. So the vulnerability was maybe a little more critical than Kaspersky was making out. Bad PR or not, firms should really come completely clean when their systems are found to be vulnerable, even if they are security vendors.
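"Alter one of the parameters and you have access to everything" is the textbook shape of SQL injection, so here is the bug class side by side with its fix. This is an added example with a constructed SQLite schema and data; it is not Kaspersky's site code and says nothing about what their actual flaw looked like. The vulnerable functions paste a query-string value straight into SQL; the safe ones either coerce it to the expected type and bind it, or bind it as text with the LIKE wildcards escaped. The example also covers the free-text case the post does not mention, since that is where "just cast it to int" stops working.

```python
"""Parameter-driven SQL injection beside its fix (added example, constructed data).
Not Kaspersky's code: the schema, rows and queries are all assumptions."""
import sqlite3

def make_db():
    """Constructed sample: a product table the page needs and a customer table it never should."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, activation_code TEXT);
        INSERT INTO products VALUES (1, 'Anti-Virus'), (2, 'Internet Security');
        INSERT INTO customers VALUES (1, 'alice@example.com', 'AAAA-1111'),
                                     (2, 'bob@example.com', 'BBBB-2222');
    """)
    return con

def product_vulnerable(con, product_id):
    """The query-string value is spliced into the statement, so it becomes code."""
    return con.execute(f"SELECT id, name FROM products WHERE id = {product_id}").fetchall()

def product_safe(con, product_id):
    """Coerce to the type the column expects, then bind: the value can only ever be data."""
    try:
        pid = int(product_id)
    except (TypeError, ValueError):
        raise ValueError("product id must be an integer") from None
    return con.execute("SELECT id, name FROM products WHERE id = ?", (pid,)).fetchall()

def search_vulnerable(con, fragment):
    """Same mistake with a text parameter: a quote in the input closes the string literal."""
    return con.execute(f"SELECT id, name FROM products WHERE name LIKE '%{fragment}%'").fetchall()

def search_safe(con, fragment):
    """Text has no type to check, so binding does the work; the LIKE wildcards
    are added here, and any % _ \\ the user supplied are escaped so they match literally."""
    escaped = fragment.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return con.execute("SELECT id, name FROM products WHERE name LIKE ? ESCAPE '\\'",
                       (f"%{escaped}%",)).fetchall()

if __name__ == "__main__":
    con = make_db()
    print("dump table:    ", product_vulnerable(con, "1 OR 1=1"))
    print("cross-table:   ", product_vulnerable(con,
          "1 UNION SELECT id, email || ':' || activation_code FROM customers"))
    print("text injection:", search_vulnerable(con, "' OR '1'='1"))
    print("bound text:    ", search_safe(con, "' OR '1'='1"))
    try:
        product_safe(con, "1 OR 1=1")
    except ValueError as err:
        print("rejected:      ", err)
```

The UNION payload is the one that matters for the quote above: the products page only ever needed to read products, yet the database account it runs as can read customers and activation codes too, so one unbound parameter turns a catalogue lookup into a dump of the whole schema. Binding parameters closes the injection; giving the web application's database user the least privilege it needs limits what an injection you missed can reach.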

February 9, 2009

SharePoint security issues?

It's a common problem in many industries: young upstarts burst onto the scene with fresh ideas, disruptive products and generally a different way of doing things. Then the inevitable backlash comes, as they become the establishment and said products turn out not to be quite as great as we all thought, actually.

A classic example in the enterprise content management space is SharePoint. According to the Wall Street Journal, "Microsoft sold 85 million licences to the enhanced version of SharePoint across 17,000 companies" by 2007, and Gartner reported a few months ago that approximately 50 per cent of the mid-size businesses it surveyed are running some variant of SharePoint.

Users love it for the ease with which it allows them to collaborate and share documents. But now for the backlash. Security firm Courion a little while ago interviewed SharePoint users only to find that the majority thought they didn't have nearly enough visibility into their SP environments and feared the exposure of sensitive data on these sites. And now new Trend Micro research out today finds a rather disturbing lack of attention being paid by firms towards securing their SharePoint environments.

The research found that only 60 per cent of the 269 IT managers surveyed had security technology deployed to protect their SP environments, and out of these, many said they rely on file server AV, which is unlikely to guard against all the threats around these days - protection must be deployed at all layers of the network. What's more, a large proportion of the organisations surveyed said they allow external users to access their SharePoint systems, increasing the risk of data loss.

Vendor-driven research should always be taken with a small pinch of salt, but the issues raised here are legitimate concerns. SharePoint's usage in the enterprise has grown so rapidly, IT teams have barely had the time to catch up. IT managers need to discover just how widespread SP usage in the enterprise is, and then secure it properly.

February 3, 2009


© Incisive Media Investments Limited 2010, Published by Incisive Financial Publishing Limited, Haymarket House, 28-29 Haymarket, London SW1Y 4RX, are companies registered in England and Wales with company registration numbers 04252091 & 04252093