Jan 04 2013

Controls against industrial Malware

Category: MalwareDISC @ 11:43 pm

Malicious software is called a malware and malware may include viruses, worms and trojans. A virus is a piece of code which is capable of replicating itself and mainly it depends on a host file (a document) to reach its target. However worm does not rely on the host file to reach the target but it does replicate. Main property of Trojan is concealment of code and ultimately used to get control of target system.

Modern day malware Stuxnet can manipulate Programmable Logic Controllers (PLCs) of critical infrastructure. Industrial Control System (ICS), SCADA, and manufactruing insdutry infrastructure is controled by the PLCs. Another malware, named Duqu, Flame by its discoverers, is similar to Stuxnet in many respects. Like modern trojans Duqu communicates with a command and control server in encrypted form which gives you an idea of sophistication to develop this malware. In the past year the discovery of the Stuxnet malware ā€“ and subsequently of the Flame, Duqu and most recently Gauss malware ā€“ has brought the issue of state-sponsored cyberwarfare into sharp focus in security community which are simply known as modern day (WMD) weapon of mass destruction.

The discovery of these modern day malware caused an uproar among the security community when it was found that these malware had been specifically designed as a highly targeted industrial espionage tool. Perhaps this create a frenzy out there to deveop these kind of tools but that bring out some questions which I’m unable to answer. Is it legal for a state to develop these tools? Is it legal for a state to use these tools in offense? do we have any international charter on the legality of these tools, otherwise Stuxnet, Duqu and Flame may set a wrong legal precedence of what’s good for the goose is good for the gander.

Main sources of malware infection may be USB drive, CD Rom, internet and unaware users but basically malware can install itself on your computer by simply visiting an infected/implanted website (pirated software, web sites with illegal content)

An organization should perform a comprehensive risk assessment on their malware policy to determine if they will accept the risk of adobe attachment and other executable files to pass through their perimeter gateway. Organization may need to consider all the possible sources of malware threats in their risk assessment which may include but not limited to spyware.

Malware Controls:
ā€¢ High level formal malware policy and procedure. There should be a formal policy and procedure for USB drives if risk assessment determines that USB drive risk is not acceptable to business. Then there is a need to implement a control (policy, procedure, technical or training) or multiple of these controls to mitigate this risk to acceptable level.
ā€¢ Anti-Virus policy which makes it mandatory to install, and signature file updates should take place on a regular interval (daily)
ā€¢ Patch policy for all the latest patches, fixes and service packs that are published by the vendors
ā€¢ Regular audit or review of anti-malware software and data file on the system
ā€¢ All email attachment, software downloads should be checked for malware at the perimeter and adobe attachment and executable treated based on the risk assessment (drop, pass)
ā€¢ User awareness training to possible infected email, spyware and infected website
ā€¢ There should be a business continuity plan to recover from a possible malware attack

Related Books

Malware Titles from DISC InfoSec Store
Anti-Malware Software from DISC Infosec store
Anti-Virus software from DISC InfoSec Store
Anti-Malware Titles from eBay

Free Online Virus Scan

Norton Virus Scan | McAfee Virus Scan | Analyze suspicious files

Tags: anti virus, Malicious Software, Malware, Security, Spyware and Adware, trojan, Trojan Horses, Viruses


Oct 23 2012

The Rise of Malicious Traffic on Networks and how it Infect

Category: MalwareDISC @ 4:12 pm

Ā 

Malware logo Crystal 128.

Malware logo Crystal 128. (Photo credit: Wikipedia)

Sophisticated malicious attacks can go largely undetected by most antivirus software. Ā Defense in depth approach requires organizations to monitor for malicious activity, malware (bot traffic) at various levels of the network, perimeter layer, application level and subsequently at critical data level.

How an end user might become infected, the obvious scenario being possibly our less educated users who could potentially be clicking in links in email messages from senders they might not be aware of or people visiting some high-risk sites such as those offering free downloads. The second scenario which is less obvious is where a user may click a link from a known good site which may contain a link to a bad site. The most common situation here is where advertising may have been purchased and site owners may not have been able to perform the due diligence to make sure a reputable company has purchased the ad space. Finally we’ve got our third and scarier scenario where a trusted site has actually been compromised and infected with some kind of malware.

According to Symantecā€˜s most recent Internet Security Threat Report, Global networks faced more than 286 million cyberthreats in 2010, as attackers employed more sophisticated methods that make malware harder to detect and more difficult to remove. Furthermore, the number of Web-based attacks increased 93% in 2010, and malware writers have been turning their attention to social-networking sites such as Twitter and Facebook, where it’s estimated that 17% of links are connected to malware.

So the malicious activity is on the rise based on the Symantec report, which emphasis the point to monitor and evaluate the harmful traffic into your network. Ā Malicious activity monitoring also requires an effective incident handling procedures to analyze, evaluate and taking appropriate actions with malicious events at hand.Ā  An incident handling procedures also differentiate the event from incident meaning when an event turn into an incident.

Real time malicious activity monitoring at perimeter will work nicely with ISO 27001 (ISMS) process. It will not only satisfy the auditor need for monitoring and maintaining of certain controls in the standardĀ  but also new threats to the organization will serve as a feed to required risk assessment process which can be evaluated against relevant vulnerabilities.

Below are some of the famous malicious attacks which can be used to breach network:

ļ‚· SQL injectionā€”By analysing the URL syntax of targeted websites, hackers are able to embed instructions to upload malware that gives them remote access to the target servers.

ļ‚· Exploiting system vulnerabilities in another methodā€”In many cases, laptops, desktops, and servers do not have the latest security patches deployed, which creates a gap in the security posture. Gaps or system vulnerabilities can also be created by improper computer or security configurations. Cyber-criminals search for and exploit these weaknesses to gain access to the corporate network and confidential information.

ļ‚· Targeted malwareā€”Cybercriminals use spam, email, and instant message communications often disguised to come from known entities to direct users to websites that are compromised with malware. This section includes several different approaches that cybercriminals leverage to infect systems with malicious code.

Tags: anti virus, facebook, Internet security, Malware, Security, Symantec


Nov 22 2010

Stuxnet virus could target many industries

Category: MalwareDISC @ 1:25 pm
I constructed this image using :image:Computer...
Image via Wikipedia

By LOLITA C. BALDOR, Associated Press

A malicious computer attack that appears to target Iran’s nuclear plants can be modified to wreak havoc on industrial control systems around the world, and represents the most dire cyberthreat known to industry, government officials and experts said Wednesday.

They warned that industries are becoming increasingly vulnerable to the so-called Stuxnet worm as they merge networks and computer systems to increase efficiency. The growing danger, said lawmakers, makes it imperative that Congress move on legislation that would expand government controls and set requirements to make systems safer.

The complex code is not only able to infiltrate and take over systems that control manufacturing and other critical operations, but it has even more sophisticated abilities to silently steal sensitive intellectual property data, experts said.

Dean Turner, director of the Global Intelligence Network at Symantec Corp., told the Senate Homeland Security and Governmental Affairs Committee that the “real-world implications of Stuxnet are beyond any threat we have seen in the past.”

Analysts and government officials told the senators they remain unable to determine who launched the attack. But the design and performance of the code, and that the bulk of the attacks were in Iran, have fueled speculation that it targeted Iranian nuclear facilities.

Turner said there were 44,000 unique Stuxnet computer infections worldwide through last week, and 1,600 in the United States. Sixty percent of the infections were in Iran, including several employees’ laptops at the Bushehr nuclear plant.

Iran has said it believes Stuxnet is part of a Western plot to sabotage its nuclear program, but experts see few signs of major damage at Iranian facilities.

A senior government official warned Wednesday that attackers can use information made public about the Stuxnet worm to develop variations targeting other industries, affecting the production of everything from chemicals to baby formula.

“This code can automatically enter a system, steal the formula for the product you are manufacturing, alter the ingredients being mixed in your product and indicate to the operator and your antivirus software that everything is functioning as expected,” said Sean McGurk, acting director of Homeland Security’s national cybersecurity operations center.

Stuxnet specifically targets businesses that use Windows operating software and a control system designed by Siemens AG. That combination, said McGurk, is used in many critical sectors, from automobile assembly to mixing products such as chemicals.

Turner added that the code’s highly sophisticated structure and techniques also could mean that it is a one-in-a-decade occurrence. The virus is so complex and costly to develop “that a select few attackers would be capable of producing a similar threat,” he said.

Experts said governments and industries can do much more to protect critical systems.

Michael Assante, who heads the newly created, not-for-profit National Board of Information Security Examiners, told lawmakers that control systems need to be walled off from other networks to make it harder for hackers to access them. And he encouraged senators to beef up government authorities and consider placing performance requirements and other standards on the industry to curtail unsafe practices and make systems more secure.

“We can no longer ignore known system weaknesses and simply accept current system limitations,” he said. “We must admit that our current security strategies are too disjointed and are often, in unintended ways, working against our efforts to address” cybersecurity challenges.

The panel chairman, Sen. Joe Lieberman, I-Conn., said legislation on the matter will be a top priority after lawmakers return in January.

Tags: anti virus, Associated Press, Dean Turner, Industrial control systems, Iran, Joe Lieberman, Siemens, United States


Jan 12 2010

Pop-Up Security Warnings Pose Threats

Category: MalwareDISC @ 4:10 pm

FBI Warning
Image by Travelin’ Librarian via Flickr

Malware: Fighting Malicious Code

By FBI NPO

The FBI warned consumers today about an ongoing threat involving pop-up security messages that appear while they are on the Internet. The messages may contain a virus that could harm your computer, cause costly repairs or, even worse, lead to identity theft. The messages contain scareware, fake or rogue anti-virus software that looks authentic.

The message may display what appears to be a real-time, anti-virus scan of your hard drive. The scareware will show a list of reputable software icons; however, you canā€™t click a link to go to the real site to review or see recommendations. Cyber criminals use botnetsā€”collections of compromised computersā€”to push the software, and advertisements on websites deliver it. This is known as malicious advertising or ā€œmalvertising.ā€

Once the pop-up warning appears, it canā€™t be easily closed by clicking the ā€œcloseā€ or ā€œXā€ buttons. If you click the pop-up to purchase the software, a form to collect payment information for the bogus product launches. In some instances, the scareware can install malicious code onto your computer, whether you click the warning or not. This is more likely to happen if your computer has an account that has rights to install software.

Downloading the software could result in viruses, malicious software called Trojans, and/or keyloggersā€”hardware that records passwords and sensitive dataā€”being installed on your computer. Malicious software can cause costly damages for individual users and financial institutions. The FBI estimates scareware has cost victims more than $150 million.

Cyber criminals use easy-to-remember names and associate them with known applications. Beware of pop-up warnings that are a variation of recognized security software. You should research the exact name of the software being offered. Take precautions to ensure operating systems are updated and security software is current. If you receive these anti-virus pop-ups, close the browser or shut down your computer system. You should run a full anti-virus scan whenever the computer is turned back on.

If you have experienced the anti-virus pop-ups or a similar scam, notify the Internet Crime Complaint Center (IC3) by filing a complaint at www.ic3.gov.

Tags: anti virus, crime, FBI, Federal Bureau of Investigation, Identity Theft, Internet Crime Complaint Center, Malicious Software, Malware, pop-up, Security, Theft, trojan, United States


Jan 06 2009

Digital frames and malware threat

Category: MalwareDISC @ 6:30 pm

Digital photo frame
No doubt, the digital frame is a hot state of the art technology item today. Some digital frames in the market carry a risk of infection through a Trojan horse (malware) which is capable of monitoring keystrokes and sending useful information back to its originator. In Jan 2008 there were multiple reports that digital picture frames attempted to install malware on devices connected to the frame. Itā€™s Jan 2009, and digital frames are still embedded with malwares.

According to SF chronicle article by Deborah Gage (Jan 2, 2009, pg. c1) ā€œThese popular devices are now so powerful that they’ve become computers in themselves, although people who buy them don’t always realize that. And like computers, the frames are capable of carrying code that logs keystrokes, steals data and calls out to other malicious code once it’s installed itself on a PC. ā€œ “Users don’t realize that bad guys can make use of each and every computer they can control, even if you don’t do Internet banking or have any sensitive information,” said Karel Obluk, the chief technology officer of AVG, a security vendor with offices in the United States and Europe. “They can profit by spam or other illegal activities and make (your) PC part of an illegal network. It’s something that users should always be reminded of.”

Consumers have to be wary of devices which have memory on-board.

December 29, 2008 (Computerworld) Amazon.com Inc. last week warned customers running Windows XP that a Samsung digital photo frame it sold until earlier this month might have come with malware on the driver installation CD. Amazon’s advisory identified the malware as “W32.Sality.AE,” the name assigned by Symantec Corp.

According to Samsung’s alert, “a batch of Photo Frame Driver CDs contains a worm virus in the Frame Manager software. This is a risk of the customers host PCs being infected with this worm virus.”
The Samsung SPF-85H is no longer available on Amazon.com.

“Samsung has issued an alert. … Our records indicate that you have purchased one of the digital photo frames through the Amazon.com website and are therefore affected by this alert,” said Amazon in the note.

Based on various security advisories — Only users running Windows XP are at risk from this virus or a Trojan, Samsung and Amazon said; Windows Vista is immune.

Some considerations to safeguard against Trojans:

ļ® Turn off autorun in Windows, to stop Trojan and malware exploits from installing itself on your system.
ļ® To find a Trojan on your system, configure Windows to show hidden files.
ļ® Utilize antivirus software which look for Trojans and keep it turned on and up-to-date. Scan new devices for malware upon connection to a system.
ļ® Perform application vulnerability assessment on digital frame which will look for hidden Trojans.
ļ® Perform regular assessment to find new vulnerabilities
ļ® Buy photo frames manufactured by vendors who can guarantee exclusion of malwares.
ļ® Do your due diligence to find out for known vulnerabilities before buying a digital frame

Who should be responsible for to make sure digital frames are malware free or perhaps both? (consumer/vendors)

AP Impact: Viruses Hit Digital Photo Frames, GPS
httpv://www.youtube.com/watch?v=R19VKUyeXag

Reblog this post [with Zemanta]

Tags: amazon, anti botnet, anti trojan, anti virus, anti worm, illegal network, infection, Malware, photo frame, samsung, Trojan horse