Between black and white: the state of grayware on the PC

April 25, 2008 – 4:44 AM

In the old days, as our parents frequently love to remind us, life was much simpler. You bought a computer, and when you finally figured out what you wanted to do with it, you assembled a list and went down to your local Egghead for some software. It was straightforward, if time-consuming.

All this changed when personal computers started hooking up to the Internet. Suddenly, software authors could deliver their wares to people all over the world, quickly, with negligible distribution cost. Unfortunately, reliable methods of payment hadn’t quite been figured out yet, and most Internet users expected to download software for free. In the heady days of the dot com boom, many software companies were happy enough to give out free software and trust that the money would somehow arrive later, magically (some, like the authors of WinAmp, would live to see this happen when their company was bought by America Online). Other companies released trial or demo copies of their software which could be unlocked for a fee.

Still other organizations decided that the best way to make money from free software was to be sneaky—give away something for free that appeared to do something useful but, in the background, do something tricky that would generate revenue for the software’s authors. This sneaky something could be displaying ads that the user did not request, hijacking a web browser’s start page or search engine, or scanning the user’s personal surfing habits and selling the results to the highest bidder.

Malware was born.

Read the rest of the story…

Twitter meets manunkind

April 24, 2008 – 4:31 PM

Well, I finally jumped on that social networking bandwagon called Twitter. I signed up for Twitter about an hour or so ago just to check it out and see what all the hype was about. I know, I’m slow. But they always say that a person hears or sees something multiple times before they actually stop and check it out. So I guess I’m right on schedule. 🙂

Anyway, I’m manunkind on Twitter as well and I can be found here:
http://twitter.com/manunkind

Twitter with ya later…

Securing the Internet’s DNS

April 24, 2008 – 3:04 PM

The Internet is slowly inching closer to ratcheting up the security of its Domain Name System (DNS) server architecture: The Internet Corporation for Assigned Names and Numbers (ICANN) plans to go operational with the secure DNS technology, DNSSEC, later this year in one of its domains.

ICANN officials said the organization plans to add DNSSEC to its .arpa Internet domain servers, and that the .org domain servers (run by PIR) as well as the .uk servers also will go DNSSEC soon. Country domains .swe (Sweden), .br (Brazil), and .bg (Bulgaria) already run the secure version of DNS for their domain servers.

DNSSEC, which stands for DNS Security Extensions, digitally signs DNS records so that DNS responses are validated as legitimate and not hacked or tampered with. That ensures users don’t get sent to phishing sites, for example, when requesting a legitimate Website. DNS security increasingly has become a concern, with DNS prone to these so-called cache poisoning attacks, as well as distributed denial-of-service (DDOS) attacks like the one last year that temporarily crippled two of the Internet’s 13 DNS root servers.

But DNSSEC adoption has been slow in coming, mainly due to the complexity of managing the keys. Converting .arpa — a domain mostly relegated to Internet research sites — to DNSSEC isn’t quite the same as securing .com, but it could signal that DNSSEC is finally ready for prime time, experts say.
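A simplified sign-and-verify model of what the paragraphs above describe, as an added example in Go that is not part of the article or of any DNSSEC implementation: it uses Ed25519 (DNSSEC algorithm 15) over a text serialisation of the RRset instead of the real wire format, and the owner name, addresses and key pair are constructed.

```go
// Added illustration, not code from the article: a simplified model of how a
// DNSSEC signature (RRSIG) binds an RRset to the zone's key. Real DNSSEC signs
// the canonical wire form plus RRSIG fields (RFC 4034); this uses text form.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// RR is one resource record of the RRset being signed.
type RR struct {
	Name, Type, Data string
	TTL              uint32
}

// canonical serialises an RRset the way a validator rebuilds it from an
// answer: names lowercased, records sorted, so both sides sign the same bytes.
func canonical(rrs []RR) []byte {
	lines := make([]string, 0, len(rrs))
	for _, r := range rrs {
		lines = append(lines, fmt.Sprintf("%s %d IN %s %s", strings.ToLower(r.Name), r.TTL, r.Type, r.Data))
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n"))
}

// SignRRset is the zone signer's side: the private zone key (Ed25519,
// DNSSEC algorithm 15, RFC 8080) signs the canonical RRset.
func SignRRset(priv ed25519.PrivateKey, rrs []RR) []byte {
	return ed25519.Sign(priv, canonical(rrs))
}

// VerifyRRset is the validating resolver's side: a poisoned or altered
// answer no longer matches the signature made over the authentic records.
func VerifyRRset(pub ed25519.PublicKey, rrs []RR, sig []byte) bool {
	return ed25519.Verify(pub, canonical(rrs), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // zone key pair (constructed)
	authentic := []RR{{"www.example.org.", "A", "192.0.2.10", 3600}}
	sig := SignRRset(priv, authentic)
	// A poisoned answer that swaps in another address (constructed data).
	poisoned := []RR{{"www.example.org.", "A", "203.0.113.5", 3600}}
	fmt.Println("authentic:", VerifyRRset(pub, authentic, sig), "poisoned:", VerifyRRset(pub, poisoned, sig))
}
```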

Read the rest of this story…

Tactical Forensics Platform

April 24, 2008 – 2:32 PM

Earlier I wrote about my proposed Tactical Network Security Monitoring Platform. Today I finally sat down and installed the operating systems I need on this system to create a portable tactical forensics and investigation platform. I did not want to use my main work laptop for this sort of work because I do not administer it. I needed my forensics platform to be separate from the corporate domain and totally under my control. I only feel comfortable attesting to the configuration of a system doing forensics if I built it from the ground up and I am the sole administrator.

For operating systems, I had three needs. I wanted Windows XP because the majority of commercial forensics software runs on Windows. I wanted Ubuntu Hardy Heron so I could have access to Linux forensics software and VMware Server. (Windows is also a possible VMware Server candidate, but I might install a copy of VMware Workstation on the Windows side.) I wanted FreeBSD 7.0 in case I needed to do packet capture and related network security monitoring tasks.

I decided to triple-boot these three operating systems. The box has three logical hard drives. Two are physical (147 GB each) and the third is a RAID 0 array resulting in a single HDD of 447 GB.

Before I got the following to work I had to experiment with various setups. The following is what I settled upon. I’m posting this information for future reference and for those who might want to try the same setup.

First I installed Windows XP on the only HDD it could see, one of the 147 GB HDDs. I thought this a little odd, but it suited my purposes. I rebooted and Windows started without incident.

Read the rest of the story…

Targeted attacks using malicious PDF files

April 24, 2008 – 12:14 PM

Dating back to the end of February, we have been tracking test runs of malicious PDF messages to very specific targets. These PDF files exploit the recent vulnerability CVE-2008-0655.

Ever since the end of March and beginning of April, the number of samples seen in the wild has significantly increased. Interestingly enough, there is almost no “public, widespread” exploitation. All reports are limited to very specific, targeted attacks. However, due to the wide scope of these attacks, and the number of targets we know of, we feel a diary entry was in order.

At this point in time, we are receiving more PDF samples from targeted attack victims per day than any other common file type (DOC, CHM, PPT). The threat agents, or attackers, are the same. They are just moving from other file types towards PDF, but are generally using the same control servers and similar backdoor families.

The files contain:
– an embedded trojan installer;
– a clean PDF file.

Once the file is opened in a vulnerable Acrobat Reader version, the backdoor will install, and the clean PDF file is opened in the user’s browser. From a user-experience standpoint, there are two possible methods of detection:

– If the file is opened in a patched Acrobat Reader, an error will be displayed that the file is corrupted;
– If the file is opened in a vulnerable Acrobat Reader, the user will see Acrobat Reader close and immediately reopen the valid PDF document.

Antivirus detection of these samples is usually very low heuristically. Below are detection results from a malicious PDF which had not been reported to an AV vendor yet. Note that these results vary per file. We’re not listing MD5 hashes or file names due to the sheer number of samples we’ve seen so far.
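As an added example (not from the diary and not an ISC tool), a small Go triage routine for PDF files with the structure described above: it inflates FlateDecode streams and flags an embedded Windows executable and a second PDF header, i.e. the clean decoy carried inside. The sample file it builds is constructed, and the DOS-stub string serves only as a detection marker.

```go
// Added example, not from the diary: a triage check for PDF samples with the
// structure described above. It inflates each FlateDecode stream and flags an
// embedded Windows executable (DOS-stub string) and a second %PDF- header.
package main

import (
	"bytes"
	"compress/zlib"
	"fmt"
	"io"
	"regexp"
)

type Indicators struct{ EmbeddedExe, DecoyPDF bool } // triage result for one file

// inflate decompresses a zlib (FlateDecode) stream; raw or broken streams come back as-is.
func inflate(b []byte) []byte {
	if r, err := zlib.NewReader(bytes.NewReader(b)); err == nil {
		if out, err := io.ReadAll(r); err == nil {
			return out
		}
	}
	return b
}

// Triage inspects raw bytes only; it never renders or opens the file.
func Triage(pdf []byte) Indicators {
	streamRe := regexp.MustCompile(`(?s)stream\r?\n(.*?)\nendstream`)
	views := [][]byte{pdf} // the whole file, then each inflated stream body
	for _, m := range streamRe.FindAllSubmatch(pdf, -1) {
		views = append(views, inflate(m[1]))
	}
	ind, headers := Indicators{}, 0
	for _, v := range views {
		ind.EmbeddedExe = ind.EmbeddedExe || bytes.Contains(v, []byte("This program cannot be run in DOS mode"))
		headers += bytes.Count(v, []byte("%PDF-"))
	}
	ind.DecoyPDF = headers > 1 // the file's own header plus a hidden one
	return ind
}

// BuildSample constructs a lookalike (not a real sample): one FlateDecode
// stream carrying a DOS-stub marker followed by a decoy PDF header.
func BuildSample() []byte {
	var z bytes.Buffer
	w := zlib.NewWriter(&z)
	w.Write([]byte("MZ\x90\x00This program cannot be run in DOS mode\r\n%PDF-1.4 decoy\n"))
	w.Close()
	return []byte("%PDF-1.4\n1 0 obj<</Filter/FlateDecode>>stream\n" + z.String() + "\nendstream\nendobj\n%%EOF\n")
}

func main() { fmt.Printf("%+v\n", Triage(BuildSample())) }
```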

Read the rest of the story…